How to Integrate NAS MSCHAP x FreeRadius
Paulo Roberto Tomasi
pztomasi at gmail.com
Wed Jul 14 23:40:56 CEST 2021
Hi,
I'm trying to configure FreeRadius to control Mikrotik logins (Winbox, SSH,
Telnet, etc.) plus integration with Windows Active Directory.
After a lot of searching about the LDAP config I was able to get an
Access-Accept from the AD server using radtest:
root@lab-01:~# radtest -x paulo pass@777 127.0.0.1 0 testing123
Sent Access-Request Id 45 from 0.0.0.0:44663 to 127.0.0.1:1812 length 75
User-Name = "paulo"
User-Password = "pass@777"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "pass@777"
Received Access-Accept Id 45 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
User-Name "paulo" is an AD user
#
My NAS (Mikrotik) is trying to authenticate against FreeRadius, but it
sends an MS-CHAP-Challenge, as its logs show:
sending Access-Request with id 23 to 172.x.x.70:1812
Signature = 0x00fbf419a1a52d28f3b7479a72eeda9c
Service-Type = 1
User-Name = "paulo"
MS-CHAP-Challenge = 0x728c84707e975a66640bfd9bd4d2ed98
MS-CHAP2-Response = 0x00004b64c3ae410e919c1adaf9ab1ea6
cf8700000000000000000cc476370d07
263c4c707bfb1e9cf52ac40b5ea6d6eb
230d
Calling-Station-Id = "10.x.x.253"
NAS-Identifier = "Mikrotik-1218"
NAS-IP-Address = 172.16.12.18
#
Then the freeradius -X command gives me these warnings and errors:
(0) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password
is available
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
(0) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
#
What are those lines trying to say?
I didn't find any hints after hours of searching.
Thank you!
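The warnings above are the mschap module saying it has nothing to compare the MS-CHAP2-Response against: an LDAP bind can only confirm a cleartext password, while MS-CHAPv2 needs either the NT hash or a domain controller that verifies the challenge/response on the server's behalf. The usual way to get that from AD is to point mschap at Samba's ntlm_auth on a host joined to the domain. This is an added example, not configuration from the post; the domain name EXAMPLE and the ntlm_auth path are assumed placeholders.

```conf
# mods-available/mschap (added example; adjust the path and EXAMPLE to your domain)
mschap {
	# Strip a leading DOMAIN\ from User-Name before it is passed on
	with_ntdomain_hack = yes

	# Hand the 16-byte challenge and the 24-byte NT-Response to winbind
	# via ntlm_auth. The domain controller verifies them, so FreeRADIUS
	# never needs an NT hash or cleartext password of its own.
	# --request-nt-key returns the key material mschap uses for MPPE.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Before touching FreeRADIUS, confirm that ntlm_auth itself returns NT_STATUS_OK when run from the shell as the FreeRADIUS service user (`ntlm_auth --username=paulo --domain=EXAMPLE`, which prompts for the password), and give that user access to winbind's privileged pipe directory (on Debian-based systems via the winbindd_priv group); without that, every MS-CHAP request keeps failing with the same "No NT/LM-Password" error.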