AP> FR> LDAP authentication reject

Olivier Beytrison olivier at heliosnet.org
Fri Dec 28 08:00:02 CET 2012


On 28.12.2012 06:17, Thanakorn Rattanatikul wrote:
> I'm trying to set up the server to authenticate using LDAP. I'm having
> some problems and hope to get some help from the list.
> 
> I'm trying to set up AP->FR->LDAP. FreeRADIUS is a new installation on
> CentOS. LDAP is Sun Java System Directory Server.
> radtest->FR->LDAP passes, but AP->FR->LDAP does not pass.
It works with radtest because it does PAP. The password is sent in
cleartext in the request, so FreeRADIUS can then bind to the LDAP with the
user/password supplied to authenticate the user.

With your Access Point, you're doing EAP-PEAP with MSCHAPv2, which means
you need the clear-text password or an NT/LM-Password in your backend, or
via ntlm_auth. If FreeRADIUS doesn't have them, it can't do the
challenge/response. You have plenty of warnings that this will happen...

> [ldap]     expand: ou=guest,dc=ku,dc=ac,dc=th -> ou=guest,dc=ku,dc=ac,dc=th
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] attempting LDAP reconnection
>   [ldap] (re)connect to 158.108.8.214:389, authentication 0
>   [ldap] bind as uid=thanakorn,ou=guest,dc=ku,dc=ac,dc=th/testtest to
> 158.108.8.214:389
>   [ldap] waiting for bind result ...
>   [ldap] Bind was successful
>   [ldap] performing search in ou=guest,dc=ku,dc=ac,dc=th, with filter
> (uid=sun)
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
See here?
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
Or here?
> [pap] WARNING! No "known good" password found
> for the user.  Authentication may fail because of this.
> ++[pap] returns noop
And those?
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/default
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Creating challenge hash with username: sun
> [mschap] Told to do MS-CHAPv2 for sun with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
And here again...
> [peap]  The users session was previously rejected: returning reject (again.)
> [peap]  *** This means you need to read the PREVIOUS messages in the
> debug output
> [peap]  *** to find out the reason why the user was rejected.
> [peap]  *** Look for "reject" or "fail".  Those earlier messages will
> tell you.
> [peap]  *** what went wrong, and how to fix the problem.
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] returns invalid

In the default LDAP configuration file, it's clearly stated that:

    #  However, LDAP can be used for authentication ONLY when the
    #  Access-Request packet contains a clear-text User-Password
    #  attribute.  LDAP authentication will NOT work for any other
    #  authentication method.
    #  This means that LDAP servers don't understand EAP.  If you
    #  force "Auth-Type = LDAP", and then send the server a
    #  request containing EAP authentication, then authentication
    #  WILL NOT WORK.

You need to either have the clear-text password in your LDAP, store the user
password in the userfile, or use another way of getting the password
(SQL database, ntlm_auth to Active Directory).

Read the comments in the default configuration, and look for warnings and
errors in the debug output. They tell you what goes wrong, and what you
should do. In your case: provide a Cleartext-Password.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: olivier at heliosnet.org