Re: MS-CHAP not working
On Wed, Feb 12, 2003 at 05:01:02AM -0500, Alan DeKok wrote:
> Frank Keeney <[EMAIL PROTECTED]> wrote:
> > Problem number two appears to be the Linux platform we used. MS-CHAP will
> > not work under any condition on our Alpha CPU platforms running
> > Debian. Our Intel Debian platforms MS-CHAP works fine.
>
> That sounds like a byte-order problem in the mschap module.

I wouldn't think so, as no Solaris folks have complained.

/fc

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re[2]: MS-CHAP not working
Dear Frank Keeney,

It's most likely to be a problem of either MD4 or SHA1. Can you send the result of 'smbencrypt' for any known password?

--Wednesday, February 12, 2003, 6:06:18 PM, you wrote to [EMAIL PROTECTED]:

FK> Problem number two appears to be the Linux platform we used. MS-CHAP will
FK> not work under any condition on our Alpha CPU platforms running
FK> Debian. Our Intel Debian platforms MS-CHAP works fine.

FK> On Fri, 7 Feb 2003, Frank Keeney wrote:

>> Looks like we had two problems. You are correct, we kept typing in the
>> wrong password. MS-CHAP is working now but on a test server with a clean
>> install.
>>
>> We're busy comparing the two servers' configs to find out what was wrong.
>>

--
~/ZARAZA
Yes, he was devilishly lucky. Oh, what a rotten time he would have had if he had survived! (Twain)
Re: MS-CHAP not working
Frank Keeney <[EMAIL PROTECTED]> wrote:
> Problem number two appears to be the Linux platform we used. MS-CHAP will
> not work under any condition on our Alpha CPU platforms running
> Debian. Our Intel Debian platforms MS-CHAP works fine.

That sounds like a byte-order problem in the mschap module.

Unfortunately, I don't know much about it...

Alan DeKok.
Re: MS-CHAP not working
Problem number two appears to be the Linux platform we used. MS-CHAP will not work under any condition on our Alpha CPU platforms running Debian. Our Intel Debian platforms MS-CHAP works fine.

On Fri, 7 Feb 2003, Frank Keeney wrote:

> Looks like we had two problems. You are correct, we kept typing in the
> wrong password. MS-CHAP is working now but on a test server with a clean
> install.
>
> We're busy comparing the two servers' configs to find out what was wrong.
>
Re: MS-CHAP not working
Dear Frank Keeney,

Please get the new version from CVS. I changed the importance of the SMB-Account-Control attribute a couple of days ago, but didn't check that the default value is valid, so it fails if this attribute isn't present.

--Friday, February 7, 2003, 9:58:23 PM, you wrote to [EMAIL PROTECTED]:

FK> I can't seem to get MS-CHAP to work. We've spent many hours with various
FK> configurations but always seem to have an error. We've tried smbpasswd and
FK> other options without success.

FK> Is there an example MS-CHAP config that I can use for a model? I've been
FK> through all the docs and the mailing list. The NAS is an SMC EliteConnect.

FK> We keep seeing this message and others:

FK> rlm_mschap: No LM/NT password configured. Check authorization.
FK> modcall[authenticate]: module "mschap" returns invalid

FK> Thank you,
FK> Configs and dump below:
FK>
FK> Applicable parts of the config:

FK> mschap {
FK>     authtype = MS-CHAP
FK>     use_mppe = yes
FK>     require_encryption = yes
FK> }

FK> authorize {
FK>     mschap
FK> }

FK> authenticate {
FK>     authtype PAP {
FK>         pap
FK>     }
FK>     authtype CHAP {
FK>         chap
FK>     }
FK>     authtype MS-CHAP {
FK>         mschap
FK>     }
FK> }

FK> preacct {
FK>     preprocess
FK>     suffix
FK>     files
FK> }
FK>
FK> Test user file:

FK> test11  Auth-Type := Local, User-Password := "test"
FK> test12  Auth-Type := MS-CHAP, User-Password := "test"
FK>
FK> Radius dump:

