Re: Failing to authenticate using FreeRadius(in OpenBSD) + XP as a client +Linksys AP (WRT54v2.2) using peap
Hi, We are authenticating the clients via 'users' file. We are sending the required file "inner-tunnel", which we found in two locations 1. /usr/local/etc/raddb/sites-enabled 2. /usr/local/etc/raddb/sites-available we are sending the both the files, with SA as suffix for the file at location /usr/local/etc/raddb/sites-available. And also sending the 'users' file. regards, Venkat ----- Original Message ----- From: Maurizio Cimaschi <mauri@unixrulez.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Failing to authenticate using FreeRadius(in OpenBSD) + XP as a client +Linksys AP (WRT54v2.2) using peap Date: Fri, 15 Aug 2008 09:41:03 +0200
Venkata LK Mula wrote:
modsingle[authenticate]: calling mschap (rlm_mschap) for request 6 rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for test100 with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modsingle[authenticate]: returned from mschap (rlm_mschap) for request 6 ++[mschap] returns reject modsingle[authenticate]: returned from eap (rlm_eap) for request 6 ++[eap] returns reject auth: Failed to validate the user.
It seems that all is working OK, except that you had not defining any valid source for the user password.
How are you planning to authenticate users ? (file ? pam ? ldap ? samba ? other ?)
Could you post your "inner-tunnel" configuration file ?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Venkata LK Mula wrote:
We are authenticating the clients via 'users' file.
In your "users" configuration file user "test100" (the one that log files are referring to) is "test100" Auth-Type := EAP Cleartext-Password == "venkat", Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 100, Reply-Message = "Hello 100, %u", Fall-Through = No I would modify it in this way test100 User-Password == "venkat", Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = 100, Reply-Message = "Hello 100, %u", Fall-Through = No Bye.
1. /usr/local/etc/raddb/sites-enabled 2. /usr/local/etc/raddb/sites-available
Usually, in sites-enabled there shoiuld be link to sites-available.
Maurizio Cimaschi wrote:
I would modify it in this way
test100 User-Password == "venkat",
No. Use Cleartext-Password := ... This is given in the example in the FAQ. Alan DeKok.
Alan DeKok wrote:
test100 User-Password == "venkat", No. Use Cleartext-Password := ... This is given in the example in the FAQ.
I checked the example, but it's not clear to me why it is so. In my envirnoment I authenticate against an LDAP server, so according to the ldap.attrmap file the LDAP attribute "userPassword" (which contain the password in clear text form) is copied to the check-item "User-Password". While no attribute seems copied as check-item "Cleartext-Password". Still the mschap module is able to authenticate the users. Is it done "behind the curtain" by the ldap module ? In may environment da LDAP server also is used by samba; so there're also LM/NT password available (in fact, some users are not also samba users but are authenticed via radius); but while googling about using freeradius with LDAP that possibility wasn't mentioned, while I found an howto that said to add to ldap.attrmap the line: checkItem User-Password userPassword
Maurizio Cimaschi wrote:
I checked the example, but it's not clear to me why it is so.
Because User-Password is the password as entered by the user. Cleartext-Password is the "known good" password on the server. They are *not* the same. When you do EAP, there is *no* User-Password attribute in the packets. So doing "User-Password == ..." is *wrong*. There's no User-Password, so there's nothing to compare to.
In my envirnoment I authenticate against an LDAP server, so according to the ldap.attrmap file the LDAP attribute "userPassword" (which contain the password in clear text form) is copied to the check-item "User-Password". While no attribute seems copied as check-item "Cleartext-Password". Still the mschap module is able to authenticate the users.
That is a historical artifact of the server. See the big warnings in debugging mode in 2.0.x.
Is it done "behind the curtain" by the ldap module ?
No.
In may environment da LDAP server also is used by samba; so there're also LM/NT password available (in fact, some users are not also samba users but are authenticed via radius); but while googling about using freeradius with LDAP that possibility wasn't mentioned, while I found an howto that said to add to ldap.attrmap the line:
checkItem User-Password userPassword
Which is wrong. It should map to Cleartext-Password. Alan DeKok.
Alan DeKok wrote:
Because User-Password is the password as entered by the user. Cleartext-Password is the "known good" password on the server. They are *not* the same.
