Hi, I've been using Freeradius 1.1.3 with PEAP/MSCHAPv2 authentication with no problem. But now, I need to use it with LDAP too and it doesn't work at all. The client is windows xp without a domain. The LDAP is for the email directory. The user should type your user name (email) and password stored in LDAP. Probably, the error is in: Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for ducavalcanti with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: leaving group MS-CHAP (returns reject) for request 6 The full log is listed below Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded Pam pam: pam_auth = "radiusd" Module: Instantiated pam (pam) Module: Loaded System unix: cache = no unix: passwd = "/etc/passwd" unix: shadow = "/etc/shadow" unix: group = "/etc/group" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded LDAP ldap: server = "ldap.recife.pe.gov.br" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = yes ldap: tls_cacertfile = "/etc/raddb/certs/demoCA/cacert.pem" ldap: tls_cacertdir = "/etc/raddb/certs/demoCA" ldap: tls_certfile = "/etc/raddb/certs/cert-srv.pem" ldap: tls_keyfile = "/etc/raddb/certs/cert-srv.pem" ldap: tls_randfile = "/etc/raddb/certs/random" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "dc=recife" ldap: filter = "(uid=%u))" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "userPassword" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x85ac160 Module: Instantiated ldap (ldap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" [/etc/raddb/users]:10 WARNING! Check item "Simultaneous-Use" ?found in reply item list for user "cidadao". ?This attribute MUST go on the first line with the other check items [/etc/raddb/users]:21 WARNING! Check item "Simultaneous-Use" ?found in reply item list for user "ds". ?This attribute MUST go on the first line with the other check items [/etc/raddb/users]:32 WARNING! Check item "Simultaneous-Use" ?found in reply item list for user "onibus1". ?This attribute MUST go on the first line with the other check items [/etc/raddb/users]:41 WARNING! Check item "Simultaneous-Use" ?found in reply item list for user "onibus2". ?This attribute MUST go on the first line with the other check items [/etc/raddb/users]:50 WARNING! Check item "Simultaneous-Use" ?found in reply item list for user "onibus3". ?This attribute MUST go on the first line with the other check items [/etc/raddb/users]:74 WARNING! Check item "Simultaneous-Use" ?found in reply item list for user "DEFAULT". ?This attribute MUST go on the first line with the other check items Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/detail" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.45:1397, id=0, length=215 Message-Authenticator = 0x97a84f20d4434232cd49ca6d658945d3 Service-Type = Framed-User User-Name = "ducavalcanti" Framed-MTU = 1488 Called-Station-Id = "00-18-6E-8F-7F-C6:Teste_Radius" Calling-Station-Id = "00-16-CF-5D-AB-87" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000011016475636176616c63616e7469 NAS-IP-Address = 10.0.0.45 NAS-Port = 3 NAS-Port-Id = "STA port # 3" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "ducavalcanti", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 17 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 74 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 0 to 10.0.0.45 port 1397 Idle-Timeout = 1200 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Netmask = 255.255.255.255 Framed-Routing = None Framed-MTU = 1500 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6e92a11c2e2eb8b0f5a3ef121130cdbe Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.0.45:1397, id=1, length=296 Message-Authenticator = 0x6f9a9ac031506c58b6c6e44ca2406e45 Service-Type = Framed-User User-Name = "ducavalcanti" Framed-MTU = 1488 State = 0x6e92a11c2e2eb8b0f5a3ef121130cdbe Called-Station-Id = "00-18-6E-8F-7F-C6:Teste_Radius" Calling-Station-Id = "00-16-CF-5D-AB-87" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201005019800000004616030100410100003d03014739af68a8f0d6ff21bcf3d70631bff8fd284444e2b706a9bf448ec99da68d9000001600040005000a000900640062000300060013001200630100 NAS-IP-Address = 10.0.0.45 NAS-Port = 3 NAS-Port-Id = "STA port # 3" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "ducavalcanti", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 74 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0613], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 1 to 10.0.0.45 port 1397 Idle-Timeout = 1200 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Netmask = 255.255.255.255 Framed-Routing = None Framed-MTU = 1500 EAP-Message = 0x0102040a19c000000670160301004a0200004603014739b155fbba378d8caad6bf3cf2fcd445f60f72624d63cae1e97a280be0f1f620cfffe3e5b1d4493d5a781cdf4f43bed0de241d70bb915648fcd4285ef7b4f58400040016030106130b00060f00060c0002a6308202a23082020ba00302010202090091c3a0bfdd719e76300d06092a864886f70d0101050500307d310b3009060355040613024252311330110603550408130a5065726e616d6275636f310f300d060355040a1306454d5052454c310f300d060355040b1306454d5052454c3110300e060355040313077375706f7274653125302306092a864886f70d01090116167375706f72 EAP-Message = 0x746540617270736973742e636f6d2e6272301e170d3037313031383132313931315a170d3038313031373132313931315a30818f310b3009060355040613024252311330110603550408130a5065726e616d6275636f3110300e060355040714075c526563696665310f300d060355040a1306454d5052454c310f300d060355040b1306454d5052454c3110300e060355040313077375706f7274653125302306092a864886f70d01090116167375706f72746540617270736973742e636f6d2e627230819f300d06092a864886f70d010101050003818d0030818902818100c493f9d65023f11b86d83e3443a39aa9439dc496752284b2de7376bb59 EAP-Message = 0xf0dd3d3ceaad3870d7d393f619afc5a82e04bbe00131aa116737fd6e6fe0f591b95e83475cb5c5256978242191e5cdf41c66299a4aae6de5a2af98b01ed54257e35a4bb5d22e776f6e9228ca8f3e6657ce1126be95caa7e53724beae1be3ce6327527d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181007294fff28c80a0b0fc13279969ee9deff9027df4826d2303bda176920df162c6e163db22b5de11cce2f04aa83174d20bc611aabd9c6ff0c14d85a3b86a5f114760163ea6f34015825c49180850cfb7f5e94beb0c698ace6c6787f74f0bff5e73750177013be7da604a EAP-Message = 0xe7574dcd6964f26f37744d77b1709c6fb6c9cf25a07bee0003603082035c308202c5a00302010202090091c3a0bfdd719e74300d06092a864886f70d0101050500307d310b3009060355040613024252311330110603550408130a5065726e616d6275636f310f300d060355040a1306454d5052454c310f300d060355040b1306454d5052454c3110300e060355040313077375706f7274653125302306092a864886f70d01090116167375706f72746540617270736973742e636f6d2e6272301e170d3037313031383132303734355a170d3130313031373132303734355a307d310b3009060355040613024252311330110603550408130a506572 EAP-Message = 0x6e616d6275636f310f300d060355040a1306454d5052 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfd0beac7b89b40eefff915efd4d9d96a Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.0.45:1397, id=2, length=222 Message-Authenticator = 0x17dee25fd4e402e0bce5c2e7c4e06575 Service-Type = Framed-User User-Name = "ducavalcanti" Framed-MTU = 1488 State = 0xfd0beac7b89b40eefff915efd4d9d96a Called-Station-Id = "00-18-6E-8F-7F-C6:Teste_Radius" Calling-Station-Id = "00-16-CF-5D-AB-87" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200061900 NAS-IP-Address = 10.0.0.45 NAS-Port = 3 NAS-Port-Id = "STA port # 3" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "ducavalcanti", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 74 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 2 to 10.0.0.45 port 1397 Idle-Timeout = 1200 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Netmask = 255.255.255.255 Framed-Routing = None Framed-MTU = 1500 EAP-Message = 