Re: Help needed with MS Chap v2

2003-03-28 Thread Frank Cusack
On Fri, Mar 28, 2003 at 11:51:36AM +0300, 3APA3A wrote:
 
 --Thursday, March 27, 2003, 2:39:42 PM, you wrote to [EMAIL PROTECTED]:
 
 
 AD   Try the latest CVS snapshot.  I've re-written rlm_mschap to be
 AD smaller, simpler, and to have significantly more debug messages.
 
 AD   It won't look at /etc/smbpasswd any more, but that's probably a Good
 AD Thing.
 
 /etc/smbpasswd is really not required and was only for compatibility
 (anyway it should be noted in Release Notes for people who upgrade
 their RADIUS versions).
 
 Removing SMB-Account-CTRL attribute handling is not good, I know people
 use it. It's very convenient if accounts are bulk imported from NT
 domain or from SAMBA. It's standard attribute from SAMBA passwd format,
 SAMBA LDAP schema, etc.

Yeah, I personally think both should be added back ...

/fc

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Help needed with MS Chap v2

2003-03-28 Thread Alan DeKok
Frank Cusack [EMAIL PROTECTED] wrote:
 On Fri, Mar 28, 2003 at 11:51:36AM +0300, 3APA3A wrote:
  /etc/smbpasswd is really not required and was only for compatibility
  (anyway it should be noted in Release Notes for people who upgrade
  their RADIUS versions).

  I've done that, and added code to rlm_mschap which will complain if
people try to configure it to use /etc/smbpasswd, and will tell people
what to do to fix the problem.

  Removing SMB-Account-CTRL attribute handling is not good, I know people
  use it. It's very convenient if accounts are bulk imported from NT
  domain or from SAMBA. It's standard attribute from SAMBA passwd format,
  SAMBA LDAP schema, etc.

  That I agree with.  But I was trying to take baby steps, to ensure
that I could get one thing working, before I added another.

 Yeah, I personally think both should be added back ...

  I am strongly opposed to duplicate functionality in the code.  If
rlm_passwd can do all of the work of reading attributes from
/etc/smbpasswd, then we should use it, and not duplicate that code
elsewhere.

  To put it another way, what is the gain in having rlm_mschap read
/etc/smbpasswd?

  Alan DeKok.



Re: Help needed with MS Chap v2

2003-03-28 Thread Frank Cusack
On Fri, Mar 28, 2003 at 06:34:31AM -0500, Alan DeKok wrote:
 Frank Cusack [EMAIL PROTECTED] wrote:
  On Fri, Mar 28, 2003 at 11:51:36AM +0300, 3APA3A wrote:
   /etc/smbpasswd is really not required and was only for compatibility
   (anyway it should be noted in Release Notes for people who upgrade
   their RADIUS versions).

  Yeah, I personally think both should be added back ...
 
   I am strongly opposed to duplicate functionality in the code.  If
 rlm_passwd can do all of the work of reading attributes from
 /etc/smbpasswd, then we should use it, and not duplicate that code
 elsewhere.
 
   To put it another way, what is the gain in having rlm_mschap read
 /etc/smbpasswd?

ah.  none.

/fc



Re: Help needed with MS Chap v2

2003-03-26 Thread 3APA3A
Dear Guy Warner,

Authentication fails because of username or password mismatch. It may be
if packet is corrupted, if realm is not stripped from username or
password contains non-ASCII characters.

--Wednesday, March 26, 2003, 7:10:32 PM, you wrote to [EMAIL PROTECTED]:

GW Hi

GW I am trying to set up a Freeradius 0.8.1 server to authenticate users with
GW MS Chap v2. The information about each user is obtained from an LDAP server.
GW The requests for authentication are being received via a proxy server.

GW The problem is that all requests to authenticate a user result in
GW  rlm_mschap: Nothing in the packet I recognise: Rejecting the user

GW The mschap section of radiusd.conf is as follows

GW  mschap {
GW authtype = MS-CHAP
GW use_mppe = yes
GW require_encryption = yes
GW require_strong = yes
GW }


GW The output from radiusd in debug mode contains the following

GW rad_recv: Access-Request packet from host omitted:1814, id=3,
GW length=172
GW MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
GW MS-CHAP2-Response =
GW 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
GW 05c09460bdc1c3047ab43476f5
GW User-Name = [EMAIL PROTECTED]
GW NAS-IP-Address = omitted
GW NAS-Identifier = omitted
GW Service-Type = Framed-User
GW Framed-Protocol = PPP
GW Proxy-State = 0x313630
GW ..
GW Debug: modcall: entering group authtype
GW Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
GW Debug: rlm_mschap: Authentication failed
GW Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the
GW user
GW Debug:   modcall[authenticate]: module mschap returns reject


GW The username is stripped of the domain since usernames are stored on the
GW LDAP server in the short form.

GW Any suggestions on how to fix this problem would be gratefully received. If
GW I have not provided sufficient information to diagnose the error then please
GW let me know and I will send more information.


GW Thanks in advance


GW Guy Warner




-- 
~/ZARAZA
A punch in the face for ENIACs! (Lem)




Re: Help needed with MS Chap v2

2003-03-26 Thread Josh Howlett
Guy,

Do the LDAP server logs show anything?

josh.

On Wed, 2003-03-26 at 16:10, Guy Warner wrote:
 Hi
 
 I am trying to set up a Freeradius 0.8.1 server to authenticate users with
 MS Chap v2. The information about each user is obtained from an LDAP server.
 The requests for authentication are being received via a proxy server.
 
 The problem is that all requests to authenticate a user result in
  rlm_mschap: Nothing in the packet I recognise: Rejecting the user
 
 The mschap section of radiusd.conf is as follows
 
  mschap {
 authtype = MS-CHAP
 use_mppe = yes
 require_encryption = yes
 require_strong = yes
 }
 
 
 The output from radiusd in debug mode contains the following
 
 rad_recv: Access-Request packet from host omitted:1814, id=3,
 length=172
 MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
 MS-CHAP2-Response =
 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
 05c09460bdc1c3047ab43476f5
 User-Name = [EMAIL PROTECTED]
 NAS-IP-Address = omitted
 NAS-Identifier = omitted
 Service-Type = Framed-User
 Framed-Protocol = PPP
 Proxy-State = 0x313630
 ..
 Debug: modcall: entering group authtype
 Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
 Debug: rlm_mschap: Authentication failed
 Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the
 user
 Debug:   modcall[authenticate]: module mschap returns reject
 
 
 The username is stripped of the domain since usernames are stored on the
 LDAP server in the short form.
 
 Any suggestions on how to fix this problem would be gratefully received. If
 I have not provided sufficient information to diagnose the error then please
 let me know and I will send more information.
 
 
 Thanks in advance
 
 
 Guy Warner
 
 
-- 
---
Josh Howlett, Networking  Digital Communications,
Information Systems  Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]

---




Re: Help needed with MS Chap v2

2003-03-26 Thread Guy Warner
Thanks for the fast replies. The line
Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the user
makes me believe the packet is corrupted. Is there any way to test this? My
suspicion is that the packet is being corrupted by the proxy server, however
since this is running a dedicated operating system there is not a lot I can
modify on it. The software used to send the initial request to the proxy is
RASPPOE_098B.

The LDAP server is authorizing the user names fine.

Thanks again.

Guy Warner

- Original Message -
From: 3APA3A [EMAIL PROTECTED]
To: Guy Warner [EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 4:19 PM
Subject: Re: Help needed with MS Chap v2


 Dear Guy Warner,

 Authentication fails because of username or password mismatch. It may be
 if packet is corrupted, if realm is not stripped from username or
 password contains non-ASCII characters.

 --Wednesday, March 26, 2003, 7:10:32 PM, you wrote to [EMAIL PROTECTED]:

 GW Hi

 GW I am trying to set up a Freeradius 0.8.1 server to authenticate users with
 GW MS Chap v2. The information about each user is obtained from an LDAP server.
 GW The requests for authentication are being received via a proxy server.

 GW The problem is that all requests to authenticate a user result in
 GW  rlm_mschap: Nothing in the packet I recognise: Rejecting the user

 GW The mschap section of radiusd.conf is as follows

 GW  mschap {
 GW authtype = MS-CHAP
 GW use_mppe = yes
 GW require_encryption = yes
 GW require_strong = yes
 GW }


 GW The output from radiusd in debug mode contains the following

 GW rad_recv: Access-Request packet from host omitted:1814, id=3,
 GW length=172
 GW MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
 GW MS-CHAP2-Response =
 GW 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
 GW 05c09460bdc1c3047ab43476f5
 GW User-Name = [EMAIL PROTECTED]
 GW NAS-IP-Address = omitted
 GW NAS-Identifier = omitted
 GW Service-Type = Framed-User
 GW Framed-Protocol = PPP
 GW Proxy-State = 0x313630
 GW ..
 GW Debug: modcall: entering group authtype
 GW Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
 GW Debug: rlm_mschap: Authentication failed
 GW Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the
 GW user
 GW Debug:   modcall[authenticate]: module mschap returns reject


 GW The username is stripped of the domain since usernames are stored on the
 GW LDAP server in the short form.

 GW Any suggestions on how to fix this problem would be gratefully received. If
 GW I have not provided sufficient information to diagnose the error then please
 GW let me know and I will send more information.


 GW Thanks in advance


 GW Guy Warner




 --
 ~/ZARAZA
 A punch in the face for ENIACs! (Lem)





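
One way to test the packet-corruption suspicion raised in the message above, as an added example that is not part of the original thread: the script checks the two MS-CHAP attribute values from the debug output against the field layout in RFC 2548. The constant and function names are chosen here; run on the hex exactly as posted, it reports a 42-byte MS-CHAP2-Response where 50 are expected, which may reflect bytes lost when the log was pasted into mail rather than on the wire.

```python
"""Added example: structural check of the MS-CHAPv2 attributes in a debug log."""
import re

CHALLENGE_LEN = 16   # MS-CHAP-Challenge (authenticator challenge for MS-CHAPv2)
RESPONSE_LEN = 50    # Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)

# Values copied from the debug output in the post, wrapped as they appear there.
POSTED_CHALLENGE = "0x18192e70aa5f3989b735ced1b471afd2"
POSTED_RESPONSE = """0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
05c09460bdc1c3047ab43476f5"""

# Constructed well-formed value for comparison (not real credentials).
SAMPLE_RESPONSE = "0x" + (bytes([1, 0]) + bytes(range(16)) + bytes(8)
                          + bytes(range(24))).hex()


def hex_value(text):
    """Decode a '0x...' attribute value that may be wrapped across lines."""
    digits = re.sub(r"\s+", "", text)
    if digits[:2].lower() == "0x":
        digits = digits[2:]
    return bytes.fromhex(digits)  # ValueError on odd length or non-hex input


def split_response(value):
    """Split a 50-byte MS-CHAP2-Response value into its RFC 2548 fields."""
    return {"ident": value[0], "flags": value[1], "peer_challenge": value[2:18],
            "reserved": value[18:26], "nt_response": value[26:50]}


def check_mschap2(challenge_hex, response_hex):
    """Return a list of structural problems; an empty list means none found."""
    problems = []
    challenge, response = hex_value(challenge_hex), hex_value(response_hex)
    if len(challenge) != CHALLENGE_LEN:
        problems.append(f"MS-CHAP-Challenge is {len(challenge)} bytes, expected {CHALLENGE_LEN}")
    if len(response) != RESPONSE_LEN:
        # Field offsets are meaningless on a short or long value, so stop here.
        problems.append(f"MS-CHAP2-Response is {len(response)} bytes, expected {RESPONSE_LEN}")
        return problems
    fields = split_response(response)
    if fields["flags"] != 0:
        problems.append("Flags octet is not zero")
    if any(fields["reserved"]):
        problems.append("Reserved field (offsets 18-25) is not all zero")
    return problems


if __name__ == "__main__":
    for name, resp in (("posted", POSTED_RESPONSE), ("sample", SAMPLE_RESPONSE)):
        print(name, check_mschap2(POSTED_CHALLENGE, resp) or "layout OK")
```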