<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>
<div dir="ltr">
<font style="" color="#548dd4">I am very new to radius, and </font><font style="" color="#548dd4">I
am having a problem configuring radius to authenticate by checking my
already running openldap server for authorization and then using PAP for
authentication. I am running a CentOS server where openldap is the
backed to a samba network authentication server. My comments here will
be posted in blue, radius debugging output in black, and security
changes to the output in red. I have two test runs of different
configurations but will also explain what I did throughout the the progression of my radius server
development. First I followed the directions on
"Deploying Radius" at
http://deployingradius.com/documents/configuration/pap.html. This lets
me know that the server is working, but does not have much information
about LDAP authentication and other sites I have looked over use
outdated information. So, throughout this process, I have kept track of
the changes that I have made, and saved the original configurations to
the files that I make changes to so that I can always start over again
if need be.</font><font style="" color="#548dd4"> After
the first test, I made changes to the /sites-available/default file to
uncomment the ldap line in the authorization section. I left the ldap
authentication line commented out because of further research describing
that it is not needed if I am just doing pap authentication. I used a
username and password that I know works for my network authentication. I
also made changes to the /modules/ldap file in order to connect to the
ldap database. The radius server had difficulties extracting
the userPassword from the ldap server, but pulled out the NT, LM passwords and the username just fine.</font><font style="" color="#548dd4"> I then made
one more change to the ldap module. I uncommented the line
"password_attribute = userPassword" and received the following results:</font><br><br>FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Mar 31 2010 at 00:14:28<br>Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. <br>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A <br>PARTICULAR PURPOSE. <br>You may redistribute copies of FreeRADIUS under the terms of the <br>GNU General Public License v2. <br>Starting - reading configuration files ...<br>including configuration file /etc/raddb/radiusd.conf<br>including configuration file /etc/raddb/proxy.conf<br>including configuration file /etc/raddb/clients.conf<br>including files in directory /etc/raddb/modules/<br>including configuration file /etc/raddb/modules/perl<br>including configuration file /etc/raddb/modules/inner-eap<br>including configuration file /etc/raddb/modules/checkval<br>including configuration file /etc/raddb/modules/expr<br>including configuration file /etc/raddb/modules/wimax<br>including configuration file /etc/raddb/modules/unix<br>including configuration file /etc/raddb/modules/files<br>including configuration file /etc/raddb/modules/sql_log<br>including configuration file /etc/raddb/modules/ldap<br>including configuration file /etc/raddb/modules/otp<br>including configuration file /etc/raddb/modules/echo<br>including configuration file /etc/raddb/modules/acct_unique<br>including configuration file /etc/raddb/modules/linelog<br>including configuration file /etc/raddb/modules/etc_group<br>including configuration file /etc/raddb/modules/mac2ip<br>including configuration file /etc/raddb/modules/digest<br>including configuration file /etc/raddb/modules/counter<br>including configuration file /etc/raddb/modules/attr_rewrite<br>including configuration file /etc/raddb/modules/logintime<br>including configuration file /etc/raddb/modules/sradutmp<br>including configuration file /etc/raddb/modules/chap<br>including configuration file /etc/raddb/modules/preprocess<br>including configuration file /etc/raddb/modules/always<br>including configuration file /etc/raddb/modules/policy<br>including configuration file /etc/raddb/modules/cui<br>including configuration file /etc/raddb/modules/mschap.bak<br>including configuration file /etc/raddb/modules/ippool<br>including configuration file /etc/raddb/modules/attr_filter<br>including configuration file /etc/raddb/modules/exec<br>including configuration file /etc/raddb/modules/mschap<br>including configuration file /etc/raddb/modules/radutmp<br>including configuration file /etc/raddb/modules/pam<br>including configuration file /etc/raddb/modules/passwd<br>including configuration file /etc/raddb/modules/smsotp<br>including configuration file /etc/raddb/modules/detail<br>including configuration file /etc/raddb/modules/detail.log<br>including configuration file /etc/raddb/modules/mac2vlan<br>including configuration file /etc/raddb/modules/sqlcounter_expire_on_login<br>including configuration file /etc/raddb/modules/detail.example.com<br>including configuration file /etc/raddb/modules/expiration<br>including configuration file /etc/raddb/modules/realm<br>including configuration file /etc/raddb/modules/pap<br>including