Hi I’m still trying to get this working. I’m using an XP machine plugged into an edge switch acting as a NAS. I’m using the PEAP/MSCHAP in XP to authenticate against an LDAP directory. In that directory, we have created an attribute called ntPasssword which I have populated with the word ‘password’ (create, I know!). Below is what I get when I run in debug mode. In ldap.attrmap I have the line: checkItem NT-Password ntPassword in radiusd.conf in my ldap declaration, I have: password_attribute = ntPassword I can’t quite figure out what’s going on below. Looks to me like the passwords are not matching. Any advice is appreciated. Thanks rad_recv: Access-Request packet from host 11.2.19.3 port 2048, id=3, length=102 NAS-IP-Address = 11.2.19.3 NAS-Port-Type = Ethernet Service-Type = Framed-User Message-Authenticator = 0xfbe3f8eb4dd656189f641a6aef2a8e59 NAS-Port = 2 Framed-MTU = 1490 User-Name = "mda" Calling-Station-Id = "00-11-25-81-1D-DA" EAP-Message = 0x02030008016d6461 Wed Jun 11 09:42:02 2008 : Debug: +- entering group authorize Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1 Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1 Wed Jun 11 09:42:02 2008 : Debug: ++[preprocess] returns ok Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 1 Wed Jun 11 09:42:02 2008 : Debug: rlm_realm: No '@' in User-Name = "mda", looking up realm NULL Wed Jun 11 09:42:02 2008 : Debug: rlm_realm: No such realm "NULL" Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 1 Wed Jun 11 09:42:02 2008 : Debug: ++[suffix] returns noop Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling unbldap (rlm_ldap) for request 1 Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: - authorize Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: performing user authorization for mda Wed Jun 11 09:42:02 2008 : Debug: WARNING: Deprecated conditional expansion ":-". See "man unlang" for details Wed Jun 11 09:42:02 2008 : Debug: expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=mda) Wed Jun 11 09:42:02 2008 : Debug: expand: ou=people,dc=unb,dc=ca -> ou=people,dc=unb,dc=ca Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: performing search in ou=people,dc=unb,dc=ca, with filter (uid=mda) Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: Added User-Password = å,¬gA??"J;???¦Ëm in check items Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: looking for check items in directory... Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0xe52cac67419a9a224a3b108f3fa6cb6d Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: looking for reply items in directory... Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: user mda authorized to use remote access Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from unbldap (rlm_ldap) for request 1 Wed Jun 11 09:42:02 2008 : Debug: ++[unbldap] returns ok Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1 Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1 Wed Jun 11 09:42:02 2008 : Debug: ++[mschap] returns noop Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1 Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1 Wed Jun 11 09:42:02 2008 : Debug: ++[mschap] returns noop Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 1 Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 1 Wed Jun 11 09:42:02 2008 : Debug: ++[files] returns noop Wed Jun 11 09:42:02 2008 : Debug: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Wed Jun 11 09:42:02 2008 : Debug: !!! Replacing User-Password in config items with Cleartext-Password. !!! Wed Jun 11 09:42:02 2008 : Debug: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Wed Jun 11 09:42:02 2008 : Debug: !!! Please update your configuration so that the "known good" !!! Wed Jun 11 09:42:02 2008 : Debug: !!! clear text password is in Cleartext-Password, and not in User-Password. !!! Wed Jun 11 09:42:02 2008 : Debug: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Wed Jun 11 09:42:02 2008 : Debug: auth: type Local Wed Jun 11 09:42:02 2008 : Debug: auth: No User-Password or CHAP-Password attribute in the request Wed Jun 11 09:42:02 2008 : Debug: auth: Failed to validate the user. Wed Jun 11 09:42:02 2008 : Auth: Login incorrect: [mda] (from client hh932 port 2 cli 00-11-25-81-1D-DA) Wed Jun 11 09:42:02 2008 : Debug: Delaying reject of request 1 for 1 seconds Wed Jun 11 09:42:02 2008 : Debug: Going to the next request Wed Jun 11 09:42:02 2008 : Debug: Waking up in 0.9 seconds. Wed Jun 11 09:42:03 2008 : Debug: Sending delayed reject for request 1 Sending Access-Reject of id 3 to 11.2.19.3 port 2048 Wed Jun 11 09:42:03 2008 : Debug: Waking up in 4.9 seconds. Wed Jun 11 09:42:08 2008 : Debug: Cleaning up request 1 ID 3 with timestamp +355 Wed Jun 11 09:42:08 2008 : Debug: Ready to process requests. Matt mda@unb.ca -----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Tuesday, June 10, 2008 11:21 AM To: freeradius-users@lists.freeradius.org Subject: RE: FR and PEAP question eapol_test from wpa_supplicant JRadius Simulator Ivan Kalik Kalik Informatika ISP Dana 10/6/2008, "Matt Ashfield" <mda@unb.ca> piše:
I'd like to test this with PEAP/MSCHAP requests if possible. Is there a howto? Clearly I'm down the wrong path here.
Matt mda@unb.ca
-----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Tuesday, June 10, 2008 11:02 AM To: freeradius-users@lists.freeradius.org Subject: RE: FR and PEAP question
FreeRADIUS-Proxied-To == 127.0.0.1 will match only for eap requests. You can't test for it with pap requests (radtest).
Ivan Kalik Kalik Informatika ISP
Dana 10/6/2008, "Matt Ashfield" <mda@unb.ca> piše:
I thought it would get referenced because in my users file I have:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group == staff, Autz-Type := Ldap1 User-Name=`%{User-Name}`, Tunnel-Private-Group-Id=staff, Tunnel-Type=VLAN, Fall-Through = no
And in huntgroups I have this. Although I am unsure if this is correct. UNBFWSS NAS-IP-Address == 127.0.0.1
Matt mda@unb.ca
-----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Tuesday, June 10, 2008 10:36 AM To: freeradius-users@lists.freeradius.org Subject: RE: FR and PEAP question
The password that is being supplied by radtest is in plain-text, should I be supplying it in ntPassword-encrypted format?
No.
It looks to me like I have something wrong with my authenticate section.
My authorize section looks like: authorize { preprocess chap mschap suffix eap Autz-Type Ldap1 { redundant-load-balance{ unbldap unbldap2 } mschap } }
Not really. You just haven't called that Autz-Type anywhere.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html