Radius 3 EAP (PEAP) mschapv2 connection problem

Alan DeKok aland at deployingradius.com
Thu Jun 4 14:49:01 CEST 2020


On Jun 4, 2020, at 3:47 AM, Anatoly Oreshkin <anatoly.oreshkin at gmail.com> wrote:
> 
> I provide debug log for session 72, please see below.
> 
> I've found the reason of failed authentication when connecting through AP
> 192.168.14.247.
> Compare request format from AP 192.168.14.241 with one from AP
> 192.168.14.247.

  That's good.  That's why we have debug output.  It can be huge and complex, but it usually gives the answers you need.
> 
> In the request format from AP 192.168.14.247, this line is present:
> (72)   Framed-Protocol = PPP
> 
> Users login and password are kept in the file /etc/raddb/users
> Default user in /etc/raddb/users is specified as follows:
> DEFAULT        Framed-Protocol == PPP
>      Framed-Protocol = PPP,
>       Framed-Compression = Van-Jacobson-TCP-IP
> 
> So radius selects DEFAULT user instead of my user name and hence
> (72) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> NT-Password

  Likely because you added the user at the *end* of the users file.  That's why the documentation says to add it at the beginning.

> In Radius 2 as DEFAULT user it was specified
> DEFAULT Auth-Type = System
>        Fall-Through = 1
> so authentication worked.

  "Auth-type System" is "authenticate users from /etc/passwd", which is NOT compatible with MS-CHAP.

  v2 worked because the "users" file entry for that user was in a different place, and it didn't match the DEFAULT entry.

> In Radius 3 there is no " Auth-Type = System" so I've left DEFAULT which
> was in /etc/raddb/users
> At least I didn't find a suitable DEFAULT from the list in /etc/raddb/users
> Maybe you can suggest a DEFAULT user?

  I have no idea what that means.

  The DEFAULTs are there to handle some common cases.  If you don't need those DEFAULTs, delete them.

> Now I've commented out DEFAULT in /etc/raddb/users and authentication
> through AP 192.168.14.297 succeeded.

  Good to hear.

  Alan DeKok.
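
Added example, not part of the original message and not FreeRADIUS code: a simplified Python model of top-to-bottom, first-match processing of the users file, showing why a DEFAULT entry with "Framed-Protocol == PPP" placed before the user's entry leaves mschap without a Cleartext-Password. The user name alice, the password value and the two request dictionaries are constructed for illustration.

```python
# Simplified model of "users" file processing (illustration only, not FreeRADIUS code).
# Entry = (name, check items compared with ==, control items set with :=, reply items).
DEFAULT_PPP = ("DEFAULT", {"Framed-Protocol": "PPP"}, {},
               {"Framed-Protocol": "PPP", "Framed-Compression": "Van-Jacobson-TCP-IP"})
USER = ("alice", {}, {"Cleartext-Password": "constructed-secret"}, {})  # constructed user

# Constructed inner-tunnel requests: one AP sends Framed-Protocol, the other does not.
REQ_WITH_PPP = {"User-Name": "alice", "Framed-Protocol": "PPP"}
REQ_PLAIN = {"User-Name": "alice"}

def authorize(entries, request):
    """Walk the entries top to bottom and return the (control, reply) lists."""
    control, reply = {}, {}
    for name, checks, assigns, replies in entries:
        if name not in ("DEFAULT", request.get("User-Name")):
            continue  # entry is for another user
        if any(request.get(attr) != want for attr, want in checks.items()):
            continue  # a == check item did not match the request
        control.update(assigns)
        reply.update({k: v for k, v in replies.items() if k != "Fall-Through"})
        if replies.get("Fall-Through") != "Yes":
            break  # first match wins unless the entry asks to fall through
    return control, reply

def mschap_has_password(control):
    """mschap needs a known-good password in the control list."""
    return "Cleartext-Password" in control or "NT-Password" in control

def run_cases():
    cases = {
        "DEFAULT first, request with PPP": ([DEFAULT_PPP, USER], REQ_WITH_PPP),
        "DEFAULT first, request without PPP": ([DEFAULT_PPP, USER], REQ_PLAIN),
        "user first, request with PPP": ([USER, DEFAULT_PPP], REQ_WITH_PPP),
    }
    return {label: mschap_has_password(authorize(entries, req)[0])
            for label, (entries, req) in cases.items()}

if __name__ == "__main__":
    for label, ok in run_cases().items():
        print(f"{label}: {'password found' if ok else 'no password, MS-CHAP fails'}")
```

Only the first case fails, which matches the symptom in the thread: the same user authenticates through one AP and not the other until the DEFAULT entry is removed or the user entry is moved above it.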



