<div dir="ltr"><div><div><div><div><div><div><div><div><div>Hello<br><br></div>I have a working installation of freeradius2, providing AAA on my wlan by using ldap stored users.<br></div>I am trying to upgrade to freeradius3, but I met a problem.<br>
</div>As far as I understood, the ldap attribute previously mapped through the ldap.attrmap file now must be mapped by an update statement, so in the ldap module configuration I configured:<br><br> update {<br> control:Password-With-Header += 'userPassword'<br>
control:NT-Password := 'sambaNTPassword'<br> }<br><br></div><div>I know that this is working because in the debug I see:<br><br>..<br>(12) 8021x1 : User object found at DN "uid=XXXXXXX<br>(12) 8021x1 : Processing user attributes<br>
(12) 8021x1 : control:Password-With-Header += '{SHA}XXXXXXXXXXXXXXXXXXXX'<br>(12) 8021x1 : control:NT-Password := 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<br>rlm_ldap (8021x1): Released connection (4)<br>
<br></div>But when I try to authenticate I have this error:<br><br>(12) Found Auth-Type = EAP<br>(12) # Executing group from file /ofb/freeradius/etc/raddb/sites-enabled/default<br>(12) authenticate {<br>(12) eap : Expiring EAP session with state 0x08682d8c08653729<br>
(12) eap : Finished EAP session with state 0x08682d8c08653729<br>(12) eap : Previous EAP request found for state 0x08682d8c08653729, released from the list<br>(12) eap : Peer sent MSCHAPv2 (26)<br>(12) eap : EAP MSCHAPv2 (26)<br>
(12) eap : Calling eap_mschapv2 to process EAP data<br>(12) eap_mschapv2 : # Executing group from file /ofb/freeradius/etc/raddb/sites-enabled/default<br>(12) eap_mschapv2 : Auth-Type MS-CHAP {<br>(12) mschap : No Cleartext-Password configured. Cannot create LM-Password<br>
(12) ERROR: mschap : NT-Password has not been normalized by the "pap" module. Authentication will fail.<br>(12) mschap : Creating challenge hash with username: XXX<br>(12) mschap : Client is using MS-CHAPv2 for XXX, we need NT-Password<br>
(12) mschap : FAILED: No NT/LM-Password. Cannot perform authentication.<br>(12) mschap : FAILED: MS-CHAP2-Response is incorrect<br>(12) [mschap] = reject<br>(12) } # Auth-Type MS-CHAP = reject<br>(12) eap : Freeing handler<br>
(12) [eap] = reject<br>(12) } # authenticate = reject<br>(12) Failed to authenticate the user.<br>(12) Using Post-Auth-Type Reject<br>(12) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.<br>
} # server default<br>(12) eap_peap : Got tunneled reply code 3<br> MS-CHAP-Error = '\rE=691 R=1'<br> EAP-Message = 0x040d0004<br> Message-Authenticator = 0x00000000000000000000000000000000<br>(12) eap_peap : Got tunneled reply RADIUS code 3<br>
MS-CHAP-Error = '\rE=691 R=1'<br> EAP-Message = 0x040d0004<br> Message-Authenticator = 0x00000000000000000000000000000000<br>(12) eap_peap : Tunneled authentication was rejected.<br>(12) eap_peap : FAILURE<br>
<br></div>I took a peek at the rlm_mschap.c code and I saw that the part "validating" the NT-Password is oddly different from version 2 to version 3, as v2 was:<br><br> nt_password = pairfind(request->config_items, PW_NT_PASSWORD);<br>
if (nt_password) {<br> if ((nt_password->length == 16) ||<br> ((nt_password->length == 32) &&<br> (fr_hex2bin(nt_password->vp_strvalue,<br> nt_password->vp_octets, 16) == 16))) {<br>
RDEBUG2("Found NT-Password");<br> nt_password->length = 16;<br><br></div>while v3 has:<br><br> nt_password = pairfind(request->config_items, PW_NT_PASSWORD, 0, TAG_ANY);<br> if (nt_password) {<br>
if (nt_password->length == 16) {<br> RDEBUG2("Found NT-Password");<br> } else {<br> RWDEBUG("NT-Password has not been normalized by the 'pap' module. Authentication will fail");<br>
nt_password = NULL;<br> }<br><br></div>I use samba's mkntpwd to generate NT hashes, and it generates 32-character-long hashes... so how could I have those hashes "normalized by pap" in my configuration? Am I missing some key difference between the 2 versions?<br>
<br></div>Thanks<br></div>Futhwo<br></div>
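As an added illustration (not part of the mail above and not FreeRADIUS source code), this stand-alone C sketch shows the normalization step that the quoted v3 check expects to have already happened before rlm_mschap runs: a 32-character hex NT hash of the kind mkntpwd writes into LDAP is decoded into the 16 raw octets that the v3 `length == 16` test requires, while a value that already is 16 octets passes through unchanged. The function names and the sample hash value are my own assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define NT_HASH_LEN 16

/* Decode one hex digit; returns -1 when the character is not hex. */
static int hex_val(unsigned char c)
{
	if (c >= '0' && c <= '9') return c - '0';
	c = (unsigned char) tolower(c);
	if (c >= 'a' && c <= 'f') return 10 + (c - 'a');
	return -1;
}

/*
 * Normalize an NT-Password value to 16 binary octets: accept either the raw
 * 16 octets or the 32-character hex form stored in LDAP by mkntpwd.
 * Returns NT_HASH_LEN on success, -1 when the value is neither form.
 */
int normalize_nt_password(const uint8_t *value, size_t len, uint8_t out[NT_HASH_LEN])
{
	if (len == NT_HASH_LEN) {		/* already binary, nothing to do */
		memcpy(out, value, NT_HASH_LEN);
		return NT_HASH_LEN;
	}
	if (len != 2 * NT_HASH_LEN) return -1;	/* wrong length for a hex hash */
	for (size_t i = 0; i < NT_HASH_LEN; i++) {
		int hi = hex_val(value[2 * i]), lo = hex_val(value[2 * i + 1]);
		if (hi < 0 || lo < 0) return -1;	/* not hex text: reject */
		out[i] = (uint8_t) ((hi << 4) | lo);
	}
	return NT_HASH_LEN;
}

/* The v3 rlm_mschap rule quoted in the mail: only a 16-octet value is usable. */
int mschap_v3_accepts(size_t len)
{
	return len == NT_HASH_LEN;
}

/* Normalize a C string and return octet `index` of the result, or -1 on failure. */
int nt_password_byte(const char *value, size_t index)
{
	uint8_t hash[NT_HASH_LEN];	/* constructed sample values are passed in by the caller */
	if (index >= NT_HASH_LEN) return -1;
	if (normalize_nt_password((const uint8_t *) value, strlen(value), hash) < 0) return -1;
	return hash[index];
}
```

Run against a 32-character value straight from LDAP, `mschap_v3_accepts` says no; after `normalize_nt_password` the same hash is 16 octets and passes the v3 check.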