Re: [again] Error "[mschap] No Cleartext-Password configured. Cannot create LM-Password."

2013-07-15 Thread Alan DeKok
Holger Wesser wrote:
> I've googled a while and found different solutions for the error
> message: [mschap] No Cleartext-Password configured.  Cannot create
> LM-Password.

  There's only one solution: give the server a "known good" password.
e.g. Cleartext-Password, or NT-Password.

> What I've done is, to establish the following setup: Debian 7.1, Samba3,
> OpenLDAP and freeradius 2.1.12 (everything on the same machine). A VPN
> gateway forwards the authentication requests to the freeradius-server.

  PLEASE use "radiusd -X" as suggested everywhere.  The additional "-x"
is not needed, and is just annoying.

  The relevant output is:

 [ldap] performing search in dc=example,dc=com, with filter (uid=testuser)
 [ldap] Added User-Password = {SSHA}xx in check items

  SSHA passwords are fundamentally incompatible with MS-CHAP.

http://deployingradius.com/documents/protocols/compatibility.html

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Fw: [mschap] No Cleartext-Password configured. Cannot create LM-Password.

2013-01-31 Thread Grzegorz Cimochowski




Waking up in 3.4 seconds.
rad_recv: Access-Request packet from host 192.168.30.15 port 46844, id=161, length=192
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 138584
NAS-Port-Type = Ethernet
User-Name = "chmielewska_d"
Calling-Station-Id = "54:E6:FC:E7:EA:E7"
Called-Station-Id = "witosa3"
NAS-Port-Id = "ether1"
MS-CHAP-Challenge = 0x28c98da9117ed73968677b477bfe0adf
MS-CHAP2-Response = 0x01000de14d8d5551d54ac1898b1baffc01133372483474e6d9ef5302fdc1e3bb081e0f47a844c8258da7
NAS-Identifier = "witosa3"
NAS-IP-Address = 192.168.30.15
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "chmielewska_d", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql]  expand: %{User-Name} -> chmielewska_d
[sql] sql_set_user escaped user --> 'chmielewska_d'
rlm_sql (sql): Reserving sql socket id: 4
[sql]  expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}' AND status = '1' ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'chmielewska_d' AND status = '1' ORDER BY id
[sql]  expand: SELECT groupname   FROM radusergroup WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'chmielewska_d'   ORDER BY priority
[sql]  expand: SELECT id, groupname, attribute,   Value, op FROM radgroupcheck   WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute,   Value, op FROM radgroupcheck WHERE groupname = 'DaNET 1280'   ORDER BY id
[sql] User found in group DaNET 1280
[sql]  expand: SELECT id, groupname, attribute,   value, op FROM radgroupreply   WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute,   value, op FROM radgroupreply WHERE groupname = 'DaNET 1280'   ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: chmielewska_d
[mschap] Client is using MS-CHAPv2 for chmielewska_d, we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[sql]  expand: %{User-Name} -> chmielewska_d
[sql] sql_set_user escaped user --> 'chmielewska_d'
[sql]  expand: %{User-Password} ->
[sql]  ... expanding second conditional
[sql]  expand: %{Chap-Password} ->
[sql]  expand: INSERT INTO radpostauth (username, pass, reply, authdate)   VALUES (   '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES (   'chmielewska_d', '', 'Access-Reject', '2013-01-31 14:34:55')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate)       VALUES (           'chmielewska_d',   '', 'Access-Reject', '2013-01-31 14:34:55')
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released


this log interested me
chmielewska_d is in database add
why:
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: chmielewska_d
[mschap] Client is using MS-CHAPv2 for chmielewska_d, we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
? 




Problems with wifi authentication: [mschap] No Cleartext-Password configured...

2008-12-04 Thread Leonardo Marques
Hi guys,

I'm having problems with my first radius authentication server for
wireless clients. I've made some progress, but now I have problems
that I don't know how to solve.

I want to use the NIS user database.

