Re: Re[2]: Help needed with MS Chap v2
3APA3A <[EMAIL PROTECTED]> wrote: > I agree. Since 0.4 we warn people smbpasswd support in rlm_mschap is > outdated and will be removed in future versions. So it's time to remove > it. Done. Can you please double-check the module to ensure I didn't break anything? I've just re-added the support for SMB-Account-Ctrl, and done a few tests with MS-CHAPv1. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re[2]: Help needed with MS Chap v2
Dear Alan DeKok, --Friday, March 28, 2003, 2:34:31 PM, you wrote to [EMAIL PROTECTED]: AD> To put it another way, what is the gain in having rlm_mschap read AD> /etc/smbpasswd? I agree. Since 0.4 we warn people smbpasswd support in rlm_mschap is outdated and will be removed in future versions. So it's time to remove it. -- ~/ZARAZA Стреляя во второй раз, он искалечил постороннего. Посторонним был я. (Твен) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Help needed with MS Chap v2
On Fri, Mar 28, 2003 at 06:34:31AM -0500, Alan DeKok wrote: > Frank Cusack <[EMAIL PROTECTED]>wrote: > > On Fri, Mar 28, 2003 at 11:51:36AM +0300, 3APA3A wrote: > > > /etc/smbpasswd is really not required and was only for compatibility > > > (anyway it should be noted in Release Notes for peoples who upgrade > > > their RADIUS versions). > > Yeah, I personally think both should be added back ... > > I am strongly opposed to duplicate functionality in the code. If > rlm_passwd can do all of the work of reading attributes from > /etc/smbpasswd, then we should use it, and not duplicate that code > elsewhere. > > To put it another way, what is the gain in having rlm_mschap read > /etc/smbpasswd? ah. none. /fc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Help needed with MS Chap v2
Frank Cusack <[EMAIL PROTECTED]>wrote: > On Fri, Mar 28, 2003 at 11:51:36AM +0300, 3APA3A wrote: > > /etc/smbpasswd is really not required and was only for compatibility > > (anyway it should be noted in Release Notes for peoples who upgrade > > their RADIUS versions). I've done that, and added code to rlm_mschap which will complain if people try to configure it to use /etc/smbpasswd, and will tell people what to do to fix the problem. > > Removing SMB-Account-CTRL attribute handling is not good, I know people > > use it. It's very convinient if accounts are bulk imported from NT > > domain or from SAMBA. It's standard atribute from SAMBA passwd format, > > SAMBA LDAP schema, etc. That I agree with. But I was trying to take baby steps, to ensure that I could get one thing working, becofee I added another. > Yeah, I personally think both should be added back ... I am strongly opposed to duplicate functionality in the code. If rlm_passwd can do all of the work of reading attributes from /etc/smbpasswd, then we should use it, and not duplicate that code elsewhere. To put it another way, what is the gain in having rlm_mschap read /etc/smbpasswd? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Help needed with MS Chap v2
On Fri, Mar 28, 2003 at 11:51:36AM +0300, 3APA3A wrote: > > --Thursday, March 27, 2003, 2:39:42 PM, you wrote to [EMAIL PROTECTED]: > > > AD> Try the latest CVS snapshot. I've re-written rlm_mschap to be > AD> smaller, simpler, and to have significantly more debug messages. > > AD> It won't look at /etc/smbpasswd any more, but that's probably a Good > AD> Thing. > > /etc/smbpasswd is really not required and was only for compatibility > (anyway it should be noted in Release Notes for peoples who upgrade > their RADIUS versions). > > Removing SMB-Account-CTRL attribute handling is not good, I know people > use it. It's very convinient if accounts are bulk imported from NT > domain or from SAMBA. It's standard atribute from SAMBA passwd format, > SAMBA LDAP schema, etc. Yeah, I personally think both should be added back ... /fc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re[4]: Help needed with MS Chap v2
Dear Alan DeKok, --Thursday, March 27, 2003, 2:39:42 PM, you wrote to [EMAIL PROTECTED]: AD> Try the latest CVS snapshot. I've re-written rlm_mschap to be AD> smaller, simpler, and to have significantly more debug messages. AD> It won't look at /etc/smbpasswd any more, but that's probably a Good AD> Thing. /etc/smbpasswd is really not required and was only for compatibility (anyway it should be noted in Release Notes for peoples who upgrade their RADIUS versions). Removing SMB-Account-CTRL attribute handling is not good, I know people use it. It's very convinient if accounts are bulk imported from NT domain or from SAMBA. It's standard atribute from SAMBA passwd format, SAMBA LDAP schema, etc. -- ~/ZARAZA Машина оказалась способной к единственному действию, а именно умножению 2x2, да и то при этом ошибаясь. (Лем) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Re[2]: Help needed with MS Chap v2
