Discussion:
[pfSense] Wireless authentication issues after Freeradius upgrade
Sigurd Kristensen
2018-02-16 13:57:24 UTC
We recently purchased a Netgate SG-4860 in order to replace our custom
built desktop hardware.

The desktop hardware was running pfsense 2.3.x and the sg-4860 was running
2.4.0 when delivered. According to Pfsense documentation it's possible to
migrate configuration.xml files to newer versions of Pfsense, which is what
we did.

After replacing two pieces of hardware most appliances came up correctly as
intended; however, after reinstalling Freeradius 3 (over the previously
installed Freeradius 2.x.x) our radius based wireless SSIDs stopped
functioning, with the following error:

"mschap: FAILED: No NT/LM-Password. Cannot perform authentication"

Tests with the command radtest have worked by authenticating from the
pfsense server itself. However, the access points are unable to authenticate.

I have two offices running pfsense 2.3.3 and Freeradius 2 that are
currently working from the same SQL database without any issues.

I have seen several posts with similar issues, but no apparent solution.
Many of these are, however, authenticating against LDAP and not plain-text
SQL. Among these are:

http://lists.freeradius.org/pipermail/freeradius-users/2015-October/080614.html
http://freeradius.1045715.n5.nabble.com/question-regarding-PEAP-MSCHAPv2-ERROR-FAILED-No-NT-LM-Password-Cannot-perform-authentication-td5737504.html
https://github.com/FreeRADIUS/freeradius-server/issues/1314
http://freeradius-users.freeradius.narkive.com/I8llQ7CQ/question-regarding-peap-mschapv2-error-failed-no-nt-lm-password-cannot-perform-authentication
http://freeradius-users.freeradius.narkive.com/iEZKvxM1/rlm-mschap-failed-no-nt-lm-password-cannot-perform-authentication

Notable warnings and errors from the output of "radiusd -X":

Warning:
...
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
...

Warning:
...
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
...

Warning:
....
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
....

Warning:
...
(7) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
exist! Cancelling invalid proxy request.
....

Warning:
...
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
...

Error:
...
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
....

Currently I suspect either an issue when the AP connects to the Freeradius
3 server or an issue in the imported configuration.

Currently using Aerohive for the wireless solution.

Excerpt from database:

mysql> select * from radcheck;
+----+-----------+----------+--------------------+----+--------------+---------------+
| id | name      | username | attribute          | op | value        | email         |
+----+-----------+----------+--------------------+----+--------------+---------------+
|  3 | some name | username | Cleartext-Password | := | somepassword | ***@domain.dk |
|  6 | some name | username | Cleartext-Password | := | somepassword | ***@domain.dk |
+----+-----------+----------+--------------------+----+--------------+---------------+

Issue is crossposted here:
https://forum.pfsense.org/index.php?topic=144096.0

Any assistance in this is appreciated.
--
Sigurd Kristensen
Systems Administrator
------------------------------

Nodes

Copenhagen // Artillerivej 86, 2300 Copenhagen, Denmark
Aarhus // Frederiksgade 45, 2. sal, 8000 Aarhus, Denmark
London // 174 North Gower Street, London NW1 2NB, United Kingdom

Mobile: +45 31626876

Web: http://www.nodes.dk
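A triage script for the debug output quoted above, added here as an example and not part of the thread, of pfSense or of FreeRADIUS itself: it parses radiusd -X lines, records which optional authorize modules were skipped at load, and ties each MS-CHAP "No NT/LM-Password" failure to the absence of any module that could have supplied Cleartext-Password from radcheck. The sample log is constructed from the excerpts in the post; reading the "Ignoring" line as an optional module with no mods-enabled entry is my interpretation of FreeRADIUS 3 behaviour, not something the thread states.

```python
import re

# Constructed sample: an abridged copy of the "radiusd -X" excerpts quoted in the post.
SAMPLE_DEBUG = """\
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
"""

# "Ignoring <mod>" is logged when a virtual server references an optional module
# (written "-sql", "-ldap") that has no entry under mods-enabled, so it is skipped.
IGNORED_RE = re.compile(r'^Ignoring "([^"]+)" \(see raddb/mods-available/README\.rst\)')
# Per-request lines look like: "(<id>) [<module>: ]WARNING|ERROR: <message>"
REQ_RE = re.compile(r"^\((\d+)\) (?:(\w+): )?(WARNING|ERROR): (.*)$")

def parse_debug(text):
    """Split radiusd -X output into skipped modules and per-request diagnostics."""
    ignored, requests = [], {}
    for line in text.splitlines():
        m = IGNORED_RE.match(line)
        if m:
            ignored.append(m.group(1))
            continue
        m = REQ_RE.match(line)
        if m:
            req, mod, level, msg = m.groups()
            requests.setdefault(int(req), []).append((mod or "core", level, msg))
    return ignored, requests

def diagnose(text):
    """One finding per request whose MS-CHAP failure traces back to a skipped backend."""
    ignored, requests = parse_debug(text)
    skipped = [m for m in ignored if m in ("sql", "ldap")]
    findings = []
    for req, msgs in sorted(requests.items()):
        no_pw = any(mod == "mschap" and "No Cleartext-Password" in msg for mod, _, msg in msgs)
        failed = any(mod == "mschap" and lvl == "ERROR" and "No NT/LM-Password" in msg
                     for mod, lvl, msg in msgs)
        if failed and no_pw:
            findings.append({"request": req, "skipped_backends": skipped,
                             "cause": "no authorize module supplied Cleartext-Password or "
                                      "NT-Password, so rlm_mschap had nothing to verify against",
                             "check": "confirm the backend holding radcheck is linked under "
                                      "/usr/local/etc/raddb/mods-enabled/"})
    return findings
```

Feed a real radiusd -X capture to diagnose() instead of SAMPLE_DEBUG; on the excerpts from the post it reports request 7 with sql and ldap as the skipped backends.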
d***@nvus.co.uk
2018-02-16 14:45:30 UTC
You may be better posting to the Freeradius maillist but IIRC there are
significant differences between the config files for Freeradius 2 and 3
meaning you have to rewrite the radius config files for version 3 as a
version 2 file will not work.

This is from the freeradius website on upgrading to version 3 from 2...

The configuration for 3.0 is largely compatible with the 2.x.x
configuration. However, it is NOT possible to simply use the 2.x.x
configuration as-is. Instead, it should be re-created.

Hope that helps.

Kind regards,
Dan

Sigurd Kristensen
2018-02-16 15:15:58 UTC
Thanks for your assistance. My current plan of action is resetting the
SG-4860 and then loading a PfSense xml configuration file without the
freeradius configuration. That might negate some of the issues I
encountered; there are extreme differences between freeradius 2 and 3, but
the PFsense web configurator seems to account for these.

Kind Regards,

- Sigurd Kristensen
--
Sigurd Kristensen
Systems Administrator
------------------------------

Nodes

Copenhagen // Artillerivej 86, 2300 Copenhagen, Denmark
Aarhus // Frederiksgade 45, 2. sal, 8000 Aarhus, Denmark
London // 174 North Gower Street, London NW1 2NB, United Kingdom

Mobile: +45 31626876

Web: http://www.nodes.dk