PAP + ??NT challenge??

Rosario Lumia eryter at gmail.com
Thu Mar 11 15:35:18 CET 2010


Hi to all.

I have this configuration:

- freeradius 2.x
- in MySQL I have user "rosario" with attribute "NT-Password" and value
"NTHash of my password"

When I try to use radtest it works great.
But I have a web library that tries to authenticate the same user "rosario", but
in "User-Password" it puts (I think) an NT-challenge password.
This is the FreeRADIUS log.

rad_recv: Access-Request packet from host 127.0.0.1 port 51435, id=32,
length=85
    NAS-Identifier = "radius2"
    NAS-Port-Type = Virtual
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Calling-Station-Id = "127.0.0.1"
    User-Name = "rosario"
    User-Password = "\202\204\005\340-\275\341\344u\351-\310L$\260\242"
+- entering group authorize {...}
++[preprocess] returns ok
    expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/127.0.0.1/auth-detail-20100311
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100311
    expand: %t -> Thu Mar 11 15:31:56 2010
++[auth_log] returns ok
++[mschap] returns noop
[ntdomain] No '\' in User-Name = "rosario", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[suffix] No '@' in User-Name = "rosario", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
    expand: %{User-Name} -> rosario
[sql] sql_set_user escaped user --> 'rosario'
rlm_sql (sql): Reserving sql socket id: 4
    expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id
-> SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = 'rosario'           ORDER BY id
[sql] User found in radcheck table
    expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id
-> SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = 'rosario'           ORDER BY id
    expand: SELECT groupname           FROM usergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM usergroup           WHERE username =
'rosario'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
    expand: %{Stripped-User-Name:-%{User-Name}} -> rosario
[sql_meeting] sql_set_user escaped user --> 'rosario'
rlm_sql (sql_meeting): Reserving sql socket id: 4
    expand: SELECT id, UserName, Attribute, Value, op           FROM
radcheck           WHERE Username = '%{SQL-User-Name}'           ORDER BY id
-> SELECT id, UserName, Attribute, Value, op           FROM
radcheck           WHERE Username = 'rosario'           ORDER BY id
    expand: SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE
UserName='rosario'
rlm_sql (sql_meeting): Released sql socket id: 4
[sql_meeting] User rosario not found
++[sql_meeting] returns notfound
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
    expand: %{Stripped-User-Name:-%{User-Name}} -> rosario
[sql_biblio] sql_set_user escaped user --> 'rosario'
rlm_sql (sql_biblio): Reserving sql socket id: 4
    expand: SELECT id, UserName, Attribute, Value, op           FROM
radcheck           WHERE Username = '%{SQL-User-Name}'           ORDER BY id
-> SELECT id, UserName, Attribute, Value, op           FROM
radcheck           WHERE Username = 'rosario'           ORDER BY id
    expand: SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE
UserName='rosario'
rlm_sql (sql_biblio): Released sql socket id: 4
[sql_biblio] User rosario not found
++[sql_biblio] returns notfound
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
    expand: %{Stripped-User-Name:-%{User-Name}} -> rosario
[sql_signum] sql_set_user escaped user --> 'rosario'
rlm_sql (sql_signum): Reserving sql socket id: 4
    expand: SELECT id, UserName, Attribute, Value, op           FROM
radcheck           WHERE Username = '%{SQL-User-Name}'           ORDER BY id
-> SELECT id, UserName, Attribute, Value, op           FROM
radcheck           WHERE Username = 'rosario'           ORDER BY id
    expand: SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE
UserName='rosario'
rlm_sql (sql_signum): Released sql socket id: 4
[sql_signum] User rosario not found
++[sql_signum] returns notfound
[pap] Normalizing NT-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "???�-���u�-�L$��"
[pap] Using NT encryption.
[pap] rlm_mschap: NT-Hash: ???�-���u�-�L$��
[pap] rlm_mschap: NT-Hash: Result: 9bf2e48c667225847414c60fd3b16ce0
    expand: %{mschap:NT-Hash ???�-���u�-�L$��} ->
9bf2e48c667225847414c60fd3b16ce0
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: NT password check failed): [rosario] (from client
localhost port 0 cli 127.0.0.1)
  WARNING: Unprintable characters in the password.       Double-check the
shared secret on the server and the NAS!
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform
requested action.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 32 to 127.0.0.1 port 51435
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 51435, id=32,
length=85
Sending duplicate reply to client localhost port 51435 - ID: 32
Sending Access-Reject of id 32 to 127.0.0.1 port 51435
Waking up in 4.9 seconds.
Cleaning up request 0 ID 32 with timestamp +7
Ready to process requests.


I think that rlm_pap tries to hash a non-cleartext password and so it
doesn't work.
How can I tell rlm_pap to do the right thing, or otherwise to try to hash a
cleartext password and do something (that I don't know) if not?

Thanks.

Rosario

-- 
Rosario L.