Freeradius/LDAP Authentication issue

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Thu Mar 24 14:33:09 CET 2016


>   I set the IP address to "127.0.0.1:18120" and the debug output is :
>   server inner-tunnel {
>   # Executing section authorize from file
>   /etc/freeradius/sites-enabled/inner-tunnel
>   Doesn't that mean it runs through the inner-tunnel?

Yes, that's what I meant by connecting to port 18120.

>   I thought I sent the full debug output. I copy/pasted all the output
>   from freeradius -X. Do you want me to copy/paste my configuration
>   files like I did with the "clients" file?

When you run freeradius -X, the debug starts with the copyright notice at
the top. You don't have to worry about passwords being exposed, because in
newer versions you'll see "<<< secret >>>" instead of the real
password/client secret. :-)

This tends to help people like Alan and Arran when they're trying to help
you.

>> You don't have pap listed in your auth config....
> Is PAP necessary if I already set LDAP?

Yes, looking at some of the output:

> [ldap_1] looking for check items in directory...
> [ldap_1] sambaNtPassword -> NT-Password ==
> 0x3344424445363937443731363930413736393230344245423132323833363738
> [ldap_1] sambaLmPassword -> LM-Password ==
> 0x4343463931353545334537444234353341414433423433354235313430344545
> [ldap_1] userPassword -> Cleartext-Password ==
> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> [ldap_1] userPassword -> Password-With-Header ==
> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="

You receive NT-Password and LM-Password back, as well as
Password-With-Header with a '{MD5}' header in it. PAP will deal with that
password... Include 'pap' in the authorize section *after* ldap_1, then in
the authenticate section add the PAP type back in:

Auth-Type PAP {
        pap
}

Try it then. If you're adding this into the inner-tunnel, make sure you
tell radtest to connect to localhost:18120.

With Regards


Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT
No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a
company limited by guarantee which is registered in England under Company
No. number 2881024, VAT No. GB 197 0632 86. The registered office is:
Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T
01235 822200.
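
Added example (not part of the message above and not FreeRADIUS source code): a Python illustration of the kind of check a PAP step has to perform on a header-prefixed value such as the '{MD5}...' string in the debug output, and why comparing that string as cleartext can never match. The function names and the sample password are constructed for illustration; the {SSHA} branch goes beyond the case shown in the thread.

```python
import base64
import binascii
import hashlib
import hmac

def split_header(value):
    """'{MD5}data' -> ('MD5', 'data'); a value with no header -> (None, value)."""
    if value.startswith("{") and "}" in value:
        scheme, _, data = value[1:].partition("}")
        return scheme.upper(), data
    return None, value

def decode_digest(data, size, salted=False):
    """Directories store digests as hex or base64; accept whichever fits `size`."""
    for decode in (binascii.unhexlify, lambda s: base64.b64decode(s, validate=True)):
        try:
            raw = decode(data)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(raw) == size or (salted and len(raw) > size):
            return raw
    raise ValueError("digest is neither hex nor base64 of the expected size")

def pap_check(stored, user_password):
    """Compare the password from the request with the value read from LDAP."""
    scheme, data = split_header(stored)
    pw = user_password.encode()
    if scheme is None:                      # plain cleartext value
        return hmac.compare_digest(data.encode(), pw)
    if scheme == "MD5":
        return hmac.compare_digest(decode_digest(data, 16), hashlib.md5(pw).digest())
    if scheme == "SSHA":                    # SHA-1 digest followed by the salt
        raw = decode_digest(data, 20, salted=True)
        return hmac.compare_digest(raw[:20], hashlib.sha1(pw + raw[20:]).digest())
    raise ValueError("unsupported password header: " + scheme)

def make_md5_header(password):
    """Build a constructed '{MD5}' value shaped like the one in the debug output."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()

if __name__ == "__main__":
    stored = make_md5_header("example-pass")    # constructed sample, not from the thread
    print(stored, pap_check(stored, "example-pass"), pap_check(stored, "wrong"))
    # Treating the same string as cleartext never matches the typed password:
    print(stored == "example-pass")
```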



