Need some help pointing me in the right direction. I think I know what the problem is but I don't know where to look. I think the problem is my freeRadius server and openLDAP server are not talking perfectly. I am trying to do MS-chapv2 authentication so that windows machines can connect to out access point without having to install additional software. One of the glaring things that jumps out at me is that in the logs/debugging it says message-Authenticator = 0x000000... It looks like it is trying the correct authentication ... Told to do MS-CHAPv2 for test.user with NT-Password FAILED: No NT/LM-Password. Cannot perform authentication. FAILED: MS-CHAP2-Response is incorrect. ... and then error message peap got tunnel reply code3 MS-CHAP-Error = "\007E=691 R=1" Okay that message is pretty clear to me, but I do have an NT-Password in sambaNTPassword and is populate/stored in NT hash format and there is a maping in ldap.attrmap checkItem NT-Password sambaNtPassword I haven't done anything funky with the config files like setting Authe-Type = to anything I've read enough that it is a big no no. The only thing I've done is uncomment a few things so that it will use ldap. And everything works when I use radtest so I know my connection to my ldap server is okay but radtest is using a different protocol as I've been learning through this whole experience. If anyone can point me in the right direction I would greatly appreciate it. Thanks,
I forgot a couple of lines to the debugging I want to add. It almost seems like to me that Radius isn't getting the password from the client. ----- Original Message ----- From: "Eric Bourkland" <eric.bourkland@trustedconcepts.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Friday, August 14, 2009 9:40:08 AM GMT -05:00 US/Canada Eastern Subject: Authentication with mschap Need some help pointing me in the right direction. I think I know what the problem is but I don't know where to look. I think the problem is my freeRadius server and openLDAP server are not talking perfectly. I am trying to do MS-chapv2 authentication so that windows machines can connect to out access point without having to install additional software. One of the glaring things that jumps out at me is that in the logs/debugging it says message-Authenticator = 0x000000... It looks like it is trying the correct authentication ... No Cleartext-Password configured. Cannot create LM-Password No Cleartext-Password configured. Cannot create NT-Password Told to do MS-CHAPv2 for test.user with NT-Password FAILED: No NT/LM-Password. Cannot perform authentication. FAILED: MS-CHAP2-Response is incorrect. ... and then error message peap got tunnel reply code3 MS-CHAP-Error = "\007E=691 R=1" Okay that message is pretty clear to me, but I do have an NT-Password in sambaNTPassword and is populate/stored in NT hash format and there is a maping in ldap.attrmap checkItem NT-Password sambaNtPassword I haven't done anything funky with the config files like setting Authe-Type = to anything I've read enough that it is a big no no. The only thing I've done is uncomment a few things so that it will use ldap. And everything works when I use radtest so I know my connection to my ldap server is okay but radtest is using a different protocol as I've been learning through this whole experience. If anyone can point me in the right direction I would greatly appreciate it. Thanks, - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Eric Bourkland wrote:
It looks like it is trying the correct authentication
... Told to do MS-CHAPv2 for test.user with NT-Password FAILED: No NT/LM-Password. Cannot perform authentication. FAILED: MS-CHAP2-Response is incorrect.
So... what are the contents of the NT-Password attribute? Alan DeKok.
So... what are the contents of the NT-Password attribute?
In the LDAP data store? is it a hashed (MD4) format which should be able to be read doing MS-CHAP. I know, I know clear text, but with my current set up Zimbra with OpenLdap it does not let you do complete clear text. I integrated Samba attributes in so I can get the NT/LM passwords stored. I added a few more lines to the debugging from my first message I don't know if that message was seen. but... ... No Cleartext-Password configured. Cannot create LM-Password No Cleartext-Password configured. Cannot create NT-Password Told to do MS-CHAPv2 for test.user with NT-Password FAILED: No NT/LM-Password. Cannot perform authentication. FAILED: MS-CHAP2-Response is incorrect. what it looks like to me is that Radius isn't getting the Cleartext-Password from the laptop client, I don't know if this the case or not. the laptop client is Window's XP pro build and some Vista, and whatever else a guest may bring in. I assumed that it would pass the password in the Cleartext-Password attribute when using the MS-CHAPv2, I need to confrim this. I can get it to work if I install SecureW2 but I've been told that asking everyone to install it on the laptops isn't an option. This protocol is relatively new to me at least how all the various pieces of software handle it. I know I'm close I just need help being pointed in the right direction on where the disconnect is occuring. right now I am pretty certain it is not between Radius and my openLDAP. Thanks, ----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Sunday, August 16, 2009 4:11:47 AM GMT -05:00 US/Canada Eastern Subject: Re: Authentication with mschap Eric Bourkland wrote:
It looks like it is trying the correct authentication
... Told to do MS-CHAPv2 for test.user with NT-Password FAILED: No NT/LM-Password. Cannot perform authentication. FAILED: MS-CHAP2-Response is incorrect.
So... what are the contents of the NT-Password attribute? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Eric Bourkland wrote:
No Cleartext-Password configured. Cannot create LM-Password No Cleartext-Password configured. Cannot create NT-Password Told to do MS-CHAPv2 for test.user with NT-Password FAILED: No NT/LM-Password. Cannot perform authentication. FAILED: MS-CHAP2-Response is incorrect.
Which is what you posted before. This doesn't help.
what it looks like to me is that Radius isn't getting the Cleartext-Password from the laptop client, I don't know if this the case or not. the laptop client is Window's XP pro build and some Vista, and whatever else a guest may bring in. I assumed that it would pass the password in the Cleartext-Password attribute when using the MS-CHAPv2, I need to confrim this. I can get it to work if I install SecureW2 but I've been told that asking everyone to install it on the laptops isn't an option. This protocol is relatively new to me at least how all the various pieces of software handle it. I know I'm close I just need help being pointed in the right direction on where the disconnect is occuring. right now I am pretty certain it is not between Radius and my openLDAP.
The issue is that the NT password is NOT being read from LDAP, and is NOT being given to FreeRADIUS. Read the REST of the debug output to see why. Or failing that, post the debug output here, as suggested in the FAQ, README, INSTALL, "man" page, and nearly daily on this list. Posting the last 2-3 lines of "authentication failed" is nearly useless. Alan DeKok.
participants (2)
-
Alan DeKok -
Eric Bourkland