
freeradius 1.1.4 + LDAP + PEAP/mschapv2


Baptiste Delporte

Feb 19, 2007, 4:54:27 AM
Hi all !

After installing Freeradius 1.1.4, I am trying to set it up to authenticate users with an LDAP database using PEAP + eap/mschapv2.

Freeradius seems to work fine for most users, but for a few people I get this error in my log file:

Mon Feb 19 09:30:07 2007 : Info: rlm_eap_tls: Length Included
Mon Feb 19 09:30:07 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Feb 19 09:30:07 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Feb 19 09:30:07 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Mon Feb 19 09:30:07 2007 : Info: rlm_eap_tls: Length Included
Mon Feb 19 09:30:07 2007 : Info: (other): SSL negotiation finished successfully
Mon Feb 19 09:30:07 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Mon Feb 19 09:30:07 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Mon Feb 19 09:30:07 2007 : Info: rlm_eap_mschapv2: Issuing Challenge
Mon Feb 19 09:30:08 2007 : Error: rlm_mschap: Invalid LM-Password
Mon Feb 19 09:30:08 2007 : Error: rlm_mschap: Invalid NT-Password
Mon Feb 19 09:30:08 2007 : Auth: Login incorrect: [********]

Authentication works perfectly with the same config files (eap.conf, radiusd.conf, users...) with an older version (1.0.1 and even 1.1.3) of freeradius on the same server.

I've made tests with EAP-TTLS, and in that case authentication also works fine for everyone.

In both cases, I get this line when I run freeradius in debug mode:

rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.

And I can't find if there's a link between that warning and the authentication failure for some of my users.

Thanks for your help.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Alan DeKok

Feb 19, 2007, 8:47:10 AM
Baptiste Delporte wrote:
> Mon Feb 19 09:30:08 2007 : Error: rlm_mschap: Invalid LM-Password
> Mon Feb 19 09:30:08 2007 : Error: rlm_mschap: Invalid NT-Password

That happens only when an LM-Password and NT-Password are added for
the user, AND where they're not the right format.

> Authentication works perfectly with the same config files (eap.conf,
> radiusd.conf,users...) with an older version (1.0.1 and even 1.1.3) of
> freeradius on the same server.

Run the server in debugging mode in 1.1.3, and in 1.1.4. See what's
different.

The PAP module changed in 1.1.4, but I don't see why it would break
MSCHAP.

> In both cases, I get this line when I run freeradius in debug mode :
>
> rlm_pap: WARNING! No "known good" password found for the user.
> Authentication may fail because of this.

That happens if there's no way to authenticate the user. But it
shouldn't result in the above messages from the mschap module.

> And I can't find if there's a link between that warning and the
> authentication failure for some of my users.

Perhaps you could try posting the whole debug output, rather than tiny
pieces.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
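
Added example, not part of either post and not FreeRADIUS code: since the reply ties "Invalid LM-Password" / "Invalid NT-Password" to stored values in the wrong format, this Python check audits per-user values and lists the ones that would not parse. It assumes the expected format is a 16-octet hash given raw or as 32 hex digits (the thread does not spell the format out); `classify_hash`, `audit` and the sample entries are hypothetical names and constructed data.

```python
import string

HASH_OCTETS = 16  # assumption: LM and NT hashes are 16 octets each


def classify_hash(value: bytes) -> str:
    """Return 'ok-raw' or 'ok-hex', otherwise the reason the value is malformed."""
    if len(value) == HASH_OCTETS:
        return "ok-raw"
    if len(value) == 2 * HASH_OCTETS:
        if all(chr(b) in string.hexdigits for b in value):
            return "ok-hex"
        return "32 characters but not all hex digits"
    stripped = value.strip()
    if stripped != value and len(stripped) == 2 * HASH_OCTETS:
        return "surrounding whitespace"
    if value.startswith(b"{"):
        return "carries a {scheme} prefix"
    return f"unexpected length {len(value)}"


def audit(entries):
    """entries: {user: {attribute: bytes}} -> [(user, attribute, reason), ...]."""
    problems = []
    for user, attrs in sorted(entries.items()):
        for attr in ("LM-Password", "NT-Password"):
            if attr not in attrs:
                continue  # a missing attribute is not a format error
            verdict = classify_hash(attrs[attr])
            if not verdict.startswith("ok"):
                problems.append((user, attr, verdict))
    return problems


# Constructed sample data standing in for values read from the directory.
SAMPLE = {
    "alice": {"NT-Password": b"0123456789ABCDEF0123456789abcdef"},
    "bob": {"NT-Password": b"0123456789ABCDEF0123456789abcdef\n"},
    "carol": {
        "LM-Password": b"{LANMAN}0123456789ABCDEF0123456789ABCDEF",
        "NT-Password": bytes(range(16)),
    },
    "dave": {"NT-Password": b"0123456789ABCDEF0123456789ABCDEG"},
}

if __name__ == "__main__":
    for user, attr, reason in audit(SAMPLE):
        print(f"{user}: {attr}: {reason}")
```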