freeradius3 unable to authenticate ldap user through mschap

Karunagaran D karunad at ssn.edu.in
Wed Nov 6 04:14:25 CET 2019


Dear Team,

   I have configured the ldap module and can successfully authenticate in radtest,
but I am unable to authenticate LDAP users through MS-CHAP.

Herewith I am attaching the successful LDAP authentication file and the
unsuccessful MS-CHAP authentication file for LDAP users.


Please help


Regards,
Karunad

-- 
D.Karunagaran
Network Administrator,
SSN College of Engineering,
Old Mahabalipuram Road, Kalavakkam -603110, Chennai, India,
Ph: +91-44-27469700/27469772   Ext: 222;

-------------- next part --------------
(0) Received Access-Request Id 42 from 127.0.0.1:52084 to 127.0.0.1:18120 length 84
(0)   User-Name = "karunad at ssn.in"
(0)   User-Password = "Dkaruna at 1974"
(0)   NAS-IP-Address = 10.101.1.55
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0x4d65d2ee404437332a75dbc9766b8ec4
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [chap] = noop
(0)     [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "ssn.in" for User-Name = "karunad at ssn.in"
(0) suffix: No such realm "ssn.in"
(0)     [suffix] = noop
(0)     update control {
(0)       &Proxy-To-Realm := LOCAL
(0)     } # update control = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (userPrincipalName=karunad at ssn.in)
(0) ldap: Performing search in "dc=ssn,dc=in" with filter "(userPrincipalName=karunad at ssn.in)", scope "sub"
(0) ldap: Waiting for search result...
Unable to chase referral "ldaps://ForestDnsZones.ssn.in/DC=ForestDnsZones,DC=ssn,DC=in" (-1: Can't contact LDAP server)
Unable to chase referral "ldaps://DomainDnsZones.ssn.in/DC=DomainDnsZones,DC=ssn,DC=in" (-1: Can't contact LDAP server)
Unable to chase referral "ldaps://ssn.in/CN=Configuration,DC=ssn,DC=in" (-1: Can't contact LDAP server)
(0) ldap: User object found at DN "CN=karunad,OU=staff,DC=ssn,DC=in"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://pad.ssn.edu.in:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)     if ((ok || updated) && User-Password && !control:Auth-Type) {
(0)     if ((ok || updated) && User-Password && !control:Auth-Type)  -> TRUE
(0)     if ((ok || updated) && User-Password && !control:Auth-Type)  {
(0)       update {
(0)         control:Auth-Type := LDAP
(0)       } # update = noop
(0)     } # if ((ok || updated) && User-Password && !control:Auth-Type)  = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = LDAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(0)   Auth-Type LDAP {
rlm_ldap (ldap): Reserved connection (1)
(0) ldap: Login attempt by "karunad at ssn.in"
(0) ldap: Using user DN from request "CN=karunad,OU=staff,DC=ssn,DC=in"
(0) ldap: Waiting for bind result...
(0) ldap: Bind successful
(0) ldap: Bind as user "CN=karunad,OU=staff,DC=ssn,DC=in" was successful
rlm_ldap (ldap): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap): Connecting to ldap://pad.ssn.edu.in:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)   } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(0)   post-auth {
(0)     if (0) {
(0)     if (0)  -> FALSE
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 42 from 127.0.0.1:18120 to 127.0.0.1:52084 length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Sending duplicate reply to client localhost port 52084 - ID: 42
Waking up in 9.9 seconds.
(0) Cleaning up request packet ID 42 with timestamp +5

-------------- next part --------------
(1) Received Access-Request Id 93 from 127.0.0.1:22779 to 127.0.0.1:18120 length 140
(1)   User-Name = "karunad at ssn.in"
(1)   NAS-IP-Address = 10.101.1.55
(1)   NAS-Port = 0
(1)   Message-Authenticator = 0xf87798a006cb2ea17d22ed83720d3664
(1)   MS-CHAP-Challenge = 0x0eb44659f4fa7e2e
(1)   MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000089f7ff5b31e7c1358756a7f84920a35b7e3e994604b59765
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [chap] = noop
(1) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(1)     [mschap] = ok
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "ssn.in" for User-Name = "karunad at ssn.in"
(1) suffix: No such realm "ssn.in"
(1)     [suffix] = noop
(1)     update control {
(1)       &Proxy-To-Realm := LOCAL
(1)     } # update control = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1)     [files] = noop
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 168 seconds
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 167 seconds
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 167 seconds
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 157 seconds
rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 156 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 156 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 156 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://pad.ssn.edu.in:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (7)
(1) ldap: EXPAND (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap:    --> (userPrincipalName=karunad at ssn.in)
(1) ldap: Performing search in "dc=ssn,dc=in" with filter "(userPrincipalName=karunad at ssn.in)", scope "sub"
(1) ldap: Waiting for search result...
Unable to chase referral "ldaps://ForestDnsZones.ssn.in/DC=ForestDnsZones,DC=ssn,DC=in" (-1: Can't contact LDAP server)
Unable to chase referral "ldaps://DomainDnsZones.ssn.in/DC=DomainDnsZones,DC=ssn,DC=in" (-1: Can't contact LDAP server)
Unable to chase referral "ldaps://ssn.in/CN=Configuration,DC=ssn,DC=in" (-1: Can't contact LDAP server)
(1) ldap: User object found at DN "CN=karunad,OU=staff,DC=ssn,DC=in"
(1) ldap: Processing user attributes
(1) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(1) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (7)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (8), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://pad.ssn.edu.in:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1)     [ldap] = ok
(1)     if ((ok || updated) && User-Password && !control:Auth-Type) {
(1)     if ((ok || updated) && User-Password && !control:Auth-Type)  -> FALSE
(1)     [expiration] = noop
(1)     [logintime] = noop
(1)     [pap] = noop
(1)   } # authorize = ok
(1) Found Auth-Type = mschap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(1)   authenticate {
(1) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(1) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(1) mschap: Client is using MS-CHAPv1 with NT-Password
(1) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(1) mschap: ERROR: MS-CHAP2-Response is incorrect
(1)     [mschap] = reject
(1)   } # authenticate = reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> karunad at ssn.in
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     update outer.session-state {
(1)       ERROR: Mapping "&request:Module-Failure-Message" -> "&Module-Failure-Message" invalid in this context
(1)     } # update outer.session-state = invalid
(1)   } # Post-Auth-Type REJECT = invalid
(1) Delaying response for 1.000000 seconds
Waking up in 0.1 seconds.
Waking up in 0.8 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 93 from 127.0.0.1:18120 to 127.0.0.1:22779 length 61
(1)   MS-CHAP-Error = "\000E=691 R=1 C=c46688b2ef798f02 V=2"
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 93 with timestamp +167
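The second trace above shows the root cause. rlm_ldap finds the user object but warns that no "known good" password was added: Active Directory never returns a password or NT hash over LDAP, so the bind-as-user check that made the PAP/radtest case succeed has nothing to offer MS-CHAP. rlm_mschap then reports "No NT/LM-Password. Cannot perform authentication" and rejects with MS-CHAP-Error E=691, because computing the expected challenge response requires the NT hash. The usual remedy for AD is to let rlm_mschap pass the client's challenge and NT-Response to Samba's ntlm_auth, which has the domain controller verify them. The fragment below is an added example, not the poster's configuration and not the FreeRADIUS project's shipped file; the ntlm_auth binary path and the NT domain name SSN are assumptions (only the raddb path comes from the debug output).

```conf
# /usr/local/etc/raddb/mods-available/mschap  (raddb path from the debug output above;
# the ntlm_auth path and the domain name "SSN" are assumptions for this example)
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes

	# Strip a leading "DOMAIN\" from the User-Name that Windows clients send.
	with_ntdomain_hack = yes

	# Hand the MS-CHAP challenge and NT-Response to Samba's winbind instead of
	# trying to compute the response locally.  The domain controller checks
	# them against the NT hash it holds, so FreeRADIUS never needs
	# control:NT-Password or control:Cleartext-Password for AD users.
	#
	# %{mschap:Challenge} and %{mschap:NT-Response} are rlm_mschap xlats that
	# expose the values from the request; the ":-00" defaults keep the
	# command well-formed if an attribute is missing.  The domain falls back
	# to the assumed "SSN" when the User-Name carries no DOMAIN\ prefix.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-SSN} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Two things in the traces need attention for this to work. The suffix module logs "No such realm "ssn.in"", so Stripped-User-Name is never set and ntlm_auth would receive "karunad@ssn.in"; declaring an empty `realm ssn.in { }` in proxy.conf makes the suffix module strip the "@ssn.in" part and handle the request locally. Second, the user FreeRADIUS runs as must be able to read winbind's privileged pipe directory (on Debian-derived systems that is membership of the winbindd_priv group); otherwise ntlm_auth fails before reaching the DC. Verify winbind on its own first with `ntlm_auth --request-nt-key --domain=SSN --username=karunad --password='<password>'`, then re-run `radtest -t mschap karunad '<password>' localhost 0 testing123`; the "MS-CHAPv1 with NT-Password" path in the trace is exactly what radtest's mschap mode exercises. The "Unable to chase referral" lines are harmless for the lookup itself (the object is still found) but can be silenced with `chase_referrals = no` in the ldap module's `options` section, and the "Mapping ... invalid in this context" error in Post-Auth-Type REJECT only appears because the test packet was sent straight to the inner-tunnel port with no outer request to copy into.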
