Hi,
when using MS-CHAP, an incoming authentication request is successfully
answered.
When using MS-CHAPv2 in the client configuration instead, the call is
rejected because mschap doesn't recognize it as MS-CHAP during
authenticate.
radiusd output is: "No MS-CHAP related attributes in request" - followed by
the rejection of the request.
The first difference I saw was that, when using MS-CHAPv2, there is no
incoming "MS-CHAP-Challenge" attribute, and there is an "MS-CHAP2-Response"
attribute instead of "MS-CHAP-Response".
If the missing "MS-CHAP-Challenge" is the reason for that behavior - which I
guess it is, because of the corresponding comment in the authorize{} section
of radiusd.conf - what can I do to make it work?
1. my configuration:
====================
The installed version of radiusd is freeradius-snapshot-20020909.
Dial in client: W2k
NAS: Bintec Brick XL/2
radiusd.conf:
-------------
modules {
	...
	mschap {
		Auth-Type = MS-CHAP
		use_mppe = no
	}
	...
	ldap {
		server = "ebdcbn02.dpeb.de"
		identity = "\#\#ldap\@dpeb.de"
		password = xxxx
		basedn = "dc=DPEB,dc=DE"
		filter = "(&(objectclass=person)(sAMAccountName=%{User-Name}))"
		start_tls = no
		# access_attr = "msNPAllowDialin"
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		ldap_connections_number = 5
		#password_header = "{clear}"
		password_attribute = userPassword
		timeout = 4
		timelimit = 3
		net_timeout = 1
		# compare_check_items = yes
		# access_attr_used_for_allow = yes
	}
}
authorize {
	files
	ldap
	mschap
}
authenticate {
	authtype LDAP {
		ldap
	}
	mschap
}
users file: (it's reproducible with any other user)
-----------
...
DEFAULT	Service-Type == Framed-User
	Idle-Timeout = 300,
	Port-Limit = 2,
	BinTec-biboPPPTable += "biboPPPDNSNegotiation=enabled",
	Fall-Through = Yes
DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP,
	Fall-Through = Yes
"##ldap"	Service-Type == Framed-User, Auth-Type += MS-CHAP
	BinTec-biboPPPTable += "biboPPPIpPoolId=3",
	Fall-Through = No
DEFAULT	Service-Type == Framed-User, Auth-Type := Reject
...
2. radiusd -X -A output:
========================
>>>>>>>>>>>>>>
...
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 213.68.141.34:1024, id=185, length=129
	NAS-Identifier = "pmxbn01"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = "##ldap"
	Called-Station-Id = "36903690"
	NAS-Port = 0
	NAS-Port-Type = ISDN
	MS-CHAP2-Response = 0x0100ec160924d8dee377e77c388cb0e669840000000000000000a753a221ab3fa0a0d10b6342e22bab1064e6df1c5d11376e
modcall: entering group authorize
users: Matched DEFAULT at 147
users: Matched DEFAULT at 159
users: Matched ##ldap at 189
modcall[authorize]: module "files" returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ##ldap
radius_xlat: '(&(objectclass=person)(sAMAccountName=##ldap))'
radius_xlat: 'dc=DPEB,dc=DE'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=DPEB,dc=DE, with filter (&(objectclass=person)(sAMAccountName=##ldap))
rlm_ldap: Added password 689D3F1884E0423F468C01987A58C3EB in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 689D3F1884E0423F468C01987A58C3EB & op=11
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 689D3F1884E0423F468C01987A58C3EB & op=11
rlm_ldap: user ##ldap authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authenticate
No MS-CHAP related attributes in request
modcall[authenticate]: module "mschap" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Login incorrect: [##ldap] (from client pmxbn01 port 0)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
...
<<<<<<<<<<<<<<<<<
When using MS-CHAP instead (on w2k-client), I get this result:
>>>>>>>>>>>>>>>>
...
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 213.68.141.34:1024, id=186, length=145
	NAS-Identifier = "pmxbn01"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = "##ldap"
	Called-Station-Id = "36903690"
	NAS-Port = 0
	NAS-Port-Type = ISDN
	MS-CHAP-Response = 0x01010ef6eeb0ff66f08516424106209f957a1af2cc00560702509b9d634251b10b16d4cdb39521f24388b18914bf73549811
	MS-CHAP-Challenge = 0x6d173708a662ec90
modcall: entering group authorize
...
modcall: group authorize returns ok
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authenticate
rlm_mschap: doing MS-CHAPv1 with NT-Password
modcall[authenticate]: module "mschap" returns ok
modcall: group authenticate returns ok
Login OK: [##ldap] (from client pmxbn01 port 0)
Sending Access-Accept of id 186 to 213.68.141.34:1024
	Idle-Timeout = 300
	Port-Limit = 2
	BinTec-biboPPPTable = "biboPPPDNSNegotiation=enabled"
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
	BinTec-biboPPPTable = "biboPPPIpPoolId=3"
Finished request 2
Going to the next request
...
<<<<<<<<<<<<<<<<<<
Regards,
Martin
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
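The following is an added worked example, not part of the post above and not FreeRADIUS code. It decodes the two 50-byte response attributes quoted in the traces (MS-CHAP-Response and MS-CHAP2-Response, layouts per RFC 2548) and shows what a verifier needs in each case: for MS-CHAPv1 the 8-byte MS-CHAP-Challenge is used directly, while for MS-CHAPv2 the server must first compute ChallengeHash (RFC 2759) from the peer challenge inside MS-CHAP2-Response, the 16-byte authenticator challenge from MS-CHAP-Challenge, and the user name. The v2 request in the trace carries no MS-CHAP-Challenge, so that value cannot be derived and the response is unverifiable no matter what password source the server has. The 16-byte authenticator challenge used at the end is a constructed, hypothetical value (the trace never shows one); the DES step that would follow ChallengeHash is deliberately left out.

```python
"""Decode the MS-CHAP attributes from the two radiusd -X traces quoted above
and show what the server needs before it can verify either response.

Attribute layouts follow RFC 2548 (MS-CHAP-Response s2.3.2, MS-CHAP2-Response
s2.3.3, MS-CHAP-Challenge s2.3.4); ChallengeHash follows RFC 2759 s8.2.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Values copied from the traces in the post (hex, '0x' prefix dropped).
MSCHAP2_RESPONSE_HEX = ("0100ec160924d8dee377e77c388cb0e669840000000000000000a75"
                        "3a221ab3fa0a0d10b6342e22bab1064e6df1c5d11376e")
MSCHAP_RESPONSE_HEX = ("01010ef6eeb0ff66f08516424106209f957a1af2cc00560702509b9d"
                       "634251b10b16d4cdb39521f24388b18914bf73549811")
MSCHAP_CHALLENGE_HEX = "6d173708a662ec90"

REQUEST_V2 = {  # id=185 in the trace: no MS-CHAP-Challenge at all
    "User-Name": "##ldap",
    "MS-CHAP2-Response": bytes.fromhex(MSCHAP2_RESPONSE_HEX),
}
REQUEST_V1 = {  # id=186 in the trace
    "User-Name": "##ldap",
    "MS-CHAP-Response": bytes.fromhex(MSCHAP_RESPONSE_HEX),
    "MS-CHAP-Challenge": bytes.fromhex(MSCHAP_CHALLENGE_HEX),
}


@dataclass
class MsChapResponse:
    version: int
    ident: int
    flags: int
    lm_response: bytes     # v1 only, 24 bytes (empty for v2)
    peer_challenge: bytes  # v2 only, 16 bytes (empty for v1)
    nt_response: bytes     # 24 bytes in both versions


def parse_mschap_response(raw: bytes, version: int) -> MsChapResponse:
    """Split a 50-byte MS-CHAP-Response (v1) or MS-CHAP2-Response (v2) value."""
    if len(raw) != 50:
        raise ValueError(f"expected 50 bytes, got {len(raw)}")
    ident, flags = raw[0], raw[1]
    if version == 1:
        # ident | flags (1 = use NT-Response) | LM-Response(24) | NT-Response(24)
        return MsChapResponse(1, ident, flags, raw[2:26], b"", raw[26:50])
    if version == 2:
        # ident | flags | Peer-Challenge(16) | Reserved(8, zero) | NT-Response(24)
        if raw[18:26] != bytes(8):
            raise ValueError("MS-CHAP2-Response reserved field is not zero")
        return MsChapResponse(2, ident, flags, b"", raw[2:18], raw[26:50])
    raise ValueError("version must be 1 or 2")


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): the 8 bytes a v2 verifier DES-encrypts with
    the NT hash. Needs the 16-byte authenticator challenge, which the NAS
    carries in MS-CHAP-Challenge; without it this value cannot be computed."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(user_name.encode("utf-8"))  # RFC 2759: name without domain prefix
    return h.digest()[:8]


def verifier_challenge(attrs: dict) -> Optional[bytes]:
    """Return the 8-byte challenge the server checks NT-Response against,
    or None when the request lacks what the mschap module needs
    (MS-CHAP-Challenge plus one of the two response attributes)."""
    auth_challenge = attrs.get("MS-CHAP-Challenge")
    if auth_challenge is None:
        return None
    if "MS-CHAP-Response" in attrs:
        parse_mschap_response(attrs["MS-CHAP-Response"], 1)  # layout check
        if len(auth_challenge) != 8:
            raise ValueError("MS-CHAPv1 challenge must be 8 bytes")
        return auth_challenge  # v1: the challenge is used as is
    if "MS-CHAP2-Response" in attrs:
        resp = parse_mschap_response(attrs["MS-CHAP2-Response"], 2)
        if len(auth_challenge) != 16:
            raise ValueError("MS-CHAPv2 challenge must be 16 bytes")
        return challenge_hash(resp.peer_challenge, auth_challenge,
                              attrs["User-Name"])
    return None


if __name__ == "__main__":
    v2 = parse_mschap_response(REQUEST_V2["MS-CHAP2-Response"], 2)
    print("v2 peer challenge:", v2.peer_challenge.hex())
    print("v2 verifiable with trace as-is:", verifier_challenge(REQUEST_V2) is not None)
    v1 = parse_mschap_response(REQUEST_V1["MS-CHAP-Response"], 1)
    print("v1 flags (1 = use NT-Response):", v1.flags)
    print("v1 verifier challenge:", verifier_challenge(REQUEST_V1).hex())
    # Constructed, hypothetical 16-byte authenticator challenge: what the NAS
    # would have to send in MS-CHAP-Challenge for the v2 request to be checkable.
    fixed = dict(REQUEST_V2, **{"MS-CHAP-Challenge": bytes(range(16))})
    print("v2 verifier challenge with a challenge present:",
          verifier_challenge(fixed).hex())
```

Running it against the trace values prints the v2 peer challenge `ec160924d8dee377e77c388cb0e66984` and reports the v2 request as unverifiable, which matches the server's "No MS-CHAP related attributes in request" on that packet; the v1 request yields the challenge `6d173708a662ec90` straight from the attribute, which is why that exchange succeeds. The practical check on the NAS side is therefore whether it emits a 16-byte MS-CHAP-Challenge alongside MS-CHAP2-Response; a response attribute alone is never enough.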