configuration file /etc/raddb/modules/smbpasswd<br>including configuration file /etc/raddb/eap.conf<br>including configuration file /etc/raddb/policy.conf<br>including files in directory /etc/raddb/sites-enabled/<br>including configuration file /etc/raddb/sites-enabled/default<br>including configuration file /etc/raddb/sites-enabled/control-socket<br>including configuration file /etc/raddb/sites-enabled/inner-tunnel<br>group = radiusd<br>user = radiusd<br>including dictionary file /etc/raddb/dictionary<br>main {<br> prefix = "/usr"<br> localstatedir = "/var"<br> logdir = "/var/log/radius"<br> libdir = "/usr/lib64/freeradius"<br> radacctdir = "/var/log/radius/radacct"<br> hostname_lookups = no<br> max_request_time = 30<br> cleanup_delay = 5<br> max_requests = 1024<br> allow_core_dumps = no<br> pidfile = "/var/run/radiusd/radiusd.pid"<br> checkrad = "/usr/sbin/checkrad"<br> debug_level = 0<br> proxy_requests = yes<br> log {<br> stripped_names = no<br> auth = no<br> auth_badpass = no<br> auth_goodpass = no<br> }<br> security {<br> max_attributes = 200<br> reject_delay = 1<br> status_server = yes<br> }<br>}<br>radiusd: #### Loading Realms and Home Servers ####<br> proxy server {<br> retry_delay = 5<br> retry_count = 3<br> default_fallback = no<br> dead_time = 120<br> wake_all_if_all_dead = no<br> }<br> home_server localhost {<br> ipaddr = 127.0.0.1<br> port = 1812<br> type = "auth"<br> secret = "testing123"<br> response_window = 20<br> max_outstanding = 65536<br> require_message_authenticator = no<br> zombie_period = 40<br> status_check = "status-server"<br> ping_interval = 30<br> check_interval = 30<br> num_answers_to_alive = 3<br> num_pings_to_alive = 3<br> revive_interval = 120<br> status_check_timeout = 4<br> irt = 2<br> mrt = 16<br> mrc = 5<br> mrd = 30<br> }<br> home_server_pool my_auth_failover {<br> type = fail-over<br> home_server = localhost<br> }<br> realm example.com {<br> auth_pool = my_auth_failover<br> }<br> realm LOCAL {<br> }<br>radiusd: #### Loading Clients ####<br> client localhost {<br> ipaddr = 127.0.0.1<br> require_message_authenticator = no<br> secret = "testing123"<br> shortname = "localhost"<br> nastype = "other"<br> }<br>radiusd: #### Instantiating modules ####<br> instantiate {<br> Module: Linked to module rlm_exec<br> Module: Instantiating exec<br> exec {<br> wait = no<br> input_pairs = "request"<br> shell_escape = yes<br> }<br> Module: Linked to module rlm_expr<br> Module: Instantiating expr<br> Module: Linked to module rlm_expiration<br> Module: Instantiating expiration<br> expiration {<br> reply-message = "Password Has Expired "<br> }<br> Module: Linked to module rlm_logintime<br> Module: Instantiating logintime<br> logintime {<br> reply-message = "You are calling outside your allowed timespan "<br> minimum-timeout = 60<br> }<br> }<br>radiusd: #### Loading Virtual Servers ####<br>server inner-tunnel {<br> modules {<br> Module: Checking authenticate {...} for more modules to load<br> Module: Linked to module rlm_pap<br> Module: Instantiating pap<br> pap {<br> encryption_scheme = "auto"<br> auto_header = no<br> }<br> Module: Linked to module rlm_chap<br> Module: Instantiating chap<br> Module: Linked to module rlm_mschap<br> Module: Instantiating mschap<br> mschap {<br> use_mppe = yes<br> require_encryption = no<br> require_strong = no<br> with_ntdomain_hack = no<br> }<br> Module: Linked to module rlm_unix<br> Module: Instantiating unix<br> unix {<br> radwtmp = "/var/log/radius/radwtmp"<br> }<br> Module: Linked to module rlm_eap<br> Module: Instantiating eap<br> eap {<br> default_eap_type = "md5"<br> timer_expire = 60<br> ignore_unknown_eap_types = yes<br> cisco_accounting_username_bug = no<br> max_sessions = 2048<br> }<br> Module: Linked to sub-module rlm_eap_md5<br> Module: Instantiating eap-md5<br> Module: Linked to sub-module rlm_eap_leap<br> Module: Instantiating eap-leap<br> Module: Linked to sub-module rlm_eap_gtc<br> Module: Instantiating eap-gtc<br> gtc {<br> challenge = "Password: "<br> auth_type = "PAP"<br> }<br> Module: Linked to sub-module rlm_eap_tls<br> Module: Instantiating eap-tls<br> tls {<br> rsa_key_exchange = no<br> dh_key_exchange = yes<br> rsa_key_length = 512<br> dh_key_length = 512<br> verify_depth = 0<br> pem_file_type = yes<br> private_key_file = "/etc/raddb/certs/server.pem"<br> certificate_file = "/etc/raddb/certs/server.pem"<br> CA_file = "/etc/raddb/certs/ca.pem"<br> private_key_password = "whatever"<br> dh_file = "/etc/raddb/certs/dh"<br> random_file = "/etc/raddb/certs/random"<br> fragment_size = 1024<br> include_length = yes<br> check_crl = no<br> cipher_list = "DEFAULT"<br> make_cert_command = "/etc/raddb/certs/bootstrap"<br> cache {<br> enable = no<br> lifetime = 24<br> max_entries = 255<br> }<br> }<br> Module: Linked to sub-module rlm_eap_ttls<br> Module: Instantiating eap-ttls<br> ttls {<br> default_eap_type = "md5"<br> copy_request_to_tunnel = no<br> use_tunneled_reply = no<br> virtual_server = "inner-tunnel"<br> include_length = yes<br> }<br> Module: Linked to sub-module rlm_eap_peap<br> Module: Instantiating eap-peap<br> peap {<br> default_eap_type = "mschapv2"<br> copy_request_to_tunnel = no<br> use_tunneled_reply = no<br> proxy_tunneled_request_as_eap = yes<br> virtual_server = "inner-tunnel"<br> }<br> Module: Linked to sub-module rlm_eap_mschapv2<br> Module: Instantiating eap-mschapv2<br> mschapv2 {<br> with_ntdomain_hack = no<br> }<br> Module: Checking authorize {...