Hello, has anyone sucessfully istalled FR 3.0 with authentication against eDirectory and ldap? I get the following error: "WARNING: ldap : Failed to retrieve eDirectory password" The following options are set in the ldap modul: edir = yes edir_autz = yes With FR 2.x everything works fine. Best regards, Hubert
On 5 Dec 2013, at 09:01, Hubert Kupper <kupper@uni-landau.de> wrote:
Hello,
has anyone sucessfully istalled FR 3.0 with authentication against eDirectory and ldap?
I get the following error: "WARNING: ldap : Failed to retrieve eDirectory password"
The following options are set in the ldap modul: edir = yes edir_autz = yes
With FR 2.x everything works fine.
Yes, one of our testers reported the current code works fine against eDirectory. I'll fix up the debug output so you get a more verbose error message at least. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Am 05.12.2013 10:50, schrieb Arran Cudbard-Bell:
On 5 Dec 2013, at 09:01, Hubert Kupper <kupper@uni-landau.de> wrote:
Hello,
has anyone sucessfully istalled FR 3.0 with authentication against eDirectory and ldap?
I get the following error: "WARNING: ldap : Failed to retrieve eDirectory password"
The following options are set in the ldap modul: edir = yes edir_autz = yes
With FR 2.x everything works fine. Yes, one of our testers reported the current code works fine against eDirectory.
I'll fix up the debug output so you get a more verbose error message at least.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Thanks Arran. I'm looking forward to the fix.
Hubert -- _____________________________________________ Hubert Kupper Universitaetsrechenzentrum in Landau Fortstrasse 7, D-76829 Landau Tel: +49 6341/28031173 Fax: +49 6341/28031267
Yes, one of our testers reported the current code works fine against eDirectory.
I'll fix up the debug output so you get a more verbose error message at least.
Done. Let me know what error you get. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Am 05.12.2013 12:46, schrieb Arran Cudbard-Bell:
Yes, one of our testers reported the current code works fine against eDirectory.
I'll fix up the debug output so you get a more verbose error message at least. Done. Let me know what error you get.
-Arran Hi Arran,
thanks for the fix. Now I get the following error: -------- (3) [preprocess] = ok (3) [mschap] = noop (3) suffix : No '@' in User-Name = "foo", looking up realm NULL (3) suffix : Found realm "NULL" (3) suffix : Adding Stripped-User-Name = "foo" (3) suffix : Adding Realm = "NULL" (3) suffix : Authentication realm is LOCAL. (3) [suffix] = ok (3) eap : EAP packet type response id 3 length 6 (3) eap : No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop rlm_ldap (ldap): Reserved connection (4) (3) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=foo)' (3) ldap : expand: "o=testo" -> 'o=testo' (3) ldap : Performing search in 'o=testo' with filter '(cn=foo)' (3) ldap : Waiting for search result... (3) ldap : User object found at DN "cn=foo,ou=testou,o=testo" (3) ERROR: ldap : Failed to retrieve eDirectory password: Other (e.g., implementation specific) error rlm_ldap (ldap): Released connection (4) ------- Hubert
On 6 Dec 2013, at 05:50, Hubert Kupper <kupper@uni-landau.de> wrote:
Am 05.12.2013 12:46, schrieb Arran Cudbard-Bell:
Yes, one of our testers reported the current code works fine against eDirectory.
I'll fix up the debug output so you get a more verbose error message at least. Done. Let me know what error you get.
-Arran Hi Arran,
thanks for the fix. Now I get the following error: -------- (3) [preprocess] = ok (3) [mschap] = noop (3) suffix : No '@' in User-Name = "foo", looking up realm NULL (3) suffix : Found realm "NULL" (3) suffix : Adding Stripped-User-Name = "foo" (3) suffix : Adding Realm = "NULL" (3) suffix : Authentication realm is LOCAL. (3) [suffix] = ok (3) eap : EAP packet type response id 3 length 6 (3) eap : No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop rlm_ldap (ldap): Reserved connection (4) (3) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=foo)' (3) ldap : expand: "o=testo" -> 'o=testo' (3) ldap : Performing search in 'o=testo' with filter '(cn=foo)' (3) ldap : Waiting for search result... (3) ldap : User object found at DN "cn=foo,ou=testou,o=testo" (3) ERROR: ldap : Failed to retrieve eDirectory password: Other (e.g., implementation specific) error rlm_ldap (ldap): Released connection (4)
I don't have access to an eDirectory implementation to debug. Could you provide packet traces (in the clear)? Set the connection pool to 1, and run a couple of requests few to ensure it doesn't bind, and expose your admin credentials. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Am 06.12.2013 15:29, schrieb Arran Cudbard-Bell:
On 6 Dec 2013, at 05:50, Hubert Kupper <kupper@uni-landau.de> wrote:
Am 05.12.2013 12:46, schrieb Arran Cudbard-Bell:
Yes, one of our testers reported the current code works fine against eDirectory.
I'll fix up the debug output so you get a more verbose error message at least. Done. Let me know what error you get.
