FreeRADIUS 3.x package NTLM problem



  • FreeRADIUS 3.x package NTLM problem since upgrade to PFS 2.4.
    Before I used Freeradius 2. Since PFS 2.4 doesn't have Freeradius 2 package anymore I tried Freeradius 3.

    OpenVPN and Captive portal both work with Freeradius 3, but wpa2-eap does not work anymore. I have 2 sites, both with the same problem.

    The error I'm seeing is:
    Oct 13 13:23:27    radiusd    48737    (38) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [SomeUsername] (from client AP2 port 0 via TLS tunnel)
    Oct 13 13:23:20    radiusd    48737    (30) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [anonymous] (from client AP3 port 0 cli F0-D7-AA-xx-xx-xx)

    The last line has to do with the first one obviously.
    I don't know how to go forward other than turning back to PFS 2.3.4 with Freeradius 2, which I did, and wpa-eap is working again.



  • Tonight I upgraded to pfS 2.3.5. Again forced to use Freeradius 3 where I before used Freeradius 2 in 2.3.4 and again the same problem as with pfS 2.4:

    Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [Username/<via Auth-Type = eap>] (from client AP2 port 0 via TLS tunnel)

    Tomorrow re-install pfS 2.3.4 again  :(



  • I would really like to upgrade to 2.4.
    I'm not the only one with this problem:

    https://forum.pfsense.org/index.php?topic=131883.msg737459#msg737459

    How can I fix this?
    I have no clue what to do other than staying on pfS 2.3.4.



  • I didn't use 2.0, so can't say this is it for sure, but when setting up 3, I ran into that issue.  I found I had to store passwords as cleartext for it to work, not MD5.  That's on the 2.4 line though. Hopefully that helps you.



  • I use NT-Password for most users; I also have a test user with Cleartext-Password set. No difference, they generate the same error message. I don't use md5. The 2 sites I have are in use, so I can't use them to test and/or try things. I have no other choice than to stay on pfSense 2.3 with Freeradius 2 for the time being. At the moment I have no idea how to figure this out.

    Thank you for responding.



  • Since I couldn't fix the above problem I have set up an external freeradius 2 server so I can uninstall freeradius from the pfsense system, to be able to upgrade to the latest pfsense version.
    Now I want to uninstall Freeradius 2 from pfSense 2.3.4 but it isn't showing in the installed packages list. How do I uninstall Freeradius when it is not showing in the package manager?
    I don't want any leftover package files etc. of freeradius when I'm going to upgrade pfSense.



  • @Gé:

    ….
    I don't want any leftover package files etc. of freeradius when I'm going to upgrade pfSense.

    Hi,
    Throw out all references to Freeradius in the config.xml

    Then, do a clean install using 2.4.x - import your config, and done.
    (10 minutes max).

    Clean system guaranteed.



  • Okay great advice, thanks!


  • Rebel Alliance Developer Netgate

    Try again with FreeRADIUS 3.x package version 0.15.5, this should be fixed now.



  • Today I upgraded to pfSense 2.4.2-1. I didn't want to install Freeradius anymore in pfSense since it didn't work anymore for me. But then you posted the problem should be fixed in the latest version. Today I tested it but sadly it is still the same.

    I will keep the Freeradius 3 setup on pfSense for testing new package versions in the future.
    Till it is fixed I'm using my other Freeradius 2.



  • Hi,
    today I've set up freeradius3 for WPA-EAP, and it is working, but only with "clear text passwords".
    If I change it to "MD5 Password", I get the error "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"

    Is there any way to use non clear text password storage with working WPA-EAP?



  • Hi Zizi,

    I have a freeradius 3 in pfsense and an external freeradius 2 in a vps. The last one works with plain passwords and nthash passwords.
    I have a test user with a plain password; this is not working. In fact none of my users can log in when I use the pfsense radius 3 server package. If I use the external freeradius 2 server I installed in a virtual debian system, all users work 100%; nthash and plain text passwords make no difference then. I even have md5 test users that do work also.

    I keep the FR3 package on pfsense on hand so I can test it if and when there are updates, in the hope one day it will work again.



  • @Zizi:

    Hi,
    today I've set up freeradius3 for WPA-EAP, and it is working, but only with "clear text passwords".
    If I change it to "MD5 Password", I get the error "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"

    Is there any way to use non clear text password storage with working WPA-EAP?

    Same here.