Freeradius/LDAP Authentication issue

Benjamin Dupalut benjamin.dupalut at esiee.fr
Wed Mar 23 18:08:04 CET 2016


Hi,

First of all, sorry for my bad English.

I have installed Freeradius (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to 
authenticate users via our LDAP. I face an issue when I perform this 
radtest: radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"

Here is the freeradius -X debug:


rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111, 
length=48
Sending duplicate reply to client localhost port 44928 - ID: 111
Sending Access-Reject of id 111 to 127.0.0.1 port 44928
Waking up in 2.9 seconds.
Cleaning up request 2 ID 111 with timestamp +114
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111, 
length=48
     User-Name = "toto"
     User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ"
server inner-tunnel {
# Executing section authorize from file 
/etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[mschap] = noop
[suffix] No '@' in User-Name = "toto", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
++group  {
[ldap_1] performing user authorization for toto
[ldap_1]     expand: %{Stripped-User-Name} ->
[ldap_1]     ... expanding second conditional
[ldap_1]     expand: %{User-Name} -> toto
[ldap_1]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(uid=toto)
[ldap_1]     expand: ou=Users,dc=XXXX,dc=fr -> ou=Users,dc=XXXX,dc=fr
   [ldap_1] ldap_get_conn: Checking Id: 0
   [ldap_1] ldap_get_conn: Got Id: 0
   [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter 
(uid=toto)
[ldap_1] checking if remote access for toto is allowed by uid
[ldap_1] No default NMAS login sequence
[ldap_1] looking for check items in directory...
   [ldap_1] sambaNtPassword -> NT-Password == 
0x3344424445363937443731363930413736393230344245423132323833363738
   [ldap_1] sambaLmPassword -> LM-Password == 
0x4343463931353545334537444234353341414433423433354235313430344545
   [ldap_1] userPassword -> Cleartext-Password == 
"{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
   [ldap_1] userPassword -> Password-With-Header == 
"{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
   [ldap_1] sambaNtPassword -> NT-Password == 
0x3344424445363937443731363930413736393230344245423132323833363738
   [ldap_1] sambaLmPassword -> LM-Password == 
0x4343463931353545334537444234353341414433423433354235313430344545
[ldap_1] looking for reply items in directory...
[ldap_1] user toto authorized to use remote access
   [ldap_1] ldap_release_conn: Release Id: 0
+++[ldap_1] = ok
++} # group  = ok
++[expiration] = noop
++[logintime] = noop
+} # group authorize = ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.
   WARNING: Unprintable characters in the password.  Double-check the 
shared secret on the server and the NAS!
} # server inner-tunnel
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> toto
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 111 to 127.0.0.1 port 44928
Waking up in 4.9 seconds.
Cleaning up request 3 ID 111 with timestamp +120
Ready to process requests.


The user and client passwords are correct and I don't understand the 
following errors:

WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.
   WARNING: Unprintable characters in the password.  Double-check the 
shared secret on the server and the NAS!


Thank you for your replies.

Regards,

-- 

Benjamin Dupalut
System and network administrator
Service des Moyens Informatiques Généraux (SMIG)
ESIEE Paris
2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
T : +33 1 45 92 66 17
benjamin.dupalut at esiee.fr
www.esiee.fr / www.cci-paris-idf.fr
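The last warning in the debug output ("Unprintable characters in the password. Double-check the shared secret on the server and the NAS!") comes from the way RADIUS hides User-Password: the client XORs the padded password with a keystream derived from MD5(shared secret + Request Authenticator), and the server reverses it with its own copy of the secret (RFC 2865, section 5.2). When the two secrets differ, the server's decoding yields arbitrary bytes, which is exactly what the `User-Password = "Ғ\325..."` line above shows. The following Python script is an added illustration of that mechanism, not code from the original post or from FreeRADIUS; the 16-byte authenticator, the password "totopassword", the client-side secret "clientpassword" and the server-side secret "testing123" are constructed sample values (the last one is the secret FreeRADIUS ships for the `localhost` client in its default clients.conf).

```python
import hashlib

BLOCK = 16  # RFC 2865 hides User-Password in 16-byte blocks


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Password as a RADIUS client does (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous ciphertext block), the first block using the
    16-byte Request Authenticator instead of a previous block.
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    if not padded:
        padded = b"\x00" * BLOCK  # an empty password is still one block
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += block
        prev = block  # chaining: next keystream depends on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Decode User-Password as the server does, using *its* configured secret."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block  # the server chains on the ciphertext it received
    return bytes(out).rstrip(b"\x00")  # strip the NUL padding


def is_printable(password: bytes) -> bool:
    """Same spirit as the FreeRADIUS sanity check: every byte is printable ASCII."""
    return all(0x20 <= c < 0x7F for c in password)


def server_decode(hidden: bytes, server_secret: bytes, authenticator: bytes):
    """Return (decoded password, looks-sane flag) the way a server would judge it.

    A False flag is the condition behind "Unprintable characters in the password",
    and in practice means the client and server shared secrets differ.
    """
    decoded = reveal_password(hidden, server_secret, authenticator)
    return decoded, is_printable(decoded)


# Constructed sample values for the demonstration (not taken from the post).
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_PASSWORD = b"totopassword"
CLIENT_SECRET = b"clientpassword"   # what the radtest command in the post passed
SERVER_SECRET = b"testing123"       # FreeRADIUS default secret for client "localhost"


def demo():
    """Hide the password with the client's secret, decode it with both secrets."""
    hidden = hide_password(SAMPLE_PASSWORD, CLIENT_SECRET, SAMPLE_AUTHENTICATOR)
    matching = server_decode(hidden, CLIENT_SECRET, SAMPLE_AUTHENTICATOR)
    mismatched = server_decode(hidden, SERVER_SECRET, SAMPLE_AUTHENTICATOR)
    return matching, mismatched


if __name__ == "__main__":
    (ok_pw, ok_flag), (bad_pw, bad_flag) = demo()
    print("secrets match:   ", ok_pw, "printable:", ok_flag)
    print("secrets differ:  ", bad_pw, "printable:", bad_flag)
```

Run with the same secret on both sides and `server_decode` returns the original password with the printable flag set; run with differing secrets and it returns byte garbage with the flag cleared, the same symptom the debug log prints before rejecting the request. Because the decode step cannot tell a wrong secret from a genuinely binary password, the server can only warn and then fail the comparison against the LDAP "known good" password, which is why the "does NOT match" and "Unprintable characters" lines appear together.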


