Authentication with mschap
Eric Bourkland
eric.bourkland at trustedconcepts.com
Fri Aug 14 17:25:21 CEST 2009
I forgot a couple of lines to the debugging I want to add.
It almost seems to me that RADIUS isn't getting the password from the client.
----- Original Message -----
From: "Eric Bourkland" <eric.bourkland at trustedconcepts.com>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Friday, August 14, 2009 9:40:08 AM GMT -05:00 US/Canada Eastern
Subject: Authentication with mschap
Need some help pointing me in the right direction. I think I know what the problem is but I don't know where to look. I think the problem is my FreeRADIUS server and OpenLDAP server are not talking perfectly.
I am trying to do MS-CHAPv2 authentication so that Windows machines can connect to our access point without having to install additional software.
One of the glaring things that jumps out at me is that in the logs/debugging it says message-Authenticator = 0x000000...
It looks like it is trying the correct authentication
...
No Cleartext-Password configured. Cannot create LM-Password
No Cleartext-Password configured. Cannot create NT-Password
Told to do MS-CHAPv2 for test.user with NT-Password
FAILED: No NT/LM-Password. Cannot perform authentication.
FAILED: MS-CHAP2-Response is incorrect.
...
and then error message
peap got tunnel reply code3
MS-CHAP-Error = "\007E=691 R=1"
Okay, that message is pretty clear to me, but I do have an NT-Password in sambaNTPassword and it is populated/stored in NT hash format
and there is a mapping in ldap.attrmap
checkItem NT-Password sambaNtPassword
I haven't done anything funky with the config files like setting Auth-Type to anything; I've read enough that it is a big no-no. The only thing I've done is uncomment a few things so that it will use LDAP. And everything works when I use radtest, so I know my connection to my LDAP server is okay, but radtest is using a different protocol, as I've been learning through this whole experience.
If anyone can point me in the right direction I would greatly appreciate it.
Thanks,
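The MS-CHAP-Error value in the debug output quoted above uses the failure-packet format of RFC 2759, which RADIUS carries with a leading Ident byte (RFC 2548). The following is an added example, not part of the original message and not FreeRADIUS code, that decodes such a value; the function names are hypothetical.

```python
import re

# Error codes defined for the E= field of the failure packet in RFC 2759.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

def unescape_octal(text):
    """Turn the debug output's \\NNN octal escapes back into raw characters."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)

def parse_mschap_error(debug_value):
    """Decode an MS-CHAP-Error value as printed in the server debug output."""
    raw = unescape_octal(debug_value.strip().strip('"'))
    if len(raw) < 2:
        raise ValueError("MS-CHAP-Error too short")
    # First octet is the Ident copied from the MS-CHAP response (RFC 2548).
    ident, body = ord(raw[0]), raw[1:]
    # M= is free text and runs to the end of the string, so split it off first.
    body, _, message = body.partition(" M=")
    fields = dict(re.findall(r"([ERCV])=(\S+)", body))
    if "E" not in fields or not fields["E"].isdigit():
        raise ValueError("missing or non-numeric E= field")
    code = int(fields["E"])
    return {
        "ident": ident,
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": fields.get("R") == "1",
        "challenge": fields.get("C"),
        "version": fields.get("V"),
        "message": message or None,
    }

if __name__ == "__main__":
    # Value copied from the debug output quoted in the message above.
    print(parse_mschap_error(r'"\007E=691 R=1"'))
```

For the value in the message, this reports Ident 7, error 691 (ERROR_AUTHENTICATION_FAILURE) and retry allowed.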