Yet Another PEAP-MSCHAPV2 problem
I have searched through the mailing list and Google for the resolution to this, and I have found quite a bit of information, but I have not yet found the solution to my problem. I am trying to properly configure a FreeRADIUS version 3.0.9 server to authenticate wireless users using PEAP and MSCHAPv2 against a OpenLDAP version 2.4.39. I can authenticate both users that I will be discussing directly against the LDAP server correctly (using "ldapsearch"). However, only one of them work via the wireless connection. I have attached 2 files: - debi-debug.txt: the failing account full debug of radiusd -x - alex-debug.txt: the working account full debug of radiusd -x These dubugs were gathered by attempting to authenticate the same Windows 7 laptop to the 802.1x wireless network. Working laptop, working network, different outcomes with two accounts that both work when authenticated with ldapsearch. When I run the debi-debug.txt text through the web debugger, I get the following lines in red: mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication mschap: ERROR: MS-CHAP2-Response is incorrect [mschap] = reject } # Auth-Type MS-CHAP = reject MSCHAP-Error: ?E=691 R=1 Could not parse new challenge from MS-CHAP-Error: 2 ERROR: MSCHAP Failure This is what I have been searching for, but I can't find any real reason that it works for the alex account but not the debi account. I can provide whatever is needed to find the problem here, I just don't know what will be helpful. TIA! Alex
On Mon, Sep 21, 2015 at 02:57:07PM -0500, Alex Moen wrote:
(12) User-Name = "debio@ndtel.com" ... rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (7) (19) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (19) ldap: --> (uid=debio) (19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub" (19) ldap: Waiting for search result... (19) ldap: Search returned no results
^^^ this ^^^ Your LDAP search is failing for user debio... ...
(19) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (19) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (19) mschap: Creating challenge hash with username: debio@ndtel.com (19) mschap: Client is using MS-CHAPv2 (19) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(21) User-Name = "alexm@ndtel.com" ... rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (10) (28) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (28) ldap: --> (uid=alexm) (28) ldap: Performing search in "o=ndtc" with filter "(uid=alexm)", scope "sub" (28) ldap: Waiting for search result... (28) ldap: User object found at DN "uid=alexm,ou=ndtcadministration,o=ndtc" (28) ldap: Processing user attributes (28) ldap: control:Password-With-Header += 'ose55m1'
...but fine for alexm. ...
(28) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (28) pap: Removing &control:Password-With-Header ... (28) mschap: Found Cleartext-Password, hashing to create NT-Password (28) mschap: Found Cleartext-Password, hashing to create LM-Password (28) mschap: Creating challenge hash with username: alexm@ndtel.com (28) mschap: Client is using MS-CHAPv2 (28) mschap: Adding MS-CHAPv2 MPPE keys (28) [mschap] = ok
So FreeRADIUS can't get a password, hence mschap fails. When you bind as the same account FR binds as and do a search as below, does it find anything?
(19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub"
Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 09/21/2015 03:16 PM, Matthew Newton wrote:
On Mon, Sep 21, 2015 at 02:57:07PM -0500, Alex Moen wrote:
(12) User-Name = "debio@ndtel.com" ... rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (7) (19) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (19) ldap: --> (uid=debio) (19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub" (19) ldap: Waiting for search result... (19) ldap: Search returned no results
^^^ this ^^^
Your LDAP search is failing for user debio...
...
(19) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (19) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (19) mschap: Creating challenge hash with username: debio@ndtel.com (19) mschap: Client is using MS-CHAPv2 (19) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(21) User-Name = "alexm@ndtel.com" ... rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (10) (28) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (28) ldap: --> (uid=alexm) (28) ldap: Performing search in "o=ndtc" with filter "(uid=alexm)", scope "sub" (28) ldap: Waiting for search result... (28) ldap: User object found at DN "uid=alexm,ou=ndtcadministration,o=ndtc" (28) ldap: Processing user attributes (28) ldap: control:Password-With-Header += 'ose55m1'
...but fine for alexm.
...
(28) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (28) pap: Removing &control:Password-With-Header ... (28) mschap: Found Cleartext-Password, hashing to create NT-Password (28) mschap: Found Cleartext-Password, hashing to create LM-Password (28) mschap: Creating challenge hash with username: alexm@ndtel.com (28) mschap: Client is using MS-CHAPv2 (28) mschap: Adding MS-CHAPv2 MPPE keys (28) [mschap] = ok
So FreeRADIUS can't get a password, hence mschap fails.
