can't connect to network with md5-password on windows 10
why my computer can't connect to network with md5-password ? even though if i use cleartext-password it's can connected. but if i use smartphone or linux it's work. can you help me ? there is freeradius debug : # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "hamid", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 64 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> hamid [sql] sql_set_user escaped user --> 'hamid' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'hamid' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'hamid' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'hamid' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: hamid [mschap] Told to do MS-CHAPv2 for hamid with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 158 to ***.***.***.*** port 32772 EAP-Message = 0x010a002b190017030100200586e482dcc33b2c9280f10597c6fa8734e6afc7046f9a2e08f41cf18a749f4f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcc3ab30bcb30aa566d0010d0e8ca6221 Finished request 7. Going to the next request Waking up in 3.8 seconds. rad_recv: Access-Request packet from host ***.***.***.*** port 32772, id=159, length=331 User-Name = "hamid" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "94-0c-6d-e1-f1-b4" Called-Station-Id = "58-0a-20-7e-2c-00:annaba4" NAS-Port = 3 Cisco-AVPair = "audit-session-id=c0a81a19000071a65a6ae803" Acct-Session-Id = "5a6ae803/94:0c:6d:e1:f1:b4/34470" Cisco-AVPair = "mDNS=true" NAS-IP-Address = 192.168.35.254 NAS-Identifier = "WLC_2504" Airespace-Wlan-Id = 7 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "35" EAP-Message = 0x020a002b19001703010020b251340da3d5ad94add86f70d3e1b882d6770280ac5d5ab14aa4ab95ec8b91df State = 0xcc3ab30bcb30aa566d0010d0e8ca6221 Message-Authenticator = 0x323eda2ece20e5a64deebab3d52ddb4c # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "hamid", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> hamid attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 159 to 10.237.15.1 port 32772 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.8 seconds. Cleaning up request 0 ID 151 with timestamp +204 Cleaning up request 1 ID 152 with timestamp +204 Cleaning up request 2 ID 153 with timestamp +204 Cleaning up request 3 ID 154 with timestamp +204 Cleaning up request 4 ID 155 with timestamp +204 Waking up in 1.1 seconds. Cleaning up request 5 ID 156 with timestamp +205 Cleaning up request 6 ID 157 with timestamp +205 Cleaning up request 7 ID 158 with timestamp +205 Waking up in 1.0 seconds. Cleaning up request 8 ID 159 with timestamp +205 Ready to process requests. thanks
On 26 January 2018 08:28:21 GMT+00:00, Hamid Rahman <hamidrahman@live.com> wrote:
why my computer can't connect to network with md5-password ? even though if i use cleartext-password it's can connected. but if i use smartphone or linux it's work.
Windows is doing PEAP/MSCHAPv2. That's not compatible with MD5-Password. -- Matthew
so.. what can i doing for connecting md5-password on windows 10 ? or it can not be used ? thanks Get Outlook for Android<https://aka.ms/ghei36> ________________________________ From: Freeradius-Users <freeradius-users-bounces+hamidrahman=live.com@lists.freeradius.org> on behalf of Matthew Newton <matthew@newtoncomputing.co.uk> Sent: Friday, January 26, 2018 10:13:56 AM To: FreeRadius users mailing list Subject: Re: can't connect to network with md5-password on windows 10 On 26 January 2018 08:28:21 GMT+00:00, Hamid Rahman <hamidrahman@live.com> wrote:
why my computer can't connect to network with md5-password ? even though if i use cleartext-password it's can connected. but if i use smartphone or linux it's work.
Windows is doing PEAP/MSCHAPv2. That's not compatible with MD5-Password. -- Matthew - List info/subscribe/unsubscribe? See https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freerad...
thanks for your answer matthew ________________________________ From: Freeradius-Users <freeradius-users-bounces+hamidrahman=live.com@lists.freeradius.org> on behalf of Matthew Newton <matthew@newtoncomputing.co.uk> Sent: Saturday, January 27, 2018 8:35 AM To: freeradius-users@lists.freeradius.org Subject: Re: can't connect to network with md5-password on windows 10 On Sat, 2018-01-27 at 01:18 +0000, Hamid Rahman wrote:
so.. what can i doing for connecting md5-password on windows 10 ?
or it can not be used ?
For wireless? You can't. Not even sure it can be used for wired any more. It's not a sensible choice these days anyway. -- Matthew - List info/subscribe/unsubscribe? See https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freerad...
storing passwords in md5? probably EAP-TTLS/PAP method will get you a result as the password gets sent to the RADIUS server in clear within the TTLS tunnel alan
Windows 7, 8, and 10 cannot use MD5 authentication at all for any network connection (the option has been removed from the os on all network types), it is very insecure and is not suitable for any wireless connection. There are times where you must use MD5 though, it is still the only option for many embedded type of devices on a wired network (such as an ip phone or similar type of device). Usually in this case it is on a wired network and is not reasonably prone to snooping so serves as a suitable safeguard against the port becoming active on the switch. Jeremy -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+jmartin=emcc.edu@lists.freeradius.org] On Behalf Of Hamid Rahman Sent: Friday, January 26, 2018 9:55 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: can't connect to network with md5-password on windows 10 thanks for your answer matthew ________________________________ From: Freeradius-Users <freeradius-users-bounces+hamidrahman=live.com@lists.freeradius.org> on behalf of Matthew Newton <matthew@newtoncomputing.co.uk> Sent: Saturday, January 27, 2018 8:35 AM To: freeradius-users@lists.freeradius.org Subject: Re: can't connect to network with md5-password on windows 10 On Sat, 2018-01-27 at 01:18 +0000, Hamid Rahman wrote:
so.. what can i doing for connecting md5-password on windows 10 ?
or it can not be used ?
