Sigurd Kristensen
2018-02-16 13:57:24 UTC
We recently purchased a Netgate SG-4860 in order to replace our custom
built desktop hardware.
The desktop hardware was running pfsense 2.3.x and the sg-4860 was running
2.4.0 when delivered. According to Pfsense documentation its possible to
migrate configuration.xml files to newer versions of Pfsense which is what
we did.
After replacing two pieces of hardware most appliances came up correctly as
intended, however after reinstalling Freeradius 3 (over the previously
installed Freeradius 2..x.x) Our radius based wireless SSID's stopped
functioning. With the following error:
"mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
Tests with the command radtest have worked by authenticating from the
pfsense server itself. However the access points are unable to authenticate.
I have two offices running pfsense 2.3.3 and Freeradius 2 that are
currently working from the same SQL database without any issues.
I have seen several posts with similar issues, but no apparant solution.
Many of these are however authenticating against LDAP and not plain-text
SQL - Among these are:
http://lists.freeradius.org/pipermail/freeradius-users/2015-October/080614.html
http://freeradius.1045715.n5.nabble.com/question-regarding-PEAP-MSCHAPv2-ERROR-FAILED-No-NT-LM-Password-Cannot-perform-authentication-td5737504.html
https://github.com/FreeRADIUS/freeradius-server/issues/1314
http://freeradius-users.freeradius.narkive.com/I8llQ7CQ/question-regarding-peap-mschapv2-error-failed-no-nt-lm-password-cannot-perform-authentication
http://freeradius-users.freeradius.narkive.com/iEZKvxM1/rlm-mschap-failed-no-nt-lm-password-cannot-perform-authentication
Notable warnings and errors from the output of "radiusd -X"
Warning:
...
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
...
Warning:
...
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
...
Warning:
....
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
....
Warning:
...
(7) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
exist! Cancelling invalid proxy request.
....
Warning:
...
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
...
Error:
...
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
....
Currently i suspect either an issue when the AP connects to the Freeradius
3 server or an issue in the imported configuration.
Currently using Aerohive for the wireless solution.
Excerp from database:
mysql> select * from radcheck;
+-----+------------+----------+--------------------+----+----------------+----------------------+
| id | name | username | attribute | op | value |
email |
+-----+------------+----------+--------------------+----+----------------+----------------------+
| 3 | some name | username | Cleartext-Password | := | somepassword |
***@domain.dk |
| 6 | some name | username | Cleartext-Password | := | somepassword |
***@domain.dk |
Issue is crossposted here:
https://forum.pfsense.org/index.php?topic=144096.0
Any assistance in this is appreciated.
--
Sigurd Kristensen
Systems Administrator
------------------------------
Nodes
Copenhagen // Artillerivej 86, 2300 Copenhagen, Denmark
Aarhus // Frederiksgade 45, 2. sal, 8000 Aarhus, Denmark
London // 174 North Gower Street, London NW1 2NB, United Kingdom
Mobile: +45 31626876
Web: http://www.nodes.dk
built desktop hardware.
The desktop hardware was running pfsense 2.3.x and the sg-4860 was running
2.4.0 when delivered. According to Pfsense documentation its possible to
migrate configuration.xml files to newer versions of Pfsense which is what
we did.
After replacing two pieces of hardware most appliances came up correctly as
intended, however after reinstalling Freeradius 3 (over the previously
installed Freeradius 2..x.x) Our radius based wireless SSID's stopped
functioning. With the following error:
"mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
Tests with the command radtest have worked by authenticating from the
pfsense server itself. However the access points are unable to authenticate.
I have two offices running pfsense 2.3.3 and Freeradius 2 that are
currently working from the same SQL database without any issues.
I have seen several posts with similar issues, but no apparant solution.
Many of these are however authenticating against LDAP and not plain-text
SQL - Among these are:
http://lists.freeradius.org/pipermail/freeradius-users/2015-October/080614.html
http://freeradius.1045715.n5.nabble.com/question-regarding-PEAP-MSCHAPv2-ERROR-FAILED-No-NT-LM-Password-Cannot-perform-authentication-td5737504.html
https://github.com/FreeRADIUS/freeradius-server/issues/1314
http://freeradius-users.freeradius.narkive.com/I8llQ7CQ/question-regarding-peap-mschapv2-error-failed-no-nt-lm-password-cannot-perform-authentication
http://freeradius-users.freeradius.narkive.com/iEZKvxM1/rlm-mschap-failed-no-nt-lm-password-cannot-perform-authentication
Notable warnings and errors from the output of "radiusd -X"
Warning:
...
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
...
Warning:
...
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
...
Warning:
....
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
....
Warning:
...
(7) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
exist! Cancelling invalid proxy request.
....
Warning:
...
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
...
Error:
...
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
....
Currently i suspect either an issue when the AP connects to the Freeradius
3 server or an issue in the imported configuration.
Currently using Aerohive for the wireless solution.
Excerp from database:
mysql> select * from radcheck;
+-----+------------+----------+--------------------+----+----------------+----------------------+
| id | name | username | attribute | op | value |
email |
+-----+------------+----------+--------------------+----+----------------+----------------------+
| 3 | some name | username | Cleartext-Password | := | somepassword |
***@domain.dk |
| 6 | some name | username | Cleartext-Password | := | somepassword |
***@domain.dk |
Issue is crossposted here:
https://forum.pfsense.org/index.php?topic=144096.0
Any assistance in this is appreciated.
--
Sigurd Kristensen
Systems Administrator
------------------------------
Nodes
Copenhagen // Artillerivej 86, 2300 Copenhagen, Denmark
Aarhus // Frederiksgade 45, 2. sal, 8000 Aarhus, Denmark
London // 174 North Gower Street, London NW1 2NB, United Kingdom
Mobile: +45 31626876
Web: http://www.nodes.dk