On Tue, Dec 30, 2014 at 5:00 PM, Alan DeKok <aland@deployingradius.com> wrote:
Full output of freeradius -X after command
[local] performing search in dc=ourcorp,dc=net, with filter (uid=abx) [local] checking if remote access for abx is allowed by dialupAccess [local] Added User-Password = 1D*************************************9B in check items
And… that’s the issue. You’ve configured it to get the User-Password from LDAP.
Yes, but how to prevent it? I have nothing about User-Password in freeradius configs: ================================================================= /etc/freeradius# grep -R User-Password * attrs.pre-proxy:# User-Password =* ANY, attrs.pre-proxy: #User-Password =* ANY, eap.conf: # User-Password, or the NT-Password attributes. eap.conf: # the User-Password. eap.conf: # is put into a User-Password attribute, eap.conf: # the module will look for a User-Password experimental.conf: # packets containing a User-Password attribute. modules/ntlm_auth: program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" modules/smsotp:# The module does not check the User-Password, this should be done with modules/detail: # Certain attributes such as User-Password may be modules/detail: # User-Password modules/sql_log: ('%{User-Name}', '%{User-Password:-Chap-Password}', \ modules/detail.log: User-Password modules/detail.log: # User-Password modules/pap:# In this case, the module will look inside of the User-Password modules/ldap:# Access-Request packet contains a clear-text User-Password modules/ldap: # By default, if the packet contains a User-Password, root@ukv69:/etc/freeradius# =================================================================== Everything is commented, exclude ntlm_auth and detail.log, I believe both are not what I have to change. ldap.attrmap: =================================================================== checkItem $GENERIC$ radiusCheckItem replyItem $GENERIC$ radiusReplyItem checkItem Auth-Type radiusAuthType checkItem Simultaneous-Use radiusSimultaneousUse checkItem Called-Station-Id radiusCalledStationId checkItem Calling-Station-Id radiusCallingStationId checkItem LM-Password lmPassword checkItem NT-Password ntPassword checkItem LM-Password sambaLmPassword checkItem NT-Password sambaNtPassword checkItem LM-Password dBCSPwd checkitem Password-With-Header userPassword checkItem SMB-Account-CTRL-TEXT acctFlags checkItem Expiration radiusExpiration checkItem NAS-IP-Address radiusNASIpAddress ====================================================================
[local] No default NMAS login sequence [local] looking for check items in directory... [local] sambaNtPassword -> NT-Password == 0x31***********************************************************************42
That means it’s not using the NT-Password.
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
It helps to READ these messages and fix the problem. If you had done that, it would have worked.
I've tried, but there is nothing about User-Password in configs, so I can not replace it with Cleartext-Password.