Re: [QUESTION] - MSCHAP not working with YubiRadius/2008r2 R

2013-03-26T14:16:37+01:00

Hello,

To configure the MSCHAPv2 with YubiRADIUS please refer the following link for your reference:
http://freeradius.org/

YubiRADIUS supports PAP and EAP-GTC. You can customize the YubiRADIUS with the help of above link as per your requirements.

To understand what went wrong in your configuration please send us the screenshot of "Global Configuration" >> "General" of YubiRADIUS and following log files to "support@yubico.com".

1. Please configure the log files with the following settings from the webmin console:
1. Login to webmin
2. Go to "System" >> "System Logs"
3. Click on log file (ykropval.log ,etc. mentioned below)
4. Select "all" option in "priorities" field of "Message types to log" section
5. Please click on "save" button to save the changes.
6. Please repeat step 3, 4 and 5 for other log files mentioned below.
7. Please click on "Apply Changes" button on System Logs page
8. Go to "Servers" >> "YubiRADIUS Virtual Appliance"
9. Navigate 'Global Configuration' >> 'FreeRADIUS' menu, please enable FreeRADIUS Logging
10. Could you please ssh to the YRVA instance and restart the rsyslog process by executing the following command:
/etc/init.d/rsyslog restart
11. Please try to add the user and test the user with YubiKey credentials.

Please send us the following log files:
/var/log/syslog
/var/log/messages
/var/log/ykval.log
/var/log/ykropval.log
/var/log/ykmap.log
/var/log/freeradius/radius.log
/var/log/postgresql/postgresql-8.4-main.log
/var/log/apache2/error.log
/var/log/apache2/access.log
/var/log/debug

2. If you have already configure the webmin logs, please send "webmin.debug" file available at /var/webmin/webmin.debug

If not please configure the log file with the following settings from the webmin console:
1. Login to webmin
2. Go to "Webmin" >> "Webmin Configuration"
3. Please Click on "Debugging Log File"
4. Please Click on "yes" option of "Debug log enabled?"
5. Please click on "save" button to save the changes.
6. Please once again Import Users.

Please find the "webmin.debug" file at /var/webmin/webmin.debug

3. Please brief on any other observations and please send the screen shots, error messages observed.

Thanks and best regards,
Samir.

Statistics: Posted by samir — Tue Mar 26, 2013 2:16 pm

[QUESTION] - MSCHAP not working with YubiRadius/2008r2 RRAS

2013-03-25T14:00:06+01:00

I have the YubiRadius 3.6.1 Appliance fully configured. I also have a Server 2008 R2 setup with RRAS. In the configuraion of RRAS I have it set to use MSCHAPv2 for the Authentication type and I have it pointing to the YubiRadius for RADIUS Authentication. On a Windows 7 VPN login, with MSCHAPv2 and Required Encryption, it constantly denies credentials. I have gradual deployment enabled and have single factor authentication turned on for all users imported from Active Directory. I currently have no Yubikeys assigned and I am just testing the functionality of the Radius Authentication provided via YubiRadius. In the FreeRadius log file I see where the Authentication is failing, yet I am unable to decipher what the log is having a problem with. Can someone help me out?

rlm_perl: Added pair MS-CHAP2-Response = 0x0000f460b5f590a1171149195ce6ed4dad2f0000000000000000f224aa1c8d21ea6afcc72c10d69f935078d076b9cb846e67
rlm_perl: Added pair NAS-Port = 257
rlm_perl: Added pair Auth-Type = MSCHAP
++[perl] returns ok
[files] users: Matched entry DEFAULT at line 147
++[files] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: abrazier
[mschap] Told to do MS-CHAPv2 for abrazier with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=abrazier
[mschap] expand: %{mschap:NT-Domain} -> epc
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-epc} -> --domain=epc
[mschap] mschap2: b1
[mschap] Creating challenge hash with username: abrazier
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=98a9b3e2374fa6cf
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=f224aa1c8d21ea6afcc72c10d69f935078d076b9cb846e67
Exec-Program output: Invalid handle (0xc0000008)
Exec-Program-Wait: plaintext: Invalid handle (0xc0000008)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> epc\abrazier
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Thread 3 waiting to be assigned a request

Statistics: Posted by abrazier — Mon Mar 25, 2013 2:00 pm

Yubico Forum

Re: [QUESTION] - MSCHAP not working with YubiRadius/2008r2 R

[QUESTION] - MSCHAP not working with YubiRadius/2008r2 RRAS