OpenLDAP+FreeRadius Encryption

Greg Mischel Smith gregms at
Tue Feb 2 18:11:39 CET 2016

>   You should set "default_eap_type"  to have the server start a particular EAP type.  The client *should* either start that EAP type, or NAK it with a list of supported EAP types.
>   In this case, you set "default_eap_type = mschapv2", but deleted the "mschapv2" from the "eap" section.  That's confusing and wrong.  Don't do that.

I had forgotten to set the default in the PEAP section in this test (I
had tried it before). In either case it doesn't work, as it still
provides the same error. But since Alan says that is a bad idea
anyway, I left the mschapv2 section in and I changed inside PEAP to
"default_eap_type = gtc" in the eap file. Tunnel settings are both set
to no (which I believe is the default). Any other default settings I
should try? When I have it like this, it just tries mschapv2, fails
due to an authentication problem (as my Android puts it) and just keeps
trying and failing. Again, if I force it to use GTC on Android, then it
would work in this current config.

rlm_ldap (ldap): Released connection (4)
(7)    [ldap] = ok
(7)    [expiration] = noop
(7)    [logintime] = noop
(7)   WARNING: pap : Auth-Type already set.  Not setting to PAP
(7)    [pap] = noop
(7)   } #  authorize = updated
(7)  Found Auth-Type = EAP
(7)  # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)    authenticate {
(7)   eap : Expiring EAP session with state 0x157f222d157738f9
(7)   eap : Finished EAP session with state 0x157f222d157738f9
(7)   eap : Previous EAP request found for state 0x157f222d157738f9, released from the list
(7)   eap : Peer sent method MSCHAPv2 (26)
(7)   eap : EAP MSCHAPv2 (26)
(7)   eap : Calling eap_mschapv2 to process EAP data
(7)   eap_mschapv2 : # Executing group from file
(7)   eap_mschapv2 :  Auth-Type MS-CHAP {
(7)    WARNING: mschap : No Cleartext-Password configured.  Cannot create LM-Password
(7)    WARNING: mschap : No Cleartext-Password configured.  Cannot create NT-Password
(7)    mschap : Creating challenge hash with username: testuser
(7)    mschap : Client is using MS-CHAPv2
(7)    ERROR: mschap : FAILED: No NT/LM-Password.  Cannot perform authentication
(7)    ERROR: mschap : MS-CHAP2-Response is incorrect
(7)     [mschap] = reject
(7)    } # Auth-Type MS-CHAP = reject
(7)   eap : Freeing handler
(7)    [eap] = reject
(7)   } #  authenticate = reject
(7)  Failed to authenticate the user
(7)  Login incorrect (mschap: FAILED: No NT/LM-Password.  Cannot perform authentication): [testuser/<via Auth-Type = EAP>] (from client WLC port 0 via TLS tunnel)
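As an added illustration (not code from this thread or from FreeRADIUS), here is the decision the log above shows rlm_mschap making: MS-CHAPv2 can only be verified if the authorize phase left an NT-Password, or a Cleartext-Password from which one can be derived (MD4 over the UTF-16LE password); a salted hash such as the {SSHA} userPassword that rlm_ldap typically returns gives it nothing to work with, which is why GTC (where the inner-tunnel can bind/compare against LDAP) works and MS-CHAPv2 fails. The attribute sets and the `userPassword` value are constructed; MD4 is implemented inline because hashlib's md4 is often disabled.

```python
import struct

M = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the digest behind NT-Password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]            # round-2 word order
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]  # round-3 word order
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + F(b, c, d) + X[i]) & M, (3, 7, 11, 19)[i % 4]); a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl((a + G(b, c, d) + X[r2[i]] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4]); a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4]); a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def nt_password(cleartext: str) -> bytes:
    """NT-Password = MD4(UTF-16LE(password)); what rlm_mschap derives from Cleartext-Password."""
    return md4(cleartext.encode("utf-16-le"))

def mschap_password_source(attrs: dict) -> tuple:
    """Model of rlm_mschap's password lookup over the control attributes left by authorize.
    Returns (source, nt_hash) or ("reject", None) when MS-CHAPv2 cannot be performed."""
    if "NT-Password" in attrs:
        return ("NT-Password", bytes.fromhex(attrs["NT-Password"]))
    if "Cleartext-Password" in attrs:
        return ("Cleartext-Password", nt_password(attrs["Cleartext-Password"]))
    # The branch in the poster's log: "No Cleartext-Password configured. Cannot create
    # NT-Password" followed by "FAILED: No NT/LM-Password. Cannot perform authentication".
    return ("reject", None)

# Constructed examples: an LDAP entry with only a salted hash, versus one with a usable password.
LDAP_SSHA_ONLY = {"userPassword": "{SSHA}c29tZS1jb25zdHJ1Y3RlZC1iYXNlNjQtc2FsdGVkLWhhc2g="}
LDAP_WITH_CLEARTEXT = {"Cleartext-Password": "password"}

if __name__ == "__main__":
    print(mschap_password_source(LDAP_SSHA_ONLY))       # ('reject', None)
    print(mschap_password_source(LDAP_WITH_CLEARTEXT))  # ('Cleartext-Password', b'...')
```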
