
MSCHAP & MSCHAPv2 Always Error 99

I am trying to use multiOTP for VPN authentication for macOS via FreeRADIUS in the multiOTP Docker image. Apparently macOS requires MSCHAPv2 and will NAK and cause FreeRADIUS to treat it as misbehaving unless MSCHAPv2 is configured as the default in the eap addon, but even if I change the config to default to MSCHAPv2, I still always get an error regardless of authentication configuration (LDAP Password + TOTP [presumably expected to fail], PIN + TOTP, TOTP Only), and the errors also lead to account lockout, implying that authentication was actually attempted.

I am able to successfully authenticate using PAP and CHAP with the default eap addon configuration using diagnostic commands from a FortiGate firewall, but MSCHAP and MSCHAPv2 both get rejected (error 99) from there as well. As such, I suspect this is the best point to troubleshoot from (keep macOS out of the equation initially).

I might be confused because I don't remember following the instructions under https://github.com/multiOTP/multiotp/wiki/#configuring-multiotp-with-freeradius-3x-under-linux to make the changes, but when I step through the instructions, most of the changes seem to already be in place. Since they might be in place by default in newer versions, I am hesitant to make changes based on that section or the page it links to in case they could be incorrect/outdated. I also notice that the top of that section says "NT_KEY generation is also supported using the -request-nt-key option (like for ntlm_auth --request-nt-key option), which is needed in order to enable VPN (PPTP + MPPE) with MS-CHAP/MS-CHAPv2." But then step 3 proceeds to say -nt-key-only (it isn't obvious if I might need both and/or if they are interchangeable).

Here is some lightly sanitized example output from the FortiGate for reference:
fortigate # diag test authserver radius multiOTP pap testuser 123456900680
authenticate 'testuser' against 'pap' succeeded, server=primary assigned_rad_session_id=74659676487683 session_timeout=0 secs idle_timeout=0 secs!
fortigate # diag test authserver radius multiOTP chap testuser 123456398830
authenticate 'testuser' against 'chap' succeeded, server=primary assigned_rad_session_id=74659676487684 session_timeout=0 secs idle_timeout=0 secs!
fortigate # diag test authserver radius multiOTP mschap testuser 123456898101
authenticate 'testuser' against 'mschap' failed, assigned_rad_session_id=74659676487685 session_timeout=0 secs idle_timeout=0 secs!
fortigate # diag test authserver radius multiOTP mschap2 testuser 123456819895
authenticate 'testuser' against 'mschap2' failed, assigned_rad_session_id=74659676487686 session_timeout=0 secs idle_timeout=0 secs!

Here are the lightly sanitized logs for those tests:
notice testuser User OK: User testuser successfully logged in with TOTP token 0 26d5455e1eb9 172.24.0.1
notice testuser User Info: User testuser successfully logged in using an external server from [] for 0.0.0.0 0 26d5455e1eb9
notice testuser User OK: User testuser successfully logged in with TOTP token 0 26d5455e1eb9 172.24.0.1
notice testuser User Info: User testuser successfully logged in using an external server from [] for 0.0.0.0 0 26d5455e1eb9
warning testuser User Error: authentication failed for user testuser 0 26d5455e1eb9 172.24.0.1
warning testuser User Error: authentication failed for user testuser (same token replayed) 0 26d5455e1eb9 172.24.0.1

When I debug, I see this for MSCHAP:
multiotp 5.10.2.2
Your script is running from /usr/local/bin/multiotp/
debug CredentialProviderRequest Info: *Value for IsCredentialProviderRequest: 0 26d5455e1eb9 172.24.0.1
debug Server-Client Info: *CheckUserExists server request for testuser with challenge MOSH93eb750295d8479422eb88d3985ab89c 0 26d5455e1eb9 172.24.0.1
debug Server-Client Info: *CheckUserExists intermediate error code: 22 0 26d5455e1eb9 172.24.0.1
========================================
multiotp 5.10.2.2
Your script is running from /usr/local/bin/multiotp/
debug CredentialProviderRequest Info: *Value for IsCredentialProviderRequest: 0 26d5455e1eb9 172.24.0.1
debug Server-Client Info: *ReadUserData server request for testuser 0 26d5455e1eb9 172.24.0.1
info Debug Debug: *CheckToken intermediate result (totp) 19578, push_trial: -1 result: 99 0 26d5455e1eb9 172.24.0.1
warning testuser User Error: authentication failed for user testuser 0 26d5455e1eb9 172.24.0.1
warning testuser Debug Debug: *authentication typed by the user is CHAP encrypted 0 26d5455e1eb9 172.24.0.1
info Debug Debug: *CheckToken intermediate result 19880, result: 99 0 26d5455e1eb9 172.24.0.1

However, I see this for MSCHAPv2 (even though I do not submit the token more than once):
multiotp 5.10.2.2
Your script is running from /usr/local/bin/multiotp/
debug CredentialProviderRequest Info: *Value for IsCredentialProviderRequest: 0 26d5455e1eb9 172.24.0.1
debug Server-Client Info: *CheckUserExists server request for testuser with challenge MOSHb541faaea333a29de711d14ab4167525 0 26d5455e1eb9 172.24.0.1
debug Server-Client Info: *CheckUserExists intermediate error code: 22 0 26d5455e1eb9 172.24.0.1
========================================
multiotp 5.10.2.2
Your script is running from /usr/local/bin/multiotp/
debug CredentialProviderRequest Info: *Value for IsCredentialProviderRequest: 0 26d5455e1eb9 172.24.0.1
debug Server-Client Info: *ReadUserData server request for testuser 0 26d5455e1eb9 172.24.0.1
info Debug Debug: *CheckToken intermediate result (totp) 19578, push_trial: -1 result: 99 0 26d5455e1eb9 172.24.0.1
warning testuser User Error: authentication failed for user testuser (same token replayed) 0 26d5455e1eb9 172.24.0.1
warning testuser Debug Debug: *authentication typed by the user is CHAP encrypted 0 26d5455e1eb9 172.24.0.1
info Debug Debug: *CheckToken intermediate result 19880, result: 99 0 26d5455e1eb9 172.24.0.1

Both also have this matching (lightly sanitized) bit following the bits above:
multiotp 5.10.2.2
Your script is running from /usr/local/bin/multiotp/
info Debug Debug: *CheckToken intermediate result 19891, result: 99 from [] for 0.0.0.0 0 26d5455e1eb9
debug Debug Debug: *99 ERROR: Authentication failed (and other possible unknown errors) from [] for 0.0.0.0 0 26d5455e1eb9
debug Debug Debug: *Attributes sent to the RADIUS server: Reply-Message := "ERROR: Authentication failed (and other possible unknown errors)" from [] for 0.0.0.0 0 26d5455e1eb9

A bit more testing shows that the replayed error was caused by changing -nt-key-only to -request-nt-key in /etc/freeradius/3.0/mods-available/multiotpmschap and reverting that causes MSCHAPv2 to behave the same way as MSCHAPv1. Also, in case it could be relevant, after getting the error with MSCHAPv2, I can go to the webUI and successfully use the same token that didn't work with MSCHAPv2. I'm not sure how to proceed from here.
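As an added illustration (this is example code written for this page, not multiOTP's or FreeRADIUS's own implementation), the block below is a minimal RFC 4226/6238 HOTP/TOTP verifier with the kind of per-time-step replay tracking that produces a "same token replayed" outcome: the first check of a live code is accepted, and a second check of the same code within its validity window is rejected even though the code itself is still time-valid. The secret is the public RFC test-vector key and the class and function names (TotpVerifier, double_check) are assumptions made for the example; nothing here reproduces how multiOTP decides that a token was replayed.

```python
"""Minimal RFC 6238 TOTP verifier with replay tracking (example code, not multiOTP's implementation)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the Unix time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Accepts a given time step's code once; a second presentation of it is reported as a replay."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window        # time steps of clock skew tolerated on each side of "now"
        self.last_counter = -1      # highest time step already consumed by an accepted login

    def verify(self, code: str, unix_time: int) -> str:
        """Return 'ok', 'replayed' or 'failed'; only 'ok' should grant access."""
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter < 0:
                continue
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                if counter <= self.last_counter:
                    return "replayed"   # correct code, but its time step was already used
                self.last_counter = counter
                return "ok"
        return "failed"


# Constructed sample secret: the RFC 4226/6238 test-vector key, not a real credential.
SAMPLE_SECRET = b"12345678901234567890"


def double_check(unix_time: int = 59) -> tuple:
    """Check one live code twice against the same verifier, which is what a front end
    does if it invokes the OTP backend more than once for a single login attempt."""
    verifier = TotpVerifier(SAMPLE_SECRET)
    code = totp(SAMPLE_SECRET, unix_time)
    return verifier.verify(code, unix_time), verifier.verify(code, unix_time)


if __name__ == "__main__":
    print(totp(SAMPLE_SECRET, 59))   # 287082 (RFC 6238 SHA-1 vector for T=59, last six digits)
    print(double_check())            # ('ok', 'replayed')
```

The point for the troubleshooting above: a replay verdict means the backend did see a valid code for that time step once already, so when a single client-side submission yields "same token replayed", the thing to look for is the authentication path calling the OTP check twice, not the user re-entering the code.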