[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freeradius-users
Subject:    Re: Sudden User Authentication Rejection as a result Compatibility - error
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2015-02-24 15:40:36
Message-ID: 442864D0-863E-4FCA-88EF-87603A92930A () deployingradius ! com
[Download RAW message or body]

On Feb 24, 2015, at 8:47 AM, Clement Ogedengbe <c.ogedengbe@worc.ac.uk> wrote:
> I have now tested the server with eapol_test (without certificate validation) and \
> it failed. I tested  using the eaptest config below (PEAP & TTLS) : (I have masked \
> out userid & password).  

  That's bad.

> EAP-MSCHAPV2: Received success
> EAP-MSCHAPV2: Invalid authenticator response in success request

  That's the problem.

  Why does it happen?

> [mschap_ad] Creating challenge hash with username: uwjrstest
> [mschap_ad] 	expand: --challenge=%{mschap_ad:Challenge:-00} -> \
> --challenge=eb2123a7a496e886 [mschap_ad] 	expand: \
> --nt-response=%{mschap_ad:NT-Response:-00} -> \
> --nt-response=4619af06b81d1426e5c7921fe751e5f46b7ee3456b3b0c7f Exec-Program output: \
>                 NT_KEY: 51C1A08577E4ECDBBD59863E8B0BF5BD 
> Exec-Program-Wait: plaintext: NT_KEY: 51C1A08577E4ECDBBD59863E8B0BF5BD 

  ntlm_auth is giving the wrong response to FreeRADIUS.

  i.e. the problem isn't FreeRADIUS.

  Re-start Samba, winbindd, etc.  Then try it again.  It should work.

  If it doesn't, upgrade Samba to a version that works.  Or (sad to say) downgrade it \
to a version that works.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[prev in list] [next in list] [prev in thread] [next in thread]