freeradius3 - mschap: FAILED: No NT-Password

stephenw10

Hmm, what exactly are you trying to log into there?

It works as expected in the local auth test?

vLANity

iphone > Unifi AP > pfense/freeradius

stephenw10 said in freeradius3 - mschap: FAILED: No NT-Password:

It works as expected in the local auth test?

Yes, I believe that's what my first bullet states

stephenw10

@vLANity said in freeradius3 - mschap: FAILED: No NT-Password:

Yes, I believe that's what my first bullet states

Ah, so it does!

Ok, so you are using this for 802.1x auth to the access point rather than OpenVPN as shown in the article? Did you try using it for OpenVPN?

Yeah reading through that other thread it sure seems the same. You are running a newer pfSense version. I wonder if the those older EAP types were deprecated.

Do you see the same failure from any client type?

vLANity

@stephenw10 said in freeradius3 - mschap: FAILED: No NT-Password:

...you are using this for 802.1x auth to the access point rather than OpenVPN as shown in the article? Did you try using it for OpenVPN?

Correct; I have no need for OpenVPN at this time.

Yeah reading through that other thread it sure seems the same. You are running a newer pfSense version. I wonder if the those older EAP types were deprecated.

True; my concern is that my freeradius setup has seen so many alterations which may have rendered the fix in the reference thread useless. Hence why I was asking how to purge in order to setup from stock (as demonstrated in the original article)...

Do you see the same failure from any client type?

I tried various types, various combinations. I'm unclear on what you mean by "client", the terminology is overused so wanna make sure I know you're referring to the freeradius client vs iphone/etc. I haven't tested with tablet, but anticipate same as iphone.

stephenw10

Sorry I meant Windows, MacOS, Linux, iOS etc. The other user reported Windows failed entirely whereas MacOS eventually succeeded. Implying it tried more EAP types and eventually tried one that worked. Also that it started out with the least secure types....

vLANity

Only iOS clients to date, using what I understand to be the various insecure EAP types. Which again, I suspect there could be an issue with a legacy configuration change I've made that I'm unaware of that is impacting testing...

No plans for Win/Mac/Android.

stephenw10

It would be a good test though since we know it worked after some tries in MacOS in earlier versions.

vLANity

Can not test what I do not have

NogBadTheBad

@vLANity Here is what mine is set to no issues connecting IOS devices:-

Screenshot 2023-09-09 at 08.37.02.png

It also works fine with my Mac Pro, but that's at home so kinda pointless :)

vLANity

@NogBadTheBad Thanks? I added IPsec as was previously not using...

Still - no change re: original issue:

iOS device over wifi (Unifi AP) using 2FA: can NOT authenticate
Diagnostic > Authentication: The same user authenticates using 2FA
Log reports as listed in thread title