Freeradius with LDAP, PEAP MSCHAPv2
Alan DeKok
aland at deployingradius.com
Wed Mar 28 15:15:46 CEST 2018
On Mar 28, 2018, at 9:07 AM, Robert Plestenjak <robert.plestenjak at xlab.si> wrote:
> I'm trying to set up authentication over PEAP-MSCHAPv2. In LDAP I have NTLM-hashed passwords.
> Version is 3.0.13 from CentOS 7 repository.
>
> Testing with radtest is successful:

We don't need to see the output of radtest. See http://wiki.freeradius.org/list-help

> When I test with Wifi (Cisco Meraki), it fails:

Reading the debug output helps. As the Wiki page shows, look for ERROR or WARNING. It's that simple.

> ...
> (18) ldap: Performing search in "dc=xlab,dc=si" with filter "(uid=robert_plestenjak)", scope "sub"
> (18) ldap: Waiting for search result...
> (18) ldap: User object found at DN "cn=Robert Plestenjak,ou=people,ou=xlab-research,dc=xlab,dc=si"
> (18) ldap: Processing user attributes
> (18) ldap: control:Password-With-Header += 'XXX'

Which should be your "known good" password.

I presume you've read the debug output enough to see the password and edit it. Why not keep reading it?

> ...
> (18) mschap: Found Cleartext-Password, hashing to create NT-Password
> (18) mschap: Found Cleartext-Password, hashing to create LM-Password
> (18) mschap: Creating challenge hash with username: robert_plestenjak
> (18) mschap: Client is using MS-CHAPv2
> (18) mschap: ERROR: MS-CHAP2-Response is incorrect

That's pretty clear.

You entered the wrong password on the client.

Alan DeKok.
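
The advice in the message above (look for ERROR or WARNING in the debug output) can be scripted. The following is an added example, not part of the original message or of FreeRADIUS: it pulls each ERROR/WARNING line out of debug output together with the last few lines of the same request. The line format is assumed from the lines quoted above, and `triage` and `SAMPLE` are names made up for this sketch.

```python
import re

# Debug lines quoted in the message above, plus one constructed line for
# request 17 to show that other requests are kept out of the context.
SAMPLE = """\
(17) example: constructed line belonging to a different request
> (18) ldap: Processing user attributes
> (18) ldap: control:Password-With-Header += 'XXX'
> (18) mschap: Found Cleartext-Password, hashing to create NT-Password
> (18) mschap: Found Cleartext-Password, hashing to create LM-Password
> (18) mschap: Creating challenge hash with username: robert_plestenjak
> (18) mschap: Client is using MS-CHAPv2
> (18) mschap: ERROR: MS-CHAP2-Response is incorrect
"""

# "(request) [module: ][ERROR|WARNING: ]message" (format assumed from the page).
LINE = re.compile(
    r"^\((?P<req>\d+)\)\s+"
    r"(?:(?!ERROR|WARNING)(?P<module>[\w.-]+):\s+)?"
    r"(?:(?P<level>ERROR|WARNING):\s+)?(?P<msg>.*)$")

def triage(debug_text, context=3):
    """Return one finding per ERROR/WARNING line, each with up to `context`
    preceding messages from the same request number."""
    history = {}    # request number -> [(module, message), ...] seen so far
    findings = []
    for raw in debug_text.splitlines():
        # Accept output pasted from a mail reply: drop "> " quote markers.
        m = LINE.match(raw.lstrip("> ").rstrip())
        if not m:
            continue  # banners, blank lines, anything without a request id
        req = int(m["req"])
        seen = history.setdefault(req, [])
        if m["level"]:
            findings.append({
                "request": req, "module": m["module"],
                "level": m["level"], "message": m["msg"],
                "before": seen[-context:] if context else [],
            })
        seen.append((m["module"], m["msg"]))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"request {f['request']} {f['module']} {f['level']}: {f['message']}")
        for module, msg in f["before"]:
            print(f"    earlier: {module}: {msg}")
```

Run against a saved `radiusd -X` capture, this prints each failing request with the lines that led up to it, such as which password attribute the module found before it rejected the response.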