Re: Help needed with MS Chap v2
On Fri, Mar 28, 2003 at 11:51:36AM +0300, 3APA3A wrote:
> --Thursday, March 27, 2003, 2:39:42 PM, you wrote to [EMAIL PROTECTED]:
>
> AD Try the latest CVS snapshot. I've re-written rlm_mschap to be
> AD smaller, simpler, and to have significantly more debug messages.
> AD It won't look at /etc/smbpasswd any more, but that's probably a Good
> AD Thing.
>
> /etc/smbpasswd is really not required and was only for compatibility
> (anyway it should be noted in Release Notes for people who upgrade
> their RADIUS versions).
>
> Removing SMB-Account-CTRL attribute handling is not good, I know people
> use it. It's very convenient if accounts are bulk imported from NT
> domain or from SAMBA. It's standard attribute from SAMBA passwd format,
> SAMBA LDAP schema, etc.

Yeah, I personally think both should be added back ...

/fc
Re: Help needed with MS Chap v2
Frank Cusack [EMAIL PROTECTED] wrote:
> On Fri, Mar 28, 2003 at 11:51:36AM +0300, 3APA3A wrote:
> > /etc/smbpasswd is really not required and was only for compatibility
> > (anyway it should be noted in Release Notes for people who upgrade
> > their RADIUS versions).

I've done that, and added code to rlm_mschap which will complain if people try to configure it to use /etc/smbpasswd, and will tell people what to do to fix the problem.

> > Removing SMB-Account-CTRL attribute handling is not good, I know people
> > use it. It's very convenient if accounts are bulk imported from NT
> > domain or from SAMBA. It's standard attribute from SAMBA passwd format,
> > SAMBA LDAP schema, etc.

That I agree with. But I was trying to take baby steps, to ensure that I could get one thing working, before I added another.

> Yeah, I personally think both should be added back ...

I am strongly opposed to duplicate functionality in the code. If rlm_passwd can do all of the work of reading attributes from /etc/smbpasswd, then we should use it, and not duplicate that code elsewhere.

To put it another way, what is the gain in having rlm_mschap read /etc/smbpasswd?

Alan DeKok.
Re: Help needed with MS Chap v2
On Fri, Mar 28, 2003 at 06:34:31AM -0500, Alan DeKok wrote:
> Frank Cusack [EMAIL PROTECTED] wrote:
> > On Fri, Mar 28, 2003 at 11:51:36AM +0300, 3APA3A wrote:
> > > /etc/smbpasswd is really not required and was only for compatibility
> > > (anyway it should be noted in Release Notes for people who upgrade
> > > their RADIUS versions).
> >
> > Yeah, I personally think both should be added back ...
>
> I am strongly opposed to duplicate functionality in the code. If
> rlm_passwd can do all of the work of reading attributes from
> /etc/smbpasswd, then we should use it, and not duplicate that code
> elsewhere.
>
> To put it another way, what is the gain in having rlm_mschap read
> /etc/smbpasswd?

ah. none.

/fc
Re: Help needed with MS Chap v2
Dear Guy Warner,

Authentication fails because of username or password mismatch. It may be if packet is corrupted, if realm is not stripped from username or password contains non-ASCII characters.

--Wednesday, March 26, 2003, 7:10:32 PM, you wrote to [EMAIL PROTECTED]:

GW Hi
GW I am trying to set up a Freeradius 0.8.1 server to authenticate users with
GW MS Chap v2. The information about each user is obtained from an LDAP server.
GW The requests for authentication are being received via a proxy server.
GW The problem is that all requests to authenticate a user result in
GW rlm_mschap: Nothing in the packet I recognise: Rejecting the user
GW The mschap section of radiusd.conf is as follows
GW mschap {
GW authtype = MS-CHAP
GW use_mppe = yes
GW require_encryption = yes
GW require_strong = yes
GW }
GW The output from radiusd in debug mode contains the following
GW rad_recv: Access-Request packet from host omitted:1814, id=3,
GW length=172
GW MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
GW MS-CHAP2-Response =
GW 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
GW 05c09460bdc1c3047ab43476f5
GW User-Name = [EMAIL PROTECTED]
GW NAS-IP-Address = omitted
GW NAS-Identifier = omitted
GW Service-Type = Framed-User
GW Framed-Protocol = PPP
GW Proxy-State = 0x313630
GW ..
GW Debug: modcall: entering group authtype
GW Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
GW Debug: rlm_mschap: Authentication failed
GW Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the
GW user
GW Debug: modcall[authenticate]: module mschap returns reject
GW The username is stripped of the domain since usernames are stored on the
GW LDAP server in the short form.
GW Any suggestions on how to fix this problem would be gratefully received. If
GW I have not provided sufficient information to diagnose the error then please
GW let me know and I will send more information.
GW Thanks in advance
GW Guy Warner

--
~/ZARAZA
Punch the ENIACs in the face! (Lem)
Re: Help needed with MS Chap v2
Guy,

Do the LDAP server logs show anything?

josh.

On Wed, 2003-03-26 at 16:10, Guy Warner wrote:
> Hi
>
> I am trying to set up a Freeradius 0.8.1 server to authenticate users with
> MS Chap v2. The information about each user is obtained from an LDAP server.
> The requests for authentication are being received via a proxy server.
>
> The problem is that all requests to authenticate a user result in
>
> rlm_mschap: Nothing in the packet I recognise: Rejecting the user
>
> The mschap section of radiusd.conf is as follows
>
> mschap {
> authtype = MS-CHAP
> use_mppe = yes
> require_encryption = yes
> require_strong = yes
> }
>
> The output from radiusd in debug mode contains the following
>
> rad_recv: Access-Request packet from host omitted:1814, id=3, length=172
> MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
> MS-CHAP2-Response = 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
> 05c09460bdc1c3047ab43476f5
> User-Name = [EMAIL PROTECTED]
> NAS-IP-Address = omitted
> NAS-Identifier = omitted
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Proxy-State = 0x313630
> ..
> Debug: modcall: entering group authtype
> Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
> Debug: rlm_mschap: Authentication failed
> Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the user
> Debug: modcall[authenticate]: module mschap returns reject
>
> The username is stripped of the domain since usernames are stored on the
> LDAP server in the short form.
>
> Any suggestions on how to fix this problem would be gratefully received. If
> I have not provided sufficient information to diagnose the error then please
> let me know and I will send more information.
>
> Thanks in advance
>
> Guy Warner

--
---
Josh Howlett, Networking Digital Communications,
Information Systems Computing,
University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
---
Re: Help needed with MS Chap v2
Thanks for the fast replies.

The line

Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the user

makes me believe the packet is corrupted. Is there any way to test this? My suspicion is that the packet is being corrupted by the proxy server, however since this is running a dedicated operating system there is not a lot I can modify on it. The software used to send the initial request to the proxy is RASPPOE_098B.

The LDAP server is authorizing the user names fine.

Thanks again.

Guy Warner

----- Original Message -----
From: 3APA3A [EMAIL PROTECTED]
To: Guy Warner [EMAIL PROTECTED]
Sent: Wednesday, March 26, 2003 4:19 PM
Subject: Re: Help needed with MS Chap v2

Dear Guy Warner,

Authentication fails because of username or password mismatch. It may be if packet is corrupted, if realm is not stripped from username or password contains non-ASCII characters.

--Wednesday, March 26, 2003, 7:10:32 PM, you wrote to [EMAIL PROTECTED]:

GW Hi
GW I am trying to set up a Freeradius 0.8.1 server to authenticate users with
GW MS Chap v2. The information about each user is obtained from an LDAP server.
GW The requests for authentication are being received via a proxy server.
GW The problem is that all requests to authenticate a user result in
GW rlm_mschap: Nothing in the packet I recognise: Rejecting the user
GW The mschap section of radiusd.conf is as follows
GW mschap {
GW authtype = MS-CHAP
GW use_mppe = yes
GW require_encryption = yes
GW require_strong = yes
GW }
GW The output from radiusd in debug mode contains the following
GW rad_recv: Access-Request packet from host omitted:1814, id=3,
GW length=172
GW MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
GW MS-CHAP2-Response =
GW 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3
GW 05c09460bdc1c3047ab43476f5
GW User-Name = [EMAIL PROTECTED]
GW NAS-IP-Address = omitted
GW NAS-Identifier = omitted
GW Service-Type = Framed-User
GW Framed-Protocol = PPP
GW Proxy-State = 0x313630
GW ..
GW Debug: modcall: entering group authtype
GW Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
GW Debug: rlm_mschap: Authentication failed
GW Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the
GW user
GW Debug: modcall[authenticate]: module mschap returns reject
GW The username is stripped of the domain since usernames are stored on the
GW LDAP server in the short form.
GW Any suggestions on how to fix this problem would be gratefully received. If
GW I have not provided sufficient information to diagnose the error then please
GW let me know and I will send more information.
GW Thanks in advance
GW Guy Warner

--
~/ZARAZA
Punch the ENIACs in the face! (Lem)
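One way to test the attribute for damage, as asked in the message above (an added example, not code from the thread or from FreeRADIUS): it checks an MS-CHAP2-Response value against the RFC 2548 field layout and computes the RFC 2759 ChallengeHash to show how the user name string enters the response. The two hex values are copied from the post; the well-formed sample response and the user names are constructed.

```python
import hashlib

# MS-CHAP2-Response value layout, RFC 2548 section 2.3.2 (50 octets in total).
FIELDS = (("ident", 1), ("flags", 1), ("peer_challenge", 16),
          ("reserved", 8), ("nt_response", 24))
EXPECTED_LEN = sum(size for _, size in FIELDS)

# Values as quoted in the post; the response is joined across its line wrap.
POSTED_CHALLENGE = "0x18192e70aa5f3989b735ced1b471afd2"
POSTED_RESPONSE = ("0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f3"
                   "05c09460bdc1c3047ab43476f5")
# Constructed, well-formed value for comparison (not from the thread).
SAMPLE_RESPONSE = "0x0100" + bytes(range(16)).hex() + "00" * 8 + "aa" * 24


def unhex(text):
    """Decode the 0x-prefixed hex strings that radiusd prints in debug mode."""
    text = "".join(text.split())
    return bytes.fromhex(text[2:] if text[:2].lower() == "0x" else text)


def check_response(hex_value):
    """Return (fields, problems) for one MS-CHAP2-Response attribute value."""
    raw, fields, problems, pos = unhex(hex_value), {}, [], 0
    if len(raw) != EXPECTED_LEN:
        return fields, [f"length {len(raw)} octets, expected {EXPECTED_LEN}"]
    for name, size in FIELDS:
        fields[name] = raw[pos:pos + size]
        pos += size
    if fields["flags"] != b"\x00":
        problems.append("flags octet is not zero")
    if any(fields["reserved"]):
        problems.append("reserved octets are not zero")
    return fields, problems


def challenge_hash(peer_challenge, auth_challenge, user_name):
    """RFC 2759 ChallengeHash(): first 8 octets of SHA-1 over both challenges
    and the user name. Both ends must hash the same name string."""
    data = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


if __name__ == "__main__":
    print("posted value:", check_response(POSTED_RESPONSE)[1])
    fields, problems = check_response(SAMPLE_RESPONSE)
    print("sample value:", problems or "well-formed")
    auth = unhex(POSTED_CHALLENGE)
    for name in ("guy", "guy@example.org"):  # hypothetical user names
        print(name, challenge_hash(fields["peer_challenge"], auth, name).hex())
```

The response value as it appears in the post decodes to 42 octets, so the length check flags it; the page does not show whether the missing octets were trimmed when the log was pasted or lost before radiusd received the attribute. The two user names give different challenge hashes, which is why a realm stripped on one side only produces a mismatch.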