Freeradius version: 2.1.1, compiled from source on mandriva 2008.1
(yes, I don't like mandriva, but I have to use it)

With radtest, I can already authenticate with users located in
/etc/raddb/users/, /etc/passwd and NIS users:

Example:
[EMAIL PROTECTED]:~$ radtest leonardo lalala 172.16.0.2 0 xpto
Sending Access-Request of id 65 to 172.16.0.2 port 1812
User-Name = "leonardo"
User-Password = "radius1234"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=65, length=20
[EMAIL PROTECTED]:~$ radtest usuario1 lalala 172.16.0.2 0 xpto
Sending Access-Request of id 57 to 172.16.0.2 port 1812
User-Name = "usuario1"
User-Password = "senha1"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=57, length=20
[EMAIL PROTECTED]:~$ radtest localradius lalala 172.16.0.2 0 xpto
Sending Access-Request of id 135 to 172.16.0.2 port 1812
User-Name = "localradius"
User-Password = "radius1234"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 172.16.0.2 port 1812, id=212, length=20

Up to here, everything was OK; the problems begin when I try to
authenticate through a wireless access point:

PEAP doesn't work. TTLS/MSCHAPv2 works, but only for users
located in the /etc/raddb/users file, and not for NIS or passwd
users.

Error that happens when I try to connect with TTLS/MSCHAPv2 and with
a user not listed in the /etc/raddb/users file:

Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for leonardo with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.

I've uploaded the /etc/raddb/radiusd.conf, /etc/raddb/eap.conf, module
/etc/raddb/modules/mschap and also a log from radiusd -X with a
login attempt which generates the above error and the radiusd startup on
the server: http://ivete.fis.unb.br/fradius/

I've found on Google a discussion on this list
(http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg48660.html),
in which a guy had the same error as me, but he was using the LDAP
database as the user database. And I didn't understand what procedure he
used to solve his problem.

Please, if somebody has a tip, tell me, I don't know what to do anymore :/

Sorry for the poor English.

Thanks in advance,
--
---
Leonardo Marques
---
Blog: BeNerd.analyx.org
Website: www.analyx.org


Re: mschap No Cleartext-Password configured

2008-10-08 Thread alois blasbichler

> Enable ldap in inner-tunnel virtual server. Radtest works because this is
> enabled in default virtual server.
>
> It looks like auto headers are not enabled in pap module. It defaults to
> crypt instead of detecting md5 header.


Yes so it works - also with eap-mschap
Great and many many thanks to you, finally it works ...

By
luis



Re: mschap No Cleartext-Password configured

2008-10-08 Thread tnt
Enable ldap in inner-tunnel virtual server. Radtest works because this is
enabled in default virtual server.

It looks like auto headers are not enabled in pap module. It defaults to
crypt instead of detecting md5 header.

Ivan Kalik
Kalik Informatike ISP


On 8/10/2008, "alois blasbichler" <[EMAIL PROTECTED]> wrote:

>  Hello
>
>  Thank you for the reply.
>
>I made another test with user test and password test with radtest and
>then from a windowsxp-client (should be pap)
>
>with radtest test test  127.0.0.1  12  password  -
>all works fine - i see in the log :
>
>rlm_ldap: userPassword -> User-Password == "{md5}CY9rzUYh03PK3k6DJie09g=="
>rlm_ldap: sambaNtPassword -> NT-Password ==
>0x3043423639343838303546373937424632413832383037393733423839353337
>rlm_ldap: sambaLmPassword -> LM-Password ==
>0x3031464335413642453742433639323941414433423433354235313430344545
>[pap] Found existing Auth-Type, not changing it.
>++[pap] returns noop
>Found Auth-Type = LDAP
>+- entering group LDAP {...}
>[ldap] login attempt by "test" with password "test"
>[ldap] user DN: uid=test,ou=users,dc=sb-brixen,dc=it
>rlm_ldap: (re)connect to mir:389, authentication 1
>rlm_ldap: bind as uid=test,ou=users,dc=sb-brixen,dc=it/test to mir:389
>rlm_ldap: Bind was successful
>[ldap] user test authenticated succesfully
>++[ldap] returns ok
>Login OK: [test] (from client localhost port 12)
>
>
>and here the full log for my windows-client accessing via a cisco
>wireless switch (maybe he gives me the problems) :
>
>Maybe somebody sees where I have the problems
>
>By
>luis
>-
>rad_recv: Access-Request packet from host 10.53.240.10 port 32769,
>id=77, length=170
> User-Name = "test"
> Calling-Station-Id = "00-40-96-B4-5B-0F"
> Called-Station-Id = "00-0B-85-95-70-80:prova"
> NAS-Port = 29
> NAS-IP-Address = 10.53.240.10
> NAS-Identifier = "WS4404_Pri"
> Airespace-Wlan-Id = 4
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "156"
> EAP-Message = 0x020f00090174657374
> Message-Authenticator = 0xf69a987d74a723bbc2981decb8c871a0
>+- entering group authorize {...}
>++[preprocess] returns ok
> expand:
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
>/usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008
>[auth_log]
>/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>expands to
>/usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008
> expand: %t -> Wed Oct  8 10:33:11 2008
>++[auth_log] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>[suffix] No '@' in User-Name = "test", looking up realm NULL
>[suffix] No such realm "NULL"
>++[suffix] returns noop
>[eap] EAP packet type response id 15 length 9
>[eap] No EAP Start, assuming it's an on-going EAP conversation
>++[eap] returns updated
>++[unix] returns updated
>[files] users: Matched entry test at line 7
>++[files] returns ok
>[ldap] performing user authorization for test
>WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test)
> expand: ou=users,dc=sb-brixen,dc=it -> ou=users,dc=sb-brixen,dc=it
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: attempting LDAP reconnection
>rlm_ldap: (re)connect to mir:389, authentication 0
>rlm_ldap: bind as uid=cyrus,dc=sb-brixen,dc=it/niko2006 to mir:389
>rlm_ldap: waiting for bind result ...
>request done: ld 0x81a9290 msgid 1
>rlm_ldap: Bind was successful
>rlm_ldap: performing search in ou=users,dc=sb-brixen,dc=it, with
>filter (uid=test)
>request done: ld 0x81a9290 msgid 2
>[ldap] looking for check items in directory...
>rlm_ldap: userPassword -> User-Password == "{md5}CY9rzUYh03PK3k6DJie09g=="
>rlm_ldap: sambaNtPassword -> NT-Password ==
>0x3043423639343838303546373937424632413832383037393733423839353337
>rlm_ldap: sambaLmPassword -> LM-Password ==
>0x3031464335413642453742433639323941414433423433354235313430344545
>[ldap] looking for reply items in directory...
>[ldap] user test authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>++[ldap] returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>[pap] Normalizing NT-Password from hex encoding
>[pap] Normalizing LM-Password from hex encoding
>[pap] Normalizing MD5-Password from base64 encoding
>[pap] Found existing Auth-Type, not changing it.
>++[pap] returns noop
>Found Auth-Type = EAP
>+- entering group authenticate {...}
>[eap] EAP Identity
>[eap] processing type md5
>rlm_eap_md5: Issuing Challenge
>++[eap] returns handled
>Sending Access

Re: mschap No Cleartext-Password configured

2008-10-08 Thread alois blasbichler

 Hello

 Thank you for the reply.