} for more modules to load<br> Module: Linked to module rlm_realm<br> Module: Instantiating suffix<br> realm suffix {<br> format = "suffix"<br> delimiter = "@"<br> ignore_default = no<br> ignore_null = no<br> }<br> Module: Linked to module rlm_files<br> Module: Instantiating files<br> files {<br> usersfile = "/etc/raddb/users"<br> acctusersfile = "/etc/raddb/acct_users"<br> preproxy_usersfile = "/etc/raddb/preproxy_users"<br> compat = "no"<br> }<br> Module: Checking session {...} for more modules to load<br> Module: Linked to module rlm_radutmp<br> Module: Instantiating radutmp<br> radutmp {<br> filename = "/var/log/radius/radutmp"<br> username = "%{User-Name}"<br> case_sensitive = yes<br> check_with_nas = yes<br> perm = 384<br> callerid = yes<br> }<br> Module: Checking post-proxy {...} for more modules to load<br> Module: Checking post-auth {...} for more modules to load<br> Module: Linked to module rlm_attr_filter<br> Module: Instantiating attr_filter.access_reject<br> attr_filter attr_filter.access_reject {<br> attrsfile = "/etc/raddb/attrs.access_reject"<br> key = "%{User-Name}"<br> }<br> } # modules<br>} # server<br>server {<br> modules {<br> Module: Checking authenticate {...} for more modules to load<br> Module: Checking authorize {...} for more modules to load<br> Module: Linked to module rlm_preprocess<br> Module: Instantiating preprocess<br> preprocess {<br> huntgroups = "/etc/raddb/huntgroups"<br> hints = "/etc/raddb/hints"<br> with_ascend_hack = no<br> ascend_channels_per_line = 23<br> with_ntdomain_hack = no<br> with_specialix_jetstream_hack = no<br> with_cisco_vsa_hack = no<br> with_alvarion_vsa_hack = no<br> }<br> Module: Linked to module rlm_ldap<br> Module: Instantiating ldap<br> ldap {<br> server = "localhost"<br> port = 389<br> password = "<font style="" color="#ff0000">LdapPassword</font>"<br> identity = "<font style="" color="#ff0000">cn=Admin,dc=domain,dc=com</font>"<br> net_timeout = 1<br> timeout = 4<br> timelimit = 3<br> tls_mode = no<br> start_tls = no<br> tls_require_cert = "allow"<br> tls {<br> start_tls = no<br> require_cert = "allow"<br> }<br> basedn = "dc=ndoa,dc=state,dc=nv,dc=us"<br> filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"<br> base_filter = "(objectclass=radiusprofile)"<br> password_attribute = "userPassword"<br> auto_header = no<br> access_attr_used_for_allow = yes<br> groupname_attribute = "cn"<br>
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"<br> dictionary_mapping = "/etc/raddb/ldap.attrmap"<br> ldap_debug = 0<br> ldap_connections_number = 5<br> compare_check_items = no<br> do_xlat = yes<br> set_auth_type = yes<br> }<br>rlm_ldap: Registering ldap_groupcmp for Ldap-Group<br>rlm_ldap: Registering ldap_xlat with xlat_name ldap<br>rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section.<br>rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap<br>rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$<br>rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$<br>rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type<br>rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use<br>rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id<br>rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id<br>rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password<br>rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password<br>rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password<br>rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password<br>rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password<br>rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT<br>rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration<br>rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address<br>rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type<br>rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol<br>rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address<br>rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask<br>rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route<br>rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing<br>rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id<br>rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU<br>rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression<br>rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host<br>rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service<br>rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port<br>rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number<br>rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id<br>rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network<br>rlm_ldap: LDAP radiusClass mapped to RADIUS