ERROR: FAILED: No NT-Password. Cannot perform authentication

[Alan DeKok]

On Dec 19, 2023, at 10:41 PM, Chevy Innis via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I have Aruba APs, FreeRADIUS, and 389 directory server for LDAP. From what I can gather from the debug output and my own research, I can see that the client (Aruba AP) is trying to use EAP-MSCHAPv2 for authentication, 

  Nope.

 The Aruba AP is *forwarding* PEAP from the users machine to the RADIUS server.  The AP doesn't create PEAP, or EAP-MSCHAPv2.

> which is not compatible with the SSHA2-512 stored passwords in our LDAP server.

  Yes.

> The solution I have seen for this is to either change the password storage format, or change the authentication method, preferably the later.

  Configure the end user device to use TTLS+PAP.  It's the most secure option.

https://networkradius.com/articles/2022/04/11/is-pap-secure.html

>  Aruba APs are compatible with a number of eap authentication methods

  No.  The APs don't implement EAP methods.  They just forward EAP from the end user device to the RADIUS server.

> that should work with SSHA2-512 passwords, but there is no way to define this on the controller, so I think this has to be done on the radius server. 

  No.  It has to be done on the end user device.

  It can't be done on the controller because the controller doesn't implement EAP.

  It can't be done on FreeRADIUS, because EAP doesn't provide enough negotiation.  FreeRADIUS has a very limited ability to do anything.

> Let me know if I am on the right track. If this assumption is correct, how do I manually define the authentication method on freeradius? Or if I am totally wrong and misguided, a point in the right direction will be greatly appreciated.

1) configure the end user device to use TTLS + PAP

2) store clear-text passwords in the database.

  I'd choose (1) 99.999% of the time.

  Alan DeKok.