0x010302761900454c310f300d060355040b1306454d5052454c3110300e060355040313077375706f7274653125302306092a864886f70d01090116167375706f72746540617270736973742e636f6d2e627230819f300d06092a864886f70d010101050003818d0030818902818100a874f87336485c332625fec54ed9362480378288099013dca4f82709de7b981491150f4bd5b66b74ea7580e17c99eccf9eb2e0e2df128dcde28a8b6df8b1b29e7cea11325a07c1928e3a1e3f6a7e78c1625b3934ffb14dc88b7b2a5c4579d4fd4ff8d168f6738e1ad7da52ac7b43abebe498e40ee3090e4f8c78cbc068cd9d650203010001a381e33081e0301d06 EAP-Message = 0x03551d0e041604142b91d9d0c793e7444e1797f22bc1e570b72225343081b00603551d230481a83081a580142b91d9d0c793e7444e1797f22bc1e570b7222534a18181a47f307d310b3009060355040613024252311330110603550408130a5065726e616d6275636f310f300d060355040a1306454d5052454c310f300d060355040b1306454d5052454c3110300e060355040313077375706f7274653125302306092a864886f70d01090116167375706f72746540617270736973742e636f6d2e627282090091c3a0bfdd719e74300c0603551d13040530030101ff300d06092a864886f70d0101050500038181002ce9db31047ea23cf5c461c252 EAP-Message = 0x017d696503c0542fc2e50360b955027d8cc61908d938a3f351302317774c9840d291fa3e3967b893bdd2c0952e93921be784f66795d6395abc58e10a921a138bc90b252b373ca7ca597bd4838d7f45e7741a5502d91c2ed79df141931fd6816c83978d2c09fca2eae6932ed4e538973e75127f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2d984a07595e9ac3aa78f16d85c558c6 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.0.45:1397, id=3, length=408 Message-Authenticator = 0xba582ade90838a38b10004924ed5e5e7 Service-Type = Framed-User User-Name = "ducavalcanti" Framed-MTU = 1488 State = 0x2d984a07595e9ac3aa78f16d85c558c6 Called-Station-Id = "00-18-6E-8F-7F-C6:Teste_Radius" Calling-Station-Id = "00-16-CF-5D-AB-87" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300c01980000000b616030100861000008200804d52a6ab167309225ce9a411b4eabf4aa96925f14b8da9bfbc6e89e5410bada5be32d4d918fd13a2c54f0d9bcf03c26280bc3225e5fe83cecec1d6994ba448b5ff1be3cc778d8173d0fb2b9619e586dd2d9603b0128470ad57e0d48ab9ebb91dfa87389335b6ffe3767046a3747f1f53f5bfcc8dc29bbb76679c83c81f46df8914030100010116030100205829fbdf78858311c77221d58efa0a2714ea74c5eb841a7848dbb4256cc344a8 NAS-IP-Address = 10.0.0.45 NAS-Port = 3 NAS-Port-Id = "STA port # 3" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "ducavalcanti", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 74 modcall[authorize]: module "files" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 3 to 10.0.0.45 port 1397 Idle-Timeout = 1200 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Netmask = 255.255.255.255 Framed-Routing = None Framed-MTU = 1500 EAP-Message = 0x010400311900140301000101160301002044268c376c10a7426ec28ac1f70560496dd01442fc1871d4309a231de0cf2fd2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeb89542136d6968cc340734f68c628c6 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.0.45:1397, id=4, length=222 Message-Authenticator = 0xbe9ec00cfe2576161f6376e77baa9bde Service-Type = Framed-User User-Name = "ducavalcanti" Framed-MTU = 1488 State = 0xeb89542136d6968cc340734f68c628c6 Called-Station-Id = "00-18-6E-8F-7F-C6:Teste_Radius" Calling-Station-Id = "00-16-CF-5D-AB-87" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020400061900 NAS-IP-Address = 10.0.0.45 NAS-Port = 3 NAS-Port-Id = "STA port # 3" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "ducavalcanti", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 74 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 4 to 10.0.0.45 port 1397 Idle-Timeout = 1200 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Netmask = 255.255.255.255 Framed-Routing = None Framed-MTU = 1500 EAP-Message = 0x010500201900170301001500822197cc3a4d4115a1707866e50911ccd5fd7153 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe3eb2c3e8d1e2d49910601e06aad46db Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.0.45:1397, id=5, length=256 Message-Authenticator = 0xd469b7f0dc9bceb846ac92b41967a0bd Service-Type = Framed-User User-Name = "ducavalcanti" Framed-MTU = 1488 State = 0xe3eb2c3e8d1e2d49910601e06aad46db