falling back to local auth and not ads

Matthew Newton mcn4 at leicester.ac.uk
Tue Apr 24 13:30:55 CEST 2012


Hi,

On Tue, Apr 24, 2012 at 11:03:00AM +0000, Morris, Andi wrote:
> I've been through all the steps on that and I get an
> Access-Accept when running the radtest against MSCHAP at the
> end, however when I connect from a supplicant I'm still seeing
> the following in the debug output.
> 
> " [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.

Full debug output from radiusd -X is needed otherwise we're all
guessing what's up.

Have you got 'eap' configured in your inner tunnel
(sites-enabled/inner-tunnel, likely)? When you're using a
supplicant, you'll be doing EAP, which means that you need eap in
both the outer and the inner - the inner eap then internally calls
mschap to then call ntlm_auth.

I'm guessing you followed all of Alan's web page, including the
section at the bottom about configuring ntlm_auth in the mschap
module (not the 'exec mschap' bit) - the ntlm_auth in mschap is
essential for EAP-MSCHAP to work, whereas plain mschap (or
TTLS/MS-CHAP) uses the exec variant.

> The only thing in my users file is:
>  DEFAULT EAP-Message !* "", Auth-Type := Accept

OK I misread - I thought you'd said it was working, and then
stopped, not that it wasn't working to begin with...

> This was a pre-packaged setup of freeradius, I've not knowingly
> put MS-CHAP-Use-NTLM-Auth = Yes somewhere, although I will look
> around and see what I can find.

Don't bother, if you've never added it - it shouldn't be there.

Matthew



> -----Original Message-----
> From: freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org] On Behalf Of Matthew Newton
> Sent: 24 April 2012 10:54
> To: FreeRadius users mailing list
> Subject: Re: falling back to local auth and not ads
> 
> On Tue, Apr 24, 2012 at 09:24:42AM +0000, Morris, Andi wrote:
> > My freeradius server seems to be falling back to local authentication
> > rather than piping it out to our ADS server.  If I create a local user
> > on the radius box authentication is successful.  Can anyone please
> > help with this?  All relevant info I can think of is below.
> 
> Initial guess - you've set MS-CHAP-Use-NTLM-Auth = Yes somewhere (check for broken entries in your users file, etc), so mschap isn't even trying to call ntlm_auth.
> 
> > [mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel
> > [mschapv2] +- entering group MS-CHAP {...}
> > [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> > [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> > [mschap] Creating challenge hash with username: sm18818
> > [mschap] Told to do MS-CHAPv2 for sm18818 with NT-Password
> > [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> > [mschap] FAILED: MS-CHAP2-Response is incorrect
> 
> Matthew

-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
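
Added example, not part of the original message or of FreeRADIUS: a small Python triage of `radiusd -X` output that reports which virtual-server file ran the MS-CHAP group and whether mschap tried local password hashes or an external helper. The sample is the debug text quoted in this thread, re-joined one message per line; the function name `triage`, the result keys, and the rule that a line naming `ntlm_auth` or `Exec-Program` indicates a helper call are assumptions of this example.

```python
import re

# Debug lines quoted in this thread, re-joined one message per line.
THREAD_SAMPLE = """\
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: sm18818
[mschap] Told to do MS-CHAPv2 for sm18818 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
"""

GROUP_FILE = re.compile(r"^\[(\S+?)\] # Executing group from file (\S+)")
# Assumption: a helper invocation appears as a line naming ntlm_auth or Exec-Program.
HELPER = re.compile(r"ntlm_auth|Exec-Program")


def triage(debug_text):
    """Summarise how the mschap module handled a request in radiusd -X output."""
    result = {"server_files": [], "local_hash_attempt": False,
              "no_local_password": False, "helper_called": False}
    for line in debug_text.splitlines():
        line = line.strip()
        m = GROUP_FILE.match(line)
        if m and m.group(2) not in result["server_files"]:
            result["server_files"].append(m.group(2))  # virtual server in use
        if line.startswith("[mschap]"):
            if "No Cleartext-Password configured" in line:
                result["local_hash_attempt"] = True
            if "FAILED: No NT/LM-Password" in line:
                result["no_local_password"] = True
        if HELPER.search(line):
            result["helper_called"] = True
    if result["no_local_password"] and not result["helper_called"]:
        result["verdict"] = "mschap compared against local passwords; ntlm_auth was never run"
    elif result["helper_called"]:
        result["verdict"] = "mschap handed the response to an external helper"
    else:
        result["verdict"] = "inconclusive; capture the full radiusd -X output"
    return result


if __name__ == "__main__":
    for key, value in triage(THREAD_SAMPLE).items():
        print(f"{key}: {value}")
```

The `server_files` entry shows which file under sites-enabled actually processed the inner authentication, which is the place to check for `eap` and `mschap`.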

