On Wed, Dec 31, 2014 at 3:34 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 30, 2014, at 10:58 AM, sb <superabx@gmail.com> wrote:
Thank you, Alan! I will try to upgrade to 2.2.6.
That’s really the best solution.
Upgraded to 2.2.6, nothing changes. ======================================================================================================= # radiusd -v radiusd: FreeRADIUS Version 2.2.6, for host x86_64-unknown-linux-gnu, built on Jan 2 2015 at 13:43:16 rad_recv: Access-Request packet from host 127.0.0.1 port 32834, id=32, length=55 User-Name = "abx" User-Password = "n***********W" NAS-IP-Address = 192.168.203.235 NAS-Port = 0 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1 [auth_log] expand: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20150102 [auth_log] /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20150102 [auth_log] expand: %t -> Fri Jan 2 15:07:04 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "abx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop ++[files] = noop ++policy redundant { [local] performing user authorization for abx [local] expand: %{Stripped-User-Name} -> [local] ... expanding second conditional [local] expand: %{User-Name} -> abx [local] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=abx) [local] expand: dc=ourcorp,dc=net -> dc=ourcorp,dc=net [local] ldap_get_conn: Checking Id: 0 [local] ldap_get_conn: Got Id: 0 [local] attempting LDAP reconnection [local] (re)connect to localhost:389, authentication 0 [local] setting TLS CACert File to certs/ourcorp.net.ca.cer [local] setting TLS CACert Directory to /etc/ssl/certs [local] setting TLS Cert File to certs/wildcard.ourcorp.net.cer [local] setting TLS Key File to certs/wildcard.ourcorp.net.key [local] bind as cn=readuser,dc=ourcorp,dc=net/******* to localhost:389 [local] waiting for bind result ... [local] Bind was successful [local] performing search in dc=ourcorp,dc=net, with filter (uid=abx) [local] checking if remote access for abx is allowed by dialupAccess [local] Added User-Password = 1D*********************9B in check items [local] looking for check items in directory... [local] sambaNtPassword -> NT-Password == 0x31**********************************************************42 [local] sambaLmPassword -> LM-Password == 0x42**********************************************************36 [local] looking for reply items in directory... [local] radiusFramedIPAddress -> Framed-IP-Address = 10.0.0.198 [local] user abx authorized to use remote access [local] ldap_release_conn: Release Id: 0 +++[local] = ok ++} # policy redundant = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding ++[pap] = updated +} # group authorize = updated Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group PAP { [pap] login attempt with password "n**************W" [pap] Using clear text password "1D********************9B" [pap] Passwords don't match ++[pap] = reject +} # group PAP = reject Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> abx attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 32 to 127.0.0.1 port 32834 Waking up in 4.9 seconds. Cleaning up request 0 ID 32 with timestamp +4 Ready to process requests. ============================================================================ I can not understand why is this: [local] Added User-Password = 1D*********************9B in check items There is nothing of User-Password in ldap.attrmap, why the radius adds it from sambaLmPassword? I can not put cleartext passwords in LDAP, so I have to work with NT-hashed passwords only. So, how to tell the radius that User-Password and Cleartext-Password are empty and it has to operate with NT-Password? I believe it should be smth simple that I forgot to do...