Called-Station-Id = "00-18-6E-8F-7F-C6:Teste_Radius" Calling-Station-Id = "00-16-CF-5D-AB-87" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020500281900170301001d10537c5025635ceb31f1789dd73ace4a29aca849cc784caf663ca8bad7 NAS-IP-Address = 10.0.0.45 NAS-Port = 3 NAS-Port-Id = "STA port # 3" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "ducavalcanti", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 40 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 74 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - ducavalcanti rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x02050011016475636176616c63616e7469 PEAP: Got tunneled identity of ducavalcanti PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to ducavalcanti PEAP: Sending tunneled request EAP-Message = 0x02050011016475636176616c63616e7469 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ducavalcanti" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "ducavalcanti", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 5 length 17 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 74 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 PEAP: Got tunneled reply RADIUS code 11 Simultaneous-Use = 1 Idle-Timeout = 1200 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Netmask = 255.255.255.255 Framed-Routing = None Framed-MTU = 1500 EAP-Message = 0x010600261a010600211081f8c12bb5d6b67acd534094d559a0c16475636176616c63616e7469 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf3e601b3722625ab79f99c119a369261 PEAP: Processing from tunneled session code 0x85c4500 11 Simultaneous-Use = 1 Idle-Timeout = 1200 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Netmask = 255.255.255.255 Framed-Routing = None Framed-MTU = 1500 EAP-Message = 0x010600261a010600211081f8c12bb5d6b67acd534094d559a0c16475636176616c63616e7469 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf3e601b3722625ab79f99c119a369261 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 5 to 10.0.0.45 port 1397 Idle-Timeout = 1200 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Netmask = 255.255.255.255 Framed-Routing = None Framed-MTU = 1500 EAP-Message = 0x0106003d190017030100324053f25612454fd272b962c7131679228164337ddc83ca7f617c0ffb77ec9f6a01b77e338e1878a50ed7740fd57eeec946c7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc72085ef2bc63e62f47a3fe126211ebe Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.0.45:1397, id=6, length=310 Message-Authenticator = 0x29eaa29601a8e416c9d18bac862e94c0 Service-Type = Framed-User User-Name = "ducavalcanti" Framed-MTU = 1488 State = 0xc72085ef2bc63e62f47a3fe126211ebe Called-Station-Id = "00-18-6E-8F-7F-C6:Teste_Radius" Calling-Station-Id = "00-16-CF-5D-AB-87" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206005e1900170301005368c49f7d568b3493615bb4786eb9cbe9add92efec32e3690cbb373dc7230e7cc3b95945d2e9a8305a3197dc9485223992b1e2c7574ebe1a06d7349e036cc82f50c0cb78613bf938941fc7c79df7ef5ad703b4e NAS-IP-Address = 10.0.0.45 NAS-Port = 3 NAS-Port-Id = "STA port # 3" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "ducavalcanti", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 94 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 74 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020600471a0206004231c09d2e726a412f912f80c6c2c24a01cf0000000000000000f03d9d7d5bd85c82c5f72d39aa28929b49b63bf52ecff5cb006475636176616c63616e7469 PEAP: Setting User-Name to ducavalcanti PEAP: Adding old state with f3 e6 PEAP: Sending tunneled request EAP-Message = 0x020600471a0206004231c09d2e726a412f912f80c6c2c24a01cf0000000000000000f03d9d7d5bd85c82c5f72d39aa28929b49b63bf52ecff5cb006475636176616c63616e7469 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ducavalcanti" State = 0xf3e601b3722625ab79f99c119a369261 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "ducavalcanti", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 6 length 71 