Problem with MSCHAP when migrating from freeradius2 to freeradius3

Alan DeKok aland at deployingradius.com
Mon Feb 4 13:17:12 CET 2019


On Feb 4, 2019, at 4:22 AM, koehne <koehne at mdw.ac.at> wrote:
> I´ve now spent so much time on troubleshooting, testing and searching for hints in the internet, I hope someone here from this mailing-list can support me.
> 
> We are using freeradius to authenticate CLI-Access to Network-Devices, VPN-Access and WLAN-Access. As User-Database we are using Novell eDirectory via LDAP.
> I want to migrate from freeradius2 to freeradius3 on a new server.
> I´ve allready succeeded with migrating Network-CLI- and VPN-Access, however WLAN-Access is not working.
> 
> These are the significant messages from the DEBUG saying "*mschap: No Cleartext-Password configured*".

  Which should be clear.  The server is unable to get the Cleartext-Password from LDAP.  As such, it can't do MS-CHAP.

> Enclosed is a full debug.

> radius3:/etc/raddb/sites-enabled # radiusd -XX
> ...

 There *is* documentation saying what we need.  And it says DO run "radius -X".  And DON'T run anything else.


> I´ve compared "old" and "new" configuration of the relevant modules several times and adapted the necessary changes in the configuration from freeradius2 to freeradius3.
> 
> Here are the configs of the virtual-server and the ldap module:

  The documentation also says DON'T post config files.

  If you want to fix computer things, it helps to read the documentation.

  If you *read* the debug output, the message about Cleartext-Password is from the "inner-tunnel" virtual server.  So ... go fix that.

  Read what you've done to the "inner-tunnel" virtual server, and ask yourself: "Where is Cleartext-Password supposed to be coming from?"

  There's a reason the documentation says "make small changes to the config files and test them".  In this case, you've done huge edits to "inner-tunnel", and broken it.

  And the above comments about reading the docs are *not* just me being an asshole.  The *entire set of config files* you posted to the list was unrelated to the problem.  So posting them is useless.  Which is why we don't ask for them.  And the bizarre fascination by many people with running "radiusd -Xxxxxxx" is just confusing to me.

  Alan DeKok.




More information about the Freeradius-Users mailing list