RADIUS authentication using MS-CHAP - no cleartext password configured error

Deepti kulkarni deepti.kdeeps at gmail.com
Wed Feb 6 23:39:27 CET 2013

I have a windows client trying to set up L2TP tunnel with my linux router.
The linux router talks with the RADIUS server. The authentication is
failing because the request is using MS-CHAP and my server cannot handle
MS-CHAP. I am not sure what is missing from the configuration on the
server. I have the cleartext password in the users file for the "temp" user
I am trying to authenticate. Following is the debug output -

rad_recv: Access-Request packet from host port 46487, id=142,
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "temp"
        MS-CHAP-Challenge = 0xa71f9d0753274da79dfe6f0eb2c1b693
        MS-CHAP2-Response =
        Calling-Station-Id = "l2tp"
        NAS-IP-Address =
        NAS-Port = 0
# Executing section authorize from file
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "temp", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: temp
[mschap] Told to do MS-CHAPv2 for temp with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [temp] (from client temp-radius port 0 cli l2tp)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> temp
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 142 to port 46487
Waking up in 4.9 seconds.
Cleaning up request 4 ID 142 with timestamp +1310
Ready to process requests.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130206/950e2d5c/attachment.html>

More information about the Freeradius-Users mailing list