FK> Ready to process requests.
FK> rad_recv: Access-Request packet from host 192.168.16.3:1176, id=130, length=110
FK>     User-Name = "test12"
FK>     MS-CHAP-Challenge = 0x2c1096fe257fe7d558cd07dee6ea1638
FK>     MS-CHAP2-Response = 0x3d1602735c6db434c3145b04dc81a12325833ba5078dd3cd1fc0f070e6ae98ee629e73bb4d1742a2
FK> rad_lowerpair: User-Name now 'test12'
FK> rad_rmspace_pair: User-Name now 'test12'
FK> modcall: entering group authorize
FK> modcall[authorize]: module "preprocess" returns ok
FK> users: Matched DEFAULT at 1
FK> modcall[authorize]: module "files" returns ok
FK> modcall[authorize]: module "mschap" returns notfound
FK> modcall: group authorize returns ok
FK> rad_check_password: Found Auth-Type MS-CHAP
FK> auth: type "MS-CHAP"
FK> modcall: entering group authtype
FK> rlm_mschap: No LM/NT password configured. Check authorization.
FK> modcall[authenticate]: module "mschap" returns invalid
FK> modcall: group authtype returns invalid
FK> auth: Failed to validate the user.
FK> Login incorrect: [test12] (from client smc port 0)
FK> Delaying request 0 for 1 seconds
FK> Finished request 0
FK> Going to the next request
FK> --- Walking the entire request list ---
FK> Waking up in 1 seconds...
FK> --- Walking the entire request list ---
FK> Waking up in 1 seconds...
FK> --- Walking the entire request list ---
FK> Sending Access-Reject of id 130 to 192.168.16.3:1176
FK>     MS-CHAP-Error = "\000E=691 R=1"
FK> Waking up in 4 seconds...
FK> --- Walking the entire request list ---
FK> Cleaning up request 0 ID 130 with timestamp 3e43ffcc
FK> Nothing to do. Sleeping until we see a request.

FK> Radius dump number 2:

FK> --- Walking the entire request list ---
FK> Threads: total/active/spare threads = 5/1/4
FK> Waking up in 5 seconds...
FK> Thread 1 handling request 0, (1 handled so far)
FK>     User-Name = "test12"
FK>     MS-CHAP-Challenge = 0x6227301276f8a2625c5e1b17f5cf8c4b
FK>     MS-CHAP2-Response = 0x5e2f83723e193f82d54c210d15bab6744a1ee29726edf3a348188e0d4c5c4a59c6542ff9637ec90d
FK> rad_lowerpair: User-Name now 'test12'
FK> rad_rmspace_pair: User-Name now 'test12'
FK> modcall: entering group authorize
FK> modcall[authorize]: module "preprocess" returns ok
FK> rlm_chap: Could not find proper Chap-Password attribute in request
FK> modcall[authorize]: module "chap" returns noop
FK> users: Matched test12 at 1075
FK> modcall[authorize]: module "files" returns ok
FK> modcall[authorize]: module "mschap" returns ok
FK> modcall: group authorize returns ok
FK> rad_check_password: Found Auth-Type MS-CHAP
FK> auth: type "MS-CHAP"
FK> modcall: entering group authtype
FK> rlm_mschap: doing MS-CHAPv2 with NT-Password
FK> rlm_mschap: Authentication failed
FK> rlm_mschap: Nothing in the packet I recognise: Rejecting the user
FK> modcall[authenticate]: module "mschap" returns reject
FK> modcall: group authtype returns reject
FK> auth: Failed to validate the user.
FK> Login incorrect: [test12] (from client smc port 0)
FK> Delaying request 0 for 1 seconds
FK> Finished request 0
FK> Going to the next request
FK> Thread 1 waiting to be assigned a request
FK> --- Walking the entire request list ---
FK> Threads: total/active/spare threads = 5/0/5
FK> Sending Access-Reject of id 56 to 192.168.16.3:1102
FK>
Re: MS-CHAP not working
Alan,

Looks like we had two problems. You are correct, we kept typing in the wrong password. MS-CHAP is working now but on a test server with a clean install.

We're busy comparing the two servers' configs to find out what was wrong.

Thanks for your assistance. This is great!

FYI, the NAS is an SMC EliteConnect, http://elite.smc.com. It's for wireless authentication and encryption.

Frank

On Fri, 7 Feb 2003, Alan DeKok wrote:

> > rlm_mschap: doing MS-CHAPv2 with NT-Password
> > rlm_mschap: Authentication failed
>
> That would appear to be definitive.
>
> It's using MS-CHAP, but the supplied passwords don't match.
Re: MS-CHAP not working
Frank Keeney <[EMAIL PROTECTED]> wrote:
> > Configure the 'passwd' file for the module, to point to 'smbpasswd',
> > and I bet it will work.
>
> We did that. Here is the dump:
...
> rlm_mschap: doing MS-CHAPv2 with NT-Password
> rlm_mschap: Authentication failed

That would appear to be definitive.

It's using MS-CHAP, but the supplied passwords don't match.

