Re: Re[2]: Help needed with MS Chap v2
3APA3A <[EMAIL PROTECTED]> wrote:
> I agree. Since 0.4 we warn people smbpasswd support in rlm_mschap is
> outdated and will be removed in future versions. So it's time to remove
> it.

Done. Can you please double-check the module to ensure I didn't break anything?

I've just re-added the support for SMB-Account-Ctrl, and done a few tests with MS-CHAPv1.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re[2]: Help needed with MS Chap v2
Dear Alan DeKok,

--Friday, March 28, 2003, 2:34:31 PM, you wrote to [EMAIL PROTECTED]:

AD> To put it another way, what is the gain in having rlm_mschap read
AD> /etc/smbpasswd?

I agree. Since 0.4 we warn people smbpasswd support in rlm_mschap is outdated and will be removed in future versions. So it's time to remove it.

--
~/ZARAZA
Firing a second time, he crippled a bystander. The bystander was me. (Twain)
Re: Help needed with MS Chap v2
On Fri, Mar 28, 2003 at 06:34:31AM -0500, Alan DeKok wrote:
> Frank Cusack <[EMAIL PROTECTED]> wrote:
> > On Fri, Mar 28, 2003 at 11:51:36AM +0300, 3APA3A wrote:
> > > /etc/smbpasswd is really not required and was only for compatibility
> > > (anyway it should be noted in Release Notes for people who upgrade
> > > their RADIUS versions).
> > Yeah, I personally think both should be added back ...
>
> I am strongly opposed to duplicate functionality in the code. If
> rlm_passwd can do all of the work of reading attributes from
> /etc/smbpasswd, then we should use it, and not duplicate that code
> elsewhere.
>
> To put it another way, what is the gain in having rlm_mschap read
> /etc/smbpasswd?

ah. none.

/fc
Re: Help needed with MS Chap v2
Frank Cusack <[EMAIL PROTECTED]> wrote:
> On Fri, Mar 28, 2003 at 11:51:36AM +0300, 3APA3A wrote:
> > /etc/smbpasswd is really not required and was only for compatibility
> > (anyway it should be noted in Release Notes for people who upgrade
> > their RADIUS versions).

I've done that, and added code to rlm_mschap which will complain if people try to configure it to use /etc/smbpasswd, and will tell people what to do to fix the problem.

> > Removing SMB-Account-CTRL attribute handling is not good, I know people
> > use it. It's very convenient if accounts are bulk imported from NT
> > domain or from SAMBA. It's standard attribute from SAMBA passwd format,
> > SAMBA LDAP schema, etc.

That I agree with. But I was trying to take baby steps, to ensure that I could get one thing working, before I added another.

> Yeah, I personally think both should be added back ...

I am strongly opposed to duplicate functionality in the code. If rlm_passwd can do all of the work of reading attributes from /etc/smbpasswd, then we should use it, and not duplicate that code elsewhere.

To put it another way, what is the gain in having rlm_mschap read /etc/smbpasswd?

Alan DeKok.
Re: Help needed with MS Chap v2
On Fri, Mar 28, 2003 at 11:51:36AM +0300, 3APA3A wrote:
> --Thursday, March 27, 2003, 2:39:42 PM, you wrote to [EMAIL PROTECTED]:
>
> AD> Try the latest CVS snapshot. I've re-written rlm_mschap to be
> AD> smaller, simpler, and to have significantly more debug messages.
>
> AD> It won't look at /etc/smbpasswd any more, but that's probably a Good
> AD> Thing.
>
> /etc/smbpasswd is really not required and was only for compatibility
> (anyway it should be noted in Release Notes for people who upgrade
> their RADIUS versions).
>
> Removing SMB-Account-CTRL attribute handling is not good, I know people
> use it. It's very convenient if accounts are bulk imported from NT
> domain or from SAMBA. It's standard attribute from SAMBA passwd format,
> SAMBA LDAP schema, etc.

Yeah, I personally think both should be added back ...

/fc
Re[4]: Help needed with MS Chap v2
Dear Alan DeKok,

--Thursday, March 27, 2003, 2:39:42 PM, you wrote to [EMAIL PROTECTED]:

AD> Try the latest CVS snapshot. I've re-written rlm_mschap to be
AD> smaller, simpler, and to have significantly more debug messages.

AD> It won't look at /etc/smbpasswd any more, but that's probably a Good
AD> Thing.

/etc/smbpasswd is really not required and was only for compatibility (anyway it should be noted in Release Notes for people who upgrade their RADIUS versions).

Removing SMB-Account-CTRL attribute handling is not good, I know people use it. It's very convenient if accounts are bulk imported from NT domain or from SAMBA. It's standard attribute from SAMBA passwd format, SAMBA LDAP schema, etc.

--
~/ZARAZA
The machine turned out to be capable of only one operation, namely multiplying 2 by 2, and even then it got that wrong. (Lem)
RE: Re[2]: Help needed with MS Chap v2
Hi Guy

Using the NAS to test with can be painful. Here's what I do with radclient.

  radclient -f radtst-2.txt -x 127.0.0.1 auth testing123

Contents of file radtst-2.txt:-

  NAS-IP-Address = 10.3.1.252
  NAS-Port = 1
  NAS-Port-Type = Async
  User-Name = "barney"
  MS-CHAP-Challenge = 0xf891896ff83faf76
  MS-CHAP-Response = 0x1c01000
    02de6c684371d4373ff9ed97884686b55148577df9c12e0cc
  Service-Type = Framed-User
  Framed-Protocol = PPP

The above is for user "barney" with password "rockstar". Here are the hashes for same:

  NT-Password: 746FDB64FD2E11D171D80823820969
  LM-Password: 78D866152028B45E944E2DF489A880

I use the NAS at first and just screen-scrape (cut & paste actually) the challenge from the radiusd -sxx debug output for use with radclient. I use the PuTTY telnet client.

Regards
Mike D.

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]] On Behalf Of Guy Warner
>Sent: Thursday, March 27, 2003 5:09 PM
>To: [EMAIL PROTECTED]
>Subject: Re[2]: Help needed with MS Chap v2
>
>At 19:47 26/03/2003 +0300, you wrote:
>>Dear Guy Warner,
>>
>>This line simply notifies you there is no authentication schema may be
>>used for packet (for MS-CHAPv1 both LM and NT authentication is
>>available, for MS-CHAPv2 only NT and it fails in your case). Packet
>>corruption is most unlikely from all variants.
>
>Hi
>
>Thanks for all your help so far. Given then that no authentication schema
>is available is this because of an invalid MS-CHAP-Challenge and
>MS-CHAP2-Response pair. If so is there any software to manually generate
>the pairings so that the server can be tested with radclient. If on the
>other hand the pairing is correct what are the most likely causes of this
>problem. I am confident that the username and password being sent are valid
>and the password contains no non-ascii characters.
>
>Thanks again
>
>Guy Warner
Re: Re[2]: Help needed with MS Chap v2
Guy Warner <[EMAIL PROTECTED]> wrote:
> Thanks for all your help so far. Given then that no authentication schema
> is available is this because of an invalid MS-CHAP-Challenge and
> MS-CHAP2-Response pair. If so is there any software to manually generate
> the pairings so that the server can be tested with radclient.

Not really.

> If on the other hand the pairing is correct what are the most likely
> causes of this problem. I am confident that the username and
> password being sent are valid and the password contains no non-ascii
> characters.

Try the latest CVS snapshot. I've re-written rlm_mschap to be smaller, simpler, and to have significantly more debug messages.

It won't look at /etc/smbpasswd any more, but that's probably a Good Thing.

Alan DeKok.
Re[2]: Help needed with MS Chap v2
At 19:47 26/03/2003 +0300, you wrote:
>Dear Guy Warner,
>
>This line simply notifies you there is no authentication schema may be
>used for packet (for MS-CHAPv1 both LM and NT authentication is
>available, for MS-CHAPv2 only NT and it fails in your case). Packet
>corruption is most unlikely from all variants.

Hi

Thanks for all your help so far. Given then that no authentication schema is available, is this because of an invalid MS-CHAP-Challenge and MS-CHAP2-Response pair? If so, is there any software to manually generate the pairings so that the server can be tested with radclient? If, on the other hand, the pairing is correct, what are the most likely causes of this problem? I am confident that the username and password being sent are valid and the password contains no non-ASCII characters.

Thanks again

Guy Warner
Re[2]: Help needed with MS Chap v2
Dear Guy Warner,

This line simply notifies you there is no authentication schema may be used for packet (for MS-CHAPv1 both LM and NT authentication is available, for MS-CHAPv2 only NT and it fails in your case). Packet corruption is most unlikely from all variants.

--Wednesday, March 26, 2003, 7:38:27 PM, you wrote to [EMAIL PROTECTED]:

GW> Thanks for the fast replies. The line
GW> Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the user
GW> makes me believe the packet is corrupted. Is there any way to test this. My
GW> suspicion is that the packet is being corrupted by the proxy server, however
GW> since this is running a dedicated operating system there is not a lot I can
GW> modify on it. The software used to send the initial request to the proxy is
GW> RASPPOE_098B.

GW> The LDAP server is authorizing the user names fine.

GW> Thanks again.

GW> Guy Warner

GW> ----- Original Message -----
GW> From: "3APA3A" <[EMAIL PROTECTED]>
GW> To: "Guy Warner" <[EMAIL PROTECTED]>
GW> Sent: Wednesday, March 26, 2003 4:19 PM
GW> Subject: Re: Help needed with MS Chap v2

>> Dear Guy Warner,
>>
>> Authentication fails because of username or password mismatch. It may be
>> if packet is corrupted, if realm is not stripped from username or
>> password contains non-ASCII characters.
>>
>> --Wednesday, March 26, 2003, 7:10:32 PM, you wrote to [EMAIL PROTECTED]:
>>
>> GW> Hi
>>
>> GW> I am trying to set up a Freeradius 0.8.1 server to authenticate users with
>> GW> MS Chap v2. The information about each user is obtained from an LDAP server.
>> GW> The requests for authentication are being received via a proxy server.
>>
>> GW> The problem is that all requests to authenticate a user result in
>> GW> rlm_mschap: Nothing in the packet I recognise: Rejecting the user
>>
>> GW> The mschap section of radiusd.conf is as follows
>>
>> GW> mschap {
>> GW>   authtype = MS-CHAP
>> GW>   use_mppe = yes
>> GW>   require_encryption = yes
>> GW>   require_strong = yes
>> GW> }
>>
>> GW> The output from radiusd in debug mode contains the following
>>
>> GW> rad_recv: Access-Request packet from host :1814, id=3, length=172
>> GW>   MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
>> GW>   MS-CHAP2-Response = 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
>> GW>     05c09460bdc1c3047ab43476f5
>> GW>   User-Name = "[EMAIL PROTECTED]"
>> GW>   NAS-IP-Address =
>> GW>   NAS-Identifier =
>> GW>   Service-Type = Framed-User
>> GW>   Framed-Protocol = PPP
>> GW>   Proxy-State = 0x313630
>> GW> ..
>> GW> Debug: modcall: entering group authtype
>> GW> Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
>> GW> Debug: rlm_mschap: Authentication failed
>> GW> Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the user
>> GW> Debug: modcall[authenticate]: module "mschap" returns reject
>>
>> GW> The username is stripped of the domain since usernames are stored on the
>> GW> LDAP server in the short form.
>>
>> GW> Any suggestions on how to fix this problem would be gratefully received. If
>> GW> I have not provided sufficient information to diagnose the error then please
>> GW> let me know and I will send more information.
>>
>> GW> Thanks in advance
>>
>> GW> Guy Warner
>>
>> --
>> ~/ZARAZA
>> Smack the ENIACs in the face! (Lem)

--
~/ZARAZA
I swear by the bald head of the prophet Moses, I am going to eat you right now. (Twain)
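The reply above explains what the rejection line means: rlm_mschap found no authentication method it could apply to what arrived, and MS-CHAPv1 can be checked against either the LM or the NT hash while MS-CHAPv2 can only be checked against the NT hash. As an added example (not FreeRADIUS code, and not posted by anyone in this thread), the following Python reads a radclient-style attribute file like the ones Guy and Mike posted, checks that the MS-CHAP attributes have the lengths RFC 2433 (v1) and RFC 2759 (v2) define, splits the response into its fields, and reports which stored password form the server would need to verify it. The parser, the sample requests and the response bytes in them are constructed for this example: the challenge values are the ones quoted in the thread, the response bytes are placeholders, and the truncated hex strings from the archive are deliberately not reused.

```python
"""Structural check of MS-CHAP attributes in a radclient-style request file.
Added example; field layouts follow RFC 2433 (MS-CHAPv1) and RFC 2759 (MS-CHAPv2)."""
import re

V1_CHALLENGE_LEN = 8     # MS-CHAP-Challenge for MS-CHAPv1
V2_CHALLENGE_LEN = 16    # MS-CHAP-Challenge (authenticator challenge) for MS-CHAPv2
RESPONSE_LEN = 50        # both MS-CHAP-Response and MS-CHAP2-Response are 50 octets


def parse_attr_file(text):
    """Minimal constructed parser for 'Attribute = value' lines as radclient reads them.
    One attribute per line, '#' comments, quotes stripped from string values."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        attrs[name.strip()] = value.strip().strip('"')
    return attrs


def hex_attr(value):
    """Decode a 0x-prefixed octet string; whitespace left over from wrapped lines is dropped."""
    value = re.sub(r"\s+", "", value)
    if value.lower().startswith("0x"):
        value = value[2:]
    return bytes.fromhex(value)


def inspect_mschap(attrs):
    """Report the MS-CHAP version carried, which stored hash rlm_mschap would need
    (NT-Password or LM-Password), the decoded response fields, and structural problems."""
    report = {"version": None, "needs": [], "fields": None, "problems": []}
    if "MS-CHAP-Challenge" not in attrs:
        report["problems"].append("no MS-CHAP-Challenge")
        return report
    challenge = hex_attr(attrs["MS-CHAP-Challenge"])

    if "MS-CHAP2-Response" in attrs:
        report["version"] = 2
        resp = hex_attr(attrs["MS-CHAP2-Response"])
        if len(challenge) != V2_CHALLENGE_LEN:
            report["problems"].append(f"v2 challenge is {len(challenge)} bytes, expected {V2_CHALLENGE_LEN}")
        if len(resp) != RESPONSE_LEN:
            report["problems"].append(f"MS-CHAP2-Response is {len(resp)} bytes, expected {RESPONSE_LEN}")
            return report
        report["fields"] = {
            "ident": resp[0],
            "flags": resp[1],
            "peer_challenge": resp[2:18],
            "reserved": resp[18:26],
            "nt_response": resp[26:50],
        }
        if report["fields"]["reserved"] != bytes(8):
            report["problems"].append("reserved field is not zero")
        report["needs"] = ["NT-Password"]          # v2 is defined only over the NT hash
    elif "MS-CHAP-Response" in attrs:
        report["version"] = 1
        resp = hex_attr(attrs["MS-CHAP-Response"])
        if len(challenge) != V1_CHALLENGE_LEN:
            report["problems"].append(f"v1 challenge is {len(challenge)} bytes, expected {V1_CHALLENGE_LEN}")
        if len(resp) != RESPONSE_LEN:
            report["problems"].append(f"MS-CHAP-Response is {len(resp)} bytes, expected {RESPONSE_LEN}")
            return report
        report["fields"] = {
            "ident": resp[0],
            "flags": resp[1],
            "lm_response": resp[2:26],
            "nt_response": resp[26:50],
        }
        # RFC 2433 Flags: bit 0 set means the NT-Response is the valid one, clear means LM-Response.
        report["needs"] = ["NT-Password"] if report["fields"]["flags"] & 1 else ["LM-Password"]
    else:
        report["problems"].append("MS-CHAP-Challenge present but no MS-CHAP-Response or MS-CHAP2-Response")
    return report


# Constructed sample requests. Challenges are the ones quoted in the thread;
# the response octets are placeholders, not real responses for any password.
SAMPLE_V1 = (
    'User-Name = "barney"\n'
    "MS-CHAP-Challenge = 0xf891896ff83faf76\n"
    "MS-CHAP-Response = 0x0101" + "00" * 24 + "aa" * 24 + "\n"
    "Service-Type = Framed-User\n"
)
SAMPLE_V2 = (
    'User-Name = "guy"\n'
    "MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2\n"
    "MS-CHAP2-Response = 0x0100" + "11" * 16 + "00" * 8 + "22" * 24 + "\n"
)
# Same request with the last 8 octets of the response missing (42 instead of 50).
SAMPLE_V2_SHORT = SAMPLE_V2.replace("22" * 24, "22" * 16)

if __name__ == "__main__":
    for name, text in (("v1", SAMPLE_V1), ("v2", SAMPLE_V2), ("v2-short", SAMPLE_V2_SHORT)):
        print(name, inspect_mschap(parse_attr_file(text)))
```

Run against a file captured from the NAS, a non-empty "problems" list points at attribute truncation or corruption on the path to the server, while an empty list with "needs" set tells you which hash the backend (here, the LDAP server) must be returning for the user.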
Re: Help needed with MS Chap v2
Thanks for the fast replies. The line

  Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the user

makes me believe the packet is corrupted. Is there any way to test this? My suspicion is that the packet is being corrupted by the proxy server; however, since this is running a dedicated operating system there is not a lot I can modify on it. The software used to send the initial request to the proxy is RASPPOE_098B.

The LDAP server is authorizing the user names fine.

Thanks again.

Guy Warner

----- Original Message -----
From: "3APA3A" <[EMAIL PROTECTED]>
To: "Guy Warner" <[EMAIL PROTECTED]>
Sent: Wednesday, March 26, 2003 4:19 PM
Subject: Re: Help needed with MS Chap v2

> Dear Guy Warner,
>
> Authentication fails because of username or password mismatch. It may be
> if packet is corrupted, if realm is not stripped from username or
> password contains non-ASCII characters.
>
> --Wednesday, March 26, 2003, 7:10:32 PM, you wrote to [EMAIL PROTECTED]:
>
> GW> Hi
>
> GW> I am trying to set up a Freeradius 0.8.1 server to authenticate users with
> GW> MS Chap v2. The information about each user is obtained from an LDAP server.
> GW> The requests for authentication are being received via a proxy server.
>
> GW> The problem is that all requests to authenticate a user result in
> GW> rlm_mschap: Nothing in the packet I recognise: Rejecting the user
>
> GW> The mschap section of radiusd.conf is as follows
>
> GW> mschap {
> GW>   authtype = MS-CHAP
> GW>   use_mppe = yes
> GW>   require_encryption = yes
> GW>   require_strong = yes
> GW> }
>
> GW> The output from radiusd in debug mode contains the following
>
> GW> rad_recv: Access-Request packet from host :1814, id=3, length=172
> GW>   MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
> GW>   MS-CHAP2-Response = 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
> GW>     05c09460bdc1c3047ab43476f5
> GW>   User-Name = "[EMAIL PROTECTED]"
> GW>   NAS-IP-Address =
> GW>   NAS-Identifier =
> GW>   Service-Type = Framed-User
> GW>   Framed-Protocol = PPP
> GW>   Proxy-State = 0x313630
> GW> ..
> GW> Debug: modcall: entering group authtype
> GW> Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
> GW> Debug: rlm_mschap: Authentication failed
> GW> Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the user
> GW> Debug: modcall[authenticate]: module "mschap" returns reject
>
> GW> The username is stripped of the domain since usernames are stored on the
> GW> LDAP server in the short form.
>
> GW> Any suggestions on how to fix this problem would be gratefully received. If
> GW> I have not provided sufficient information to diagnose the error then please
> GW> let me know and I will send more information.
>
> GW> Thanks in advance
>
> GW> Guy Warner
>
> --
> ~/ZARAZA
> Smack the ENIACs in the face! (Lem)
Re: Help needed with MS Chap v2
Guy,

Do the LDAP server logs show anything?

josh.

On Wed, 2003-03-26 at 16:10, Guy Warner wrote:
> Hi
>
> I am trying to set up a Freeradius 0.8.1 server to authenticate users with
> MS Chap v2. The information about each user is obtained from an LDAP server.
> The requests for authentication are being received via a proxy server.
>
> The problem is that all requests to authenticate a user result in
> rlm_mschap: Nothing in the packet I recognise: Rejecting the user
>
> The mschap section of radiusd.conf is as follows
>
> mschap {
>   authtype = MS-CHAP
>   use_mppe = yes
>   require_encryption = yes
>   require_strong = yes
> }
>
> The output from radiusd in debug mode contains the following
>
> rad_recv: Access-Request packet from host :1814, id=3, length=172
>   MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
>   MS-CHAP2-Response = 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
>     05c09460bdc1c3047ab43476f5
>   User-Name = "[EMAIL PROTECTED]"
>   NAS-IP-Address =
>   NAS-Identifier =
>   Service-Type = Framed-User
>   Framed-Protocol = PPP
>   Proxy-State = 0x313630
> ..
> Debug: modcall: entering group authtype
> Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
> Debug: rlm_mschap: Authentication failed
> Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the user
> Debug: modcall[authenticate]: module "mschap" returns reject
>
> The username is stripped of the domain since usernames are stored on the
> LDAP server in the short form.
>
> Any suggestions on how to fix this problem would be gratefully received. If
> I have not provided sufficient information to diagnose the error then please
> let me know and I will send more information.
>
> Thanks in advance
>
> Guy Warner

--
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850   email: [EMAIL PROTECTED]
---
Re: Help needed with MS Chap v2
Dear Guy Warner,

Authentication fails because of username or password mismatch. It may be if packet is corrupted, if realm is not stripped from username or password contains non-ASCII characters.

--Wednesday, March 26, 2003, 7:10:32 PM, you wrote to [EMAIL PROTECTED]:

GW> Hi

GW> I am trying to set up a Freeradius 0.8.1 server to authenticate users with
GW> MS Chap v2. The information about each user is obtained from an LDAP server.
GW> The requests for authentication are being received via a proxy server.

GW> The problem is that all requests to authenticate a user result in
GW> rlm_mschap: Nothing in the packet I recognise: Rejecting the user

GW> The mschap section of radiusd.conf is as follows

GW> mschap {
GW>   authtype = MS-CHAP
GW>   use_mppe = yes
GW>   require_encryption = yes
GW>   require_strong = yes
GW> }

GW> The output from radiusd in debug mode contains the following

GW> rad_recv: Access-Request packet from host :1814, id=3, length=172
GW>   MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
GW>   MS-CHAP2-Response = 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
GW>     05c09460bdc1c3047ab43476f5
GW>   User-Name = "[EMAIL PROTECTED]"
GW>   NAS-IP-Address =
GW>   NAS-Identifier =
GW>   Service-Type = Framed-User
GW>   Framed-Protocol = PPP
GW>   Proxy-State = 0x313630
GW> ..
GW> Debug: modcall: entering group authtype
GW> Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
GW> Debug: rlm_mschap: Authentication failed
GW> Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the user
GW> Debug: modcall[authenticate]: module "mschap" returns reject

GW> The username is stripped of the domain since usernames are stored on the
GW> LDAP server in the short form.

GW> Any suggestions on how to fix this problem would be gratefully received. If
GW> I have not provided sufficient information to diagnose the error then please
GW> let me know and I will send more information.

GW> Thanks in advance

GW> Guy Warner

--
~/ZARAZA
Smack the ENIACs in the face! (Lem)
Help needed with MS Chap v2
Hi

I am trying to set up a Freeradius 0.8.1 server to authenticate users with MS Chap v2. The information about each user is obtained from an LDAP server. The requests for authentication are being received via a proxy server.

The problem is that all requests to authenticate a user result in

  rlm_mschap: Nothing in the packet I recognise: Rejecting the user

The mschap section of radiusd.conf is as follows

  mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
  }

The output from radiusd in debug mode contains the following

  rad_recv: Access-Request packet from host :1814, id=3, length=172
    MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
    MS-CHAP2-Response = 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
      05c09460bdc1c3047ab43476f5
    User-Name = "[EMAIL PROTECTED]"
    NAS-IP-Address =
    NAS-Identifier =
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Proxy-State = 0x313630
  ..
  Debug: modcall: entering group authtype
  Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
  Debug: rlm_mschap: Authentication failed
  Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the user
  Debug: modcall[authenticate]: module "mschap" returns reject

The username is stripped of the domain since usernames are stored on the LDAP server in the short form.

Any suggestions on how to fix this problem would be gratefully received. If I have not provided sufficient information to diagnose the error then please let me know and I will send more information.

Thanks in advance

Guy Warner