-Arran Hi Arran,
thanks for the fix. Now I get the following error: -------- (3) [preprocess] = ok (3) [mschap] = noop (3) suffix : No '@' in User-Name = "foo", looking up realm NULL (3) suffix : Found realm "NULL" (3) suffix : Adding Stripped-User-Name = "foo" (3) suffix : Adding Realm = "NULL" (3) suffix : Authentication realm is LOCAL. (3) [suffix] = ok (3) eap : EAP packet type response id 3 length 6 (3) eap : No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop rlm_ldap (ldap): Reserved connection (4) (3) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=foo)' (3) ldap : expand: "o=testo" -> 'o=testo' (3) ldap : Performing search in 'o=testo' with filter '(cn=foo)' (3) ldap : Waiting for search result... (3) ldap : User object found at DN "cn=foo,ou=testou,o=testo" (3) ERROR: ldap : Failed to retrieve eDirectory password: Other (e.g., implementation specific) error rlm_ldap (ldap): Released connection (4) I don't have access to an eDirectory implementation to debug.
Could you provide packet traces (in the clear)? Set the connection pool to 1, and run a couple of requests few to ensure it doesn't bind, and expose your admin credentials.
-Arran
Ok, I'll be out of office next week. I do the packet traces when I'm back. Regards, Hubert
(3) ldap : User object found at DN "cn=foo,ou=testou,o=testo" (3) ERROR: ldap : Failed to retrieve eDirectory password: Other (e.g., implementation specific) error rlm_ldap (ldap): Released connection (4)
Ok, found a few more error codes in the eDir docs, and modified it to print out the actual error code number. Hopefully there'll be something more useful in the logs now. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hello, I'm the one who validated that the eDir code is working ;) Could you tell me which version of eDir you are running ? On my side with eDir 8.8 it works well. Olivier B. On 06.12.2013 06:50, Hubert Kupper wrote:
Am 05.12.2013 12:46, schrieb Arran Cudbard-Bell:
Yes, one of our testers reported the current code works fine against eDirectory.
I'll fix up the debug output so you get a more verbose error message at least. Done. Let me know what error you get.
-Arran Hi Arran,
thanks for the fix. Now I get the following error: -------- (3) [preprocess] = ok (3) [mschap] = noop (3) suffix : No '@' in User-Name = "foo", looking up realm NULL (3) suffix : Found realm "NULL" (3) suffix : Adding Stripped-User-Name = "foo" (3) suffix : Adding Realm = "NULL" (3) suffix : Authentication realm is LOCAL. (3) [suffix] = ok (3) eap : EAP packet type response id 3 length 6 (3) eap : No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop rlm_ldap (ldap): Reserved connection (4) (3) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=foo)' (3) ldap : expand: "o=testo" -> 'o=testo' (3) ldap : Performing search in 'o=testo' with filter '(cn=foo)' (3) ldap : Waiting for search result... (3) ldap : User object found at DN "cn=foo,ou=testou,o=testo" (3) ERROR: ldap : Failed to retrieve eDirectory password: Other (e.g., implementation specific) error rlm_ldap (ldap): Released connection (4) ------- Hubert
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
Hello, we have version 8.8 running too. How is your ldap config? Regards, Hubert Am 12.12.2013 07:09, schrieb Olivier Beytrison:
Hello,
I'm the one who validated that the eDir code is working ;)
Could you tell me which version of eDir you are running ?
On my side with eDir 8.8 it works well.
Olivier B.
On 06.12.2013 06:50, Hubert Kupper wrote:
Am 05.12.2013 12:46, schrieb Arran Cudbard-Bell:
Yes, one of our testers reported the current code works fine against eDirectory.
I'll fix up the debug output so you get a more verbose error message at least. Done. Let me know what error you get.
-Arran Hi Arran,
thanks for the fix. Now I get the following error: -------- (3) [preprocess] = ok (3) [mschap] = noop (3) suffix : No '@' in User-Name = "foo", looking up realm NULL (3) suffix : Found realm "NULL" (3) suffix : Adding Stripped-User-Name = "foo" (3) suffix : Adding Realm = "NULL" (3) suffix : Authentication realm is LOCAL. (3) [suffix] = ok (3) eap : EAP packet type response id 3 length 6 (3) eap : No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop rlm_ldap (ldap): Reserved connection (4) (3) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=foo)' (3) ldap : expand: "o=testo" -> 'o=testo' (3) ldap : Performing search in 'o=testo' with filter '(cn=foo)' (3) ldap : Waiting for search result... (3) ldap : User object found at DN "cn=foo,ou=testou,o=testo" (3) ERROR: ldap : Failed to retrieve eDirectory password: Other (e.g., implementation specific) error rlm_ldap (ldap): Released connection (4) ------- Hubert
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- _____________________________________________ Hubert Kupper Universitaetsrechenzentrum in Landau Fortstrasse 7, D-76829 Landau Tel: +49 6341/28031173 Fax: +49 6341/28031267
On 16.12.2013 07:53, Hubert Kupper wrote:
Hello,
we have version 8.8 running too. How is your ldap config?
