question regarding PEAP/MSCHAPv2 (ERROR: FAILED: No NT/LM-Password. Cannot perform authentication)
Thomas Stather
2015-10-30 08:33:25 UTC
Hello

I am still failing with my RADIUS setup (eduroam -> PEAP/MSCHAPv2 and
authentication against our LDAP server) on 3.0.10.
After having sorted out lots of mistakes by myself in the RADIUS config
(thanks for your help on the previous post), the server now starts.

But when I try to connect with my mobile device to the test SSID, I get:


----------------------------------------------------------------------
...
(6) ldap1: User object found at DN
"uid=tstather,ou=people,dc=mpimf-heidelberg,dc=mpg,dc=de"
rlm_ldap (ldap1): Released connection (0)
(6) [ldap1] = ok
(6) } # redundant redundant_ldap = ok
(6) [pap] = noop
(6) } # authorize = updated
(6) Found Auth-Type = EAP
(6) # Executing group from file
/etc/raddb/sites-enabled/mpimf_inner-tunnel
(6) authenticate {
(6) eap: Expiring EAP session with state 0x8d973f168d3225fd
(6) eap: Finished EAP session with state 0x8d973f168d3225fd
(6) eap: Previous EAP request found for state 0x8d973f168d3225fd,
released from the list
(6) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/mpimf_inner-tunnel
(6) eap_mschapv2: Auth-Type MS-CHAP {
(6) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(6) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
(6) mschap: Creating challenge hash with username:
***@mpimf-heidelberg.mpg.de
(6) mschap: Client is using MS-CHAPv2
(6) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(6) mschap: ERROR: MS-CHAP2-Response is incorrect
(6) [mschap] = reject
(6) } # Auth-Type MS-CHAP = reject
(6) eap: Sending EAP Failure (code 4) ID 165 length 4
(6) eap: Freeing handler
(6) [eap] = reject
(6) } # authenticate = reject
(6) Failed to authenticate the user
(6) Using Post-Auth-Type Reject
(6) # Executing group from file
/etc/raddb/sites-enabled/mpimf_inner-tunnel
(6) Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject: --> ***@mpimf-heidelberg.mpg.de
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6) [attr_filter.access_reject] = updated
(6) } # Post-Auth-Type REJECT = updated
(6) } # server mpimf_inner-tunnel
(6) Virtual server sending reply
(6) MS-CHAP-Error = "\245E=691 R=1 C=d3892ab1fa88824c1ae8daf07fc80483
V=3 M=Authentication failed"
(6) EAP-Message = 0x04a50004
(6) Message-Authenticator = 0x00000000000000000000000000000000
...
----------------------------------------------------------------------


Our LDAP server has the attributes "sambaLMPassword" and
"sambaNTPassword" (there is also a samba server linked to it).

I read some documentation but now I'm confused.

Am I right in the assumption that the error occurs because our LDAP
server has no "clear-text password" entries for the users?

Is the only option to get it to work to use the "ntlm_auth" module?

I wanted to implement this setup independently of our samba server, or
is this simply not possible?

Best,

Thomas
--
Thomas Stather
IT Services

Tel: +49 6221-486 628
Fax: +49 6221-486 561

------------------------------------------------------------------------
Max Planck Institute for Medical Research (MPImF)
Jahnstrasse 29, 69120 Heidelberg
Germany

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/
David Aldwinckle
2015-10-30 12:09:51 UTC
The server tells you what is wrong:

(6) eap_mschapv2: Auth-Type MS-CHAP {
(6) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(6) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
(6) mschap: Creating challenge hash with username:
***@mpimf-heidelberg.mpg.de
(6) mschap: Client is using MS-CHAPv2
(6) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(6) mschap: ERROR: MS-CHAP2-Response is incorrect

Do you have clear-text or NT hash passwords in LDAP?

See: http://deployingradius.com/documents/protocols/compatibility.html

Dave

David Aldwinckle
2015-10-30 12:15:11 UTC
My mistake. I didn't read far enough.

What is your "password_attribute" set to in /etc/raddb/ldap?

Try setting it to "sambaNTPassword"

The mapping for sambaNTPassword exists by default:

/etc/raddb/ldap.attrmap:

checkItem LM-Password sambaLmPassword
checkItem NT-Password sambaNtPassword

Dave

David Aldwinckle
2015-10-30 12:19:41 UTC
Typo. It's early here...

