RADIUS authentication fails with ERROR: No NT-Password
-
Sure, and I'd expect it to work, but it's definitely something unusual. I'd want to confirm it's not the cause before doing anything further.
Steve
-
I encountered this error too on pfSense Community 2.6.0 trying to setup UniFi RADIUS login.
An account with a password specified can login okay, but one setup to use OTP yields the below failure:Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication) -
okay, so looks like it's not an isolated case. I tried with one of my Linksys AP and got exactly the same error - that indicates the issue on the RADIUS side but cannot be very sure. Is there any one can help to debug this pls?
-S
-
And that was also with OTP? Were you able to test anything without OTP to confirm?
-
I seem to be getting the same issue's also.
Pfsense : 2.6.0-RELEASE (amd64)
Freeraduis: 3: 0.15.7_33
Access points UnifiAuth: (11) Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): Auth: (12) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)):But if I untick the "Disables weak EAP types: MD5, and GTC" everything connects fine both MAC and Windows devices.
When ticked the Mac device's prompt twice for login's and then connect but the windows device don't connect..
Any help would be great.
Thanks
-
So the clients is trying to use a weak EAP type and in OSX it is able to see that switch to another type but Windows doesn't. There's probably tweak for that in Windows.
-
@stephenw10 I am using this solution for a flex office so don't really wan't to go about tweaking the devices ;) but cheers for the advice.
do you think this issue can be fixed so we don't need to use weak EAP ?
Cheers
-
Probably not if the clients are using one of those weaker options and do not try anything else.
For local wifi auth it's unlikely to be significant risk IMO.Steve
-
Would this even be the case with a fresh install of Windows 10 fully up-to-date as I am getting the same errors
Sorry just trying to understand it fully..
Cheers
-
Not something I've ever looked into but if Windows is choosing to use that I'm not sure what you can do. Maybe radius can indicate why it fails prompting Windows to re-try or send a list of accepted ciphers. Also not something I've had to try.
-
V vLANity referenced this topic on