When you bind as the same account FR binds as and do a search as below, does it find anything?
(19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub"
Matthew
In a word, yes. Here's a copy of the output from the server running FreeRADIUS: [root@ndtc-fs]# ldapsearch -x -H ldap://66.163.129.140 -D 'cn=admin,o=ndtc' -W -b 'uid=debio@ndtel.com,ou=ndtel,o=ndtc' -s sub Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=debio@ndtel.com,ou=ndtel,o=ndtc> with scope subtree # filter: (objectclass=*) # requesting: ALL # # debio@ndtel.com, ndtel, ndtc dn: uid=debio@ndtel.com,ou=ndtel,o=ndtc uid: debio@ndtel.com cn: Debi sn: O mail: debio@ndtel.com uidNumber: 640 homeDirectory: /cust/ndtel/users/debio gecos: Debi Ohma,, objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: sambaSamAccount objectClass: mailUser loginShell: /bin/bash sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaSID: S-1-5-21-3311107553-3899660464-2674327009-2280 sambaHomeDrive: F: sambaHomePath: \\ndtc-fs\cust\ndtel\users gidNumber: 500 sambaPrimaryGroupSID: S-1-5-21-3311107553-3899660464-2674327009-2001 shadowExpire: -1 sambaLMPassword: B15F999EA3OBFUSCATED!NOTHING2SEE sambaAcctFlags: [U] sambaNTPassword: 6F005855B7OBFUSCATED!NOTHING2SEE sambaPwdLastSet: 1390515443 sambaPwdMustChange: 1394403443 shadowLastChange: 16093 shadowMax: 99999 userPassword:: e1NTSEF9cEkwUUOBFUSCATED!NOTHING2SEERWJ5VFlLTVkyUzk= # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 -- Alex Moen NSTII North Dakota Telephone Company 701-662-6481
On Mon, Sep 21, 2015 at 03:34:19PM -0500, Alex Moen wrote:
When you bind as the same account FR binds as and do a search as below, does it find anything?
(19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub"
[root@ndtc-fs]# ldapsearch -x -H ldap://66.163.129.140 -D 'cn=admin,o=ndtc' -W -b 'uid=debio@ndtel.com,ou=ndtel,o=ndtc' -s sub
How about the same search base/filter that FreeRADIUS is doing? $ ldapsearch -x -H ldap://66.163.129.140 -D 'cn=admin,o=ndtc' -W -b 'o=ndtc' -s sub '(uid=debio)'
# extended LDIF ... # debio@ndtel.com, ndtel, ndtc dn: uid=debio@ndtel.com,ou=ndtel,o=ndtc uid: debio@ndtel.com
This isn't 'debio' - and I'm pretty sure that LDAP won't match just part of a field? AD here certainly doesn't seem to. What does the other record look like? Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Mon, Sep 21, 2015 at 11:34 PM, Alex Moen <alexm@ndtel.com> wrote:
On 09/21/2015 03:16 PM, Matthew Newton wrote:
On Mon, Sep 21, 2015 at 02:57:07PM -0500, Alex Moen wrote:
(12) User-Name = "debio@ndtel.com"
...
rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (7) (19) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (19) ldap: --> (uid=debio) (19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub" (19) ldap: Waiting for search result... (19) ldap: Search returned no results
^^^ this ^^^
Your LDAP search is failing for user debio...
...
(19) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (19) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (19) mschap: Creating challenge hash with username: debio@ndtel.com (19) mschap: Client is using MS-CHAPv2 (19) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(21) User-Name = "alexm@ndtel.com"
...
rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (10) (28) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (28) ldap: --> (uid=alexm) (28) ldap: Performing search in "o=ndtc" with filter "(uid=alexm)", scope "sub" (28) ldap: Waiting for search result... (28) ldap: User object found at DN "uid=alexm,ou=ndtcadministration,o=ndtc" (28) ldap: Processing user attributes (28) ldap: control:Password-With-Header += 'ose55m1'
...but fine for alexm.
...
(28) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (28) pap: Removing &control:Password-With-Header
...
(28) mschap: Found Cleartext-Password, hashing to create NT-Password (28) mschap: Found Cleartext-Password, hashing to create LM-Password (28) mschap: Creating challenge hash with username: alexm@ndtel.com (28) mschap: Client is using MS-CHAPv2 (28) mschap: Adding MS-CHAPv2 MPPE keys (28) [mschap] = ok
So FreeRADIUS can't get a password, hence mschap fails.
When you bind as the same account FR binds as and do a search as below, does it find anything?
