Problem with EAP-PEAP and freeradius3

Angel L. Mateo amateo at um.es
Tue Mar 10 13:51:01 CET 2015


Hello,

	I'm trying to migrate my freeradius2 configuration for eduroam to 
freeradius3, but EAP-PEAP is not working.

	The configuration in my outer server is:
server eduroam {
   authorize {
     preprocess
     suffix
     files_eduroam_outer
     eap
   }
   authenticate {
     eap
   }
   ...
}

	In the inner tunnel I have:
server eduroam-inner-tunnel {
   authorize {
     preprocess
     suffix
     eap
     files_eduroam_inner
     mschap
     Autz-Type LDAP-MSCHAP {
       ldap-email
     }
     pap
   }
   authenticate {
     Auth-Type PAP {
       pap
     }
     Auth-Type MS-CHAP {
       mschap
     }
     Auth-Type LDAP {
       ldap-email
     }
   }
   ...
}

	And the authorize user's file configured in files_eduroam_inner is:
DEFAULT Realm == um.es, Autz-Type = LDAP-MSCHAP
         User-Name = "%{User-Name}",
         X-Atica-Tipo = 'paspdi',
         Fall-Through = No

	In the ldap module, I have configured:
update {
   control:Password-With-Header  += 'userPassword'
   control:NT-Password    = 'sambaNTPassword'
   ...
}

	because sambaNTPassword is the attribute in my LDAP where I have the 
password in the Windows format (I don't have it in cleartext).

	With this configuration, I'm getting the error (I have attached the 
complete log):

(8) eap: Previous EAP request found for state 0x47fa1d5f47f20719, released from the list
(8) eap: Peer sent method MSCHAPv2 (26)
(8) eap: EAP MSCHAPv2 (26)
(8) eap: Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/eduroam-inner-tunnel
(8) eap_mschapv2:   Auth-Type MS-CHAP {
(8) mschap: WARNING: NT-Password has not been normalized by the 'pap' module (likely still in hex format).  Authentication may fail
(8) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(8) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(8) mschap: Creating challenge hash with username: angel.luis at um.es
(8) mschap: Client is using MS-CHAPv2
(8) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
(8)     [mschap] = reject
(8)   } # Auth-Type MS-CHAP = reject

	With this same configuration, if I create a user directly in the 
authorize file (with its Cleartext-Password), it works, but with my 
users defined in LDAP, it doesn't.

	Any help?

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 868888337
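
Added example (not part of the original message, and not FreeRADIUS code): the first mschap warning in the log is about the encoding of NT-Password. An NT hash is 16 raw bytes, while the warning says the value is likely still in hex, that is, 32 ASCII characters. The Python sketch below classifies a stored value and converts it to the raw form; the function names and the sample value are constructed for illustration, and the base64 case goes beyond the hex case the log mentions.

```python
import base64
import binascii
import string

NT_HASH_LEN = 16  # an NT hash is an MD4 digest: 16 raw bytes

# Constructed sample value in the 32-hex-character form (not a real user's hash).
SAMPLE_HEX = b"00112233445566778899AABBCCDDEEFF"


def classify_nt_password(value: bytes) -> str:
    """Return 'raw', 'hex' or 'base64' for a stored NT hash, else 'invalid'."""
    if len(value) == NT_HASH_LEN:
        return "raw"  # already the 16 bytes MS-CHAP computes with
    try:
        text = value.decode("ascii")
    except UnicodeDecodeError:
        return "invalid"
    if len(text) == 2 * NT_HASH_LEN and all(c in string.hexdigits for c in text):
        return "hex"
    try:
        if len(base64.b64decode(text, validate=True)) == NT_HASH_LEN:
            return "base64"
    except (binascii.Error, ValueError):
        pass
    return "invalid"


def normalize_nt_password(value: bytes) -> bytes:
    """Convert a hex- or base64-encoded NT hash to its 16 raw bytes."""
    kind = classify_nt_password(value)
    if kind == "raw":
        return value
    if kind == "hex":
        return bytes.fromhex(value.decode("ascii"))
    if kind == "base64":
        return base64.b64decode(value, validate=True)
    raise ValueError("value is not a 16-byte NT hash in raw, hex or base64 form")


if __name__ == "__main__":
    for candidate in (SAMPLE_HEX, normalize_nt_password(SAMPLE_HEX), b"not-a-hash"):
        print(classify_nt_password(candidate), len(candidate))
```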

