Thanks for your assistance. My current plan of action is resetting the SG-4860 and then loading a pfSense XML configuration file without the FreeRADIUS configuration. That might negate some of the issues I encountered; there are extreme differences between FreeRADIUS 2 and 3, but the pfSense web configurator seems to account for these.

Kind Regards,
- Sigurd Kristensen

On Fri, Feb 16, 2018 at 3:45 PM, <d...@nvus.co.uk> wrote:
> You may be better posting to the Freeradius maillist but IIRC there are
> significant differences between the config files for Freeradius 2 and 3
> meaning you have to rewrite the radius config files for version 3 as a
> version 2 file will not work.
>
> This is from the freeradius website on upgrading to version 3 from 2...
>
> The configuration for 3.0 is largely compatible with the 2.x.x
> configuration. However, it is NOT possible to simply use the 2.x.x
> configuration as-is. Instead, it should be re-created.
>
> Hope that helps.
>
> Kind regards,
> Dan
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Sigurd Kristensen
> Sent: 16 February 2018 13:57
> To: list@lists.pfsense.org
> Subject: [pfSense] Wireless authentication issues after Freeradius upgrade
>
> We recently purchased a Netgate SG-4860 in order to replace our custom built
> desktop hardware.
>
> The desktop hardware was running pfsense 2.3.x and the sg-4860 was running
> 2.4.0 when delivered. According to Pfsense documentation it's possible to
> migrate configuration.xml files to newer versions of Pfsense which is what
> we did.
>
> After replacing two pieces of hardware most appliances came up correctly as
> intended, however after reinstalling Freeradius 3 (over the previously
> installed Freeradius 2.x.x) our radius based wireless SSIDs stopped
> functioning, with the following error:
>
> "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
>
> Tests with the command radtest have worked by authenticating from the
> pfsense server itself. However the access points are unable to
> authenticate.
>
> I have two offices running pfsense 2.3.3 and Freeradius 2 that are currently
> working from the same SQL database without any issues.
>
> I have seen several posts with similar issues, but no apparent solution.
> Many of these are however authenticating against LDAP and not plain-text SQL
> - Among these are:
>
> http://lists.freeradius.org/pipermail/freeradius-users/2015-October/080614.html
> http://freeradius.1045715.n5.nabble.com/question-regarding-PEAP-MSCHAPv2-ERROR-FAILED-No-NT-LM-Password-Cannot-perform-authentication-td5737504.html
> https://github.com/FreeRADIUS/freeradius-server/issues/1314
> http://freeradius-users.freeradius.narkive.com/I8llQ7CQ/question-regarding-peap-mschapv2-error-failed-no-nt-lm-password-cannot-perform-authentication
> http://freeradius-users.freeradius.narkive.com/iEZKvxM1/rlm-mschap-failed-no-nt-lm-password-cannot-perform-authentication
>
> Notable warnings and errors from the output of "radiusd -X"
>
> Warning:
> ...
> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
> ...
>
> Warning:
> ...
> # Loading authorize {...}
> Ignoring "sql" (see raddb/mods-available/README.rst)
> Ignoring "ldap" (see raddb/mods-available/README.rst)
> ...
>
> Warning:
> ....
> (7) WARNING: Outer and inner identities are the same. User privacy is compromised.
> ....
>
> Warning:
> ...
> (7) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
> ....
>
> Warning:
> ...
> (7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
> (7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
> ...
>
> Error:
> ...
> (7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
> (7) mschap: ERROR: MS-CHAP2-Response is incorrect
> ....
>
> Currently I suspect either an issue when the AP connects to the Freeradius
> 3 server or an issue in the imported configuration.
>
> Currently using Aerohive for the wireless solution.
>
> Excerpt from database:
>
> mysql> select * from radcheck;
> +-----+------------+----------+--------------------+----+----------------+----------------------+
> | id  | name       | username | attribute          | op | value          | email                |
> +-----+------------+----------+--------------------+----+----------------+----------------------+
> | 3   | some name  | username | Cleartext-Password | := | somepassword   | usern...@domain.dk   |
> | 6   | some name  | username | Cleartext-Password | := | somepassword   | usern...@domain.dk   |
>
> Issue is crossposted here:
> https://forum.pfsense.org/index.php?topic=144096.0
>
> Any assistance in this is appreciated.
>
> --
> Sigurd Kristensen
> Systems Administrator
> ------------------------------
> Nodes
>
> Copenhagen // Artillerivej 86, 2300 Copenhagen, Denmark
> Aarhus // Frederiksgade 45, 2. sal, 8000 Aarhus, Denmark
> London // 174 North Gower Street, London NW1 2NB, United Kingdom
>
> Mobile: +45 31626876
>
> Web: http://www.nodes.dk
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
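
Added example (not part of the original thread and not FreeRADIUS or pfSense code): a small Python triage over `radiusd -X` output that ties each failed MS-CHAP request to the modules the server skipped at load time. The sample lines are copied from the excerpts quoted above; the function and tag names are hypothetical, and reading `Ignoring "sql"` as "the section references sql but the module was not loaded" is an assumption to confirm against the modules actually enabled on the box.

```python
import re

# Sample input: lines copied from the "radiusd -X" excerpts quoted in the thread.
SAMPLE = """\
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
"""

IGNORED = re.compile(r'Ignoring "([^"]+)" \(see\s+raddb/mods-available/README\.rst\)')
REQUEST = re.compile(r'^\((\d+)\)\s+(?:(\w+): )?(?:WARNING|ERROR): (.*)$')

# Message fragment -> finding tag (hypothetical tag names).
MARKERS = {
    "No Cleartext-Password configured": "no_password_in_control_list",
    "No NT/LM-Password": "mschap_failed",
    "Outer and inner identities are the same": "outer_identity_not_anonymous",
}

def triage(text):
    """Return (modules skipped at load, {request id: set of finding tags})."""
    ignored = IGNORED.findall(text)
    findings = {}
    for line in text.splitlines():
        m = REQUEST.match(line.strip())
        if not m:
            continue
        for fragment, tag in MARKERS.items():
            if fragment in m.group(3):
                findings.setdefault(int(m.group(1)), set()).add(tag)
    return ignored, findings

def summarize(text):
    """One line per request where mschap failed for lack of a stored password."""
    ignored, findings = triage(text)
    need = {"mschap_failed", "no_password_in_control_list"}
    return [
        f"request {rid}: mschap had no password to hash; "
        f"modules skipped at load: {', '.join(ignored) or 'none'}"
        for rid, tags in sorted(findings.items()) if need <= tags
    ]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Run against a full debug capture, a request that fails this way while `sql` appears in the skipped list points the review at whether the password lookup ever ran, before looking at the access points.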