(19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub"
Matthew
In a word, yes. Here's a copy of the output from the server running FreeRADIUS:
In two words - no. u != u@d
[root@ndtc-fs]# ldapsearch -x -H ldap://66.163.129.140 -D 'cn=admin,o=ndtc' -W -b 'uid=debio@ndtel.com,ou=ndtel,o=ndtc' -s sub Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=debio@ndtel.com,ou=ndtel,o=ndtc> with scope subtree # filter: (objectclass=*) # requesting: ALL #
# debio@ndtel.com, ndtel, ndtc dn: uid=debio@ndtel.com,ou=ndtel,o=ndtc uid: debio@ndtel.com cn: Debi sn: O mail: debio@ndtel.com uidNumber: 640 homeDirectory: /cust/ndtel/users/debio gecos: Debi Ohma,, objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: sambaSamAccount objectClass: mailUser loginShell: /bin/bash sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaSID: S-1-5-21-3311107553-3899660464-2674327009-2280 sambaHomeDrive: F: sambaHomePath: \\ndtc-fs\cust\ndtel\users gidNumber: 500 sambaPrimaryGroupSID: S-1-5-21-3311107553-3899660464-2674327009-2001 shadowExpire: -1 sambaLMPassword: B15F999EA3OBFUSCATED!NOTHING2SEE sambaAcctFlags: [U] sambaNTPassword: 6F005855B7OBFUSCATED!NOTHING2SEE sambaPwdLastSet: 1390515443 sambaPwdMustChange: 1394403443 shadowLastChange: 16093 shadowMax: 99999 userPassword:: e1NTSEF9cEkwUUOBFUSCATED!NOTHING2SEERWJ5VFlLTVkyUzk=
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
-- Alex Moen NSTII North Dakota Telephone Company 701-662-6481
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK, I figured out part of this... I have multiple directories on that server. My basedn was too broad, and I was getting an answer from a different directory tree than I thought. Once I figured that out, it made sense. However, now neither account will log in properly. But, I don't have a weird discrepancy staring at me in the face. Now I just have to figure out why I can't authenticate. I know one of the differences between the "branches" of the directory tree, is that the incorrect one is using Crypt passwords, and the correct one is using SSHA passwords. Seems that the SSHA passwords are not working while the Crypt passwords do. On 09/21/2015 03:34 PM, Alex Moen wrote:
On 09/21/2015 03:16 PM, Matthew Newton wrote:
On Mon, Sep 21, 2015 at 02:57:07PM -0500, Alex Moen wrote:
(12) User-Name = "debio@ndtel.com" ... rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (7) (19) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (19) ldap: --> (uid=debio) (19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub" (19) ldap: Waiting for search result... (19) ldap: Search returned no results
^^^ this ^^^
Your LDAP search is failing for user debio...
...
(19) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (19) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (19) mschap: Creating challenge hash with username: debio@ndtel.com (19) mschap: Client is using MS-CHAPv2 (19) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(21) User-Name = "alexm@ndtel.com" ... rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (10) (28) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (28) ldap: --> (uid=alexm) (28) ldap: Performing search in "o=ndtc" with filter "(uid=alexm)", scope "sub" (28) ldap: Waiting for search result... (28) ldap: User object found at DN "uid=alexm,ou=ndtcadministration,o=ndtc" (28) ldap: Processing user attributes (28) ldap: control:Password-With-Header += 'ose55m1'
...but fine for alexm.
...
(28) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (28) pap: Removing &control:Password-With-Header ... (28) mschap: Found Cleartext-Password, hashing to create NT-Password (28) mschap: Found Cleartext-Password, hashing to create LM-Password (28) mschap: Creating challenge hash with username: alexm@ndtel.com (28) mschap: Client is using MS-CHAPv2 (28) mschap: Adding MS-CHAPv2 MPPE keys (28) [mschap] = ok
So FreeRADIUS can't get a password, hence mschap fails.
When you bind as the same account FR binds as and do a search as below, does it find anything?
