question regarding PEAP/MSCHAPv2 (ERROR: FAILED: No NT/LM-Password. Cannot perform authentication)


Thomas Stather
Hello

I am still failing with my RADIUS setup (eduroam -> PEAP/MSCHAPv2 and
authentication against our LDAP server) on 3.0.10.
After having sorted out lots of mistakes by myself in the RADIUS config
(thanks for your help on the previous post), the server now starts.

But when I try to connect with my mobile device to the test SSID, I get:


----------------------------------------------------------------------
...
(6) ldap1: User object found at DN "uid=tstather,ou=people,dc=mpimf-heidelberg,dc=mpg,dc=de"
rlm_ldap (ldap1): Released connection (0)
(6)         [ldap1] = ok
(6)       } # redundant redundant_ldap = ok
(6)       [pap] = noop
(6)     } # authorize = updated
(6)   Found Auth-Type = EAP
(6)   # Executing group from file /etc/raddb/sites-enabled/mpimf_inner-tunnel
(6)     authenticate {
(6) eap: Expiring EAP session with state 0x8d973f168d3225fd
(6) eap: Finished EAP session with state 0x8d973f168d3225fd
(6) eap: Previous EAP request found for state 0x8d973f168d3225fd, released from the list
(6) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/mpimf_inner-tunnel
(6) eap_mschapv2:   Auth-Type MS-CHAP {
(6) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(6) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(6) mschap: Creating challenge hash with username: [hidden email]
(6) mschap: Client is using MS-CHAPv2
(6) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(6) mschap: ERROR: MS-CHAP2-Response is incorrect
(6)     [mschap] = reject
(6)   } # Auth-Type MS-CHAP = reject
(6) eap: Sending EAP Failure (code 4) ID 165 length 4
(6) eap: Freeing handler
(6)       [eap] = reject
(6)     } # authenticate = reject
(6)   Failed to authenticate the user
(6)   Using Post-Auth-Type Reject
(6)   # Executing group from file /etc/raddb/sites-enabled/mpimf_inner-tunnel
(6)     Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject:    --> [hidden email]
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6)       [attr_filter.access_reject] = updated
(6)     } # Post-Auth-Type REJECT = updated
(6) } # server mpimf_inner-tunnel
(6) Virtual server sending reply
(6)   MS-CHAP-Error = "\245E=691 R=1 C=d3892ab1fa88824c1ae8daf07fc80483 V=3 M=Authentication failed"
(6)   EAP-Message = 0x04a50004
(6)   Message-Authenticator = 0x00000000000000000000000000000000
...
----------------------------------------------------------------------


Our LDAP server has the attributes "sambaLMPassword" and
"sambaNTPassword" (there is also a samba server linked to it).

I have read some documentation, but now I'm confused.

Am I right in the assumption that the error occurs because our LDAP
server has no "clear-text password" entries for the users?

Is the only option to get it to work to use the "ntlm_auth" module?

I wanted to implement this setup independently of our samba server, or
is this simply not possible?

Best,

Thomas

--
Thomas Stather
IT Services

Tel:  +49 6221-486 628
Fax: +49 6221-486 561

------------------------------------------------------------------------
Max Planck Institute for Medical Research (MPImF)
Jahnstrasse 29, 69120 Heidelberg
Germany

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: question regarding PEAP/MSCHAPv2 (ERROR: FAILED: No NT/LM-Password. Cannot perform authentication)

DaveA
The server tells you what is wrong:

(6) eap_mschapv2:   Auth-Type MS-CHAP {
(6) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(6) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(6) mschap: Creating challenge hash with username: [hidden email]
(6) mschap: Client is using MS-CHAPv2
(6) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(6) mschap: ERROR: MS-CHAP2-Response is incorrect

Do you have clear-text or NT hash passwords in LDAP?

See: http://deployingradius.com/documents/protocols/compatibility.html

Dave

Re: question regarding PEAP/MSCHAPv2 (ERROR: FAILED: No NT/LM-Password. Cannot perform authentication)

DaveA
In reply to this post by Thomas Stather

My mistake. I didn't read far enough.

What is your "password_attribute" set to in /etc/raddb/ldap?

Try setting it to "sambaNTPassword"

The mapping for sambaNTPassword exists by default:

/etc/raddb/ldap.attrmap:

checkItem       LM-Password                     sambaLmPassword
checkItem       NT-Password                     sambaNtPassword

Dave

Re: question regarding PEAP/MSCHAPv2 (ERROR: FAILED: No NT/LM-Password. Cannot perform authentication)

DaveA
Typo. It's early here...

/etc/raddb/modules/ldap?

Dave

Re: question regarding PEAP/MSCHAPv2 (ERROR: FAILED: No NT/LM-Password. Cannot perform authentication)

Thomas Stather
I tried to set password_attribute to "sambaNTPassword", but the error is still the same.


As we have the hashes in our LDAP, it seems that I have to switch to the
"ntlm_auth" module as described in:

http://deployingradius.com/documents/configuration/active_directory.html


But now another (hopefully easy to fix) issue:

In my setup, the ntlm_auth command in raddb/modules/mschap is set to:


ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-MPIMF}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

When I try

radtest -t mschap tstather <my password>  127.0.0.1:18120 0 <shared secret>

it works, but connecting via WLAN fails.


--------------------------------------------------------
...
(8) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MPIMF} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(8) mschap: EXPAND --username=%{mschap:User-Name:-None}
(8) mschap:    --> --username=[hidden email]
(8) mschap: ERROR: No NT-Domain was found in the User-Name
(8) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-MPIMF}
(8) mschap:    --> --domain=MPIMF
(8) mschap: Creating challenge hash with username: [hidden email]
(8) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(8) mschap:    --> --challenge=233049239fe1013b
(8) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(8) mschap:    --> --nt-response=9afa807de748f4cdfb1dcd7414d6ba3a9d5a787c18b448ad
(8) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(8) mschap: External script failed
(8) mschap: ERROR: External script says: Logon failure (0xc000006d)
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
(8)     [mschap] = reject
(8)   } # Auth-Type MS-CHAP = reject
(8) eap: Sending EAP Failure (code 4) ID 132 length 4
(8) eap: Freeing handler
(8)       [eap] = reject
(8)     } # authenticate = reject
(8)   Failed to authenticate the user
...
--------------------------------------------------------

I think the problem comes from the "mschap:User-Name" variable, which
holds the full username, i.e. "[hidden email]".

How can I change the configuration so that the username is the username
without our realm, in this case "tstather"?


Best,

Thomas


On 30.10.2015 at 13:19, David Aldwinckle wrote:

> Typo. its early here..
>
> /etc/raddb/modules/ldap?
>
> Dave

Re: question regarding PEAP/MSCHAPv2 (ERROR: FAILED: No NT/LM-Password. Cannot perform authentication)

Alan DeKok-2
On Oct 30, 2015, at 8:54 AM, Thomas Stather <[hidden email]> wrote:
>
> I tried to set
>
> password_attribute to "sambaNTPassword" but the error is still the same.

  Post the *full* debug.

>
> As we have the hashes in our LDAP it seems that i have to switch to "ntlm_auth" module

  No.  FreeRADIUS can get the hashes directly from LDAP.

> radtest -t mschap tstather <my password>  127.0.0.1:18120 0 <shared secret>
>
> it works, but connecting via WLAN fails.
...
> (8) mschap:    --> --nt-response=9afa807de748f4cdfb1dcd7414d6ba3a9d5a787c18b448ad
> (8) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'

  Which seems pretty straightforward.

> I think the problem comes from the "Mschap:User-Name" variable which holds the full username, i.e. "[hidden email]"
>
> How can i change the configuration so that the username is the username without our realm, in this case "tstather"?

  Don't.  Fix it so that FreeRADIUS gets the passwords from LDAP.  It will be simpler, faster, and easier to maintain.

  Alan DeKok.


Re: question regarding PEAP/MSCHAPv2 (ERROR: FAILED: No NT/LM-Password. Cannot perform authentication)

Matthew Newton
In reply to this post by Thomas Stather
On Fri, Oct 30, 2015 at 01:54:31PM +0100, Thomas Stather wrote:
> password_attribute to "sambaNTPassword" but the error is still the same.

"password_attribute" was not a literal.

> As we have the hashes in our LDAP it seems that i have to switch to
> "ntlm_auth" module as described in:

No you don't; David was right.

In the update {} section in mods-enabled/ldap, look at the

#               control:NT-Password             := 'ntPassword'

line and add instead:

               control:NT-Password             := 'sambaNTPassword'
               control:LM-Password             := 'sambaLMPassword'

then it should work.

You can do this with LDAP and Samba. ntlm_auth will also work. You
can't do LDAP with real AD.

Matthew


--
Matthew Newton, Ph.D. <[hidden email]>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <[hidden email]>
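Added example (editor's code, not from the thread and not FreeRADIUS's own source) showing the check rlm_mschap performs once control:NT-Password has been filled from LDAP, for instance from sambaNTPassword as Matthew suggests above. It implements ChallengeHash() and ChallengeResponse() from RFC 2759 in Go using only the standard library and verifies RFC 2759's published test vectors (section 9.2, user "User", password "clientPass"). The point it makes concrete is that the server needs nothing but the 16-byte NT hash, never a cleartext password, and that the username fed into the challenge hash has to be exactly the one the supplicant used, which is why the debug log prints "Creating challenge hash with username". The function names challengeHash, challengeResponse and verifyMSCHAPv2 are this example's own.

```go
// Added example (not from the thread or FreeRADIUS): the check rlm_mschap
// performs once control:NT-Password has been filled from LDAP, e.g. from
// sambaNTPassword. Only the 16-byte NT hash is needed, never the cleartext.
// Test vectors are taken from RFC 2759, section 9.2.
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// challengeHash is ChallengeHash() from RFC 2759: the 8-byte DES challenge is
// SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]. The name must
// be the one the supplicant hashed, which is why the debug log prints it.
func challengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(userName))
	return h.Sum(nil)[:8]
}

// desKey spreads a 7-byte key over 8 bytes, one parity bit (ignored by DES)
// at the bottom of each byte, as the MS-CHAP DesEncrypt() routine does.
func desKey(k7 []byte) []byte {
	return []byte{
		k7[0] & 0xfe,
		(k7[0]<<7 | k7[1]>>1) & 0xfe,
		(k7[1]<<6 | k7[2]>>2) & 0xfe,
		(k7[2]<<5 | k7[3]>>3) & 0xfe,
		(k7[3]<<4 | k7[4]>>4) & 0xfe,
		(k7[4]<<3 | k7[5]>>5) & 0xfe,
		(k7[5]<<2 | k7[6]>>6) & 0xfe,
		(k7[6] << 1) & 0xfe,
	}
}

// challengeResponse is ChallengeResponse() from RFC 2759: the NT hash is
// zero-padded to 21 bytes, cut into three 7-byte DES keys, and each one
// encrypts the 8-byte challenge; the concatenation is the 24-byte NT-Response.
func challengeResponse(challenge, ntHash []byte) ([]byte, error) {
	if len(challenge) != 8 || len(ntHash) != 16 {
		return nil, errors.New("challenge must be 8 bytes and NT hash 16 bytes")
	}
	z := make([]byte, 21)
	copy(z, ntHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		c, err := des.NewCipher(desKey(z[i : i+7]))
		if err != nil {
			return nil, err
		}
		out := make([]byte, 8)
		c.Encrypt(out, challenge)
		resp = append(resp, out...)
	}
	return resp, nil
}

// verifyMSCHAPv2 recomputes the expected NT-Response from the stored hash and
// compares it with the one the peer sent; a mismatch is what the server logs
// as "MS-CHAP2-Response is incorrect".
func verifyMSCHAPv2(userName string, authChallenge, peerChallenge, ntResponse, ntHash []byte) (bool, error) {
	expected, err := challengeResponse(challengeHash(peerChallenge, authChallenge, userName), ntHash)
	if err != nil {
		return false, err
	}
	return bytes.Equal(expected, ntResponse), nil
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// RFC 2759 section 9.2 vectors: user "User", password "clientPass".
	auth := mustHex("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer := mustHex("21402324255E262A28295F2B3A337C7E")
	ntHash := mustHex("44EBBA8D5312B8D611474411F56989AE") // the value sambaNTPassword would hold
	ntResp := mustHex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

	fmt.Printf("challenge hash: %x\n", challengeHash(peer, auth, "User"))
	ok, _ := verifyMSCHAPv2("User", auth, peer, ntResp, ntHash)
	fmt.Println("response valid with stored NT hash:", ok)

	// Same hash, but a different name goes into the challenge hash than the
	// one the peer used (realm appended here): the check must fail.
	ok, _ = verifyMSCHAPv2("User@example.org", auth, peer, ntResp, ntHash)
	fmt.Println("response valid with a different username:", ok)
}
```

Run it with `go run`; the first verification succeeds against the bare NT hash and the second fails solely because the username differs. The 42-byte authenticator response the server returns to the client (the "S=..." string) is left out: it needs MD4 of the NT hash, and Go's standard library has no MD4.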
Re: question regarding PEAP/MSCHAPv2 (ERROR: FAILED: No NT/LM-Password. Cannot perform authentication)

A.L.M.Buxey
In reply to this post by Thomas Stather
Just edit the ntlm_auth line so that you are using Stripped-User-Name instead of User-Name.


alan