When you do EAP, there is *no* User-Password attribute in the packets. So doing "User-Password == ..." is *wrong*. There's no User-Password, so there's nothing to compare to.
OK. So the rlm_mschap will look for the internal check-Item "Cleartext-Password" and it will use that value for authentication. From share/freeradius/dictionary.freeradius.internal ATTRIBUTE Cleartext-Password 1100 string This item should be set by some module (rlm_file, rlm_ldap, possibly others) during the "authorize" state. Beside, rlm_mschap has no idea on where the passwords (in any form) are stored. Correct ?
In my envirnoment I authenticate against an LDAP server, so according to the ldap.attrmap file the LDAP attribute "userPassword" (which contain the password in clear text form) is copied to the check-item "User-Password". While no attribute seems copied as check-item "Cleartext-Password". Still the mschap module is able to authenticate the users. That is a historical artifact of the server. See the big warnings in debugging mode in 2.0.x.
In rlm_ldap I found this warning (I found just one): if (!pairfind(request->config_items, PW_CLEARTEXT_PASSWORD) && !pairfind(request->config_items, PW_USER_PASSWORD)) { DEBUG("WARNING: No \"known good\" password was found in LDAP. Are you sure that the user is configured correctly?"); } This fragment is from the "ldap_authorize" section PW_CLEARTEXT_PASSWORD is defined as value 1100 elsewhere in the source, I think in accordance with the internal dictionary file. Few lines before, it seems that it tries to copy all the attributes that smell like a password in the request; this warning is raised if there's no user pwd (from the supplicant) and/or no clear text pwd in the DB.
In may environment da LDAP server also is used by samba; so there're also LM/NT password available (in fact, some users are not also samba users but are authenticed via radius); but while googling about using freeradius with LDAP that possibility wasn't mentioned, while I found an howto that said to add to ldap.attrmap the line:
checkItem User-Password userPassword
Which is wrong. It should map to Cleartext-Password.
I understand that, but how could be possible that my users who are not samba users are able lo connect to the AP ? There's no LM/NT pwd for them, and there's also no "Cleartext-Password" because the mapping is wrong (but I've changed now). So how does rlm_mschap find the password ? I've looked the mschap_authenticate and it seems to look for LM pwd and NT pwd in the request, and to build one or both of them from the cleartext password if they're missing.
Maurizio Cimaschi wrote:
OK. So the rlm_mschap will look for the internal check-Item "Cleartext-Password" and it will use that value for authentication.
From share/freeradius/dictionary.freeradius.internal
Can I ask you to stop quoting the documentation and configuration to me? I wrote much of it. I'm familiar with it. Quoting it back at me means you're assuming I'm an idiot, and that I don't remember any of it.
This item should be set by some module (rlm_file, rlm_ldap, possibly others) during the "authorize" state. Beside, rlm_mschap has no idea on where the passwords (in any form) are stored.
Correct ?
Yes.
That is a historical artifact of the server. See the big warnings in debugging mode in 2.0.x.
In rlm_ldap I found this warning (I found just one):
Which means you didn't see the warnings when you ran it in debugging mode, if you even bothered to do that.
Few lines before, it seems that it tries to copy all the attributes that smell like a password in the request; this warning is raised if there's no user pwd (from the supplicant) and/or no clear text pwd in the DB.
Since you haven't followed instructions, you're looking at the wrong section of the code, and are wasting your time... and mine.
checkItem User-Password userPassword
Which is wrong. It should map to Cleartext-Password.
I understand that, but how could be possible that my users who are not samba users are able lo connect to the AP ?
Maybe it's magic.
There's no LM/NT pwd for them, and there's also no "Cleartext-Password" because the mapping is wrong (but I've changed now). So how does rlm_mschap find the password ?
Magic?
I've looked the mschap_authenticate and it seems to look for LM pwd and NT pwd in the request, and to build one or both of them from the cleartext password if they're missing.
Really? I didn't know that. Oh wait... I did. I have no idea why you think it's necessary to explain the code to me. Maybe you're just "thinking out loud"... but this list isn't the place to do that. Alan DeKok.
participants (3)
-
Alan DeKok -
Maurizio Cimaschi -
Venkata LK Mula