MSCHAP vs MSCHAPv2 for VPN

2010-10-13 Thread freeradius



Using freeradius 2.1.8, I have a sonicwall firewall that 
authenticates VPN users against the freeradius server. The VPN 
clients are the native MSFT VPN client.


When the client is configured for L2TP, MS-CHAP, the client connects. 
When the client is configured for L2TP MSChapv2, the client fails to 
connect with an error "It was not possible to verify the identity of 
the server".


As I understand it, the difference between mschapv1 and v2 is that 
the server sends back an authentication response. Seems like that 
handshake isn't working out? I know I've missed something somewhere...



radiusd -xX:
rad_recv: Access-Request packet from host 192.168.104.1 port 3873, id=22, length=124
User-Name = rsteeves
MS-CHAP-Challenge = 0x68dd158c5082247cfe49fecd9520386a
MS-CHAP2-Response = 0x010005edd3135eca19372073504d57f8a4b3ab31aff8b876e703bb4141ddc19afff921f6a358cd80b94b
NAS-IP-Address = x.x.x.x
NAS-Port = 0
Wed Oct 13 14:50:57 2010 : Info: server server_vpn {
Wed Oct 13 14:50:57 2010 : Info: +- entering group authorize {...}
Wed Oct 13 14:50:57 2010 : Info: ++[preprocess] returns ok
Wed Oct 13 14:50:57 2010 : Info: [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
Wed Oct 13 14:50:57 2010 : Info: ++[mschap] returns ok
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] Entering ldap_groupcmp()
Wed Oct 13 14:50:57 2010 : Info: [files]expand: OU=Enterprise,DC=int,DC=example,DC=com - OU=Enterprise,DC=int,DC=example,DC=com
Wed Oct 13 14:50:57 2010 : Info: [files]expand: %{Stripped-User-Name} -
Wed Oct 13 14:50:57 2010 : Info: [files]... expanding second conditional
Wed Oct 13 14:50:57 2010 : Info: [files]expand: %{User-Name} - rsteeves
Wed Oct 13 14:50:57 2010 : Info: [files]expand: (&(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=person)) - (&(sAMAccountname=rsteeves)(objectClass=person))
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=rsteeves)(objectClass=person))
Wed Oct 13 14:50:57 2010 : Error:   [ldap] ldap_search() failed: LDAP connection lost.
Wed Oct 13 14:50:57 2010 : Info:   [ldap] Attempting reconnect
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] attempting LDAP reconnection
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] closing existing LDAP connection
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] (re)connect to dc.int.example.com:389, authentication 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] bind as CN=_UserID,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=int,DC=example,DC=com/wvyjCHCd2LJHcNrmpr0I to dc.int.example.com:389
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] waiting for bind result ...
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] Bind was successful
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=rsteeves)(objectClass=person))
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Wed Oct 13 14:50:57 2010 : Info: [files]expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) - (|(&(objectClass=GroupOfNames)(member=CN\3dRick Steeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRick Steeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom)))
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3dRick Steeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRick Steeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] object not found
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] performing search in CN=Rick Steeves,OU=IS,OU=Users,OU=Enterprise,DC=int,DC=example,DC=com, with filter (objectclass=*)
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] performing search in CN=VPN_Users,OU=Security Groups,OU=Enterprise,DC=int,DC=example,DC=com, with filter (cn=VPN_Users)
Wed Oct 13 14:50:57 2010 : Debug: rlm_ldap::ldap_groupcmp: User found in group VPN_Users
Wed Oct 13 14:50:57 2010 : 

Re: MSCHAP vs MSCHAPv2 for VPN

2010-10-13 Thread Alan DeKok
freerad...@corwyn.net wrote:
> Using freeradius 2.1.8, I have a sonicwall firewall that authenticates
> VPN users against the freeradius server. The VPN clients are the native
> MSFT VPN client.
>
> When the client is configured for L2TP, MS-CHAP, the client connects.
> When the client is configured for L2TP MSChapv2, the client fails to
> connect with an error "It was not possible to verify the identity of the
> server"
...
> Wed Oct 13 14:50:57 2010 : Debug: Exec-Program output: NT_KEY:
> DDE9BB9EA12ED17BE5F358CB53EE6A8F

  Change the version of Samba that you're using.  3.5.5 contains a fix
which addresses this issue.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MSCHAP vs MSCHAPv2 for VPN

2010-10-13 Thread freeradius

At 03:43 PM 10/13/2010, Alan DeKok wrote:
>> Wed Oct 13 14:50:57 2010 : Debug: Exec-Program output: NT_KEY:
>> DDE9BB9EA12ED17BE5F358CB53EE6A8F
>
>   Change the version of Samba that you're using.  3.5.5 contains a fix
> which addresses this issue.


Thanks Alan. That server is running samba3x-3.3.8-0.52.el5_5.2, so 
that's quite useful!


What's interesting is that I have found a server running 
samba3x-3.3.8-0.52.el5_5 (separate installation, same config files, 
also VPN  sonicwall) which is not exhibiting this issue. 
Regardless, I'll go see about finding the new samba.


Rick








