On Jul 9, 2018, at 9:43 AM, Benjamin DUPALUT <benjamin.dupalut@esiee.fr> wrote:
Im' now trying to set up 802.1x Wi-Fi authentication on Cisco Wi-Fi access point trough Cisco Wireless Controller.
While local radtest works fine, when trying to authenticate via the Wi-Fi access point i get these errors : ... mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes }
Which isn't configured to use ntlm_auth.
# Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=lan.esiee.fr --username=%{Stripped-User-Name} --password=%{User-Password}" shell_escape = yes }
That works, if you set "Auth-Type := ntlm", and then only for User-Password. i.e. not for MSCHAP, and not for PEAP.
*(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password(7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password(7) mschap: Creating challenge hash with username: dupalutb@esiee.fr <dupalutb@esiee.fr>(7) mschap: Client is using MS-CHAPv2(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication(7) mschap: ERROR: MS-CHAP2-Response is incorrect(7) [mschap] = reject(7) } # authenticate = reject(7) eap: Sending EAP Failure (code 4) ID 8 length 4*
Please don't edit the debug output. Your mailer is reformatting the debug output. That makes it harder to read. read: http://www.deployingradius.com/documents/configuration/active_directory.html See the section titled "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" Follow the instructions in the page, and it *will* work. If you only read half of the documentation, it will only work half-way.
but i don't understand why it doesn't accept the password provided by the Wireless controller.
Because you didn't completely follow the documentation. You only did part of it.
Futhermore, i don't understand neither this message that worries me :
*(7) WARNING: Outer and inner identities are the same. User privacy is compromised.* Can you please help me find the source of these problems ?
The outer user name is supposed to be either "anonymous", or "@domain", or "anonymous@domain". That ensures anyone who can see the RADIUS traffic can't tell which user is logging in. The real user name is inside of the TLS tunnel. Alan DeKok.