Clients are rejected on Nac with the reason "mschap: MS-CHAP2-Response is incorrect"

  • Question
  • Updated 1 year ago
  • Answered
Hi,
We are trying to deploy an Extreme NAC server with an Alcatel-Lucent OS-6450-24 switch, and the clients are authenticated via OpenLDAP.
We have configured the AAA configuration on NAC for LDAP and tested users on NAC successfully. On the end-system side, the client seems to be rejected
although its credentials are correct. The state description on NAC shows: "mschap: MS-CHAP2-Response is incorrect". We have
tested on both Windows 7 and Windows 10 PCs. What can be the reason for this type of rejection?

Support Forte


Posted 1 year ago


Mike Thomas, Employee - GTAC - NMS

A couple of things. It sounds like NAC has not joined the LDAP setup.
It could be that the communication just failed, or that the NAC itself is not a member of the domain (typically a domain admin in AD anyway).
1. Try to look at wbinfo -t
2. Check in OpenLDAP to see that the NAC is a member of a domain.

Check the tag.log output to see if the NAC joined the domain.
You can review the following.

 https://gtacknowledge.extremenetworks.com/articles/Q_A/How-do-I-know-if-the-NAC-has-joined-the-domai...

Also see:
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-Configure-PEAP-Authentication-via-O...

How To Test a NAC Appliance's LDAP Connection 

If this provides no feedback, you will likely want to open a case with the GTAC and provide pertinent logs such as show support and tag.log.

Support Forte

Hi Thomas,
Our customer uses OpenLDAP to validate the username and password, and users have different types of hash algorithms. For example, while personal groups use SSHA, students use the MD5 hash algorithm. When we use NAC as a local RADIUS server, we cannot authenticate the user, and the rejection reason is "mschap: MS-CHAP2-Response is incorrect". On a test user, we changed the hash algorithm option to plain text format on both LDAP and NAC, and we succeeded in authenticating the user, but our customer does not want to use plain text format for security reasons. We have tried to use the NAC as a proxy RADIUS, using a FreeRADIUS server, and the same problem occurs.

So, what is the best practice to authenticate the users in this scenario? Is there any way to implement this scenario without changing the database and hash algorithm?

Erik Auerswald, Ambassador

Hi,

MS-CHAPv2 needs either the clear-text password or the NTLM password hash; SHA-1 or MD5 hashes will not do, and neither will salted hashes.

Thanks,
Erik