Nothing really special in the config. Almost a vanilla one (except an update {} block that I have removed here) ldap { server = "my-ldap-server" port = 636 identity = "cn=admin" password = xxxxxxxxxx base_dn = "ou=people,o=org" edir = yes edir_autz = yes user { base_dn = "${..base_dn}" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" } group { base_dn = "${..base_dn}" filter = "(objectClass=posixGroup)" membership_attribute = "memberOf" } profile { } client { base_dn = "${..base_dn}" filter = '(objectClass=frClient)' attribute { identifier = 'frClientIdentifier' secret = 'frClientSecret' } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } options { chase_referrals = yes rebind = yes timeout = 10 timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { } pool { start = 5 min = 4 max = 10 spare = 3 uses = 0 lifetime = 0 idle_timeout = 60 } } -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
On 16 Dec 2013, at 07:23, Olivier Beytrison <olivier@heliosnet.org> wrote:
On 16.12.2013 07:53, Hubert Kupper wrote:
Hello,
we have version 8.8 running too. How is your ldap config?
Nothing really special in the config. Almost a vanilla one (except an update {} block that I have removed here)
Ok, that's interesting. So this may be a configuration issue LDAP side. Could you please git pull, and the build the latest 3.0.x. As I mentioned previously, I added some more error codes I found in the eDir docs, and added the integer error number to the debug output. Hopefully it will output something meaningful... It would be nice to know if any changes are required in the eDirectory configuration between 2.2.x and 3.0.x so we can document them. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi, I did a git pull but the build failed. ./configure shows following: checking for krb5-config... not-found checking krb5-config CFLAGS... checking krb5-config LDFLAGS... checking krb5-config reported version... (0) checking krb5-config reported vendor... checking canonical API type... HEIMDAL checking for krb5_is_thread_safe in -lkrb5... yes configure: creating ./config.status config.status: creating all.mk make quits with: <command-line>: In function 'rlm_krb5_error': <command-line>:83:6: warning: assignment discards 'const' qualifier from pointer target type [enabled by default] <command-line>: In function 'krb5_auth': <command-line>:366:2: error: unknown type name 'krb5_verify_opt' <command-line>:400:2: warning: implicit declaration of function 'krb5_verify_opt_init' [-Wimplicit-function-declaration] <command-line>:400:2: warning: nested extern declaration of 'krb5_verify_opt_init' [-Wnested-externs] <command-line>:401:2: warning: implicit declaration of function 'krb5_verify_opt_set_ccache' [-Wimplicit-function-declaration] <command-line>:401:2: warning: nested extern declaration of 'krb5_verify_opt_set_ccache' [-Wnested-externs] <command-line>:412:2: warning: implicit declaration of function 'krb5_verify_opt_set_keytab' [-Wimplicit-function-declaration] <command-line>:412:2: warning: nested extern declaration of 'krb5_verify_opt_set_keytab' [-Wnested-externs] <command-line>:413:2: warning: implicit declaration of function 'krb5_verify_opt_set_secure' [-Wimplicit-function-declaration] <command-line>:413:2: warning: nested extern declaration of 'krb5_verify_opt_set_secure' [-Wnested-externs] <command-line>:416:3: warning: implicit declaration of function 'krb5_verify_opt_set_service' [-Wimplicit-function-declaration] <command-line>:416:3: warning: nested extern declaration of 'krb5_verify_opt_set_service' [-Wnested-externs] <command-line>:425:2: warning: implicit declaration of function 'krb5_verify_user_opt' [-Wimplicit-function-declaration] <command-line>:425:2: warning: nested extern declaration of 'krb5_verify_user_opt' [-Wnested-externs] make: *** [build/objs/src/modules/rlm_krb5/rlm_krb5.lo] Fehler 1 Am 16.12.2013 15:46, schrieb Arran Cudbard-Bell:
On 16 Dec 2013, at 07:23, Olivier Beytrison <olivier@heliosnet.org> wrote:
On 16.12.2013 07:53, Hubert Kupper wrote:
Hello,
we have version 8.8 running too. How is your ldap config?
Nothing really special in the config. Almost a vanilla one (except an update {} block that I have removed here) Ok, that's interesting. So this may be a configuration issue LDAP side.
Could you please git pull, and the build the latest 3.0.x. As I mentioned previously, I added some more error codes I found in the eDir docs, and added the integer error number to the debug output.
Hopefully it will output something meaningful...
It would be nice to know if any changes are required in the eDirectory configuration between 2.2.x and 3.0.x so we can document them.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- _____________________________________________ Hubert Kupper Universitaetsrechenzentrum in Landau Fortstrasse 7, D-76829 Landau Tel: +49 6341/28031173 Fax: +49 6341/28031267
On 17 Dec 2013, at 09:14, Hubert Kupper <kupper@uni-landau.de> wrote:
Hi,
I did a git pull but the build failed. ./configure shows following:
checking for krb5-config... not-found checking krb5-config CFLAGS... checking krb5-config LDFLAGS... checking krb5-config reported version... (0) checking krb5-config reported vendor... checking canonical API type... HEIMDAL checking for krb5_is_thread_safe in -lkrb5... yes configure: creating ./config.status config.status: creating all.mk
ug, try now... Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi Olivier, which linux distribution have you running with FR 3? We have OpenSuse 13.1 64Bit. Regards, Hubert Am 16.12.2013 08:23, schrieb Olivier Beytrison:
On 16.12.2013 07:53, Hubert Kupper wrote:
Hello,
we have version 8.8 running too. How is your ldap config?
