Freeradius open-ldap Auth
Hello Folks, Am trying to set up authentication using open ldap and freeradius. When I run a radtest for one of my users in ldap, i receive access-accept msg But when I try authenticating from a windows or Mac Os user I don't succeed. Below is my debug out-put when i try to authenticate from a windows machine Waking up in 3.3 seconds. (7) Received Access-Request Id 107 from 10.106.1.205:51262 to 196.43.180.27:1812 length 346 (7) User-Name = "dmusoke@umu.ac.ug" (7) NAS-IP-Address = 10.106.1.205 (7) NAS-Identifier = "8a8a2055b8c8" (7) Called-Station-Id = "8A-8A-20-55-B8-C8:ICT-TEST" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Calling-Station-Id = "34-CF-F6-DA-C0-FA" (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) Acct-Session-Id = "D4000DCC2E7E294C" (7) Acct-Multi-Session-Id = "404A761D1E6EC7B3" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027076 (7) WLAN-AKM-Suite = 1027073 (7) Framed-MTU = 1400 (7) EAP-Message = 0x02da006b1900170303006000000000000000024e01010a4300b62285fefdeb4077f49488e885300adb0b4889fbb5c10f8704a78bff8c25c35d5ac6ec6251511bba311e6773d4e2bf82cc2f75c1b1d0f95ad4125f45d763928b6a9cc31fa0d84abd06f4fcb67d6fe801ff99 (7) State = 0xa8ec0dfaae3614327b0f2a0ced9765ca (7) Message-Authenticator = 0xc878a00d7e991c569dbc46e760bd29c8 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "umu.ac.ug" for User-Name = "dmusoke@umu.ac.ug" (7) suffix: Found realm "umu.ac.ug" (7) suffix: Adding Realm = "umu.ac.ug" (7) suffix: Authentication realm is LOCAL (7) [suffix] = ok (7) eap: Peer sent EAP Response (code 2) ID 218 length 107 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xb2a21f7db2780593 (7) eap: Finished EAP session with state 0xa8ec0dfaae361432 (7) eap: Previous EAP request found for state 0xa8ec0dfaae361432, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x02da004c1a02da004731a9a56b3b7817dd1e49fa6e1f5ea8c240000000000000000093c169d66ec81330d82a821926ad3be2a76365126cb4ccaf00646d75736f6b6540756d752e61632e7567 (7) eap_peap: Setting User-Name to dmusoke@umu.ac.ug (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x02da004c1a02da004731a9a56b3b7817dd1e49fa6e1f5ea8c240000000000000000093c169d66ec81330d82a821926ad3be2a76365126cb4ccaf00646d75736f6b6540756d752e61632e7567 (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "dmusoke@umu.ac.ug" (7) eap_peap: State = 0xb2a21f7db27805937dbad257c82d792b (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x02da004c1a02da004731a9a56b3b7817dd1e49fa6e1f5ea8c240000000000000000093c169d66ec81330d82a821926ad3be2a76365126cb4ccaf00646d75736f6b6540756d752e61632e7567 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "dmusoke@umu.ac.ug" (7) State = 0xb2a21f7db27805937dbad257c82d792b (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "umu.ac.ug" for User-Name = "dmusoke@umu.ac.ug" (7) suffix: Found realm "umu.ac.ug" (7) suffix: Adding Realm = "umu.ac.ug" (7) suffix: Authentication realm is LOCAL (7) [suffix] = ok (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 218 length 76 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop rlm_ldap (ldap): Reserved connection (1) (7) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (uid=dmusoke@umu.ac.ug) (7) ldap: Performing search in "dc=umu,dc=ac,dc=ug" with filter "(uid= dmusoke@umu.ac.ug)", scope "sub" (7) ldap: Waiting for search result... (7) ldap: User object found at DN "cn=dmusoke@umu.ac.ug ,ou=staff,dc=umu,dc=ac,dc=ug" (7) ldap: Processing user attributes (7) ldap: control:Password-With-Header += '{SSHA}wkHhU0bWVfwT6X5lZVtI4+lD8Bd3ZmYv' rlm_ldap (ldap): Released connection (1) Need 4 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used rlm_ldap (ldap): Connecting to ldap://196.43.180.28:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (7) [ldap] = updated (7) [expiration] = noop (7) [logintime] = noop (7) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password (7) pap: Removing &control:Password-With-Header (7) pap: Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24 bytes (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0xb2a21f7db2780593 (7) eap: Finished EAP session with state 0xb2a21f7db2780593 (7) eap: Previous EAP request found for state 0xb2a21f7db2780593, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) eap_mschapv2: authenticate { (7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (7) mschap: Creating challenge hash with username: dmusoke@umu.ac.ug (7) mschap: Client is using MS-CHAPv2 (7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (7) mschap: ERROR: MS-CHAP2-Response is incorrect (7) [mschap] = reject (7) } # authenticate = reject (7) eap: Sending EAP Failure (code 4) ID 218 length 4 (7) eap: Freeing handler (7) [eap] = reject (7) } # authenticate = reject (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> dmusoke@umu.ac.ug (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) update outer.session-state { (7) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication' (7) } # update outer.session-state = noop (7) } # Post-Auth-Type REJECT = updated (7) } # server inner-tunnel (7) Virtual server sending reply (7) MS-CHAP-Error = "\332E=691 R=1 C=a647d2920e720b1be308ea4a20115ec7 V=3 M=Authentication rejected" (7) EAP-Message = 0x04da0004 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Got tunneled reply code 3 (7) eap_peap: MS-CHAP-Error = "\332E=691 R=1 C=a647d2920e720b1be308ea4a20115ec7 V=3 M=Authentication rejected" (7) eap_peap: EAP-Message = 0x04da0004 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Got tunneled reply RADIUS code 3 (7) eap_peap: MS-CHAP-Error = "\332E=691 R=1 C=a647d2920e720b1be308ea4a20115ec7 V=3 M=Authentication rejected" (7) eap_peap: EAP-Message = 0x04da0004 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: Tunneled authentication was rejected (7) eap_peap: FAILURE (7) eap: Sending EAP Request (code 1) ID 219 length 46 (7) eap: EAP session adding &reply:State = 0xa8ec0dfaaf371432 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication" (7) Sent Access-Challenge Id 107 from 196.43.180.27:1812 to 10.106.1.205:51262 length 0 (7) EAP-Message = 0x01db002e19001703030023d9a6aef0855958dee03f672cdd1211150670d06a1d3bfee502e4cc34ef1b2e235a66d0 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xa8ec0dfaaf3714327b0f2a0ced9765ca (7) Finished request *RegardsDavid Musoke* *ICT Department* *Mob: +256773731776* * +256757414650* --
On Dec 1, 2020, at 10:02 AM, David Musoke <dmusoke@umu.ac.ug> wrote:
Hello Folks, Am trying to set up authentication using open ldap and freeradius. When I run a radtest for one of my users in ldap, i receive access-accept msg But when I try authenticating from a windows or Mac Os user I don't succeed.
Yes.
Below is my debug out-put when i try to authenticate from a windows machine
Reading it helps.
... rlm_ldap (ldap): Connecting to ldap://196.43.180.28:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (7) [ldap] = updated (7) [expiration] = noop (7) [logintime] = noop (7) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password (7) pap: Removing &control:Password-With-Header (7) pap: Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24 bytes
That's a nice password format.
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (7) mschap: Creating challenge hash with username: dmusoke@umu.ac.ug (7) mschap: Client is using MS-CHAPv2 (7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
The MS-CHAP module is telling you what it needs. Hint: it's not SSHA1-Password. http://deployingradius.com/documents/protocols/compatibility.html Alan DeKok.
participants (2)
-
Alan DeKok -
David Musoke