<div dir="ltr">OK great, now I understand the root cause... <div><br></div><div>I have changed my passwords in the ldap (im using openLDAP with phpldapadmin) to be clear text but still getting radius rejected issue.</div><div>
<br></div><div>The log says: Cleartext-Password is required for authentication but it should be?!</div><div><br></div><div><div>rad_recv: Access-Request packet from host 10.x.x.100 port 55524, id=14, length=50</div><div> User-Name = "adamjseed"</div>
<div> CHAP-Password = 0xf9f798ccef8ac701b1f545d0dda826172a</div><div># Executing section authorize from file /etc/freeradius/sites-enabled/default</div><div>+- entering group authorize {...}</div><div>++[preprocess] returns ok</div>
<div>[chap] Setting 'Auth-Type := CHAP'</div><div>++[chap] returns ok</div><div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "adamjseed", looking up realm NULL</div>
<div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] No EAP-Message, not doing EAP</div><div>++[eap] returns noop</div><div>[ldap] performing user authorization for adamjseed</div>
<div>[ldap] expand: %{Stripped-User-Name} -></div><div>[ldap] ... expanding second conditional</div><div>[ldap] expand: %{User-Name} -> adamjseed</div><div>[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=adamjseed)</div>
<div>[ldap] expand: dc=example,dc=com -> dc=example,dc=com</div><div> [ldap] ldap_get_conn: Checking Id: 0</div><div> [ldap] ldap_get_conn: Got Id: 0</div><div> [ldap] performing search in dc=example,dc=com, with filter (uid=adamjseed)</div>
<div>[ldap] No default NMAS login sequence</div><div>[ldap] looking for check items in directory...</div><div> [ldap] userPassword -> Password-With-Header == "Password01"</div><div>[ldap] looking for reply items in directory...</div>
<div>[ldap] user adamjseed authorized to use remote access</div><div> [ldap] ldap_release_conn: Release Id: 0</div><div>++[ldap] returns ok</div><div>++[expiration] returns noop</div><div>++[logintime] returns noop</div>
<div>[pap] Failed to decode Password-With-Header = "Password01"</div><div>[pap] WARNING: Auth-Type already set. Not setting to PAP</div><div>++[pap] returns noop</div><div>Found Auth-Type = CHAP</div><div># Executing group from file /etc/freeradius/sites-enabled/default</div>
<div>+- entering group CHAP {...}</div><div>[chap] login attempt by "adamjseed" with CHAP password</div><div><b>[chap] Cleartext-Password is required for authentication</b></div><div>++[chap] returns invalid</div>
<div>Failed to authenticate the user.</div><div>Using Post-Auth-Type Reject</div><div># Executing group from file /etc/freeradius/sites-enabled/default</div><div>+- entering group REJECT {...}</div><div>[attr_filter.access_reject] expand: %{User-Name} -> adamjseed</div>
<div> attr_filter: Matched entry DEFAULT at line 11</div><div>++[attr_filter.access_reject] returns updated</div></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Mar 3, 2014 at 1:36 PM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">Adam Seed wrote:<br>
> Hi Alan,<br>
><br>
> That same wiki says 'The ldap module can only work with PAP passwords<br>
> since it needs to send the clear text user password to the LDAP server<br>
> to authenticate the user.'<br>
<br>
</div> Where?<br>
<div class=""><br>
> I might be mis-understanding as im new to<br>
> Radius, but that doesnt sound to positive. Anyway... I'm hoping to find<br>
> a workaround<br>
<br>
</div> That text (whatever it is) means that you can only do "bind as user"<br>
when the Access-Request contains User-Password (i.e. PAP).<br>
<div class=""><br>
<br>
> So I checked my sites-enabled/default and it does have the LDAP module<br>
> listed:<br>
<br>
</div> OK...<br>
<div class=""><br>
> (I striped out the comments and highlighted the bits I changed)<br>
<br>
<br>
</div> Please don't post it here. It doesn't help.<br>
<div class=""><br>
> In addition here is the output of my debug:<br>
<br>
</div> That's what we need.<br>
<div class="">> [ldap] userPassword -> Password-With-Header ==<br>
> "{MD5}1hkMdaNUxxbUu/hufTrjtQ=="<br>
<br>
</div> You're storing passwords in MD5 hashed format. This is incompatible<br>
with CHAP.<br>
<br>
<a href="http://deployingradius.com/documents/protocols/compatibility.html" target="_blank">http://deployingradius.com/documents/protocols/compatibility.html</a><br>
<div class=""><br>
> [chap] Cleartext-Password is required for authentication<br>
<br>
</div> See? I suggest believing that message. It'd true.<br>
<div class=""><br>
> Any assistant is greatly welcomed.<br>
<br>
</div> (a) store clear-text passwords in LDAP<br>
<br>
(b) don't use CHAP.<br>
<br>
Pick one.<br>
<div class="HOEnZb"><div class="h5"><br>
Alan DeKok.<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br></div>