Cisco AP, mysql, either MSCHAP or Auth-Type problem i think

Mikael Syska mikael at syska.dk
Thu Mar 27 13:19:50 CET 2008


Hi,

Thanks, that seemed to get me a bit further to the end .... now I got this:
+----+----------+--------------------+----+-------+
| id | username | attribute          | op | value |
+----+----------+--------------------+----+-------+
|  2 | 44       | Cleartext-Password | := | 4444  |
+----+----------+--------------------+----+-------+

Here is where it's failing:
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm!
Cancelling invalid proxy request.
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for 44 with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
  rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [44/<via Auth-Type = EAP>] (from client ap30 port 0)
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
++[eap] returns handled
        EAP-Message =
0x010b002b190017030100206f04599b56f9940737b9c497b35f5f64e78bceb46ce824932fe2d58d5d3850de
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5856f36f505dea9c1496d5ca0872b221
Finished request 20.
Going to the next request
Waking up in 3.9 seconds.

So ... what do I need to set ... I'm not sure where I can read about
this, so this mailing list is my only hope ... :-) Maybe it's something
about what Alan wrote:

>hi,
>
>trying to authenticate Vista against a plain password?  PEAP doesn't
>work like this. you could put an NThash into the database instead..
>or try using SecureW2 or other a supplicant that does EAP-TTLS/PAP
>alan

But I'm not sure ... it's still all very new to me ...

If you need more information, just say so ... and I will get it.

best regards
Mikael Syska

On Thu, Mar 27, 2008 at 6:38 AM, Alan DeKok <aland at deployingradius.com> wrote:
> Mikael Syska wrote:
>  > I'm using default setup, only uncomment the sql in the default "sites-enabled"
>  >
>  > Running version: 2.0.3
>
>   I think you have to copy "sites-available/inner-tunnel" from the tar
>  file to /etc/raddb.  It isn't installed by default in 2.0.3, but it *is*
>  referenced.  Sorry...
>
>   This is fixed in CVS head.
>
>   Alan DeKok.
>