Bug : MS-CHAP-v2 / ntmlv1/ntmlv2 #62

Open
jurgele opened this issue Aug 8, 2019 · 5 comments

jurgele commented Aug 8, 2019

Hello,

I'm trying to set up multiOTP 5.4.1.6 (PHP version 5.6.27) and FreeRADIUS 2.2.5 with OTP only (no PIN) and MS-CHAP-v2. I downloaded the multiOTP Hyper-V image and upgraded the multiOTP. The setup works with PAP, CHAP and MS-CHAP but does not work with MS-CHAP-v2. I receive ERROR: Authentication failed (and other possible unknown errors).

I ask kindly for some directions on how to investigate the cause of the error.

Kind regards,

Gregor

@multiOTP
Owner

Hello, we will look into this in the next few days.
Have a great day.
Yann

@multiOTP
Owner

Hello,
This is an old issue now. Could you confirm that MS-CHAPv2 is now working for you, at least with the last version 5.8.1.9?
Regards,

zapotah commented Dec 8, 2021

Posting to this issue as it seems that something is going completely wrong with the mschapv2 challenge and response generation with multiotp for otp verification. My guess is, looking at the code at CalculateMsChap2Response, that multiotp is doing ntlmv1 hashes for mschapv2 when literally everything on the planet does ntlmv2 these days and ntlmv1 is completely disabled.

@multiOTP
Owner

multiOTP commented Dec 9, 2021

Hello,
Thanks a lot for the info.
We are planning on looking at this in January 2022.
Best regards.

multiOTP changed the title from "MS-CHAP-v2" to "Bug : MS-CHAP-v2 / ntmlv1/ntmlv2" on Nov 1, 2022
@yankaiqian

> Posting to this issue as it seems that something is going completely wrong with the mschapv2 challenge and response generation with multiotp for otp verification. My guess is, looking at the code at CalculateMsChap2Response, that multiotp is doing ntlmv1 hashes for mschapv2 when literally everything on the planet does ntlmv2 these days and ntlmv1 is completely disabled.

I think we should follow the RFC when implementing MS-CHAP v2, not simply change it to NTLMv1 or NTLMv2. I am not familiar with the development, but I think MS-CHAPv2 uses the MD4 hash and the DES encryption algorithm, similar to NTLMv1; that is why it will not work when the DC disables NTLMv1.

Just want to share this: there is an issue with MS-CHAPv2 when we use Microsoft RRAS and NPS as the VPN server in a domain where the DC servers support NTLMv2 only; we need to add a registry entry on the VPN server to enable NTLMv2 (with MS-CHAPv2) support.
We also tested it on Server 2016 and 2019, same issue, so even some MS-CHAPv2-related component in Microsoft Windows Server is not compatible with NTLMv2 by default.

Microsoft KB:
http://support.microsoft.com/en-us/help/2811487
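
As an added illustration (not multiOTP's code and not written by anyone in this thread), the Python below derives the three inputs that RFC 2759 feeds into the MS-CHAPv2 NT-Response: the MD4 NT password hash, the 8-byte SHA-1 challenge, and the three DES keys cut from the zero-padded hash, which is the MD4/DES construction the comment above refers to. Function names are this example's own; MD4 is written out because many OpenSSL builds no longer expose it, and the final DES encryption is left to a crypto library.

```python
import hashlib
import struct

# Per MD4 round: (mixing function, additive constant, message-word order, shifts)
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     [4 * (i % 4) + i // 4 for i in range(16)], (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)

def _rol(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        h = list(state)
        for f, const, order, shifts in _ROUNDS:
            for i, k in enumerate(order):
                new = _rol(h[0] + f(h[1], h[2], h[3]) + X[k] + const, shifts[i % 4])
                h = [h[3], new, h[1], h[2]]  # rotate the a, b, c, d registers
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, h)]
    return struct.pack("<4I", *state)

def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 over the UTF-16LE password (same hash NTLM stores)."""
    return md4(password.encode("utf-16-le"))

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash: first 8 bytes of SHA-1(peer || authenticator || username)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]

def des_keys(nt_hash: bytes) -> list:
    """Zero-pad the hash to 21 bytes, cut three 7-byte keys, expand each to
    8 bytes with odd parity. Each key then DES-encrypts the 8-byte challenge;
    the three ciphertexts concatenated are the 24-byte NT-Response."""
    padded = nt_hash.ljust(21, b"\x00")
    keys = []
    for i in range(0, 21, 7):
        bits = int.from_bytes(padded[i:i + 7], "big")
        groups = [(bits >> (49 - 7 * j)) & 0x7F for j in range(8)]
        keys.append(bytes((g << 1) | (1 ^ (bin(g).count("1") & 1)) for g in groups))
    return keys
```

The third DES key carries only the last two bytes of the hash, and no HMAC-MD5 step appears anywhere, which is what separates this construction from an NTLMv2 response.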
