I configured what I thought were two identical FreeRadius 2.1.3 servers. I'm attempting to do MS-CHAP2 authentication on both; one is working, the other is not. For the life of me I can't find any difference in their configuration.

On my client, I switch the host name between the two servers, everything else stays the same. One works, one fails, and I don't know why. Below is the debug output for both the failure and success. PAP authentication works fine on both with the same id. What the heck have I missed?

This is the one that fails:

rad_recv: Access-Request packet from host 192.168.2.15 port 2357, id=26, length=127
         NAS-Identifier = "test-cam1"
         NAS-IP-Address = 192.168.2.15
         MS-CHAP-Challenge = 0xbd4261d677c0d793ee781d7a032218df
MS-CHAP2-Response = 0xa300ac9567587df3e83b3799dc49a53f433000000000000000007e0e6320a093349fbd0afc94436ed32e1258e26c5463147b
         User-Name = "test26"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "test26", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test26 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [test26] (from client 192.168.2.15 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test26
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 26 to 192.168.2.15 port 2357
Waking up in 4.9 seconds.
Cleaning up request 7 ID 26 with timestamp +1885
Ready to process requests.


This one works:

rad_recv: Access-Request packet from host 192.168.2.15 port 2358, id=115, length=127
         NAS-Identifier = "test-cam1"
         NAS-IP-Address = 192.168.2.15
         MS-CHAP-Challenge = 0xfdd0ccd7059225f80093cea2929eb415
MS-CHAP2-Response = 0x780017ff811e7761fc6bd332fb45f4f6b3f50000000000000000b6834efb6626804caf2aa055c5a157851e9bc927698cf23f
         User-Name = "test26"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "test26", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test26 with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=test26
[mschap] No NT-Domain was found in the User-Name.
[mschap]        expand: --domain=%{mschap:NT-Domain:-ap1} -> --domain=ap1
[mschap]  mschap2: fd
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cc26ba941d6d9678
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b6834efb6626804caf2aa055c5a157851e9bc927698cf23f
Exec-Program output: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
Exec-Program-Wait: plaintext: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
Exec-Program: returned: 0
++[mschap] returns ok
Login OK: [test26] (from client 192.168.2.15 port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 115 to 192.168.2.15 port 2358
MS-CHAP2-Success = 0x78533d41453631324635393130344535373132364133414234374339463844443541453538384142453943
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 115 with timestamp +1773
Ready to process requests.

-Mike
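
One way to find where two such debug traces part ways, as an added example that is not part of the original post: it masks per-request values (ports, ids, hex attributes, timers) and reports the first line that differs. The function names are hypothetical and the sample traces are shortened excerpts of the output above.

```python
import re

# Per-request values that differ between any two runs and must not count as a diff.
VOLATILE = re.compile(
    r"(0x)[0-9a-fA-F]+|\b(port |id[= ]|request |ID |timestamp \+|Waking up in )[\d.]+")

def normalize(line):
    """Mask volatile values and collapse whitespace in one debug line."""
    masked = VOLATILE.sub(lambda m: (m.group(1) or m.group(2)) + "<v>", line)
    return " ".join(masked.split())

def first_divergence(trace_a, trace_b):
    """Return (index, line_a, line_b) for the first differing line, or None."""
    a = [normalize(l) for l in trace_a.splitlines() if l.strip()]
    b = [normalize(l) for l in trace_b.splitlines() if l.strip()]
    for i in range(max(len(a), len(b))):
        x = a[i] if i < len(a) else None
        y = b[i] if i < len(b) else None
        if x != y:
            return i, x, y
    return None

# Shortened excerpts of the two traces in the post (not the full output).
FAILING = """\
rad_recv: Access-Request packet from host 192.168.2.15 port 2357, id=26, length=127
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test26 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] returns reject
"""
WORKING = """\
rad_recv: Access-Request packet from host 192.168.2.15 port 2358, id=115, length=127
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test26 with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=test26
++[mschap] returns ok
"""

if __name__ == "__main__":
    print(first_divergence(FAILING, WORKING))
```

On these excerpts it stops at the line where the working server goes on to expand the `--username` argument while the failing one reports that no NT/LM-Password is available.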
