freeradius 1.1.4 + LDAP + PEAP/mschapv2
Hi all ! After installing Freeradius 1.1.4, I am trying to set it up to authenticate users with a LDAP database using PEAP + eap/mschapv2. Freeradius seems to work fine for most users, but for a few people I get this error in my log file : /Mon Feb 19 09:30:07 2007 : Info: rlm_eap_tls: Length Included Mon Feb 19 09:30:07 2007 : Error: TLS_accept:error in SSLv3 read client certificate A Mon Feb 19 09:30:07 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Mon Feb 19 09:30:07 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message Mon Feb 19 09:30:07 2007 : Info: rlm_eap_tls: Length Included Mon Feb 19 09:30:07 2007 : Info: (other): SSL negotiation finished successfully Mon Feb 19 09:30:07 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Mon Feb 19 09:30:07 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message Mon Feb 19 09:30:07 2007 : Info: rlm_eap_mschapv2: Issuing Challenge Mon Feb 19 09:30:08 2007 : Error: rlm_mschap: Invalid LM-Password Mon Feb 19 09:30:08 2007 : Error: rlm_mschap: Invalid NT-Password Mon Feb 19 09:30:08 2007 : Auth: Login incorrect: [********] /Authentication works perfectly with the same config files (eap.conf, radiusd.conf,users...) with an older version (1.0.1 and even 1.1.3) of freeradius on the same server. I've made tests with EAP-TTLS, and in that case authentication also works fine for everyone. In both cases, I get this line when I run freeradius in debug mode : /rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. /And I can't find if there's a link between that warning and the authentication failure for some of my users. Thanks for your help. -- Ce message a été vérifié par MailScanner pour des virus ou des polluriels et rien de suspect n'a été trouvé. MailScanner remercie transtec pour son soutien.
Baptiste Delporte wrote:
Mon Feb 19 09:30:08 2007 : Error: rlm_mschap: Invalid LM-Password Mon Feb 19 09:30:08 2007 : Error: rlm_mschap: Invalid NT-Password
That happens only when an LM-Password and NT-Password are added for the user, AND where they're not the right format.
/Authentication works perfectly with the same config files (eap.conf, radiusd.conf,users...) with an older version (1.0.1 and even 1.1.3) of freeradius on the same server.
Run the server in debugging mode in 1.1.3, and in 1.1.4. See what's different. The PAP module changed in 1.1.4, but I don't see why it would break MSCHAP.
In both cases, I get this line when I run freeradius in debug mode :
/rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
That happens if there's no way to authenticate the user. But it shouldn't result in the above messages from the mschap module.
/And I can't find if there's a link between that warning and the authentication failure for some of my users.
Perhaps you could try posting the whole debug output, rather than tiny pieces. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Baptiste Delporte