question regarding PEAP/MSCHAPv2 (ERROR: FAILED: No NT/LM-Password. Cannot perform authentication)

Thomas Stather Thomas.Stather at mpimf-heidelberg.mpg.de
Fri Oct 30 13:54:31 CET 2015


I tried to set password_attribute to "sambaNTPassword" but the error is still the same.


As we have the hashes in our LDAP it seems that I have to switch to 
the "ntlm_auth" module as described in:

http://deployingradius.com/documents/configuration/active_directory.html


But now another (hopefully easy to fix) issue:

In my setup, the ntlm_auth command in raddb/modules/mschap is set to:


ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name:-None} 
--domain=%{%{mschap:NT-Domain}:-MPIMF} 
--challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}"

When I try

radtest -t mschap tstather <my password> 127.0.0.1:18120 0 <shared secret>

it works, but connecting via WLAN fails.


--------------------------------------------------------
...
(8) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name:-None} 
--domain=%{%{mschap:NT-Domain}:-MPIMF} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(8) mschap: EXPAND --username=%{mschap:User-Name:-None}
(8) mschap:    --> --username=tstather at mpimf-heidelberg.mpg.de
(8) mschap: ERROR: No NT-Domain was found in the User-Name
(8) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-MPIMF}
(8) mschap:    --> --domain=MPIMF
(8) mschap: Creating challenge hash with username: 
tstather at mpimf-heidelberg.mpg.de
(8) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(8) mschap:    --> --challenge=233049239fe1013b
(8) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(8) mschap:    --> 
--nt-response=9afa807de748f4cdfb1dcd7414d6ba3a9d5a787c18b448ad
(8) mschap: ERROR: Program returned code (1) and output 'Logon failure 
(0xc000006d)'
(8) mschap: External script failed
(8) mschap: ERROR: External script says: Logon failure (0xc000006d)
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
(8)     [mschap] = reject
(8)   } # Auth-Type MS-CHAP = reject
(8) eap: Sending EAP Failure (code 4) ID 132 length 4
(8) eap: Freeing handler
(8)       [eap] = reject
(8)     } # authenticate = reject
(8)   Failed to authenticate the user
...
--------------------------------------------------------

I think the problem comes from the "Mschap:User-Name" variable which 
holds the full username, i.e. "tstather at mpimf-heidelberg.mpg.de"

How can I change the configuration so that the username is the username 
without our realm, in this case "tstather"?


Best,

Thomas


On 30.10.2015 at 13:19, David Aldwinckle wrote:
> Typo. its early here..
>
> /etc/raddb/modules/ldap?
>
> Dave
>
> -----Original Message-----
> From: David Aldwinckle <daldwinc at uwaterloo.ca>
> Reply-to: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: question regarding PEAP/MSCHAPv2 (ERROR: FAILED: No NT/LM-Password. Cannot perform authentication)
> Date: Fri, 30 Oct 2015 12:15:11 +0000
>
>
>
> My mistake. I didn't read far enough.
>
> What is your "password_attribute" set to in /etc/raddb/ldap?
>
> Try setting it to "sambaNTPassword"
>
> The mapping for sambaNTPassword exists by default:
>
> /etc/raddb/ldap.attrmap:
>
> checkItem       LM-Password                     sambaLmPassword
> checkItem       NT-Password                     sambaNtPassword
>
> Dave
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
Thomas Stather
IT Services

Tel:  +49 6221-486 628
Fax: +49 6221-486 561

------------------------------------------------------------------------
Max Planck Institute for Medical Research (MPImF)
Jahnstrasse 29, 69120 Heidelberg
Germany
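The realm split that the question above is about, as an added Python example (not FreeRADIUS code): it models what the FreeRADIUS realm "suffix" module (split at "@") and "ntdomain" module (split at "\") do to User-Name, and builds the ntlm_auth argument list from the stripped name the way the mschap configuration in the post would if it were fed Stripped-User-Name. The identity, challenge and NT-response values are constructed from the debug output above, and the MPIMF fallback domain is the one in the post's configuration.

```python
"""Model of the User-Name split done by FreeRADIUS realm modules, and the
ntlm_auth command line that results. Added example, not FreeRADIUS source."""
import shlex
from typing import NamedTuple, Optional

DEFAULT_DOMAIN = "MPIMF"  # fallback used by the post's --domain expansion


class Identity(NamedTuple):
    stripped_user: str         # what Stripped-User-Name would hold
    realm: Optional[str]       # suffix after '@' (realm "suffix" module)
    nt_domain: Optional[str]   # prefix before '\' (realm "ntdomain" module)


def split_identity(user_name: str) -> Identity:
    """Split 'DOMAIN\\user@realm' style names into their three parts."""
    nt_domain = None
    realm = None
    user = user_name
    # prefix form first, e.g. 'MPIMF\tstather'
    if "\\" in user:
        nt_domain, user = user.split("\\", 1)
    # suffix form, e.g. 'tstather@mpimf-heidelberg.mpg.de' (split at the last '@')
    if "@" in user:
        user, realm = user.rsplit("@", 1)
    return Identity(user, realm, nt_domain)


def ntlm_auth_argv(user_name: str, challenge_hex: str, nt_response_hex: str) -> list:
    """Build the ntlm_auth argument list with the realm stripped from --username."""
    ident = split_identity(user_name)
    domain = ident.nt_domain or DEFAULT_DOMAIN
    return ["/usr/bin/ntlm_auth", "--request-nt-key",
            f"--username={ident.stripped_user}",
            f"--domain={domain}",
            f"--challenge={challenge_hex}",
            f"--nt-response={nt_response_hex}"]


if __name__ == "__main__":
    # constructed sample: the identity and hex values from the debug output above
    argv = ntlm_auth_argv("tstather@mpimf-heidelberg.mpg.de", "233049239fe1013b",
                          "9afa807de748f4cdfb1dcd7414d6ba3a9d5a787c18b448ad")
    print(shlex.join(argv))
```

Once a realm module has run in the authorize section, Stripped-User-Name carries the "tstather" part, and that attribute rather than the full User-Name is what the --username argument should be built from.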