Nothing really special in the config. Almost a vanilla one (except an update {} block that I have removed here)
ldap { server = "my-ldap-server" port = 636 identity = "cn=admin" password = xxxxxxxxxx base_dn = "ou=people,o=org" edir = yes edir_autz = yes user { base_dn = "${..base_dn}" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" } group { base_dn = "${..base_dn}" filter = "(objectClass=posixGroup)" membership_attribute = "memberOf" } profile { } client { base_dn = "${..base_dn}" filter = '(objectClass=frClient)' attribute { identifier = 'frClientIdentifier' secret = 'frClientSecret' } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } options { chase_referrals = yes rebind = yes timeout = 10 timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { } pool { start = 5 min = 4 max = 10 spare = 3 uses = 0 lifetime = 0 idle_timeout = 60 } }
Hello, On 17.12.2013 08:24, Hubert Kupper wrote:
Hi Olivier,
which linux distribution have you running with FR 3? We have OpenSuse 13.1 64Bit. Our freeradius run on Ubuntu 12.04. I was thinking yesterday that it could have something to do with the openldap version maybe.
You said in your first mail that it 2.X was running fine with eDir. Was it also running on OpenSuse 13.1 ? Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
Am 17.12.2013 08:32, schrieb Olivier Beytrison:
Hello,
On 17.12.2013 08:24, Hubert Kupper wrote:
Hi Olivier,
which linux distribution have you running with FR 3? We have OpenSuse 13.1 64Bit. Our freeradius run on Ubuntu 12.04. I was thinking yesterday that it could have something to do with the openldap version maybe.
You said in your first mail that it 2.X was running fine with eDir. Was it also running on OpenSuse 13.1 ?
Olivier
Hello, I have installed the FR 2 rpm included in OpenSuse 13.1 but it did'nt works. The error is NDS error (-669). I had souch an issue years ago. The problem was the 64 bit version of Suse. Hubert
On 17/12/2013 10:25 PM, "Hubert Kupper" <kupper@uni-landau.de> wrote:
Am 17.12.2013 08:32, schrieb Olivier Beytrison:
Hello,
On 17.12.2013 08:24, Hubert Kupper wrote:
Hi Olivier,
which linux distribution have you running with FR 3? We have OpenSuse 13.1 64Bit.
Our freeradius run on Ubuntu 12.04. I was thinking yesterday that it could have something to do with the openldap version maybe.
You said in your first mail that it 2.X was running fine with eDir. Was it also running on OpenSuse 13.1 ?
Olivier
Hello,
I have installed the FR 2 rpm included in OpenSuse 13.1 but it did'nt
works. The error is NDS error (-669). I had souch an issue years ago. The problem was the 64 bit version of Suse. A -669 means you got the password or secret wrong. So that is a normal error response.
Hubert
- List info/subscribe/unsubscribe? See
Am 17.12.2013 10:29, schrieb Peter Lambrechtsen:
On 17/12/2013 10:25 PM, "Hubert Kupper" <kupper@uni-landau.de <mailto:kupper@uni-landau.de>> wrote:
Am 17.12.2013 08:32, schrieb Olivier Beytrison:
Hello,
On 17.12.2013 08:24, Hubert Kupper wrote:
Hi Olivier,
which linux distribution have you running with FR 3? We have OpenSuse 13.1 64Bit.
Our freeradius run on Ubuntu 12.04. I was thinking yesterday that it could have something to do with the openldap version maybe.
You said in your first mail that it 2.X was running fine with eDir. Was it also running on OpenSuse 13.1 ?
Olivier
Hello,
I have installed the FR 2 rpm included in OpenSuse 13.1 but it
did'nt works. The error is NDS error (-669). I had souch an issue years ago. The problem was the 64 bit version of Suse.
A -669 means you got the password or secret wrong. So that is a normal error response.
I know. But the password is ok and works with OpenSuse 12.3 and FR 2.x The response seems to be triggered by a mismatch of FR and OpenSuse 13.1 and eDir.
I know. But the password is ok and works with OpenSuse 12.3 and FR 2.x The response seems to be triggered by a mismatch of FR and OpenSuse 13.1 and eDir.
If you get packet captures of each then we can do a comparison and figure out what changes. -Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Am 17.12.2013 12:22, schrieb Arran Cudbard-Bell:
I know. But the password is ok and works with OpenSuse 12.3 and FR 2.x The response seems to be triggered by a mismatch of FR and OpenSuse 13.1 and eDir. If you get packet captures of each then we can do a comparison and figure out what changes.
-Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
Here is a part of the result from radiusd -X. Do you want a wireshark capture too? Listening on auth address * port 1812 as server default Listening on acct address * port 1813 as server default Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel Opening new proxy address * port 1814 Listening on proxy address * port 1814 Ready to process requests rad_recv: Access-Request packet from host 192.168.200.6 port 32770, id=87, length=215 User-Name = 'foo' Calling-Station-Id = '84-4b-f5-39-8a-f8' Called-Station-Id = 'd8-24-bd-2e-4c-c0:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec806000400e552b040e3' NAS-IP-Address = 192.168.200.6 NAS-Identifier = 'xxx' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '150' EAP-Message = 0x0202000a0170726f6265 Message-Authenticator = 0x918dcc4fcbdefa81607d26e56be961ad (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) ? if (!User-Name) (0) ? if (!User-Name) -> FALSE (0) ? if (User-Name != "%{tolower:%{User-Name}}") (0) expand: "%{tolower:%{User-Name}}" -> 'foo' (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) ? if (User-Name =~ / /) (0) ? if (User-Name =~ / /) -> FALSE (0) ? if (User-Name =~ /@.*@/ ) (0) ? if (User-Name =~ /@.*@/ ) -> FALSE (0) ? if (User-Name =~ /\\.\\./ ) (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) ? if (User-Name =~ /\\.$/) (0) ? if (User-Name =~ /\\.$/) -> FALSE (0) ? if (User-Name =~ /@\\./) (0) ? if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [mschap] = noop (0) suffix : No '@' in User-Name = "foo", looking up realm NULL (0) suffix : Found realm "NULL" (0) suffix : Adding Stripped-User-Name = "foo" (0) suffix : Adding Realm = "NULL" (0) suffix : Authentication realm is LOCAL (0) [suffix] = ok (0) eap : EAP packet type response id 2 length 10 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_md5 to process EAP data rlm_eap_md5: Issuing Challenge (0) eap : New EAP session, adding 'State' attribute to reply 0x2813582828105cdd (0) [eap] = handled (0) } # authenticate = handled Sending Access-Challenge of id 87 from 192.168.1.56 port 1812 to 192.168.200.6 port 32770 EAP-Message = 0x0103001604109fd6f971b8b39a9e70ac72f7924821d6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2813582828105cdd2c29910179c66dfc (0) Finished request 0. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host 192.168.200.6 port 32770, id=88, length=229 User-Name = 'foo' Calling-Station-Id = '84-4b-f5-39-8a-f8' Called-Station-Id = 'd8-24-bd-2e-4c-c0:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec806000400e552b040e3' NAS-IP-Address = 192.168.200.6 NAS-Identifier = 'xxx' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '150' EAP-Message = 0x020300060319 State = 0x2813582828105cdd2c29910179c66dfc Message-Authenticator = 0x3225e79c9679af40be71f2f6c951c86a (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) ? if (!User-Name) (1) ? if (!User-Name) -> FALSE (1) ? if (User-Name != "%{tolower:%{User-Name}}") (1) expand: "%{tolower:%{User-Name}}" -> 'foo' (1) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (1) ? if (User-Name =~ / /) (1) ? if (User-Name =~ / /) -> FALSE (1) ? if (User-Name =~ /@.*@/ ) (1) ? if (User-Name =~ /@.*@/ ) -> FALSE (1) ? if (User-Name =~ /\\.\\./ ) (1) ? if (User-Name =~ /\\.\\./ ) -> FALSE (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) ? if (User-Name =~ /\\.$/) (1) ? if (User-Name =~ /\\.$/) -> FALSE (1) ? if (User-Name =~ /@\\./) (1) ? if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [mschap] = noop (1) suffix : No '@' in User-Name = "foo", looking up realm NULL (1) suffix : Found realm "NULL" (1) suffix : Adding Stripped-User-Name = "foo" (1) suffix : Adding Realm = "NULL" (1) suffix : Authentication realm is LOCAL (1) [suffix] = ok (1) eap : EAP packet type response id 3 length 6 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop rlm_ldap (ldap): Reserved connection (0) (1) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=foo)' (1) ldap : expand: "o=org" -> 'o=org' (1) ldap : Performing search in 'o=org' with filter '(cn=foo)' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "cn=foo,ou=test,o=org" (1) ERROR: ldap : Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to 192.168.1.35:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (1) [ldap] = fail (1) } # authorize = fail (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject : expand: "%{User-Name}" -> 'foo' (1) attr_filter.access_reject : Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) ldap : expand: "." -> '.' (1) ldap : expand: "Authenticated at %S" -> 'Authenticated at 2013-12-17 13:22:30' rlm_ldap (ldap): Reserved connection (1) (1) ldap : Using user DN from request "cn=foo,ou=test,o=org" (1) ldap : Modifying object with DN "cn=foo,ou=test,o=org" (1) ldap : Waiting for modify result... rlm_ldap (ldap): Released connection (1) (1) [ldap] = reject (1) } # Post-Auth-Type REJECT = reject (1) Finished request 1. Waking up in 0.2 seconds. Waking up in 0.7 seconds. (1) Sending delayed reject Sending Access-Reject of id 88 from 192.168.1.56 port 1812 to 192.168.200.6 port 32770 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 87 with timestamp +28 Waking up in 1.0 seconds. (1) Cleaning up request packet ID 88 with timestamp +28 Ready to process requests
On 17.12.2013 13:38, Hubert Kupper wrote:
Am 17.12.2013 12:22, schrieb Arran Cudbard-Bell: rlm_ldap (ldap): Reserved connection (0) (1) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=foo)' (1) ldap : expand: "o=org" -> 'o=org' (1) ldap : Performing search in 'o=org' with filter '(cn=foo)' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "cn=foo,ou=test,o=org" (1) ERROR: ldap : Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to 192.168.1.35:389
389 ???? you're not using ldaps ? IIRC Novell doesn't allow the NMAS Password retrieval over a non secure channel Try using a ldaps connection ! At the same time those request are logged in eDirectory, you can check with NDSTrace what's going on ! Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
On 17 Dec 2013, at 14:38, Olivier Beytrison <olivier@heliosnet.org> wrote:
On 17.12.2013 13:38, Hubert Kupper wrote:
Am 17.12.2013 12:22, schrieb Arran Cudbard-Bell: rlm_ldap (ldap): Reserved connection (0) (1) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=foo)' (1) ldap : expand: "o=org" -> 'o=org' (1) ldap : Performing search in 'o=org' with filter '(cn=foo)' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "cn=foo,ou=test,o=org" (1) ERROR: ldap : Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to 192.168.1.35:389
389 ???? you're not using ldaps ? IIRC Novell doesn't allow the NMAS Password retrieval over a non secure channel
Try using a ldaps connection !