Class<br>rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout<br>rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout<br>rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action<br>rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service<br>rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node<br>rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group<br>rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link<br>rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network<br>rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone<br>rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit<br>rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port<br>rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message<br>rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type<br>rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type<br>rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id<br>conns: 0x2f50730<br> Module: Checking preacct {...} for more modules to load<br> Module: Linked to module rlm_acct_unique<br> Module: Instantiating acct_unique<br> acct_unique {<br> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<br> }<br> Module: Checking accounting {...} for more modules to load<br> Module: Linked to module rlm_detail<br> Module: Instantiating detail<br> detail {<br> detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<br> header = "%t"<br> detailperm = 384<br> dirperm = 493<br> locking = no<br> log_packet_header = no<br> }<br> Module: Instantiating attr_filter.accounting_response<br> attr_filter attr_filter.accounting_response {<br> attrsfile = "/etc/raddb/attrs.accounting_response"<br> key = "%{User-Name}"<br> }<br> Module: Checking session {...} for more modules to load<br> Module: Checking post-proxy {...} for more modules to load<br> Module: Checking post-auth {...} for more modules to load<br> } # modules<br>} # server<br>radiusd: #### Opening IP addresses and Ports ####<br>listen {<br> type = "auth"<br> ipaddr = *<br> port = 0<br>}<br>listen {<br> type = "acct"<br> ipaddr = *<br> port = 0<br>}<br>listen {<br> type = "control"<br> listen {<br> socket = "/var/run/radiusd/radiusd.sock"<br> }<br>}<br>Listening on authentication address * port 1812<br>Listening on accounting address * port 1813<br>Listening on command file /var/run/radiusd/radiusd.sock<br>Listening on proxy address * port 1814<br>Ready to process requests.<br>rad_recv: Access-Request packet from host 127.0.0.1 port 54977, id=196, length=59<br> User-Name = "<font style="" color="#ff0000">username</font>"<br> User-Password = "<font style="" color="#ff0000">Password</font>"<br> NAS-IP-Address = <font style="" color="#ff0000">localhost</font><br> NAS-Port = 2<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "<font style="" color="#ff0000">username</font>", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] No EAP-Message, not doing EAP<br>++[eap] returns noop<br>++[unix] returns updated<br>++[files] returns noop<br>[ldap] performing user authorization for <font style="" color="#ff0000">username</font><br>[ldap] expand: %{Stripped-User-Name} -> <br>[ldap] expand: %{User-Name} -> <font style="" color="#ff0000">username</font><br>[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=<font style="" color="#ff0000">username</font>)<br>[ldap] expand: <font style="" color="#ff0000">dc=domain,dc=com</font> -> <font style="" color="#ff0000">dc=domain,dc=com</font><br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: attempting LDAP reconnection<br>rlm_ldap: (re)connect to localhost:389, authentication 0<br>rlm_ldap: bind as <font style="" color="#ff0000">cn=Admin,dc=domain,dc=com</font>/<font style="" color="#ff0000">LdapPassword</font> to localhost:389<br>rlm_ldap: waiting for bind result ...<br>rlm_ldap: Bind was successful<br>rlm_ldap: performing search in <font style="" color="#ff0000">dc=domain,dc=com</font>, with filter (uid=<font style="" color="#ff0000">username</font>)<br>[ldap] Added User-Password = {SSHA}<font style="" color="#ff0000">encryptedPassword</font> in check items<br>[ldap] looking for check items in directory...<br>rlm_ldap: sambaNtPassword -> NT-Password == <font style="" color="#ff0000">encryptedNTpassword</font><br>rlm_ldap: sambaLmPassword -> LM-Password == <font style="" color="#ff0000">encryptedLMpassword</font><br>[ldap] looking for reply items in directory...<br>[ldap] user <font style="" color="#ff0000">username</font> authorized to use remote access<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>++[ldap] returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] Normalizing NT-Password from hex encoding<br>[pap] Normalizing LM-Password from hex encoding<br>++[pap] returns updated<br>Found Auth-Type = PAP<br>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br>!!! Replacing User-Password in config items with Cleartext-Password. !!!<br>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br>!!! Please update your configuration so that the "known good" !!!<br>!!! clear text password is in Cleartext-Password, and not in User-Password. !!!