I made another test with user test and password test with radtest and
then from a windowsxp-client (should be pap)


with radtest test test  127.0.0.1  12  password  -
all works fine - i see in the log :

rlm_ldap: userPassword -> User-Password == "{md5}CY9rzUYh03PK3k6DJie09g=="
rlm_ldap: sambaNtPassword -> NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337
rlm_ldap: sambaLmPassword -> LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "test" with password "test"
[ldap] user DN: uid=test,ou=users,dc=sb-brixen,dc=it
rlm_ldap: (re)connect to mir:389, authentication 1
rlm_ldap: bind as uid=test,ou=users,dc=sb-brixen,dc=it/test to mir:389
rlm_ldap: Bind was successful
[ldap] user test authenticated succesfully
++[ldap] returns ok
Login OK: [test] (from client localhost port 12)


and here the full log for my windows-client accessing via a cisco  
wireless switch (maybe he gives me the problems) :


Maybe somebody sees where I have the problems

By
luis
-
rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=77, length=170
User-Name = "test"
Calling-Station-Id = "00-40-96-B4-5B-0F"
Called-Station-Id = "00-0B-85-95-70-80:prova"
NAS-Port = 29
NAS-IP-Address = 10.53.240.10
NAS-Identifier = "WS4404_Pri"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "156"
EAP-Message = 0x020f00090174657374
Message-Authenticator = 0xf69a987d74a723bbc2981decb8c871a0
+- entering group authorize {...}
++[preprocess] returns ok
expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008
[auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008
expand: %t -> Wed Oct  8 10:33:11 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 15 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry test at line 7
++[files] returns ok
[ldap] performing user authorization for test
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test)
expand: ou=users,dc=sb-brixen,dc=it -> ou=users,dc=sb-brixen,dc=it
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to mir:389, authentication 0
rlm_ldap: bind as uid=cyrus,dc=sb-brixen,dc=it/niko2006 to mir:389
rlm_ldap: waiting for bind result ...
request done: ld 0x81a9290 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=sb-brixen,dc=it, with filter (uid=test)
request done: ld 0x81a9290 msgid 2
[ldap] looking for check items in directory...
rlm_ldap: userPassword -> User-Password == "{md5}CY9rzUYh03PK3k6DJie09g=="
rlm_ldap: sambaNtPassword -> NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337
rlm_ldap: sambaLmPassword -> LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing MD5-Password from base64 encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 77 to 10.53.240.10 port 32769
EAP-Message = 0x011000160410741fcd7da1e640ba9f4390917645a3ad
Message-Authenticator = 0x
State = 0x8d60a8298d70aca02ffd6ac34c7adfdb
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=78, length=185
User-Name = "test"
  

Re: mschap No Cleartext-Password configured

2008-10-08 Thread Nicolas Goutte


On 08.10.2008 at 10:12, Nicolas Goutte wrote:

> On 08.10.2008 at 09:49, alois blasbichler wrote:
>
>>>> ablasbichler Cleartext-Password == "ablasbichler"
>>>> With no success
>>>
>>> Should be := not ==.
>>
>> Hello
>>
>> Thank you for the answers. I changed how you suggested but
>> without success.
>>
>> Another thing : we use md5 encrypted passwords in our Ldap-DB for
>> userpasswords -  is it right that the line above in users
>> overwrite this  ?
>
> I am not sure, so I won't answer this one.
>
>> Here my log (tested with user test password alois)
>> Why pap use CRYPT encryption not it should be cleartext ?
>
> If you define a Cleartext-Password for a user, it does not mean
> that you force the use of cleartext for the authentication for
> the user. If the authentication needs the password in another
> form, it will transform the cleartext password into the needed
> form. (For example for MS-CHAP, it would encode the password into
> UTF32-LE and then make the MD4 hash of it.)

Sorry, I meant "UTF16-LE" (16 bit Unicode, little endian) instead of
"UTF32-LE"

>> by
>> luis
>
> Have a nice day!






[...]


Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






Re: mschap No Cleartext-Password configured

2008-10-08 Thread Nicolas Goutte


On 08.10.2008 at 09:49, alois blasbichler wrote:

>>> ablasbichler Cleartext-Password == "ablasbichler"
>>> With no success
>>
>> Should be := not ==.
>
> Hello
>
> Thank you for the answers. I changed how you suggested but
> without success.
>
> Another thing : we use md5 encrypted passwords in our Ldap-DB for
> userpasswords -  is it right that the line above in users overwrite
> this  ?

