ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
Nicolas Goutte
nicolas.goutte at extragroup.de
Fri Jul 3 13:33:01 CEST 2009
Am 03.07.2009 um 13:24 schrieb Clement Ogedengbe:
> OK. I have done that, But still returned the error below!
>
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
You have either Cleartext-Password or NT-Password defined in your LDAP
database, haven't you?
If not, see:
http://deployingradius.com/documents/protocols/compatibility.html
Have a nice day!
> ++[mschap] returns reject
> [eap] Freeing handler
> ++[eap] returns reject
> Failed to authenticate the user.
> } # server inner-tunnel
> [peap] Got tunneled reply code 3
> MS-CHAP-Error = "\010E=691 R=1"
> EAP-Message = 0x04080004
> Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Got tunneled reply RADIUS code 3
> MS-CHAP-Error = "\010E=691 R=1"
> EAP-Message = 0x04080004
> Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
>
> Clement
>
> -----Original Message-----
> From: freeradius-users-bounces+c.ogedengbe=worc.ac.uk at lists.freeradius.org
> [mailto:freeradius-users-bounces+c.ogedengbe=worc.ac.uk at lists.freeradius.org
> ]
> On Behalf Of Ivan Kalik
> Sent: 03 July 2009 12:17
> To: FreeRadius users mailing list
> Subject: Re: ntlm_auth problem using EAP-TLS with MSCHAP
> authentication to
> LDAP server
>
>> The user/password information are held in the LDAP server. I have
>> been
>> able
>> to authenticate successfully with packets coming from non-EAP
>> clients.
>> But
>> for EAP authentication clients, I have been receiving the following
>> error
>> lines. (I am using ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>> --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --challenge=%{mschap:Challenge:-00} to call the LDAP server.
>
> ntlm_auth is for Active Directory. Comment out ntlm_auth line in
> maschap
> module and it will work as long as you have clear or nt hashed
> password
> stored in ldap.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registergericht: Amtsgericht Münster / HRB: 5624
Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
More information about the Freeradius-Users
mailing list