<div dir="ltr"><div><br>freeradius: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 15:16:50<br><br></div>Rather old one, but it is not a new system, I just have to add this feature. It the upgrade is needed, it's ok, but it will take some time to stop the production.<br><div><br></div><div>Full output of freeradius -X after command<br><br>radtest -t pap abx n*************W localhost 0 secret<br><br>=======================================================================<br><br>Ready to process requests.<br>rad_recv: Access-Request packet from host 127.0.0.1 port 51020, id=47, length=55<br> User-Name = "abx"<br> User-Password = "n*************W"<br> NAS-IP-Address = 192.168.3.5<br> NAS-Port = 0<br># Executing section authorize from file /etc/freeradius/sites-enabled/default<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/<a href="http://127.0.0.1/auth-detail-20141230">127.0.0.1/auth-detail-20141230</a><br>[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/<a href="http://127.0.0.1/auth-detail-20141230">127.0.0.1/auth-detail-20141230</a><br>[auth_log] expand: %t -> Tue Dec 30 16:30:56 2014<br>++[auth_log] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "abx", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] No EAP-Message, not doing EAP<br>++[eap] returns noop<br>++[files] returns noop<br>++- entering policy redundant {...}<br>[local] performing user authorization for abx<br>[local] expand: %{Stripped-User-Name} -> <br>[local] ... expanding second conditional<br>[local] expand: %{User-Name} -> abx<br>[local] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=abx)<br>[local] expand: dc=ourcorp,dc=net -> dc=ourcorp,dc=net<br> [local] ldap_get_conn: Checking Id: 0<br> [local] ldap_get_conn: Got Id: 0<br> [local] performing search in dc=ourcorp,dc=net, with filter (uid=abx)<br>[local] checking if remote access for abx is allowed by dialupAccess<br>[local] Added User-Password = 1D*************************************9B in check items<br>[local] No default NMAS login sequence<br>[local] looking for check items in directory...<br> [local] sambaNtPassword -> NT-Password == 0x31***********************************************************************42<br> [local] sambaLmPassword -> LM-Password == 0x42***********************************************************************36<br>[local] looking for reply items in directory...<br> [local] radiusFramedIPAddress -> Framed-IP-Address = 10.0.0.198<br>[local] user abx authorized to use remote access<br> [local] ldap_release_conn: Release Id: 0<br>+++[local] returns ok<br>++- policy redundant returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] Normalizing NT-Password from hex encoding<br>[pap] Normalizing LM-Password from hex encoding<br>++[pap] returns updated<br>Found Auth-Type = PAP<br>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br>!!! Replacing User-Password in config items with Cleartext-Password. !!!<br>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br>!!! Please update your configuration so that the "known good" !!!<br>!!! clear text password is in Cleartext-Password, and not in User-Password. !!!<br>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br># Executing group from file /etc/freeradius/sites-enabled/default<br>+- entering group PAP {...}<br>[pap] login attempt with password "n****************W"<br>[pap] Using clear text password "1D********************************9B"<br>[pap] Passwords don't match<br>++[pap] returns reject<br>Failed to authenticate the user.<br>Login incorrect (rlm_pap: CLEAR TEXT password check failed): [abx/n***********************W] (from client localhost port 0)<br>Using Post-Auth-Type Reject<br># Executing group from file /etc/freeradius/sites-enabled/default<br>+- entering group REJECT {...}<br>[attr_filter.access_reject] expand: %{User-Name} -> abx<br> attr_filter: Matched entry DEFAULT at line 11<br>++[attr_filter.access_reject] returns updated<br>Delaying reject of request 2 for 1 seconds<br>Going to the next request<br>Waking up in 0.9 seconds.<br>Sending delayed reject for request 2<br>Sending Access-Reject of id 47 to 127.0.0.1 port 51020<br>Waking up in 4.9 seconds.<br>Cleaning up request 2 ID 47 with timestamp +66<br>Ready to process requests.<br>============================================================================<br><br><br></div><div>I can guess the problem is here<br>[local] Added User-Password = 1D*************************************9B in check items<br><br></div><div>It should be NT-Password, not User-Password, right?<br></div><div>But how to fix it...<br></div><div><br><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 30, 2014 at 3:13 PM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">On Dec 30, 2014, at 4:46 AM, sb <<a href="mailto:superabx@gmail.com">superabx@gmail.com</a>> wrote:<br>
> I'm trying to authenticate users from LDAP with FreeRadius by PAP protocol. Passwords are stored in LDAP in NT-hash. It's not my idea, I just have to do it.<br>
<br>
</span> It works.<br>
<span class=""><br>
> When I do<br>
><br>
> radtest -t pap ....<br>
><br>
> I see from freeradius -X:<br>
><br>
> [pap] login attempt with password "n*******W"<br>
</span>> [pap] Using clear text password "1D******************************9B”<br>
<br>
No, that is not ALL of what you see. It’s an edited portion.<br>
<br>
When we say we need the debug output, we don’t mean we want random lines from part of the debug output. We want ALL of the debug output. There may be something important in the REST of the debug output. We may need that piece to solve the problem.<br>
<br>
By editing the debug output, you’ve made it difficult for us to help you.<br>
<br>
And which version are you running? That may help, too.<br>
<span class=""><font color="#888888"><br>
Alan DeKok.<br>
</font></span><div class=""><div class="h5"><br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br></div></div></div>