Hi Guy using the NAS to test with can be painfull. Here's what I do with radclient. radclient -f radtst-2.txt -x 127.0.0.1 auth testing123 Contents of file radtst-2.txt:- NAS-IP-Address = 10.3.1.252 NAS-Port = 1 NAS-Port-Type = Async User-Name = "barney" MS-CHAP-Challenge = 0xf891896ff83faf76 MS-CHAP-Response = 0x1c01000 02de6c684371d4373ff9ed97884686b55148577df9c12e0cc Service-Type = Framed-User Framed-Protocol = PPP The above is for user "barney" with passord "rockstar". Here's the hashes for same NT-Password: 746FDB64FD2E11D171D80823820969 LM-Password: 78D866152028B45E944E2DF489A880 I use the NAS at first and just screen-scrape (cut & paste actually) the challenge from the radiusd -sxx debug output for use with radclient. I use the PuTTY telnet client. Regards Mike D. >-Original Message- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] Behalf Of Guy Warner >Sent: Thursday, March 27, 2003 5:09 PM >To: [EMAIL PROTECTED] >Subject: Re[2]: Help needed with MS Chap v2 > > >At 19:47 26/03/2003 +0300, you wrote: >>Dear Guy Warner, >> >>This line simply notifies you there is no authentication schema may be >>used for packet (for MS-CHAPv1 both LM and NT authentication is >>available, for MS-CHAPv2 only NT and it fails in your case). Packet >>corruption is most unlikely from all variants. > > >Hi > >Thanks for all your help so far. Given then that no authentication schema >is available is this because of a invalid MS-CHAP-Challenge and >MS-CHAP2-Response pair. If so is there any software to manually generate >the pairings so that the server can be tested with radclient. If on the >other hand the pairing is correct what are the most likely causes of this >problem. I am confident that the username and password being sent >are valid >and the password contains no non-ascii characters. > >Thanks again > >Guy Warner > > > >- >List info/subscribe/unsubscribe? See >http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re[2]: Help needed with MS Chap v2
Guy Warner <[EMAIL PROTECTED]> wrote: > Thanks for all your help so far. Given then that no authentication schema > is available is this because of a invalid MS-CHAP-Challenge and > MS-CHAP2-Response pair. If so is there any software to manually generate > the pairings so that the server can be tested with radclient. Not really. > If on the other hand the pairing is correct what are the most likely > causes of this problem. I am confident that the username and > password being sent are valid and the password contains no non-ascii > characters. Try the latest CVS snapshot. I've re-written rlm_mschap to be smaller, simpler, and to have significantly more debug messages. It won't look at /etc/smbpasswd any more, but that's probably a Good Thing. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re[2]: Help needed with MS Chap v2
At 19:47 26/03/2003 +0300, you wrote: Dear Guy Warner, This line simply notifies you there is no authentication schema may be used for packet (for MS-CHAPv1 both LM and NT authentication is available, for MS-CHAPv2 only NT and it fails in your case). Packet corruption is most unlikely from all variants. Hi Thanks for all your help so far. Given then that no authentication schema is available is this because of a invalid MS-CHAP-Challenge and MS-CHAP2-Response pair. If so is there any software to manually generate the pairings so that the server can be tested with radclient. If on the other hand the pairing is correct what are the most likely causes of this problem. I am confident that the username and password being sent are valid and the password contains no non-ascii characters. Thanks again Guy Warner - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re[2]: Help needed with MS Chap v2
Dear Guy Warner,
This line simply notifies you there is no authentication schema may be
used for packet (for MS-CHAPv1 both LM and NT authentication is
available, for MS-CHAPv2 only NT and it fails in your case). Packet
corruption is most unlikely from all variants.
