falling back to local auth and not ads

Morris, Andi amorris at cardiffmet.ac.uk
Tue Apr 24 13:03:00 CEST 2012


Thanks Alan,
Great website! I've been through all the steps on that and I get an Access-Accept when running the radtest against MSCHAP at the end; however, when I connect from a supplicant I'm still seeing the following in the debug output.

" [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: sm18818
[mschap] Told to do MS-CHAPv2 for sm18818 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect"

Matthew,
The only thing in my users file is:
 DEFAULT EAP-Message !* "", Auth-Type := Accept

This was a pre-packaged setup of freeradius; I've not knowingly put MS-CHAP-Use-NTLM-Auth = Yes somewhere, although I will look around and see what I can find.

-----Original Message-----
From: freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org] On Behalf Of Matthew Newton
Sent: 24 April 2012 10:54
To: FreeRadius users mailing list
Subject: Re: falling back to local auth and not ads

On Tue, Apr 24, 2012 at 09:24:42AM +0000, Morris, Andi wrote:
> My freeradius server seems to be falling back to local authentication
> rather than piping it out to our ADS server.  If I create a local user
> on the radius box authentication is successful.  Can anyone please
> help with this?  All relevant info I can think of is below.

Initial guess - you've set MS-CHAP-Use-NTLM-Auth = Yes somewhere (check for broken entries in your users file, etc), so mschap isn't even trying to call ntlm_auth.

> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Creating challenge hash with username: sm18818
> [mschap] Told to do MS-CHAPv2 for sm18818 with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect

Matthew


--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>