(19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub"
Matthew
In a word, yes. Here's a copy of the output from the server running FreeRADIUS:
[root@ndtc-fs]# ldapsearch -x -H ldap://66.163.129.140 -D 'cn=admin,o=ndtc' -W -b 'uid=debio@ndtel.com,ou=ndtel,o=ndtc' -s sub Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=debio@ndtel.com,ou=ndtel,o=ndtc> with scope subtree # filter: (objectclass=*) # requesting: ALL #
# debio@ndtel.com, ndtel, ndtc dn: uid=debio@ndtel.com,ou=ndtel,o=ndtc uid: debio@ndtel.com cn: Debi sn: O mail: debio@ndtel.com uidNumber: 640 homeDirectory: /cust/ndtel/users/debio gecos: Debi Ohma,, objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: sambaSamAccount objectClass: mailUser loginShell: /bin/bash sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaSID: S-1-5-21-3311107553-3899660464-2674327009-2280 sambaHomeDrive: F: sambaHomePath: \\ndtc-fs\cust\ndtel\users gidNumber: 500 sambaPrimaryGroupSID: S-1-5-21-3311107553-3899660464-2674327009-2001 shadowExpire: -1 sambaLMPassword: B15F999EA3OBFUSCATED!NOTHING2SEE sambaAcctFlags: [U] sambaNTPassword: 6F005855B7OBFUSCATED!NOTHING2SEE sambaPwdLastSet: 1390515443 sambaPwdMustChange: 1394403443 shadowLastChange: 16093 shadowMax: 99999 userPassword:: e1NTSEF9cEkwUUOBFUSCATED!NOTHING2SEERWJ5VFlLTVkyUzk=
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
-- Alex Moen NSTII North Dakota Telephone Company 701-662-6481
On Mon, Sep 21, 2015 at 04:18:32PM -0500, Alex Moen wrote:
I have multiple directories on that server. My basedn was too broad, and I was getting an answer from a different directory tree than I thought.
OK.
Now I just have to figure out why I can't authenticate. I know one of the differences between the "branches" of the directory tree, is that the incorrect one is using Crypt passwords, and the correct one is using SSHA passwords. Seems that the SSHA passwords are not working while the Crypt passwords do.
It's impossible to authenticate MSCHAP with Crypt or SSHA. Your first e-mail had this:
(29) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (29) ldap: --> (uid=alexm) (29) ldap: Performing search in "o=ndtc" with filter "(uid=alexm)", scope "sub" (29) ldap: Waiting for search result... (29) ldap: User object found at DN "uid=alexm,ou=ndtcadministration,o=ndtc" (29) ldap: Processing user attributes (29) ldap: control:Password-With-Header += 'ose55m1'
So it must have been getting a plain text password. The next e-mail had:
# debio@ndtel.com, ndtel, ndtc dn: uid=debio@ndtel.com,ou=ndtel,o=ndtc uid: debio@ndtel.com ... sambaLMPassword: B15F999EA3OBFUSCATED!NOTHING2SEE sambaAcctFlags: [U] sambaNTPassword: 6F005855B7OBFUSCATED!NOTHING2SEE ... userPassword:: e1NTSEF9cEkwUUOBFUSCATED!NOTHING2SEERWJ5VFlLTVkyUzk=
so there you've got userPassword (I presume plaintext) and sambaNTPassword, which is NTLM and can be used for MSCHAPv2. Nothing else will work. What does the debug output look like now? What attribute is the ldap module looking for to get the password? Is there a NTLM or plaintext password in the record you are using? Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
First of all, thanks for the input, Matthew! It is really nice to get good feedback from knowledgeable people! On 09/21/2015 04:39 PM, Matthew Newton wrote:
On Mon, Sep 21, 2015 at 04:18:32PM -0500, Alex Moen wrote:
I have multiple directories on that server. My basedn was too broad, and I was getting an answer from a different directory tree than I thought.
OK.
Now I just have to figure out why I can't authenticate. I know one of the differences between the "branches" of the directory tree, is that the incorrect one is using Crypt passwords, and the correct one is using SSHA passwords. Seems that the SSHA passwords are not working while the Crypt passwords do.
It's impossible to authenticate MSCHAP with Crypt or SSHA.
Your first e-mail had this:
(29) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (29) ldap: --> (uid=alexm) (29) ldap: Performing search in "o=ndtc" with filter "(uid=alexm)", scope "sub" (29) ldap: Waiting for search result... (29) ldap: User object found at DN "uid=alexm,ou=ndtcadministration,o=ndtc" (29) ldap: Processing user attributes
So it must have been getting a plain text password.
