EAP-TTLS with mschapv2 inner authentication issue
Phil Mayers
p.mayers at imperial.ac.uk
Tue Aug 31 11:51:11 CEST 2010
On 08/31/2010 10:23 AM, matteo at crs4.it wrote:
> Hello all,
> I'm trying to use Freeradius 21.1.9 EAP-TTLS with MSCHAPv2 as inner
> authentication against an OpenLDAP server with crypt password
> encryption scheme.
That is not possible I'm afraid. MS-CHAP requires access to the NT/LM
hashes (or plaintext password), or access to a machine which does
(domain controller) via the ntlm_auth helper binary.
As you can see:
> Tue Aug 31 11:12:04 2010 : Debug: WARNING: No "known good" password
> was found in LDAP. Are you sure that the user is configured correctly?
Then:
> Tue Aug 31 11:12:04 2010 : Info: +- entering group MS-CHAP {...}
> Tue Aug 31 11:12:04 2010 : Info: [mschap] No Cleartext-Password
> configured. Cannot create LM-Password.
> Tue Aug 31 11:12:04 2010 : Info: [mschap] No Cleartext-Password
> configured. Cannot create NT-Password.
> Tue Aug 31 11:12:04 2010 : Info: [mschap] Told to do MS-CHAPv2 for
> matteo at crs4.it with NT-Password
> Tue Aug 31 11:12:04 2010 : Info: [mschap] FAILED: No NT/LM-Password.
> Cannot perform authentication.
> Tue Aug 31 11:12:04 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is
> incorrect
To emphasise this is IMPOSSIBLE; you will either need to store a
different password hash, or use a different inner EAP method - probably PAP.
More information about the Freeradius-Users
mailing list