Or enable start TLS. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 17 Dec 2013, at 16:06, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 17 Dec 2013, at 14:38, Olivier Beytrison <olivier@heliosnet.org> wrote:
On 17.12.2013 13:38, Hubert Kupper wrote:
Am 17.12.2013 12:22, schrieb Arran Cudbard-Bell: rlm_ldap (ldap): Reserved connection (0) (1) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=foo)' (1) ldap : expand: "o=org" -> 'o=org' (1) ldap : Performing search in 'o=org' with filter '(cn=foo)' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "cn=foo,ou=test,o=org" (1) ERROR: ldap : Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to 192.168.1.35:389
389 ???? you're not using ldaps ? IIRC Novell doesn't allow the NMAS Password retrieval over a non secure channel
Try using a ldaps connection !
Or enable start TLS.
Which Novell docs indicate was added in 8.7. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Am 17.12.2013 17:06, schrieb Arran Cudbard-Bell:
On 17 Dec 2013, at 14:38, Olivier Beytrison <olivier@heliosnet.org> wrote:
On 17.12.2013 13:38, Hubert Kupper wrote:
Am 17.12.2013 12:22, schrieb Arran Cudbard-Bell: rlm_ldap (ldap): Reserved connection (0) (1) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=foo)' (1) ldap : expand: "o=org" -> 'o=org' (1) ldap : Performing search in 'o=org' with filter '(cn=foo)' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "cn=foo,ou=test,o=org" (1) ERROR: ldap : Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to 192.168.1.35:389 389 ???? you're not using ldaps ? IIRC Novell doesn't allow the NMAS Password retrieval over a non secure channel
Try using a ldaps connection ! Or enable start TLS.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team Bingo. You are right. When I use ldaps the ldap bind was successful now. With FR 2.x on OpenSuse 12.3 ldap and ldaps work both. By the way now I get the following error:
server inner-tunnel { (9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) [chap] = noop (9) [mschap] = noop (9) suffix : No '@' in User-Name = "dumm", looking up realm NULL (9) suffix : Found realm "NULL" (9) suffix : Adding Stripped-User-Name = "dumm" (9) suffix : Adding Realm = "NULL" (9) suffix : Authentication realm is LOCAL (9) [suffix] = ok (9) update control { (9) Proxy-To-Realm := 'LOCAL' (9) } # update control = noop (9) eap : EAP packet type response id 11 length 63 (9) eap : No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) [files] = noop rlm_ldap (ldap): Reserved connection (2) (9) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=dumm)' (9) ldap : expand: "o=org" -> 'o=org' (9) ldap : Performing search in 'o=org' with filter '(cn=dumm)' (9) ldap : Waiting for search result... (9) ldap : User object found at DN "cn=Dumm,ou=test1,ou=test,o=org" (9) ldap : Added eDirectory password in check items as Cleartext-Password = pwddummy (9) ldap : Binding as user for eDirectory authorization checks (9) ldap : Waiting for bind result... (9) ldap : Bind successful (9) ldap : Bind as user "cn=Dumm,ou=test1,ou=test,o=org" was successful rlm_ldap (ldap): Released connection (2) (9) [ldap] = ok (9) [expiration] = noop (9) [logintime] = noop (9) WARNING: pap : Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap : Expiring EAP session with state 0xa4e4c03ea4efda08 (9) eap : Finished EAP session with state 0xa4e4c03ea4efda08 (9) eap : Previous EAP request found for state 0xa4e4c03ea4efda08, released from the list (9) eap : Peer sent MSCHAPv2 (26) (9) eap : EAP MSCHAPv2 (26) (9) eap : Calling eap_mschapv2 to process EAP data (9) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) eap_mschapv2 : Auth-Type MS-CHAP { (9) mschap : Creating challenge hash with username: dumm (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password (9) mschap : FAILED: MS-CHAP2-Response is incorrect (9) [mschap] = reject (9) } # Auth-Type MS-CHAP = reject (9) eap : Freeing handler (9) [eap] = reject (9) } # authenticate = reject (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) Post-Auth-Type REJECT { (9) ldap : expand: "." -> '.' (9) ldap : expand: "Authenticated at %S" -> 'Authenticated at 2013-12-18 09:16:37' rlm_ldap (ldap): Reserved connection (2) (9) ldap : Using user DN from request "cn=Dumm,ou=test1,ou=test,o=org" (9) ldap : Waiting for bind result... (9) ldap : Bind successful (9) ldap : Modifying object with DN "cn=Dumm,ou=test1,ou=test,o=org" (9) ldap : Waiting for modify result... rlm_ldap (ldap): Released connection (2) (9) [ldap] = reject (9) } # Post-Auth-Type REJECT = reject } # server inner-tunnel (9) eap_peap : Got