Thanks for your assistance. My current plan of action is resetting the
SG-4860 and then loading a pfSense XML configuration file without the
FreeRADIUS configuration. That might negate some of the issues I
encountered. There are extreme differences between FreeRADIUS 2 and 3, but
the pfSense web configurator seems to account for these.

Kind Regards,

- Sigurd Kristensen

On Fri, Feb 16, 2018 at 3:45 PM, <d...@nvus.co.uk> wrote:

> You may be better posting to the FreeRADIUS mailing list, but IIRC there are
> significant differences between the config files for FreeRADIUS 2 and 3,
> meaning you have to rewrite the radius config files for version 3, as a
> version 2 file will not work.
>
> This is from the FreeRADIUS website on upgrading to version 3 from 2...
>
> The configuration for 3.0 is largely compatible with the 2.x.x
> configuration. However, it is NOT possible to simply use the 2.x.x
> configuration as-is. Instead, it should be re-created.
>
> Hope that helps.
>
> Kind regards,
> Dan
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Sigurd Kristensen
> Sent: 16 February 2018 13:57
> To: list@lists.pfsense.org
> Subject: [pfSense] Wireless authentication issues after Freeradius upgrade
>
> We recently purchased a Netgate SG-4860 in order to replace our custom-built
> desktop hardware.
>
> The desktop hardware was running pfSense 2.3.x and the SG-4860 was running
> 2.4.0 when delivered. According to pfSense documentation it's possible to
> migrate configuration.xml files to newer versions of pfSense, which is what
> we did.
>
> After replacing two pieces of hardware most appliances came up correctly as
> intended. However, after reinstalling FreeRADIUS 3 (over the previously
> installed FreeRADIUS 2.x.x) our RADIUS-based wireless SSIDs stopped
> functioning, with the following error:
>
> "mschap: FAILED: No NT/LM-Password.  Cannot perform authentication"
>
> Tests with the command radtest have worked by authenticating from the
> pfSense server itself. However, the access points are unable to
> authenticate.
>
> I have two offices running pfSense 2.3.3 and FreeRADIUS 2 that are currently
> working from the same SQL database without any issues.
>
> I have seen several posts with similar issues, but no apparent solution.
> Many of these are, however, authenticating against LDAP and not plain-text
> SQL. Among these are:
>
> http://lists.freeradius.org/pipermail/freeradius-users/2015-October/080614.html
> http://freeradius.1045715.n5.nabble.com/question-regarding-PEAP-MSCHAPv2-ERROR-FAILED-No-NT-LM-Password-Cannot-perform-authentication-td5737504.html
> https://github.com/FreeRADIUS/freeradius-server/issues/1314
> http://freeradius-users.freeradius.narkive.com/I8llQ7CQ/question-regarding-peap-mschapv2-error-failed-no-nt-lm-password-cannot-perform-authentication
> http://freeradius-users.freeradius.narkive.com/iEZKvxM1/rlm-mschap-failed-no-nt-lm-password-cannot-perform-authentication
>
> Notable warnings and errors from the output of "radiusd -X"
>
> Warning:
> ...
> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
> ...
>
> Warning:
> ...
>  # Loading authorize {...}
> Ignoring "sql" (see raddb/mods-available/README.rst)
> Ignoring "ldap" (see raddb/mods-available/README.rst)
> ...
>
> Warning:
> ....
> (7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
> ....
>
> Warning:
> ...
> (7)   WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!  Cancelling invalid proxy request.
> ....
>
> Warning:
> ...
> (7) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
> (7) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
> ...
>
> Error:
> ...
> (7) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
> (7) mschap: ERROR: MS-CHAP2-Response is incorrect
> ....
>
> Currently I suspect either an issue when the AP connects to the FreeRADIUS
> 3 server or an issue in the imported configuration.
>
> Currently using Aerohive for the wireless solution.
>
> Excerpt from database:
>
> mysql> select * from radcheck;
> +-----+------------+----------+--------------------+----+----------------+----------------------+
> | id  | name       | username | attribute          | op | value          | email                |
> +-----+------------+----------+--------------------+----+----------------+----------------------+
> |   3 | some name  | username | Cleartext-Password | := | somepassword   | usern...@domain.dk   |
> |   6 | some name  | username | Cleartext-Password | := | somepassword   | usern...@domain.dk   |
>
> Issue is crossposted here:
> https://forum.pfsense.org/index.php?topic=144096.0
>
> Any assistance in this is appreciated.
>
>
> --
>
> Sigurd Kristensen
> Systems Administrator
> ------------------------------
>
> Nodes
>
> Copenhagen // Artillerivej 86, 2300 Copenhagen, Denmark
> Aarhus // Frederiksgade 45, 2. sal, 8000 Aarhus, Denmark
> London // 174 North Gower Street, London NW1 2NB, United Kingdom
>
> Mobile: +45 31626876
>
> Web: http://www.nodes.dk
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>



-- 

Sigurd Kristensen
Systems Administrator
------------------------------

Nodes

Copenhagen // Artillerivej 86, 2300 Copenhagen, Denmark
Aarhus // Frederiksgade 45, 2. sal, 8000 Aarhus, Denmark
London // 174 North Gower Street, London NW1 2NB, United Kingdom

Mobile: +45 31626876

Web: http://www.nodes.dk
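
Added example, not part of the original messages or of FreeRADIUS: a small triage script for "radiusd -X" output that links mschap "No NT/LM-Password" failures to modules the server reported as ignored while loading authorize. The sample input is constructed from the lines quoted in the thread; the function names and finding labels are made up for illustration, and the output is a lead to check, not a confirmed cause for this case.

```python
import re

# Constructed sample, assembled from the "radiusd -X" excerpts quoted in the thread.
SAMPLE = '''\
 # Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(7) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(7) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
'''

SECTION = re.compile(r'#\s*Loading (\S+) \{')   # "# Loading authorize {...}"
IGNORED = re.compile(r'Ignoring "([^"]+)"')     # module referenced but not loaded
REQUEST = re.compile(r'^\((\d+)\)\s+(.*)$')     # "(7) message" per-request lines

def triage(text):
    """Return (ignored modules per section, set of findings per request id)."""
    ignored, requests, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.search(line)
        if m:
            section = m.group(1)
        for mod in IGNORED.findall(line):       # also handles two per wrapped line
            ignored.setdefault(section, []).append(mod)
        m = REQUEST.match(line)
        if not m:
            continue
        found = requests.setdefault(int(m.group(1)), set())
        msg = m.group(2)
        if "No Cleartext-Password configured" in msg:
            found.add("no-cleartext-password")
        if "No NT/LM-Password" in msg:
            found.add("mschap-failed")
        if "Outer and inner identities are the same" in msg:
            found.add("identity-exposed")
    return ignored, requests

def explain(text):
    """List requests where mschap had no password and authorize skipped modules."""
    ignored, requests = triage(text)
    skipped = ignored.get("authorize", [])
    return [f"request {req}: mschap had no password; authorize skipped {', '.join(skipped)}"
            for req, found in sorted(requests.items())
            if skipped and {"no-cleartext-password", "mschap-failed"} <= found]

if __name__ == "__main__":
    print("\n".join(explain(SAMPLE)))
```
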