RADIUS authentication fails with ERROR: No NT-Password
-
So, no one apart form me having this issue, really??
-S
-
Not an error I'm familiar with but it seems quite common.
You are just authenticating against Freeradius directly?
How is the client configured? EAP setup?
Steve
-
Sorry for replying late. Got some other stuff
You are just authenticating against Freeradius directly?
If I really understood the question, the answer is
yes. Just using UniFi AP WiFi access.How is the client configured? EAP setup?
The NAS/Client on the pfSense is configured with the AP IP as
Client IP Address, IPv4 and with a client shared-secret and default EAP typePEAP. On the AP, it's configured withWAP2 Enterprise, pointing to pfSense IP as the RADIUS server, with the appropreate Authrozion and Accounting port.Is that answer your question? Let me know if you ned any othert information.
-San
-
Hmm you're trying to use OTP for wifi auth also? Have you tested it without that?
-
@stephenw10 at the the same RADIUS users are used for VPN access as well, so OTP is on. I can give a try disabling OTP but it has to work with OTP for us. I'll reply here soon.
-
Sure, and I'd expect it to work, but it's definitely something unusual. I'd want to confirm it's not the cause before doing anything further.
Steve
-
I encountered this error too on pfSense Community 2.6.0 trying to setup UniFi RADIUS login.
An account with a password specified can login okay, but one setup to use OTP yields the below failure:Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication) -
okay, so looks like it's not an isolated case. I tried with one of my Linksys AP and got exactly the same error - that indicates the issue on the RADIUS side but cannot be very sure. Is there any one can help to debug this pls?
-S
-
And that was also with OTP? Were you able to test anything without OTP to confirm?
-
I seem to be getting the same issue's also.
Pfsense : 2.6.0-RELEASE (amd64)
Freeraduis: 3: 0.15.7_33
Access points UnifiAuth: (11) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): Auth: (12) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)):But if I untick the "Disables weak EAP types: MD5, and GTC" everything connects fine both MAC and Windows devices.
When ticked the Mac device's prompt twice for login's and then connect but the windows device don't connect..
Any help would be great.
Thanks
-
So the clients is trying to use a weak EAP type and in OSX it is able to see that switch to another type but Windows doesn't. There's probably tweak for that in Windows.
-
@stephenw10 I am using this solution for a flex office so don't really wan't to go about tweaking the devices ;) but cheers for the advice.
do you think this issue can be fixed so we don't need to use weak EAP ?
Cheers
-
Probably not if the clients are using one of those weaker options and do not try anything else.
For local wifi auth it's unlikely to be significant risk IMO.Steve
-
Would this even be the case with a fresh install of Windows 10 fully up-to-date as I am getting the same errors
Sorry just trying to understand it fully..
Cheers
-
Not something I've ever looked into but if Windows is choosing to use that I'm not sure what you can do. Maybe radius can indicate why it fails prompting Windows to re-try or send a list of accepted ciphers. Also not something I've had to try.
-
V vLANity referenced this topic on
