RADIUS authentication fails with ERROR: No NT-Password

MacUsers

@stephenw10 at the the same RADIUS users are used for VPN access as well, so OTP is on. I can give a try disabling OTP but it has to work with OTP for us. I'll reply here soon.

stephenw10

Sure, and I'd expect it to work, but it's definitely something unusual. I'd want to confirm it's not the cause before doing anything further.

Steve

andersonshatch

I encountered this error too on pfSense Community 2.6.0 trying to setup UniFi RADIUS login.
An account with a password specified can login okay, but one setup to use OTP yields the below failure:

Login incorrect (mschap: FAILED: No NT-Password.  Cannot perform authentication)

MacUsers

okay, so looks like it's not an isolated case. I tried with one of my Linksys AP and got exactly the same error - that indicates the issue on the RADIUS side but cannot be very sure. Is there any one can help to debug this pls?

-S

stephenw10

And that was also with OTP? Were you able to test anything without OTP to confirm?

dawsnet

I seem to be getting the same issue's also.

Pfsense : 2.6.0-RELEASE (amd64)
Freeraduis: 3: 0.15.7_33
Access points Unifi

Auth: (11)   Login incorrect (mschap: FAILED: No NT-Password.  Cannot perform authentication): 

Auth: (12) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)):

But if I untick the "Disables weak EAP types: MD5, and GTC" everything connects fine both MAC and Windows devices.

When ticked the Mac device's prompt twice for login's and then connect but the windows device don't connect..

Any help would be great.

Thanks

stephenw10

So the clients is trying to use a weak EAP type and in OSX it is able to see that switch to another type but Windows doesn't. There's probably tweak for that in Windows.

dawsnet

@stephenw10 I am using this solution for a flex office so don't really wan't to go about tweaking the devices ;) but cheers for the advice.

do you think this issue can be fixed so we don't need to use weak EAP ?

Cheers

stephenw10

Probably not if the clients are using one of those weaker options and do not try anything else.
For local wifi auth it's unlikely to be significant risk IMO.

Steve

dawsnet

Would this even be the case with a fresh install of Windows 10 fully up-to-date as I am getting the same errors

Sorry just trying to understand it fully..

Cheers

stephenw10

Not something I've ever looked into but if Windows is choosing to use that I'm not sure what you can do. Maybe radius can indicate why it fails prompting Windows to re-try or send a list of accepted ciphers. Also not something I've had to try.