ERROR: FAILED: No NT-Password. Cannot perform authentication
Chevy Innis
chevy.innis at splithorizon.com.au
Wed Dec 20 07:47:38 UTC 2023
Hi Alan,
Thanks for the quick response! This is making a lot more sense to me now; this is great learning.
> Configure the end user device to use TTLS+PAP. It's the most secure option
Is this the only option or just the most secure? I assume any auth type that is compatible with SSHA2-512 should be ok?
I will continue testing but at least I am on the right track now.
Thank you
From: Freeradius-Users <freeradius-users-bounces+chevy.innis=splithorizon.com.au at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Sent: 20 December 2023 12:01
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: ERROR: FAILED: No NT-Password. Cannot perform authentication
On Dec 19, 2023, at 10:41 PM, Chevy Innis via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I have Aruba APs, FreeRADIUS, and 389 directory server for LDAP. From what I can gather from the debug output and my own research, I can see that the client (Aruba AP) is trying to use EAP-MSCHAPv2 for authentication,
Nope.
The Aruba AP is *forwarding* PEAP from the users machine to the RADIUS server. The AP doesn't create PEAP, or EAP-MSCHAPv2.
> which is not compatible with the SSHA2-512 stored passwords in our LDAP server.
Yes.
> The solution I have seen for this is to either change the password storage format, or change the authentication method, preferably the latter.
Configure the end user device to use TTLS+PAP. It's the most secure option.
https://networkradius.com/articles/2022/04/11/is-pap-secure.html
> Aruba APs are compatible with a number of eap authentication methods
No. The APs don't implement EAP methods. They just forward EAP from the end user device to the RADIUS server.
> that should work with SSHA2-512 passwords, but there is no way to define this on the controller, so I think this has to be done on the radius server.
No. It has to be done on the end user device.
It can't be done on the controller because the controller doesn't implement EAP.
It can't be done on FreeRADIUS, because EAP doesn't provide enough negotiation. FreeRADIUS has a very limited ability to do anything.
> Let me know if I am on the right track. If this assumption is correct, how do I manually define the authentication method on freeradius? Or if I am totally wrong and misguided, a point in the right direction will be greatly appreciated.
1) configure the end user device to use TTLS + PAP
2) store clear-text passwords in the database.
I'd choose (1) 99.999% of the time.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
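The following is an added illustration of the point Alan makes in the thread; it is not FreeRADIUS or 389 DS code. It shows why the server can check a TTLS+PAP password against a salted SHA-512 LDAP value but cannot produce the NT-Password that EAP-MSCHAPv2 needs from that same value. It assumes the 389 DS layout for such values, "{SSHA512}" followed by base64(sha512(password + salt) + salt) with the salt stored after the 64-byte digest; the function names, the "{CLEAR}" handling and the sample passwords are this example's own.

```python
"""Why TTLS+PAP works against {SSHA512} LDAP passwords and EAP-MSCHAPv2 does not.

Added example for the thread above (not FreeRADIUS or 389 DS code). Assumed
storage layout: "{SSHA512}" + base64(sha512(pw + salt) + salt), salt trailing.
"""
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

SHA512_LEN = 64


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Included only because MD4 is missing from
    hashlib on many OpenSSL 3 builds; it is what the NT hash is built on."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    st = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = st[:]
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                p = (-i) % 4  # the roles a, b, c, d rotate one slot per step
                a, b, c, d = s[p], s[(p + 1) % 4], s[(p + 2) % 4], s[(p + 3) % 4]
                s[p] = rotl((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
        st = [(u + v) & mask for u, v in zip(st, s)]
    return struct.pack("<4I", *st)


def nt_password(password: str) -> bytes:
    """NT-Password as MS-CHAPv2 consumes it: MD4 over the UTF-16LE password.
    Note the input is the clear-text password; nothing else will do."""
    return _md4(password.encode("utf-16-le"))


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA512} value in the assumed 389 DS layout (8-byte random salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap(password: str, stored: str) -> bool:
    """TTLS+PAP: the inner tunnel hands the server the clear-text password, so
    it can re-derive the salted digest and compare it in constant time."""
    if not stored.upper().startswith("{SSHA512}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA512}"):])
    if len(blob) <= SHA512_LEN:
        return False  # no salt present: malformed value
    digest, salt = blob[:SHA512_LEN], blob[SHA512_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def nt_password_for_mschapv2(stored: str) -> Optional[bytes]:
    """MS-CHAPv2 needs the NT hash. A clear-text entry (option 2 in the thread)
    yields one; a salted SHA-512 digest cannot be turned into one, which is the
    situation behind the "No NT-Password" error in the subject line."""
    if stored.startswith("{"):
        scheme = stored[1:stored.index("}")].upper()
        if scheme != "CLEAR":
            return None
        stored = stored[stored.index("}") + 1:]
    return nt_password(stored)


if __name__ == "__main__":
    entry = ssha512_hash("correct horse")  # constructed sample entry
    print("PAP check:", verify_pap("correct horse", entry))
    print("NT-Password from {SSHA512}:", nt_password_for_mschapv2(entry))
```

Running it prints `True` for the PAP check and `None` for the NT-Password derivation, which is the whole asymmetry: with the clear-text password in hand the server can validate any stored hash format, while MS-CHAPv2 only ever gives the server a challenge response that must be checked against an NT hash it already holds.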