Freeradius/LDAP Authentication issue

Benjamin Dupalut benjamin.dupalut at esiee.fr
Thu Mar 24 11:43:33 CET 2016


Unless I made a mistake, it should already be set. See my "inner-tunnel":

server inner-tunnel {
listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
}
authorize {
     mschap
     suffix
     update control {
            Proxy-To-Realm := LOCAL
     }
     eap {
         ok = return
     }
     files
     group {
                 ldap_1
         }
     expiration
     logintime
}
authenticate {
     Auth-Type CHAP {
         chap
     }
     Auth-Type MS-CHAP {
         mschap
     }
     unix
     eap
}
session {
     radutmp
}
post-auth {
     Post-Auth-Type REJECT {
         attr_filter.access_reject
     }
}
pre-proxy {
}
post-proxy {
     eap
}
} # inner-tunnel server block

In my previous radtest, I didn't set the port to 18120. Here is the new 
radtest and the freeradius -X output:

root at freeradius:/etc/freeradius/sites-enabled# radtest testfreeradius 
123 127.0.0.1:18120 0 testing123
Sending Access-Request of id 243 to 127.0.0.1 port 18120
     User-Name = "testfreeradius"
     User-Password = "123"
     NAS-IP-Address = 127.0.1.1
     NAS-Port = 0
     Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 18120, id=243, 
length=20

rad_recv: Access-Request packet from host 127.0.0.1 port 50017, id=243, 
length=84
     User-Name = "testfreeradius"
     User-Password = "123"
     NAS-IP-Address = 127.0.1.1
     NAS-Port = 0
     Message-Authenticator = 0x7575a48753b9ab51dcbed43d84c4e5ee
server inner-tunnel {
# Executing section authorize from file 
/etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[mschap] = noop
[suffix] No '@' in User-Name = "testfreeradius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
++group  {
[ldap_1] performing user authorization for testfreeradius
[ldap_1]     expand: %{Stripped-User-Name} ->
[ldap_1]     ... expanding second conditional
[ldap_1]     expand: %{User-Name} -> testfreeradius
[ldap_1]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(uid=testfreeradius)
[ldap_1]     expand: ou=Users,dc=esiee,dc=fr -> ou=Users,dc=esiee,dc=fr
   [ldap_1] ldap_get_conn: Checking Id: 0
   [ldap_1] ldap_get_conn: Got Id: 0
   [ldap_1] performing search in ou=Users,dc=esiee,dc=fr, with filter 
(uid=testfreeradius)
[ldap_1] checking if remote access for testfreeradius is allowed by uid
[ldap_1] No default NMAS login sequence
[ldap_1] looking for check items in directory...
   [ldap_1] sambaNtPassword -> NT-Password == 
0x3344424445363937443731363930413736393230344245423132323833363738
   [ldap_1] sambaLmPassword -> LM-Password == 
0x4343463931353545334537444234353341414433423433354235313430344545
   [ldap_1] userPassword -> Cleartext-Password == 
"{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
   [ldap_1] userPassword -> Password-With-Header == 
"{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
   [ldap_1] sambaNtPassword -> NT-Password == 
0x3344424445363937443731363930413736393230344245423132323833363738
   [ldap_1] sambaLmPassword -> LM-Password == 
0x4343463931353545334537444234353341414433423433354235313430344545
[ldap_1] looking for reply items in directory...
[ldap_1] user testfreeradius authorized to use remote access
   [ldap_1] ldap_release_conn: Release Id: 0
+++[ldap_1] = ok
++} # group  = ok
++[expiration] = noop
++[logintime] = noop
+} # group authorize = ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.
} # server inner-tunnel
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> testfreeradius
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 243 to 127.0.0.1 port 50017
Waking up in 4.9 seconds.
Cleaning up request 6 ID 243 with timestamp +6068
Ready to process requests.

Kind regards,

- -

Benjamin Dupalut
System and network administrator
Service des Moyens Informatiques Généraux (SMIG)
ESIEE Paris
2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
T : +33 1 45 92 66 17
benjamin.dupalut at esiee.fr
www.esiee.fr / www.cci-paris-idf.fr

On 24/03/2016 10:58, Anirudh Malhotra wrote:
> Set auth type as PAP or LDAP
> Set pap in the end of authorize section.
>
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>
> BR,
> Anirudh Malhotra
> 8zero2
> Mail: 8zero2.in at gmail.com
> Facebook: www.facebook.com/8zero2
> Twitter: @8zero2_in
> Blog: blog.8zero2.in
>
> On 24 Mar 2016, 15:07 +0530, Benjamin Dupalut<benjamin.dupalut at esiee.fr>, wrote:
>> Hi,
>>   
>> Thank you for your replies.
>>   
>> I wrote "clientpassword" so I don't publish a private password in this
>> public mail. I modified the clients.conf file to set the localhost
>> client password to "testing123" and performed this new radtest:
>>   
>> root at freeradius:/etc/freeradius# radtest testfreeradius 123 127.0.0.1 0
>> testing123
>> Sending Access-Request of id 68 to 127.0.0.1 port 1812
>> User-Name = "testfreeradius"
>> User-Password = "123"
>> NAS-IP-Address = 127.0.1.1
>> NAS-Port = 0
>> Message-Authenticator = 0x00000000000000000000000000000000
>> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=68,
>> length=20
>>   
>> Here is the freeradius -X debug:
>>   
>> rad_recv: Access-Request packet from host 127.0.0.1 port 35730, id=68,
>> length=84
>> User-Name = "testfreeradius"
>> User-Password = "123"
>> NAS-IP-Address = 127.0.1.1
>> NAS-Port = 0
>> Message-Authenticator = 0xb48c8d817ebe7b7ff9cfeeefa1de6b2e
>> # Executing section authorize from file
>> /etc/freeradius/sites-enabled/default
>> +group authorize {
>> ++[preprocess] = ok
>> [auth_log] expand: %{Packet-Src-IP-Address} ->127.0.0.1
>> [auth_log] expand:
>> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> ->/var/log/freeradius/radacct/127.0.0.1/auth-detail-20160324
>> [auth_log]
>> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20160324
>> [auth_log] expand: %t ->Thu Mar 24 10:26:33 2016
>> ++[auth_log] = ok
>> ++[mschap] = noop
>> [suffix] No '@' in User-Name = "testfreeradius", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] = noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] = noop
>> ++[files] = noop
>> ++group {
>> [ldap_1] performing user authorization for testfreeradius
>> [ldap_1] expand: %{Stripped-User-Name} -
>> [ldap_1] ... expanding second conditional
>> [ldap_1] expand: %{User-Name} ->testfreeradius
>> [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
>> (uid=testfreeradius)
>> [ldap_1] expand: ou=Users,dc=esiee,dc=fr ->ou=Users,dc=esiee,dc=fr
>> [ldap_1] ldap_get_conn: Checking Id: 0
>> [ldap_1] ldap_get_conn: Got Id: 0
>> [ldap_1] performing search in ou=Users,dc=esiee,dc=fr, with filter
>> (uid=testfreeradius)
>> [ldap_1] checking if remote access for testfreeradius is allowed by uid
>> [ldap_1] No default NMAS login sequence
>> [ldap_1] looking for check items in directory...
>> [ldap_1] sambaNtPassword ->NT-Password ==
>> 0x3344424445363937443731363930413736393230344245423132323833363738
>> [ldap_1] sambaLmPassword ->LM-Password ==
>> 0x4343463931353545334537444234353341414433423433354235313430344545
>> [ldap_1] userPassword ->Cleartext-Password ==
>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>> [ldap_1] userPassword ->Password-With-Header ==
>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>> [ldap_1] sambaNtPassword ->NT-Password ==
>> 0x3344424445363937443731363930413736393230344245423132323833363738
>> [ldap_1] sambaLmPassword ->LM-Password ==
>> 0x4343463931353545334537444234353341414433423433354235313430344545
>> [ldap_1] looking for reply items in directory...
>> [ldap_1] user testfreeradius authorized to use remote access
>> [ldap_1] ldap_release_conn: Release Id: 0
>> +++[ldap_1] = ok
>> ++} # group = ok
>> +} # group authorize = ok
>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>> WARNING: Use the PAP or CHAP modules instead.
>> User-Password in the request does NOT match "known good" password.
>> Failed to authenticate the user.
>> Using Post-Auth-Type REJECT
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +group REJECT {
>> [attr_filter.access_reject] expand: %{User-Name} ->testfreeradius
>> attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] = updated
>> +} # group REJECT = updated
>> Delaying reject of request 3 for 1 seconds
>> Going to the next request
>> Waking up in 0.9 seconds.
>> Sending delayed reject for request 3
>> Sending Access-Reject of id 68 to 127.0.0.1 port 35730
>> Waking up in 4.9 seconds.
>> Cleaning up request 3 ID 68 with timestamp +1377
>> Ready to process requests.
>>   
>> Here is the client.conf file:
>>   
>> client 127.0.0.1 {
>> secret = testing123
>> shortname = localhost
>> nastype = other # localhost isn't usually a NAS...
>> }
>>   
>> Kind regards,
>>   
>> - -
>>   
>> Benjamin Dupalut
>> System and network administrator
>> Service des Moyens Informatiques Généraux (SMIG)
>> ESIEE Paris
>> 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
>> T : +33 1 45 92 66 17
>> benjamin.dupalut at esiee.fr
>> www.esiee.fr / www.cci-paris-idf.fr
>>   
>> On 24/03/2016 05:45, Anirudh Malhotra wrote:
>>> Yes, I think the shared secrets are not matching; that's why we see the unencrypted value of the user password as something else, and hence it fails to match the "known good" password.
>>>   
>>> BR,
>>> Anirudh Malhotra
>>> 8zero2
>>> Mail: 8zero2.in at gmail.com
>>> Facebook: www.facebook.com/8zero2
>>> Twitter: @8zero2_in
>>> Blog: blog.8zero2.in
>>>   
>>> On 24 Mar 2016, 00:00 +0530, Peter Lambrechtsen<peter at crypt.nz>, wrote:
>>>> On Mar 24, 2016 6:11 AM, "Benjamin Dupalut"<benjamin.dupalut at esiee.fr>
>>>> wrote:
>>>>>   
>>>>> Hi,
>>>>>   
>>>>> First of all, sorry for my bad English.
>>>>>   
>>>>> I have installed Freeradius (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to
>>>> authenticate users via our LDAP. I face an issue when I perform this
>>>> radtest: radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"
>>>>   
>>>> In the default config the shared secret is testing123 rather than
>>>> clientpassword
>>>>   
>>>>>   
>>>>> Here is the freeradius -X debug :
>>>>>   
>>>>>   
>>>>> rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
>>>> length=48
>>>>> Sending duplicate reply to client localhost port 44928 - ID: 111
>>>>> Sending Access-Reject of id 111 to 127.0.0.1 port 44928
>>>>> Waking up in 2.9 seconds.
>>>>> Cleaning up request 2 ID 111 with timestamp +114
>>>>> Ready to process requests.
>>>>> rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
>>>> length=48
>>>>> User-Name = "toto"
>>>>> User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ"
>>>>   
>>>> This would be the cleartext password if your secret matched.
>>>>   
>>>>> server inner-tunnel {
>>>>> # Executing section authorize from file
>>>> /etc/freeradius/sites-enabled/inner-tunnel
>>>>> +group authorize {
>>>>> ++[mschap] = noop
>>>>> [suffix] No '@' in User-Name = "toto", looking up realm NULL
>>>>> [suffix] No such realm "NULL"
>>>>> ++[suffix] = noop
>>>>> ++update control {
>>>>> ++} # update control = noop
>>>>> [eap] No EAP-Message, not doing EAP
>>>>> ++[eap] = noop
>>>>> ++[files] = noop
>>>>> ++group {
>>>>> [ldap_1] performing user authorization for toto
>>>>> [ldap_1] expand: %{Stripped-User-Name} -
>>>>> [ldap_1] ... expanding second conditional
>>>>> [ldap_1] expand: %{User-Name} ->toto
>>>>> [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
>>>> (uid=toto)
>>>>> [ldap_1] expand: ou=Users,dc=XXXX,dc=fr ->ou=Users,dc=XXXX,dc=fr
>>>>> [ldap_1] ldap_get_conn: Checking Id: 0
>>>>> [ldap_1] ldap_get_conn: Got Id: 0
>>>>> [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter
>>>> (uid=toto)
>>>>> [ldap_1] checking if remote access for toto is allowed by uid
>>>>> [ldap_1] No default NMAS login sequence
>>>>> [ldap_1] looking for check items in directory...
>>>>> [ldap_1] sambaNtPassword ->NT-Password ==
>>>> 0x3344424445363937443731363930413736393230344245423132323833363738
>>>>> [ldap_1] sambaLmPassword ->LM-Password ==
>>>> 0x4343463931353545334537444234353341414433423433354235313430344545
>>>>> [ldap_1] userPassword ->Cleartext-Password ==
>>>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>>>>> [ldap_1] userPassword ->Password-With-Header ==
>>>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>>>>> [ldap_1] sambaNtPassword ->NT-Password ==
>>>> 0x3344424445363937443731363930413736393230344245423132323833363738
>>>>> [ldap_1] sambaLmPassword ->LM-Password ==
>>>> 0x4343463931353545334537444234353341414433423433354235313430344545
>>>>> [ldap_1] looking for reply items in directory...
>>>>> [ldap_1] user toto authorized to use remote access
>>>>> [ldap_1] ldap_release_conn: Release Id: 0
>>>>> +++[ldap_1] = ok
>>>>> ++} # group = ok
>>>>> ++[expiration] = noop
>>>>> ++[logintime] = noop
>>>>> +} # group authorize = ok
>>>>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>>>>> WARNING: Use the PAP or CHAP modules instead.
>>>>> User-Password in the request does NOT match "known good" password.
>>>>> Failed to authenticate the user.
>>>>> WARNING: Unprintable characters in the password. Double-check the
>>>> shared secret on the server and the NAS!
>>>>> } # server inner-tunnel
>>>>> Using Post-Auth-Type REJECT
>>>>> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
>>>>> +group REJECT {
>>>>> [attr_filter.access_reject] expand: %{User-Name} ->toto
>>>>> attr_filter: Matched entry DEFAULT at line 11
>>>>> ++[attr_filter.access_reject] = updated
>>>>> +} # group REJECT = updated
>>>>> Delaying reject of request 3 for 1 seconds
>>>>> Going to the next request
>>>>> Waking up in 0.9 seconds.
>>>>> Sending delayed reject for request 3
>>>>> Sending Access-Reject of id 111 to 127.0.0.1 port 44928
>>>>> Waking up in 4.9 seconds.
>>>>> Cleaning up request 3 ID 111 with timestamp +120
>>>>> Ready to process requests.
>>>>>   
>>>>>   
>>>>> The user and client passwords are correct and I don't understand the
>>>> following errors:
>>>>>   
>>>>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>>>>> WARNING: Use the PAP or CHAP modules instead.
>>>>> User-Password in the request does NOT match "known good" password.
>>>>> Failed to authenticate the user.
>>>>> WARNING: Unprintable characters in the password. Double-check the
>>>> shared secret on the server and the NAS!
>>>>>   
>>>>>   
>>>>> Thank you for your replies.
>>>>>   
>>>>> Kind regards,
>>>>>   
>>>>> - -
>>>>>   
>>>>> Benjamin Dupalut
>>>>> System and network administrator
>>>>> Service des Moyens Informatiques Généraux (SMIG)
>>>>> ESIEE Paris
>>>>> 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
>>>>> T : +33 1 45 92 66 17
>>>>> benjamin.dupalut at esiee.fr
>>>>> www.esiee.fr / www.cci-paris-idf.fr
>>>>>   
>>>>> -
>>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html

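As an added illustration (not code from FreeRADIUS or from anyone in this thread) of the two causes the replies point at: RFC 2865 User-Password hiding, which turns a shared-secret mismatch into the unprintable garbage Peter describes, and the {MD5} header handling the pap module applies to Password-With-Header, which a literal 'Auth-Type = Local' comparison cannot do. The password "123" and the userPassword value come from the debug output above; the secrets and the Request Authenticator used to exercise it are constructed.

```python
import base64
import hashlib
import hmac

# Values taken from the thread's debug output: the password typed into radtest
# and the userPassword attribute LDAP returned for the test user.
USER_PASSWORD = b"123"
LDAP_USER_PASSWORD = "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block); the first 'previous block' is the
    16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_user_password. With the wrong shared secret the key
    stream differs, so the result is garbage, which is what the server reports
    as 'Unprintable characters in the password'."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def looks_printable(password: bytes) -> bool:
    """The server's sanity check: every byte of the recovered password is printable ASCII."""
    return all(0x20 <= c < 0x7F for c in password)


def pap_check_with_header(stored: str, candidate: bytes) -> bool:
    """What the pap module does with Password-With-Header: honour the {MD5}
    header (base64 of the raw digest) instead of comparing the string literally.
    'Auth-Type = Local' compares literally, so "123" never equals "{MD5}..."
    and the request is rejected even once the shared secret is right."""
    if stored.startswith("{MD5}"):
        digest = base64.b64decode(stored[len("{MD5}"):])
        return hmac.compare_digest(hashlib.md5(candidate).digest(), digest)
    return hmac.compare_digest(stored.encode(), candidate)  # plain cleartext value
```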