Alan DeKok.
Re: MS-CHAP not working
On Fri, 7 Feb 2003, Alan DeKok wrote:

> Oh, you *do* have it using 'files'. But you didn't post the config
> you're using... why?

Config is at the bottom of this message. Thanks for the help!

> And why are you forcing MS-CHAP authentication for user 'test12'?
> Why not let the server discover that for itself?

We made that change. See config below.

> Configure the 'passwd' file for the module, to point to 'smbpasswd',
> and I bet it will work.

We did that. Here is the dump:

[root@localhost sbin]# radiusd -xx
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: servers_per_realm = 15
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: ignore_password = no
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "/etc/smbpasswd"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
thread: start_servers = 5
thread: max_servers = 32
thread: min_spare_servers = 3
thread: max_spare_servers = 10
thread: max_requests_per_server = 0
thread: cleanup_delay = 5
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
Thread spawned new child 5. Total threads in pool: 5
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Rea
Re: MS-CHAP not working
Frank Keeney <[EMAIL PROTECTED]> wrote:
> Is there an example MS-CHAP config that I can use for a model?

radiusd.conf?

> authorize {
>     mschap
> }

You don't have it using 'files' at all...

> users: Matched DEFAULT at 1
> modcall[authorize]: module "files" returns ok

Oh, you *do* have it using 'files'. But you didn't post the config you're using... why?

And why are you forcing MS-CHAP authentication for user 'test12'? Why not let the server discover that for itself?

Configure the 'passwd' file for the module, to point to 'smbpasswd', and I bet it will work.

Alan DeKok.
MS-CHAP not working
I can't seem to get MS-CHAP to work. We've spent many hours with various configurations but always seem to have an error. We've tried smbpasswd and other options without success.

Is there an example MS-CHAP config that I can use for a model? I've been through all the docs and the mailing list. The NAS is an SMC EliteConnect.

We keep seeing this message and others:

rlm_mschap: No LM/NT password configured. Check authorization.
modcall[authenticate]: module "mschap" returns invalid

Thank you,
Configs and dump below:

Applicable parts of the config:

mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_encryption = yes
}

authorize {
    mschap
}

authenticate {
    authtype PAP {
        pap
    }
    authtype CHAP {
        chap
    }
    authtype MS-CHAP {
        mschap
    }
}

preacct {
    preprocess
    suffix
    files
}

Test user file:

test11  Auth-Type := Local, User-Password := "test"
test12  Auth-Type := MS-CHAP, User-Password := "test"

Radius dump:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.16.3:1176, id=130, length=110
    User-Name = "test12"
    MS-CHAP-Challenge = 0x2c1096fe257fe7d558cd07dee6ea1638
    MS-CHAP2-Response = 0x3d1602735c6db434c3145b04dc81a12325833ba5078dd3cd1fc0f070e6ae98ee629e73bb4d1742a2
rad_lowerpair: User-Name now 'test12'
rad_rmspace_pair: User-Name now 'test12'
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
users: Matched DEFAULT at 1
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns notfound
modcall: group authorize returns ok
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authtype
rlm_mschap: No LM/NT password configured. Check authorization.
modcall[authenticate]: module "mschap" returns invalid
modcall: group authtype returns invalid
auth: Failed to validate the user.
Login incorrect: [test12] (from client smc port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 130 to 192.168.16.3:1176
    MS-CHAP-Error = "\000E=691 R=1"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 130 with timestamp 3e43ffcc
Nothing to do. Sleeping until we see a request.

Radius dump number 2:

--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
    User-Name = "test12"
    MS-CHAP-Challenge = 0x6227301276f8a2625c5e1b17f5cf8c4b
    MS-CHAP2-Response = 0x5e2f83723e193f82d54c210d15bab6744a1ee29726edf3a348188e0d4c5c4a59c6542ff9637ec90d
rad_lowerpair: User-Name now 'test12'
rad_rmspace_pair: User-Name now 'test12'
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
users: Matched test12 at 1075
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authtype
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: Authentication failed
rlm_mschap: Nothing in the packet I recognise: Rejecting the user
modcall[authenticate]: module "mschap" returns reject
modcall: group authtype returns reject
auth: Failed to validate the user.
Login incorrect: [test12] (from client smc port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5
Sending Access-Reject of id 56 to 192.168.16.3:1102
    MS-CHAP-Error = "\000E=691 R=1"
Waking up in 1 seconds...
Error receiving packet: Connection refused
rl_next: returning NULL
Cleaning up request 0 ID 56 with timestamp 3e3b09ec
Waking up in 1 seconds...
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.16.3:1103, id=57, length=108
Thread 2 assigned request 1
--- Walking the entire request list ---