Hello
I have a working installation of freeradius2, providing AAA on my wlan by using ldap stored users.
I am trying to upgrade to freeradius3, but I met a problem.
As far as I understood, the ldap attribute previusly mapped through the ldap.attrmap file now must be mapped by an update statement, so in the ldap module configuration I configured:
update {
control:Password-With-Header += 'userPassword'
control:NT-Password := 'sambaNTPassword'
}
I know that this is working because in the debug I see:
..
(12) 8021x1 : User object found at DN "uid=XXXXXXX
(12) 8021x1 : Processing user attributes
(12) 8021x1 : control:Password-With-Header += '{SHA}XXXXXXXXXXXXXXXXXXXX'
(12) 8021x1 : control:NT-Password := 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
rlm_ldap (8021x1): Released connection (4)
But when I try to authenticate I have this error:
(12) Found Auth-Type = EAP
(12) # Executing group from file /ofb/freeradius/etc/raddb/sites-enabled/default
(12) authenticate {
(12) eap : Expiring EAP session with state 0x08682d8c08653729
(12) eap : Finished EAP session with state 0x08682d8c08653729
(12) eap : Previous EAP request found for state 0x08682d8c08653729, released from the list
(12) eap : Peer sent MSCHAPv2 (26)
(12) eap : EAP MSCHAPv2 (26)
(12) eap : Calling eap_mschapv2 to process EAP data
(12) eap_mschapv2 : # Executing group from file /ofb/freeradius/etc/raddb/sites-enabled/default
(12) eap_mschapv2 : Auth-Type MS-CHAP {
(12) mschap : No Cleartext-Password configured. Cannot create LM-Password
(12) ERROR: mschap : NT-Password has not been normalized by the "pap" module. Authentication will fail.
(12) mschap : Creating challenge hash with username: XXX
(12) mschap : Client is using MS-CHAPv2 for XXX, we need NT-Password
(12) mschap : FAILED: No NT/LM-Password. Cannot perform authentication.
(12) mschap : FAILED: MS-CHAP2-Response is incorrect
(12) [mschap] = reject
(12) } # Auth-Type MS-CHAP = reject
(12) eap : Freeing handler
(12) [eap] = reject
(12) } # authenticate = reject
(12) Failed to authenticate the user.
(12) Using Post-Auth-Type Reject
(12) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
} # server default
(12) eap_peap : Got tunneled reply code 3
MS-CHAP-Error = '\rE=691 R=1'
EAP-Message = 0x040d0004
Message-Authenticator = 0x00000000000000000000000000000000
(12) eap_peap : Got tunneled reply RADIUS code 3
MS-CHAP-Error = '\rE=691 R=1'
EAP-Message = 0x040d0004
Message-Authenticator = 0x00000000000000000000000000000000
(12) eap_peap : Tunneled authentication was rejected.
(12) eap_peap : FAILURE
I took a peek at the rlm_mschap.c code and I saw that the part "validating" the NT-Password is oddly different from version 2 to version 3, as v2 was: