freeradius using linux user passwd
Matthew Newton
mcn4 at leicester.ac.uk
Tue Jul 9 11:18:43 CEST 2013
Julian,
On Mon, Jul 08, 2013 at 03:10:31PM -0700, Julian Macassey wrote:
> I'm just trying to do a bog standard username and
> password for OS X and Linux users on laptops - Plus the
> ubiquitous smartphones of course. I have no Microsoft gear on the
> LAN.
Try adding the following to the *top* of your users file:
evergreen Cleartext-Password := "pa55word", MS-CHAP-Use-NTLM-Auth := 0
Then restart FR and try logging in again with the password 'pa55word'.
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
...
your client is set to do PEAP/EAP-MSCHAPv2 - which is what most
things (including Windows) will do by default. It can't auth
against /etc/passwd, but it can if it knows the cleartext password
as shown above.
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Creating challenge hash with username: evergreen
> [mschap] Told to do MS-CHAPv2 for evergreen with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
This is the EAP-MSCHAPv2 bit (inside the PEAP inner tunnel)
telling you it's got no cleartext password or NTLM hash, so it
can't authenticate the user.
Given a cleartext password as above, you should be good to go.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>