Re: MS-CHAP2-Response is incorrect + invalid NT-Password

2010-03-15 Thread omega bk
hello,

i'm still stuck and don't know how to make it work

i added in ldap.attrmap:
checkItem   Cleartext-Password  userPassword
checkItem   NT-password userPassword

but i still have:

[ldap] expand: %{User-Name} - bernard
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=bernard)
[ldap] expand: dc=example,dc=com - dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=example,dc=com, with filter (cn=bernard)
[ldap] Added User-Password = test  in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword - NT-Password == 0x7465737420
  [ldap] userPassword - Cleartext-Password == test 
[ldap] looking for reply items in directory...
[ldap] user bernard authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
*[mschap] Invalid NT-Password
[mschap] Told to do MS-CHAPv2 for bernard with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect*
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject

I don't understand why i still got an invalid NT-Password.

thanks for your help
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MS-CHAP2-Response is incorrect + invalid NT-Password

2010-03-15 Thread omega bk
can i post all the debug output?

thanks

Re: MS-CHAP2-Response is incorrect + invalid NT-Password

2010-03-15 Thread omega bk
sorry for spamming, i just want to understand



*OpenLDAP knows the clear text password:*

  [ldap] userPassword - Cleartext-Password == test 
  [ldap] userPassword - NT-Password == 0x7465737420 *= supposed to be the hash password*
[ldap] looking for reply items in directory...
[ldap] user bernard authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}

*Is the inner tunnel part of the MSCHAPv2 failing because
it doesn't know the way of dealing with the password supplied?*

*Is adding the userPassword - NT-Password into ldap.attrmap enough to
produce a correct NT hash password?*

[mschap] Invalid NT-Password
[mschap] Told to do MS-CHAPv2 for bernard with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = \nE=691 R=1
EAP-Message = 0x040a0004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = \nE=691 R=1
EAP-Message = 0x040a0004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE

Re: MS-CHAP2-Response is incorrect + invalid NT-Password

2010-03-15 Thread Alan Buxey
Hi,

>   [ldap] userPassword - Cleartext-Password == test 

note the space at the end. your password is 'test '   not just 'test'

is this deliberate? check your LDAP!

alan


Re: MS-CHAP2-Response is incorrect + invalid NT-Password

2010-03-15 Thread Nicolas Goutte


On 15.03.2010 at 11:35, omega bk wrote:

> sorry for spamming, i just want to understand
>
> OpenLDAP knows the clear text password:
>
>   [ldap] userPassword - Cleartext-Password == test 
>   [ldap] userPassword - NT-Password == 0x7465737420 = supposed to be the hash password


I doubt very much that this is a hash:

0x74: t
0x65: e
0x73: s
0x74: t
0x20: space
(all in ASCII)

Have you tried *not* to define a NT-Password and let Freeradius  
calculate from the Cleartext-Password what it needs?


[...]

Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841




Re: MS-CHAP2-Response is incorrect + invalid NT-Password

2010-03-15 Thread omega bk
thank u for your quick reply

i fixed bernard's password in ldap


so:

  [ldap] userPassword - Cleartext-Password == test
  [ldap] userPassword - NT-Password == 0x74657374

i added the

password_radius_attribute = NT-Password

but still the same:

[mschap] Told to do MS-CHAPv2 for bernard with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect


2010/3/15 Alan Buxey a.l.m.bu...@lboro.ac.uk

> Hi,
>
>   [ldap] userPassword - Cleartext-Password == test 
>
> note the space at the end. your password is 'test '   not just 'test'
>
> is this deliberate? check your LDAP!
>
> alan

Re: MS-CHAP2-Response is incorrect + invalid NT-Password

2010-03-15 Thread Alan Buxey
Hi,

> [mschap] Told to do MS-CHAPv2 for bernard with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect

get rid of the NT-Password LDAP hook if you're not using it.

alan


Re: MS-CHAP2-Response is incorrect + invalid NT-Password

2010-03-15 Thread omega bk
Hi,

you mean by commenting mschap in authorize and authenticate section?

thanks

2010/3/15 Alan Buxey a.l.m.bu...@lboro.ac.uk

> Hi,
>
>  [mschap] Told to do MS-CHAPv2 for bernard with NT-Password
>  [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
>  [mschap] FAILED: MS-CHAP2-Response is incorrect
>
> get rid of the NT-Password LDAP hook if you're not using it.
>
> alan

Re: MS-CHAP2-Response is incorrect + invalid NT-Password

2010-03-15 Thread omega bk
forgot what i said.

i commented the line:

#checkItem   NT-password userPassword

in ldap.attrmap and it works!!

THANK U ALAN

you saved me

2010/3/15 omega bk omeg...@gmail.com

> Hi,
>
> you mean by commenting mschap in authorize and authenticate section?
>
> thanks
>
> 2010/3/15 Alan Buxey a.l.m.bu...@lboro.ac.uk
>
>> Hi,
>>
>>  [mschap] Told to do MS-CHAPv2 for bernard with NT-Password
>>  [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
>>  [mschap] FAILED: MS-CHAP2-Response is incorrect
>>
>> get rid of the NT-Password LDAP hook if you're not using it.
>>
>> alan

Re: MS-CHAP2-Response is incorrect + invalid NT-Password

2010-03-15 Thread omega bk
another question?

how does freeradius deal with simultaneous multiple access?

thanks

Re: MS-CHAP2-Response is incorrect + invalid NT-Password

2010-03-15 Thread Alan Buxey
Hi,

> another question?

why not.

> how does freeradius deal with simultaneous multiple access?

read the mailing list archives?

read the documents that come with the product?

doc/Simultaneous-Use


alan