tunneled reply code 3 MS-CHAP-Error = '\013E=691 R=1' EAP-Message = 0x040b0004 Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap : Got tunneled reply RADIUS code 3 MS-CHAP-Error = '\013E=691 R=1' EAP-Message = 0x040b0004 Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap : Tunneled authentication was rejected (9) eap_peap : FAILURE (9) eap : New EAP session, adding 'State' attribute to reply 0x4c9dbfee4591a60a (9) [eap] = handled (9) } # authenticate = handled Sending Access-Challenge of id 121 from 139.14.1.56 port 1812 to 139.14.200.6 port 32770 EAP-Message = 0x010c002b1900170301002042ce42556a179e73d4a55cd52bbf954cb5b0bce96996e4442f472d1e5257185a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4c9dbfee4591a60a5d313de2c42289f5 (9) Finished request 9. (10) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed Hubert
Am Mittwoch, 18. Dezember 2013, 09:56:04 schrieb Hubert Kupper:
Am 17.12.2013 17:06, schrieb Arran Cudbard-Bell:
On 17 Dec 2013, at 14:38, Olivier Beytrison <olivier@heliosnet.org> wrote:
On 17.12.2013 13:38, Hubert Kupper wrote:
Am 17.12.2013 12:22, schrieb Arran Cudbard-Bell: rlm_ldap (ldap): Reserved connection (0) (1) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=foo)' (1) ldap : expand: "o=org" -> 'o=org' (1) ldap : Performing search in 'o=org' with filter '(cn=foo)' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "cn=foo,ou=test,o=org" (1) ERROR: ldap : Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to 192.168.1.35:389
389 ???? you're not using ldaps ? IIRC Novell doesn't allow the NMAS Password retrieval over a non secure channel
Try using a ldaps connection !
Or enable start TLS.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
Bingo. You are right. When I use ldaps the ldap bind was successful now. With FR 2.x on OpenSuse 12.3 ldap and ldaps work both. By the way now I get the following error:
server inner-tunnel { (9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) [chap] = noop (9) [mschap] = noop (9) suffix : No '@' in User-Name = "dumm", looking up realm NULL (9) suffix : Found realm "NULL" (9) suffix : Adding Stripped-User-Name = "dumm" (9) suffix : Adding Realm = "NULL" (9) suffix : Authentication realm is LOCAL (9) [suffix] = ok (9) update control { (9) Proxy-To-Realm := 'LOCAL' (9) } # update control = noop (9) eap : EAP packet type response id 11 length 63 (9) eap : No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) [files] = noop rlm_ldap (ldap): Reserved connection (2) (9) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=dumm)' (9) ldap : expand: "o=org" -> 'o=org' (9) ldap : Performing search in 'o=org' with filter '(cn=dumm)' (9) ldap : Waiting for search result... (9) ldap : User object found at DN "cn=Dumm,ou=test1,ou=test,o=org" (9) ldap : Added eDirectory password in check items as Cleartext-Password = pwddummy (9) ldap : Binding as user for eDirectory authorization checks (9) ldap : Waiting for bind result... (9) ldap : Bind successful (9) ldap : Bind as user "cn=Dumm,ou=test1,ou=test,o=org" was successful rlm_ldap (ldap): Released connection (2) (9) [ldap] = ok (9) [expiration] = noop (9) [logintime] = noop (9) WARNING: pap : Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap : Expiring EAP session with state 0xa4e4c03ea4efda08 (9) eap : Finished EAP session with state 0xa4e4c03ea4efda08 (9) eap : Previous EAP request found for state 0xa4e4c03ea4efda08, released from the list (9) eap : Peer sent MSCHAPv2 (26) (9) eap : EAP MSCHAPv2 (26) (9) eap : Calling eap_mschapv2 to process EAP data (9) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) eap_mschapv2 : Auth-Type MS-CHAP { (9) mschap : Creating challenge hash with username: dumm (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password (9) mschap : FAILED: MS-CHAP2-Response is incorrect (9) [mschap] = reject (9) } # Auth-Type MS-CHAP = reject (9) eap : Freeing handler (9) [eap] = reject (9) } # authenticate = reject (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) Post-Auth-Type REJECT { (9) ldap : expand: "." -> '.' (9) ldap : expand: "Authenticated at %S" -> 'Authenticated at 2013-12-18 09:16:37' rlm_ldap (ldap): Reserved connection (2) (9) ldap : Using user DN from request "cn=Dumm,ou=test1,ou=test,o=org" (9) ldap : Waiting for bind result... (9) ldap : Bind successful (9) ldap : Modifying object with DN "cn=Dumm,ou=test1,ou=test,o=org" (9) ldap : Waiting for modify result... rlm_ldap (ldap): Released connection (2) (9) [ldap] = reject (9) } # Post-Auth-Type REJECT = reject } # server inner-tunnel (9) eap_peap : Got tunneled reply code 3 MS-CHAP-Error = '\013E=691 