Hi All, I got a problem with my freeradius server 2-2.1.7-7 PAP knew we're using NT-Password, but it still using CRYPT encryption Can anyone give me some help? Really appreciate for the coming help rad_recv: Access-Request packet from host 192.168.8.190 port 10598, id=184, length=92 User-Name = "liuyang" User-Password = "398765" NAS-IP-Address = 127.0.0.1 NAS-Identifier = "sshd" NAS-Port = 9573 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "192.168.8.118" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "liuyang", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated rlm_ldap: Entering ldap_groupcmp() [files] expand: dc=smsgrp,dc=com -> dc=smsgrp,dc=com [files] expand: %{Stripped-User-Name} -> [files] expand: %{User-Name} -> liuyang [files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=liuyang) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=smsgrp,dc=com, with filter (uid=liuyang) rlm_ldap: ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass =GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dliu yang\2cou\3dUsers\2cou\3dAccounts\2cdc\3dsmsgrp\2cdc\3dcom))(&(objectClass=G roupOfUniqueNames)(uniquemember=cn\3dliu yang\2cou\3dUsers\2cou\3dAccounts\2cdc\3dsmsgrp\2cdc\3dcom))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=smsgrp,dc=com, with filter (&(cn=domain_users)(|(&(objectClass=GroupOfNames)(member=cn\3dliu yang\2cou\3dUsers\2cou\3dAccounts\2cdc\3dsmsgrp\2cdc\3dcom))(&(objectClass=G roupOfUniqueNames)(uniquemember=cn\3dliu yang\2cou\3dUsers\2cou\3dAccounts\2cdc\3dsmsgrp\2cdc\3dcom)))) rlm_ldap::ldap_groupcmp: User found in group domain_users rlm_ldap: ldap_release_conn: Release Id: 0 ++[files] returns noop [ldap] performing user authorization for liuyang [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> liuyang [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=liuyang) [ldap] expand: dc=smsgrp,dc=com -> dc=smsgrp,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=smsgrp,dc=com, with filter (uid=liuyang) [ldap] looking for check items in directory... rlm_ldap: pcnMicrosoftNTPassword -> NT-Password == 0x3941383936454439353845383741424246443546313634414231464145434543 [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user liuyang authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "398765" [pap] Using CRYPT encryption. [pap] Passwords don't match ++[pap] returns reject Best Regards, Liuyang
On Wed, Jun 22, 2011 at 5:41 PM, liuyang <liu-yang@sms-grp.com> wrote:
Hi All,
I got a problem with my freeradius server 2-2.1.7-7
PAP knew we’re using NT-Password, but it still using CRYPT encryption
Did you try upgrading? I'm using 2.1.10, and a simple test with users file and LM/NT-Password shows pap can do the right thing. On my system the debug log goes something like this rad_recv: Access-Request packet from host 127.0.0.1 port 40049, id=103, length=60 User-Name = "testuser" User-Password = "testpass" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 ... [files] users: Matched entry testuser at line 2 ++++[files] returns ok [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "testpass" [pap] Using NT encryption. [pap] expand: %{User-Password} -> testpass [pap] NT-Hash of testpass = 35ccba9168b1d5ca6093b4b7d56c619b [pap] expand: %{mschap:NT-Hash %{User-Password}} -> 35ccba9168b1d5ca6093b4b7d56c619b [pap] User authenticated successfully ++[pap] returns ok Login OK: [testuser] (from client localhost port 0) WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/default Sending Access-Accept of id 103 to 127.0.0.1 port 40049 -- Fajar
Hi Fajar, First of all thanks for your reply but I won't upgrade it unless I can confirm this is a bug of my version because I am not familiar with the upgrade. I'd like to know is there any misconfiguration can cause this problem? Hoping someone knows this Regards, LiuYang -----Original Message----- From: freeradius-users-bounces+liu-yang=sms-grp.com@lists.freeradius.org [mailto:freeradius-users-bounces+liu-yang=sms-grp.com@lists.freeradius.org] On Behalf Of Fajar A. Nugraha Sent: Wednesday, 22 June, 2011 7:00 PM To: FreeRadius users mailing list Subject: Re: pap authenticate issue On Wed, Jun 22, 2011 at 5:41 PM, liuyang <liu-yang@sms-grp.com> wrote:
Hi All,
I got a problem with my freeradius server 2-2.1.7-7
PAP knew we're using NT-Password, but it still using CRYPT encryption
Did you try upgrading? I'm using 2.1.10, and a simple test with users file and LM/NT-Password shows pap can do the right thing. On my system the debug log goes something like this rad_recv: Access-Request packet from host 127.0.0.1 port 40049, id=103, length=60 User-Name = "testuser" User-Password = "testpass" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 ... [files] users: Matched entry testuser at line 2 ++++[files] returns ok [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "testpass" [pap] Using NT encryption. [pap] expand: %{User-Password} -> testpass [pap] NT-Hash of testpass = 35ccba9168b1d5ca6093b4b7d56c619b [pap] expand: %{mschap:NT-Hash %{User-Password}} -> 35ccba9168b1d5ca6093b4b7d56c619b [pap] User authenticated successfully ++[pap] returns ok Login OK: [testuser] (from client localhost port 0) WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/default Sending Access-Accept of id 103 to 127.0.0.1 port 40049 -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Fajar A. Nugraha -
liuyang