ldap machine account auth tutorial

Christophe Deze christophedeze at wanadoo.fr
Mon Feb 1 17:43:25 CET 2010


Excuse me, I didn't want to email you directly.

I run 2 LDAP modules because I would like to put machines in the right VLAN 
after authentication.

That's my next problem ;)
I'm working on it... but I don't know where to begin :p



On 01/02/2010 17:34, Phil Mayers wrote:
>
> On 01/02/10 16:04, cd wrote:
>> Thanks Phil
>>
>> but it looks like I get an Access-Accept without LDAP password 
>> validation ??!
>
> Please don't email me directly; I'm on the list.
>
>> rad_recv: Access-Request packet from host 192.168.10.254 port 1024, 
>> id=151, length=136
>> NAS-IP-Address = 10.172.253.110
>> NAS-Port-Type = Ethernet
>> Service-Type = Framed-User
>> Message-Authenticator = 0xe35737afd4fb25d9a9cab4dc24bffa77
>> NAS-Port = 10
>> Framed-MTU = 1490
>> User-Name = "host/crid72-42ee2079"
>> Calling-Station-Id = "00-0C-29-7E-44-54"
>> EAP-Message = 0x020d001901686f73742f6372696437322d3432656532303739
>
> SNIP; your LDAP debugging level is way, way too high. It's very hard 
> to read the debugging output.
>
>> rlm_ldap: sambaNtPassword ->  NT-Password == 
>> 0x3241384242423239424546354639314230324146363837323930414442344637
>
>> [ldap_admin] performing user authorization for host/crid72-42ee2079
>
> ...why are you running 2 LDAP modules?
>
>> +++[ldap_sw] returns ok
>> ++- policy redundant returns ok
>> rlm_ldap: Entering ldap_groupcmp()
>
>> Found Auth-Type = EAP
>> +- entering group authenticate {...}
>> [eap] EAP Identity
>> [eap] processing type mschapv2
>> rlm_eap_mschapv2: Issuing Challenge
>> ++[eap] returns handled
>> } # server inner-tunnel
>> Sending Access-Challenge of id 151 to 192.168.10.254 port 1024
>> EAP-Message = 
>> 0x010e002e1a010e002910924d24419c6082e80c304f8d76c22109686f73742f6372696437322d3432656532303739 
>>
>> Message-Authenticator = 0x00000000000000000000000000000000
>> State = 0x517b79b8517563ae61de7219537f52df
>
> Ok, so EAP challenge sent.
>
>> Found Auth-Type = EAP
>> +- entering group authenticate {...}
>> [eap] Request found, released from the list
>> [eap] EAP NAK
>> [eap] EAP-NAK asked for EAP-Type/peap
>
>
> So it's using PEAP. Then after lots and lots of unnecessary LDAP debug 
> output:
>
>> Sending Access-Accept of id 161 to 192.168.10.254 port 1024
>> User-Name = "host/crid72-42ee2079"
>> MS-MPPE-Recv-Key = 
>> 0xc83951c8f97b57386194b58be2d66edbe3a7b37cbaead57df65c61d64cea65e1
>> MS-MPPE-Send-Key = 
>> 0xeefc2477dc12da93c583c05676c8474a66fd2ad11b1cd90ef3ff575dcf876010
>> EAP-Message = 0x03170004
>> Message-Authenticator = 0x00000000000000000000000000000000
>
> It succeeds. So what's the problem?
>
> Radius looked the NT password up in LDAP, and did a PEAP/MS-CHAP 
> against it. It worked.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
>
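As an added example (not from this thread or the FreeRADIUS project itself), this is how the two pieces Phil describes fit together in a FreeRADIUS 2.x configuration: the inner tunnel pulls sambaNtPassword into NT-Password so MS-CHAPv2 is verified against the hash (no LDAP bind with the cleartext happens), and post-auth uses the same module's group check to pick the VLAN. The group names, VLAN ids and the module instance name `ldap` are assumptions; an instance named e.g. `ldap_sw` registers the check as `ldap_sw-Ldap-Group` instead.

```text
# raddb/sites-available/inner-tunnel  (the PEAP inner request)
authorize {
    suffix
    ldap        # maps sambaNtPassword -> NT-Password via ldap.attrmap;
                # rlm_eap_mschapv2 then verifies the MS-CHAPv2 response
                # against that hash, which is the "validation" in the log
    eap
}

post-auth {
    # Ldap-Group calls the module's ldap_groupcmp() seen in the debug output.
    # Group names and VLAN ids below are assumed placeholders.
    if (Ldap-Group == "vlan-workstations") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "42"
        }
    }
    elsif (Ldap-Group == "vlan-printers") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "43"
        }
    }
    else {
        # Unknown machine group: refuse instead of letting the switch
        # fall back to its default VLAN.
        reject
    }
}

# raddb/eap.conf: the VLAN attributes are added inside the tunnel, so PEAP
# must copy them into the outer Access-Accept that the switch actually sees.
eap {
    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
        use_tunneled_reply = yes
    }
}
```

Running `radiusd -X` with the LDAP module's own debug left at its default level keeps the output short enough to confirm which branch of post-auth was taken.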