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 74 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for ducavalcanti with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: leaving group MS-CHAP (returns reject) for request 6 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: leaving group authenticate (returns reject) for request 6 auth: Failed to validate the user. PEAP: Got tunneled reply RADIUS code 3 Simultaneous-Use = 1 Idle-Timeout = 1200 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Netmask = 255.255.255.255 Framed-Routing = None Framed-MTU = 1500 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x85e80e8 3 Simultaneous-Use = 1 Idle-Timeout = 1200 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Netmask = 255.255.255.255 Framed-Routing = None Framed-MTU = 1500 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 6 to 10.0.0.45 port 1397 Idle-Timeout = 1200 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Netmask = 255.255.255.255 Framed-Routing = None Framed-MTU = 1500 EAP-Message = 0x010700261900170301001b4a225c725a01e1ae8ee997fa96c6065c6c2688941f65cb21b089bd Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb91f907fbd983f95c34961b9e8b8c182 Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.0.45:1397, id=7, length=254 Message-Authenticator = 0xf4a4b6cf3eda5ad189a531100a4ab76a Service-Type = Framed-User User-Name = "ducavalcanti" Framed-MTU = 1488 State = 0xb91f907fbd983f95c34961b9e8b8c182 Called-Station-Id = "00-18-6E-8F-7F-C6:Teste_Radius" Calling-Station-Id = "00-16-CF-5D-AB-87" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020700261900170301001beb99d02b18f142827e3a1a0590988723cff7c84b868b96f2c5d2b3 NAS-IP-Address = 10.0.0.45 NAS-Port = 3 NAS-Port-Id = "STA port # 3" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "ducavalcanti", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 7 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 74 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. Delaying request 7 for 1 seconds Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.0.45:1397, id=7, length=254 Sending Access-Reject of id 7 to 10.0.0.45 port 1397 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 0 with timestamp 4739b155 Cleaning up request 1 ID 1 with timestamp 4739b155 Cleaning up request 2 ID 2 with timestamp 4739b155 Cleaning up request 3 ID 3 with timestamp 4739b155 Cleaning up request 4 ID 4 with timestamp 4739b155 Cleaning up request 5 ID 5 with timestamp 4739b155 Cleaning up request 6 ID 6 with timestamp 4739b155 Cleaning up request 7 ID 7 with timestamp 4739b155 Nothing to do. Sleeping until we see a request. PLEASE HELP!! --------------------------------- Abra sua conta no Yahoo! Mail, o único sem limite de espaço para armazenamento!
Eduardo Lima wrote:
Hi, I've been using Freeradius 1.1.3
Please upgrade to 1.1.7...
with PEAP/MSCHAPv2 authentication with no problem. But now, I need to use it with LDAP too and it doesn't work at all.
The client is windows xp without a domain. The LDAP is for the email directory.
The user should type your user name (email) and password stored in LDAP.
Can you retrieve the password from LDAP? If so, it should be easy to make it work.
Probably, the error is in:
Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for ducavalcanti with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Yes. ...
[/etc/raddb/users]:10 WARNING! Check item "Simultaneous-Use" ?found in reply item list for user "cidadao". ?This attribute MUST go on the first line with the other check items
You also want to fix this. See "man users". ...
Processing the authorize section of radiusd.conf ... modcall: leaving group authorize (returns updated) for request 0
And there are NO references to the LDAP module. i.e. you have not configured the server to read "known good" passwords from LDAP. See radiusd.conf for how to do this. Alan DeKok.
