Problem with MSCHAP when migrating from freeradius2 to freeradius3


Problem with MSCHAP when migrating from freeradius2 to freeradius3

koehne
Hello,

I've now spent so much time on troubleshooting, testing and searching
for hints on the internet, I hope someone here from this mailing-list
can support me.

We are using freeradius to authenticate CLI-Access to Network-Devices,
VPN-Access and WLAN-Access. As User-Database we are using Novell
eDirectory via LDAP.
I want to migrate from freeradius2 to freeradius3 on a new server.
I've already succeeded with migrating Network-CLI- and VPN-Access,
however WLAN-Access is not working.

These are the significant messages from the DEBUG saying "mschap: No
Cleartext-Password configured".

...
Executing group from file /etc/raddb/sites-enabled/inner-tunnel
Fri Feb 1 10:18:31 2019 : Debug: (8) eap_mschapv2: authenticate {
Fri Feb 1 10:18:31 2019 : Debug: (8) eap_mschapv2:
modsingle[authenticate]: calling mschap (rlm_mschap)
Fri Feb 1 10:18:31 2019 : WARNING: (8) mschap: No Cleartext-Password
configured. Cannot create NT-Password
Fri Feb 1 10:18:31 2019 : WARNING: (8) mschap: No Cleartext-Password
configured. Cannot create LM-Password
Fri Feb 1 10:18:31 2019 : Debug: (8) mschap: Creating challenge hash
with username: koehne
Fri Feb 1 10:18:31 2019 : Debug: (8) mschap: Client is using MS-CHAPv2
Fri Feb 1 10:18:31 2019 : ERROR: (8) mschap: FAILED: No NT/LM-Password.
Cannot perform authentication
...

Enclosed is a full debug.

I've compared "old" and "new" configuration of the relevant modules
several times and adapted the necessary changes in the configuration
from freeradius2 to freeradius3.

Here are the configs of the virtual-server and the ldap module:

server mdwwlan {
        listen {
                ....
        }
        authorize {
                filter_username
                preprocess
                auth_log
                detail
                suffix
                files
                -ldap
                eap {
                        ok = return
                }
                Autz-Type LDAP {
                        mdwacc_wlan
                        mschap
                        update {
                                &MS-CHAP-User-Name := "%{mschap:User-Name}"
                        }
                }
        }
        authenticate {
                Auth-Type MSCHAP {
                        mschap
                }
                eap
        }
}



ldap mdwacc_wlan {
         server = "ldap.mdw.ac.at"
         port = 636
         identity = "cn=ldap_radius,o=MDWds"
         password = frtz56uit33
         basedn = "o=MDWds"
         access_attr = "mdwaccAllowwlan"
         filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
         update {
                control:NT-Password             := 'mdwaccPwwlan'
         }
         edir_autz = yes
         user {
              basedn = "o=MDWds"
              filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
              scope = 'sub'
              access_attr = 'mdwaccAllowwlan'
         }
         group {
              basedn = "o=MDWds"
              filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
              scope = 'sub'
              membership_attribute = 'radiusGroupName'
         }
         options {
                 timeout = 4
                 srv_timelimit = 3
                 net_timeout = 1
         }
         tls {
                 start_tls = no
         }
         pool {
              start = ${thread[pool].start_servers}
              min = ${thread[pool].min_spare_servers}
              max = ${thread[pool].max_servers}
              uses = 0
              lifetime = 0
         }
}



And the "users" File:

DEFAULT Huntgroup-Name == WISM, Autz-Type := LDAP
                 Fall-Through = yes




Do you have any hints for me, what could be missing or wrong in my
configuration of version 3?

Thank You!!

Best Regards
Ronald

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Attachment: radius3-fulllog.txt (421K)

Re: Problem with MSCHAP when migrating from freeradius2 to freeradius3

Alan DeKok-2
On Feb 4, 2019, at 4:22 AM, koehne <[hidden email]> wrote:
> I've now spent so much time on troubleshooting, testing and searching for hints on the internet, I hope someone here from this mailing-list can support me.
>
> We are using freeradius to authenticate CLI-Access to Network-Devices, VPN-Access and WLAN-Access. As User-Database we are using Novell eDirectory via LDAP.
> I want to migrate from freeradius2 to freeradius3 on a new server.
> I've already succeeded with migrating Network-CLI- and VPN-Access, however WLAN-Access is not working.
>
> These are the significant messages from the DEBUG saying "*mschap: No Cleartext-Password configured*".

  Which should be clear.  The server is unable to get the Cleartext-Password from LDAP.  As such, it can't do MS-CHAP.

> Enclosed is a full debug.

> radius3:/etc/raddb/sites-enabled # radiusd -XX
> ...

 There *is* documentation saying what we need.  And it says DO run "radiusd -X".  And DON'T run anything else.


> I´ve compared "old" and "new" configuration of the relevant modules several times and adapted the necessary changes in the configuration from freeradius2 to freeradius3.
>
> Here are the configs of the virtual-server and the ldap module:

  The documentation also says DON'T post config files.

  If you want to fix computer things, it helps to read the documentation.

  If you *read* the debug output, the message about Cleartext-Password is from the "inner-tunnel" virtual server.  So ... go fix that.

  Read what you've done to the "inner-tunnel" virtual server, and ask yourself: "Where is Cleartext-Password supposed to be coming from?"

  There's a reason the documentation says "make small changes to the config files and test them".  In this case, you've done huge edits to "inner-tunnel", and broken it.

  And the above comments about reading the docs are *not* just me being an asshole.  The *entire set of config files* you posted to the list was unrelated to the problem.  So posting them is useless.  Which is why we don't ask for them.  And the bizarre fascination by many people with running "radiusd -Xxxxxxx" is just confusing to me.

  Alan DeKok.


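Alan's diagnosis rests on one reading habit: find the failing request in the `radiusd -X` output and note which virtual server file was executing when it failed. The following is an added example, not FreeRADIUS code, that automates that read over the timestamped debug format shown in the first post. It tracks the last "Executing group from file ..." line per request number and tags every WARNING/ERROR with that file. The sample lines are reconstructed from the thread's excerpt, and the regular expressions assume the line layout seen there (timestamp, level, "(N)" request id, module, message).

```python
"""Triage a FreeRADIUS debug run: which virtual server file was active
when each WARNING/ERROR was logged?  Added example; not FreeRADIUS code."""
import re
from typing import Dict, List, Tuple

# Constructed sample, reconstructed from the excerpt in the thread.
SAMPLE_DEBUG = """\
Executing group from file /etc/raddb/sites-enabled/inner-tunnel
Fri Feb 1 10:18:31 2019 : Debug: (8) eap_mschapv2: authenticate {
Fri Feb 1 10:18:31 2019 : Debug: (8) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap)
Fri Feb 1 10:18:31 2019 : WARNING: (8) mschap: No Cleartext-Password configured. Cannot create NT-Password
Fri Feb 1 10:18:31 2019 : WARNING: (8) mschap: No Cleartext-Password configured. Cannot create LM-Password
Fri Feb 1 10:18:31 2019 : Debug: (8) mschap: Creating challenge hash with username: koehne
Fri Feb 1 10:18:31 2019 : Debug: (8) mschap: Client is using MS-CHAPv2
Fri Feb 1 10:18:31 2019 : ERROR: (8) mschap: FAILED: No NT/LM-Password. Cannot perform authentication
"""

# "(N) Executing group from file <path>"; the request id may be absent,
# as it is in the page's truncated excerpt, so it is optional here.
EXEC_RE = re.compile(r"(?:\((?P<req>\d+)\) )?Executing group from file (?P<file>\S+)")
# Timestamped -XX style: "... : WARNING: (8) mschap: <message>"
EVENT_RE = re.compile(r"(?P<level>WARNING|ERROR): \((?P<req>\d+)\) (?P<msg>.*)$")

Finding = Tuple[str, str, str, str]  # (request, level, file, message)


def triage(debug_text: str) -> List[Finding]:
    """Return every WARNING/ERROR with the virtual-server file that was
    executing for that request when the line was logged."""
    last_file: Dict[str, str] = {}   # request id -> most recent file
    fallback_file = "?"               # used when the Executing line had no id
    findings: List[Finding] = []
    for line in debug_text.splitlines():
        m = EXEC_RE.search(line)
        if m:
            if m.group("req"):
                last_file[m.group("req")] = m.group("file")
            fallback_file = m.group("file")
            continue
        m = EVENT_RE.search(line)
        if m:
            req = m.group("req")
            findings.append((req, m.group("level"),
                             last_file.get(req, fallback_file), m.group("msg")))
    return findings


def first_failure_file(debug_text: str) -> str:
    """Shortcut for the question Alan asks: which file did the ERROR come from?"""
    errors = [f for f in triage(debug_text) if f[1] == "ERROR"]
    return errors[0][2] if errors else ""


if __name__ == "__main__":
    for req, level, path, msg in triage(SAMPLE_DEBUG):
        print(f"request {req} {level:7} in {path}: {msg}")
    print("fix this file first:", first_failure_file(SAMPLE_DEBUG))
```

Run against a real capture (`python3 triage.py < debug.txt` after swapping `SAMPLE_DEBUG` for `sys.stdin.read()`), the output points at `sites-enabled/inner-tunnel`, which is where the mschap module ran without any password attribute in the control list.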

Re: Problem with MSCHAP when migrating from freeradius2 to freeradius3

koehne
Hi Alan,

thanks for your quick response.

> Which should be clear. The server is unable to get the
> Cleartext-Password from LDAP. As such, it can't do MS-CHAP.

Do you mean I shall get back the password from LDAP in cleartext
form?? Our eDir sends it in a hashed form. It has worked this way with
freeradius2 for years.

> Read what you've done to the "inner-tunnel" virtual server,

I've gone through this module several times in the last weeks and
have no further idea ...

> and ask yourself: "Where is Cleartext-Password supposed to be coming from?"

This is exactly what I'm asking myself ... with no clear answer and
idea what to change.
Sorry, I'm no Server-, Freeradius- or Linux-Expert. Normally I'm working
with Network-Devices, but now trying to migrate a very old freeradius
installation, because there's no other person in our office able to do
this.

Thanks for your patience.

Regards
Ronald

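Ronald's question, whether the password has to come back from LDAP in cleartext, is the crux of the thread, and the debug lines in the first post ("No Cleartext-Password configured. Cannot create NT-Password" followed by "FAILED: No NT/LM-Password") describe the rule exactly. MS-CHAPv2 never compares the password itself; both sides work from the NT hash, MD4 over the UTF-16LE encoding of the password. So the mschap module needs either a stored `NT-Password` or a `Cleartext-Password` from which it can compute one, and a hashed eDirectory attribute is fine as long as it lands in `control:NT-Password` in the virtual server that runs mschap. The block below is an added example, not FreeRADIUS code: a small MD4 implementation, the NT-hash derivation, and a `resolve_nt_password` function that mirrors the module's decision. The dictionary keys mirror the attribute names from the thread; the value encodings it accepts for `NT-Password` (16 raw bytes, or 32 hex digits with an optional `0x` prefix) are this example's assumption and should be checked against the rlm_mschap documentation.

```python
"""Why rlm_mschap needs Cleartext-Password or NT-Password.
Added example, not FreeRADIUS code: MD4, the NT hash, and the module's
"which password attribute can I use?" decision."""
import struct
from typing import Optional

_MASK = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & _MASK


def _md4_compress(state, block: bytes):
    """One 64-byte MD4 block (RFC 1320), three rounds of 16 steps."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    # Round 1: F(x,y,z) = (x & y) | (~x & z)
    for i in range(16):
        a = _rotl((a + ((b & c) | (~b & d)) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 2: G = majority(x,y,z), constant floor(2^30 * sqrt(2))
    for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):
        a = _rotl((a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999) & _MASK,
                  (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 3: H = x ^ y ^ z, constant floor(2^30 * sqrt(3))
    for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
        a = _rotl((a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return tuple((s + v) & _MASK for s, v in zip(state, (a, b, c, d)))


def md4(data: bytes) -> bytes:
    """MD4 digest (16 bytes).  Python's hashlib often lacks md4, hence this."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(padded), 64):
        state = _md4_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The value mschap derives when only Cleartext-Password is present."""
    return md4(password.encode("utf-16-le"))


def normalize_nt_password(value) -> Optional[bytes]:
    """Turn a stored NT-Password into the 16 raw bytes mschap works with.
    Accepted forms here (an assumption of this example, not a statement
    about FreeRADIUS): 16 raw bytes, or 32 hex digits with optional 0x."""
    if isinstance(value, bytes) and len(value) == 16:
        return value
    if isinstance(value, bytes):
        value = value.decode("ascii", errors="replace")
    if isinstance(value, str):
        h = value[2:] if value[:2].lower() == "0x" else value
        if len(h) == 32 and all(ch in "0123456789abcdefABCDEF" for ch in h):
            return bytes.fromhex(h)
    return None


def resolve_nt_password(control: dict) -> Optional[bytes]:
    """Mirror the module's decision seen in the debug: use NT-Password if
    the control list has one, else derive it from Cleartext-Password,
    else there is nothing to authenticate against (the thread's failure)."""
    if "NT-Password" in control:
        return normalize_nt_password(control["NT-Password"])
    if "Cleartext-Password" in control:
        return nt_hash(control["Cleartext-Password"])
    return None


if __name__ == "__main__":
    # Constructed control lists for the three situations in the thread.
    print("empty control list      ->", resolve_nt_password({}))
    print("Cleartext-Password only ->", resolve_nt_password({"Cleartext-Password": "password"}).hex())
    print("NT-Password from LDAP   ->",
          resolve_nt_password({"NT-Password": "0x8846F7EAEE8FB117AD06BDD830B7586C"}).hex())
```

The third case is the one Ronald needs: an NT hash read from the directory is sufficient, and no cleartext password has to leave eDirectory. The first case is what the debug shows, an inner-tunnel control list with neither attribute, which is why the fix belongs in whatever populates `control:NT-Password` for the inner tunnel rather than in the outer `mdwwlan` server.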