Radius 3 EAP (PEAP) mschapv2 connection problem
aland at deployingradius.com
Thu Jun 4 14:49:01 CEST 2020
On Jun 4, 2020, at 3:47 AM, Anatoly Oreshkin <anatoly.oreshkin at gmail.com> wrote:
> I provide debug log for session 72, please see below.
> I've found the reason of failed authentication when connecting through AP
> Compare request format from AP 192.168.14.241 with one from AP
That's good. That's why we have debug output. It can be huge and complex, but it usually gives the answers you need.
> The request format from AP 192.168.14.247 contains the line
> (72) Framed-Protocol = PPP
> Users login and password are kept in the file /etc/raddb/users
> Default user in /etc/raddb/users is specified as follows:
> DEFAULT Framed-Protocol == PPP
> Framed-Protocol = PPP,
> Framed-Compression = Van-Jacobson-TCP-IP
> So radius selects DEFAULT user instead of my user name and hence
> (72) mschap: WARNING: No Cleartext-Password configured. Cannot create
Likely because you added the user at the *end* of the users file. That's why the documentation says to add it at the beginning.
> In Radius 2 as DEFAULT user it was specified
> DEFAULT Auth-Type = System
> Fall-Through = 1
> so authentication worked.
"Auth-type System" is "authenticate users from /etc/passwd", which is NOT compatible with MS-CHAP.
v2 worked because the "users" file entry for that user was in a different place, and it didn't match the DEFAULT entry.
> In Radius 3 there is no "Auth-Type = System" so I've left the DEFAULT which
> was in /etc/raddb/users
> At least I didn't find a suitable DEFAULT in the list in /etc/raddb/users
> Maybe you can suggest a DEFAULT user?
I have no idea what that means.
The DEFAULTs are there to handle some common cases. If you don't need those DEFAULTs, delete them.
> Now I've commented out DEFAULT in /etc/raddb/users and authentication
> through AP 192.168.14.297 succeeded.
Good to hear.
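An added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of how the "users" file is walked in file order, showing why a DEFAULT entry matching Framed-Protocol == PPP ahead of the user's own entry leaves mschap with no Cleartext-Password. The user name "testuser" and its password are constructed, and the model covers only name matching, "==" check items, ":=" check items and Fall-Through.

```python
# Simplified model of first-match processing of /etc/raddb/users.
# Assumption: this is an illustration, not the rlm_files implementation.

def process(entries, request):
    """Walk entries in file order and return the control attributes set."""
    control = {}
    for entry in entries:
        # An entry applies to the named user or to everyone (DEFAULT).
        if entry["name"] not in ("DEFAULT", request["User-Name"]):
            continue
        # '==' check items must equal the attribute in the request.
        if any(request.get(k) != v for k, v in entry.get("match", {}).items()):
            continue
        # ':=' check items (e.g. Cleartext-Password) land in the control list.
        control.update(entry.get("set", {}))
        # Without Fall-Through = Yes in the reply items, processing stops here.
        if entry.get("reply", {}).get("Fall-Through") != "Yes":
            break
    return control

def can_mschap(entries, request):
    """mschap needs a known password for the user in the control list."""
    return "Cleartext-Password" in process(entries, request)

# The DEFAULT entry quoted in the thread.
DEFAULT_PPP = {
    "name": "DEFAULT",
    "match": {"Framed-Protocol": "PPP"},
    "reply": {"Framed-Protocol": "PPP",
              "Framed-Compression": "Van-Jacobson-TCP-IP"},
}
# Constructed user entry (hypothetical name and password).
USER = {"name": "testuser", "set": {"Cleartext-Password": "constructed-secret"}}

# Constructed requests: one AP sends Framed-Protocol = PPP, the other does not.
REQ_WITH_PPP = {"User-Name": "testuser", "Framed-Protocol": "PPP"}
REQ_WITHOUT_PPP = {"User-Name": "testuser"}

if __name__ == "__main__":
    layouts = {"DEFAULT first": [DEFAULT_PPP, USER],
               "user first": [USER, DEFAULT_PPP],
               "DEFAULT removed": [USER]}
    for label, entries in layouts.items():
        for req_name, req in (("with PPP", REQ_WITH_PPP),
                              ("without PPP", REQ_WITHOUT_PPP)):
            print(f"{label:16} {req_name:12} "
                  f"password available: {can_mschap(entries, req)}")
```

Only the "DEFAULT first" layout combined with a request that carries Framed-Protocol = PPP ends without a password, which is the session 72 failure; moving the user entry to the top or deleting the DEFAULT both restore it.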