Thanks Alan. I'll update to 1.1.7 but I don't think it will solve the problem. Ldap authentication work with radping (wired connection) but on the wireless, it keeps failing. I don't understand this: " Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for ducavalcanti with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect " MS-CHAPv2 doesn't work with openLDAP??? Please help. Alan DeKok <aland@deployingradius.com> escreveu: Eduardo Lima wrote:
Hi, I've been using Freeradius 1.1.3
Please upgrade to 1.1.7...
with PEAP/MSCHAPv2 authentication with no problem. But now, I need to use it with LDAP too and it doesn't work at all.
The client is windows xp without a domain. The LDAP is for the email directory.
The user should type your user name (email) and password stored in LDAP.
Can you retrieve the password from LDAP? If so, it should be easy to make it work.
Probably, the error is in:
Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for ducavalcanti with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Yes. ...
[/etc/raddb/users]:10 WARNING! Check item "Simultaneous-Use" ?found in reply item list for user "cidadao". ?This attribute MUST go on the first line with the other check items
You also want to fix this. See "man users". ...
Processing the authorize section of radiusd.conf ... modcall: leaving group authorize (returns updated) for request 0
And there are NO references to the LDAP module. i.e. you have not configured the server to read "known good" passwords from LDAP. See radiusd.conf for how to do this. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --------------------------------- Abra sua conta no Yahoo! Mail, o único sem limite de espaço para armazenamento!
Ldap authentication work with radping (wired connection) but on the wireless, it keeps failing.
I don't understand this:
" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for ducavalcanti with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect "
MS-CHAPv2 doesn't work with openLDAP???
It does. But it doesn't work with encrypted passwords. Ntradping sends a pap request and that protocol can use encrypted passwords. http://deployingradius.com/documents/protocols/compatibility.html Ivan Kalik Kalik Informatika ISP
So I'll have to unencrypt all the ldap passwords to use mschapv2??? What about the ldap database security?? tnt@kalik.co.yu escreveu: >
Ldap authentication work with radping (wired connection) but on the wireless, it keeps failing.
I don't understand this:
" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for ducavalcanti with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect "
MS-CHAPv2 doesn't work with openLDAP???
It does. But it doesn't work with encrypted passwords. Ntradping sends a pap request and that protocol can use encrypted passwords. http://deployingradius.com/documents/protocols/compatibility.html Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --------------------------------- Abra sua conta no Yahoo! Mail, o único sem limite de espaço para armazenamento!
Eduardo Lima wrote:
So I'll have to unencrypt all the ldap passwords to use mschapv2???
Yes. See the web page for your options.
What about the ldap database security??
The LDAP database has to be kept secure. Please go read the web page again. If you want to use MS-CHAP, your options are limited for how to store passwords. If you don't like those options, then don't use MS-CHAP. If you want to store passwords via a different method than is permitted in the table, AND you want to use MS-CHAP, then you need to change your requirements to match reality. Alan DeKok.
Alan, I didn't find any option for the mschapv2 problem in your web page. Unencrypt ldap passwords is not a smart solution. It seems that windos xp client only accept mschapv2 or TLS to authenticate, if a use TLS, I cannot use ldap because only the client certificate is used to authenticate. In my network, I need to authenticate with the mail passwords stored in ldap. Server: red hat with freeradius Client: windows xp sp2 Protocols: PEAP + MSCHAPv2 + LDAP I don't use TLS because it only uses certificates to authenticate. Do you have any suggestion??? Alan DeKok <aland@deployingradius.com> escreveu: Eduardo Lima wrote:
So I'll have to unencrypt all the ldap passwords to use mschapv2???
Yes. See the web page for your options.
What about the ldap database security??
The LDAP database has to be kept secure. Please go read the web page again. If you want to use MS-CHAP, your options are limited for how to store passwords. If you don't like those options, then don't use MS-CHAP. If you want to store passwords via a different method than is permitted in the table, AND you want to use MS-CHAP, then you need to change your requirements to match reality. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --------------------------------- Abra sua conta no Yahoo! Mail, o único sem limite de espaço para armazenamento!
