Re: mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
Torsten Wilms
torsten at wilms-ac.de
Fri Oct 9 17:37:01 CEST 2015
So now I changed the configuration to default, installed Samba, added the system to the AD and tried the following:
Over Access Point with PEAP/MSCHAPv2
(0) Received Access-Request Id 151 from 192.168.2.250:3072 to 192.168.8.27:1812 length 178
(0) User-Name = "test"
(0) Service-Type = Framed-User
(0) NAS-IP-Address = 192.168.2.250
(0) NAS-Port = 12
(0) NAS-Port-Id = "12"
(0) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(0) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(0) Connect-Info = "CONNECT 54 Mbps 802.11g"
(0) NAS-Identifier = "AP-domain01"
(0) NAS-Port-Type = Wireless-802.11
(0) Framed-MTU = 1500
(0) EAP-Message = 0x020100090174657374
(0) Message-Authenticator = 0x53256bbc98c1251ad9f75dcd28ae8da7
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (!&User-Name) {
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ ) {
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}:
(0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(0) ntlm_auth: --> --username=test
(0) ntlm_auth: EXPAND --password=%{User-Password}
(0) ntlm_auth: --> --password=
(0) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)'
(0) [ntlm_auth] = reject
(0) } # authorize = reject
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> test
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) eap: Request was previously rejected, inserting EAP-Failure
(0) eap: Sending EAP Failure (code 4) ID 1 length 4
(0) [eap] = updated
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 151 from 192.168.8.27:1812 to 192.168.2.250:3072 length 44
(0) EAP-Message = 0x04010004
(0) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 151 with timestamp +20
Ready to process requests
^C
------------------------------------------------------------
Via console:
/usr/local/etc/raddb # /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=test --password=password root at aaa
NT_STATUS_OK: Success (0x0)
radtest test password localhost 0 testing123
(0) Received Access-Request Id 119 from 127.0.0.1:44440 to 127.0.0.1:1812 length 74
(0) User-Name = "test"
(0) User-Password = "password"
(0) NAS-IP-Address = 192.168.8.27
(0) NAS-Port = 0
(0) Message-Authenticator = 0xbe31e04dd320dc31298bfe9e5e56b2b2
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (!&User-Name) {
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ ) {
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}:
(0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(0) ntlm_auth: --> --username=test
(0) ntlm_auth: EXPAND --password=%{User-Password}
(0) ntlm_auth: --> --password=password
(0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)'
(0) ntlm_auth: Program executed successfully
(0) [ntlm_auth] = ok
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> test
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 119 from 127.0.0.1:1812 to 127.0.0.1:44440 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 119 with timestamp +2
Ready to process requests
Why do we have an empty User-Password if we use mschap???
~ # radtest -t mschap test password localhost 0 testing123 root at aaa
Sent Access-Request Id 61 from 0.0.0.0:55547 to 127.0.0.1:1812 length 130
User-Name = "test"
MS-CHAP-Password = "password"
NAS-IP-Address = 192.168.8.27
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "password"
MS-CHAP-Challenge = 0xe4b7ba0150bb1065
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000c37040e23af21cc7ef5a554e168244fdbe651a1e5e530cac
Received Access-Reject Id 61 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
(1) Received Access-Request Id 61 from 127.0.0.1:55547 to 127.0.0.1:1812 length 130
(1) User-Name = "test"
(1) NAS-IP-Address = 192.168.8.27
(1) NAS-Port = 0
(1) Message-Authenticator = 0xdc18afd2c2c531685bbc96701e690b22
(1) MS-CHAP-Challenge = 0xe4b7ba0150bb1065
(1) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000c37040e23af21cc7ef5a554e168244fdbe651a1e5e530cac
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (!&User-Name) {
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ ) {
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(1) [mschap] = ok
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}:
(1) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(1) ntlm_auth: --> --username=test
(1) ntlm_auth: EXPAND --password=%{User-Password}
(1) ntlm_auth: --> --password=
(1) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)'
(1) [ntlm_auth] = reject
(1) } # authorize = reject
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> test
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 61 from 127.0.0.1:1812 to 127.0.0.1:55547 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 61 with timestamp +10
Ready to process requests
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+torsten=wilms-ac.de at lists.freeradius.org] On Behalf Of Matthew Newton
Sent: Thursday, 8 October 2015 17:15
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
On Thu, Oct 08, 2015 at 04:55:35PM +0200, Torsten Wilms wrote:
> If I try to login via "radtest -x test testpwd 127.0.0.1:18120 0 testing123"
> on the Linux console, everything is working via LDAP. If I try this
> over the 802.1X AccessPoint, it doesn't work.
This is impossible with PEAP/EAP-MSCHAPv2. AD won't give you either the Cleartext-Password or the NT hash.
http://deployingradius.com/documents/protocols/compatibility.html
> I think that everything goes wrong with encrypting/decrypting the domain
> user password, or no User-Password is given after EAP, or something
> else. I tried a lot of stuff, but nothing works.
Forget trying to do LDAP to AD for auth and install Samba.
http://deployingradius.com/documents/configuration/active_directory.html
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
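The debug output above shows the rlm_exec "ntlm_auth" module running from the authorize section and expanding %{User-Password} to nothing for the MS-CHAP and PEAP requests, so Samba is asked to check an empty password and rejects before the eap or mschap modules ever authenticate. As an added configuration example (not from this thread, and not a copy of the FreeRADIUS project's own files), here is that layout beside the layout the FreeRADIUS defaults use, where the mschap module calls ntlm_auth with the challenge and NT-Response it parsed from the request. The path /usr/bin/ntlm_auth is taken from the log; DOMAIN is a placeholder.

```conf
# --- Layout matching the debug log: the rlm_exec "ntlm_auth" module listed
#     in authorize. Its --password=%{User-Password} argument only has a value
#     for PAP requests. MS-CHAP/PEAP requests carry MS-CHAP-Challenge and
#     MS-CHAP-Response instead, so it expands to "--password=" and Samba
#     returns NT_STATUS_WRONG_PASSWORD; authorize rejects before eap runs.
authorize {
    filter_username
    preprocess
    chap
    mschap
    suffix
    ntlm_auth          # remove this: it cannot verify a challenge/response
    eap
    pap
}

# --- Corrected layout (added example). DOMAIN is a placeholder.
# mods-available/mschap: let the mschap module hand the challenge and the
# NT-Response to ntlm_auth itself (Samba must already be joined to the AD).
mschap {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-DOMAIN} --username=%{%{mschap:User-Name}:-None} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# sites-enabled/default and sites-enabled/inner-tunnel: no exec ntlm_auth in
# authorize. When the mschap module sees MS-CHAP attributes it sets
# Auth-Type = mschap (visible in the radtest -t mschap log), and the
# authenticate section dispatches to it.
authorize {
    filter_username
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # The exec module is only useful for PAP, selected explicitly:
    # Auth-Type ntlm_auth {
    #     ntlm_auth
    # }
    eap
}
```

With this layout the PEAP request is handed to eap in authorize and the inner EAP-MSCHAPv2 exchange reaches the mschap module in the inner-tunnel virtual server, which is where AD via Samba can actually verify it.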