ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server

2009-07-03 Thread Clement Ogedengbe
Can someone please help provide a clue into the problems with using ntlm_auth
in a Freeradius config running on Debian.

The user/password information is held in the LDAP server.  I have been able
to authenticate successfully with packets coming from non-EAP clients.  But
for EAP authentication clients, I have been receiving the following error
lines.  (I am using ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} to call the LDAP server.)

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
[mschap] WARNING: Deprecated conditional expansion :-.  See man unlang for details
[mschap] WARNING: Deprecated conditional expansion :-.  See man unlang for details
[mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=otha1_00
[mschap]  mschap2: 18
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=b06bae6a129ec4e7
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=c0bec1a04bdd9fb489ef30a2bc22e5806405493ac2038167
Exec-Program output: Invalid handle (0xc008)
Exec-Program-Wait: plaintext: Invalid handle (0xc008)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
	MS-CHAP-Error = \026E=691 R=1
	EAP-Message = 0x04160004
	Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = \026E=691 R=1
	EAP-Message = 0x04160004
	Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.

Clement

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server

2009-07-03 Thread Ivan Kalik
> The user/password information is held in the LDAP server.  I have been able
> to authenticate successfully with packets coming from non-EAP clients.  But
> for EAP authentication clients, I have been receiving the following error
> lines.  (I am using ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00} to call the LDAP server.)

ntlm_auth is for Active Directory. Comment out the ntlm_auth line in the mschap
module and it will work as long as you have a clear or NT-hashed password
stored in LDAP.

Ivan Kalik
Kalik Informatika ISP



RE: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server

2009-07-03 Thread Clement Ogedengbe
OK.  I have done that, but it still returned the error below!

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = \010E=691 R=1
EAP-Message = 0x04080004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = \010E=691 R=1
EAP-Message = 0x04080004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE

Clement



Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server

2009-07-03 Thread Nicolas Goutte


On 03.07.2009 at 13:24, Clement Ogedengbe wrote:

> OK.  I have done that, but it still returned the error below!
>
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect


You have either Cleartext-Password or NT-Password defined in your LDAP database, haven't you?



If not, see:
http://deployingradius.com/documents/protocols/compatibility.html

Have a nice day!



Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registration court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
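The point Ivan and Nicolas make above, as an added example (this is not code from the thread, from FreeRADIUS or from Samba): rlm_mschap can only verify an MS-CHAPv2 response if it can get hold of the user's NT hash, either directly (an NT-Password control item, in an LDAP setup typically the Samba sambaNTPassword attribute mapped through ldap.attrmap) or by computing it from Cleartext-Password, which is MD4 over the UTF-16LE encoding of the password. A userPassword stored as {SSHA}, {CRYPT} or another one-way hash, or an LDAP bind, gives the server nothing it can use, which is exactly what "No NT/LM-Password. Cannot perform authentication." reports. The LDAP entries below are constructed sample data, the attribute names follow the common OpenLDAP/Samba schema, and the {scheme} headers are among those rlm_pap recognises; MD4 is implemented inline because hashlib often has it disabled.

```python
# Added example (not code from the thread, FreeRADIUS or Samba).
import struct
from typing import Dict, Optional

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); used instead of hashlib, where MD4 is often disabled."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT-Password as rlm_mschap wants it: upper-case hex of MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le")).hex().upper()


# userPassword header schemes, grouped by what rlm_mschap can do with them.
CLEARTEXT_SCHEMES = {"CLEAR", "CLEARTEXT"}
NT_SCHEMES = {"NT", "X-NTHASH"}
ONE_WAY_SCHEMES = {"CRYPT", "MD5", "SMD5", "SHA", "SSHA", "NS-MTA-MD5"}  # PAP only


def control_items_from_ldap(entry: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Derive the control items rlm_mschap looks for from one LDAP entry.

    Mirrors the debug output in the thread: a Cleartext-Password lets the
    server create NT-Password; with neither, "No NT/LM-Password" follows.
    """
    ctl: Dict[str, Optional[str]] = {"Cleartext-Password": None, "NT-Password": None}

    nt = entry.get("sambaNTPassword")          # Samba schema, mapped via ldap.attrmap
    if nt:
        ctl["NT-Password"] = nt.upper()

    pw = entry.get("userPassword")
    if pw is not None:
        if pw.startswith("{") and "}" in pw:
            scheme, value = pw[1:].split("}", 1)
            scheme = scheme.upper()
            if scheme in CLEARTEXT_SCHEMES:
                ctl["Cleartext-Password"] = value
            elif scheme in NT_SCHEMES:
                ctl["NT-Password"] = value.upper()
            # ONE_WAY_SCHEMES (and anything unknown) yield nothing MS-CHAP can use
        else:
            ctl["Cleartext-Password"] = pw      # unadorned userPassword is cleartext

    if ctl["NT-Password"] is None and ctl["Cleartext-Password"] is not None:
        ctl["NT-Password"] = nt_hash(ctl["Cleartext-Password"])
    return ctl


def mschapv2_possible(entry: Dict[str, str]) -> bool:
    """True only when the server can obtain the NT hash; an LDAP bind never suffices."""
    return control_items_from_ldap(entry)["NT-Password"] is not None


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = {
    "cleartext": {"uid": "otha1_00", "userPassword": "password"},
    "ssha_only": {"uid": "otha1_00", "userPassword": "{SSHA}cGxhY2Vob2xkZXItc2FsdGVkLWhhc2g="},
    "samba": {"uid": "otha1_00", "userPassword": "{SSHA}cGxhY2Vob2xkZXItc2FsdGVkLWhhc2g=",
              "sambaNTPassword": "8846f7eaee8fb117ad06bdd830b7586c"},
}

if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        ctl = control_items_from_ldap(entry)
        print(f"{name:10s} NT-Password={ctl['NT-Password']}  MS-CHAPv2 possible: {mschapv2_possible(entry)}")
```

Running it shows the three cases side by side: the cleartext entry yields an NT-Password computed on the fly, the Samba entry supplies one directly, and the {SSHA}-only entry leaves rlm_mschap with nothing, so the inner-tunnel reject in the thread is the expected outcome until the directory stores a cleartext or NT-hashed password and the ldap module is run in the inner-tunnel authorize section.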





Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server

2009-07-03 Thread A . L . M . Buxey
hi,

is the required config in your inner-tunnel? ie is LDAP defined at all?

alan