<br>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br>+- entering group PAP {...}<br>[pap] login attempt with password "<font style="" color="#ff0000">Password</font>"<br>[pap] Using CRYPT encryption.<br>[pap] Passwords don't match<br>++[pap] returns reject<br>Failed to authenticate the user.<br>Using Post-Auth-Type Reject<br>+- entering group REJECT {...}<br>[attr_filter.access_reject] expand: %{User-Name} -> <font style="" color="#ff0000">username</font><br> attr_filter: Matched entry DEFAULT at line 11<br>++[attr_filter.access_reject] returns updated<br>Delaying reject of request 0 for 1 seconds<br>Going to the next request<br>Waking up in 0.9 seconds.<br>Sending delayed reject for request 0<br>Sending Access-Reject of id 196 to 127.0.0.1 port 54977<br>Waking up in 4.9 seconds.<br><br><font style="" color="#548dd4">After
this failed attempt, I figured that PAP was not configured properly for
my ldap authentication so I made a change to the /modules/pap file:
"auto_header = yes". I tested this configuration and saw that PAP was
still trying to authenticate my SSHA password with CRYPT so I added
"encryption_scheme = "ssha" " to the pap module file. and get this
result:</font><font style="" color="#548dd4"><br></font><br>FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Mar 31 2010 at 00:14:28<br>Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. <br>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A <br>PARTICULAR PURPOSE. <br>You may redistribute copies of FreeRADIUS under the terms of the <br>GNU General Public License v2. <br>Starting - reading configuration files ...<br>including configuration file /etc/raddb/radiusd.conf<br>including configuration file /etc/raddb/proxy.conf<br>including configuration file /etc/raddb/clients.conf<br>including files in directory /etc/raddb/modules/<br>including configuration file /etc/raddb/modules/perl<br>including configuration file /etc/raddb/modules/inner-eap<br>including configuration file /etc/raddb/modules/checkval<br>including configuration file /etc/raddb/modules/expr<br>including configuration file /etc/raddb/modules/wimax<br>including configuration file /etc/raddb/modules/unix<br>including configuration file /etc/raddb/modules/files<br>including configuration file /etc/raddb/modules/sql_log<br>including configuration file /etc/raddb/modules/ldap<br>including configuration file /etc/raddb/modules/otp<br>including configuration file /etc/raddb/modules/echo<br>including configuration file /etc/raddb/modules/acct_unique<br>including configuration file /etc/raddb/modules/linelog<br>including configuration file /etc/raddb/modules/etc_group<br>including configuration file /etc/raddb/modules/mac2ip<br>including configuration file /etc/raddb/modules/digest<br>including configuration file /etc/raddb/modules/counter<br>including configuration file /etc/raddb/modules/attr_rewrite<br>including configuration file /etc/raddb/modules/logintime<br>including configuration file /etc/raddb/modules/sradutmp<br>including configuration file /etc/raddb/modules/chap<br>including configuration file /etc/raddb/modules/preprocess<br>including configuration file /etc/raddb/modules/always<br>including configuration file /etc/raddb/modules/policy<br>including configuration file /etc/raddb/modules/cui<br>including configuration file /etc/raddb/modules/mschap.bak<br>including configuration file /etc/raddb/modules/ippool<br>including configuration file /etc/raddb/modules/attr_filter<br>including configuration file /etc/raddb/modules/exec<br>including configuration file /etc/raddb/modules/mschap<br>including configuration file /etc/raddb/modules/radutmp<br>including configuration file /etc/raddb/modules/pam<br>including configuration file /etc/raddb/modules/passwd<br>including configuration file /etc/raddb/modules/smsotp<br>including configuration file /etc/raddb/modules/detail<br>including configuration file /etc/raddb/modules/detail.log<br>including configuration file /etc/raddb/modules/mac2vlan<br>including configuration file /etc/raddb/modules/sqlcounter_expire_on_login<br>including configuration file /etc/raddb/modules/detail.example.com<br>including configuration file /etc/raddb/modules/expiration<br>including configuration file /etc/raddb/modules/realm<br>including configuration file /etc/raddb/modules/pap<br>including configuration file /etc/raddb/modules/smbpasswd<br>including configuration file /etc/raddb/eap.conf<br>including configuration file /etc/raddb/policy.conf<br>including files in directory /etc/raddb/sites-enabled/<br>including configuration file /etc/raddb/sites-enabled/default<br>including configuration file /etc/raddb/sites-enabled/control-socket<br>including configuration file /etc/raddb/sites-enabled/inner-tunnel<br>group = radiusd<br>user = radiusd<br>including dictionary file /etc/raddb/dictionary<br>main {<br> prefix = "/usr"<br> localstatedir = "/var"<br> logdir = "/var/log/radius"<br> libdir = "/usr/lib64/freeradius"<br> radacctdir = "/var/log/radius/radacct"<br> hostname_lookups = no<br> max_request_time = 30<br> cleanup_delay = 