Hi,
Alan, I didn't find any option for the mschapv2 problem in your web page.
Unencrypt ldap passwords is not a smart solution.
It seems that windos xp client only accept mschapv2 or TLS to authenticate, if a use TLS, I cannot use ldap because only the client certificate is used to authenticate.
In my network, I need to authenticate with the mail passwords stored in ldap.
Server: red hat with freeradius Client: windows xp sp2
Protocols: PEAP + MSCHAPv2 + LDAP
I don't use TLS because it only uses certificates to authenticate.
Do you have any suggestion???
store the NThash in the LDAP? i havent tried this but should work alan
Eduardo Lima wrote:
Alan, I didn't find any option for the mschapv2 problem in your web page.
I have no idea what you mean by that. The compatibility page you were pointed to is all that matters here: http://deployingradius.com/documents/protocols/compatibility.html
Unencrypt ldap passwords is not a smart solution.
You are being naive and unrealistic. Your choices for what is stored in LDAP are given in the table. Look up the authentication protocol you want to use, and find out which password storage methods are compatible. Pick one.
It seems that windos xp client only accept mschapv2 or TLS to authenticate, if a use TLS, I cannot use ldap because only the client certificate is used to authenticate.
Which is spelled out in the table on the web page... which I wrote. Which I'm very familiar with.
In my network, I need to authenticate with the mail passwords stored in ldap.
In .... what format?
Protocols: PEAP + MSCHAPv2 + LDAP
PEAP is an authentication protocol. LDAP is a database. Go read the web page. It appears you either haven't read it, or you haven't understood it.
I don't use TLS because it only uses certificates to authenticate.
Do you have any suggestion???
Choose one of the password storage methods given on the web page for PEAP. If you don't like those methods, then stop posting messages on this list. What you want is impossible, and you're unprepared to accept that it's impossible. It can't be done, and you're wasting your time trying to come up with a solution that doesn't exist. This is not something I control. This is the way things are. Deal with it. Alan DeKok.
How do I make passwords hashes in ldap?? Do I have to create all the passwords again??? Thanks in advance. Alan DeKok <aland@deployingradius.com> escreveu: Eduardo Lima wrote:
Alan, I didn't find any option for the mschapv2 problem in your web page.
I have no idea what you mean by that. The compatibility page you were pointed to is all that matters here: http://deployingradius.com/documents/protocols/compatibility.html
Unencrypt ldap passwords is not a smart solution.
You are being naive and unrealistic. Your choices for what is stored in LDAP are given in the table. Look up the authentication protocol you want to use, and find out which password storage methods are compatible. Pick one.
It seems that windos xp client only accept mschapv2 or TLS to authenticate, if a use TLS, I cannot use ldap because only the client certificate is used to authenticate.
Which is spelled out in the table on the web page... which I wrote. Which I'm very familiar with.
In my network, I need to authenticate with the mail passwords stored in ldap.
In .... what format?
Protocols: PEAP + MSCHAPv2 + LDAP
PEAP is an authentication protocol. LDAP is a database. Go read the web page. It appears you either haven't read it, or you haven't understood it.
I don't use TLS because it only uses certificates to authenticate.
Do you have any suggestion???
Choose one of the password storage methods given on the web page for PEAP. If you don't like those methods, then stop posting messages on this list. What you want is impossible, and you're unprepared to accept that it's impossible. It can't be done, and you're wasting your time trying to come up with a solution that doesn't exist. This is not something I control. This is the way things are. Deal with it. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --------------------------------- Abra sua conta no Yahoo! Mail, o único sem limite de espaço para armazenamento!
Eduardo Lima wrote:
How do I make passwords hashes in ldap??
What kind of hashes? If you want NT hashes, use the "smbencrypt" program that comes with the server.
Do I have to create all the passwords again???
Very likely, yes. The web page should make this clear. Alan DeKok.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Eduardo Lima -
tnt@kalik.co.yu