rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Continuing my quest to integrate freeradius with Active Directory… here goes another problem!

Has anyone already had this problem?

rlm_ldap: - authorize
rlm_ldap: performing user authorization for hugo.sousa
radius_xlat: '(sAMAccountName=hugo.sousa)'
radius_xlat: 'dc=office,dc=netsystems,dc=PT'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=office,dc=netsystems,dc=PT, with filter (sAMAccountName=hugo.sousa)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user hugo.sousa authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for hugo.sousa with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 7
modcall: group Auth-Type returns reject for request 7
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 7
modcall: group authenticate returns reject for request 7
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE

Regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Hi folks,

I have unsuccessfully attempted to authenticate an XP SP2 user with PEAP MSCHAPv2. I am using Solaris 8 for the freeRADIUS server and a CISCO 1100 Access Point.

Ron, I tried the "with_ntdomain_hack=yes" in the mschap section and it made no observable difference. Thanks.

Module rlm_mschap is expecting an NT-Password type password, does not find one via the pairfind function, and subsequently builds a VALUE_PAIR containing a NULL NT_Password. This null password is what fails the password length criterion test (16 chars exactly) in the do_mschap function call and results in the "rlm_mschap: FAILED: MS-CHAP2-Response is incorrect" message.

However, a pairfind function call in rlm_mschap does return a VALUE_PAIR of PW_Password type with my password, which is configured in the "users" file as well as on the XP SP2 supplicant. I am not sure if this VALUE_PAIR with my password came from the "users" file (config_items) or from the XP SP2 supplicant. I am not yet sure if the XP SP2 supplicant is not sending the password and that is why rlm_mschap is creating a NULL password of NT-Password type.

I added debug statements to the rlm_mschap.c module that appear in the "radiusd -X" output. I included slices from "radiusd -X" output, ".conf" files and "rlm_mschap" files.

Thanks for any help.

John Gauntt
[EMAIL PROTECTED]

The XP SP2 authentication settings are:
"Enable IEEE 802.1x authentication" - checked
"Validate server certificate" - checked
"Connect to these servers" - identified and checked
"Trusted Root Certification Authorities" - copied file, selected
"Authentication Method" - EAP-MSCHAPV2

users

EI2F-ENDL1\\Tech_Support User-Password == "endl1_freeradius"
    Framed-IP-Address = 12.1.10.20,
    Framed-IP-Netmask = 255.255.255.0,
    Framed-MTU = 1500,
    Reply-Message = "Hello, %u",
    Fall-Through = no

rlm_mschap.c

/*
 * mschap_authenticate() - authenticate user based on given
 * attributes and configuration.
 * We will try to find out password in configuration
 * or in configured passwd file.
 * If one is found we will check parameters given by NAS.
 *
 * If PW_SMB_ACCOUNT_CTRL is not set to ACB_PWNOTREQ we must have
 * one of:
 *   PAP: PW_PASSWORD or
 *   MS-CHAP: PW_MSCHAP_CHALLENGE and PW_MSCHAP_RESPONSE or
 *   MS-CHAP2: PW_MSCHAP_CHALLENGE and PW_MSCHAP2_RESPONSE
 * In case of password mismatch or locked account we MAY return
 * PW_MSCHAP_ERROR for MS-CHAP or MS-CHAP v2
 * If MS-CHAP2 succeeds we MUST return
 * PW_MSCHAP2_SUCCESS
 */
static int mschap_authenticate(void * instance, REQUEST *request)
{
    . . .
    /*
     * Decide how to get the passwords.
     */
    password = pairfind(request->config_items, PW_PASSWORD);
    /* Debug statements added by the poster; the last one logs the configured password itself. */
    if ( password != NULL ) {
        DEBUG2(" rlm_mschap, PW-Password: valuepair \"%s\"", password->name);
        DEBUG2(" rlm_mschap, PW-Password: Password Length \"%x\"", password->length);
        DEBUG2(" rlm_mschap, PW-Password: Password \"%s\"", password->strvalue);
    } else {
        DEBUG2(" rlm_mschap, PW-Password: password = NULL ");
    }

    /*
     * We need an LM-Password.
     */
    lm_password = pairfind(request->config_items, PW_LM_PASSWORD);
    if (lm_password) {
        /*
         * Allow raw octets.
         */
        if ((lm_password->length == 16) ||
            ((lm_password->length == 32) &&
             (hex2bin(lm_password->strvalue, lm_password->strvalue, 16) == 16))) {
            DEBUG2(" rlm_mschap: Found LM-Password");
            lm_password->length = 16;
        } else {
            radlog(L_ERR, "rlm_mschap: Invalid LM-Password");
            lm_password = NULL;
        }
    } else if (!password) {
        DEBUG2(" rlm_mschap: No User-Password configured. Cannot create LM-Password.");
    } else { /* there is a configured User-Password */
        lm_password = pairmake("LM-Password", "", T_OP_EQ);
        if (!lm_password) {
            radlog(L_ERR, "No memory");
        } else {
            smbdes_lmpwdhash(password->strvalue, lm_password->strvalue);
Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> Hi all
> We have a strange problem with our RADIUS Server.
> I'm not the RADIUS expert and take over this Server and configuration...
> :-(
>
> From time to time the users are not able to login, sometime it works and
> sometime it works only from 1 or 2 accesspoints (we have 10
> accesspoints).
>
> Attached you'll find the configuration and a snap from the RADIUS-log in
> debugmode.
>
> Accesspoints are Linksys WRT54GL with Tomato 1.23
>
> We are running FreeRadius 2.0.5 on Gentoo Linux 2.6.27-r27.
> Could it be if we running FreeRadius on another OS we have less problems
> ?!?

The error from your headline does not appear in the debug you posted.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
For the type of configuration you're trying to use (PEAP/EAP-MSCHAPv2 with Active Directory), you'll need to use the ntlm_auth hooks in the mschap module.

--Mike

On Fri, 2004-09-10 at 11:12, Hugo Sousa wrote:
> Continuing my quest to integrate freeradius with Active Directory…
> here goes another problem!
>
> Has anyone already had this problem?
>
>
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for hugo.sousa
> radius_xlat: '(sAMAccountName=hugo.sousa)'
> radius_xlat: 'dc=office,dc=netsystems,dc=PT'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=office,dc=netsystems,dc=PT, with
> filter (sAMAccountName=hugo.sousa)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user hugo.sousa authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 7
> modcall: group authorize returns updated for request 7
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 7
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for hugo.sousa with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform
> authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> modcall[authenticate]: module "mschap" returns reject for request 7
> modcall: group Auth-Type returns reject for request 7
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns reject for request 7
> modcall: group authenticate returns reject for request 7
> auth: Failed to validate the user.
> PEAP: Tunneled authentication was rejected.
> rlm_eap_peap: FAILURE
>
>
>
> Regards,
>
> Hugo Sousa
> SysAdmin / NetworkAdmin
> http://www.netsystems.pt
> Portugal

--
--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
RE: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Are you talking about this:

#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

There is no other way to perform authentication on the Domain Controller ?

Regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Friday, 10 September 2004 17:30
To: [EMAIL PROTECTED]
Subject: Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

For the type of configuration you're trying to use (PEAP/EAP-MSCHAPv2 with Active Directory), you'll need to use the ntlm_auth hooks in the mschap module.

--Mike

On Fri, 2004-09-10 at 11:12, Hugo Sousa wrote:
> Continuing my quest to integrate freeradius with Active Directory.
> here goes another problem!
>
> Has anyone already had this problem?
>
>
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for hugo.sousa
> radius_xlat: '(sAMAccountName=hugo.sousa)'
> radius_xlat: 'dc=office,dc=netsystems,dc=PT'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=office,dc=netsystems,dc=PT, with
> filter (sAMAccountName=hugo.sousa)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user hugo.sousa authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 7
> modcall: group authorize returns updated for request 7
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 7
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for hugo.sousa with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform
> authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> modcall[authenticate]: module "mschap" returns reject for request 7
> modcall: group Auth-Type returns reject for request 7
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns reject for request 7
> modcall: group authenticate returns reject for request 7
> auth: Failed to validate the user.
> PEAP: Tunneled authentication was rejected.
> rlm_eap_peap: FAILURE
>
>
>
> Regards,
>
> Hugo Sousa
> SysAdmin / NetworkAdmin
> http://www.netsystems.pt
> Portugal

--
--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"Hugo Sousa" <[EMAIL PROTECTED]> wrote:
> Are you talking about this:
>
> #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Yes.

> There is no other way to perform authentication on the Domain Controller ?

No.

Alan DeKok.
RE: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
But if the domain controller uses LDAP, why do we have to use LDAP and after that ntlm_auth ???

I just want to understand why.

Btw.. (I'm already compiling Samba to have nmbd, etc)

Regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, 10 September 2004 19:10
To: [EMAIL PROTECTED]
Subject: Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

"Hugo Sousa" <[EMAIL PROTECTED]> wrote:
> Are you talking about this:
>
> #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Yes.

> There is no other way to perform authentication on the Domain Controller ?

No.

Alan DeKok.
Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"Hugo Sousa" <[EMAIL PROTECTED]> wrote:
> But if the domain controller uses LDAP, why do we have to use LDAP and after
> that ntlm_auth ???

Because Active Directory isn't LDAP in the same way that other LDAP servers are LDAP. You can't get NT-Passwords from AD, you can get it from other LDAP servers.

Therefore, you can't get FreeRADIUS to compare a known good password to the password in the Access-Request, you've got to use something else. In this case, NT domain authentication does MS-CHAP, so FreeRADIUS can use ntlm_auth to do MS-CHAP to the NT domain, and thus authenticate the user.

Alan DeKok.
RE: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Does that mean that I don't need to use the LDAP modules on FreeRadius and use only the ntlm_auth? Is it enough?

Regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, 10 September 2004 19:21
To: [EMAIL PROTECTED]
Subject: Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

"Hugo Sousa" <[EMAIL PROTECTED]> wrote:
> But if the domain controller uses LDAP, why do we have to use LDAP and
> after that ntlm_auth ???

Because Active Directory isn't LDAP in the same way that other LDAP servers are LDAP. You can't get NT-Passwords from AD, you can get it from other LDAP servers.

Therefore, you can't get FreeRADIUS to compare a known good password to the password in the Access-Request, you've got to use something else. In this case, NT domain authentication does MS-CHAP, so FreeRADIUS can use ntlm_auth to do MS-CHAP to the NT domain, and thus authenticate the user.

Alan DeKok.
Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"Hugo Sousa" <[EMAIL PROTECTED]> wrote:
> Does that mean that I don't need to use the LDAP modules on FreeRadius and
> use only the ntlm_auth? Is it enough?

That depends on what you're trying to do.

If you're not storing user information in LDAP, you don't need to run LDAP.

Alan DeKok.
RE: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
I'm storing user information on the Windowze Active Directory, ONLY.

So, LDAP doesn't apply, right ???

Regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, 10 September 2004 19:51
To: [EMAIL PROTECTED]
Subject: Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

"Hugo Sousa" <[EMAIL PROTECTED]> wrote:
> Does that mean that I don't need to use the LDAP modules on FreeRadius
> and use only the ntlm_auth? Is it enough?

That depends on what you're trying to do.

If you're not storing user information in LDAP, you don't need to run LDAP.

Alan DeKok.
RE: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
To simply answer your question, if you're not storing any sort of Access Allowed/Denied attribute in AD (iow, all your users are allowed to auth to RADIUS), and you're not pulling any supplemental check/reply RADIUS attributes from LDAP, then no, you don't need the LDAP module. For what you're doing, you probably do not need it based on what you're saying.

--Mike

On Fri, 2004-09-10 at 13:50, Hugo Sousa wrote:
> I'm storing user information on the Windowze Active Directory, ONLY.
>
> So, LDAP doesn't apply, right ???
>
>
> Regards,
>
> Hugo Sousa
> SysAdmin / NetworkAdmin
> http://www.netsystems.pt
> Portugal
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Friday, 10 September 2004 19:51
> To: [EMAIL PROTECTED]
> Subject: Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>
> "Hugo Sousa" <[EMAIL PROTECTED]> wrote:
> > Does that mean that I don't need to use the LDAP modules on FreeRadius
> > and use only the ntlm_auth? Is it enough?
>
> That depends on what you're trying to do.
>
> If you're not storing user information in LDAP, you don't need to run
> LDAP.
>
> Alan DeKok.

--
--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Have you tried a non mschapv2 authentication? Try a basic authentication with NTradping to make sure the password is read correctly when you are not doing mschapv2. I think you set the password incorrectly in the users file.

Ron.
http://www.positive-logic.net
help on rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Hi, All,

When I tried to develop PEAP at client side, I found I am always rejected by the server. The following is the log. What might be wrong? My server config?

thanks,
Jie

Tue Dec 13 19:17:04 2005 : Debug: users: Matched [EMAIL PROTECTED].com at 53
Tue Dec 13 19:17:04 2005 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 14
Tue Dec 13 19:17:04 2005 : Debug: modcall[authorize]: module "files" returns ok for request 14
Tue Dec 13 19:17:04 2005 : Debug: modcall: group authorize returns updated for request 14
Tue Dec 13 19:17:04 2005 : Debug: rad_check_password: Found Auth-Type EAP
Tue Dec 13 19:17:04 2005 : Debug: auth: type "EAP"
Tue Dec 13 19:17:04 2005 : Debug: Processing the authenticate section of radiusd.conf
Tue Dec 13 19:17:04 2005 : Debug: modcall: entering group authenticate for request 14
Tue Dec 13 19:17:04 2005 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 14
Tue Dec 13 19:17:04 2005 : Debug: rlm_eap: Request found, released from the list
Tue Dec 13 19:17:04 2005 : Debug: rlm_eap: EAP/mschapv2
Tue Dec 13 19:17:04 2005 : Debug: rlm_eap: processing type mschapv2
Tue Dec 13 19:17:04 2005 : Debug: Processing the authenticate section of radiusd.conf
Tue Dec 13 19:17:04 2005 : Debug: modcall: entering group Auth-Type for request 14
Tue Dec 13 19:17:04 2005 : Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 14
Tue Dec 13 19:17:04 2005 : Debug: rlm_mschap: Told to do MS-CHAPv2 for supplic [EMAIL PROTECTED] with NT-Password
Tue Dec 13 19:17:04 2005 : Debug: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Tue Dec 13 19:17:04 2005 : Debug: modsingle[authenticate]: returned from mschap (rlm_mschap) for request 14
Tue Dec 13 19:17:04 2005 : Debug: modcall[authenticate]: module "mschap" returns reject for request 14
Tue Dec 13 19:17:04 2005 : Debug: modcall: group Auth-Type returns reject for request 14
Tue Dec 13 19:17:04 2005 : Debug: rlm_eap: Freeing handler
Re: help on rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Jie Yang wrote:
> Hi, All,
> When I tried to develop PEAP at client side, I found I am always rejected by
> the server. The following is the log. What might be wrong?

You almost certainly need to strip the "@domain" off the username before mschap sees it - the username is used in calculating the challenge response.

See the "realms" module, specifically you'll want the "suffix" instance in authorize, "spirentcom.com" as a LOCAL realm in proxy.conf and proxying turned on.
Re: help on rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Hi,

I removed "@domain", but still the same error. I also run an AEGIS v.2.0.5 (a very old version though) with same supplicant configuration, which also gave me the same error. It seems to me there might be something wrong at the server side. But I don't know where. My freeradius version is 1.0.1.

Thanks for your suggestion though.

Jie

On 12/14/05, Phil Mayers <[EMAIL PROTECTED]> wrote:
> Jie Yang wrote:
> > Hi, All,
> > When I tried to develop PEAP at client side, I found I am always rejected by
> > the server. The following is the log. What might be wrong?
>
> You almost certainly need to strip the "@domain" off the username before
> mschap sees it - the username is used in calculating the challenge response.
>
> See the "realms" module, specifically you'll want the "suffix" instance
> in authorize, "spirentcom.com" as a LOCAL realm in proxy.conf and
> proxying turned on.
Re: help on rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Ok, I solved the problem. The PEAP of freeRadius 1.0.1 on solaris cannot work correctly. After I upgraded the server to 1.0.5, it is working.

Jie

On 12/14/05, Jie Yang <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I removed "@domain", but still the same error. I also run an AEGIS v.2.0.5
> (a very old version though) with same supplicant configuration, which also
> gave me the same error. It seems to me there might be something wrong at the
> server side. But I don't know where. My freeradius version is 1.0.1.
>
> Thanks for your suggestion though.
>
> Jie
>
> On 12/14/05, Phil Mayers <[EMAIL PROTECTED]> wrote:
> > Jie Yang wrote:
> > > Hi, All,
> > > When I tried to develop PEAP at client side, I found I am always rejected by
> > > the server. The following is the log. What might be wrong?
> >
> > You almost certainly need to strip the "@domain" off the username before
> > mschap sees it - the username is used in calculating the challenge response.
> >
> > See the "realms" module, specifically you'll want the "suffix" instance
> > in authorize, "spirentcom.com" as a LOCAL realm in proxy.conf and
> > proxying turned on.
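
The same "MS-CHAP2-Response is incorrect" line ends three different failures in this thread, and the rlm_mschap lines just before it tell them apart. The triage script below is an added example, not code from any poster or from FreeRADIUS; the sample log is constructed in the style of the debug output quoted above, and the names `triage`, `classify`, `Finding` and the cause labels are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of the "radiusd -X" output quoted in the
# thread. User names, timestamps and request numbers are made up.
SAMPLE_LOG = '''
rlm_mschap: No User-Password configured.  Cannot create LM-Password.
rlm_mschap: No User-Password configured.  Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for alice with NT-Password
rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 7
Mon Jan  1 00:00:00 2024 : Debug:   rlm_mschap: Told to do MS-CHAPv2 for bob@example.org with NT-Password
Mon Jan  1 00:00:00 2024 : Debug:   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Mon Jan  1 00:00:00 2024 : Debug:   modcall[authenticate]: module "mschap" returns reject for request 14
rlm_mschap: Told to do MS-CHAPv2 for carol with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 21
rlm_mschap: Told to do MS-CHAPv2 for dave with NT-Password
modcall[authenticate]: module "mschap" returns ok for request 22
'''

# search() is used throughout, so an optional timestamp prefix is tolerated.
TOLD = re.compile(r"rlm_mschap: Told to do MS-CHAPv2 for (\S+) with")
RESULT = re.compile(r'module "mschap" returns (\w+) for request (\d+)')

# Hints restate what the thread's replies recommend for each pattern.
HINTS = {
    "no-known-good-password": "mschap has no User-Password/NT-Password to hash; "
        "with Active Directory, configure ntlm_auth in the mschap module",
    "realm-in-username": "the user name is part of the challenge-response "
        "calculation; strip the realm before mschap sees it",
    "response-mismatch": "check the stored password against the supplicant's; "
        "one poster fixed this by upgrading 1.0.1 to 1.0.5",
    "unclassified": "no rlm_mschap failure line seen for this request",
}


@dataclass
class Finding:
    request: int
    user: str
    cause: str
    hint: str


def classify(mschap_lines, user):
    """Pick the most specific cause for one rejected request."""
    text = "\n".join(mschap_lines)
    # Checked first: with no password to hash, the "incorrect" message that
    # follows is only a consequence, not the cause.
    if "Cannot create NT-Password" in text or "No NT/LM-Password" in text:
        return "no-known-good-password"
    if "MS-CHAP2-Response is incorrect" in text:
        if "@" in user or "\\" in user:
            return "realm-in-username"
        return "response-mismatch"
    return "unclassified"


def triage(log_text):
    """Group rlm_mschap lines per request and classify each reject."""
    findings, pending, user = [], [], ""
    for line in log_text.splitlines():
        if "rlm_mschap:" in line:
            pending.append(line)
            told = TOLD.search(line)
            if told:
                user = told.group(1)
            continue
        result = RESULT.search(line)
        if result:
            if result.group(1) == "reject":
                cause = classify(pending, user)
                findings.append(
                    Finding(int(result.group(2)), user, cause, HINTS[cause]))
            pending, user = [], ""  # the module's verdict closes the request
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"request {f.request} user={f.user}: {f.cause} -> {f.hint}")
```
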