I am not sure, so I won't answer this one.

> Here my log (tested with user test password alois)
> Why pap use CRYPT encryption not it should be cleartext ?

If you define a Cleartext-Password for a user, it does not mean that
you force the use of cleartext for the authentication for the user.
If the authentication needs the password in another form, it will
transform the cleartext password into the needed form. (For example
for MS-CHAP, it would encode the password into UTF32-LE and then make
the MD4 hash of it.)

> by
> luis

Have a nice day!






[...]




Nicolas Goutte




Re: mschap No Cleartext-Password configured

2008-10-08 Thread alois blasbichler

>> ablasbichler Cleartext-Password == "ablasbichler"
>> With no success
>
> Should be := not ==.

Hello

Thank you for the answers. I changed how you suggested but without
success.


Another thing : we use md5 encrypted passwords in our Ldap-DB for  
userpasswords -  is it right that the line above in users overwrite  
this  ?


Here my log (tested with user test password alois)
Why pap use CRYPT encryption not it should be cleartext ?

by
luis



server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
request done: ld 0x81a0ba8 msgid 7
++[unix] returns updated
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "alois"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [test] (from client ciscosw port 0 via TLS tunnel)
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [test] (from client ciscosw port 29 cli 00-40-96-B4-5B-0F)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} -> test
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
Sending Access-Reject of id 6 to 10.53.240.10 port 32769
EAP-Message = 0x0414
Message-Authenticator = 0x
Waking up in 3.4 seconds.



Re: mschap No Cleartext-Password configured

2008-10-07 Thread Nicolas Goutte


On 07.10.2008 at 11:48, alois blasbichler wrote:

> Hello  list
>
> I am trying to authenticate a windows xp client via a Cisco
> Wireless Router with radius on Linux and behind there a Openldap-DB.
>
> Users have posix and samba-passwords

[...]

> Somebody can give a hint?
>
> I have seen in an old mail :
> NT-Password is wrong. Try first with plain text one (Cleartext-Password).
> Then fix hashing.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> How i set plain text passwords ?
>
> i tried to add in users :
>
> ablasbichler Cleartext-Password == "ablasbichler"

Try := instead of == (Think of "setting" the password instead of
"comparing" it.)

For example:

foo Cleartext-Password := "foo"

> With no success
>
> i have a big debug-file if it can help
>
> thank you for a help
>
> luis





Have  a nice day!

Nicolas Goutte




Re: mschap No Cleartext-Password configured

2008-10-07 Thread tnt
>i tried to add in users :
>
>ablasbichler Cleartext-Password == "ablasbichler"
>With no success
>

Should be := not ==.

>i have a big debug-file if it can help
>

Change the operator. If it doesn't help, post the debug.

Ivan Kalik
Kalik Informatika ISP



mschap No Cleartext-Password configured

2008-10-07 Thread alois blasbichler

Hello  list

I am trying to authenticate a windows xp client via a Cisco Wireless
Router with radius on Linux and behind there a Openldap-DB.


Users have posix and samba-passwords

I installed radius from source : freeradius-server-2.1.0
I configured only :
clients.conf  (shared secrets)
/sites-available/default (enabled ldap)
/modules/ldap  (added my ldap-settings)

Is this all  I have to do ?
With radtest all works fine - but my windows-client gives me an error :
-
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for ablasbichler with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
--

Somebody can give a hint?

I have seen in an old mail :

NT-Password is wrong. Try first with plain text one (Cleartext-Password).
Then fix hashing.

Ivan Kalik
Kalik Informatika ISP


How i set plain text passwords ?

i tried to add in users :

ablasbichler Cleartext-Password == "ablasbichler"
With no success

i have a big debug-file if it can help

thank you for a help

luis

