Re: [again] Error "[mschap] No Cleartext-Password configured. Cannot create LM-Password."
Holger Wesser wrote:
> I've googled a while and found different solutions for the error
> message: [mschap] No Cleartext-Password configured. Cannot create
> LM-Password.

There's only one solution: give the server a "known good" password. e.g. Cleartext-Password, or NT-Password.

> What I've done is, to establish the following setup: Debian 7.1, Samba3,
> OpenLDAP and freeradius 2.1.12 (everything on the same machine). A VPN
> gateway forwards the authentication requests to the freeradius-server.

PLEASE use "radiusd -X" as suggested everywhere. The additional "-x" is not needed, and is just annoying.

The relevant output is:

[ldap] performing search in dc=example,dc=com, with filter (uid=testuser)
[ldap] Added User-Password = {SSHA}xx in check items

SSHA passwords are fundamentally incompatible with MS-CHAP.

http://deployingradius.com/documents/protocols/compatibility.html

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fw: [mschap] No Cleartext-Password configured. Cannot create LM-Password.
Waking up in 3.4 seconds.
rad_recv: Access-Request packet from host 192.168.30.15 port 46844, id=161, length=192
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 138584
    NAS-Port-Type = Ethernet
    User-Name = "chmielewska_d"
    Calling-Station-Id = "54:E6:FC:E7:EA:E7"
    Called-Station-Id = "witosa3"
    NAS-Port-Id = "ether1"
    MS-CHAP-Challenge = 0x28c98da9117ed73968677b477bfe0adf
    MS-CHAP2-Response = 0x01000de14d8d5551d54ac1898b1baffc01133372483474e6d9ef5302fdc1e3bb081e0f47a844c8258da7
    NAS-Identifier = "witosa3"
    NAS-IP-Address = 192.168.30.15
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "chmielewska_d", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> chmielewska_d
[sql] sql_set_user escaped user --> 'chmielewska_d'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' AND status = '1' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'chmielewska_d' AND status = '1' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'chmielewska_d' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'DaNET 1280' ORDER BY id
[sql] User found in group DaNET 1280
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'DaNET 1280' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: chmielewska_d
[mschap] Client is using MS-CHAPv2 for chmielewska_d, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[sql] expand: %{User-Name} -> chmielewska_d
[sql] sql_set_user escaped user --> 'chmielewska_d'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'chmielewska_d', '', 'Access-Reject', '2013-01-31 14:34:55')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'chmielewska_d', '', 'Access-Reject', '2013-01-31 14:34:55')
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released

this log interested me, chmielewska_d is in database and why:

+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: chmielewska_d
[mschap] Client is using MS-CHAPv2 for chmielewska_d, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

?
Problems with wifi authentication: [mschap] No Cleartext-Password configured...
Hi guys,

I'm having problems with my first radius authentication server for wireless clients. I've made some progress, but now I have problems that I don't know how to solve.

I want to use the NIS user database.

Freeradius version: 2.1.1, compiled from source on mandriva 2008.1 (yes, I don't like mandriva, but I have to use it)

With radtest, I can already authenticate with users located in /etc/raddb/users/, /etc/passwd and NIS users:

Example:

[EMAIL PROTECTED]:~$ radtest leonardo lalala 172.16.0.2 0 xpto
Sending Access-Request of id 65 to 172.16.0.2 port 1812
    User-Name = "leonardo"
    User-Password = "radius1234"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=65, length=20

[EMAIL PROTECTED]:~$ radtest usuario1 lalala 172.16.0.2 0 xpto
Sending Access-Request of id 57 to 172.16.0.2 port 1812
    User-Name = "usuario1"
    User-Password = "senha1"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=57, length=20

[EMAIL PROTECTED]:~$ radtest localradius lalala 172.16.0.2 0 xpto
Sending Access-Request of id 135 to 172.16.0.2 port 1812
    User-Name = "localradius"
    User-Password = "radius1234"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=212, length=20

Until here, everything was OK. The problems begin when I try to authenticate through a wireless access point:

PEAP doesn't work. TTLS/MSCHAPv2 works, but only for users located in the /etc/raddb/users file, and not for NIS or passwd users.

Error that happens when I try to connect with TTLS/MSCHAPv2 with a user not listed in the /etc/raddb/users file:

Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for leonardo with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.

I've uploaded /etc/raddb/radiusd.conf, /etc/raddb/eap.conf, the module /etc/raddb/modules/mschap and also a log from radiusd -X with a login attempt which generates the above error and the radiusd startup on the server: http://ivete.fis.unb.br/fradius/

I've found on Google a discussion on this list (http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg48660.html), in which a guy had the same error as me, but he was using ldap as the user database. And I didn't understand what procedures he used to solve his problems.

Please, if somebody has some tip, tell me, I don't know what to do anymore :/

Sorry for the poor English.

Thanks in advance,

--
--- Leonardo Marques ---
Blog: BeNerd.analyx.org
Website: www.analyx.org
Re: mschap No Cleartext-Password configured
> Enable ldap in inner-tunnel virtual server. Radtest works because this is
> enabled in default virtual server.
>
> It looks like auto headers are not enabled in pap module. It defaults to
> crypt instead of detecting md5 header.

Yes so it works - also with eap-mschap

Great and many many thanks to you, finally it works ...

By
luis
Re: mschap No Cleartext-Password configured
Enable ldap in inner-tunnel virtual server. Radtest works because this is enabled in default virtual server.

It looks like auto headers are not enabled in pap module. It defaults to crypt instead of detecting md5 header.

Ivan Kalik
Kalik Informatike ISP
Re: mschap No Cleartext-Password configured
Hello

Thank you for the reply.

I made another test with user test and password test with radtest and then from a windowsxp-client (should be pap)

with radtest test test 127.0.0.1 12 password - all works fine - I see in the log :

rlm_ldap: userPassword -> User-Password == "{md5}CY9rzUYh03PK3k6DJie09g=="
rlm_ldap: sambaNtPassword -> NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337
rlm_ldap: sambaLmPassword -> LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "test" with password "test"
[ldap] user DN: uid=test,ou=users,dc=sb-brixen,dc=it
rlm_ldap: (re)connect to mir:389, authentication 1
rlm_ldap: bind as uid=test,ou=users,dc=sb-brixen,dc=it/test to mir:389
rlm_ldap: Bind was successful
[ldap] user test authenticated succesfully
++[ldap] returns ok
Login OK: [test] (from client localhost port 12)

and here the full log for my windows-client accessing via a cisco wireless switch (maybe he gives me the problems) :

Maybe somebody sees where I have the problems

By
luis
-
rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=77, length=170
    User-Name = "test"
    Calling-Station-Id = "00-40-96-B4-5B-0F"
    Called-Station-Id = "00-0B-85-95-70-80:prova"
    NAS-Port = 29
    NAS-IP-Address = 10.53.240.10
    NAS-Identifier = "WS4404_Pri"
    Airespace-Wlan-Id = 4
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "156"
    EAP-Message = 0x020f00090174657374
    Message-Authenticator = 0xf69a987d74a723bbc2981decb8c871a0
+- entering group authorize {...}
++[preprocess] returns ok
    expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008
[auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008
    expand: %t -> Wed Oct 8 10:33:11 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 15 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry test at line 7
++[files] returns ok
[ldap] performing user authorization for test
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test)
    expand: ou=users,dc=sb-brixen,dc=it -> ou=users,dc=sb-brixen,dc=it
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to mir:389, authentication 0
rlm_ldap: bind as uid=cyrus,dc=sb-brixen,dc=it/niko2006 to mir:389
rlm_ldap: waiting for bind result ...
request done: ld 0x81a9290 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=sb-brixen,dc=it, with filter (uid=test)
request done: ld 0x81a9290 msgid 2
[ldap] looking for check items in directory...
rlm_ldap: userPassword -> User-Password == "{md5}CY9rzUYh03PK3k6DJie09g=="
rlm_ldap: sambaNtPassword -> NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337
rlm_ldap: sambaLmPassword -> LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing MD5-Password from base64 encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 77 to 10.53.240.10 port 32769
    EAP-Message = 0x011000160410741fcd7da1e640ba9f4390917645a3ad
    Message-Authenticator = 0x
    State = 0x8d60a8298d70aca02ffd6ac34c7adfdb
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=78, length=185
    User-Name = "test"
Re: mschap No Cleartext-Password configured
On 08.10.2008 at 10:12, Nicolas Goutte wrote:

> On 08.10.2008 at 09:49, alois blasbichler wrote:
>
>>>> ablasbichler Cleartext-Password == "ablasbichler"
>>>> With no success
>>>
>>> Should be := not ==.
>>
>> Hello
>>
>> Thank you for the answers.
>>
>> I changed how you suggested but without success.
>>
>> Another thing : we use md5 encrypted passwords in our Ldap-DB for
>> userpasswords - is it right that the line above in users overwrite this ?
>
> I am not sure, so I won't answer this one.
>
>> Here my log (tested with user test password alois)
>>
>> Why pap use CRYPT encryption not it should be cleartext ?
>
> If you define a Cleartext-Password for a user, it does not mean that you
> force the use of cleartext for the authentication for the user. If the
> authentication needs the password in another form, it will transform the
> cleartext password into the needed form. (For example for MS-CHAP, it would
> encode the password into UTF32-LE and then make the MD4 hash of it.)

Sorry, I meant "UTF16-LE" (16 bit Unicode, little endian) instead of "UTF32-LE"

>> by luis
>
> Have a nice day!
>
> [...]

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
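The conversion described in the message above (MD4 over the UTF-16LE password), as an added example that is not part of the original thread. It recomputes the NT hash for the "test"/"test" account and compares it with the sambaNtPassword value from the debug log posted earlier; the helper names are made up for this illustration.

```python
import struct

_MASK = 0xFFFFFFFF
_ORDER2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
_ORDER3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

# Value copied from the rlm_ldap debug line in this thread
# (user "test", whose password is "test").
LOGGED_NT_PASSWORD = "0x3043423639343838303546373937424632413832383037393733423839353337"


def _rol(value, shift):
    return ((value << shift) | (value >> (32 - shift))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written out because hashlib only offers md4
    when the local OpenSSL build still provides it."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            if i < 16:      # round 1
                f, k, add = (b & c) | (~b & d), i, 0
                shift = (3, 7, 11, 19)[i % 4]
            elif i < 32:    # round 2
                f, k, add = (b & c) | (b & d) | (c & d), _ORDER2[i - 16], 0x5A827999
                shift = (3, 5, 9, 13)[i % 4]
            else:           # round 3
                f, k, add = b ^ c ^ d, _ORDER3[i - 32], 0x6ED9EBA1
                shift = (3, 9, 11, 15)[i % 4]
            a = _rol((a + f + x[k] + add) & _MASK, shift)
            a, b, c, d = d, a, b, c  # rotate registers for the next step
        state = [(old + new) & _MASK for old, new in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT-Password as described in the thread: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def decode_logged_hash(logged: str) -> bytes:
    """Turn the '0x...' debug value into the raw 16-byte hash.

    The logged bytes are themselves 32 ASCII hex characters (compare the
    "[pap] Normalizing NT-Password from hex encoding" line), so the value
    has to be hex-decoded twice."""
    ascii_hex = bytes.fromhex(logged[2:]).decode("ascii")
    return bytes.fromhex(ascii_hex)


def hash_for_mschap(check_items: dict):
    """Return the NT hash obtainable from a user's check items, or None."""
    if "Cleartext-Password" in check_items:
        return nt_hash(check_items["Cleartext-Password"])
    if "NT-Password" in check_items:
        return decode_logged_hash(check_items["NT-Password"])
    # {SSHA}, {md5} and crypt values are one-way hashes of the password
    # bytes; nothing turns them into MD4(UTF-16LE(password)).
    return None


if __name__ == "__main__":
    print(nt_hash("test").hex().upper())
    print(decode_logged_hash(LOGGED_NT_PASSWORD) == nt_hash("test"))
    print(hash_for_mschap({"User-Password": "{SSHA}xx"}))
```

A user whose only check item is a `{SSHA}`, `{md5}` or crypt value yields `None` here, which is the state behind "No NT/LM-Password. Cannot perform authentication." in the debug output.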
Re: mschap No Cleartext-Password configured
On 08.10.2008 at 09:49, alois blasbichler wrote:

>>> ablasbichler Cleartext-Password == "ablasbichler"
>>> With no success
>>
>> Should be := not ==.
>
> Hello
>
> Thank you for the answers.
>
> I changed how you suggested but without success.
>
> Another thing : we use md5 encrypted passwords in our Ldap-DB for
> userpasswords - is it right that the line above in users overwrite this ?

I am not sure, so I won't answer this one.

> Here my log (tested with user test password alois)
>
> Why pap use CRYPT encryption not it should be cleartext ?

If you define a Cleartext-Password for a user, it does not mean that you force the use of cleartext for the authentication for the user. If the authentication needs the password in another form, it will transform the cleartext password into the needed form. (For example for MS-CHAP, it would encode the password into UTF32-LE and then make the MD4 hash of it.)

> by luis

Have a nice day!

[...]

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: mschap No Cleartext-Password configured
>> ablasbichler Cleartext-Password == "ablasbichler"
>> With no success
>
> Should be := not ==.

Hello

Thank you for the answers.

I changed how you suggested but without success.

Another thing : we use md5 encrypted passwords in our Ldap-DB for userpasswords - is it right that the line above in users overwrite this ?

Here my log (tested with user test password alois)

Why pap use CRYPT encryption not it should be cleartext ?

by luis

server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
request done: ld 0x81a0ba8 msgid 7
++[unix] returns updated
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "alois"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [test] (from client ciscosw port 0 via TLS tunnel)
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [test] (from client ciscosw port 29 cli 00-40-96-B4-5B-0F)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
    expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
Sending Access-Reject of id 6 to 10.53.240.10 port 32769
    EAP-Message = 0x0414
    Message-Authenticator = 0x
Waking up in 3.4 seconds.
Re: mschap No Cleartext-Password configured
On 07.10.2008 at 11:48, alois blasbichler wrote:

> Hello list
>
> I am trying to authenticate a windows xp client via a Cisco Wireless
> Router with radius on Linux and behind there a Openldap-DB.
> Users have posix and samba-passwords

[...]

> Somebody can give a hint?
>
> I have seen in an old mail :
>
>> NT-Password is wrong. Try first with plain text one (Cleartext-Password).
>> Then fix hashing.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
> How i set plain text passwords ?
>
> i tried to add in users :
>
> ablasbichler Cleartext-Password == "ablasbichler"

Try := instead of == (Think of "setting" the password instead of "comparing" it.)

For example:

foo Cleartext-Password := "foo"

> With no success
>
> i have a big debug-file if it can help
>
> thank you for a help
> luis

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: mschap No Cleartext-Password configured
>i tried to add in users :
>
>ablasbichler Cleartext-Password == "ablasbichler"
>With no success
>

Should be := not ==.

>i have a big debug-file if it can help
>

Change the operator. If it doesn't help, post the debug.

Ivan Kalik
Kalik Informatika ISP
mschap No Cleartext-Password configured
Hello list

I am trying to authenticate a windows xp client via a Cisco Wireless Router with radius on Linux and behind there a Openldap-DB.
Users have posix and samba-passwords

I installed radius from source : freeradius-server-2.1.0

I configured only :
clients.conf (shared secrets)
/sites-available/default (enabled ldap)
/modules/ldap (added my ldap-settings)

Is this all i have to do ?

With radtest all works fine - but my windows-client gives me an error :
-
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for ablasbichler with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
--
Somebody can give a hint?

I have seen in an old mail :

> NT-Password is wrong. Try first with plain text one (Cleartext-Password).
> Then fix hashing.
>
> Ivan Kalik
> Kalik Informatika ISP

How i set plain text passwords ?

i tried to add in users :

ablasbichler Cleartext-Password == "ablasbichler"

With no success

i have a big debug-file if it can help

thank you for a help
luis