We recently purchased a Netgate SG-4860 in order to replace our custom-built desktop hardware.

The desktop hardware was running pfSense 2.3.x and the SG-4860 was running 2.4.0 when delivered. According to the pfSense documentation, it's possible to migrate configuration.xml files to newer versions of pfSense, which is what we did.

After replacing two pieces of hardware, most appliances came up correctly as intended. However, after reinstalling FreeRADIUS 3 (over the previously installed FreeRADIUS 2.x.x), our RADIUS-based wireless SSIDs stopped functioning, with the following error:

    "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"

Tests with the command radtest have worked by authenticating from the pfSense server itself. However, the access points are unable to authenticate.

I have two offices running pfSense 2.3.3 and FreeRADIUS 2 that are currently working from the same SQL database without any issues.

I have seen several posts with similar issues, but no apparent solution. Many of these are, however, authenticating against LDAP and not plain-text SQL. Among these are:

    http://lists.freeradius.org/pipermail/freeradius-users/2015-October/080614.html
    http://freeradius.1045715.n5.nabble.com/question-regarding-PEAP-MSCHAPv2-ERROR-FAILED-No-NT-LM-Password-Cannot-perform-authentication-td5737504.html
    https://github.com/FreeRADIUS/freeradius-server/issues/1314
    http://freeradius-users.freeradius.narkive.com/I8llQ7CQ/question-regarding-peap-mschapv2-error-failed-no-nt-lm-password-cannot-perform-authentication
    http://freeradius-users.freeradius.narkive.com/iEZKvxM1/rlm-mschap-failed-no-nt-lm-password-cannot-perform-authentication

Notable warnings and errors from the output of "radiusd -X":

Warning:
    ...
    [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
    [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
    ...

Warning:
    ...
    # Loading authorize {...}
    Ignoring "sql" (see raddb/mods-available/README.rst)
    Ignoring "ldap" (see raddb/mods-available/README.rst)
    ...

Warning:
    ....
    (7) WARNING: Outer and inner identities are the same. User privacy is compromised.
    ....

Warning:
    ...
    (7) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
    ....

Warning:
    ...
    (7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
    (7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
    ...

Error:
    ...
    (7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
    (7) mschap: ERROR: MS-CHAP2-Response is incorrect
    ....

Currently I suspect either an issue when the AP connects to the FreeRADIUS 3 server or an issue in the imported configuration.

Currently using Aerohive for the wireless solution.

Excerpt from database:

    mysql> select * from radcheck;
    +-----+------------+----------+--------------------+----+----------------+----------------------+
    | id  | name       | username | attribute          | op | value          | email                |
    +-----+------------+----------+--------------------+----+----------------+----------------------+
    |   3 | some name  | username | Cleartext-Password | := | somepassword   | [email protected]    |
    |   6 | some name  | username | Cleartext-Password | := | somepassword   | [email protected]    |

Issue is crossposted here: https://forum.pfsense.org/index.php?topic=144096.0

Any assistance in this is appreciated.

--
Sigurd Kristensen
Systems Administrator
------------------------------
Nodes
Copenhagen // Artillerivej 86, 2300 Copenhagen, Denmark
Aarhus // Frederiksgade 45, 2. sal, 8000 Aarhus, Denmark
London // 174 North Gower Street, London NW1 2NB, United Kingdom
Mobile: +45 31626876
Web: http://www.nodes.dk
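Added example, not part of the original post or of FreeRADIUS: a small triage script for "radiusd -X" output that groups warnings and errors by request number and reports mschap requests that had no password, alongside any password-source modules skipped while loading authorize. The sample log is constructed from the lines quoted above; the function names and the sql/ldap heuristic are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "radiusd -X" lines quoted in the post.
SAMPLE = '''\
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
(8) pap: User authenticated successfully
'''

SECTION = re.compile(r'^\s*#\s*Loading (\w[\w-]*) \{')
IGNORED = re.compile(r'^\s*Ignoring "([^"]+)"')
REQUEST = re.compile(r'^\((\d+)\)\s+(?:(\w+):\s+)?(WARNING|ERROR):\s+(.*)$')

def triage(text):
    """Return (modules ignored per load section, mschap requests lacking a password)."""
    ignored, per_request, section = defaultdict(list), defaultdict(list), None
    for line in text.splitlines():
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := IGNORED.match(line):
            ignored[section].append(m.group(1))
        elif m := REQUEST.match(line):
            req, module, level, msg = m.groups()
            per_request[int(req)].append((module, level, msg))
    no_password = sorted(
        req for req, events in per_request.items()
        if any(mod == "mschap" and lvl == "ERROR" and "No NT/LM-Password" in msg
               for mod, lvl, msg in events))
    return dict(ignored), no_password

def report(text):
    """Human-readable findings; empty list when no mschap request lacked a password."""
    ignored, no_password = triage(text)
    lines = [f"request {r}: mschap found no NT/LM or cleartext password" for r in no_password]
    # Assumed heuristic: sql and ldap are the modules that would supply the password.
    skipped = [m for m in ignored.get("authorize", []) if m in ("sql", "ldap")]
    if no_password and skipped:
        lines.append("authorize skipped: " + ", ".join(skipped)
                     + " (check the module is enabled and listed in this section)")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```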