For wireless? You can't. Not even sure it can be used for wired any more. It's not a sensible choice these days anyway. -- Matthew - List info/subscribe/unsubscribe? See https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freerad... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
this is why I seeked clarification of question. I believe that his passwords are stored in MD5-password field - not that he wants to do EAP-MD5 (not possible on wireless anyway). alan On 27 January 2018 at 23:39, Martin, Jeremy <jmartin@emcc.edu> wrote:
Windows 7, 8, and 10 cannot use MD5 authentication at all for any network connection (the option has been removed from the os on all network types), it is very insecure and is not suitable for any wireless connection. There are times where you must use MD5 though, it is still the only option for many embedded type of devices on a wired network (such as an ip phone or similar type of device). Usually in this case it is on a wired network and is not reasonably prone to snooping so serves as a suitable safeguard against the port becoming active on the switch.
Jeremy
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+jmartin=emcc.edu@lists.freeradius.org] On Behalf Of Hamid Rahman Sent: Friday, January 26, 2018 9:55 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: can't connect to network with md5-password on windows 10
thanks for your answer matthew ________________________________ From: Freeradius-Users <freeradius-users-bounces+hamidrahman=live.com@lists.freeradius.org> on behalf of Matthew Newton <matthew@newtoncomputing.co.uk> Sent: Saturday, January 27, 2018 8:35 AM To: freeradius-users@lists.freeradius.org Subject: Re: can't connect to network with md5-password on windows 10
On Sat, 2018-01-27 at 01:18 +0000, Hamid Rahman wrote:
so.. what can i doing for connecting md5-password on windows 10 ?
or it can not be used ?
For wireless? You can't. Not even sure it can be used for wired any more.
It's not a sensible choice these days anyway.
-- Matthew
- List info/subscribe/unsubscribe? See https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freerad... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
storing passwords in md5? probably EAP-TTLS/PAP method will get you a result as the password gets sent to the RADIUS server in clear within the TTLS tunnel
Windows 7, 8, and 10 cannot use MD5 authentication at all for any network connection (the option >has been removed from the os on all network types), it is very insecure and is not suitable for any >wireless connection. There are times where you must use MD5 though, it is still the only option for >many embedded type of devices on a wired network (such as an ip phone or similar type of device). >Usually in this case it is on a wired network and is not reasonably prone to snooping so serves as a >suitable safeguard against the port becoming active on the switch.
i've tried used EAP-TTLS/PAP method from microsoft but it still can't work. but if i using application w2secure with EAP-TTLS/PAP method it's work. i don't know why. but the problem is if i using third-party application, it will be very inconvenient for client to install the application ________________________________ From: Freeradius-Users <freeradius-users-bounces+hamidrahman=live.com@lists.freeradius.org> on behalf of Alan Buxey <alan.buxey@gmail.com> Sent: Sunday, January 28, 2018 5:30 PM To: FreeRadius users mailing list Subject: Re: can't connect to network with md5-password on windows 10 this is why I seeked clarification of question. I believe that his passwords are stored in MD5-password field - not that he wants to do EAP-MD5 (not possible on wireless anyway). alan On 27 January 2018 at 23:39, Martin, Jeremy <jmartin@emcc.edu> wrote:
Windows 7, 8, and 10 cannot use MD5 authentication at all for any network connection (the option has been removed from the os on all network types), it is very insecure and is not suitable for any wireless connection. There are times where you must use MD5 though, it is still the only option for many embedded type of devices on a wired network (such as an ip phone or similar type of device). Usually in this case it is on a wired network and is not reasonably prone to snooping so serves as a suitable safeguard against the port becoming active on the switch.
Jeremy
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+jmartin=emcc.edu@lists.freeradius.org] On Behalf Of Hamid Rahman Sent: Friday, January 26, 2018 9:55 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: can't connect to network with md5-password on windows 10
thanks for your answer matthew ________________________________ From: Freeradius-Users <freeradius-users-bounces+hamidrahman=live.com@lists.freeradius.org> on behalf of Matthew Newton <matthew@newtoncomputing.co.uk> Sent: Saturday, January 27, 2018 8:35 AM To: freeradius-users@lists.freeradius.org Subject: Re: can't connect to network with md5-password on windows 10
On Sat, 2018-01-27 at 01:18 +0000, Hamid Rahman wrote:
so.. what can i doing for connecting md5-password on windows 10 ?
or it can not be used ?
For wireless? You can't. Not even sure it can be used for wired any more.
It's not a sensible choice these days anyway.
-- Matthew
- List info/subscribe/unsubscribe? See https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freerad... - List info/subscribe/unsubscribe? See https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freerad...
- List info/subscribe/unsubscribe? See https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freerad...
- List info/subscribe/unsubscribe? See https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freerad...
On Jan 28, 2018, at 8:35 PM, Hamid Rahman <hamidrahman@live.com> wrote:
i've tried used EAP-TTLS/PAP method from microsoft but it still can't work.
Why not run the server in debug mode, as suggested in the FAQ, "man" page, web pages, and daily on this list?
but if i using application w2secure with EAP-TTLS/PAP method it's work. i don't know why. but the problem is if i using third-party application, it will be very inconvenient for client to install the application
If you use the information available to you, you can solve the problem. If you ignore the information available to you, you won't solve the problem. Alan DeKok.
participants (5)
-
Alan Buxey -
Alan DeKok -
Hamid Rahman -
Martin, Jeremy -
Matthew Newton