mschap : NT-Password has not been normalized by the 'pap' module.

Mohamed Lrhazi Mohamed.Lrhazi at georgetown.edu
Mon Mar 9 20:42:25 CET 2015 

Hello,

Trying to get freeradius working for tls and mschap and ldap based
authentication... seems the password is found correctly in LDAP, but fails
to be decoded maybe?

the passwords in LDAP look like: {MD4}6DDDA<an so on..>

The pap module is enabled, by the default config, in the end of the
authorize section in sites-enabled/default and inner-tunnel.

Or is this not my problem at all? and I should be looking elsewhere?

Thanks a lot,
Mohamed.

root at 27840c0ba8ef:/data# freeradius -v
freeradius: FreeRADIUS Version 3.0.3, for host x86_64-pc-linux-gnu, built
on May 20 2014 at 11:59:21

freeradius -XXX :
...
(8) ldap :    --> ou=people,dc=georgetown,dc=edu
(8) ldap : Performing search in 'ou=people,dc=georgetown,dc=edu' with
filter '(uid=ml623)', scope 'sub'
(8) ldap : Waiting for search result...
(8) ldap : User object found at DN
"uid=ml623,ou=People,dc=georgetown,dc=edu"
(8) ldap : Processing user attributes
(8) ldap :      control:NT-Password := 0x7b4d44347d36444<and so on....>
rlm_ldap (ldap): Released connection (4)
(8)   [ldap] = ok
(8)   [expiration] = noop
(8)   [logintime] = noop
(8) WARNING: pap : Auth-Type already set.  Not setting to PAP
(8)   [pap] = noop
(8)  } #  authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8)   authenticate {
(8) eap : Expiring EAP session with state 0xd374de30d37cc42e
(8) eap : Finished EAP session with state 0xd374de30d37cc42e
(8) eap : Previous EAP request found for state 0xd374de30d37cc42e, released
from the list
(8) eap : Peer sent MSCHAPv2 (26)
(8) eap : EAP MSCHAPv2 (26)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2 : # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
(8) eap_mschapv2 :  Auth-Type MS-CHAP {
(8) WARNING: mschap : No Cleartext-Password configured.  Cannot create
LM-Password
(8) WARNING: mschap : NT-Password has not been normalized by the 'pap'
module.  Authentication will fail
(8) mschap : Creating challenge hash with username: ml623
(8) mschap : Client is using MS-CHAPv2
(8) ERROR: mschap : FAILED: No NT/LM-Password.  Cannot perform
authentication
(8) ERROR: mschap : MS-CHAP2-Response is incorrect
(8)   [mschap] = reject

More information about the Freeradius-Users mailing list