Your request is correctly being redirected to your inner tunnel. Did you enable MSCHAP in the inner tunnel? Also, there seems to be an issue with how your realms are set up (if they are at all).
Try setting up your realms and logging in using the usern...@domain convention. Realms and make sure your mschap module is enabled in your inner-tunnel server.

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb....@lists.freeradius.org [mailto:[email protected] rg] On Behalf Of bmano
Sent: Monday, October 04, 2010 11:57 PM
To: [email protected]
Subject: EAP-MSCHAP-V2 - [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.

Hello,

I am trying to implement EAP-ttls and MSCHAP(V2). I tried all the forums for solutions. I am getting the following error.

[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for john with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect

Below is the RADIUS information:

FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 5 2010 at 02:49:11
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
    allow_core_dumps = yes
}
including dictionary file /etc/freeradius/dictionary
main {
    prefix = "/usr"
    localstatedir = "/var"
    logdir = "/var/log/freeradius"
    libdir = "/usr/lib/freeradius"
    radacctdir = "/var/log/freeradius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/var/run/freeradius/freeradius.pid"
    checkrad = "/usr/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
    }
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
}
home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = no
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
    irt = 2
    mrt = 16
    mrc = 5
    mrd = 30
}
home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
}
realm example.com {
    auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client 127.0.0.1 {
    require_message_authenticator = no
    secret = "testing123"
    shortname = "localhost"
    nastype = "other"
}
client 5.5.5.101/24 {
    require_message_authenticator = no
    secret = "secret"
    shortname = "private-network-1"
}
client 192.168.0.0/16 {
    require_message_authenticator = no
    secret = "secret"
    shortname = "private-network-1"
}
client 10.0.0.0/8 {
    require_message_authenticator = no
    secret = "secret"
    shortname = "private-network-1"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
    wait = yes
    input_pairs = "request"
    shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
    encryption_scheme = "crypt"
    auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
    radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
    default_eap_type = "tls"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
    challenge = "Password: "
    auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    pem_file_type = yes
    private_key_file = "/root/server_key.pem"
    certificate_file = "/root/server_cert.pem"
    CA_file = "/root/ca_cert.pem"
    private_key_password = "whatever"
    dh_file = "/dev/null"
    random_file = "/dev/urandom"
    fragment_size = 500
    include_length = yes
    check_crl = no
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
}
WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
    default_eap_type = "md5"
    copy_request_to_tunnel = no
    use_tunneled_reply = yes
    include_length = yes
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
    with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
    format = "suffix"
    delimiter = "@"
    ignore_default = no
    ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
    usersfile = "/etc/freeradius/users"
    acctusersfile = "/etc/freeradius/acct_users"
    preproxy_usersfile = "/etc/freeradius/preproxy_users"
    compat = "no"
}
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
    reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
    reply-message = "You are calling outside your allowed timespan "
    minimum-timeout = 60
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
    filename = "/var/log/freeradius/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
    attrsfile = "/etc/freeradius/attrs.access_reject"
    key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
    huntgroups = "/etc/freeradius/huntgroups"
    hints = "/etc/freeradius/hints"
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
    detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
    attrsfile = "/etc/freeradius/attrs.accounting_response"
    key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
    type = "auth"
    ipaddr = 192.168.0.151
    port = 0
}
listen {
    type = "acct"
    ipaddr = 192.168.0.151
    port = 0
}
Listening on authentication address 192.168.0.151 port 1812
Listening on accounting address 192.168.0.151 port 1813
Listening on proxy address 192.168.0.151 port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.177 port 58989, id=0, length=116
    User-Name = "john"
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = "02-00-00-00-00-01"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x02000009016a6f686e
    Message-Authenticator = 0x63345840c269c1b54fb17e2e2137cdb8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.0.177 port 58989
    EAP-Message = 0x010100060d20
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x70851e297084136bafa60810ea244249
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.177 port 58989, id=1, length=131
    User-Name = "john"
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = "02-00-00-00-00-01"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x020100060315
    State = 0x70851e297084136bafa60810ea244249
    Message-Authenticator = 0x704f97c360d41603d551267a2a606547
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.0.177 port 58989
    EAP-Message = 0x010200061520
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x70851e2971870b6bafa60810ea244249
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.177 port 58989, id=7, length=221
    User-Name = "john"
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = "02-00-00-00-00-01"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x02070060150017030100202abf4899df6abcd33096f265cdd16e719635702bf38ce8f8 80b7e0fb959799051703010030d2669fb2fb2f436aa094debcdb79518f4c0ee3f33e2877 a4a44f3a446ccc10c64a542bb3b5378c56b5418653b3164466
    State = 0x70851e2976820b6bafa60810ea244249
    Message-Authenticator = 0x1e478f10f4bab4278b9faf92ba4d5b0d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
    EAP-Message = 0x02000009016a6f686e
    FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Got tunneled identity of john
[ttls] Setting default EAP type for tunneled EAP session.
[ttls] Sending tunneled request
    EAP-Message = 0x02000009016a6f686e
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "john"
server {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
} # server
[ttls] Got tunneled reply code 11
    EAP-Message = 0x010100160410e04582c33411dfd2af929b709cc23601
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xb0ed2c00b0ec285c05125915d24f2066
[ttls] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 7 to 192.168.0.177 port 58989
    EAP-Message = 0x0108004f1580000000451703010040a13a91a48ddd4ed8d7e4b2cfb5e0b567a38096af c082a654395446250099e84d5d5e952f3e2875e15e3e18ca6b750ad68395704ca589b175 659d71ddbfc8c29f
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x70851e29778d0b6bafa60810ea244249
Finished request 7.
Going to the next request
Waking up in 3.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.177 port 58989, id=8, length=221 User-Name = "john" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02080060150017030100208dddbae8a2d00c011b90a2f31006dcde6475e6e38ef85fc4 64516e9080f6d72617030100309d5904194f3b071d1e938c302c13147ca9db0230e7ae16 3df618f510286caf2c01d77224032f091cf153429ab9707d97 State = 0x70851e29778d0b6bafa60810ea244249 Message-Authenticator = 0xe690ad1ec9220fb4e4d1bd78cec8e20a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "john", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [files] users: Matched entry DEFAULT at line 2 ++[files] returns ok ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. 
[ttls] Got tunneled request
  EAP-Message = 0x02010006031a
  FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
  EAP-Message = 0x02010006031a
  FreeRADIUS-Proxied-To = 127.0.0.1
  User-Name = "john"
  State = 0xb0ed2c00b0ec285c05125915d24f2066
server {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/mschapv2
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server
[ttls] Got tunneled reply code 11
  EAP-Message = 0x0102001e1a01020019102959e603f5ec55fc4d3b4d1e6cdfb4626a6f686e
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0xb0ed2c00b1ef365c05125915d24f2066
[ttls] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 8 to 192.168.0.177 port 58989
  EAP-Message = 0x0109004f158000000045170301004000f2d6ff37bd5591853aac3b581da2ef6734c261 10f9a51dabcbba3d31640c1dbf58e744e564b57c15209c7f26b384d6f91de9623bdc2c9c 4671f9ae0f60f00f
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0x70851e29788c0b6bafa60810ea244249
Finished request 8.
Going to the next request
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.177 port 58989, id=9, length=269
  User-Name = "john"
  NAS-IP-Address = 127.0.0.1
  Calling-Station-Id = "02-00-00-00-00-01"
  Framed-MTU = 1400
  NAS-Port-Type = Wireless-802.11
  Connect-Info = "CONNECT 11Mbps 802.11b"
  EAP-Message = 0x020900901500170301002059b68674bd770cdb478dc184ed5ed0ba3d492448af8b1f4e b868a73db5c164901703010060b6dd122a70a4b877fd516c218f952adf2a645b4c942718 926f817788a5682539e3e1498d33b9ba76d3f14a3185140df1e4f89583990dbd365c432a 7f0ebcc5b2af9a7762688a2318f7c972f3055bcdee12b2d334d3e233d4a1ee57ff15ef61 c0
  State = 0x70851e29788c0b6bafa60810ea244249
  Message-Authenticator = 0x03d36e4152a4b579117dbbcded472d58
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
  EAP-Message = 0x0202003f1a0202003a313040f71ffff45932c78288172e36d8020000000000000000fe d561ff311854eb54e8dbc91a6c84a5461735610fc0a048006a6f686e
  FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
  EAP-Message = 0x0202003f1a0202003a313040f71ffff45932c78288172e36d8020000000000000000fe d561ff311854eb54e8dbc91a6c84a5461735610fc0a048006a6f686e
  FreeRADIUS-Proxied-To = 127.0.0.1
  User-Name = "john"
  State = 0xb0ed2c00b1ef365c05125915d24f2066
server {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for john with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server
[ttls] Got tunneled reply code 3
  MS-CHAP-Error = "\002E=691 R=1"
  EAP-Message = 0x04020004
  Message-Authenticator = 0x00000000000000000000000000000000
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user john
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> john
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 9 to 192.168.0.177 port 58989
  EAP-Message = 0x04090004
  Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.4 seconds.
Cleaning up request 0 ID 0 with timestamp +173
Cleaning up request 1 ID 1 with timestamp +173
Waking up in 0.6 seconds.
Cleaning up request 2 ID 2 with timestamp +173
Cleaning up request 3 ID 3 with timestamp +174
Waking up in 0.1 seconds.
Cleaning up request 4 ID 4 with timestamp +174
Cleaning up request 5 ID 5 with timestamp +174
Waking up in 0.1 seconds.
Cleaning up request 6 ID 6 with timestamp +174
Waking up in 0.1 seconds.
Cleaning up request 7 ID 7 with timestamp +174
Waking up in 0.1 seconds.
Cleaning up request 8 ID 8 with timestamp +174
Waking up in 1.2 seconds.
Cleaning up request 9 ID 9 with timestamp +174
Ready to process requests.

Thanks,
BMano

--
View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-MSCHAP-V2-mschap-FAILED-No-NT-LM-Password-Cannot-perform-authentication-tp3198834p3198834.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
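
Added example, not part of the original thread and not FreeRADIUS code: a small Python decoder for the inner-tunnel EAP-Message values quoted in the debug output above, which makes the negotiation visible (Identity, then a Nak asking for MS-CHAPv2, then the MS-CHAPv2 challenge, then Failure). The function and constant names are hypothetical; the EAP codes and type numbers are the standard ones from RFC 3748 and the EAP method registry.

```python
import struct

# EAP codes and method types seen in this log (RFC 3748; 26 is EAP-MSCHAPv2).
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 21: "TTLS", 26: "MSCHAPv2"}
MSCHAP_OPS = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# Inner-tunnel EAP-Message values copied from the debug output above.
INNER = ["0x02000009016a6f686e", "0x02010006031a",
         "0x0102001e1a01020019102959e603f5ec55fc4d3b4d1e6cdfb4626a6f686e",
         "0x04020004"]


def decode_eap(hexstr):
    """Decode one EAP-Message value as printed in the debug log (hypothetical helper)."""
    digits = "".join(hexstr.split())          # the archive wrapped long values
    if digits.lower().startswith("0x"):
        digits = digits[2:]
    raw = bytes.fromhex(digits)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    pkt = {"code": CODES.get(code, code), "id": ident, "length": length}
    if length == 4:                           # Success/Failure: header only
        return pkt
    etype, body = raw[4], raw[5:]
    pkt["type"] = TYPES.get(etype, etype)
    if etype == 1:
        pkt["identity"] = body.decode("utf-8", "replace")
    elif etype == 3:                          # Nak lists the methods the peer wants
        pkt["wants"] = [TYPES.get(t, t) for t in body]
    elif etype == 26 and len(body) >= 5:
        op, vsize = body[0], body[4]
        pkt["op"] = MSCHAP_OPS.get(op, op)
        if op in (1, 2):                      # Challenge/Response: value, then name
            value = body[5:5 + vsize]
            pkt["name"] = body[5 + vsize:].decode("utf-8", "replace")
            if op == 1:
                pkt["challenge"] = value.hex()
            elif vsize == 49:                 # peer challenge 16, reserved 8, NT-Response 24, flags 1
                pkt["peer_challenge"] = value[:16].hex()
                pkt["nt_response"] = value[24:48].hex()
    return pkt


if __name__ == "__main__":
    for msg in INNER:
        print(decode_eap(msg))
```

The decoder strips whitespace first, so the wrapped MS-CHAPv2 response from the log can be pasted in as it appears.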

