On Thu, Jun 30, 2011 at 9:00 AM, sgilmour <[email protected]> wrote:
> Thanks for the reply here is my debug log
> Looks like it is failing here.
>
> Tue Jun 21 09:35:28 2011 : Info: [mschap] No Cleartext-Password configured.
> Cannot create LM-Password.
> Tue Jun 21 09:35:28 2011 : Info: [mschap] No Cleartext-Password configured.
> Cannot create NT-Password.
> Tue Jun 21 09:35:28 2011 : Info: [mschap] NT Domain delimeter found,
> should we have enabled with_ntdomain_hack?
> Tue Jun 21 09:35:28 2011 : Info: [mschap] Told to do MS-CHAPv2 for
> SQA\Administrator with NT-Password
> Tue Jun 21 09:35:28 2011 : Info: [mschap] FAILED: No NT/LM-Password. Cannot
> perform authentication.
> Tue Jun 21 09:35:28 2011 : Info: [mschap] FAILED: MS-CHAP2-Response is
> incorrect
> Tue Jun 21 09:35:28 2011 : Info: ++[mschap] returns reject
> Tue Jun 21 09:35:28 2011 : Info: [eap] Freeing handler
> Tue Jun 21 09:35:28 2011 : Info: ++[eap] returns reject

Are you using the users file? From

[files] users: Matched entry SQA\Administrator at line 93

it seems that you are. If that's the case then it's simple. The lines

Tue Jun 21 09:35:28 2011 : Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password.
Tue Jun 21 09:35:28 2011 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password.

said it all. You need either a clear-text password, or NT-Password in the users file. Here's an example in my setup (the mail client might wrap it, but it's all in one line):

testuser NT-Password := "35CCBA9168B1D5CA6093B4B7D56C619B", LM-Password := "3AE6CCCE2A2A253F93E28745B8BF4BA6"

or

testuser Cleartext-Password := "testpass"

The first example should be able to handle pap and mschap, and is encrypted, but it won't work if you use EAP-MD5 (which needs cleartext-password). The second example should be able to handle any authentication method, but some might say it's a security risk since the password is stored as clear text.

NT and LM passwords can be created using the tool smbencrypt (part of the freeradius-utils package):

# smbencrypt testpass
LM Hash                          NT Hash
-------------------------------- --------------------------------
3AE6CCCE2A2A253F93E28745B8BF4BA6 35CCBA9168B1D5CA6093B4B7D56C619B

> root@Ubuntu-FreeRadius:/etc/freeradius# freeradius -X -X -X

freeradius -X is enough, no need for extra Xs. It makes it harder to read.

> Tue Jun 21 13:06:55 2011 : Info: FreeRADIUS Version 2.1.8, for host
> i486-pc-linux-gnu, built on Jan 5 2010 at 02:49:11

You don't mention which OS you use. Debian and Ubuntu both have 2.1.10. There was a post on this list where someone was having a problem with an older freeradius server even when he has both NT-Password and LM-Password stored in LDAP, so if you've provided those two passwords but are still unable to authenticate with mschap, try upgrading.

--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

