AW: mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication

Torsten Wilms torsten at wilms-ac.de
Fri Oct 9 17:37:01 CEST 2015


So now i changed the configuration to default, installed samba, added the system in the AD and tried the following:


Over Access Point with PEAP/MSCHAPv2

(0) Received Access-Request Id 151 from 192.168.2.250:3072 to 192.168.8.27:1812 length 178
(0)   User-Name = "test"
(0)   Service-Type = Framed-User
(0)   NAS-IP-Address = 192.168.2.250
(0)   NAS-Port = 12
(0)   NAS-Port-Id = "12"
(0)   Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(0)   Calling-Station-Id = "B8-E8-56-41-2C-2A"
(0)   Connect-Info = "CONNECT 54 Mbps 802.11g"
(0)   NAS-Identifier = "AP-domain01"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Framed-MTU = 1500
(0)   EAP-Message = 0x020100090174657374
(0)   Message-Authenticator = 0x53256bbc98c1251ad9f75dcd28ae8da7
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (!&User-Name) {
(0)       if (!&User-Name)  -> FALSE
(0)       if (&User-Name =~ / /) {
(0)       if (&User-Name =~ / /)  -> FALSE
(0)       if (&User-Name =~ /@.*@/ ) {
(0)       if (&User-Name =~ /@.*@/ )  -> FALSE
(0)       if (&User-Name =~ /\.\./ ) {
(0)       if (&User-Name =~ /\.\./ )  -> FALSE
(0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)       if (&User-Name =~ /\.$/)  {
(0)       if (&User-Name =~ /\.$/)   -> FALSE
(0)       if (&User-Name =~ /@\./)  {
(0)       if (&User-Name =~ /@\./)   -> FALSE
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}:
(0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(0) ntlm_auth:    --> --username=test
(0) ntlm_auth: EXPAND --password=%{User-Password}
(0) ntlm_auth:    --> --password=
(0) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)'
(0)     [ntlm_auth] = reject
(0)   } # authorize = reject
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> test
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0) eap: Request was previously rejected, inserting EAP-Failure
(0) eap: Sending EAP Failure (code 4) ID 1 length 4
(0)     [eap] = updated
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 151 from 192.168.8.27:1812 to 192.168.2.250:3072 length 44
(0)   EAP-Message = 0x04010004
(0)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 151 with timestamp +20
Ready to process requests
^C
------------------------------------------------------------

Via console:

/usr/local/etc/raddb # /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=test --password=password                                                                                                                                                  root at aaa
NT_STATUS_OK: Success (0x0)



Radtest test password localhost 0 testing123



(0) Received Access-Request Id 119 from 127.0.0.1:44440 to 127.0.0.1:1812 length 74
(0)   User-Name = "test"
(0)   User-Password = "password"
(0)   NAS-IP-Address = 192.168.8.27
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0xbe31e04dd320dc31298bfe9e5e56b2b2
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (!&User-Name) {
(0)       if (!&User-Name)  -> FALSE
(0)       if (&User-Name =~ / /) {
(0)       if (&User-Name =~ / /)  -> FALSE
(0)       if (&User-Name =~ /@.*@/ ) {
(0)       if (&User-Name =~ /@.*@/ )  -> FALSE
(0)       if (&User-Name =~ /\.\./ ) {
(0)       if (&User-Name =~ /\.\./ )  -> FALSE
(0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)       if (&User-Name =~ /\.$/)  {
(0)       if (&User-Name =~ /\.$/)   -> FALSE
(0)       if (&User-Name =~ /@\./)  {
(0)       if (&User-Name =~ /@\./)   -> FALSE
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}:
(0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(0) ntlm_auth:    --> --username=test
(0) ntlm_auth: EXPAND --password=%{User-Password}
(0) ntlm_auth:    --> --password=password
(0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)'
(0) ntlm_auth: Program executed successfully
(0)     [ntlm_auth] = ok
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> test
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 119 from 127.0.0.1:1812 to 127.0.0.1:44440 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 119 with timestamp +2
Ready to process requests



Why we have user password emty if we use mschap???


~ # radtest -t mschap test password localhost 0 testing123                                                             root at aaa
Sent Access-Request Id 61 from 0.0.0.0:55547 to 127.0.0.1:1812 length 130
	User-Name = "test"
	MS-CHAP-Password = "password"
	NAS-IP-Address = 192.168.8.27
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "password"
	MS-CHAP-Challenge = 0xe4b7ba0150bb1065
	MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000c37040e23af21cc7ef5a554e168244fdbe651a1e5e530cac
Received Access-Reject Id 61 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject


(1) Received Access-Request Id 61 from 127.0.0.1:55547 to 127.0.0.1:1812 length 130
(1)   User-Name = "test"
(1)   NAS-IP-Address = 192.168.8.27
(1)   NAS-Port = 0
(1)   Message-Authenticator = 0xdc18afd2c2c531685bbc96701e690b22
(1)   MS-CHAP-Challenge = 0xe4b7ba0150bb1065
(1)   MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000c37040e23af21cc7ef5a554e168244fdbe651a1e5e530cac
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (!&User-Name) {
(1)       if (!&User-Name)  -> FALSE
(1)       if (&User-Name =~ / /) {
(1)       if (&User-Name =~ / /)  -> FALSE
(1)       if (&User-Name =~ /@.*@/ ) {
(1)       if (&User-Name =~ /@.*@/ )  -> FALSE
(1)       if (&User-Name =~ /\.\./ ) {
(1)       if (&User-Name =~ /\.\./ )  -> FALSE
(1)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)       if (&User-Name =~ /\.$/)  {
(1)       if (&User-Name =~ /\.$/)   -> FALSE
(1)       if (&User-Name =~ /@\./)  {
(1)       if (&User-Name =~ /@\./)   -> FALSE
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(1)     [mschap] = ok
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}:
(1) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(1) ntlm_auth:    --> --username=test
(1) ntlm_auth: EXPAND --password=%{User-Password}
(1) ntlm_auth:    --> --password=
(1) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)'
(1)     [ntlm_auth] = reject
(1)   } # authorize = reject
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> test
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 61 from 127.0.0.1:1812 to 127.0.0.1:55547 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 61 with timestamp +10
Ready to process requests



-----Urspr√ľngliche Nachricht-----
Von: Freeradius-Users [mailto:freeradius-users-bounces+torsten=wilms-ac.de at lists.freeradius.org] Im Auftrag von Matthew Newton
Gesendet: Donnerstag, 8. Oktober 2015 17:15
An: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Betreff: Re: mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication

On Thu, Oct 08, 2015 at 04:55:35PM +0200, Torsten Wilms wrote:
> If i try to login via "radtest -x test testpwd 127.0.0.1:18120 0 testing123"
> on the linux console, everything is working via ldap. If i try this 
> over the 802.1X AccessPoint, it doesn't work.

This is impossible with PEAP/EAP-MSCHAPv2. AD won't give you either the Cleartext-Password or the NT hash.

http://deployingradius.com/documents/protocols/compatibility.html

> I think that everything goes wrong with encrypt/decrypt the Domain 
> User password or no User-Password is given after eap or something 
> else. I tried a lot of stuff, but nothing works.

Forget trying to do LDAP to AD for auth and install Samba.

http://deployingradius.com/documents/configuration/active_directory.html

Matthew


--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list