On Mar 28, 2018, at 9:07 AM, Robert Plestenjak <robert.plestenjak@xlab.si> wrote:
I'm trying to set up authentication over PEAP-MSCHAPv2. In LDAP I have NTLM-hashed passwords Version is 3.0.13 from CentOS 7 repository.
Testing with radtest is successful:
We don't need to see the output of radtest. See http://wiki.freeradius.org/list-help
When I test with Wifi (Cisco Meraki), it fails:
Reading the debug output helps. As the Wiki page shows, look for ERROR or WARNING. It's that simple.
... (18) ldap: Performing search in "dc=xlab,dc=si" with filter "(uid=robert_plestenjak)", scope "sub" (18) ldap: Waiting for search result... (18) ldap: User object found at DN "cn=Robert Plestenjak,ou=people,ou=xlab-research,dc=xlab,dc=si" (18) ldap: Processing user attributes (18) ldap: control:Password-With-Header += 'XXX'
Which should be your "known good" password. I presume you've read the debug output enough to see the password and edit it. Why not keep reading it?
... (18) mschap: Found Cleartext-Password, hashing to create NT-Password (18) mschap: Found Cleartext-Password, hashing to create LM-Password (18) mschap: Creating challenge hash with username: robert_plestenjak (18) mschap: Client is using MS-CHAPv2 (18) mschap: ERROR: MS-CHAP2-Response is incorrect
That's pretty clear. You entered the wrong password on the client. Alan DeKok.