Big Problem with peap-mschapv2+freeradius 1.1.7

Christian Frank christian.frank at rsel.renesas.com
Thu Aug 16 17:34:39 CEST 2007



Alan DeKok wrote:
> Christian Frank wrote:
>> I have a big problem with my radius setup. I want to authenticate
>> my users with peap+mschapv2. The radius backend is an ldap server.
> 
>   Does the LDAP server contain a clear-text or NT hashed password for
> the user?

The LDAP server contains a clear-text password. I added it using JXplorer.

> 
>> I have this setup working with Freeradius 1.0.1 on Redhat 4 ES.
>>
>> But after upgrading to 1.1.7 this setup does not work anymore.
>> I configured my radius/eap/client config file the same way like the old file was.
> 
>   Are you sure?  The configurations are similar, but not identical.

I will double-check this tomorrow morning. Maybe I have missed something...

> 
>> rlm_ldap: performing search in dc=rsel,dc=com, with filter (uid=cfra)
>> rlm_ldap: checking if remote access for cfra is allowed by uid
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>> rlm_ldap: user cfra authorized to use remote access
> 
>   BUT there was no "known good" password for the user found in LDAP.
> That's why authentication is failing.

Hmmm. Here is my LDAP config from radiusd.conf:

ldap {
         #server = "ldap.your.domain"
         server = "150.150.40.241"
         # identity = "cn=admin,o=My Org,c=UA"
         identity = "cn=Manager,dc=rsel,dc=com"
         # password = mypass
         password = secret
         #basedn = "o=My Org,c=UA"
         basedn = "dc=rsel,dc=com"
         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
         # base_filter = "(objectclass=radiusprofile)"

         # set this to 'yes' to use TLS encrypted connections
         # to the LDAP database by using the StartTLS extended
         # operation.
         # The StartTLS operation is supposed to be used with normal
         # ldap connections instead of using ldaps (port 636) connections
         start_tls = no

         # tls_cacertfile    = /path/to/cacert.pem
         # tls_cacertdir        = /path/to/ca/dir/
         # tls_certfile        = /path/to/radius.crt
         # tls_keyfile        = /path/to/radius.key
         # tls_randfile        = /path/to/rnd
         # tls_require_cert    = "demand"

         # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
         # profile_attribute = "radiusProfileDn"
         access_attr = "uid"

         # Mapping of RADIUS dictionary attributes to LDAP
         # directory attributes.
         dictionary_mapping = ${raddbdir}/ldap.attrmap

         ldap_connections_number = 5

         #
         # NOTICE: The password_header directive is NOT case insensitive
         #
         # password_header = "{clear}"
         #
         # Set:
         #    password_attribute = nspmPassword
         #
         # to get the user's password from a Novell eDirectory
         # backend. This will work *only if* freeRADIUS is
         # configured to build with --with-edir option.
         #
         #
         #  The server can usually figure this out on its own, and pull
         #  the correct User-Password or NT-Password from the database.
         #
         #  Note that NT-Passwords MUST be stored as a 32-digit hex
         #  string, and MUST start off with "0x", such as:
         #
         #    0x000102030405060708090a0b0c0d0e0f
         #
         #  Without the leading "0x", NT-Passwords will not work.
         #  This goes for NT-Passwords stored in SQL, too.
         #
         # password_attribute = userPassword
         #
         # Un-comment the following to disable Novell eDirectory account
         # policy check and intruder detection. This will work *only if*
         # FreeRADIUS is configured to build with --with-edir option.
         #
         edir_account_policy_check=no
         #
         # groupname_attribute = cn
         # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
         # groupmembership_attribute = radiusGroupName
         timeout = 4
         timelimit = 3
         net_timeout = 1
         # compare_check_items = yes
         # do_xlat = yes
         # access_attr_used_for_allow = yes

         #
         #  By default, if the packet contains a User-Password,
         #  and no other module is configured to handle the
         #  authentication, the LDAP module sets itself to do
         #  LDAP bind for authentication.
         #
         #  You can disable this behavior by setting the following
         #  configuration entry to "no".
         #
         #  allowed values: {no, yes}
         # set_auth_type = yes
     }

The only thing I do not understand in this case is the password_header = "{clear}" directive.
What is its purpose? Maybe that is the problem?

Today I tried 2.0 pre 1 and it is working with this version (and the password_header thing seems to have changed in this version).
I get a big warning that "something with my known_good password was adjusted automatically in the config"
(I will post the full warning tomorrow morning) and that I should correct the
problem with "Replace User-Password with Cleartext-Password in the config....", but I don't know what I should change ...

Additionally, it seems that the authentication is case sensitive in 2.0. In 1.0.1 I used my username in lower and upper case and it worked without problems.
In 2.0 I have to use the username as it is set up in LDAP (there my username is upper case).
So, did something change with the case sensitivity between the FreeRADIUS versions? Because my LDAP setup did not change..

Many thanks,
Christian Frank

> 
>   Alan DeKok.
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
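The thread turns on what a "known good" password is for PEAP/MS-CHAPv2: rlm_ldap must hand the EAP module either a clear-text password (the `password_header = "{clear}"` directive strips that prefix, case-sensitively) or an NT-Password stored as "0x" plus 32 hex digits, as the config comments describe. The following is an added example, not FreeRADIUS or mailing-list code; `known_good_from_ldap` is a simplified, hypothetical model of that decision, and `md4` is a pure-Python MD4 so the NT hash can be computed where hashlib's md4 is disabled.

```python
import struct
from typing import Optional


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(msg: bytes) -> bytes:
    """MD4 per RFC 1320 (NT hashes are MD4 over the UTF-16LE password)."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, word order, shifts, round constant)
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                t = (a + fn(b, c, d) + x[idx] + k) & 0xFFFFFFFF
                a, b, c, d = d, _lrot(t, shifts[i % 4]), b, c  # rotate the working variables
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_password(cleartext: str) -> str:
    """NT-Password in the form the radiusd.conf comment requires: "0x" + 32 hex digits."""
    return "0x" + md4(cleartext.encode("utf-16-le")).hex()


def known_good_from_ldap(value: str, password_header: str = "{clear}") -> Optional[dict]:
    """Hypothetical model of what rlm_ldap must extract from userPassword for MS-CHAPv2.

    MS-CHAPv2 can only be verified against a clear-text or NT-hashed password;
    a one-way value such as {crypt} or {SSHA} yields no known-good password.
    The header comparison is case-sensitive, as the config comment warns.
    """
    if value.startswith(password_header):
        value = value[len(password_header):]
    elif value.startswith("{"):
        return None  # some other (one-way) scheme: EAP-MSCHAPv2 cannot use it
    return {"Cleartext-Password": value, "NT-Password": nt_password(value)}


def is_valid_nt_password(stored: str) -> bool:
    """True only for "0x" followed by exactly 32 hex digits (the documented format)."""
    return stored.startswith("0x") and len(stored) == 34 and \
        all(ch in "0123456789abcdefABCDEF" for ch in stored[2:])
```

A userPassword of `{clear}secret` yields both check items, while `{SSHA}...` or a mis-cased `{CLEAR}` header yields none, which is the "no known good password" condition Alan describes.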
