EAP-TTLS with mschapv2 inner authentication issue

Phil Mayers p.mayers at imperial.ac.uk
Tue Aug 31 11:51:11 CEST 2010


On 08/31/2010 10:23 AM, matteo at crs4.it wrote:
> Hello all,
> I'm trying to use Freeradius 21.1.9 EAP-TTLS with MSCHAPv2 as inner
> authentication against an OpenLDAP server with crypt password
> encryption scheme.

That is not possible I'm afraid. MS-CHAP requires access to the NT/LM 
hashes (or plaintext password), or access to a machine which does 
(domain controller) via the ntlm_auth helper binary.

As you can see:

> Tue Aug 31 11:12:04 2010 : Debug: WARNING: No "known good" password
> was found in LDAP.  Are you sure that the user is configured correctly?

Then:

> Tue Aug 31 11:12:04 2010 : Info: +- entering group MS-CHAP {...}
> Tue Aug 31 11:12:04 2010 : Info: [mschap] No Cleartext-Password
> configured.  Cannot create LM-Password.
> Tue Aug 31 11:12:04 2010 : Info: [mschap] No Cleartext-Password
> configured.  Cannot create NT-Password.
> Tue Aug 31 11:12:04 2010 : Info: [mschap] Told to do MS-CHAPv2 for
> matteo at crs4.it with NT-Password
> Tue Aug 31 11:12:04 2010 : Info: [mschap] FAILED: No NT/LM-Password.
> Cannot perform authentication.
> Tue Aug 31 11:12:04 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is
> incorrect

To emphasise: this is IMPOSSIBLE; you will either need to store a 
different password hash, or use a different inner EAP method - probably PAP.
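To make the constraint concrete, here is an added example (not from the thread or from FreeRADIUS itself) that derives NT-Password the way MS-CHAPv2 needs it, as MD4 over the UTF-16LE password, and models the "No Cleartext-Password configured" check against an LDAP userPassword value. It assumes the OpenLDAP {SCHEME} prefix convention, with an unprefixed value meaning cleartext; a one-way scheme such as {CRYPT} yields no NT hash, which is exactly why the inner MS-CHAPv2 fails.

```python
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib on OpenSSL 3 often has md4 disabled."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        words = struct.unpack("<16I", data[off:off + 64])
        r = h[:]
        for f, k, order, shifts in rounds:
            for i, j in enumerate(order):  # registers rotate ABCD, DABC, CDAB, BCDA
                a, b, c, d = r[-i % 4], r[(1 - i) % 4], r[(2 - i) % 4], r[(3 - i) % 4]
                r[-i % 4] = _rotl((a + f(b, c, d) + words[j] + k) & _MASK, shifts[i % 4])
        h = [(x + y) & _MASK for x, y in zip(h, r)]
    return struct.pack("<4I", *h)


def nt_password(cleartext: str) -> bytes:
    """NT-Password (the NT hash) is MD4 over the UTF-16LE encoding of the password."""
    return md4(cleartext.encode("utf-16-le"))


def mschap_known_good(user_password: str):
    """Simplified model of the rlm_mschap check (assumption: OpenLDAP {SCHEME}
    prefixes, unprefixed value is cleartext). Returns (nt_hash or None, message)."""
    if user_password.startswith("{") and "}" in user_password:
        scheme = user_password[1:user_password.index("}")].upper()
        if scheme != "CLEARTEXT":
            # crypt(3), SSHA, MD5 etc. are one-way: no NT hash can be derived from them
            return None, f"No Cleartext-Password configured ({scheme}). Cannot create NT-Password."
        user_password = user_password[user_password.index("}") + 1:]
    return nt_password(user_password), "NT-Password derived from Cleartext-Password"
```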
