PEAP mschapv2 E= 691 R=0 code is correct?

classic Classic list List threaded Threaded
4 messages Options
| Threaded
Open this post in threaded view
|

PEAP mschapv2 E= 691 R=0 code is correct?

엔트로링크(주)
atteched full log.
Thanks

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

=?utf-8?B?cnRlc3QudHh0?= (344K) Download Attachment
| Threaded
Open this post in threaded view
|

Re: PEAP mschapv2 E= 691 R=0 code is correct?

Alan DeKok-2


> On Sep 25, 2020, at 9:22 AM, 엔트로링크(주) <[hidden email]> wrote:
>
> atteched full log.
> Thanks
> <rtest.txt>-

  Part of the reason it's so big is you're (again) not following instructions.  DON'T use "radius -Xx" or "radiusd -Xx" or  "radiusd -XXXxxxxxxxxx".  Follow the documentation.  Use "radiusd -X".

  Honestly... it really does help to read the documentation and follow the instructions.  Most of the issues you're running into would have been avoided.

  And reading the debug output show:


(6) mschap: Found Cleartext-Password, hashing to create NT-Password
(6) mschap: Creating challenge hash with username: user01
(6) mschap: Client is using MS-CHAPv2
ERROR: (6) mschap: MS-CHAP2-Response is incorrect

  So... the password is wrong.

  You've told FreeRADIUS one password, and the user is entering a different one.  Make sure that the user is entering the correct password.

  And no, don't argue that "the password is correct".  It's not.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: PEAP mschapv2 E= 691 R=0 code is correct?

엔트로링크(주)
Thank reply.
 
At test case,...(cached password was wrong)
as below document, it will prompt the user for a new password.
but, Windows 10 are not prompt.(FR),
Cisco ISE are prompt ok
my question is it(new password prompt).
Check it.
Thanks.
--
mschapv2 {
                #  Prior to version 2.1.11, the module never
                #  sent the MS-CHAP-Error message to the
                #  client.  This worked, but it had issues
                #  when the cached password was wrong.  The
                #  server *should* send "E=691 R=0" to the
                #  client, which tells it to prompt the user
                #  for a new password.
                #
                #  The default is to behave as in 2.1.10 and
                #  earlier, which is known to work.  If you
                #  set "send_error = yes", then the error
                #  message will be sent back to the client.
                #  This *may* help some clients work better,
                #  but *may* also cause other clients to stop
                #  working.
                #
--
 
 
-----Original Message-----
From: "Alan DeKok"<[hidden email]>
To: "FreeRadius users mailing list"<[hidden email]>;
Cc:
Sent: 2020-09-25 (금) 22:29:42 (GMT+09:00)
Subject: Re: PEAP mschapv2 E= 691 R=0 code is correct?
 


> On Sep 25, 2020, at 9:22 AM,
>
> atteched full log.
> Thanks
> <rtest.txt>-

 Part of the reason it's so big is you're (again) not following instructions.  DON'T use "radius -Xx" or "radiusd -Xx" or  "radiusd -XXXxxxxxxxxx".  Follow the documentation.  Use "radiusd -X".

 Honestly... it really does help to read the documentation and follow the instructions.  Most of the issues you're running into would have been avoided.

 And reading the debug output show:


(6) mschap: Found Cleartext-Password, hashing to create NT-Password
(6) mschap: Creating challenge hash with username: user01
(6) mschap: Client is using MS-CHAPv2
ERROR: (6) mschap: MS-CHAP2-Response is incorrect

 So... the password is wrong.

 You've told FreeRADIUS one password, and the user is entering a different one.  Make sure that the user is entering the correct password.

 And no, don't argue that "the password is correct".  It's not.

 Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: PEAP mschapv2 E= 691 R=0 code is correct?

엔트로링크(주)
Thanks.
my test, put below then work fine.
send_error = yes
Thanks.
 
-----Original Message-----

To: "FreeRadius users mailing list"<[hidden email]>;
Cc:
Sent: 2020-09-25 (금) 23:05:58 (GMT+09:00)
Subject: Re: PEAP mschapv2 E= 691 R=0 code is correct?
 
Thank reply.

At test case,...(cached password was wrong)
as below document, it will prompt the user for a new password.
but, Windows 10 are not prompt.(FR),
Cisco ISE are prompt ok
my question is it(new password prompt).
Check it.
Thanks.
--
mschapv2 {
               #  Prior to version 2.1.11, the module never
               #  sent the MS-CHAP-Error message to the
               #  client.  This worked, but it had issues
               #  when the cached password was wrong.  The
               #  server *should* send "E=691 R=0" to the
               #  client, which tells it to prompt the user
               #  for a new password.
               #
               #  The default is to behave as in 2.1.10 and
               #  earlier, which is known to work.  If you
               #  set "send_error = yes", then the error
               #  message will be sent back to the client.
               #  This *may* help some clients work better,
               #  but *may* also cause other clients to stop
               #  working.
               #
--


-----Original Message-----
From: "Alan DeKok"<[hidden email]>
To: "FreeRadius users mailing list"<[hidden email]>;
Cc:
Sent: 2020-09-25 (금) 22:29:42 (GMT+09:00)
Subject: Re: PEAP mschapv2 E= 691 R=0 code is correct?



> On Sep 25, 2020, at 9:22 AM,
>
> atteched full log.
> Thanks
> <rtest.txt>-

Part of the reason it's so big is you're (again) not following instructions.  DON'T use "radius -Xx" or "radiusd -Xx" or  "radiusd -XXXxxxxxxxxx".  Follow the documentation.  Use "radiusd -X".

Honestly... it really does help to read the documentation and follow the instructions.  Most of the issues you're running into would have been avoided.

And reading the debug output show:


(6) mschap: Found Cleartext-Password, hashing to create NT-Password
(6) mschap: Creating challenge hash with username: user01
(6) mschap: Client is using MS-CHAPv2
ERROR: (6) mschap: MS-CHAP2-Response is incorrect

So... the password is wrong.

You've told FreeRADIUS one password, and the user is entering a different one.  Make sure that the user is entering the correct password.

And no, don't argue that "the password is correct".  It's not.

Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html