Cannot connect with EAP-TTLS + MS-CHAPv2. if you'd kindly teach me.

Yuya Yanagi peacefull64 at gmail.com
Tue Aug 13 05:31:39 CEST 2019


Hi Alan

After correcting as pointed out, it worked. Thank you very much!

The problem is why you need the authentication section of the [pap] module.
It was commented out due to the specification condition that pap was not used
in the pre-replacement environment.

Was that originally necessary to "correct" various passwords?

Please tell me.

On Tue, Aug 13, 2019 at 11:57, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Aug 12, 2019, at 10:43 PM, Yuya Yanagi <peacefull64 at gmail.com> wrote:
> >
> > I understood the pointed out contents and deleted . I'm sorry for bothering you.
> > When you run it again, you will be told that there is no NT / LM
> > password. Where should I look next?
>
>   You edited the default configuration and broke it.  Don't do that.
>
>   You have a very complex configuration.  You've clearly built it without doing much in the way of testing.  That's wrong.
>
> > (6) ldap_regularusers: control:NT-Password :=
> > 0x4243353030433041363439353842434531393638383936303344464645343530
>
>   As I said earlier, that *is* the NT password.
>
> > (6) ldap_regularusers: control:User-Password :=
> > 'BC500C0A64958BCE196889603DFFE450'
> > (6) ldap_regularusers: control:Password-With-Header :=
> > '{SSHA256}Q1iLz8Pc/mkXU/hniRsu3/rpWKOVdjAU/4t2iLynZqdIPFIYPW0elA=='
> > rlm_ldap (ldap_regularusers): Released connection (0)
> > (6)           [ldap_regularusers] = updated
> > (6)         } # if (&outer.request:Called-Station-SSID == 'BLUE')   = updated
> > (6)       } # if (&outer.request:NAS-IP-Address =~
> > /^192\.168\.10\.1[2]{1}$/ || &outer.request:NAS-IP-Address ==
> > "192.168.200.240" || &outer.request:NAS-IP-Address == "localhost")  =
> > updated
> > (6)       [expiration] = noop
> > (6)       [logintime] = noop
> > (6)     } # authorize = updated
>
>   Note that there is no "pap" module.  The "pap" module is used in the default configuration.  It is placed last in the "authorize" section so that it can "fix" the various passwords.
>
>   Put the "pap" module back, as the last entry in the "authorize" section.
>
> > (6) mschap: WARNING: NT-Password has not been normalized by the 'pap'
> > module (likely still in hex format).  Authentication may fail
>
>   Again, that is pretty clear.  The "pap" module should be fixing the NT-Password.  Since you *deleted* the PAP module, it is NOT fixing the NT-Password.
>
>   The solution is to NOT delete the "pap" module.
>
>   It's hard to make these error messages any easier to understand.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
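
What "normalized" means for the NT-Password in the debug output above, as an added example that is not part of the original thread and is not FreeRADIUS code: the logged octets are the ASCII text of a hex string (32 bytes), while MS-CHAP needs the 16 raw bytes of the hash. The function names and the decode order (binary, then hex, then base64) are assumptions made for illustration.

```python
import base64
import binascii
import string

NT_HASH_LEN = 16  # an NT hash is an MD4 digest: 16 raw bytes

# Value copied from the "control:NT-Password :=" line in the debug output above.
LOGGED_NT_PASSWORD = (
    "0x4243353030433041363439353842434531393638383936303344464645343530"
)


def octets_from_log(value: str) -> bytes:
    """Turn the '0x...' octets notation printed in debug output into bytes."""
    if not value.startswith("0x"):
        raise ValueError("expected a 0x-prefixed octets value")
    return binascii.unhexlify(value[2:])


def normalize_nt_password(raw: bytes) -> bytes:
    """Return the 16-byte binary NT hash, decoding hex or base64 text if needed."""
    if len(raw) == NT_HASH_LEN:
        return raw  # already binary, nothing to do
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("NT-Password is neither binary nor an ASCII encoding")
    # Directory attributes often store the hash as 32 hex characters.
    if len(text) == 2 * NT_HASH_LEN and all(c in string.hexdigits for c in text):
        return binascii.unhexlify(text)
    # Some directories store it base64-encoded instead.
    try:
        decoded = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        decoded = b""
    if len(decoded) == NT_HASH_LEN:
        return decoded
    raise ValueError("NT-Password cannot be reduced to a 16-byte hash")


if __name__ == "__main__":
    stored = octets_from_log(LOGGED_NT_PASSWORD)
    print(len(stored), stored)                   # what the LDAP module handed over
    fixed = normalize_nt_password(stored)
    print(len(fixed), fixed.hex().upper())       # what MS-CHAP can actually use
```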


