Cannot connect with EAP-TTLS + MS-CHAPv2. if you'd kindly teach me.

Alan DeKok aland at deployingradius.com
Tue Aug 13 04:56:59 CEST 2019


On Aug 12, 2019, at 10:43 PM, Yuya Yanagi <peacefull64 at gmail.com> wrote:
> 
> I understood the pointed out contents and deleted . I'm sorry for bothering you.
> When you run it again, you will be told that there is no NT / LM
> password. Where should I look next?

  You edited the default configuration and broke it.  Don't do that.

  You have a very complex configuration.  You've clearly built it without doing much in the way of testing.  That's wrong.

> (6) ldap_regularusers: control:NT-Password :=
> 0x4243353030433041363439353842434531393638383936303344464645343530

  As I said earlier, that *is* the NT password.

> (6) ldap_regularusers: control:User-Password :=
> 'BC500C0A64958BCE196889603DFFE450'
> (6) ldap_regularusers: control:Password-With-Header :=
> '{SSHA256}Q1iLz8Pc/mkXU/hniRsu3/rpWKOVdjAU/4t2iLynZqdIPFIYPW0elA=='
> rlm_ldap (ldap_regularusers): Released connection (0)
> (6)           [ldap_regularusers] = updated
> (6)         } # if (&outer.request:Called-Station-SSID == 'BLUE')   = updated
> (6)       } # if (&outer.request:NAS-IP-Address =~
> /^192\.168\.10\.1[2]{1}$/ || &outer.request:NAS-IP-Address ==
> "192.168.200.240" || &outer.request:NAS-IP-Address == "localhost")  =
> updated
> (6)       [expiration] = noop
> (6)       [logintime] = noop
> (6)     } # authorize = updated

  Note that there is no "pap" module.  The "pap" module is used in the default configuration.  It is placed last in the "authorize" section so that it can "fix" the various passwords.

  Put the "pap" module back, as the last entry in the "authorize" section.

> (6) mschap: WARNING: NT-Password has not been normalized by the 'pap'
> module (likely still in hex format).  Authentication may fail

  Again, that is pretty clear.  The "pap" module should be fixing the NT-Password.  Since you *deleted* the PAP module, it is NOT fixing the NT-Password.

  The solution is to NOT delete the "pap" module.

  It's hard to make these error messages any easier to understand.

  Alan DeKok.
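Added example, not part of the original message and not FreeRADIUS code: a Python sketch of the hex-to-binary step the `mschap` warning refers to, run on the `control:NT-Password` value copied from the debug output quoted above. The function names are hypothetical, and only the hex case of normalisation is shown.

```python
import string

NT_HASH_LEN = 16  # an NT hash is an MD4 digest: 16 raw bytes

# Value copied from the "control:NT-Password :=" debug line quoted above.
LOGGED_NT_PASSWORD = (
    "0x4243353030433041363439353842434531393638383936303344464645343530"
)


def parse_debug_value(text: str) -> bytes:
    """Convert an octets value as printed in debug output ('0x...') to bytes."""
    text = text.strip()
    if not text.lower().startswith("0x"):
        raise ValueError("expected a 0x-prefixed octets value")
    return bytes.fromhex(text[2:])


def classify(value: bytes) -> str:
    """Report how the NT hash is encoded in the attribute value."""
    if len(value) == NT_HASH_LEN:
        return "binary"      # already the 16 raw bytes mschap expects
    if len(value) == 2 * NT_HASH_LEN and all(
        chr(b) in string.hexdigits for b in value
    ):
        return "hex-text"    # 32 ASCII hex characters, as LDAP returned them
    return "unknown"


def normalize_nt_password(value: bytes) -> bytes:
    """Return the 16-byte NT hash, decoding hex text when that is what we got."""
    kind = classify(value)
    if kind == "binary":
        return value
    if kind == "hex-text":
        return bytes.fromhex(value.decode("ascii"))
    raise ValueError(f"cannot normalise NT-Password of length {len(value)}")


if __name__ == "__main__":
    raw = parse_debug_value(LOGGED_NT_PASSWORD)
    print(len(raw), classify(raw), raw.decode("ascii"))
    fixed = normalize_nt_password(raw)
    print(len(fixed), classify(fixed), fixed.hex().upper())
```

The 32 octets in the log decode to the same text shown for `control:User-Password`, which is why the attribute holds the NT hash but in a form `mschap` cannot use until it has been reduced to 16 bytes.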



