EAP-MSCHAP-V2 - [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
Sallee, Stephen (Jake)
2010-10-05 05:42:34 UTC
Your request is correctly being redirected to your inner tunnel; did you
enable MSCHAP in the inner tunnel? Also, there seems to be an issue
with how your realms are set up (if they are at all).

Try setting up your realms and logging in using the ***@domain
convention.

Set up realms and make sure your mschap module is enabled in your inner-tunnel
server.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-----Original Message-----
From: freeradius-users-bounces+jake.sallee=***@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=***@lists.freeradius.org] On Behalf Of bmano
Sent: Monday, October 04, 2010 11:57 PM
To: freeradius-***@lists.freeradius.org
Subject: EAP-MSCHAP-V2 - [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.


Hello,

I am trying to Implement EAP-ttls and MSCHAP(V2).
I tried all the forum solutions.

I am getting the following error.

[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for john with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect


below is the Radius information:

FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 5 2010 at 02:49:11
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
allow_core_dumps = yes
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client 127.0.0.1 {
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
nastype = "other"
}
client 5.5.5.101/24 {
require_message_authenticator = no
secret = "secret"
shortname = "private-network-1"
}
client 192.168.0.0/16 {
require_message_authenticator = no
secret = "secret"
shortname = "private-network-1"
}
client 10.0.0.0/8 {
require_message_authenticator = no
secret = "secret"
shortname = "private-network-1"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "crypt"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/root/server_key.pem"
certificate_file = "/root/server_cert.pem"
CA_file = "/root/ca_cert.pem"
private_key_password = "whatever"
dh_file = "/dev/null"
random_file = "/dev/urandom"
fragment_size = 500
include_length = yes
check_crl = no
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = yes
include_length = yes
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan"
minimum-timeout = 60
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 192.168.0.151
port = 0
}
listen {
type = "acct"
ipaddr = 192.168.0.151
port = 0
}
Listening on authentication address 192.168.0.151 port 1812
Listening on accounting address 192.168.0.151 port 1813
Listening on proxy address 192.168.0.151 port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.177 port 58989, id=0, length=116
User-Name = "john"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02000009016a6f686e
Message-Authenticator = 0x63345840c269c1b54fb17e2e2137cdb8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.0.177 port 58989
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x70851e297084136bafa60810ea244249
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.177 port 58989, id=1, length=131
User-Name = "john"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100060315
State = 0x70851e297084136bafa60810ea244249
Message-Authenticator = 0x704f97c360d41603d551267a2a606547
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.0.177 port 58989
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x70851e2971870b6bafa60810ea244249
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.177 port 58989, id=2, length=219
User-Name = "john"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0202005e150016030100530100004f03014caaabcb897edcddb6e87019dafef307071a
0b69b3b6320ebe5ee47115c46ed200002800390038003500160013000a00330032002f00
0700050004001500120009001400110008000600030100
State = 0x70851e2971870b6bafa60810ea244249
Message-Authenticator = 0x763cd104835060737d3e97197682e6de
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 94
[eap] Continuing tunnel setup.
++[eap] returns ok
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0053], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 06d7], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.0.177 port 58989
EAP-Message =
0x010301f415c000000714160301002a0200002603014caaabcd3694a1eea025793dc8ef
ac1460a8fe1589ebad434ea5d0a0064bfe8b0000350016030106d70b0006d30006d00002
da308202d63082023fa003020102020102300d06092a864886f70d01010405003081ab31
0b3009060355040613025553311330110603550408130a43616c69666f726e6961311130
0f0603550407130853616e204a6f73653111300f060355040a1308576963686f72757331
0c300a060355040b1303456e67311f301d06035504030c16776963686f7275735f726f6f
7443415f676368656e673132303006092a864886f70d0109011623776963686f7275735f
726f
EAP-Message =
0x6f7443415f676368656e6740776963686f7275732e636f6d301e170d30383035313232
31313432395a170d3138303531303231313432395a30819c310b30090603550406130255
53311330110603550408130a43616c69666f726e69613111300f0603550407130853616e
204a6f73653111300f060355040a1308576963686f727573310d300b060355040b130445
6e6767311730150603550403140e64736861685f7365727665725f32312a302806092a86
4886f70d010901161b64736861685f7365727665725f3240776963686f7275732e636f6d
30819f300d06092a864886f70d010101050003818d0030818902818100b4cc27
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x70851e2972860b6bafa60810ea244249
Finished request 2.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host 192.168.0.177 port 58989, id=3, length=131
User-Name = "john"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300061500
State = 0x70851e2972860b6bafa60810ea244249
Message-Authenticator = 0x444c552d039d79bf7b6763fb8a91ecdb
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.0.177 port 58989
EAP-Message =
0x010401f415c0000007140b8841d4dac7027a6813c7a611bca71603326411eb6fa08837
767df699faf74b2a8f056feee9e9ffa990f4b41014f59ed1bcb85aed3026235df4fbdeca
8def862015a5386c3d109c30c3a884cf6f83f7162543a9a61dbc3fd75119b4160c834516
99ede9167aba5889f16a6461264c50d92c496799ccfc44e189e887870203010001a31730
1530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405
00038181007a77640e1c7f72e1499bcc1cda2a0d443c880db7ef1436d441b07f801608bb
d1d88ba15c816f01eef6fa85b08e961958225385fbe79b9fc7fc5b33004a77b7c1e67704
bc05
EAP-Message =
0x357dcf0bccca40f004504648c02ec1df9f6e91e7600f90669fb3385b64ea4ff1880def
479e02f66c4620d448606e623b967e370814fd1f5d512cca0003f0308203ec30820355a0
030201020209009c1418fe79618077300d06092a864886f70d01010505003081ab310b30
09060355040613025553311330110603550408130a43616c69666f726e69613111300f06
03550407130853616e204a6f73653111300f060355040a1308576963686f727573310c30
0a060355040b1303456e67311f301d06035504030c16776963686f7275735f726f6f7443
415f676368656e673132303006092a864886f70d0109011623776963686f7275
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x70851e2973810b6bafa60810ea244249
Finished request 3.
Going to the next request
Waking up in 4.1 seconds.
rad_recv: Access-Request packet from host 192.168.0.177 port 58989, id=4, length=131
User-Name = "john"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400061500
State = 0x70851e2973810b6bafa60810ea244249
Message-Authenticator = 0x140b333768c76c631cabee64dfef9fee
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.0.177 port 58989
EAP-Message =
0x010501f415c000000714735f726f6f7443415f676368656e6740776963686f7275732e
636f6d301e170d3038303531323230353935335a170d3138303531303230353935335a30
81ab310b3009060355040613025553311330110603550408130a43616c69666f726e6961
3111300f0603550407130853616e204a6f73653111300f060355040a1308576963686f72
7573310c300a060355040b1303456e67311f301d06035504030c16776963686f7275735f
726f6f7443415f676368656e673132303006092a864886f70d0109011623776963686f72
75735f726f6f7443415f676368656e6740776963686f7275732e636f6d30819f300d0609
2a86
EAP-Message =
0x4886f70d010101050003818d0030818902818100a35084afbdc782cb1111d16f11d637
2c4aac07118813f2d55b0a52a3df951f961530fd4694defb94981e172e46e25e7fb7925a
86975a933cb8761c243575b397abde2a6133b294b1b3bd1ef6a62a6882bdd7761d7942a7
7cf43422b526742dd45c4cf6cd167e43b8e256778e097490fdf0ce872e23c310806e68f1
6b32167e290203010001a382011430820110301d0603551d0e04160414d34f52eabf2135
7fb1085256754198a926aab1723081e00603551d230481d83081d58014d34f52eabf2135
7fb1085256754198a926aab172a181b1a481ae3081ab310b3009060355040613
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x70851e2974800b6bafa60810ea244249
Finished request 4.
Going to the next request
Waking up in 4.1 seconds.
rad_recv: Access-Request packet from host 192.168.0.177 port 58989, id=5, length=131
User-Name = "john"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020500061500
State = 0x70851e2974800b6bafa60810ea244249
Message-Authenticator = 0x6a3bdc1ff10f32916a28e534be84ff3d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 5 to 192.168.0.177 port 58989
EAP-Message =
0x01060160158000000714025553311330110603550408130a43616c69666f726e696131
11300f0603550407130853616e204a6f73653111300f060355040a1308576963686f7275
73310c300a060355040b1303456e67311f301d06035504030c16776963686f7275735f72
6f6f7443415f676368656e673132303006092a864886f70d0109011623776963686f7275
735f726f6f7443415f676368656e6740776963686f7275732e636f6d8209009c1418fe79
618077300c0603551d13040530030101ff300d06092a864886f70d010105050003818100
86c1ee74467f2615a8d5fe190ff44735bbcb3efe675302d5d0f881fc3c7a5c6395d7ccc5
d7b5
EAP-Message =
0x23ce6ff7e87fcd4a52df7ec5b518b687912c535d1f4b875542b1c49997ad16b4408ea1
6a423ad1e504eab9d6bd33aa4c1b6c1cea5cee6b52dcb7dd251f0a20aac54e0ef046f1d4
1d62a6f31c8f1c75c6ce9b1a74633147671b5016030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x70851e2975830b6bafa60810ea244249
Finished request 5.
Going to the next request
Waking up in 4.0 seconds.
rad_recv: Access-Request packet from host 192.168.0.177 port 58989, id=6, length=329
User-Name = "john"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020600cc150016030100861000008200801dd452024420fce1efff4fdf3553a914faf2
88e5aa0a5c3a1c38ddf96cd6e626efee41762495b18e7768d44cc9128088ba76483ceaf7
3cb746f3fc785c3298321053c6b90276eec623eeefa2648c8d2ec1e96a1005c262c91f10
d6faa3eb55768e46dc7e35978325d5f7b6857a75fe48322dcec2e17bab2af4d6d4de0bd6
96d81403010001011603010030c4f83f149442210cb5d56e073822928b7eb57cd891c3e9
34f01f4e55b1161dc00bcb5316e6e0fb3cb888a15dc739ea36
State = 0x70851e2975830b6bafa60810ea244249
Message-Authenticator = 0x88fab0713d28fae91f143a8e06f7a508
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.0.177 port 58989
EAP-Message =
0x0107004515800000003b14030100010116030100307f9a14be792d03d1f03354c1fca7
7fe40b4c45ca62ca82615333432f0690a6d70f619ae59a7b3f675013ebf231abc2c5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x70851e2976820b6bafa60810ea244249
Finished request 6.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.177 port 58989, id=7, length=221
User-Name = "john"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02070060150017030100202abf4899df6abcd33096f265cdd16e719635702bf38ce8f8
80b7e0fb959799051703010030d2669fb2fb2f436aa094debcdb79518f4c0ee3f33e2877
a4a44f3a446ccc10c64a542bb3b5378c56b5418653b3164466
State = 0x70851e2976820b6bafa60810ea244249
Message-Authenticator = 0x1e478f10f4bab4278b9faf92ba4d5b0d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x02000009016a6f686e
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Got tunneled identity of john
[ttls] Setting default EAP type for tunneled EAP session.
[ttls] Sending tunneled request
EAP-Message = 0x02000009016a6f686e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "john"
server {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
} # server
[ttls] Got tunneled reply code 11
EAP-Message = 0x010100160410e04582c33411dfd2af929b709cc23601
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb0ed2c00b0ec285c05125915d24f2066
[ttls] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 7 to 192.168.0.177 port 58989
EAP-Message =
0x0108004f1580000000451703010040a13a91a48ddd4ed8d7e4b2cfb5e0b567a38096af
c082a654395446250099e84d5d5e952f3e2875e15e3e18ca6b750ad68395704ca589b175
659d71ddbfc8c29f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x70851e29778d0b6bafa60810ea244249
Finished request 7.
Going to the next request
Waking up in 3.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.177 port 58989, id=8, length=221
User-Name = "john"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02080060150017030100208dddbae8a2d00c011b90a2f31006dcde6475e6e38ef85fc464516e9080f6d72617030100309d5904194f3b071d1e938c302c13147ca9db0230e7ae163df618f510286caf2c01d77224032f091cf153429ab9707d97
State = 0x70851e29778d0b6bafa60810ea244249
Message-Authenticator = 0xe690ad1ec9220fb4e4d1bd78cec8e20a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x02010006031a
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
EAP-Message = 0x02010006031a
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "john"
State = 0xb0ed2c00b0ec285c05125915d24f2066
server {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/mschapv2
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server
[ttls] Got tunneled reply code 11
EAP-Message = 0x0102001e1a01020019102959e603f5ec55fc4d3b4d1e6cdfb4626a6f686e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb0ed2c00b1ef365c05125915d24f2066
[ttls] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 8 to 192.168.0.177 port 58989
EAP-Message = 0x0109004f158000000045170301004000f2d6ff37bd5591853aac3b581da2ef6734c26110f9a51dabcbba3d31640c1dbf58e744e564b57c15209c7f26b384d6f91de9623bdc2c9c4671f9ae0f60f00f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x70851e29788c0b6bafa60810ea244249
Finished request 8.
Going to the next request
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.177 port 58989, id=9, length=269
User-Name = "john"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020900901500170301002059b68674bd770cdb478dc184ed5ed0ba3d492448af8b1f4eb868a73db5c164901703010060b6dd122a70a4b877fd516c218f952adf2a645b4c942718926f817788a5682539e3e1498d33b9ba76d3f14a3185140df1e4f89583990dbd365c432a7f0ebcc5b2af9a7762688a2318f7c972f3055bcdee12b2d334d3e233d4a1ee57ff15ef61c0
State = 0x70851e29788c0b6bafa60810ea244249
Message-Authenticator = 0x03d36e4152a4b579117dbbcded472d58
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x0202003f1a0202003a313040f71ffff45932c78288172e36d8020000000000000000fed561ff311854eb54e8dbc91a6c84a5461735610fc0a048006a6f686e
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
EAP-Message = 0x0202003f1a0202003a313040f71ffff45932c78288172e36d8020000000000000000fed561ff311854eb54e8dbc91a6c84a5461735610fc0a048006a6f686e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "john"
State = 0xb0ed2c00b1ef365c05125915d24f2066
server {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for john with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server
[ttls] Got tunneled reply code 3
MS-CHAP-Error = "\002E=691 R=1"
EAP-Message = 0x04020004
Message-Authenticator = 0x00000000000000000000000000000000
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user john
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> john
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 9 to 192.168.0.177 port 58989
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.4 seconds.
Cleaning up request 0 ID 0 with timestamp +173
Cleaning up request 1 ID 1 with timestamp +173
Waking up in 0.6 seconds.
Cleaning up request 2 ID 2 with timestamp +173
Cleaning up request 3 ID 3 with timestamp +174
Waking up in 0.1 seconds.
Cleaning up request 4 ID 4 with timestamp +174
Cleaning up request 5 ID 5 with timestamp +174
Waking up in 0.1 seconds.
Cleaning up request 6 ID 6 with timestamp +174
Waking up in 0.1 seconds.
Cleaning up request 7 ID 7 with timestamp +174
Waking up in 0.1 seconds.
Cleaning up request 8 ID 8 with timestamp +174
Waking up in 1.2 seconds.
Cleaning up request 9 ID 9 with timestamp +174
Ready to process requests.


Thanks,
BMano
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/EAP-MSCHAP-V2-mschap-FAILED-No-NT-LM-Password-Cannot-perform-authentication-tp3198834p3198834.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

Phil Mayers
2010-10-05 07:04:22 UTC
Post by Sallee, Stephen (Jake)
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for john with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Fix the first error. Entries in the users file should read:

username Cleartext-Password := "thepassword"

Alan DeKok
2010-10-06 05:38:33 UTC
Post by Sallee, Stephen (Jake)
Hello,
I am trying to Implement EAP-ttls and MSCHAP(V2).
I tried all the forums to solutions.
I am getting the following error.
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for john with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
You haven't configured a "known good" password for the user.

Download 2.1.10, and look at the top of the file
"raddb/sites-available/inner-tunnel". That "listen" section will also
work in 2.1.8. In fact, it may already be there in 2.1.8, but commented
out.

Follow the instructions at the top of the file from 2.1.10, using the
2.1.10 version of "radclient" and "radtest".

It *will* work.

Alan DeKok.
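Added example, not code from this thread or from the FreeRADIUS project: a small Python lint for the `users` file that finds the mistake behind the warnings in the debug output ("User-Password ==" used as a check item, which rlm_pap warns about and rlm_mschap cannot use at all), also flags entries that store only a hashed form such as Crypt-Password (enough for PAP, but MS-CHAPv2 still needs cleartext or an NT/LM hash), and applies the rewrite Phil gives, `Cleartext-Password :=`. The sample users file, the function names and the subset of the users-file grammar handled are assumptions of this example.

```python
"""Lint a FreeRADIUS 'users' file for the mistake behind the
'No NT/LM-Password' MS-CHAPv2 rejection in the debug output above.

Added example, not FreeRADIUS project code. It handles the common subset
of the users-file grammar: an entry starts in column 0 with a name and
comma-separated check items; indented lines carry reply items.
"""
import re

# "Known good" password forms rlm_mschap can use: the cleartext (it derives
# the NT hash itself) or an already-computed NT/LM hash. Hashed forms such
# as Crypt-Password satisfy PAP only.
MSCHAP_KNOWN_GOOD = {"Cleartext-Password", "NT-Password", "LM-Password"}

# One "Attribute op value" item; the value is a quoted string or bare token.
ITEM_RE = re.compile(
    r'(?P<attr>[A-Za-z0-9-]+)\s*(?P<op>:=|==|\+=|!=|=\*|!\*|<=|>=|<|>|=)\s*'
    r'(?P<val>"[^"]*"|\S+?)\s*(?:,|$)'
)

# Constructed sample mirroring the log: DEFAULT uses User-Password == as a
# check item, which rlm_pap warns about and rlm_mschap cannot use at all.
SAMPLE_USERS = """\
# constructed sample users file
DEFAULT User-Password == "testing"
\tReply-Message = "Hello, %{User-Name}"

john\tCleartext-Password := "hello"
\tService-Type = Framed-User

carol\tCrypt-Password := "PLACEHOLDER-CRYPT-HASH"
"""


def _items(fragment):
    return [(m["attr"], m["op"], m["val"]) for m in ITEM_RE.finditer(fragment)]


def parse_users(text):
    """Return entries as dicts: name, line, check items, reply items."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # Indented continuation: reply items for the current entry.
            if entries:
                entries[-1]["reply"].extend(_items(raw.strip()))
            continue
        m = re.match(r"(\S+)\s*(.*)", raw)
        entries.append({"name": m.group(1), "line": lineno,
                        "check": _items(m.group(2)), "reply": []})
    return entries


def lint_users(text):
    """Return one finding string per problem; an empty list means clean."""
    findings = []
    for e in parse_users(text):
        where = f'line {e["line"]} ({e["name"]})'
        for attr, op, _ in e["check"]:
            if attr == "User-Password":
                findings.append(
                    f'{where}: "User-Password {op}" compares the request '
                    f'attribute and is not a known-good password; '
                    f'write "Cleartext-Password :=" instead')
        stored = {a for a, _, _ in e["check"]
                  if a.endswith("-Password") and a != "User-Password"}
        if stored and not stored & MSCHAP_KNOWN_GOOD:
            findings.append(
                f'{where}: only {sorted(stored)} is stored; PAP can verify it, '
                f'but MS-CHAPv2 needs a cleartext or NT/LM form and will fail '
                f'with "No NT/LM-Password"')
    return findings


def fix_user_password_check(text):
    """Apply the fix from the thread: 'User-Password ==' -> 'Cleartext-Password :='."""
    return re.sub(r'(?m)^(\S+.*?)\bUser-Password\s*==',
                  r'\1Cleartext-Password :=', text)


if __name__ == "__main__":
    for f in lint_users(SAMPLE_USERS):
        print("before:", f)
    for f in lint_users(fix_user_password_check(SAMPLE_USERS)):
        print("after: ", f)
```

Point `parse_users` at the server's own file (`/etc/freeradius/users` in the log above) before retesting. Once the entry reads `Cleartext-Password := "..."`, the inner-tunnel listener Alan refers to lets you exercise the inner authentication without a wireless client, using `radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 SECRET` (port 18120 and the `localhost` client secret are the stock values in the 2.1.10 `inner-tunnel` and `clients.conf` files; check yours).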