Freeradius with LDAP, PEAP MSCHAPv2
Robert Plestenjak
robert.plestenjak at xlab.si
Thu Mar 29 09:51:15 CEST 2018
In LDAP I have LM-hashed passwords (LM-Password) and radtest with the PAP auth method is successful, but when I switch to MSCHAP it fails.
So the problem is probably that clients (radtest, ...) send NTLM hashes (NT-Password)?
On Mar 28, 2018, at 9:07 AM, Robert Plestenjak <robert.plestenjak at xlab.si> wrote:
> I'm trying to set up authentication over PEAP-MSCHAPv2. In LDAP I have NTLM-hashed passwords
> Version is 3.0.13 from CentOS 7 repository.
>
> Testing with radtest is successful:
We don't need to see the output of radtest. See http://wiki.freeradius.org/list-help
> When I test with Wifi (Cisco Meraki), it fails:
Reading the debug output helps. As the Wiki page shows, look for ERROR or WARNING. It's that simple.
> ...
> (18) ldap: Performing search in "dc=xlab,dc=si" with filter "(uid=robert_plestenjak)", scope "sub"
> (18) ldap: Waiting for search result...
> (18) ldap: User object found at DN "cn=Robert Plestenjak,ou=people,ou=xlab-research,dc=xlab,dc=si"
> (18) ldap: Processing user attributes
> (18) ldap: control:Password-With-Header += 'XXX'
Which should be your "known good" password.
I presume you've read the debug output enough to see the password and edit it. Why not keep reading it?
> ...
> (18) mschap: Found Cleartext-Password, hashing to create NT-Password
> (18) mschap: Found Cleartext-Password, hashing to create LM-Password
> (18) mschap: Creating challenge hash with username: robert_plestenjak
> (18) mschap: Client is using MS-CHAPv2
> (18) mschap: ERROR: MS-CHAP2-Response is incorrect
That's pretty clear.
You entered the wrong password on the client.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
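The thread turns on which stored password form the mschap module can use. The following added example (not code from this thread or from FreeRADIUS) implements the two MS-CHAPv2 building blocks from RFC 2759 that the debug output above refers to: NtPasswordHash (MD4 over the UTF-16LE password, which is what "hashing to create NT-Password" does) and ChallengeHash (the "Creating challenge hash with username" line). MD4 is implemented inline because hashlib's md4 is frequently disabled. The final DES-based ChallengeResponse step is deliberately omitted. The point it makes: the NT-Response depends only on the NT hash and the challenge hash, so an LDAP entry that carries only an LM-Password gives the server nothing it can check for MS-CHAPv2. The username and password values in the main block are the RFC 2759 test vectors; the domain-stripping behaviour mirrors what the FreeRADIUS debug line shows and is an assumption of this example.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); inline because hashlib's 'md4' is often disabled."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = h
        for i in range(16):  # round 1: F(x,y,z) = (x & y) | (~x & z)
            a = _rotl((a + ((b & c) | (~b & d)) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G = majority, word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999) & MASK32,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H = xor
            a = _rotl((a + (b ^ c ^ d) + X[r3_order[i]] + 0x6ED9EBA1) & MASK32,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 section 8.3): MD4 over the UTF-16LE password.
    This is the value FreeRADIUS stores in NT-Password; the LM hash is a
    different function (DES over the upper-cased OEM password) and is not
    used anywhere in MS-CHAPv2."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (RFC 2759 section 8.2): SHA1(peer || authenticator || user)[:8].
    Assumption of this example: a leading DOMAIN\\ prefix is stripped, matching
    the bare username shown in the 'Creating challenge hash' debug line."""
    user = username.split("\\")[-1]
    return hashlib.sha1(peer_challenge + auth_challenge + user.encode("utf-8")).digest()[:8]


def mschapv2_inputs(username: str, password: str, peer_challenge: bytes, auth_challenge: bytes):
    """Return the two inputs the NT-Response is derived from (challenge, NT hash).
    The DES ChallengeResponse step that turns these into the 24-byte NT-Response
    is left out here; nothing else feeds into it."""
    return challenge_hash(peer_challenge, auth_challenge, username), nt_password_hash(password)


if __name__ == "__main__":
    # RFC 2759 section 9.2 test vectors (not values from this thread)
    auth_chal = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    peer_chal = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    chal, nt_hash = mschapv2_inputs("User", "clientPass", peer_chal, auth_chal)
    print("Challenge      :", chal.hex())      # d02e4386bce91226
    print("NtPasswordHash :", nt_hash.hex())   # 44ebba8d5312b8d611474411f56989ae
```

Run with a real entry and compare `nt_password_hash(...)` with the NT-Password attribute you store: if the directory only holds LM-Password, there is no attribute the mschap module can reconcile with the client's NT-Response, and the server has to fall back to Cleartext-Password (which the debug output above shows it doing) or to a stored NT-Password.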