Hello, Alan! Thank you very much for your explanation. I fixed one of my problems. But there is one more, unfortunately. Could you please tell me why some clients still can't log in: (100) User-Name = "userlogin" (100) NAS-Port = 158 (100) State = 0xdfe5d421d9edcd166308d87da9087b41 (100) EAP-Message = 0x020800351900170303002abc4c2d588a812994d7637b8cf7c8e557548e904bb34346565f494f3aaa80e6d18234158a7c557d7aa815 (100) Message-Authenticator = 0x2234a8c507c202ab49305ca9dfd9cd31 (100) Acct-Session-Id = "8O2.1x811d6dbc00069635" (100) NAS-Port-Id = "ge-6/0/25.0" (100) Calling-Station-Id = "68-05-ca-1c-a5-b0" (100) Called-Station-Id = "88-e0-f3-b0-d6-00" (100) NAS-IP-Address = 192.168.7.2 (100) NAS-Identifier = "sw-ex6210" (100) NAS-Port-Type = Ethernet (100) session-state: No cached attributes (100) # Executing section authorize from file /etc/raddb/sites-enabled/default (100) authorize { (100) if (!control:Cleartext-Password && &User-Password) { (100) if (!control:Cleartext-Password && &User-Password) -> FALSE (100) if (config:User-Password && config:Cleartext-Password) { (100) if (config:User-Password && config:Cleartext-Password) -> FALSE (100) [preprocess] = ok (100) [chap] = noop (100) [mschap] = noop (100) suffix: Checking for suffix after "@" (100) suffix: No '@' in User-Name = "userlogin", looking up realm NULL (100) suffix: No such realm "NULL" (100) [suffix] = noop (100) eap: Peer sent EAP Response (code 2) ID 8 length 53 (100) eap: Continuing tunnel setup (100) [eap] = ok (100) } # authorize = ok (100) Found Auth-Type = eap (100) # Executing group from file /etc/raddb/sites-enabled/default (100) authenticate { (100) eap: Expiring EAP session with state 0xf92482fcf82c861b (100) eap: Finished EAP session with state 0xdfe5d421d9edcd16 (100) eap: Previous EAP request found for state 0xdfe5d421d9edcd16, released from the list (100) eap: Peer sent packet with method EAP PEAP (25) (100) eap: Calling submodule eap_peap to process data (100) eap_peap: Continuing EAP-TLS (100) eap_peap: [eaptls verify] = ok (100) eap_peap: Done initial handshake (100) eap_peap: [eaptls process] = ok (100) eap_peap: Session established. Decoding tunneled attributes (100) eap_peap: PEAP state phase2 (100) eap_peap: EAP method MD5 (4) (100) eap_peap: Got tunneled request (100) eap_peap: EAP-Message = 0x0208001604103e503e5f6c109089add772abaf6ec360 (100) eap_peap: Setting User-Name to userlogin (100) eap_peap: Sending tunneled request to default (100) eap_peap: EAP-Message = 0x0208001604103e503e5f6c109089add772abaf6ec360 (100) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (100) eap_peap: User-Name = "userlogin" (100) eap_peap: State = 0xf92482fcf82c861be33a289febd6a3c6 (100) Virtual server default received request (100) EAP-Message = 0x0208001604103e503e5f6c109089add772abaf6ec360 (100) FreeRADIUS-Proxied-To = 127.0.0.1 (100) User-Name = "userlogin" (100) State = 0xf92482fcf82c861be33a289febd6a3c6 (100) WARNING: Outer and inner identities are the same. User privacy is compromised. (100) server default { (100) session-state: No cached attributes (100) # Executing section authorize from file /etc/raddb/sites-enabled/default (100) authorize { (100) if (!control:Cleartext-Password && &User-Password) { (100) if (!control:Cleartext-Password && &User-Password) -> FALSE (100) if (config:User-Password && config:Cleartext-Password) { (100) if (config:User-Password && config:Cleartext-Password) -> FALSE (100) [preprocess] = ok (100) [chap] = noop (100) [mschap] = noop (100) suffix: Checking for suffix after "@" (100) suffix: No '@' in User-Name = "userlogin", looking up realm NULL (100) suffix: No such realm "NULL" (100) [suffix] = noop (100) eap: Peer sent EAP Response (code 2) ID 8 length 22 (100) eap: No EAP Start, assuming it's an on-going EAP conversation (100) [eap] = updated (100) sql-wifi: EXPAND %{User-Name} (100) sql-wifi: --> userlogin (100) sql-wifi: SQL-User-Name set to 'userlogin' rlm_sql (sql-wifi): Reserved connection (0) (100) sql-wifi: EXPAND SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE username = '%{SQL-User-Name}' ORDER BY id (100) sql-wifi: --> SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE username = 'userlogin' ORDER BY id (100) sql-wifi: Executing select query: SELECT wifi_id as id, username, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE username = 'userlogin' ORDER BY id (100) sql-wifi: User found in radcheck table (100) sql-wifi: Conditional check items matched, merging assignment check items (100) sql-wifi: NT-Password := 0xc6fd69aa559296b7835e39ef243c7304 (100) sql-wifi: EXPAND SELECT id, UserName, Attribute, Value, op FROM msk_wifi_attrs WHERE username = '%{SQL-User-Name}' ORDER BY id (100) sql-wifi: --> SELECT id, UserName, Attribute, Value, op FROM msk_wifi_attrs WHERE username = 'userlogin' ORDER BY id (100) sql-wifi: Executing select query: SELECT id, UserName, Attribute, Value, op FROM msk_wifi_attrs WHERE username = 'userlogin' ORDER BY id (100) sql-wifi: EXPAND SELECT 'Officewifi' as GroupName FROM wifiusers WHERE UserName='%{SQL-User-Name}' (100) sql-wifi: --> SELECT 'Officewifi' as GroupName FROM wifiusers WHERE UserName='userlogin' (100) sql-wifi: Executing select query: SELECT 'Officewifi' as GroupName FROM wifiusers WHERE UserName='userlogin' (100) sql-wifi: User found in the group table (100) sql-wifi: EXPAND SELECT wifi_id as id, 'Officewifi' as GroupName, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE Username = '%{SQL-User-Name}' ORDER BY id (100) sql-wifi: --> SELECT wifi_id as id, 'Officewifi' as GroupName, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE Username = 'userlogin' ORDER BY id (100) sql-wifi: Executing select query: SELECT wifi_id as id, 'Officewifi' as GroupName, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE Username = 'userlogin' ORDER BY id (100) sql-wifi: Group "Officewifi": Conditional check items matched (100) sql-wifi: Group "Officewifi": Merging assignment check items (100) sql-wifi: NT-Password := 0xc6fd69aa559296b7835e39ef243c7304 (100) sql-wifi: EXPAND SELECT wifi_id as id, 'Officewifi' as GroupName, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE Username = '%{SQL-User-Name}' ORDER BY id (100) sql-wifi: --> SELECT wifi_id as id, 'Officewifi' as GroupName, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE Username = 'userlogin' ORDER BY id (100) sql-wifi: Executing select query: SELECT wifi_id as id, 'Officewifi' as GroupName, 'NT-Password' as attribute, pass_hash, ':=' as op FROM wifiusers WHERE Username = 'userlogin' ORDER BY id (100) sql-wifi: Group "Officewifi": Merging reply items (100) sql-wifi: NT-Password := 0xc6fd69aa559296b7835e39ef243c7304 rlm_sql (sql-wifi): Released connection (0) (100) [sql-wifi] = ok (100) pap: WARNING: Auth-Type already set. Not setting to PAP (100) [pap] = noop (100) } # authorize = updated (100) Found Auth-Type = eap (100) # Executing group from file /etc/raddb/sites-enabled/default (100) authenticate { (100) eap: Expiring EAP session with state 0xf92482fcf82c861b (100) eap: Finished EAP session with state 0xf92482fcf82c861b (100) eap: Previous EAP request found for state 0xf92482fcf82c861b, released from the list (100) eap: Peer sent packet with method EAP MD5 (4) (100) eap: Calling submodule eap_md5 to process data (100) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication (100) eap: ERROR: Failed continuing EAP MD5 (4) session. EAP sub-module failed (100) eap: Sending EAP Failure (code 4) ID 8 length 4 (100) eap: Failed in EAP select (100) [eap] = invalid (100) } # authenticate = invalid (100) Failed to authenticate the user I suppose, the main problem from this string: (100) eap_peap: EAP method MD5 (4) But, I haven't enabled this type of authorization: eap { default_eap_type = peap Neither in ttls-section as well: ttls { tls = tls-common default_eap_type = peap copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" } Probably I should have two versions of hashes for wifi and ethernet authorization? пт, 21 дек. 2018 г. в 00:13, Alan DeKok <aland@deployingradius.com>:
On Dec 20, 2018, at 6:18 PM, Anton Kiryushkin <swood@fotofor.biz> wrote:
You're right. My fault. Please see log below:
Thanks.
... (9) sql-wifi: Conditional check items matched, merging assignment check items (9) sql-wifi: NT-Password := 0x6336623331333036323736373866653636626166393538616561356566363138
Again... that's all ASCII data. You've taken the hex form of the string:
c6b3130627678fe66baf958aea5ef618
And instead of just putting this into SQL:
NT-Password := 0xc6b3130627678fe66baf958aea5ef618
You've converted the ASCII representation to hex again... and then set that as the NT password.
Don't do that.
... (9) eap_mschapv2: Auth-Type MS-CHAP { (9) mschap: WARNING: NT-Password found but incorrect length, expected 16 bytes got 12 bytes. Authentication may fail
And the NT password is mangled, as noted above.
Why are you converting the hex string to ASCII *twice*? Just take the output of smbencrypt, put a "0x" in front of it, and set it as NT-Password in the database:
Again:
$ smbencrypt hello LM Hash NT Hash -------------------------------- -------------------------------- FDA95FBECA288D44AAD3B435B51404EE 066DDFD4EF0E9CD7C256FE77191EF43C
And then:
NT-Password := 0x066DDFD4EF0E9CD7C256FE77191EF43C
You *don't* have to hex-encode the hex output of smbencrypt.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best regards, Anton Kiryushkin