ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server

Clement Ogedengbe c.ogedengbe at worc.ac.uk
Fri Jul 3 13:24:45 CEST 2009


OK. I have done that, but it still returned the error below!

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE                            

Clement

-----Original Message-----
From: freeradius-users-bounces+c.ogedengbe=worc.ac.uk at lists.freeradius.org
[mailto:freeradius-users-bounces+c.ogedengbe=worc.ac.uk at lists.freeradius.org]
On Behalf Of Ivan Kalik
Sent: 03 July 2009 12:17
To: FreeRadius users mailing list
Subject: Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to
LDAP server

> The user/password information is held in the LDAP server.  I have been
> able to authenticate successfully with packets coming from non-EAP clients.
> But for EAP authentication clients, I have been receiving the following
> error lines.  (I am using ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00} to call the LDAP server.

ntlm_auth is for Active Directory. Comment out the ntlm_auth line in the
mschap module and it will work as long as you have a clear or NT-hashed
password stored in LDAP.

Ivan Kalik
Kalik Informatika ISP
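
Added example, not part of the original thread: a small Python triage of the debug output quoted above. It decodes the MS-CHAP-Error and EAP-Message attributes and separates "the server had no NT/LM hash to compare against" from a genuine response mismatch. The function names and the root_cause labels are assumptions made for this illustration; the error-code table is from RFC 2759.

```python
import re

# Constructed sample: lines taken from the debug output quoted in this message.
SAMPLE = r'''[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
'''

# Failure codes defined for MS-CHAPv2 in RFC 2759.
MSCHAP_ERRORS = {646: "restricted logon hours", 647: "account disabled",
                 648: "password expired", 649: "no dial-in permission",
                 691: "authentication failure", 709: "error changing password"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_mschap_error(line):
    """Return ident byte plus E=/R= fields, or None if the line is something else."""
    m = re.search(r'MS-CHAP-Error = "\\(\d{3})(.*)"', line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    code = int(fields.get("E", 0))
    return {"ident": int(m.group(1), 8),  # debug output prints the byte in octal
            "code": code, "meaning": MSCHAP_ERRORS.get(code, "unknown"),
            "retry": fields.get("R") == "1"}

def parse_eap_header(line):
    """Decode the 4-byte EAP header (code, identifier, length)."""
    m = re.search(r"EAP-Message = 0x([0-9a-fA-F]{8})", line)
    if not m:
        return None
    raw = bytes.fromhex(m.group(1))
    return {"code": EAP_CODES.get(raw[0], "unknown"), "id": raw[1],
            "length": int.from_bytes(raw[2:4], "big")}

def diagnose(log):
    """Separate 'server had no hash to compare against' from a real mismatch."""
    out = {"no_password_available": False, "mschap_error": None, "eap": None,
           "root_cause": "undetermined"}  # hypothetical labels for this example
    for line in log.splitlines():
        out["no_password_available"] |= "No NT/LM-Password" in line
        out["mschap_error"] = out["mschap_error"] or parse_mschap_error(line)
        out["eap"] = out["eap"] or parse_eap_header(line)
    err = out["mschap_error"]
    if out["no_password_available"]:
        out["root_cause"] = "missing_password_hash"
    elif err and err["code"] == 691:
        out["root_cause"] = "response_mismatch"
    return out
```

On the quoted log, E=691 alone would suggest a wrong password, but the earlier "No NT/LM-Password" line shows the server never had a hash to check the response against.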