5<br> max_requests = 1024<br> allow_core_dumps = no<br> pidfile = "/var/run/radiusd/radiusd.pid"<br> checkrad = "/usr/sbin/checkrad"<br> debug_level = 0<br> proxy_requests = yes<br> log {<br> stripped_names = no<br> auth = no<br> auth_badpass = no<br> auth_goodpass = no<br> }<br> security {<br> max_attributes = 200<br> reject_delay = 1<br> status_server = yes<br> }<br>}<br>radiusd: #### Loading Realms and Home Servers ####<br> proxy server {<br> retry_delay = 5<br> retry_count = 3<br> default_fallback = no<br> dead_time = 120<br> wake_all_if_all_dead = no<br> }<br> home_server localhost {<br> ipaddr = 127.0.0.1<br> port = 1812<br> type = "auth"<br> secret = "testing123"<br> response_window = 20<br> max_outstanding = 65536<br> require_message_authenticator = no<br> zombie_period = 40<br> status_check = "status-server"<br> ping_interval = 30<br> check_interval = 30<br> num_answers_to_alive = 3<br> num_pings_to_alive = 3<br> revive_interval = 120<br> status_check_timeout = 4<br> irt = 2<br> mrt = 16<br> mrc = 5<br> mrd = 30<br> }<br> home_server_pool my_auth_failover {<br> type = fail-over<br> home_server = localhost<br> }<br> realm example.com {<br> auth_pool = my_auth_failover<br> }<br> realm LOCAL {<br> }<br>radiusd: #### Loading Clients ####<br> client localhost {<br> ipaddr = 127.0.0.1<br> require_message_authenticator = no<br> secret = "testing123"<br> shortname = "localhost"<br> nastype = "other"<br> }<br>radiusd: #### Instantiating modules ####<br> instantiate {<br> Module: Linked to module rlm_exec<br> Module: Instantiating exec<br> exec {<br> wait = no<br> input_pairs = "request"<br> shell_escape = yes<br> }<br> Module: Linked to module rlm_expr<br> Module: Instantiating expr<br> Module: Linked to module rlm_expiration<br> Module: Instantiating expiration<br> expiration {<br> reply-message = "Password Has Expired "<br> }<br> Module: Linked to module rlm_logintime<br> Module: Instantiating logintime<br> logintime {<br> reply-message = "You are calling outside your allowed timespan "<br> minimum-timeout = 60<br> }<br> }<br>radiusd: #### Loading Virtual Servers ####<br>server inner-tunnel {<br> modules {<br> Module: Checking authenticate {...} for more modules to load<br> Module: Linked to module rlm_pap<br> Module: Instantiating pap<br> pap {<br> encryption_scheme = "ssha"<br> auto_header = yes<br> }<br> Module: Linked to module rlm_chap<br> Module: Instantiating chap<br> Module: Linked to module rlm_mschap<br> Module: Instantiating mschap<br> mschap {<br> use_mppe = yes<br> require_encryption = no<br> require_strong = no<br> with_ntdomain_hack = no<br> }<br> Module: Linked to module rlm_unix<br> Module: Instantiating unix<br> unix {<br> radwtmp = "/var/log/radius/radwtmp"<br> }<br> Module: Linked to module rlm_eap<br> Module: Instantiating eap<br> eap {<br> default_eap_type = "md5"<br> timer_expire = 60<br> ignore_unknown_eap_types = yes<br> cisco_accounting_username_bug = no<br> max_sessions = 2048<br> }<br> Module: Linked to sub-module rlm_eap_md5<br> Module: Instantiating eap-md5<br> Module: Linked to sub-module rlm_eap_leap<br> Module: Instantiating eap-leap<br> Module: Linked to sub-module rlm_eap_gtc<br> Module: Instantiating eap-gtc<br> gtc {<br> challenge = "Password: "<br> auth_type = "PAP"<br> }<br> Module: Linked to sub-module rlm_eap_tls<br> Module: Instantiating eap-tls<br> tls {<br> rsa_key_exchange = no<br> dh_key_exchange = yes<br> rsa_key_length = 512<br> dh_key_length = 512<br> verify_depth = 0<br> pem_file_type = yes<br> private_key_file = "/etc/raddb/certs/server.pem"<br> certificate_file = "/etc/raddb/certs/server.pem"<br> CA_file = "/etc/raddb/certs/ca.pem"<br> private_key_password = "whatever"<br> dh_file = "/etc/raddb/certs/dh"<br> random_file = "/etc/raddb/certs/random"<br> fragment_size = 1024<br> include_length = yes<br> check_crl = no<br> cipher_list = "DEFAULT"<br> make_cert_command = "/etc/raddb/certs/bootstrap"<br> cache {<br> enable = no<br> lifetime = 24<br> max_entries = 255<br> }<br> }<br> Module: Linked to sub-module rlm_eap_ttls<br> Module: Instantiating eap-ttls<br> ttls {<br> default_eap_type = "md5"<br> copy_request_to_tunnel = no<br> use_tunneled_reply = no<br> virtual_server = "inner-tunnel"<br> include_length = yes<br> }<br> Module: Linked to sub-module rlm_eap_peap<br> Module: Instantiating eap-peap<br> peap {<br> default_eap_type = "mschapv2"<br> copy_request_to_tunnel = no<br> use_tunneled_reply = no<br> proxy_tunneled_request_as_eap = yes<br> virtual_server = "inner-tunnel"<br> }<br> Module: Linked to sub-module rlm_eap_mschapv2<br> Module: Instantiating eap-mschapv2<br> mschapv2 {<br> with_ntdomain_hack = no<br> }<br> Module: Checking authorize {...} for more modules to load<br> Module: Linked to module rlm_realm<br> Module: Instantiating suffix<br> realm suffix {<br> format = "suffix"<br> delimiter = "@"<br> ignore_default = no<br> ignore_null = no<br> }<br> Module: Linked to module rlm_files<br> Module: Instantiating files<br> files {<br> usersfile = "/etc/raddb/users"<br> acctusersfile = "/etc/raddb/acct_users"<br> preproxy_usersfile = "/etc/raddb/preproxy_users"<br> compat = "no"<br> }<br> Module: Checking session {...