/etc/raddb/modules/ldap?

Dave

Thomas Stather
2015-10-30 12:54:31 UTC
I tried to set password_attribute to "sambaNTPassword" but the error is
still the same.


As we have the hashes in our LDAP it seems that I have to switch to the
"ntlm_auth" module as described in:

http://deployingradius.com/documents/configuration/active_directory.html


But now another (hopefully easy to fix) issue:

In my setup, the ntlm_auth command in raddb/modules/mschap is set to:


ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-MPIMF}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

When I try

radtest -t mschap tstather <my password> 127.0.0.1:18120 0 <shared secret>

it works, but connecting via WLAN fails.


--------------------------------------------------------
...
(8) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-MPIMF}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(8) mschap: EXPAND --username=%{mschap:User-Name:-None}
(8) mschap: --> --username=***@mpimf-heidelberg.mpg.de
(8) mschap: ERROR: No NT-Domain was found in the User-Name
(8) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-MPIMF}
(8) mschap: --> --domain=MPIMF
(8) mschap: Creating challenge hash with username:
***@mpimf-heidelberg.mpg.de
(8) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(8) mschap: --> --challenge=233049239fe1013b
(8) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(8) mschap: -->
--nt-response=9afa807de748f4cdfb1dcd7414d6ba3a9d5a787c18b448ad
(8) mschap: ERROR: Program returned code (1) and output 'Logon failure
(0xc000006d)'
(8) mschap: External script failed
(8) mschap: ERROR: External script says: Logon failure (0xc000006d)
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
(8) [mschap] = reject
(8) } # Auth-Type MS-CHAP = reject
(8) eap: Sending EAP Failure (code 4) ID 132 length 4
(8) eap: Freeing handler
(8) [eap] = reject
(8) } # authenticate = reject
(8) Failed to authenticate the user
...
--------------------------------------------------------

I think the problem comes from the "Mschap:User-Name" variable which
holds the full username, i.e. "***@mpimf-heidelberg.mpg.de".

How can I change the configuration so that the username is the username
without our realm, in this case "tstather"?


Best,

Thomas
--
Thomas Stather
IT Services

Tel: +49 6221-486 628
Fax: +49 6221-486 561

------------------------------------------------------------------------
Max Planck Institute for Medical Research (MPImF)
Jahnstrasse 29, 69120 Heidelberg
Germany

Alan DeKok
2015-10-30 12:57:07 UTC
Post by Thomas Stather
I tried to set
password_attribute to "sambaNTPassword" but the error is still the same.
Post the *full* debug.
Post by Thomas Stather
As we have the hashes in our LDAP it seems that i have to switch to "ntlm_auth" module
No. FreeRADIUS can get the hashes directly from LDAP.
Post by Thomas Stather
radtest -t mschap tstather <my password> 127.0.0.1:18120 0 <shared secret>
it works, but connecting via WLAN fails.
...
Post by Thomas Stather
(8) mschap: --> --nt-response=9afa807de748f4cdfb1dcd7414d6ba3a9d5a787c18b448ad
(8) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
Which seems pretty straightforward.
Post by Thomas Stather
How can i change the configuration so that the username is the username without our realm, in this case "tstather"?
Don't. Fix it so that FreeRADIUS gets the passwords from LDAP. It will be simpler, faster, and easier to maintain.

Alan DeKok.


Matthew Newton
2015-10-30 13:02:18 UTC
Post by Thomas Stather
password_attribute to "sambaNTPassword" but the error is still the same.
"password_attribute" was not a literal.
Post by Thomas Stather
As we have the hashes in our LDAP it seems that i have to switch to
No you don't; David was right.

In the update {} section in mods-enabled/ldap, look at the

# control:NT-Password := 'ntPassword'

line and add instead:

control:NT-Password := 'sambaNTPassword'
control:LM-Password := 'sambaLMPassword'

then it should work.

You can do this with LDAP and Samba. ntlm_auth will also work. You
can't do LDAP with real AD.

Matthew
--
Matthew Newton, Ph.D. <***@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <***@le.ac.uk>
Alan Buxey
2015-10-30 15:01:32 UTC
Just edit the ntlm_auth line so that you are using Stripped-User-Name instead of User-Name


alan