Hi Alan I understood the pointed out contents and deleted . I'm sorry for bothering you. When you run it again, you will be told that there is no NT / LM password. Where should I look next? --------- lm_ldap (ldap_regularusers): Reserved connection (0) (6) ldap_regularusers: EXPAND (&(!(employeeType=participant))(!(employeeType=trainee))(!(tutPersonAccountStatus=03))(!(tutPersonAccountStatus=04))(uid=%{%{Stripped-User-Name}:-%{User-Name}})) (6) ldap_regularusers: --> (&(!(employeeType=participant))(!(employeeType=trainee))(!(tutPersonAccountStatus=03))(!(tutPersonAccountStatus=04))(uid=yanagi)) (6) ldap_regularusers: Performing search in "ou=Users,dc=edu,dc=tut,dc=ac,dc=jp" with filter "(&(!(employeeType=participant))(!(employeeType=trainee))(!(tutPersonAccountStatus=03))(!(tutPersonAccountStatus=04))(uid=yanagi))", scope "sub" (6) ldap_regularusers: Waiting for search result... (6) ldap_regularusers: User object found at DN "uid=yanagi,ou=Users,dc=edu,dc=tut,dc=ac,dc=jp" (6) ldap_regularusers: Processing user attributes (6) ldap_regularusers: control:NT-Password := 0x4243353030433041363439353842434531393638383936303344464645343530 (6) ldap_regularusers: control:User-Password := 'BC500C0A64958BCE196889603DFFE450' (6) ldap_regularusers: control:Password-With-Header := '{SSHA256}Q1iLz8Pc/mkXU/hniRsu3/rpWKOVdjAU/4t2iLynZqdIPFIYPW0elA==' rlm_ldap (ldap_regularusers): Released connection (0) (6) [ldap_regularusers] = updated (6) } # if (&outer.request:Called-Station-SSID == 'BLUE') = updated (6) } # if (&outer.request:NAS-IP-Address =~ /^192\.168\.10\.1[2]{1}$/ || &outer.request:NAS-IP-Address == "192.168.200.240" || &outer.request:NAS-IP-Address == "localhost") = updated (6) [expiration] = noop (6) [logintime] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Expiring EAP session with state 0x826df85d8265e230 (6) eap: Finished EAP session with state 0x826df85d8265e230 (6) eap: Previous EAP request found for state 0x826df85d8265e230, released from the list (6) eap: Peer sent packet with method EAP MSCHAPv2 (26) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) eap_mschapv2: authenticate { (6) mschap: WARNING: NT-Password has not been normalized by the 'pap' module (likely still in hex format). Authentication may fail (6) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (6) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (6) mschap: Creating challenge hash with username: yanagi (6) mschap: Client is using MS-CHAPv2 (6) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (6) mschap: ERROR: MS-CHAP2-Response is incorrect (6) [mschap] = reject (6) } # authenticate = reject (6) eap: Sending EAP Failure (code 4) ID 8 length 4 (6) eap: Freeing handler (6) [eap] = reject (6) } # authenticate = reject (6) Failed to authenticate the user (6) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [yanagi/<via Auth-Type = eap>] (from client n-test port 0 via TLS tunnel) (6) Using Post-Auth-Type Reject (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) Post-Auth-Type REJECT { (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> yanagi (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) update outer.session-state { (6) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication' (6) } # update outer.session-state = noop (6) } # Post-Auth-Type REJECT = updated (6) } # server inner-tunnel (6) Virtual server sending reply (6) MS-CHAP-Error = "\010E=691 R=1 C=0d87b3e853acf17d17b03a4b37641556 V=3 M=Authentication failed" (6) EAP-Message = 0x04080004 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_ttls: Got tunneled Access-Reject (6) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (6) eap: Sending EAP Failure (code 4) ID 8 length 4 2019年8月13日(火) 11:31 Alan DeKok <aland@deployingradius.com>:
On Aug 12, 2019, at 10:25 PM, Yuya Yanagi <peacefull64@gmail.com> wrote:
That seems pretty clear. Don't set "Auth-Type := LDAP". It's not needed.
Does that mean commenting out the Auth-Type LDAP part of the authentication section?
No.
Read my message. I said to DELETE the section that did:
update control { Auth-Type := LDAP }
Read this:
(6) update control { (6) &Auth-Type := LDAP (6) } # update control = noop
Don't do that. It's breaking the server.
Delete those lines from your configuration. The user should then be able to authenticate.
DELETE that section. Don't delete ANOTHER section.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html