mschapv2 and peap not working, please help
Phil Mayers
p.mayers at imperial.ac.uk
Thu Apr 7 13:53:22 CEST 2011
> [ldap] looking for check items in directory...
> [ldap] userPassword -> Password-With-Header ==
> "{crypt}$1$94hl3NgJ$AuuZleae5i2GkzrT9XIye0"

"crypt" passwords cannot be used to do MS-CHAP. It is impossible.
MS-CHAP requires either the cleartext password or NT/LM hashes.

See:
http://deployingradius.com/documents/protocols/compatibility.html

> [ldap] looking for reply items in directory...
> [ldap] user mahendra authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set. Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/default
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Creating challenge hash with username: mahendra
> [mschap] Told to do MS-CHAPv2 for mahendra with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.

...because you only have crypt passwords, it fails.

You MUST store plaintext or NT/LM hashes if you want to do PEAP/MSCHAP.
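
The diagnosis in the reply above, as an added example that is not part of the original post or of FreeRADIUS: a small Python check that reads debug output of the shape quoted in the message, extracts the `{scheme}` header from `Password-With-Header`, and correlates it with the `[mschap] FAILED` line. The header spellings in `MSCHAP_USABLE`, the treatment of headerless values as cleartext, and the sample log are assumptions constructed for illustration.

```python
import re

# Assumption: header spellings below; extend to match your directory.
MSCHAP_USABLE = {"clear", "cleartext", "nt", "nthash", "lm", "lanman"}

PWH_RE = re.compile(r'Password-With-Header\s*==\s*"([^"]*)"')
USER_RE = re.compile(r'\[mschap\] Creating challenge hash with username: (\S+)')
FAIL_RE = re.compile(r'\[mschap\]\s+FAILED: No NT/LM-Password')

# Constructed sample in the shape of the quoted debug output (not a real hash).
SAMPLE = '''\
> [ldap] userPassword -> Password-With-Header ==
> "{crypt}$1$CONSTRUCT$0000000000000000000000"
> [mschap] Creating challenge hash with username: alice
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
'''


def password_scheme(value):
    """Lower-cased {scheme} header; headerless values are assumed cleartext."""
    m = re.match(r'\{([^}]+)\}', value)
    return m.group(1).lower() if m else "cleartext"


def diagnose(debug_log):
    """Correlate the stored password scheme with an MS-CHAP credential failure."""
    # Drop mail quoting so a log line wrapped after "==" still matches.
    text = re.sub(r'^> ?', '', debug_log, flags=re.M)
    pwh = PWH_RE.search(text)
    user = USER_RE.search(text)
    scheme = password_scheme(pwh.group(1)) if pwh else None
    usable = (scheme in MSCHAP_USABLE) if scheme else None
    failed = bool(FAIL_RE.search(text))
    if failed and usable is False:
        verdict = "{%s} is one-way: store cleartext or NT/LM hash for MS-CHAP" % scheme
    elif failed:
        verdict = "MS-CHAP failed; no incompatible stored scheme seen in this log"
    else:
        verdict = "no MS-CHAP credential failure in this log"
    return {"user": user.group(1) if user else None, "scheme": scheme,
            "mschap_usable": usable, "mschap_failed": failed, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```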