--Wednesday, March 26, 2003, 7:38:27 PM, you wrote to [EMAIL PROTECTED]:
GW> Thanks for the fast replies. The line
GW> Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the user
GW> makes me believe the packet is corrupted. Is there any way to test this. My
GW> suspicion is that the packet is being corrupted by the proxy server, however
GW> since this is running a dedicated operating system there is not a lot I can
GW> modify on it. The software used to send the initial request to the proxy is
GW> RASPPOE_098B.
GW> The LDAP server is authorizing the user names fine.
GW> Thanks again.
GW> Guy Warner
GW> - Original Message -
GW> From: "3APA3A" <[EMAIL PROTECTED]>
GW> To: "Guy Warner" <[EMAIL PROTECTED]>
GW> Sent: Wednesday, March 26, 2003 4:19 PM
GW> Subject: Re: Help needed with MS Chap v2
>> Dear Guy Warner,
>>
>> Authentication fails because of username or password mismatch. It may be
>> if packet is corrupted, if realm is not stripped from username or
>> password contains non-ASCII characters.
>>
>> --Wednesday, March 26, 2003, 7:10:32 PM, you wrote to
GW> [EMAIL PROTECTED]:
>>
>> GW> Hi
>>
>> GW> I am trying to set up a Freeradius 0.8.1 server to authenticate users
GW> with
>> GW> MS Chap v2. The information about each user is obtained from an LDAP
GW> server.
>> GW> The requests for authentication are being received via a proxy server.
>>
>> GW> The problem is that all requests to authenticate a user result in
>> GW> rlm_mschap: Nothing in the packet I recognise: Rejecting the
GW> user
>>
>> GW> The mschap section of radiusd.conf is as follows
>>
>> GW> mschap {
>> GW> authtype = MS-CHAP
>> GW> use_mppe = yes
>> GW> require_encryption = yes
>> GW> require_strong = yes
>> GW> }
>>
>>
>> GW> The output from radiusd in debug mode contains the following
>>
>> GW> rad_recv: Access-Request packet from host :1814,
GW> id=3,
>> GW> length=172
>> GW> MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
>> GW> MS-CHAP2-Response =
>> GW>
GW> 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
>> GW> 05c09460bdc1c3047ab43476f5
>> GW> User-Name = "[EMAIL PROTECTED]"
>> GW> NAS-IP-Address =
>> GW> NAS-Identifier =
>> GW> Service-Type = Framed-User
>> GW> Framed-Protocol = PPP
>> GW> Proxy-State = 0x313630
>> GW> ..
>> GW> Debug: modcall: entering group authtype
>> GW> Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
>> GW> Debug: rlm_mschap: Authentication failed
>> GW> Debug: rlm_mschap: Nothing in the packet I recognise:
GW> Rejecting the
>> GW> user
>> GW> Debug: modcall[authenticate]: module "mschap" returns reject
>>
>>
>> GW> The username is stripped of the domain since usernames are storred on
GW> the
>> GW> LDAP server in the short form.
>>
>> GW> Any suggestions on how to fix this problem would be gratefully
GW> received. If
>> GW> I have not provided sufficient information to diagnose the error then
GW> please
>> GW> let me know and I will send more information.
