Discussion:
Help needed with MS Chap v2
Guy Warner
2003-03-26 16:10:32 UTC
Hi

I am trying to set up a Freeradius 0.8.1 server to authenticate users with
MS Chap v2. The information about each user is obtained from an LDAP server.
The requests for authentication are being received via a proxy server.

The problem is that all requests to authenticate a user result in
rlm_mschap: Nothing in the packet I recognise: Rejecting the user

The mschap section of radiusd.conf is as follows

mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}


The output from radiusd in debug mode contains the following

rad_recv: Access-Request packet from host <omitted>:1814, id=3,
length=172
MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
MS-CHAP2-Response = 0x0100613e878f3075d4825db25f99da79dac300000000000000002d620d49a20f637cae65f305c09460bdc1c3047ab43476f5
User-Name = "***@test.st-and.ac.uk"
NAS-IP-Address = <omitted>
NAS-Identifier = <omitted>
Service-Type = Framed-User
Framed-Protocol = PPP
Proxy-State = 0x313630
......
Debug: modcall: entering group authtype
Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
Debug: rlm_mschap: Authentication failed
Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the
user
Debug: modcall[authenticate]: module "mschap" returns reject


The username is stripped of the domain since usernames are stored on the
LDAP server in the short form.

Any suggestions on how to fix this problem would be gratefully received. If
I have not provided sufficient information to diagnose the error then please
let me know and I will send more information.


Thanks in advance


Guy Warner


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
3APA3A
2003-03-26 16:19:09 UTC
Dear Guy Warner,

Authentication fails because of a username or password mismatch. That can
happen if the packet is corrupted, if the realm is not stripped from the
username, or if the password contains non-ASCII characters.

--
~/ZARAZA
A punch in the face for the ENIACs! (Lem)


Guy Warner
2003-03-26 16:38:27 UTC
Thanks for the fast replies. The line
Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the user
makes me believe the packet is corrupted. Is there any way to test this? My
suspicion is that the packet is being corrupted by the proxy server, however
since this is running a dedicated operating system there is not a lot I can
modify on it. The software used to send the initial request to the proxy is
RASPPOE_098B.

The LDAP server is authorizing the user names fine.

Thanks again.

Guy Warner

3APA3A
2003-03-26 16:47:40 UTC
Dear Guy Warner,

This line simply tells you that no authentication scheme could be used
for the packet (for MS-CHAPv1 both LM and NT authentication are
available; for MS-CHAPv2 only NT, and it fails in your case). Packet
corruption is the least likely of all the variants.

--
~/ZARAZA
I swear by the bald head of the prophet Moses, I am going to eat you right now. (Twain)


Guy Warner
2003-03-27 15:08:32 UTC
Post by 3APA3A
Dear Guy Warner,
This line simply tells you that no authentication scheme could be used
for the packet (for MS-CHAPv1 both LM and NT authentication are
available; for MS-CHAPv2 only NT, and it fails in your case). Packet
corruption is the least likely of all the variants.
Hi

Thanks for all your help so far. Given, then, that no authentication schema
is available, is this because of an invalid MS-CHAP-Challenge and
MS-CHAP2-Response pair? If so, is there any software to manually generate
the pairings so that the server can be tested with radclient? If, on the
other hand, the pairing is correct, what are the most likely causes of this
problem? I am confident that the username and password being sent are valid
and that the password contains no non-ASCII characters.

Thanks again

Guy Warner



Alan DeKok
2003-03-27 11:39:42 UTC
Post by Guy Warner
Thanks for all your help so far. Given, then, that no authentication schema
is available, is this because of an invalid MS-CHAP-Challenge and
MS-CHAP2-Response pair? If so, is there any software to manually generate
the pairings so that the server can be tested with radclient?
Not really.
Post by Guy Warner
If on the other hand the pairing is correct what are the most likely
causes of this problem. I am confident that the username and
password being sent are valid and the password contains no non-ascii
characters.
Try the latest CVS snapshot. I've re-written rlm_mschap to be
smaller, simpler, and to have significantly more debug messages.

It won't look at /etc/smbpasswd any more, but that's probably a Good
Thing.

Alan DeKok.

3APA3A
2003-03-28 08:51:36 UTC
Dear Alan DeKok,


--Thursday, March 27, 2003, 2:39:42 PM, you wrote to freeradius-***@lists.cistron.nl:


AD> Try the latest CVS snapshot. I've re-written rlm_mschap to be
AD> smaller, simpler, and to have significantly more debug messages.

AD> It won't look at /etc/smbpasswd any more, but that's probably a Good
AD> Thing.

/etc/smbpasswd is really not required and was only there for compatibility
(anyway, it should be noted in the Release Notes for people who upgrade
their RADIUS versions).

Removing SMB-Account-CTRL attribute handling is not good; I know people
use it. It's very convenient if accounts are bulk-imported from an NT
domain or from SAMBA. It's a standard attribute from the SAMBA passwd format,
the SAMBA LDAP schema, etc.
--
~/ZARAZA
The machine turned out to be capable of a single operation, namely
multiplying 2x2, and even then it made mistakes. (Lem)


Frank Cusack
2003-03-28 08:58:07 UTC
Post by 3APA3A
AD> Try the latest CVS snapshot. I've re-written rlm_mschap to be
AD> smaller, simpler, and to have significantly more debug messages.
AD> It won't look at /etc/smbpasswd any more, but that's probably a Good
AD> Thing.
/etc/smbpasswd is really not required and was only there for compatibility
(anyway, it should be noted in the Release Notes for people who upgrade
their RADIUS versions).
Removing SMB-Account-CTRL attribute handling is not good; I know people
use it. It's very convenient if accounts are bulk-imported from an NT
domain or from SAMBA. It's a standard attribute from the SAMBA passwd format,
the SAMBA LDAP schema, etc.
Yeah, I personally think both should be added back ...

/fc

Alan DeKok
2003-03-28 11:34:31 UTC
Post by Frank Cusack
Post by 3APA3A
/etc/smbpasswd is really not required and was only there for compatibility
(anyway, it should be noted in the Release Notes for people who upgrade
their RADIUS versions).
I've done that, and added code to rlm_mschap which will complain if
people try to configure it to use /etc/smbpasswd, and will tell people
what to do to fix the problem.
Post by Frank Cusack
Post by 3APA3A
Removing SMB-Account-CTRL attribute handling is not good; I know people
use it. It's very convenient if accounts are bulk-imported from an NT
domain or from SAMBA. It's a standard attribute from the SAMBA passwd format,
the SAMBA LDAP schema, etc.
That I agree with. But I was trying to take baby steps, to ensure
that I could get one thing working before I added another.
Post by Frank Cusack
Yeah, I personally think both should be added back ...
I am strongly opposed to duplicate functionality in the code. If
rlm_passwd can do all of the work of reading attributes from
/etc/smbpasswd, then we should use it, and not duplicate that code
elsewhere.

To put it another way, what is the gain in having rlm_mschap read
/etc/smbpasswd?

Alan DeKok.

Frank Cusack
2003-03-28 17:18:52 UTC
Post by Alan DeKok
Post by Frank Cusack
Post by 3APA3A
/etc/smbpasswd is really not required and was only there for compatibility
(anyway, it should be noted in the Release Notes for people who upgrade
their RADIUS versions).
Yeah, I personally think both should be added back ...
I am strongly opposed to duplicate functionality in the code. If
rlm_passwd can do all of the work of reading attributes from
/etc/smbpasswd, then we should use it, and not duplicate that code
elsewhere.
To put it another way, what is the gain in having rlm_mschap read
/etc/smbpasswd?
ah. none.

/fc

3APA3A
2003-03-28 18:35:19 UTC
Dear Alan DeKok,



--Friday, March 28, 2003, 2:34:31 PM, you wrote to freeradius-***@lists.cistron.nl:


AD> To put it another way, what is the gain in having rlm_mschap read
AD> /etc/smbpasswd?

I agree. Since 0.4 we have warned people that smbpasswd support in rlm_mschap
is outdated and will be removed in future versions. So it's time to remove
it.
--
~/ZARAZA
Firing a second time, he crippled a bystander. The bystander was me. (Twain)


Alan DeKok
2003-03-28 13:30:39 UTC
Post by 3APA3A
I agree. Since 0.4 we have warned people that smbpasswd support in rlm_mschap
is outdated and will be removed in future versions. So it's time to remove
it.
Done. Can you please double-check the module to ensure I didn't
break anything?

I've just re-added the support for SMB-Account-Ctrl, and done a few
tests with MS-CHAPv1.

Alan DeKok.

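What SMB-Account-CTRL carries, and why keeping it matters for the bulk-import case 3APA3A describes, is easiest to see on the file itself. The Go program below is an added example written for this page, not code from the thread, from FreeRADIUS or from Samba: it parses the smbpasswd line format into the attributes rlm_passwd would supply (LM-Password, NT-Password, SMB-Account-CTRL), decodes the "[...]" flag letters using Samba's account-control bit values, and applies a gate before any MS-CHAP response is examined. The gate (reject disabled, locked-out and trust accounts; let "N" accounts through without a password; require a stored NT hash for MS-CHAPv2) is this example's own policy rather than a quotation of rlm_mschap's code, and the sample file is constructed, with illustrative hash values.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Samba's account-control bits: smbpasswd's "[...]" field (sambaAcctFlags in its LDAP schema) spells them
// as letters. Only the four named here are tested by accountUsable.
const acbDisabled, acbPwNotReq, acbNormal, acbAutolock = 0x0001, 0x0004, 0x0010, 0x0400

var acbLetters = map[byte]uint32{'D': acbDisabled, 'H': 0x0002, 'N': acbPwNotReq, 'T': 0x0008, 'U': acbNormal,
	'M': 0x0020, 'I': 0x0040, 'W': 0x0080, 'S': 0x0100, 'X': 0x0200, 'L': acbAutolock}

// Entry carries what rlm_passwd would hand on as attributes: LM-Password, NT-Password, SMB-Account-CTRL.
type Entry struct {
	LMHash, NTHash []byte // nil when the field is a placeholder ("NO PASSWORD...", "XXXX...")
	AcctCtrl       uint32
}

// decodeAcctCtrl turns "[UD         ]" into a bit mask; an unknown letter is an error, not ignored, so a typo in a hand-edited file cannot silently widen access.
func decodeAcctCtrl(s string) (uint32, error) {
	if len(s) < 2 || s[0] != '[' || s[len(s)-1] != ']' {
		return 0, fmt.Errorf("bad acct_ctrl field %q", s)
	}
	var mask uint32
	for _, ch := range []byte(s[1 : len(s)-1]) {
		if bit, ok := acbLetters[ch]; ok {
			mask |= bit
		} else if ch != ' ' {
			return 0, fmt.Errorf("unknown acct_ctrl flag %q", ch)
		}
	}
	return mask, nil
}

// parseSmbpasswd reads "user:uid:LMHASH:NTHASH:[flags]:LCT-hex:" lines, skipping blanks and '#' comments; a hash field that is not 32 hex digits (Samba's placeholders) is stored as nil.
func parseSmbpasswd(text string) (map[string]Entry, error) {
	hashField := func(s string) []byte {
		if b, err := hex.DecodeString(s); err == nil && len(b) == 16 {
			return b
		}
		return nil
	}
	out := map[string]Entry{}
	for n, line := range strings.Split(text, "\n") {
		if line = strings.TrimSpace(line); line == "" || line[0] == '#' {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) < 5 {
			return nil, fmt.Errorf("line %d: want at least 5 colon-separated fields", n+1)
		}
		ctrl, err := decodeAcctCtrl(f[4])
		if err != nil {
			return nil, fmt.Errorf("line %d: %v", n+1, err)
		}
		out[f[0]] = Entry{LMHash: hashField(f[2]), NTHash: hashField(f[3]), AcctCtrl: ctrl}
	}
	return out, nil
}

// accountUsable is the gate to apply before looking at any MS-CHAP response (this example's own policy):
// disabled, locked-out and non-user (trust) accounts never authenticate, an "N" account needs no
// password, and otherwise MS-CHAPv2 needs a stored NT hash.
func accountUsable(e Entry) error {
	switch {
	case e.AcctCtrl&acbDisabled != 0:
		return errors.New("account disabled")
	case e.AcctCtrl&acbAutolock != 0:
		return errors.New("account locked out")
	case e.AcctCtrl&acbNormal == 0:
		return errors.New("not a normal user account")
	case e.AcctCtrl&acbPwNotReq != 0, e.NTHash != nil:
		return nil
	}
	return errors.New("no NT hash stored, so MS-CHAPv2 cannot be done")
}

// Constructed sample file; the hash fields are illustrative values, not real accounts.
const sampleSmbpasswd = `# user:uid:lmhash:nthash:[flags]:LCT-hex:
alice:1001:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537:[U          ]:LCT-3E82A2C0:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0CB6948805F797BF2A82807973B89537:[UD         ]:LCT-3E82A2C0:
guest:1003:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-3E82A2C0:
pc1$:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0CB6948805F797BF2A82807973B89537:[W          ]:LCT-3E82A2C0:`

func main() {
	db, err := parseSmbpasswd(sampleSmbpasswd)
	if err != nil {
		panic(err)
	}
	for _, u := range []string{"alice", "bob", "guest", "pc1$"} {
		e := db[u]
		fmt.Printf("%-6s SMB-Account-CTRL=0x%04x NT-Password=%x -> %v\n", u, e.AcctCtrl, e.NTHash, accountUsable(e))
	}
}
```

Run it and bob, disabled in the domain with [UD], is refused before any hash is compared, which is the point of the attribute: a directory-side disable has to mean a RADIUS-side reject, or a dial-in account outlives the account it was imported from. Unknown flag letters are rejected rather than skipped so that a mangled file fails loudly instead of quietly granting access.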
Michael Davidson
2003-03-27 18:01:29 UTC
Hi Guy, using the NAS to test with can be painful. Here's what I do with
radclient.

radclient -f radtst-2.txt -x 127.0.0.1 auth testing123

Contents of file radtst-2.txt:-

NAS-IP-Address = 10.3.1.252
NAS-Port = 1
NAS-Port-Type = Async
User-Name = "barney"
MS-CHAP-Challenge = 0xf891896ff83faf76
MS-CHAP-Response = 0x1c01000000000000000000000000000000000000000000000000002de6c684371d4373ff9ed97884686b55148577df9c12e0cc
Service-Type = Framed-User
Framed-Protocol = PPP

The above is for user "barney" with password "rockstar". Here are the hashes
for the same:
NT-Password: 746FDB64FD2E11D171D80823820969
LM-Password: 78D866152028B45E944E2DF489A880

I use the NAS at first and just screen-scrape (cut & paste actually) the
challenge from the radiusd -sxx debug output for use with radclient.

I use the PuTTY telnet client.

Regards Mike D.
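Guy's question above (is there software to generate a challenge/response pair so the server can be tested with radclient?) can be answered from RFC 2759 directly, and the same code shows what "the pairing is correct" means for the rest of the thread. The Go program below is an added example written for this page, not code from the thread, from FreeRADIUS or from RASPPPoE: it implements NtPasswordHash, ChallengeHash, ChallengeResponse and GenerateNTResponse from RFC 2759, assembles the 50-byte MS-CHAP2-Response attribute value laid out in RFC 2548 (Ident, Flags, Peer-Challenge, Reserved, NT-Response), and checks a response the way a server must: shape first, then a recomputed NT-Response. MD4 is written out because Go's standard library has none; DES is crypto/des. The vectors are RFC 2759's own test vectors (user "User", password "clientPass"); the rewritten user name in the last check is constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// md4 (RFC 1320): Go's standard library has no MD4, and NtPasswordHash needs one.
func md4(msg []byte) []byte {
	h := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	bits := uint64(len(msg)) * 8
	msg = append(msg, 0x80)
	msg = append(msg, make([]byte, (120-len(msg)%64)%64+8)...) // zero-pad to 56 mod 64, plus 8 bytes for the bit length
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], bits)
	rot := func(v uint32, s uint) uint32 { return v<<s | v>>(32-s) }
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		a, b, c, d := h[0], h[1], h[2], h[3]
		for i := 0; i < 16; i++ { // round 1: F, words in order
			a, b, c, d = d, rot(a+(b&c|^b&d)+x[i], []uint{3, 7, 11, 19}[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2: G, words 0,4,8,12,1,5,...
			a, b, c, d = d, rot(a+(b&c|b&d|c&d)+x[i%4*4+i/4]+0x5a827999, []uint{3, 5, 9, 13}[i%4]), b, c
		}
		for i, o := 0, []int{0, 2, 1, 3}; i < 16; i++ { // round 3: H, words 0,8,4,12,2,10,...
			a, b, c, d = d, rot(a+(b^c^d)+x[o[i%4]*4+o[i/4]]+0x6ed9eba1, []uint{3, 9, 11, 15}[i%4]), b, c
		}
		h[0], h[1], h[2], h[3] = h[0]+a, h[1]+b, h[2]+c, h[3]+d
	}
	out := make([]byte, 16)
	for i, v := range h {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntPasswordHash is MD4 over the UTF-16LE password (RFC 2759 s8.3): the stored NT-Password value.
func ntPasswordHash(password string) []byte {
	var buf []byte
	for _, w := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(w), byte(w>>8))
	}
	return md4(buf)
}

// challengeResponse (RFC 2759 s8.5): pad the hash to 21 bytes, DES-encrypt the 8-byte challenge under each 7-byte third; MS-CHAPv1's NT-Response is the same step on the raw MS-CHAP-Challenge.
func challengeResponse(challenge, pwHash []byte) []byte {
	z, out := make([]byte, 21), make([]byte, 24)
	copy(z, pwHash)
	for i := 0; i < 3; i++ {
		v, key := binary.BigEndian.Uint64(append([]byte{0}, z[7*i:7*i+7]...)), make([]byte, 8)
		for j := range key { // 7 key bits per byte, parity bit clear (DES ignores it): RFC 2759 s8.6
			key[j] = byte(v>>(49-7*uint(j))&0x7f) << 1
		}
		blk, _ := des.NewCipher(key) // only fails on a wrong key length
		blk.Encrypt(out[8*i:], challenge)
	}
	return out
}

// challengeHash (RFC 2759 s8.2): the name must be exactly what the client hashed; a server that rewrites User-Name first gets a different value and rejects a correct password.
func challengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}

// mschap2Response: the 50-byte MS-CHAP2-Response value (RFC 2548): Ident, Flags=0, 16-byte Peer-Challenge, 8 zero bytes, 24-byte NT-Response (RFC 2759 s8.1).
func mschap2Response(ident byte, auth, peer []byte, user, password string) []byte {
	nt := challengeResponse(challengeHash(peer, auth, user), ntPasswordHash(password))
	return append(append(append([]byte{ident, 0}, peer...), make([]byte, 8)...), nt...)
}

// verifyMSCHAP2 is the server side: check the shape (what real corruption would break), then recompute the NT-Response from the stored NT hash and compare.
func verifyMSCHAP2(auth, attr []byte, user string, ntHash []byte) (bool, string) {
	if len(auth) != 16 || len(attr) != 50 || attr[1] != 0 || !bytes.Equal(attr[18:26], make([]byte, 8)) {
		return false, "malformed: need a 16-byte challenge and a 50-byte response with Flags and Reserved zero"
	}
	if !bytes.Equal(challengeResponse(challengeHash(attr[2:18], auth, user), ntHash), attr[26:]) {
		return false, "NT-Response mismatch: wrong password, or the name differs from what the client hashed"
	}
	return true, "ok"
}

func main() {
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628") // RFC 2759 s9.2 test vectors:
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E") // user "User", password "clientPass"
	attr := mschap2Response(1, auth, peer, "User", "clientPass")
	// Print what radclient reads from a file (as in radtst-2.txt above), then verify with the name the client hashed and with a rewritten (constructed) name, which must reject.
	fmt.Printf("User-Name = \"User\"\nMS-CHAP-Challenge = 0x%x\nMS-CHAP2-Response = 0x%x\n", auth, attr)
	fmt.Println(verifyMSCHAP2(auth, attr, "User", ntPasswordHash("clientPass")))
	fmt.Println(verifyMSCHAP2(auth, attr, "User@example.org", ntPasswordHash("clientPass")))
}
```

The three printed lines go straight into a radclient file like Michael's radtst-2.txt. Two things the code makes concrete for the debug output earlier in the thread: the MS-CHAP2-Response there decodes cleanly (Ident 0x01, Flags 0x00, a 16-byte Peer-Challenge, eight zero Reserved bytes and a 24-byte NT-Response, 50 bytes in all, alongside a 16-byte MS-CHAP-Challenge), so it passes the shape check and the reject came from the comparison; and the comparison hashes the User-Name as a string, so the name the server feeds into ChallengeHash must be byte-for-byte the one the client used. A server that hashes a different string from the one the client hashed (stripped when the client did not strip, or the reverse) rejects a correct password, which is what the last verifyMSCHAP2 call shows.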
Josh Howlett
2003-03-26 16:26:11 UTC
Guy,

Do the LDAP server logs show anything?

josh.
--
-----------------------------------------------------------
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: ***@bris.ac.uk
------------------------------------------------------------