Wireless authentication issues after Freeradius upgrade



  • We recently purchased a Netgate SG-4860 in order to replace our custom built desktop hardware.

    The desktop hardware was running pfsense 2.3.x and the sg-4860 was running 2.4.0 when delivered. According to Pfsense documentation its possible to migrate configuration.xml files to newer versions of Pfsense which is what we did.

    After replacing two pieces of hardware most appliances came up correctly as intended, however after reinstalling Freeradius 3 (over the previously installed Freeradius 2..x.x) Our radius based wireless SSID's stopped functioning. With the following error:

    "mschap: FAILED: No NT/LM-Password.  Cannot perform authentication"

    Tests with the command radtest have worked by authenticating from the pfsense server itself. However the access points are unable to authenticate.

    I have two offices running pfsense 2.3.3 and Freeradius 2 that are currently working from the same SQL database without any issues.

    I have seen several posts with similar issues, but no apparant solution. Many of these are however authenticating against LDAP and not plain-text SQL - Among these are:

    http://lists.freeradius.org/pipermail/freeradius-users/2015-October/080614.html
    http://freeradius.1045715.n5.nabble.com/question-regarding-PEAP-MSCHAPv2-ERROR-FAILED-No-NT-LM-Password-Cannot-perform-authentication-td5737504.html
    https://github.com/FreeRADIUS/freeradius-server/issues/1314
    http://freeradius-users.freeradius.narkive.com/I8llQ7CQ/question-regarding-peap-mschapv2-error-failed-no-nt-lm-password-cannot-perform-authentication
    http://freeradius-users.freeradius.narkive.com/iEZKvxM1/rlm-mschap-failed-no-nt-lm-password-cannot-perform-authentication

    Notable warnings and errors from the output of "radiusd -X"

    Warning:

    [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
    [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".

    Warning:
    ...

    Loading authorize {...}

    Ignoring "sql" (see raddb/mods-available/README.rst)
    Ignoring "ldap" (see raddb/mods-available/README.rst)
    ...

    Warning:
    ....
    (7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
    ....

    Warning:
    ...
    (7)  WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!  Cancelling invalid proxy request.
    ....

    Warning:
    ...
    (7) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
    (7) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
    ...

    Error:
    ...
    (7) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
    (7) mschap: ERROR: MS-CHAP2-Response is incorrect
    ....

    Currently i suspect either an issue when the AP connects to the Freeradius  3 server or an issue in the imported configuration.

    Currently using Aerohive for the wireless solution.

    Excerp from database:

    mysql> select * from radcheck;
    +-----+------------+----------+--------------------+----+----------------+----------------------+
    | id  | name      | username | attribute          | op | value          | email                |
    +-----+------------+----------+--------------------+----+----------------+----------------------+
    |  3 | some name  | username | Cleartext-Password | := | somepassword  | username@domain.dk  |
    |  6 | some name  | username | Cleartext-Password | := | somepassword  | username@domain.dk  |

    Any assistance with this issue is highly appreciated.


  • Rebel Alliance Developer Netgate

    Can you update FreeRADIUS 3.x and try again? You should see version 0.15.5 now.

    The NTLM module was active but not configured. It looks like on FreeRADIUS 2.x it was manually edited and disabled, so I tried to replicate that change in a more FreeRADIUS 3-ish way by removing the ntlm_auth module from the active list. This should have the same effect as what was done in the FreeRADIUS 2.x code.



  • Sorry for the delay, unfortunately an update to 0.15.5 did not solve the issue.

    The following error persists.

    Could this be an incompatebility between the APs and Freeradius 3? Current AP's we use are Aerohive AP230.

    (16) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [sikr@nodes.dk] (from client AP1 port 0 via TLS tunnel)


  • Rebel Alliance Developer Netgate

    The only NTLM related change I saw between 2 and 3 was that on 2.x the NTLM module was disabled and on 3 it was enabled, so I disabled it on 3 to match 2 thinking maybe that was triggering the problem.

    It's possible there is some other potential incompatibility there, but so far I haven't been able to reproduce it here so I can't say for sure what might fix it yet.



  • @sikr did you ever solved this?


Log in to reply