So now i changed the configuration to default, installed samba, added the system in the AD and tried the following: Over Access Point with PEAP/MSCHAPv2 (0) Received Access-Request Id 151 from 192.168.2.250:3072 to 192.168.8.27:1812 length 178 (0) User-Name = "test" (0) Service-Type = Framed-User (0) NAS-IP-Address = 192.168.2.250 (0) NAS-Port = 12 (0) NAS-Port-Id = "12" (0) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X" (0) Calling-Station-Id = "B8-E8-56-41-2C-2A" (0) Connect-Info = "CONNECT 54 Mbps 802.11g" (0) NAS-Identifier = "AP-domain01" (0) NAS-Port-Type = Wireless-802.11 (0) Framed-MTU = 1500 (0) EAP-Message = 0x020100090174657374 (0) Message-Authenticator = 0x53256bbc98c1251ad9f75dcd28ae8da7 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (!&User-Name) { (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) { (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "test", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}: (0) ntlm_auth: EXPAND --username=%{mschap:User-Name} (0) ntlm_auth: --> --username=test (0) ntlm_auth: EXPAND --password=%{User-Password} (0) ntlm_auth: --> --password= (0) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)' (0) [ntlm_auth] = reject (0) } # authorize = reject (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> test (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap: Request was previously rejected, inserting EAP-Failure (0) eap: Sending EAP Failure (code 4) ID 1 length 4 (0) [eap] = updated (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 151 from 192.168.8.27:1812 to 192.168.2.250:3072 length 44 (0) EAP-Message = 0x04010004 (0) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 151 with timestamp +20 Ready to process requests ^C ------------------------------------------------------------ Via console: /usr/local/etc/raddb # /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=test --password=password root@aaa NT_STATUS_OK: Success (0x0) Radtest test password localhost 0 testing123 (0) Received Access-Request Id 119 from 127.0.0.1:44440 to 127.0.0.1:1812 length 74 (0) User-Name = "test" (0) User-Password = "password" (0) NAS-IP-Address = 192.168.8.27 (0) NAS-Port = 0 (0) Message-Authenticator = 0xbe31e04dd320dc31298bfe9e5e56b2b2 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (!&User-Name) { (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) { (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "test", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}: (0) ntlm_auth: EXPAND --username=%{mschap:User-Name} (0) ntlm_auth: --> --username=test (0) ntlm_auth: EXPAND --password=%{User-Password} (0) ntlm_auth: --> --password=password (0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)' (0) ntlm_auth: Program executed successfully (0) [ntlm_auth] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> test (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 119 from 127.0.0.1:1812 to 127.0.0.1:44440 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 119 with timestamp +2 Ready to process requests Why we have user password emty if we use mschap??? ~ # radtest -t mschap test password localhost 0 testing123 root@aaa Sent Access-Request Id 61 from 0.0.0.0:55547 to 127.0.0.1:1812 length 130 User-Name = "test" MS-CHAP-Password = "password" NAS-IP-Address = 192.168.8.27 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "password" MS-CHAP-Challenge = 0xe4b7ba0150bb1065 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000c37040e23af21cc7ef5a554e168244fdbe651a1e5e530cac Received Access-Reject Id 61 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject (1) Received Access-Request Id 61 from 127.0.0.1:55547 to 127.0.0.1:1812 length 130 (1) User-Name = "test" (1) NAS-IP-Address = 192.168.8.27 (1) NAS-Port = 0 (1) Message-Authenticator = 0xdc18afd2c2c531685bbc96701e690b22 (1) MS-CHAP-Challenge = 0xe4b7ba0150bb1065 (1) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000c37040e23af21cc7ef5a554e168244fdbe651a1e5e530cac (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (!&User-Name) { (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) { (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (1) [mschap] = ok (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "test", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}: (1) ntlm_auth: EXPAND --username=%{mschap:User-Name} (1) ntlm_auth: --> --username=test (1) ntlm_auth: EXPAND --password=%{User-Password} (1) ntlm_auth: --> --password= (1) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)' (1) [ntlm_auth] = reject (1) } # authorize = reject (1) Using Post-Auth-Type Reject (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> test (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 61 from 127.0.0.1:1812 to 127.0.0.1:55547 length 20 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 61 with timestamp +10 Ready to process requests -----Ursprüngliche Nachricht----- Von: Freeradius-Users [mailto:freeradius-users-bounces+torsten=wilms-ac.de@lists.freeradius.org] Im Auftrag von Matthew Newton Gesendet: Donnerstag, 8. Oktober 2015 17:15 An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication On Thu, Oct 08, 2015 at 04:55:35PM +0200, Torsten Wilms wrote:
If i try to login via "radtest -x test testpwd 127.0.0.1:18120 0 testing123" on the linux console, everything is working via ldap. If i try this over the 802.1X AccessPoint, it doesn't work.
This is impossible with PEAP/EAP-MSCHAPv2. AD won't give you either the Cleartext-Password or the NT hash. http://deployingradius.com/documents/protocols/compatibility.html
I think that everything goes wrong with encrypt/decrypt the Domain User password or no User-Password is given after eap or something else. I tried a lot of stuff, but nothing works.
Forget trying to do LDAP to AD for auth and install Samba. http://deployingradius.com/documents/configuration/active_directory.html Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html