} for more modules to load<br> Module: Linked to module rlm_radutmp<br> Module: Instantiating radutmp<br> radutmp {<br> filename = "/var/log/radius/radutmp"<br> username = "%{User-Name}"<br> case_sensitive = yes<br> check_with_nas = yes<br> perm = 384<br> callerid = yes<br> }<br> Module: Checking post-proxy {...} for more modules to load<br> Module: Checking post-auth {...} for more modules to load<br> Module: Linked to module rlm_attr_filter<br> Module: Instantiating attr_filter.access_reject<br> attr_filter attr_filter.access_reject {<br> attrsfile = "/etc/raddb/attrs.access_reject"<br> key = "%{User-Name}"<br> }<br> } # modules<br>} # server<br>server {<br> modules {<br> Module: Checking authenticate {...} for more modules to load<br> Module: Checking authorize {...} for more modules to load<br> Module: Linked to module rlm_preprocess<br> Module: Instantiating preprocess<br> preprocess {<br> huntgroups = "/etc/raddb/huntgroups"<br> hints = "/etc/raddb/hints"<br> with_ascend_hack = no<br> ascend_channels_per_line = 23<br> with_ntdomain_hack = no<br> with_specialix_jetstream_hack = no<br> with_cisco_vsa_hack = no<br> with_alvarion_vsa_hack = no<br> }<br> Module: Linked to module rlm_ldap<br> Module: Instantiating ldap<br> ldap {<br> server = "localhost"<br> port = 389<br> password = "<font style="" color="#ff0000">LdapPassword</font>"<br> identity = "<font style="" color="#ff0000">cn=Admin,dc=domain,dc=com</font>"<br> net_timeout = 1<br> timeout = 4<br> timelimit = 3<br> tls_mode = no<br> start_tls = no<br> tls_require_cert = "allow"<br> tls {<br> start_tls = no<br> require_cert = "allow"<br> }<br> basedn = "<font style="" color="#ff0000">dc=domain,dc=com</font>"<br> filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"<br> base_filter = "(objectclass=radiusprofile)"<br> password_attribute = "userPassword"<br> auto_header = no<br> access_attr_used_for_allow = yes<br> groupname_attribute = "cn"<br>
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"<br> dictionary_mapping = "/etc/raddb/ldap.attrmap"<br> ldap_debug = 0<br> ldap_connections_number = 5<br> compare_check_items = no<br> do_xlat = yes<br> set_auth_type = yes<br> }<br>rlm_ldap: Registering ldap_groupcmp for Ldap-Group<br>rlm_ldap: Registering ldap_xlat with xlat_name ldap<br>rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section.<br>rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap<br>rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$<br>rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$<br>rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type<br>rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use<br>rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id<br>rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id<br>rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password<br>rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password<br>rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password<br>rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password<br>rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password<br>rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT<br>rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration<br>rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address<br>rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type<br>rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol<br>rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address<br>rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask<br>rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route<br>rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing<br>rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id<br>rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU<br>rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression<br>rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host<br>rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service<br>rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port<br>rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number<br>rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id<br>rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network<br>rlm_ldap: LDAP radiusClass mapped to RADIUS Class<br>rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout<br>rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout<br>rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action<br>rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service<br>rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node<br>rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group<br>rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link<br>rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network<br>rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone<br>rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit<br>rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port<br>rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message<br>rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type<br>rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type<br>rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id<br>conns: 0x189ff7c0<br> Module: Checking preacct {...} for more modules to load<br> Module: Linked to module rlm_acct_unique<br> Module: Instantiating acct_unique<br> acct_unique {<br> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<br> }<br> Module: Checking accounting {...} for more modules to load<br> Module: Linked to module rlm_detail<br> Module: Instantiating detail<br> detail {<br> detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<br> header = "%t"<br> detailperm = 384<br> dirperm = 493<br> locking = no<br> log_packet_header = no<br> }<br> Module: Instantiating attr_filter.accounting_response<br> attr_filter attr_filter.accounting_response {<br> attrsfile = "/etc/raddb/attrs.accounting_response"<br> key = "%{User-Name}"<br> }<br> Module: Checking session {...} for more modules to load<br> Module: Checking post-proxy {...} for more modules to load<br> Module: Checking post-auth {...} for more modules to load<br> } # modules<br>} # server<br>radiusd: #### Opening IP addresses and Ports ####<br>listen {<br> type = "auth"<br> ipaddr = *<br> port = 0<br>}<br>listen {<br> type = "acct"<br> ipaddr = *<br> port = 0<br>}<br>listen {<br> type = "control"<br> listen {<br> socket = "/var/run/radiusd/radiusd.sock"<br> }<br>}<br>Listening on authentication address * port 1812<br>Listening on accounting address * port 1813<br>Listening on command file /var/run/radiusd/radiusd.sock<br>Listening on proxy address * port 1814<br>Ready to process requests.<br>rad_recv: Access-Request packet from host 127.0.0.1 port 41127, id=231, length=59<br> User-Name = "<font style="" color="#ff0000">username</font>"<br> User-Password = "<font style="" color="#ff0000">Password</font>"<br> NAS-IP-Address = <font style="" color="#ff0000">localhost</font><br> NAS-Port = 2<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "<font style="" color="#ff0000">username</font>", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] No EAP-Message, not doing EAP<br>++[eap] returns noop<br>++[unix] returns updated<br>++[files] returns noop<br>[ldap] performing user authorization for <font style="" color="#ff0000">username</font><br>[ldap] expand: %{Stripped-User-Name} -> <br>[ldap] expand: %{User-Name} -> <font style="" color="#ff0000">username</font><br>[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=<font style="" color="#ff0000">username</font>)<br>[ldap] expand: <font style="" color="#ff0000">dc=domain,dc=com</font> -> <font style="" color="#ff0000">dc=domain,dc=com</font><br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: attempting LDAP reconnection<br>rlm_ldap: (re)connect to localhost:389, authentication 0<br>rlm_ldap: bind as<font style="" color="#ff0000"> cn=Admin,dc=domain,dc=com</font>/<font style="" color="#ff0000">LdapPassword</font> to localhost:389<br>rlm_ldap: waiting for bind result ...<br>rlm_ldap: Bind was successful<br>rlm_ldap: performing search in <font style="" color="#ff0000">dc=domain,dc=com</font>, with filter (uid=<font style="" color="#ff0000">username</font>)<br>[ldap] Added User-Password = {SSHA}<font style="" color="#ff0000">encryptedPassword</font> in check items<br>[ldap] looking for check items in directory...<br>rlm_ldap: sambaNtPassword -> NT-Password == <font style="" color="#ff0000">encryptedNTpassword</font><br>rlm_ldap: sambaLmPassword -> LM-Password == <font style="" color="#ff0000">encryptedLMpassword</font><br>[ldap] looking for reply items in directory...<br>[ldap] user <font style="" color="#ff0000">username</font> authorized to use remote access<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>++[ldap] returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] Normalizing NT-Password from hex encoding<br>[pap] Normalizing LM-Password from hex encoding<br>[pap] Normalizing SSHA1-Password from base64 encoding<br>++[pap] returns updated<br>Found Auth-Type = PAP<br>+- entering group PAP {...}<br>[pap] login attempt with password "<font style="" color="#ff0000">Password</font>"<br>[pap] No password configured for the user. Cannot do authentication<br>++[pap] returns fail<br>Failed to authenticate the user.<br>Using Post-Auth-Type Reject<br>+- entering group REJECT {...}<br>[attr_filter.access_reject] expand: %{User-Name} -> <font style="" color="#ff0000">username</font><br> attr_filter: Matched entry DEFAULT at line 11<br>++[attr_filter.access_reject] returns updated<br>Delaying reject of request 0 for 1 seconds<br>Going to the next request<br>Waking up in 0.9 seconds.<br>Sending delayed reject for request 0<br>Sending Access-Reject of id 231 to 127.0.0.1 port 41127<br>Waking up in 4.9 seconds.<br>Cleaning up request 0 ID 231 with timestamp +2<br>Ready to process requests.<br><br><font style="" color="#548dd4">I
do not know if I am even heading in the right direction, but I would
appreciate any help to get this working. Thanks in advance.</font> </div> </div></body>
</html>