Ms-Chap + NT-Password
Alan DeKok
aland at deployingradius.com
Tue Jan 8 19:05:28 CET 2019
On Jan 8, 2019, at 11:07 AM, Anton Kiryushkin <swood at fotofor.biz> wrote:
> Now I have read the documentation, but I still don't understand why the server
> chooses one method instead of the others (I've read about attempts predict).
In most cases, the *client* chooses the authentication method. The server is just configured to allow many different methods.
> So,
> I have the following config file and I am trying to understand why it isn't working:
> (Unfortunately, I don't understand the reason why it works for
> mschapv2 and doesn't work for eap)
Read the debug log for MSCHAPv2, and see how it's different from EAP.
> (291) eap: Peer sent packet with method EAP MD5 (4)
> (291) eap: Calling submodule eap_md5 to process data
> (291) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication
> (291) eap: ERROR: Failed continuing EAP MD5 (4) session. EAP sub-module failed
> (291) eap: Sending EAP Failure (code 4) ID 8 length 4
> (291) eap: Failed in EAP select
> (291) [eap] = invalid
> (291) } # authenticate = invalid
> (291) Failed to authenticate the user
> (291) Using Post-Auth-Type Reject
> (291) Post-Auth-Type sub-section not found. Ignoring.
>
> My question is why this client can't log in? I have the correct md5-hash in a
> database, which was added like "0x06d9ded822ff50138cda74ee2e771082".
The debug log *tells you* why it doesn't work. See the text just above. It tells you what's going wrong, and what the server needs.
> The second question is whether I have a possibility to check which module was
> used: eap or mschap. I want to use the correct hash from the database in case
> the mschapv2 module has been called.
Your best bet is to just use Cleartext-Password, and let the server figure out what to do.
Alan DeKok.
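
Why the `eap_md5` error in the quoted log asks for Cleartext-Password, as an added example that is not part of the original post and not FreeRADIUS code: EAP-MD5 uses the CHAP computation from RFC 1994, so the server has to recompute a digest over the same secret the peer used, and a stored hash of the password is a different secret. The password, identifier value and function names below are constructed for illustration.

```python
import hashlib
import hmac
import os


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_check_eap_md5(identifier: int, stored_secret: bytes,
                         challenge: bytes, response: bytes) -> bool:
    # The server never sees the password, only the digest, so it must
    # recompute the digest from whatever credential it has stored.
    expected = eap_md5_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def server_check_pap(stored_md5: bytes, password_from_client: bytes) -> bool:
    # PAP delivers the password itself, so the server can hash what it
    # received and compare against a stored MD5 hash.
    received = hashlib.md5(password_from_client).digest()
    return hmac.compare_digest(received, stored_md5)


def demo() -> dict:
    password = b"constructed-example-password"   # constructed, not from the post
    stored_md5 = hashlib.md5(password).digest()  # what a hashed-password column holds
    identifier = 8                               # constructed EAP identifier
    challenge = os.urandom(16)                   # server-generated challenge

    # Peer side: computed from the cleartext password the user typed.
    response = eap_md5_response(identifier, password, challenge)

    return {
        "eap_md5_with_cleartext": server_check_eap_md5(
            identifier, password, challenge, response),
        "eap_md5_with_md5_hash": server_check_eap_md5(
            identifier, stored_md5, challenge, response),
        "pap_with_md5_hash": server_check_pap(stored_md5, password),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```
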