RADIUS authentication fails with ERROR: No NT-Password

MacUsers

Dear all,

I'm using freeRADIUS3 (v0.15.7_33) on pfSense+, which is working perfectly fine for OpenVPN authentication with OTP enabled. But when I use it to authenticate WiFi access, it fails with the below message:

Dec  7 15:28:58 pfsplus radiusd[1503]: (8)   Login incorrect (mschap: FAILED: No NT-Password.  Cannot perform authentication): [santanu.das] (from client unifi port 0 via TLS tunnel) 
Dec  7 15:28:58 pfsplus radiusd[1503]: (9) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [santanu.das] (from client unifi port 0 cli B0-xx-xx-xx-xx) 

NT passwords is not used, in fact no password at all due to the use of OTP - where is this coming from? I tried all sorts of thing from Internet but still no joy. Is it a bug or am I missing something?

MacUsers

So, no one apart form me having this issue, really??

-S

stephenw10

Not an error I'm familiar with but it seems quite common.

You are just authenticating against Freeradius directly?

How is the client configured? EAP setup?

Steve

MacUsers

Sorry for replying late. Got some other stuff

You are just authenticating against Freeradius directly?

If I really understood the question, the answer is yes. Just using UniFi AP WiFi access.

How is the client configured? EAP setup?

The NAS/Client on the pfSense is configured with the AP IP as Client IP Address, IPv4 and with a client shared-secret and default EAP type PEAP. On the AP, it's configured with WAP2 Enterprise, pointing to pfSense IP as the RADIUS server, with the appropreate Authrozion and Accounting port.

Is that answer your question? Let me know if you ned any othert information.

-San

stephenw10

Hmm you're trying to use OTP for wifi auth also? Have you tested it without that?

MacUsers

@stephenw10 at the the same RADIUS users are used for VPN access as well, so OTP is on. I can give a try disabling OTP but it has to work with OTP for us. I'll reply here soon.

stephenw10

Sure, and I'd expect it to work, but it's definitely something unusual. I'd want to confirm it's not the cause before doing anything further.

Steve

andersonshatch

I encountered this error too on pfSense Community 2.6.0 trying to setup UniFi RADIUS login.
An account with a password specified can login okay, but one setup to use OTP yields the below failure:

Login incorrect (mschap: FAILED: No NT-Password.  Cannot perform authentication)

MacUsers

okay, so looks like it's not an isolated case. I tried with one of my Linksys AP and got exactly the same error - that indicates the issue on the RADIUS side but cannot be very sure. Is there any one can help to debug this pls?

-S

stephenw10

And that was also with OTP? Were you able to test anything without OTP to confirm?

dawsnet

I seem to be getting the same issue's also.

Pfsense : 2.6.0-RELEASE (amd64)
Freeraduis: 3: 0.15.7_33
Access points Unifi

Auth: (11)   Login incorrect (mschap: FAILED: No NT-Password.  Cannot perform authentication): 

Auth: (12) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)):

But if I untick the "Disables weak EAP types: MD5, and GTC" everything connects fine both MAC and Windows devices.

When ticked the Mac device's prompt twice for login's and then connect but the windows device don't connect..

Any help would be great.

Thanks

stephenw10

So the clients is trying to use a weak EAP type and in OSX it is able to see that switch to another type but Windows doesn't. There's probably tweak for that in Windows.

dawsnet

@stephenw10 I am using this solution for a flex office so don't really wan't to go about tweaking the devices ;) but cheers for the advice.

do you think this issue can be fixed so we don't need to use weak EAP ?

Cheers

stephenw10

Probably not if the clients are using one of those weaker options and do not try anything else.
For local wifi auth it's unlikely to be significant risk IMO.

Steve

dawsnet

Would this even be the case with a fresh install of Windows 10 fully up-to-date as I am getting the same errors

Sorry just trying to understand it fully..

Cheers

stephenw10

Not something I've ever looked into but if Windows is choosing to use that I'm not sure what you can do. Maybe radius can indicate why it fails prompting Windows to re-try or send a list of accepted ciphers. Also not something I've had to try.