Failing to authenticate using FreeRadius (in OpenBSD) + XP as a client + Linksys AP (WRT54v2.2) using peap

Maurizio Cimaschi mauri at unixrulez.org
Sat Aug 16 15:25:06 CEST 2008


Alan DeKok wrote:
>   Because User-Password is the password as entered by the user.
> Cleartext-Password is the "known good" password on the server.  They are
> *not* the same.
> 
>   When you do EAP, there is *no* User-Password attribute in the packets.
>  So doing "User-Password == ..." is *wrong*.  There's no User-Password,
> so there's nothing to compare to.

OK. So rlm_mschap will look for the internal check-item
"Cleartext-Password" and it will use that value for authentication.

From share/freeradius/dictionary.freeradius.internal:
ATTRIBUTE       Cleartext-Password                      1100    string

This item should be set by some module (rlm_files, rlm_ldap, possibly 
others) during the "authorize" stage. Besides, rlm_mschap has no idea 
where the passwords (in any form) are stored.

Correct?

>> In my environment I authenticate against an LDAP server, so according to
>> the ldap.attrmap file the LDAP attribute "userPassword" (which contains
>> the password in clear text form) is copied to the check-item
>> "User-Password". While no attribute seems copied as check-item
>> "Cleartext-Password". Still the mschap module is able to authenticate
>> the users.
>   That is a historical artifact of the server.  See the big warnings in
> debugging mode in 2.0.x.

In rlm_ldap I found this warning (I found just one):

                if (!pairfind(request->config_items, PW_CLEARTEXT_PASSWORD) &&
                    !pairfind(request->config_items, PW_USER_PASSWORD)) {
                        DEBUG("WARNING: No \"known good\" password was found in LDAP.  Are you sure that the user is configured correctly?");
                }

This fragment is from the "ldap_authorize" function. 
PW_CLEARTEXT_PASSWORD is defined as value 1100 elsewhere in the source, 
I think in accordance with the internal dictionary file.

A few lines before, it seems that it tries to copy all the attributes that 
smell like a password into the request; this warning is raised if there's 
no user pwd (from the supplicant) and/or no clear text pwd in the DB.

>> In my environment the LDAP server is also used by samba; so there are
>> also LM/NT passwords available (in fact, some users are not also samba
>> users but are authenticated via radius); but while googling about using
>> freeradius with LDAP that possibility wasn't mentioned, while I found a
>> howto that said to add to ldap.attrmap the line:
>>
>> checkItem       User-Password                   userPassword
> 
>   Which is wrong.  It should map to Cleartext-Password.

I understand that, but how could it be possible that my users who are not 
samba users are able to connect to the AP?

There's no LM/NT pwd for them, and there's also no "Cleartext-Password" 
because the mapping is wrong (but I've changed it now). So how does 
rlm_mschap find the password?

I've looked at mschap_authenticate and it seems to look for the LM pwd and 
NT pwd in the request, and to build one or both of them from the 
cleartext password if they're missing.
