How to setup Freeradius

Fajar A. Nugraha list at fajar.net
Thu Jun 30 04:38:35 CEST 2011


On Thu, Jun 30, 2011 at 9:00 AM, sgilmour <sgilmour at enterasys.com> wrote:
> Thanks for the reply here is my debug log
> Looks like it is failing here.
>
> Tue Jun 21 09:35:28 2011 : Info: [mschap] No Cleartext-Password configured.
> Cannot create LM-Password.
> Tue Jun 21 09:35:28 2011 : Info: [mschap] No Cleartext-Password configured.
> Cannot create NT-Password.
> Tue Jun 21 09:35:28 2011 : Info: [mschap]   NT Domain delimeter found,
> should we have enabled with_ntdomain_hack?
> Tue Jun 21 09:35:28 2011 : Info: [mschap] Told to do MS-CHAPv2 for
> SQA\Administrator with NT-Password
> Tue Jun 21 09:35:28 2011 : Info: [mschap] FAILED: No NT/LM-Password.  Cannot
> perform authentication.
> Tue Jun 21 09:35:28 2011 : Info: [mschap] FAILED: MS-CHAP2-Response is
> incorrect
> Tue Jun 21 09:35:28 2011 : Info: ++[mschap] returns reject
> Tue Jun 21 09:35:28 2011 : Info: [eap] Freeing handler
> Tue Jun 21 09:35:28 2011 : Info: ++[eap] returns reject

Are you using the users file? From

[files] users: Matched entry SQA\Administrator at line 93

it seems that you are. If that's the case then it's simple. The lines

Tue Jun 21 09:35:28 2011 : Info: [mschap] No Cleartext-Password configured.
Cannot create LM-Password.
Tue Jun 21 09:35:28 2011 : Info: [mschap] No Cleartext-Password configured.
Cannot create NT-Password.

said it all. You need either a clear-text password, or NT-Password in
the users file. Here's an example in my setup (the mail client might
wrap it, but it's all in one line):

testuser  NT-Password := "35CCBA9168B1D5CA6093B4B7D56C619B", LM-Password := "3AE6CCCE2A2A253F93E28745B8BF4BA6"

or

testuser  Cleartext-Password := "testpass"

The first example should be able to handle pap and mschap, and is
encrypted, but it won't work if you use EAP-MD5 (which needs
cleartext-password). The second example should be able to handle any
authentication method, but some might say it's a security risk since
the password is stored as clear text.

NT and LM passwords can be created using the tool smbencrypt (part of
the freeradius-utils package)

# smbencrypt testpass
LM Hash                         	NT Hash
--------------------------------	--------------------------------
3AE6CCCE2A2A253F93E28745B8BF4BA6	35CCBA9168B1D5CA6093B4B7D56C619B


> root@Ubuntu-FreeRadius:/etc/freeradius# freeradius -X -X -X

freeradius -X is enough, no need for extra Xs. It makes it harder to read.

> Tue Jun 21 13:06:55 2011 : Info: FreeRADIUS Version 2.1.8, for host
> i486-pc-linux-gnu, built on Jan  5 2010 at 02:49:11

You don't mention which OS you use. Debian and Ubuntu both have
2.1.10. There was a post on this list where someone was having a
problem with an older freeradius server even when he had both
NT-Password and LM-Password stored in LDAP, so if you've provided
those two passwords but are still unable to authenticate with mschap, try
upgrading.

-- 
Fajar
