question regarding PEAP/MSCHAPv2 (ERROR: FAILED: No NT/LM-Password. Cannot perform authentication)

Thomas Stather Thomas.Stather at mpimf-heidelberg.mpg.de
Fri Oct 30 09:33:25 CET 2015


Hello

I am still failing with my RADIUS setup (eduroam -> PEAP/MSCHAPv2 and 
authentication against our LDAP server) on 3.0.10.
After having sorted out lots of mistakes by myself in the RADIUS config 
(thanks for your help on the previous post), the server now starts.

But when I try to connect with my mobile device to the test SSID, I get:


----------------------------------------------------------------------
...
(6) ldap1: User object found at DN 
"uid=tstather,ou=people,dc=mpimf-heidelberg,dc=mpg,dc=de"
rlm_ldap (ldap1): Released connection (0)
(6)         [ldap1] = ok
(6)       } # redundant redundant_ldap = ok
(6)       [pap] = noop
(6)     } # authorize = updated
(6)   Found Auth-Type = EAP
(6)   # Executing group from file 
/etc/raddb/sites-enabled/mpimf_inner-tunnel
(6)     authenticate {
(6) eap: Expiring EAP session with state 0x8d973f168d3225fd
(6) eap: Finished EAP session with state 0x8d973f168d3225fd
(6) eap: Previous EAP request found for state 0x8d973f168d3225fd, 
released from the list
(6) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: # Executing group from file 
/etc/raddb/sites-enabled/mpimf_inner-tunnel
(6) eap_mschapv2:   Auth-Type MS-CHAP {
(6) mschap: WARNING: No Cleartext-Password configured.  Cannot create 
NT-Password
(6) mschap: WARNING: No Cleartext-Password configured.  Cannot create 
LM-Password
(6) mschap: Creating challenge hash with username: 
tstather at mpimf-heidelberg.mpg.de
(6) mschap: Client is using MS-CHAPv2
(6) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(6) mschap: ERROR: MS-CHAP2-Response is incorrect
(6)     [mschap] = reject
(6)   } # Auth-Type MS-CHAP = reject
(6) eap: Sending EAP Failure (code 4) ID 165 length 4
(6) eap: Freeing handler
(6)       [eap] = reject
(6)     } # authenticate = reject
(6)   Failed to authenticate the user
(6)   Using Post-Auth-Type Reject
(6)   # Executing group from file 
/etc/raddb/sites-enabled/mpimf_inner-tunnel
(6)     Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject:    --> tstather at mpimf-heidelberg.mpg.de
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6)       [attr_filter.access_reject] = updated
(6)     } # Post-Auth-Type REJECT = updated
(6) } # server mpimf_inner-tunnel
(6) Virtual server sending reply
(6)   MS-CHAP-Error = "\245E=691 R=1 C=d3892ab1fa88824c1ae8daf07fc80483 
V=3 M=Authentication failed"
(6)   EAP-Message = 0x04a50004
(6)   Message-Authenticator = 0x00000000000000000000000000000000
...
----------------------------------------------------------------------


Our LDAP server has the attributes "sambaLMPassword" and 
"sambaNTPassword" (there is also a samba server linked to it).

I read some documentation but now I'm confused.

Am I right in the assumption that the error occurs because our LDAP 
server has no "clear-text password" entries for the users?

Is the only option to get it to work to use the "ntlm_auth" module?

I wanted to implement this setup independently of our samba server, or 
is this simply not possible?

Best,

Thomas

-- 
Thomas Stather
IT Services

Tel:  +49 6221-486 628
Fax: +49 6221-486 561

------------------------------------------------------------------------
Max Planck Institute for Medical Research (MPImF)
Jahnstrasse 29, 69120 Heidelberg
Germany
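
An added example, not part of the original post and not FreeRADIUS code: a Python triage of debug output like the log above. It decodes the `MS-CHAP-Error` string (fields as in the RFC 2759 failure packet) and separates a reject caused by the server having no NT/LM hash from an ordinary response mismatch, since both surface to the client as `E=691`. The names `triage` and `SAMPLE` are hypothetical, and the sample input is constructed from the post's log with wrapped lines rejoined.

```python
import re

# Failure codes defined for the MS-CHAPv2 Failure packet (RFC 2759).
ERROR_CODES = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
               648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
               691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

# Constructed sample: lines from the post's debug log, mail line-wraps rejoined.
SAMPLE = r'''
(6) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(6) mschap: Client is using MS-CHAPv2
(6) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(6) mschap: ERROR: MS-CHAP2-Response is incorrect
(6)   MS-CHAP-Error = "\245E=691 R=1 C=d3892ab1fa88824c1ae8daf07fc80483 V=3 M=Authentication failed"
'''

REQ = re.compile(r"^\((\d+)\)\s+(.*)$")
# The leading octet is the Ident; the log shows it as an octal escape
# (\245 = 165, the same value as the EAP ID 165 in the post's log).
ERR = re.compile(r'MS-CHAP-Error = "\\(\d{3})E=(\d+) R=([01]) '
                 r'C=([0-9a-fA-F]{32}) V=(\d+)(?: M=(.*))?"')

def triage(log_text):
    """Return {request_id: findings} for every numbered request in the log."""
    out = {}
    for line in log_text.splitlines():
        m = REQ.match(line.strip())
        if not m:
            continue
        req, body = int(m.group(1)), m.group(2)
        f = out.setdefault(req, {"no_hash": False, "error": None, "cause": None})
        if "No NT/LM-Password" in body:
            f["no_hash"] = True
        e = ERR.search(body)
        if e:
            ident, code, retry, chal, ver, msg = e.groups()
            f["error"] = {"ident": int(ident, 8), "code": int(code),
                          "name": ERROR_CODES.get(int(code), "unknown"),
                          "retry": retry == "1", "challenge": bytes.fromhex(chal),
                          "version": int(ver), "message": msg}
    for f in out.values():
        # E=691 alone reads as a bad password; the mschap line tells the cases apart.
        if f["no_hash"]:
            f["cause"] = "server had no NT/LM hash for the user"
        elif f["error"] and f["error"]["code"] == 691:
            f["cause"] = "response did not match the stored hash"
    return out
```
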


