Cannot connect with EAP-TTLS + MS-CHAPv2. If you'd kindly teach me.

Yuya Yanagi peacefull64 at gmail.com
Tue Aug 13 04:43:13 CEST 2019


Hi Alan

I understood the point you made and deleted that section. I'm sorry for bothering you.
When I run it again, it says that there is no NT/LM password. Where should I look next?

---------
lm_ldap (ldap_regularusers): Reserved connection (0)
(6) ldap_regularusers: EXPAND
(&(!(employeeType=participant))(!(employeeType=trainee))(!(tutPersonAccountStatus=03))(!(tutPersonAccountStatus=04))(uid=%{%{Stripped-User-Name}:-%{User-Name}}))
(6) ldap_regularusers:    -->
(&(!(employeeType=participant))(!(employeeType=trainee))(!(tutPersonAccountStatus=03))(!(tutPersonAccountStatus=04))(uid=yanagi))
(6) ldap_regularusers: Performing search in
"ou=Users,dc=edu,dc=tut,dc=ac,dc=jp" with filter
"(&(!(employeeType=participant))(!(employeeType=trainee))(!(tutPersonAccountStatus=03))(!(tutPersonAccountStatus=04))(uid=yanagi))",
scope "sub"
(6) ldap_regularusers: Waiting for search result...
(6) ldap_regularusers: User object found at DN
"uid=yanagi,ou=Users,dc=edu,dc=tut,dc=ac,dc=jp"
(6) ldap_regularusers: Processing user attributes
(6) ldap_regularusers: control:NT-Password :=
0x4243353030433041363439353842434531393638383936303344464645343530
(6) ldap_regularusers: control:User-Password :=
'BC500C0A64958BCE196889603DFFE450'
(6) ldap_regularusers: control:Password-With-Header :=
'{SSHA256}Q1iLz8Pc/mkXU/hniRsu3/rpWKOVdjAU/4t2iLynZqdIPFIYPW0elA=='
rlm_ldap (ldap_regularusers): Released connection (0)
(6)           [ldap_regularusers] = updated
(6)         } # if (&outer.request:Called-Station-SSID == 'BLUE')   = updated
(6)       } # if (&outer.request:NAS-IP-Address =~
/^192\.168\.10\.1[2]{1}$/ || &outer.request:NAS-IP-Address ==
"192.168.200.240" || &outer.request:NAS-IP-Address == "localhost")  =
updated
(6)       [expiration] = noop
(6)       [logintime] = noop
(6)     } # authorize = updated
(6)   Found Auth-Type = eap
(6)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authenticate {
(6) eap: Expiring EAP session with state 0x826df85d8265e230
(6) eap: Finished EAP session with state 0x826df85d8265e230
(6) eap: Previous EAP request found for state 0x826df85d8265e230,
released from the list
(6) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(6) eap_mschapv2:   authenticate {
(6) mschap: WARNING: NT-Password has not been normalized by the 'pap'
module (likely still in hex format).  Authentication may fail
(6) mschap: WARNING: No Cleartext-Password configured.  Cannot create
NT-Password
(6) mschap: WARNING: No Cleartext-Password configured.  Cannot create
LM-Password
(6) mschap: Creating challenge hash with username: yanagi
(6) mschap: Client is using MS-CHAPv2
(6) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(6) mschap: ERROR: MS-CHAP2-Response is incorrect
(6)     [mschap] = reject
(6)   } # authenticate = reject
(6) eap: Sending EAP Failure (code 4) ID 8 length 4
(6) eap: Freeing handler
(6)       [eap] = reject
(6)     } # authenticate = reject
(6)   Failed to authenticate the user
(6)   Login incorrect (mschap: FAILED: No NT/LM-Password.  Cannot
perform authentication): [yanagi/<via Auth-Type = eap>] (from client
n-test port 0 via TLS tunnel)
(6)   Using Post-Auth-Type Reject
(6)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)     Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject:    --> yanagi
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6)       [attr_filter.access_reject] = updated
(6)       update outer.session-state {
(6)         &Module-Failure-Message := &request:Module-Failure-Message
-> 'mschap: FAILED: No NT/LM-Password.  Cannot perform authentication'
(6)       } # update outer.session-state = noop
(6)     } # Post-Auth-Type REJECT = updated
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   MS-CHAP-Error = "\010E=691 R=1
C=0d87b3e853acf17d17b03a4b37641556 V=3 M=Authentication failed"
(6)   EAP-Message = 0x04080004
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_ttls: Got tunneled Access-Reject
(6) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(6) eap: Sending EAP Failure (code 4) ID 8 length 4
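The mschap warning above says the NT-Password pulled from LDAP is still 32 bytes of hex text rather than the 16 raw bytes the module needs, which is why it then reports "No NT/LM-Password". The following is an added example, not code from the thread or from FreeRADIUS: it parses the two control: lines from this log, models the hex-to-binary normalization that the pap module applies when it runs in authorize, and reports what mschap would see. Attribute names, the regex and the report keys are my own.

```python
import binascii
import re

# Constructed copies of the two relevant control: lines from the debug log above.
LOG_LINES = [
    "(6) ldap_regularusers: control:NT-Password := "
    "0x4243353030433041363439353842434531393638383936303344464645343530",
    "(6) ldap_regularusers: control:User-Password := 'BC500C0A64958BCE196889603DFFE450'",
]

CONTROL_RE = re.compile(r"control:([\w-]+) := (0x[0-9a-fA-F]+|'[^']*')")
NT_HASH_LEN = 16  # an NT hash is an MD4 digest: 16 raw bytes


def parse_control(line: str):
    """Return (attribute, value-as-bytes) for a 'control:X := ...' debug line.
    FreeRADIUS prints octets as 0x...; string values are single-quoted."""
    m = CONTROL_RE.search(line)
    if not m:
        return None
    name, val = m.groups()
    if val.startswith("0x"):
        return name, bytes.fromhex(val[2:])
    return name, val[1:-1].encode()


def normalize_nt_password(raw: bytes) -> bytes:
    """Model the normalization pap performs: accept 16 raw bytes, or 32 ASCII
    hex characters which it decodes. Any other length is unusable for MS-CHAPv2."""
    if len(raw) == NT_HASH_LEN:
        return raw
    if len(raw) == 2 * NT_HASH_LEN and re.fullmatch(rb"[0-9A-Fa-f]{32}", raw):
        return binascii.unhexlify(raw)
    raise ValueError(f"NT-Password is {len(raw)} bytes; expected 16 raw or 32 hex")


def diagnose(lines):
    """Reproduce the length check behind the mschap warning for the log's attributes."""
    attrs = dict(filter(None, map(parse_control, lines)))
    nt = attrs["NT-Password"]
    # If the octets decode to the same text as User-Password, LDAP stores the hash as hex text.
    report = {"ldap_octet_len": len(nt), "is_hex_text": nt == attrs.get("User-Password")}
    try:
        report["normalized_len"] = len(normalize_nt_password(nt))
    except ValueError as e:
        report["error"] = str(e)
    return report


if __name__ == "__main__":
    print(diagnose(LOG_LINES))
```

The 64 hex digits from LDAP decode to the 32-character string shown as User-Password, so the value is a usable NT hash once something normalizes it before mschap runs; the warning is telling you that normalization did not happen in this inner-tunnel authorize run.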

On Tue, Aug 13, 2019 at 11:31 Alan DeKok <aland at deployingradius.com> wrote:
>
> On Aug 12, 2019, at 10:25 PM, Yuya Yanagi <peacefull64 at gmail.com> wrote:
> >
> >> That seems pretty clear.  Don't set "Auth-Type := LDAP".  It's not needed.
> >
> > Does that mean commenting out the Auth-Type LDAP part of the
> > authentication section?
>
>   No.
>
>   Read my message.  I said to DELETE the section that did:
>
>         update control {
>                 Auth-Type := LDAP
>         }
>
>   Read this:
>
> >>> (6)           update control {
> >>> (6)             &Auth-Type := LDAP
> >>> (6)           } # update control = noop
> >>
> >>  Don't do that.  It's breaking the server.
> >>
> >>  Delete those lines from your configuration.  The user should then be able to authenticate.
>
>   DELETE that section.  Don't delete ANOTHER section.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
