Radius 3 EAP (PEAP) mschapv2 connection problem

Alan DeKok aland at deployingradius.com
Thu Jun 4 14:49:01 CEST 2020

On Jun 4, 2020, at 3:47 AM, Anatoly Oreshkin <anatoly.oreshkin at gmail.com> wrote:
> I provide debug log for session 72, please see below.
> I've found the reason of failed authentication when connecting through AP
> Compare request format from AP with one from AP

  That's good.  That's why we have debug output.  It can be huge and complex, but it usually gives the answers you need.

> In the request format from the AP there is the line
> (72)   Framed-Protocol = PPP
> Users login and password are kept in the file /etc/raddb/users
> Default user in /etc/raddb/users is specified as follows:
> DEFAULT        Framed-Protocol == PPP
>      Framed-Protocol = PPP,
>       Framed-Compression = Van-Jacobson-TCP-IP
> So radius selects DEFAULT user instead of my user name and hence
> (72) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> NT-Password

  Likely because you added the user at the *end* of the users file.  That's why the documentation says to add it at the beginning.

> In Radius 2 as DEFAULT user it was specified
> DEFAULT Auth-Type = System
>        Fall-Through = 1
> so authentication worked.

  "Auth-type System" is "authenticate users from /etc/passwd", which is NOT compatible with MS-CHAP.

  v2 worked because the "users" file entry for that user was in a different place, and it didn't match the DEFAULT entry.

> In Radius 3 there is no "Auth-Type = System" so I've left DEFAULT which
> was in /etc/raddb/users
> At least I haven't found a suitable DEFAULT from the list in /etc/raddb/users
> Maybe you can suggest a DEFAULT user?

  I have no idea what that means.

  The DEFAULTs are there to handle some common cases.  If you don't need those DEFAULTs, delete them.

> Now I've commented out DEFAULT in /etc/raddb/users and authentication
> through AP succeeded.

  Good to hear.

  Alan DeKok.
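
The ordering effect discussed in this thread, as an added example that is not part of the original messages and not FreeRADIUS code: a simplified Python model of a top-to-bottom, first-match walk over a "users" file with Fall-Through. The user "alice", her password, and the request without Framed-Protocol are constructed placeholders.

```python
import re

# Constructed users-file samples; "alice" and her password are placeholders.
DEFAULT_BLOCK = '''DEFAULT Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP
'''
USER_BLOCK = 'alice Cleartext-Password := "example-pass"\n'
DEFAULT_FIRST = DEFAULT_BLOCK + '\n' + USER_BLOCK
USER_FIRST = USER_BLOCK + '\n' + DEFAULT_BLOCK

ITEM = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)')

def parse_users(text):
    """Return entries in file order as (name, checks, control, reply)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        items = [(a, op, v.strip('"')) for a, op, v in ITEM.findall(line)]
        if line[0].isspace():   # indented continuation: reply items
            entries[-1][3].update({a: v for a, _, v in items})
        else:                   # first line: name, then check/control items
            checks = {a: v for a, op, v in items if op == '=='}
            control = {a: v for a, op, v in items if op != '=='}
            entries.append((line.split()[0], checks, control, {}))
    return entries

def authorize(entries, request):
    """Simplified model: walk entries top to bottom and stop at the first
    match unless that entry's reply sets Fall-Through."""
    control, reply = {}, {}
    for name, checks, ctl, rep in entries:
        if name not in ('DEFAULT', request['User-Name']):
            continue
        if any(request.get(a) != v for a, v in checks.items()):
            continue
        control.update(ctl)
        reply.update(rep)
        if rep.get('Fall-Through', 'No').lower() not in ('yes', '1'):
            break
    return control, reply

def has_password(users_text, request):
    """True if the walk leaves a Cleartext-Password for mschap to use."""
    control, _ = authorize(parse_users(users_text), request)
    return 'Cleartext-Password' in control

AP_REQUEST = {'User-Name': 'alice', 'Framed-Protocol': 'PPP'}  # PPP as sent by the AP
PLAIN_REQUEST = {'User-Name': 'alice'}                         # constructed: no Framed-Protocol
```

With the DEFAULT entry first, only the request carrying Framed-Protocol = PPP loses its Cleartext-Password; with the user entry first, both requests keep it.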
