Charles Blake wrote:
> I am trying to set up a freeradius-1.1.0 server for authenticating users
> using MS-CHAP passwords.
> I pretend to authenticate users against shadow.

You can't do that.
MS-CHAP requires the NT hash, the plaintext password from which it can
derive the NT hash, or Samba configured as a domain member and use of
the "ntlm_auth" helper.

> radtest shows ok:

This is a PAP request. They work fine against /etc/shadow

> # radtest mts mypassword localhost 0 testing123
> Sending Access-Request of id 160 to 127.0.0.1 port 1812
>         User-Name = "mts"
>         User-Password = "mypassword"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 0
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=160, length=20
>
> But when I try to authenticate a user using MS-CHAP, I am getting this
> output:

This is an MS-CHAP request - you cannot authenticate it against
/etc/shadow. See above.

> rad_recv: Access-Request packet from host 127.0.0.1:1027, id=5, length=146
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         User-Name = "mts"
>         MS-CHAP-Challenge = 0x6b61b1ed954a289c0fa3aebedc329ac6
>         MS-CHAP2-Response = 0x8f0001684e1d34295e1232edb0682bd04e6e00000000000000002caaa9579823e00501812d3e2dce9225b7dd251c02e1fd89

These error messages are quite detailed:

> Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: No User-Password configured. Cannot create LM-Password.
> Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: No User-Password configured. Cannot create NT-Password.
> Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: Told to do MS-CHAPv2 for mts with NT-Password
> Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

As it says.