>>
>>
>> GW> Thanks in advance
>>
>>
>> GW> Guy Warner
>>
>>
>> GW> -
>> GW> List info/subscribe/unsubscribe? See
GW> http://www.freeradius.org/list/users.html
>>
>>
>> --
>> ~/ZARAZA
>> ÝÍÈÀÊàì - ïî ìîðäå! (Ëåì)
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
GW> http://www.freeradius.org/list/users.html
>>
GW> -
GW> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
~/ZARAZA
Êëÿíóñü ëûñèíîé ïðîðîêà Ìîèñåÿ - ÿ òåáÿ ñåé÷àñ ñúåì. (Òâåí)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Help needed with MS Chap v2
Thanks for the fast replies. The line
Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the user
makes me believe the packet is corrupted. Is there any way to test this. My
suspicion is that the packet is being corrupted by the proxy server, however
since this is running a dedicated operating system there is not a lot I can
modify on it. The software used to send the initial request to the proxy is
RASPPOE_098B.
The LDAP server is authorizing the user names fine.
Thanks again.
Guy Warner
- Original Message -
From: "3APA3A" <[EMAIL PROTECTED]>
To: "Guy Warner" <[EMAIL PROTECTED]>
Sent: Wednesday, March 26, 2003 4:19 PM
Subject: Re: Help needed with MS Chap v2
> Dear Guy Warner,
>
> Authentication fails because of username or password mismatch. It may be
> if packet is corrupted, if realm is not stripped from username or
> password contains non-ASCII characters.
>
> --Wednesday, March 26, 2003, 7:10:32 PM, you wrote to
[EMAIL PROTECTED]:
>
> GW> Hi
>
> GW> I am trying to set up a Freeradius 0.8.1 server to authenticate users
with
> GW> MS Chap v2. The information about each user is obtained from an LDAP
server.
> GW> The requests for authentication are being received via a proxy server.
>
> GW> The problem is that all requests to authenticate a user result in
> GW> rlm_mschap: Nothing in the packet I recognise: Rejecting the
user
>
> GW> The mschap section of radiusd.conf is as follows
>
> GW> mschap {
> GW> authtype = MS-CHAP
> GW> use_mppe = yes
> GW> require_encryption = yes
> GW> require_strong = yes
> GW> }
>
>
> GW> The output from radiusd in debug mode contains the following
>
> GW> rad_recv: Access-Request packet from host :1814,
id=3,
> GW> length=172
> GW> MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
> GW> MS-CHAP2-Response =
> GW>
0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
> GW> 05c09460bdc1c3047ab43476f5
> GW> User-Name = "[EMAIL PROTECTED]"
> GW> NAS-IP-Address =
> GW> NAS-Identifier =
> GW> Service-Type = Framed-User
> GW> Framed-Protocol = PPP
> GW> Proxy-State = 0x313630
> GW> ..
> GW> Debug: modcall: entering group authtype
> GW> Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
> GW> Debug: rlm_mschap: Authentication failed
> GW> Debug: rlm_mschap: Nothing in the packet I recognise:
Rejecting the
> GW> user
> GW> Debug: modcall[authenticate]: module "mschap" returns reject
>
>
> GW> The username is stripped of the domain since usernames are storred on
the
> GW> LDAP server in the short form.
>
> GW> Any suggestions on how to fix this problem would be gratefully
received. If
> GW> I have not provided sufficient information to diagnose the error then
please
> GW> let me know and I will send more information.
>
>
> GW> Thanks in advance
>
>
> GW> Guy Warner
>
>
> GW> -
> GW> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>
>
> --
> ~/ZARAZA
> ÝÍÈÀÊàì - ïî ìîðäå! (Ëåì)
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Help needed with MS Chap v2
Guy,
Do the LDAP server logs show anything?
josh.
On Wed, 2003-03-26 at 16:10, Guy Warner wrote:
> Hi
>
> I am trying to set up a Freeradius 0.8.1 server to authenticate users with
> MS Chap v2. The information about each user is obtained from an LDAP server.
> The requests for authentication are being received via a proxy server.
>
> The problem is that all requests to authenticate a user result in
> rlm_mschap: Nothing in the packet I recognise: Rejecting the user
>
> The mschap section of radiusd.conf is as follows
>
> mschap {
> authtype = MS-CHAP
> use_mppe = yes
> require_encryption = yes
> require_strong = yes
> }
>
>
> The output from radiusd in debug mode contains the following
>
> rad_recv: Access-Request packet from host :1814, id=3,
> length=172
> MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
> MS-CHAP2-Response =
> 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
> 05c09460bdc1c3047ab43476f5
> User-Name = "[EMAIL PROTECTED]"
> NAS-IP-Address =
> NAS-Identifier =
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Proxy-State = 0x313630
> ..