R=1' EAP-Message = 0x040b0004 Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap : Got tunneled reply RADIUS code 3 MS-CHAP-Error = '\013E=691 R=1' EAP-Message = 0x040b0004 Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap : Tunneled authentication was rejected (9) eap_peap : FAILURE (9) eap : New EAP session, adding 'State' attribute to reply 0x4c9dbfee4591a60a (9) [eap] = handled (9) } # authenticate = handled Sending Access-Challenge of id 121 from 139.14.1.56 port 1812 to 139.14.200.6 port 32770 EAP-Message = 0x010c002b1900170301002042ce42556a179e73d4a55cd52bbf954cb5b0bce96996e4442f47 2d1e5257185a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4c9dbfee4591a60a5d313de2c42289f5 (9) Finished request 9.
(10) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed
Hubert
As far as I can see, you need the NT-Password for that user, if you use mschapv2:
(9) mschap : Creating challenge hash with username: dumm (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password (9) mschap : FAILED: MS-CHAP2-Response is incorrect
Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
On 18.12.2013 09:56, Hubert Kupper wrote:
Bingo. You are right. When I use ldaps the ldap bind was successful now. With FR 2.x on OpenSuse 12.3 ldap and ldaps work both.
Good news !
(9) ldap : Added eDirectory password in check items as Cleartext-Password = pwddummy
Is that the password you used to test the authentication ?
(9) mschap : Creating challenge hash with username: dumm (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password (9) mschap : FAILED: MS-CHAP2-Response is incorrect (9) [mschap] = reject
It looks like you provided the wrong password. Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
On 18 Dec 2013, at 09:16, Olivier Beytrison <olivier@heliosnet.org> wrote:
On 18.12.2013 09:56, Hubert Kupper wrote:
Bingo. You are right. When I use ldaps the ldap bind was successful now. With FR 2.x on OpenSuse 12.3 ldap and ldaps work both.
Good news !
(9) ldap : Added eDirectory password in check items as Cleartext-Password = pwddummy
Is that the password you used to test the authentication ?
(9) mschap : Creating challenge hash with username: dumm (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password
That's a bit misleading... I'll edit that message.
(9) mschap : FAILED: MS-CHAP2-Response is incorrect (9) [mschap] = reject
It looks like you provided the wrong password.
Agreed. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Am 18.12.2013 10:16, schrieb Olivier Beytrison:
On 18.12.2013 09:56, Hubert Kupper wrote:
Bingo. You are right. When I use ldaps the ldap bind was successful now. With FR 2.x on OpenSuse 12.3 ldap and ldaps work both. Good news !
(9) ldap : Added eDirectory password in check items as Cleartext-Password = pwddummy Is that the password you used to test the authentication ?
(9) mschap : Creating challenge hash with username: dumm (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password (9) mschap : FAILED: MS-CHAP2-Response is incorrect (9) [mschap] = reject It looks like you provided the wrong password.
Olivier no, I used "pwddummy" only in my posting. In my tests I used the right password for the testuser dumm. With our other FR servers, the testuser and password works fine!
Hubert
On 18 Dec 2013, at 09:54, Hubert Kupper <kupper@uni-landau.de> wrote:
Am 18.12.2013 10:16, schrieb Olivier Beytrison:
On 18.12.2013 09:56, Hubert Kupper wrote:
Bingo. You are right. When I use ldaps the ldap bind was successful now. With FR 2.x on OpenSuse 12.3 ldap and ldaps work both. Good news !
(9) ldap : Added eDirectory password in check items as Cleartext-Password = pwddummy Is that the password you used to test the authentication ?
(9) mschap : Creating challenge hash with username: dumm (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password (9) mschap : FAILED: MS-CHAP2-Response is incorrect (9) [mschap] = reject It looks like you provided the wrong password.
Olivier no, I used "pwddummy" only in my posting. In my tests I used the right password for the testuser dumm. With our other FR servers, the testuser and password works fine!
update request { Tmp-String-0 := "%{debug_attr:control:}" } Add that after the call to the mshcap module, it should show that the Cleartext-Password has been transformed into an NT-Password. NT-Passwords are unsalted, so compute the NT-Password hash of the password you're entering, verify it matches the hash. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (5)
-
Arran Cudbard-Bell -
Hubert Kupper -
Michael Schwartzkopff -
Olivier Beytrison -
Peter Lambrechtsen