ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server

Clement Ogedengbe c.ogedengbe at worc.ac.uk
Fri Jul 3 13:52:30 CEST 2009


No... I don't have any such definition. However, I can see the
following when Radius started:

rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password         

Clement

-----Original Message-----
From: freeradius-users-bounces+c.ogedengbe=worc.ac.uk at lists.freeradius.org
[mailto:freeradius-users-bounces+c.ogedengbe=worc.ac.uk at lists.freeradius.org]
On Behalf Of Nicolas Goutte
Sent: 03 July 2009 12:33
To: FreeRadius users mailing list
Subject: Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server


On 03.07.2009 at 13:24, Clement Ogedengbe wrote:

> OK.   I have done that,  But still returned the error below!
>
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect

You have either Cleartext-Password or NT-Password defined in your LDAP  
database, haven't you?


If not, see:
http://deployingradius.com/documents/protocols/compatibility.html

Have a nice day!


> ++[mschap] returns reject
> [eap] Freeing handler
> ++[eap] returns reject
> Failed to authenticate the user.
> } # server inner-tunnel
> [peap] Got tunneled reply code 3
>        MS-CHAP-Error = "\010E=691 R=1"
>        EAP-Message = 0x04080004
>        Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Got tunneled reply RADIUS code 3
>        MS-CHAP-Error = "\010E=691 R=1"
>        EAP-Message = 0x04080004
>        Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
>
> Clement
>
> -----Original Message-----
> From: freeradius-users-bounces+c.ogedengbe=worc.ac.uk at lists.freeradius.org
> [mailto:freeradius-users-bounces+c.ogedengbe=worc.ac.uk at lists.freeradius.org]
> On Behalf Of Ivan Kalik
> Sent: 03 July 2009 12:17
> To: FreeRadius users mailing list
> Subject: Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
>
>> The user/password information are held in the LDAP server.  I have been able
>> to authenticate successfully with packets coming from non-EAP clients. But
>> for EAP authentication clients, I have been receiving the following error
>> lines.  (I am using ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>> --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --challenge=%{mschap:Challenge:-00} to call the LDAP server.
>
> ntlm_auth is for Active Directory. Comment out ntlm_auth line in mschap
> module and it will work as long as you have clear or nt hashed password
> stored in ldap.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing Directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax No.: 337/5903/0421 / VAT ID: DE 204607841
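
The check discussed in this thread, as an added example that is not part of the original messages or of FreeRADIUS: it parses the rlm_ldap startup lines quoted above and reports whether a given LDAP entry would supply the NT-Password (or Cleartext-Password) that the mschap module asked for in the debug output. The function names and the three sample entries are assumptions constructed for illustration.

```python
import re

# Startup lines copied from the rlm_ldap output quoted in this thread.
STARTUP_LOG = """\
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
"""
MAP_RE = re.compile(r"rlm_ldap: LDAP (\S+) mapped to RADIUS (\S+)")
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")  # an NT hash is 16 bytes, hex-encoded

# Constructed sample entries (attribute -> value), not taken from any real directory.
SSHA_ONLY = {"uid": "alice", "userPassword": "{SSHA}constructed-placeholder"}
SAMBA = {"uid": "bob", "sambaNTPassword": "0123456789ABCDEF0123456789ABCDEF"}
LM_ONLY = {"uid": "carol", "sambaLMPassword": "FEDCBA9876543210FEDCBA9876543210"}


def parse_mappings(log_text):
    """Return {lowercased LDAP attribute: RADIUS attribute} from startup output."""
    return {m.group(1).lower(): m.group(2) for m in MAP_RE.finditer(log_text)}


def radius_passwords(entry, mappings):
    """RADIUS password attributes an entry would supply under these mappings.
    LDAP attribute names are case-insensitive, so compare lowercased."""
    found = {}
    for name, value in entry.items():
        radius_attr = mappings.get(name.lower())
        if radius_attr and value:
            found[radius_attr] = value
    return found


def mschapv2_check(entry, mappings):
    """Return (ok, reason): does mschap have what MS-CHAPv2 needs?"""
    found = radius_passwords(entry, mappings)
    if "Cleartext-Password" in found:
        return True, "Cleartext-Password present; NT-Password can be derived"
    nt = found.get("NT-Password")
    if nt is None:
        # An LM hash alone does not help: MS-CHAPv2 is computed from the NT hash.
        return False, "no NT-Password or Cleartext-Password"
    if not HEX32.fullmatch(nt):
        return False, "NT-Password is not 32 hex characters"
    return True, "NT-Password present"
```

An entry that holds only a salted `userPassword` hash fails this check under the mappings shown, which matches the "No NT/LM-Password" rejection in the quoted debug output.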