> Debug: modcall: entering group authtype
> Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
> Debug: rlm_mschap: Authentication failed
> Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the
> user
> Debug: modcall[authenticate]: module "mschap" returns reject
>
>
> The username is stripped of the domain since usernames are storred on the
> LDAP server in the short form.
>
> Any suggestions on how to fix this problem would be gratefully received. If
> I have not provided sufficient information to diagnose the error then please
> let me know and I will send more information.
>
>
> Thanks in advance
>
>
> Guy Warner
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Help needed with MS Chap v2
Dear Guy Warner,
Authentication fails because of username or password mismatch. It may be
if packet is corrupted, if realm is not stripped from username or
password contains non-ASCII characters.
--Wednesday, March 26, 2003, 7:10:32 PM, you wrote to [EMAIL PROTECTED]:
GW> Hi
GW> I am trying to set up a Freeradius 0.8.1 server to authenticate users with
GW> MS Chap v2. The information about each user is obtained from an LDAP server.
GW> The requests for authentication are being received via a proxy server.
GW> The problem is that all requests to authenticate a user result in
GW> rlm_mschap: Nothing in the packet I recognise: Rejecting the user
GW> The mschap section of radiusd.conf is as follows
GW> mschap {
GW> authtype = MS-CHAP
GW> use_mppe = yes
GW> require_encryption = yes
GW> require_strong = yes
GW> }
GW> The output from radiusd in debug mode contains the following
GW> rad_recv: Access-Request packet from host :1814, id=3,
GW> length=172
GW> MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
GW> MS-CHAP2-Response =
GW> 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
GW> 05c09460bdc1c3047ab43476f5
GW> User-Name = "[EMAIL PROTECTED]"
GW> NAS-IP-Address =
GW> NAS-Identifier =
GW> Service-Type = Framed-User
GW> Framed-Protocol = PPP
GW> Proxy-State = 0x313630
GW> ..
GW> Debug: modcall: entering group authtype
GW> Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
GW> Debug: rlm_mschap: Authentication failed
GW> Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the
GW> user
GW> Debug: modcall[authenticate]: module "mschap" returns reject
GW> The username is stripped of the domain since usernames are storred on the
GW> LDAP server in the short form.
GW> Any suggestions on how to fix this problem would be gratefully received. If
GW> I have not provided sufficient information to diagnose the error then please
GW> let me know and I will send more information.
GW> Thanks in advance
GW> Guy Warner
GW> -
GW> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
~/ZARAZA
ÝÍÈÀÊàì - ïî ìîðäå! (Ëåì)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Help needed with MS Chap v2
Hi
I am trying to set up a Freeradius 0.8.1 server to authenticate users with
MS Chap v2. The information about each user is obtained from an LDAP server.
The requests for authentication are being received via a proxy server.
The problem is that all requests to authenticate a user result in
rlm_mschap: Nothing in the packet I recognise: Rejecting the user
The mschap section of radiusd.conf is as follows
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}
The output from radiusd in debug mode contains the following
rad_recv: Access-Request packet from host :1814, id=3,
length=172
MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
MS-CHAP2-Response =
0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
05c09460bdc1c3047ab43476f5
User-Name = "[EMAIL PROTECTED]"
NAS-IP-Address =
NAS-Identifier =
Service-Type = Framed-User
Framed-Protocol = PPP
Proxy-State = 0x313630
..
Debug: modcall: entering group authtype
Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
Debug: rlm_mschap: Authentication failed
Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the
user
Debug: modcall[authenticate]: module "mschap" returns reject
The username is stripped of the domain since usernames are storred on the
LDAP server in the short form.
Any suggestions on how to fix this problem would be gratefully received. If
I have not provided sufficient information to diagnose the error then please
let me know and I will send more information.
Thanks in advance
Guy Warner
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
