Problems with wifi authentication: [mschap] No Cleartext-Password configured...
Hi guys, I'm with problems on my first radius authentication server for wireless clients. I've made some progress, but now I'm with problems that I don't know how to solve. I want to use the NIS user database. Freeradius version: 2.1.1, compiled from source on mandriva 2008.1 (yes, i don't like mandriva, but i have to use it) With radtest, I already can authenticate with users located on /etc/raddb/users/ , /etc/passwd and NIS' users: Example: leonardolocal@lcc56:~$ radtest leonardo lalala 172.16.0.2 0 xpto Sending Access-Request of id 65 to 172.16.0.2 port 1812 User-Name = "leonardo" User-Password = "radius1234" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=65, length=20 leonardolocal@lcc56:~$ radtest usuario1 lalala 172.16.0.2 0 xpto Sending Access-Request of id 57 to 172.16.0.2 port 1812 User-Name = "usuario1" User-Password = "senha1" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=57, length=20 leonardolocal@lcc56:~$ radtest localradius lalala 172.16.0.2 0 xpto Sending Access-Request of id 135 to 172.16.0.2 port 1812 User-Name = "localradius" User-Password = "radius1234" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=212, length=20 Until here, everything was ok, the problems begins when I try authenticate through wireless access point: The PEAP doesn't work. And by TTLS/MSCHAPv2 works, but only for users located on the /etc/raddb/users file, and not for NIS' or passwd' users. Error that happens when a I try connect with TTLS/MSCHAPv2 and with user not listed on the /etc/raddb/users file: Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for leonardo with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. I've uploaded the /etc/raddb/radiusd.conf,/ etc/raddb/eap.conf, module /etc/raddb/modules/mschap and also a log from the radiusd -X with a login try which generates the above error and the radiusd startup on the server: http://ivete.fis.unb.br/fradius/ I've found on google a discussion, on this list (http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg48660.h...), which a guy had the same error than me, but he was using the ldap database as user's database. And I don't understood what procedures he used to solve his problems. Please, if somebody have some tip, tell me, I don't know what to do anymore :/ Sorry for the poor english. Thanks in advance, -- --------------------------- Leonardo Marques --------------------------- Blog: BeNerd.analyx.org Website: www.analyx.org
I'm with problems on my first radius authentication server for wireless clients. I've made some progress, but now I'm with problems that I don't know how to solve.
I want to use the NIS user database.
That's your problem right there.
Freeradius version: 2.1.1, compiled from source on mandriva 2008.1 (yes, i don't like mandriva, but i have to use it)
With radtest, I already can authenticate with users located on /etc/raddb/users/ , /etc/passwd and NIS' users:
Example: leonardolocal@lcc56:~$ radtest leonardo lalala 172.16.0.2 0 xpto Sending Access-Request of id 65 to 172.16.0.2 port 1812 User-Name = "leonardo" User-Password = "radius1234" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=65, length=20 leonardolocal@lcc56:~$ radtest usuario1 lalala 172.16.0.2 0 xpto Sending Access-Request of id 57 to 172.16.0.2 port 1812 User-Name = "usuario1" User-Password = "senha1" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=57, length=20 leonardolocal@lcc56:~$ radtest localradius lalala 172.16.0.2 0 xpto Sending Access-Request of id 135 to 172.16.0.2 port 1812 User-Name = "localradius" User-Password = "radius1234" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=212, length=20
Crypted passwords and pap work fine.
Until here, everything was ok, the problems begins when I try authenticate through wireless access point:
The PEAP doesn't work. And by TTLS/MSCHAPv2 works, but only for users located on the /etc/raddb/users file, and not for NIS' or passwd' users.
Error that happens when a I try connect with TTLS/MSCHAPv2 and with user not listed on the /etc/raddb/users file:
Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for leonardo with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user.
But not with mschap: http://deployingradius.com/documents/protocols/compatibility.html You can't use passwords from /etc/passwd for mschap. You will find it that thread that he had NT hashed passwords to use. Ivan Kalik Kalik Informatika ISP
Hi Ivan, First thank you for that link you've sent to me. An It worked fine with PAP ;) Thanks again, []s On Thu, Dec 4, 2008 at 4:58 PM, <tnt@kalik.net> wrote:
I'm with problems on my first radius authentication server for wireless clients. I've made some progress, but now I'm with problems that I don't know how to solve.
I want to use the NIS user database.
That's your problem right there.
Freeradius version: 2.1.1, compiled from source on mandriva 2008.1 (yes, i don't like mandriva, but i have to use it)
With radtest, I already can authenticate with users located on /etc/raddb/users/ , /etc/passwd and NIS' users:
Example: leonardolocal@lcc56:~$ radtest leonardo lalala 172.16.0.2 0 xpto Sending Access-Request of id 65 to 172.16.0.2 port 1812 User-Name = "leonardo" User-Password = "radius1234" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=65, length=20 leonardolocal@lcc56:~$ radtest usuario1 lalala 172.16.0.2 0 xpto Sending Access-Request of id 57 to 172.16.0.2 port 1812 User-Name = "usuario1" User-Password = "senha1" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=57, length=20 leonardolocal@lcc56:~$ radtest localradius lalala 172.16.0.2 0 xpto Sending Access-Request of id 135 to 172.16.0.2 port 1812 User-Name = "localradius" User-Password = "radius1234" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=212, length=20
Crypted passwords and pap work fine.
Until here, everything was ok, the problems begins when I try authenticate through wireless access point:
The PEAP doesn't work. And by TTLS/MSCHAPv2 works, but only for users located on the /etc/raddb/users file, and not for NIS' or passwd' users.
Error that happens when a I try connect with TTLS/MSCHAPv2 and with user not listed on the /etc/raddb/users file:
Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for leonardo with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user.
But not with mschap:
http://deployingradius.com/documents/protocols/compatibility.html
You can't use passwords from /etc/passwd for mschap. You will find it that thread that he had NT hashed passwords to use.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- --------------------------- Leonardo Marques --------------------------- Blog: BeNerd.analyx.org Website: www.analyx.org
participants (2)
-
Leonardo Marques -
tnt@kalik.net