Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
Hi,

is the required config in your inner-tunnel? I.e. is LDAP defined at all?

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
On 03.07.2009 at 13:24, Clement Ogedengbe wrote:

> OK. I have done that, but it still returned the error below!
>
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect

You have either Cleartext-Password or NT-Password defined in your LDAP database, haven't you?

If not, see: http://deployingradius.com/documents/protocols/compatibility.html

Have a nice day!

> ++[mschap] returns reject
> [eap] Freeing handler
> ++[eap] returns reject
> Failed to authenticate the user.
> } # server inner-tunnel
> [peap] Got tunneled reply code 3
> MS-CHAP-Error = "\010E=691 R=1"
> EAP-Message = 0x04080004
> Message-Authenticator = 0x
> [peap] Got tunneled reply RADIUS code 3
> MS-CHAP-Error = "\010E=691 R=1"
> EAP-Message = 0x04080004
> Message-Authenticator = 0x
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
>
> Clement
>
> -Original Message-
> From: freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org] On Behalf Of Ivan Kalik
> Sent: 03 July 2009 12:17
> To: FreeRadius users mailing list
> Subject: Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
>
> > The user/password information is held in the LDAP server. I have been able
> > to authenticate successfully with packets coming from non-EAP clients. But
> > for EAP authentication clients, I have been receiving the following error
> > lines. (I am using ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> > --username=%{Stripped-User-Name:-%{User-Name:-None}}
> > --challenge=%{mschap:Challenge:-00} to call the LDAP server.
>
> ntlm_auth is for Active Directory. Comment out the ntlm_auth line in the mschap module and it will work as long as you have a clear or NT-hashed password stored in LDAP.
>
> Ivan Kalik
> Kalik Informatika ISP

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Court of registration: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
RE: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
OK. I have done that, but it still returned the error below!

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE

Clement

-Original Message-
From: freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: 03 July 2009 12:17
To: FreeRadius users mailing list
Subject: Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server

> The user/password information is held in the LDAP server. I have been able
> to authenticate successfully with packets coming from non-EAP clients. But
> for EAP authentication clients, I have been receiving the following error
> lines. (I am using ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00} to call the LDAP server.

ntlm_auth is for Active Directory. Comment out the ntlm_auth line in the mschap module and it will work as long as you have a clear or NT-hashed password stored in LDAP.

Ivan Kalik
Kalik Informatika ISP
Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
> The user/password information is held in the LDAP server. I have been able
> to authenticate successfully with packets coming from non-EAP clients. But
> for EAP authentication clients, I have been receiving the following error
> lines. (I am using ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00} to call the LDAP server.

ntlm_auth is for Active Directory. Comment out the ntlm_auth line in the mschap module and it will work as long as you have a clear or NT-hashed password stored in LDAP.

Ivan Kalik
Kalik Informatika ISP
ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
Can someone please help provide a clue into the problems with using ntlm_auth in a Freeradius config running on Debian?

The user/password information is held in the LDAP server. I have been able to authenticate successfully with packets coming from non-EAP clients. But for EAP authentication clients, I have been receiving the following error lines. (I am using ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} to call the LDAP server.

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap]expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=otha1_00
[mschap] mschap2: 18
[mschap]expand: --challenge=%{mschap:Challenge:-00} -> --challenge=b06bae6a129ec4e7
[mschap]expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=c0bec1a04bdd9fb489ef30a2bc22e5806405493ac2038167
Exec-Program output: Invalid handle (0xc008)
Exec-Program-Wait: plaintext: Invalid handle (0xc008)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\026E=691 R=1"
EAP-Message = 0x04160004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\026E=691 R=1"
EAP-Message = 0x04160004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.

Clement
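
Added example (not part of the thread, and not FreeRADIUS code): a small Python triage script that decodes the MS-CHAP-Error and EAP-Message values from the two debug logs above and tells the ntlm_auth failure apart from the missing NT-Password failure. The function names are made up for this example; the error-code names are from RFC 2759, the Ident octet from RFC 2548, and the log excerpts are copied from the thread and shortened. In both logs the Ident octet of MS-CHAP-Error equals the EAP identifier (22 and 8).

```python
import re

# RFC 2759 section 6 failure codes carried in the E= field of MS-CHAP-Error.
MSCHAP_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                 648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                 691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748

def decode_mschap_error(value):
    """Decode the debug form, e.g. \\010E=691 R=1 (leading \\ooo is the Ident octet)."""
    m = re.match(r"\\([0-7]{3})E=(\d+) R=([01])", value)
    if not m:
        raise ValueError("unrecognised MS-CHAP-Error: %r" % value)
    code = int(m.group(2))
    return {"ident": int(m.group(1), 8), "code": code,
            "name": MSCHAP_ERRORS.get(code, "unknown"),
            "retry_allowed": m.group(3) == "1"}

def decode_eap_header(hexstr):
    """Decode the 4-byte EAP header: code, identifier, 16-bit length."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its header")
    return {"code": EAP_CODES.get(raw[0], "unknown"), "id": raw[1],
            "length": int.from_bytes(raw[2:4], "big")}

def root_cause(log):
    """Tell apart the two failures seen in the thread."""
    if "External script failed" in log:
        return "ntlm_auth helper failed (ntlm_auth is for Active Directory)"
    if "No NT/LM-Password" in log:
        return "mschap has no Cleartext-Password or NT-Password for the user"
    return "unclassified"

def triage(log):
    """Extract and decode MS-CHAP-Error and EAP-Message from a debug log."""
    err = re.search(r'MS-CHAP-Error = "([^"]*)"', log)
    eap = re.search(r"EAP-Message = (0x[0-9a-fA-F]+)", log)
    return {"cause": root_cause(log),
            "mschap": decode_mschap_error(err.group(1)) if err else None,
            "eap": decode_eap_header(eap.group(1)) if eap else None}

# Excerpts copied from the thread's debug output, shortened for the example.
WITH_NTLM_AUTH = r'''Exec-Program: returned: 1
[mschap] External script failed.
MS-CHAP-Error = "\026E=691 R=1"
EAP-Message = 0x04160004'''
WITHOUT_NTLM_AUTH = r'''[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004'''

if __name__ == "__main__":
    for name, log in (("first", WITH_NTLM_AUTH), ("second", WITHOUT_NTLM_AUTH)):
        print(name, triage(log))
```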