OK great, now I understand the root cause... I have changed my passwords in the ldap (im using openLDAP with phpldapadmin) to be clear text but still getting radius rejected issue. The log says: Cleartext-Password is required for authentication but it should be?! rad_recv: Access-Request packet from host 10.x.x.100 port 55524, id=14, length=50 User-Name = "adamjseed" CHAP-Password = 0xf9f798ccef8ac701b1f545d0dda826172a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "adamjseed", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] performing user authorization for adamjseed [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> adamjseed [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=adamjseed) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (uid=adamjseed) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "Password01" [ldap] looking for reply items in directory... [ldap] user adamjseed authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Failed to decode Password-With-Header = "Password01" [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "adamjseed" with CHAP password *[chap] Cleartext-Password is required for authentication* ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> adamjseed attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated On Mon, Mar 3, 2014 at 1:36 PM, Alan DeKok <aland@deployingradius.com>wrote:
Adam Seed wrote:
Hi Alan,
That same wiki says 'The ldap module can only work with PAP passwords since it needs to send the clear text user password to the LDAP server to authenticate the user.'
Where?
I might be mis-understanding as im new to Radius, but that doesnt sound to positive. Anyway... I'm hoping to find a workaround
That text (whatever it is) means that you can only do "bind as user" when the Access-Request contains User-Password (i.e. PAP).
So I checked my sites-enabled/default and it does have the LDAP module listed:
OK...
(I striped out the comments and highlighted the bits I changed)
Please don't post it here. It doesn't help.
In addition here is the output of my debug:
That's what we need.
[ldap] userPassword -> Password-With-Header == "{MD5}1hkMdaNUxxbUu/hufTrjtQ=="
You're storing passwords in MD5 hashed format. This is incompatible with CHAP.
http://deployingradius.com/documents/protocols/compatibility.html
[chap] Cleartext-Password is required for authentication
See? I suggest believing that message. It'd true.
Any assistant is greatly welcomed.
(a) store clear-text passwords in LDAP
(b) don't use CHAP.
Pick one.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html