
Multiotp cannot get "NT_KEY"

Hello. I'm trying to set up multiOTP + FreeRADIUS on CentOS 7. When I run "radtest -t mschap testuser 12345 127.0.0.1 0 testing123", the multiotpmschap module returns "Invalid output from ntlm_auth: expecting 'NT_KEY: ' prefix". However, according to the debug message of FreeRADIUS, NT_KEY is sent to the RADIUS server. Here is the debug message of FreeRADIUS:

--------------------------------------
PHP Warning: Module 'mbstring' already loaded in Unknown on line 0
(2) multiotpmschap: Program returned code (0) and output '
LOG 2018-01-31 05:02:56 debug Debug Debug: *parameter(s) received: testuser -request-nt-key -src=127.0.0.1 -chap-challenge= -chap-password= -ms-chap-challenge=0xe97a929a59d92dad -ms-chap-response=0x00010000000000000000000000000000000000000000000000005b75a41bac340aaf047b4c89de0aa20756fbcc9baf3ebb6c -ms-chap2-response= from 127.0.0.1
LOG 2018-01-31 05:02:56 notice (user testuser) User OK: User testuser successfully logged in with TOTP token from 127.0.0.1 0 *OK: Token accepted
LOG 2018-01-31 05:02:56 debug Debug Debug: *Attributes sent to the RADIUS server: NT_KEY: E006844848290D66C085C096E8982A56 from 127.0.0.1
NT_KEY: E006844848290D66C085C096E8982A56
'
(2) multiotpmschap: ERROR: Invalid output from ntlm_auth: expecting 'NT_KEY: ' prefix
(2) multiotpmschap: ERROR: MS-CHAP2-Response is incorrect
--------------------------------------

My goal is to connect to an 802.1X network by entering a username and a one-time password (I do not need the Active Directory password). I synced multiotp users from Active Directory, and /usr/bin/ntlm_auth is OK. I thought the problem was caused by encoding, because I had set [mbstring.internal_encoding] in /etc/php.ini to "UTF-8" while multiotp writes in EUC, so I changed php.ini to EUC, but it had no effect... Why can't the multiotpmschap module see NT_KEY?

[Product versions]
CentOS Linux release 7.4.1708 (Core)
multiOTP 5.0.4.8
freeradius.x86_64 3.0.13-8.el7_4
PHP Version 5.4.16

Thanks.

Comments

  • Hello, FreeRADIUS parses the stdout in order to extract the NT_KEY information provided by multiotp. Please disable the display of PHP warnings/notices/information on stdout and put them in a log file only. The warning "Module 'mbstring' already loaded" causes the problem. If there is a UTF encoding problem, please open a separate discussion for that. Regards, Andre
  • Thank you AndreL. I disabled the display of PHP (commented out mbstring.so in php.ini), but there is still the error...
    -----------------
    (0) multiotpmschap: Program returned code (0) and output '
    LOG 2018-02-02 18:33:33 debug Debug Debug: *parameter(s) received: testuser -request-nt-key -src=127.0.0.1 -chap-challenge= -chap-password= -ms-chap-challenge=0x4b498e6fac210cc9 -ms-chap-response=0x000100000000000000000000000000000000000000000000000010d0958830d5f4659378e12a6525b29b01f245a2fdacab57 -ms-chap2-response= from 127.0.0.1
    LOG 2018-02-02 18:33:33 notice (user testuser) User OK: User testuser successfully logged in with TOTP token from 127.0.0.1 0 *OK: Token accepted
    LOG 2018-02-02 18:33:33 debug Debug Debug: *Attributes sent to the RADIUS server: NT_KEY: FFB97C74668F0EE39AC7A6CC0A70CE50 from 127.0.0.1
    NT_KEY: FFB97C74668F0EE39AC7A6CC0A70CE50
    '
    (0) multiotpmschap: ERROR: Invalid output from ntlm_auth: expecting 'NT_KEY: ' prefix
    (0) multiotpmschap: ERROR: MS-CHAP2-Response is incorrect
    -----------------
    Any ideas? And I want to debug the module, but multiotp.php has weird line-feed codes. How do you guys debug?? Thanks.
  • edited February 27
    Hello Takabow, please also permanently disable the display-log option (multiotp -config display-log=0), because ntlm_auth expects to receive NT_KEY and receives LOG 2018... instead! multiotp.php is stripped and everything is included in one file in order to be used easily, but you also have the full version in the source folder (in separate files). Regards,
  • Thank you AndreL!! Yes! "multiotp -config display-log=0" worked!!! Really, thank you again. I'll try to use this in an enterprise environment!!
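The failure mode diagnosed in this thread, as an added example that is not part of the original posts and not code from the multiOTP or FreeRADIUS projects: a Python re-implementation of the check that FreeRADIUS's mschap module applies to the stdout of its configured ntlm_auth helper (here multiotp called with -request-nt-key). The first bytes of that stdout must be exactly "NT_KEY: " followed by the 32 hex digits of the NT hash, so any line printed before it, whether a PHP warning or multiotp's own LOG lines, makes the whole response unparseable even though the key is present further down. The sample output is taken from the thread's second debug dump with line breaks restored as an assumption; the PHP-warning variant, the error wording and the diagnosis labels are this example's own assumptions.

```python
"""Re-implementation (not FreeRADIUS code) of the NT_KEY parse that the
mschap module performs on its ntlm_auth helper's stdout, plus a small
diagnosis of the two causes that appeared in this thread."""

NT_KEY_PREFIX = "NT_KEY: "
NT_HASH_HEX_LEN = 32  # 16-byte NT hash, hex encoded


def parse_nt_key(stdout: str):
    """Return (nt_hash_bytes, None) on success, or (None, error) on failure.

    The prefix and length checks model the errors the mschap module reports
    for bad helper output; the exact message text is approximated here."""
    if not stdout.startswith(NT_KEY_PREFIX):
        return None, "Invalid output from ntlm_auth: expecting 'NT_KEY: ' prefix"
    hexdigits = stdout[len(NT_KEY_PREFIX):].rstrip("\r\n ")
    if len(hexdigits) < NT_HASH_HEX_LEN:
        return None, ("Invalid output from ntlm_auth: NT_KEY too short, "
                      f"expected {NT_HASH_HEX_LEN} bytes got {len(hexdigits)}")
    try:
        return bytes.fromhex(hexdigits[:NT_HASH_HEX_LEN]), None
    except ValueError:
        return None, "Invalid output from ntlm_auth: NT_KEY is not hex"


def diagnose(stdout: str) -> str:
    """Classify a helper stdout by the first thing printed on it.

    'php-messages-on-stdout'  PHP printed a warning/notice before multiotp ran
                              (fix: send PHP errors to a log file, not stdout).
    'multiotp-display-log'    multiotp's display-log option echoed its log
                              (fix: multiotp -config display-log=0).
    'ok'                      stdout starts with the NT_KEY line as required.
    """
    if stdout.startswith(NT_KEY_PREFIX):
        return "ok"
    first_line = stdout.lstrip().split("\n", 1)[0]
    if first_line.startswith("PHP "):
        return "php-messages-on-stdout"
    if first_line.startswith("LOG "):
        return "multiotp-display-log"
    return "unknown-prefix"


def nt_key_present_later(stdout: str) -> bool:
    """True when an NT_KEY line exists but is not the first line of stdout:
    exactly what the poster saw in the FreeRADIUS debug output."""
    lines = [ln.strip() for ln in stdout.splitlines()]
    return (not stdout.startswith(NT_KEY_PREFIX)
            and any(ln.startswith(NT_KEY_PREFIX) for ln in lines[1:]))


# Sample 1: the thread's second debug dump (line breaks restored, assumed).
STDOUT_WITH_LOG = (
    "LOG 2018-02-02 18:33:33 debug Debug Debug: *parameter(s) received: testuser "
    "-request-nt-key -src=127.0.0.1 -chap-challenge= -chap-password= "
    "-ms-chap-challenge=0x4b498e6fac210cc9 -ms-chap-response=0x00010000000000000000"
    "00000000000000000000000000000010d0958830d5f4659378e12a6525b29b01f245a2fdacab57 "
    "-ms-chap2-response= from 127.0.0.1\n"
    "LOG 2018-02-02 18:33:33 notice (user testuser) User OK: User testuser "
    "successfully logged in with TOTP token from 127.0.0.1 0 *OK: Token accepted\n"
    "LOG 2018-02-02 18:33:33 debug Debug Debug: *Attributes sent to the RADIUS "
    "server: NT_KEY: FFB97C74668F0EE39AC7A6CC0A70CE50 from 127.0.0.1\n"
    "NT_KEY: FFB97C74668F0EE39AC7A6CC0A70CE50\n"
)

# Sample 2: constructed; models the first dump, where a PHP warning appeared
# before multiotp's output (the warning text is the one quoted in the thread).
STDOUT_WITH_PHP_WARNING = (
    "PHP Warning:  Module 'mbstring' already loaded in Unknown on line 0\n"
    + STDOUT_WITH_LOG
)

# Sample 3: constructed; the expected stdout once PHP messages go to a log
# file and display-log is 0: nothing but the NT_KEY line.
STDOUT_CLEAN = "NT_KEY: FFB97C74668F0EE39AC7A6CC0A70CE50\n"


if __name__ == "__main__":
    for name, out in (("multiotp log on stdout", STDOUT_WITH_LOG),
                      ("PHP warning on stdout", STDOUT_WITH_PHP_WARNING),
                      ("clean", STDOUT_CLEAN)):
        key, err = parse_nt_key(out)
        shown = key.hex().upper() if key else None
        print(f"{name}: {diagnose(out)}; nt_key={shown}; error={err}; "
              f"key present later={nt_key_present_later(out)}")
```

To check a live install, run multiotp by hand with the same -request-nt-key arguments FreeRADIUS passes (they are visible in the "parameter(s) received" log line above), capture its stdout, and pass the captured text to parse_nt_key: anything other than "ok" from diagnose means the helper output will be rejected before the NT hash is ever read.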