the auth fails however when i try connecting from my windows8 client.
i need to mention that i am sure i'm inputting correct passwords.
No, you're not.
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: testuser1
[mschap] Told to do MS-CHA
attempts mschapv1)
and it gives me the same error
[root@be-vpn ~]# radtest -t mschap betatesting1 secret 127.0.0.1
1812 myubersecretpassword
Sending Access-Request of id 13 to 127.0.0.1 port 1812
User-Name = "betatesting1"
NAS-IP-Address = 127.0.0.1
Horatiu Nimigean wrote:
> the auth fails however when i try connecting from my windows8 client.
> i need to mention that i am sure i'm inputting correct passwords.
No, you're not.
> [mschap] Found NT-Password
> [mschap] Creating challenge hash with username: t
On 06/08/13 16:04, Horatiu Nimigean wrote:
i have pptpd on a centos 6 box configured to use radius for auth.
radius in turn checks credentials in ldap.
the user in ldap has a samba extension and a configured password (i used
ldap account manager to set it up) it also has a sambaNTPassword field
a
returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser1", looking up realm NULL
[suffix] No such realm "NULL"
Holger Wesser wrote:
> I've googled a while and found different solutions for the error
> message: [mschap] No Cleartext-Password configured. Cannot create
> LM-Password.
There's only one solution: give the server a "known good" password.
e.g. Cleartext-Password,
nstalled Ubuntu and build the server
with.
apt-get build-dep freeradius
apt-get install libssl-dev
./configure && make && make install
The result is the same. The first time i try to authenticate the mschap module
says "ERROR: (0) ERROR: mschap : Abnormal child exit:
On 8 Jun 2013, at 10:30, nicolas@ricoh-industrie.fr wrote:
> I have the same problem after upgrade Freeradius to version 3.
> Before, ntlm worked very well but it seems that the new version used the ntlm
> module differently.
Thanks for flagging your email appropriately.
Arran Cudbard-Bell
users mailing list
From: John Dennis
Sent by: freeradius-users-bounces+nicolas.clo=ricoh-industrie...@lists.freeradius.org
Date: 07/06/2013 17:12
Subject: [SPAM] Re: FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth
On 06/07/2013 10:46 AM, Bjarni Hardarson wrote:
> I am sure that the ntlm_a
On 06/07/2013 10:46 AM, Bjarni Hardarson wrote:
> I am sure that the ntlm_auth file is at /usr/bin/ntlm_auth and if i run it
> manually with the expanded attributes i get the NT_KEY.
>
> root@freelab:/#/usr/bin/ntlm_auth --request-nt-key --username=vpntest
> --challenge=d9a8b4d1c188ae1b
> --nt-
Hi list,
I just tried to upgrade FreeRADIUS to the latest version from git. My goal is
to get the passchange feature working in the mschap module.
I am unable to get ntlm_auth to work in mschap.
debug output,
---
Debug: (0) mschap : expand: '--nt-response=%{%{mschap:NT-Response
On Sun, Apr 28, 2013 at 1:31 AM, Andres wrote:
> Thank you all for your replies,
>
> I used SLES 11 freeradius standard package and it was too old,
> and it was my mistake and took a few days off my life.
> Hopefully someone else does not make the same mistake
If all you need
on: 2.1.1-7.16.1
> > also installed freeradius-server-libs and utils
>
> Why? That version is SEVEN YEARS old.
>
> Upgrade. Really.
>
> And you're using a version of radclient which doesn't support mschap.
> So... why are you trying to use mschap?
>
>
Andres wrote:
> FreeRADIUS server Version: 2.1.1-7.16.1
> also installed freeradius-server-libs and utils
Why? That version is SEVEN YEARS old.
Upgrade. Really.
And you're using a version of radclient which doesn't support mschap.
So... why are you trying to use mscha
ats your problem. OLD
the current one says this:
usage() {
echo "Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]" >&2
echo "-d RADIUS_DIR Set radius directory" >&2
echo "
"Framed-Protocol = PPP"
fi
) | $radclient $DICTIONARY -x $3 auth $5
Andres
2013/4/26
> Hi,
>
> what version of FreeRADIUS? are you sure you aren't running old copies of
> radclient/radtest
>
> ie you THINK you can do "-t mschap" but the wrapper or binary
Hi,
what version of FreeRADIUS? are you sure you aren't running old copies of
radclient/radtest
ie you THINK you can do "-t mschap" but the wrapper or binary doesn't
radclient -v ?
which radtest
then cat the resulting file.
alan
-
List info/subscribe/unsubscribe
mschap testing passme 127.0.0.1 0 testing123456
radclient: Failed to find IP address for host testing: Success
.
radius:/etc # radtest testing passme 127.0.0.1 0 testing123456
Sending Access-Request of id 177 to 127.0.0.1 port 1812
User-Name = "testing"
2013/4/26 Chitrang Srivastava
>
>> Most likely your host file didn't have entry of your domain name,
>> dump your hostname and /etc/hosts file here and then we can comment better
>>
>> On Thu, Apr 25, 2013 at 10:52 PM, Andres wrote:
>>
>>> Hello All,
>>
Andres wrote:
> this way looks my hosts file:
Well... something is wrong with DNS on your system.
The only advantage to using radtest is that it's simpler than
radclient. But it's just a wrapper around radclient. You can edit
radtest to remove the DNS lookups, or write your own wrapper whic
On Thu, Apr 25, 2013 at 10:52 PM, Andres wrote:
>
>> Hello All,
>>
>> I'm trying to test mschap with radtest but it gives me strange error
>> message.
>> I've tried to solve it several days, but had no success.
>>
>> I'm using synt
Most likely your host file didn't have entry of your domain name,
dump your hostname and /etc/hosts file here and then we can comment better
On Thu, Apr 25, 2013 at 10:52 PM, Andres wrote:
> Hello All,
>
> I'm trying to test mschap with radtest but it gives me strange error
>
Hello All,
I'm trying to test mschap with radtest but it gives me strange error
message.
I've tried to solve it several days, but had no success.
I'm using syntax like that:
$ radtest -t mschap user password 127.0.0.1 0 secret
radclient : Failed to find IP address for hos
ng an instance of the "exec" module called
> "ntlm_auth". This processes PAP requests, and is tested by forcing Auth-Type
>
> 2. It then talks about throwing that config away (remove the Auth-Type,
> stop using that module) and now configuring the "mschap" mo
Auth-Type
2. It then talks about throwing that config away (remove the
Auth-Type, stop using that module) and now configuring the "mschap"
module, by setting the "ntlm_auth" helper.
It might be a bit confusing that "ntlm_auth" is used twice there - once
as the n
d/inner-tunnel file."
we don't do that. we just have ntlm_auth as required configured in the mschap
module.
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
not needed to add it, as
freeradius is using mschap module to authenticate.
+- entering group MS-CHAP {...}
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap] expand: %{Stripped-User-Name} -> oscarrdg
[mschap] expand:
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
NAS-IP-Address = 192.168.30.15
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[suffix]
> This suggests the problem isn't certs, since you're inside the PEAP tunnel
> at this point.
>
> Check that samba/winbind are working ok, patched to the same level, etc. -
> it looks like the "well" known "mangling mschap response" issue.
> -
>
looks like the "well" known "mangling mschap response" issue.
Hey,
I need a bit of assistance. Brief summary: I have two RADIUS servers
connected to different Active Directory domains. I got through the
basic setup, EAP-PEAP / MSCHAP were working successfully
authenticating against both domains.
Then:
- I upgraded freeradius on both from 2.1.10 to 2.2.0
Roger thanks
On Nov 5, 2012 11:35 PM, "Fajar A. Nugraha" wrote:
> On Mon, Nov 5, 2012 at 6:47 PM, Ryan Summey wrote:
> > Thank you for the help guys really appreciate it. Is there any way to
> > automate this?
>
> My best advice would be to read "Advanced Bash-Scripting Guide", as
> well as "Awk
On Mon, Nov 5, 2012 at 6:47 PM, Ryan Summey wrote:
> Thank you for the help guys really appreciate it. Is there any way to
> automate this?
My best advice would be to read "Advanced Bash-Scripting Guide", as
well as "Awk Introduction Tutorial – 7 Awk Print Examples" (hint: use
Google), and combine
Thank you for the help guys really appreciate it. Is there any way to
automate this?
On Nov 5, 2012 12:54 AM, "Fajar A. Nugraha" wrote:
> On Mon, Nov 5, 2012 at 6:26 AM, Ryan Summey wrote:
> > What do i need to do to enable nt-hash rather than pap?
>
> That question should be: "how do I put nt-ha
On Mon, Nov 5, 2012 at 6:26 AM, Ryan Summey wrote:
> What do i need to do to enable nt-hash rather than pap?
That question should be: "how do I put nt-hash password in the db"?
IIRC the attribute name is "NT-Password" (you use this instead of
"Cleartext-Password" as "attribute" in radcheck), an
Yes this is VPN sorry for the confusion... DB is a mysql and isn't hosted
locally. I created it at my hosting company. I setup a virtual machine
with ubuntu server on my desktop with everything i need. This all works
with clear-text passwords from my phone.
What do i need to do to enable nt-hash
Hi,
>yeah i haven't touched anything just setup ubuntu server + pptp +
>freeradius + mysql thats it.
ah. VPN stuff - you should have clarified the pointers about TTLS etc
from others was for enterprise wireless (WPA2/AES - aka WPA/RADIUS)
2 step approach - secure access to the DB i
yeah i haven't touched anything just setup ubuntu server + pptp +
freeradius + mysql thats it.
My phone is android and in the vpn settings it has pptp options but i can't
select eap-ttls .. its ppp encryption(MPPE) and that uses mschapv2 i
believe. How would i get this to work using an encrypted pas
Hi,
>Is there any tutorials on how to do this ?
choose EAP-TTLS/PAP on the client.
so long as you haven't butchered your eap.conf (of mods-enabled/eap on FR 3.x)
then it will just work. (EAP-TTLS is one of the EAP methods that FR natively
supports)
you can use eapol_test (part of wpa_suppl
>> including configuration file /etc/freeradius/modules/echo
>> including configuration file /etc/freeradius/modules/expiration
>> including configuration file /etc/freeradius/modules/files
>> including configuration file /etc/freeradius/modules/mac2vlan
>> including con
Your only choices are outlined at the url you were given I'm afraid - store the
cleartext or nt hash of the password, which will entail a password change (or
capture); or switch to eap-ttls/pap.
This is a property of the cryptographic aspects of the algorithms in question
and can't be worked ar
ng configuration file /etc/freeradius/modules/files
>> including configuration file /etc/freeradius/modules/mac2vlan
>> including configuration file /etc/freeradius/modules/acct_unique
>> including configuration file /etc/freeradius/modules/krb5
>> including configuration file /et
On 08/24/2012 11:53 PM, McNutt, Justin M. wrote:
The underlying problem is that I have four production RADIUS servers
that all seem to choose the same domain controller, which is not only
a lot of load, but it's a bad idea in terms of fault tolerance.
I agree about the fault tolerance. In my ex
cnuttj=missouri@lists.freeradius.org
[mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On
Behalf Of Phil Mayers
Sent: Friday, August 24, 2012 4:23 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: redundant load balancing and mschap
On 08/24/2012 08:11 PM, McNutt,
ts.freeradius.org
Subject: Re: redundant load balancing and mschap
On 08/24/2012 08:11 PM, McNutt, Justin M. wrote:
> Grrr...
> This is probably a Samba issue - a known one? - but I can't seem to
> get AD authentications to hit multiple DCs. Everything goes to the
> one
This is indeed
lto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On
Behalf Of alan buxey
Sent: Friday, August 24, 2012 3:59 PM
To: FreeRadius users mailing list
Subject: Re: redundant load balancing and mschap
Hi,
>Authentication *works*, but all authentications go to the same DC
On 08/24/2012 08:11 PM, McNutt, Justin M. wrote:
Grrr...
This is probably a Samba issue - a known one? - but I can't seem to get
AD authentications to hit multiple DCs. Everything goes to the one
This is indeed a Samba issue, and unfortunately a hard one to fix.
ntlm_auth doesn't talk over th
Hi,
>Authentication *works*, but all authentications go to the same DC (the one
>specified in "mschap2"). Running "radiusd -X" shows that all mschap1/2/3
>instances are being called, and no authentication *attempts* are being
>sent to the other two domain controllers. (1 and 3 ar
McNutt, Justin M. wrote:
> Grrr...
>
> This is probably a Samba issue - a known one? - but I can't seem to get
> AD authentications to hit multiple DCs. Everything goes to the one
> listed in /etc/samba/smb.conf (which may be a coincidence).
That's how the NT protocols work, IIRC.
You need
Grrr...
This is probably a Samba issue - a known one? - but I can't seem to get AD
authentications to hit multiple DCs. Everything goes to the one listed in
/etc/samba/smb.conf (which may be a coincidence).
I set up several mschap instances like so:
mschap mschap1 { ...
ntlm_auth -s
Hi,
> # radiusd -X | head -1
> FreeRADIUS Version 2.1.11, for host x86_64-pc-linux-gnu, built on Jun 11
> 2012 at 11:10:29
does it do it with 2.1.12 - which was released in september last year
alan
for your help. I'm guessing this shouldn't crash with the example
>> config? maybe the mschap stuff bloats the reply too much?
>
> doesn't crash here - what code release are you using?
# ntlm_auth -V
Version 3.5.15
# radiusd -X | head -1
FreeRADIUS Version 2.1.11, for host x
Hi,
> I did have a retry_msg which was left as the default value of
>
> retry_msg = "Re-enter (or reset) the password"
>
> After I commented out this line the problem went away.
>
> Thanks for your help. I'm guessing this shouldn't crash with the exampl
lem went away.
Thanks for your help. I'm guessing this shouldn't crash with the example
config? maybe the mschap stuff bloats the reply too much?
>
>>> *** buffer overflow detected ***: radiusd terminated
>>> === Backtrace: =
>
> Reading doc/bu
Hi,
> Matt Richards wrote:
if you send me the small bits of mschap config you have made i'll run it on my
debug/testing
platform
alan
Matt Richards wrote:
> Hello,
>
> I have got radius setup to authenticate wireless clients using MS-CHAP
> and everything works correctly if the entered user / pass is correct.
>
> If the password is wrong, however, I get a buffer overflow error and
> radiusd dies.
You probably set the "retry_
...
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Creatin
>
>Alan DeKok wrote:
>
>>Phil Mayers wrote:
>>> Am I being dumb / getting something wrong or does the post-auth
>session
>>> not get called if PEAP/MSCHAP returns a reject?
>>>
>>> It seems to run for successful auths, but not failures.
>>
>>
>> Am I being dumb / getting something wrong or does the post-auth session
>> not get called if PEAP/MSCHAP returns a reject?
>>
>> It seems to run for successful auths, but not failures.
>
> That is the case.
>
>> This is in the context of us not seeing l
On 05/19/2012 12:37 PM, alan buxey wrote:
Hi,
Am I being dumb / getting something wrong or does the post-auth session
not get called if PEAP/MSCHAP returns a reject?
It seems to run for successful auths, but not failures.
That is the case.
This is in the context of us not seeing log
Hi,
> > Am I being dumb / getting something wrong or does the post-auth session
> > not get called if PEAP/MSCHAP returns a reject?
> >
> > It seems to run for successful auths, but not failures.
>
> That is the case.
>
> > This is in the context of
Phil Mayers wrote:
> Am I being dumb / getting something wrong or does the post-auth session
> not get called if PEAP/MSCHAP returns a reject?
>
> It seems to run for successful auths, but not failures.
That is the case.
> This is in the context of us not seeing log messag
Am I being dumb / getting something wrong or does the post-auth session
not get called if PEAP/MSCHAP returns a reject?
It seems to run for successful auths, but not failures.
This is in the context of us not seeing log messages for EAP auth
failures; I suspect that the client may just "
Hi,
>I am Working on Upgrading my Ubuntu to the Ubuntu 12.04 LTS and then I
>will retry the PEAP Authentication
>I will keep you posted with my results.
I can't spoon feed you with all your required details - I have a day
job too... if you use Ubuntu, then it uses a different name
>
Gilmour, Scott wrote:
> I am Working on Upgrading my Ubuntu to the Ubuntu 12.04 LTS and then I
> will retry the PEAP Authentication
> I will keep you posted with my results.
Upgrading won't help.
> root@FreeRadius:/home/sqauser# radius -X
> No command 'radius' found, did you mean:
> Command 'r
Thanks,
I am Working on Upgrading my Ubuntu to the Ubuntu 12.04 LTS and then I will
retry the PEAP Authentication
I will keep you posted with my results.
root@FreeRadius:/home/sqauser# radius -X
No command 'radius' found, did you mean:
Command 'radiusd' from package 'radiusd-livingston' (universe
What does the server try to run when actually dealing with your client? radius
-X will show you, you can then try running that command yourself.
alan
Hi,
I have been unable to get a PEAP user to work, but I was able to get a TLS
User to work.
It keeps on failing for MSCHAP. I tried to change the mschap module
settings but this made no difference.
I am currently using samba 3.5 with active directory. Does my ntlm_auth
path look correct?
Thanks
ll fail with an access-reject
>leaving me to believe it has something to do with the MSCHAP module. I
>am still investigating.
what version of SAMBA? 3.0.x will be fine, as will 3.5.x and 3.6.x latest
versions,
you may have all kinds of issues with 3.1.x through to 3.4.x.
also, when
access-reject
leaving me to believe it has something to do with the MSCHAP module. I am
still investigating.
Thanks
Scott
On Mon, May 14, 2012 at 1:55 PM, James J J Hooper [via FreeRadius] <
ml-node+s1045715n5709347...@n5.nabble.com> wrote:
> On 11/05/2012 13:35, Phil Mayers wrote:
>
denied (0xc022)
Fri May 11 08:08:13 2012 : Debug: Exec-Program: returned: 1
Fri May 11 08:08:13 2012 : Info: [mschap] External script failed.
Fri May 11 08:08:13 2012 : Info: [mschap] FAILED: MS-CHAP2-Response is
incorrect
The "ntlm_auth" helper is returning errors. Try the command fr
: Debug: Exec-Program: returned: 1
Fri May 11 08:08:13 2012 : Info: [mschap] External script failed.
Fri May 11 08:08:13 2012 : Info: [mschap] FAILED: MS-CHAP2-Response is
incorrect
The "ntlm_auth" helper is returning errors. Try the command from the CLI
and examine the output.
Hi,
I am running freeradius with Ubuntu and with the Active Directory
Configuration. When doing PEAP authentication I keep on getting a MSCHAP
Error. Not sure where to make changes or what changes to make. Is there
something I need to add in the Radiusd.conf or the eap.conf file?
Thanks in
hup'd it until it got
>>> borked. Seems to me like the mschap module gets somehow lost during the hup:
>>
>> That's enough to tell what's going on.
>>
>> Try grabbing the "v2.1.x" branch from git. It has a fix.
>
> Just to confirm
Hi,
On Fri, Apr 13, 2012 at 05:23:22PM +0200, Alan DeKok wrote:
> Jan Weiher wrote:
> > I had some spare time and was able to have a deeper look at it. What I
> > did is basically running freeradius -X and then hup'd it until it got
> > borked. Seems to me like the mscha
Jan Weiher wrote:
> I had some spare time and was able to have a deeper look at it. What I
> did is basically running freeradius -X and then hup'd it until it got
> borked. Seems to me like the mschap module gets somehow lost during the hup:
That's enough to tell what's g
>> I'm wondering if the mschap module somehow gets its internal state
>> muddled on a HUP, and starts sending the wrong challenge response.
>> ntlm_auth from the command line works fine when FR has a problem.
Hi,
I had some spare time and was able to have a deeper lo
Matthew Newton wrote:
> I've just replicated the problem by repeatedly HUPping freeradius,
> with about 10 second gaps between. On the 8th or so try, the same
> issue hit. Stopping and starting FR fixed it.
Maybe valgrind helps. It doesn't say anything for me...
> I
Brian Gold wrote:
> Ok, new pastebin: http://pastebin.com/5f2W3PjN
> I've confirmed that I don't have "Auth-Type := LDAP" anywhere in my
> configuration.
Did you try checking the "set_auth_type" entry in the ldap module
config, as suggested in another post?
> The sambaNTPassword hash was incor
users mailing list
> Subject: Re: adding mschap to an existing ttls/pap setup
>
> Brian Gold wrote:
> > We currently have an existing freeradius setup using eap-ttls/pap with
> > an openldap backend. Up until now, our userPassword has always been SHA
> > encoded. I've been
> Hi,
>
> I think I had a similar problem and fixed it by setting set_auth_type = no in
> modules/ldap. But I'm not sure if this is the only
thing I
> changed...
>
> all the best,
> Jan
I have the same behavior after making this change unfortunately.
Brian Gold wrote:
> We currently have an existing freeradius setup using eap-ttls/pap with an
> openldap backend. Up until now, our userPassword has
> always been SHA encoded. I've been working to add sambaNTPassword hashes so
> that we can use either eap-ttls/mschap or peap/m
On 12.04.2012 17:49, Brian Gold wrote:
> We currently have an existing freeradius setup using eap-ttls/pap with an
> openldap backend. Up until now, our userPassword has
> always been SHA encoded. I've been working to add sambaNTPassword hashes so
> that we can use either e
We currently have an existing freeradius setup using eap-ttls/pap with an
openldap backend. Up until now, our userPassword has
always been SHA encoded. I've been working to add sambaNTPassword hashes so
that we can use either eap-ttls/mschap or peap/mschap.
I've got the nt hashes se
> So that seems to indicate it's the HUP that causes the problem.
Okay, I thought it might be the config a.k.a "me"...
I think I'm going to modify the logrotate script until this issue is fixed.
best,
Jan
On Thu, Apr 12, 2012 at 04:45:56PM +0200, Jan Weiher wrote:
> On 12.04.2012 16:32, Matthew Newton wrote:
> > I'll dig a bit more, but the easy solution is to change the
> > logrotate script to restart, rather than reload/HUP.
> >
>
> Yes, that would be a solution for me as well, because when lo
Hi,
On 12.04.2012 16:32, Matthew Newton wrote:
>
> I'll dig a bit more, but the easy solution is to change the
> logrotate script to restart, rather than reload/HUP.
>
Yes, that would be a solution for me as well, because when logrotate
runs, the freeradius server is basically idle, but I don
Hi,
On Thu, Apr 12, 2012 at 03:59:56PM +0200, Jan Weiher wrote:
> I've got a strange problem with FR 2.1.12, sometimes (not always) when
> logrotate ran, freeradius goes bonkers and responds to every pap request
> with "mschap xlat failed". Restarting FR fixes this magica
with FR 2.1.12, sometimes (not always) when
>> logrotate ran, freeradius goes bonkers and responds to every pap request
>> with "mschap xlat failed". Restarting FR fixes this magically and all
>> works fine again. I created a small and hackish script, which restarts
>>
On 04/12/2012 09:59 AM, Jan Weiher wrote:
Hi,
I've got a strange problem with FR 2.1.12, sometimes (not always) when
logrotate ran, freeradius goes bonkers and responds to every pap request
with "mschap xlat failed". Restarting FR fixes this magically and all
works fine again. I
Hi,
I've got a strange problem with FR 2.1.12, sometimes (not always) when
logrotate ran, freeradius goes bonkers and responds to every pap request
with "mschap xlat failed". Restarting FR fixes this magically and all
works fine again. I created a small and hackish script, which r
James J J Hooper wrote:
> --- mschap-orig2012-04-08 00:39:44.0 +0100
> +++ mschap-new2012-04-08 00:41:06.0 +0100
> @@ -78,3 +78,3 @@
> #ntlm_auth_username = "username: %{mschap:User-Name}"
> -#ntlm_auth_domain = &quo
--- mschap-orig 2012-04-08 00:39:44.0 +0100
+++ mschap-new 2012-04-08 00:41:06.0 +0100
@@ -78,3 +78,3 @@
# ntlm_auth_username = "username: %{mschap:User-Name}"
-# ntlm_auth_domain = "username: %{mschap:NT-Domain}"
+# nt
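Review bot: the removed ntlm_auth_domain line carries the label "username: ", the same label as the ntlm_auth_username line directly above it, so the domain value is presented as a username. The replacement line is cut off after "+# nt" in this copy, so check that it uses a label specific to the domain. Both lines stay commented out, which means the correction only reaches users who uncomment the sample; a short comment above the pair stating which label belongs to which attribute would guard against the same copy-paste slip.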
Alan DeKok
Sent: Wednesday, 4 April 2012 18:43
To: FreeRadius users mailing list
Subject: Re: AW: MSCHAP Auth fails
Go back and ensure that there is only ONE mschap module in the "modules"
directory.
Weber, Felix wrote:
> Just looked at this line in my config there is a "--ntresponse" instead
> of "#ntresponse"
That's bad.
> In my mschap module the ntresponse parameter is written with "--", so
> why is radtest interpreting it with an "#"
Just looked at this line in my config there is a "--ntresponse" instead
of "#ntresponse"
[mschap]expand: #ntresponse=%{mschap:NT-Response:-00} ->
#ntresponse=f7b8cd66af90b5791fb4b09421dbbf2cbed180e7e72304b5
Exec-Program output: Logon failure (0xc06d)
Exec-
Tested both at radtest USER@DOMAIN and DOMAIN\\USER, nothing worked.
Configured krb5.conf and smb.conf with domain and local ntlm_auth works fine on
the machine.
And in mschap module this line has been added:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap]expand: %{Stripped-User-Name} ->
[mschap]... expanding second conditional
[mschap]expand: %{mschap:User-Name:-N
been added to users:
DEFAULT Auth-Type = mschap
This is the output from radtest:
radtest -t mschap User001 USERPW localhost 0 s3cr3t
Sending Access-Request of id 61 to 127.0.0.1 port 1812
User-Name = "User001"
NAS-IP-Address = 172.16.28.168
NAS-Port