The next e-mail had:
# debio@ndtel.com, ndtel, ndtc dn: uid=debio@ndtel.com,ou=ndtel,o=ndtc uid: debio@ndtel.com ... sambaLMPassword: B15F999EA3OBFUSCATED!NOTHING2SEE sambaAcctFlags: [U] sambaNTPassword: 6F005855B7OBFUSCATED!NOTHING2SEE ... userPassword:: e1NTSEF9cEkwUUOBFUSCATED!NOTHING2SEERWJ5VFlLTVkyUzk=
so there you've got userPassword (I presume plaintext)
Nope. It's definitely an ssha. Her password is not 50 characters long. But it would definitely explain why it's not working, if SSHA passwords won't work.
and sambaNTPassword, which is NTLM and can be used for MSCHAPv2. Nothing else will work.
What does the debug output look like now? What attribute is the ldap module looking for to get the password? Is there a NTLM or plaintext password in the record you are using?
Matthew
Yes, there are NTLM passwords on the accounts I want to use, since they are the same authentication mechanism used for our Samba server... So, I have switched (in the /etc/raddb/mods-available/ldap file) from: control:Password-With-Header += 'userPassword' to: control:Password-With-Header += 'sambaNTPassword' It did not help, here's the debug: (0) Received Access-Request Id 141 from 192.168.255.112:51351 to 192.168.255.5:1812 length 195 (0) User-Name = "alexm@ndtel.com" (0) NAS-IP-Address = 192.168.255.112 (0) NAS-Identifier = "0418d620086c" (0) NAS-Port = 0 (0) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x" (0) Calling-Station-Id = "C4-85-08-F5-2C-10" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) EAP-Message = 0x0253001401616c65786d406e6474656c2e636f6d (0) Message-Authenticator = 0x7799e9c43e42407c6ab8c899513dd40e (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (!&User-Name) { (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) { (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "ndtel.com" for User-Name = "alexm@ndtel.com" (0) suffix: Found realm "ndtel.com" (0) suffix: Adding Stripped-User-Name = "alexm" (0) suffix: Adding Realm = "ndtel.com" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: Peer sent EAP Response (code 2) ID 83 length 20 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: Flushing SSL sessions (of #0) (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 84 length 6 (0) eap: EAP session adding &reply:State = 0x2b5395752b078cc5 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 141 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0 (0) EAP-Message = 0x015400061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x2b5395752b078cc5b4eb6d412c1f1224 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 142 from 192.168.255.112:51351 to 192.168.255.5:1812 length 332 (1) User-Name = "alexm@ndtel.com" (1) NAS-IP-Address = 192.168.255.112 (1) NAS-Identifier = "0418d620086c" (1) NAS-Port = 0 (1) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x" (1) Calling-Station-Id = "C4-85-08-F5-2C-10" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) EAP-Message = 0x0254008b198000000081160301007c01000078030156007d08a87d8597598082bbaa005c4251db39a4722c74d60048d33bc90bdeb820c73e063cc970e85b38f61e11652d3c96ba288807dc179deb631decc5b033fe790018c014c013c00ac0090035002f00380032000a00130005000401000017000a00 (1) State = 0x2b5395752b078cc5b4eb6d412c1f1224 (1) Message-Authenticator = 0x2c232cd9435e251a02a7ca3233707200 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (!&User-Name) { (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) { (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "ndtel.com" for User-Name = "alexm@ndtel.com" (1) suffix: Found realm "ndtel.com" (1) suffix: Adding Stripped-User-Name = "alexm" (1) suffix: Adding Realm = "ndtel.com" (1) suffix: Authentication realm is LOCAL (1) [suffix] = ok (1) eap: Peer sent EAP Response (code 2) ID 84 length 139 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x2b5395752b078cc5 (1) eap: Finished EAP session with state 0x2b5395752b078cc5 (1) eap: Previous EAP request found for state 0x2b5395752b078cc5, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 129 bytes (1) eap_peap: Got complete TLS record (129 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< TLS 1.0 Handshake [length 007c], ClientHello (1) eap_peap: TLS_accept: SSLv3 read client hello A (1) eap_peap: >>> TLS 1.0 Handshake [length 0059], ServerHello (1) eap_peap: TLS_accept: SSLv3 write server hello A (1) eap_peap: >>> TLS 1.0 Handshake [length 08b0], Certificate (1) eap_peap: TLS_accept: SSLv3 write certificate A (1) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (1) eap_peap: TLS_accept: SSLv3 write key exchange A (1) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap: TLS_accept: SSLv3 write server done A (1) eap_peap: TLS_accept: SSLv3 flush data (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 85 length 1004 (1) eap: EAP session adding &reply:State = 0x2b5395752a068cc5 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 142 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0 (1) EAP-Message = 0x015503ec19c000000a6c160301005902000055030156007d07f4135b60d176b1cbdd312b383a5726641da87c3bfa65bbe5520a425a2007a1e52adb07eb9959c70ab0dfdede48fbecbfec67e300869caa54803c88e4aac01400000dff01000100000b00040300010216030108b00b0008ac0008a90003d0 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x2b5395752a068cc5b4eb6d412c1f1224 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 143 from 192.168.255.112:51351 to 192.168.255.5:1812 length 199 (2) User-Name = "alexm@ndtel.com" (2) NAS-IP-Address = 192.168.255.112 (2) NAS-Identifier = "0418d620086c" (2) NAS-Port = 0 (2) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x" (2) Calling-Station-Id = "C4-85-08-F5-2C-10" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) EAP-Message = 0x025500061900 (2) State = 0x2b5395752a068cc5b4eb6d412c1f1224 (2) Message-Authenticator = 0x5f5bd3c85ca4a8a951f2f756feef1fa4 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (!&User-Name) { (2) if (!&User-Name) -> FALSE (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) { (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "ndtel.com" for User-Name = "alexm@ndtel.com" (2) suffix: Found realm "ndtel.com" (2) suffix: Adding Stripped-User-Name = "alexm" (2) suffix: Adding Realm = "ndtel.com" (2) suffix: Authentication realm is LOCAL (2) [suffix] = ok (2) eap: Peer sent EAP Response (code 2) ID 85 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x2b5395752a068cc5 (2) eap: Finished EAP session with state 0x2b5395752a068cc5 (2) eap: Previous EAP request found for state 0x2b5395752a068cc5, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer ACKed our handshake fragment (2) eap_peap: [eaptls verify] = request (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 86 length 1000 (2) eap: EAP session adding &reply:State = 0x2b53957529058cc5 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Sent Access-Challenge Id 143 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0 (2) EAP-Message = 0x015603e81940cb266556c619c5b2efa5b201a6104aeffbbebb8cfd465f6a691bd7b1d49fb2d61b1273cc603b2a22bbabcde5c31eabc6bbff16f1a1e487f5daded9fe6ffc9dfacbdac64c43825dee4e2a378bcc2859de84c80339fd6dedd41a13450004d3308204cf308203b7a0030201020209008be4d1 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x2b53957529058cc5b4eb6d412c1f1224 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 144 from 192.168.255.112:51351 to 192.168.255.5:1812 length 199 (3) User-Name = "alexm@ndtel.com" (3) NAS-IP-Address = 192.168.255.112 (3) NAS-Identifier = "0418d620086c" (3) NAS-Port = 0 (3) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x" (3) Calling-Station-Id = "C4-85-08-F5-2C-10" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) EAP-Message = 0x025600061900 (3) State = 0x2b53957529058cc5b4eb6d412c1f1224 (3) Message-Authenticator = 0xd3e01d5515d908d68255faec3260845a (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (!&User-Name) { (3) if (!&User-Name) -> FALSE (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@.*@/ ) { (3) if (&User-Name =~ /@.*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "ndtel.com" for User-Name = "alexm@ndtel.com" (3) suffix: Found realm "ndtel.com" (3) suffix: Adding Stripped-User-Name = "alexm" (3) suffix: Adding Realm = "ndtel.com" (3) suffix: Authentication realm is LOCAL (3) [suffix] = ok (3) eap: Peer sent EAP Response (code 2) ID 86 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x2b53957529058cc5 (3) eap: Finished EAP session with state 0x2b53957529058cc5 (3) eap: Previous EAP request found for state 0x2b53957529058cc5, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 87 length 686 (3) eap: EAP session adding &reply:State = 0x2b53957528048cc5 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Sent Access-Challenge Id 144 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0 (3) EAP-Message = 0x015702ae19000101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100b707329146869fa84ff08f2d837b56ab01c7cf46e55fb12e73f7b6ca691d156b9074 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x2b53957528048cc5b4eb6d412c1f1224 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 145 from 192.168.255.112:51351 to 192.168.255.5:1812 length 337 (4) User-Name = "alexm@ndtel.com" (4) NAS-IP-Address = 192.168.255.112 (4) NAS-Identifier = "0418d620086c" (4) NAS-Port = 0 (4) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x" (4) Calling-Station-Id = "C4-85-08-F5-2C-10" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) EAP-Message = 0x02570090198000000086160301004610000042410455ca43a7135c4be04545956605bef0fc43060d7b6424b1a3a8695208df444e7bc01db682e6ac08edf16c67d3b65177079ad1b1ea38a836e644c5e62aea16c70b1403010001011603010030aba63c661b4e12a06cc03e8e8f1ffacecbf16db600a91b (4) State = 0x2b53957528048cc5b4eb6d412c1f1224 (4) Message-Authenticator = 0x0cc3c5467a3f3f16ee6cba2fcb75eb36 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (!&User-Name) { (4) if (!&User-Name) -> FALSE (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@.*@/ ) { (4) if (&User-Name =~ /@.*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "ndtel.com" for User-Name = "alexm@ndtel.com" (4) suffix: Found realm "ndtel.com" (4) suffix: Adding Stripped-User-Name = "alexm" (4) suffix: Adding Realm = "ndtel.com" (4) suffix: Authentication realm is LOCAL (4) [suffix] = ok (4) eap: Peer sent EAP Response (code 2) ID 87 length 144 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x2b53957528048cc5 (4) eap: Finished EAP session with state 0x2b53957528048cc5 (4) eap: Previous EAP request found for state 0x2b53957528048cc5, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 134 bytes (4) eap_peap: Got complete TLS record (134 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (4) eap_peap: TLS_accept: SSLv3 read client key exchange A (4) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished (4) eap_peap: TLS_accept: SSLv3 read finished A (4) eap_peap: >>> TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap: TLS_accept: SSLv3 write change cipher spec A (4) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished (4) eap_peap: TLS_accept: SSLv3 write finished A (4) eap_peap: TLS_accept: SSLv3 flush data (4) eap_peap: (other): SSL negotiation finished successfully (4) eap_peap: SSL Connection Established (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 88 length 65 (4) eap: EAP session adding &reply:State = 0x2b5395752f0b8cc5 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Sent Access-Challenge Id 145 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0 (4) EAP-Message = 0x0158004119001403010001011603010030a4cd503e6da77ff57e0056cb61bdcedf2749156a5e0e09557d2ef58df6677e67ddb4d3b38925d566b0f7e8cba57ff8f8 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x2b5395752f0b8cc5b4eb6d412c1f1224 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 146 from 192.168.255.112:51351 to 192.168.255.5:1812 length 199 (5) User-Name = "alexm@ndtel.com" (5) NAS-IP-Address = 192.168.255.112 (5) NAS-Identifier = "0418d620086c" (5) NAS-Port = 0 (5) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x" (5) Calling-Station-Id = "C4-85-08-F5-2C-10" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) EAP-Message = 0x025800061900 (5) State = 0x2b5395752f0b8cc5b4eb6d412c1f1224 (5) Message-Authenticator = 0x2698bbfc6ee24f44a45e0ec60b8c97bb (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (!&User-Name) { (5) if (!&User-Name) -> FALSE (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@.*@/ ) { (5) if (&User-Name =~ /@.*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "ndtel.com" for User-Name = "alexm@ndtel.com" (5) suffix: Found realm "ndtel.com" (5) suffix: Adding Stripped-User-Name = "alexm" (5) suffix: Adding Realm = "ndtel.com" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) eap: Peer sent EAP Response (code 2) ID 88 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x2b5395752f0b8cc5 (5) eap: Finished EAP session with state 0x2b5395752f0b8cc5 (5) eap: Previous EAP request found for state 0x2b5395752f0b8cc5, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished (5) eap_peap: [eaptls verify] = success (5) eap_peap: [eaptls process] = success (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state TUNNEL ESTABLISHED (5) eap: Sending EAP Request (code 1) ID 89 length 43 (5) eap: EAP session adding &reply:State = 0x2b5395752e0a8cc5 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Sent Access-Challenge Id 146 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0 (5) EAP-Message = 0x0159002b1900170301002034aef62f575a790ac3ba19862d79f445a223065a3811dbcab04e90397978bafc (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x2b5395752e0a8cc5b4eb6d412c1f1224 (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 147 from 192.168.255.112:51351 to 192.168.255.5:1812 length 252 (6) User-Name = "alexm@ndtel.com" (6) NAS-IP-Address = 192.168.255.112 (6) NAS-Identifier = "0418d620086c" (6) NAS-Port = 0 (6) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x" (6) Calling-Station-Id = "C4-85-08-F5-2C-10" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) EAP-Message = 0x0259003b19001703010030fa3bbb6faacd50c65acef4cceeda0df4a2477dbaf0d9ca50b4b2adbb2903ffd890689831552546f43061e6f54622e538 (6) State = 0x2b5395752e0a8cc5b4eb6d412c1f1224 (6) Message-Authenticator = 0x4f72249e337a17d25b4f292f9ea9d8f2 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (!&User-Name) { (6) if (!&User-Name) -> FALSE (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@.*@/ ) { (6) if (&User-Name =~ /@.*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "ndtel.com" for User-Name = "alexm@ndtel.com" (6) suffix: Found realm "ndtel.com" (6) suffix: Adding Stripped-User-Name = "alexm" (6) suffix: Adding Realm = "ndtel.com" (6) suffix: Authentication realm is LOCAL (6) [suffix] = ok (6) eap: Peer sent EAP Response (code 2) ID 89 length 59 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x2b5395752e0a8cc5 (6) eap: Finished EAP session with state 0x2b5395752e0a8cc5 (6) eap: Previous EAP request found for state 0x2b5395752e0a8cc5, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY (6) eap_peap: Identity - alexm@ndtel.com (6) eap_peap: Got inner identity 'alexm@ndtel.com' (6) eap_peap: Setting default EAP type for tunneled EAP session (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x0259001401616c65786d406e6474656c2e636f6d (6) eap_peap: Setting User-Name to alexm@ndtel.com (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x0259001401616c65786d406e6474656c2e636f6d (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "alexm@ndtel.com" (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x0259001401616c65786d406e6474656c2e636f6d (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "alexm@ndtel.com" (6) server inner-tunnel { (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "ndtel.com" for User-Name = "alexm@ndtel.com" (6) suffix: Found realm "ndtel.com" (6) suffix: Adding Stripped-User-Name = "alexm" (6) suffix: Adding Realm = "ndtel.com" (6) suffix: Authentication realm is LOCAL (6) [suffix] = ok (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 89 length 20 (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: Issuing Challenge (6) eap: Sending EAP Request (code 1) ID 90 length 42 (6) eap: EAP session adding &reply:State = 0xf624fb83f67ee10e (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x015a002a1a015a002510f20c2d72f97808a7a844122e0208f35d667265657261646975732d332e302e39 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xf624fb83f67ee10e1d676a0188257602 (6) eap_peap: Got tunneled reply code 11 (6) eap_peap: EAP-Message = 0x015a002a1a015a002510f20c2d72f97808a7a844122e0208f35d667265657261646975732d332e302e39 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0xf624fb83f67ee10e1d676a0188257602 (6) eap_peap: Got tunneled reply RADIUS code 11 (6) eap_peap: EAP-Message = 0x015a002a1a015a002510f20c2d72f97808a7a844122e0208f35d667265657261646975732d332e302e39 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: State = 0xf624fb83f67ee10e1d676a0188257602 (6) eap_peap: Got tunneled Access-Challenge (6) eap: Sending EAP Request (code 1) ID 90 length 75 (6) eap: EAP session adding &reply:State = 0x2b5395752d098cc5 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/raddb/sites-enabled/default (6) Sent Access-Challenge Id 147 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0 (6) EAP-Message = 0x015a004b190017030100401d3547312c7cd75375fc325fcd9b61cc8eaca97275259a317e33860f55923efa11fa6d01c8c671c4c6176ea78896e58d84aad593d17d8372c598c413faba6c1e (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x2b5395752d098cc5b4eb6d412c1f1224 (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 148 from 192.168.255.112:51351 to 192.168.255.5:1812 length 300 (7) User-Name = "alexm@ndtel.com" (7) NAS-IP-Address = 192.168.255.112 (7) NAS-Identifier = "0418d620086c" (7) NAS-Port = 0 (7) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x" (7) Calling-Station-Id = "C4-85-08-F5-2C-10" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) EAP-Message = 0x025a006b19001703010060fb9cfd910dffbfe36a6c35d00b8a8f8eed0f3538749e722a1c8dcac3c6872a80380a472698c8503b7b97317016615ec22f2a3b39c99aeffd620ed4d8f86405908c7ed2345a349b00eaef972b79b5bc5b5cff84b7c76aecd76d1ed5879055965b (7) State = 0x2b5395752d098cc5b4eb6d412c1f1224 (7) Message-Authenticator = 0xa36d8b1e8ea7282f6ba40ef571f556e6 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (!&User-Name) { (7) if (!&User-Name) -> FALSE (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@.*@/ ) { (7) if (&User-Name =~ /@.*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "ndtel.com" for User-Name = "alexm@ndtel.com" (7) suffix: Found realm "ndtel.com" (7) suffix: Adding Stripped-User-Name = "alexm" (7) suffix: Adding Realm = "ndtel.com" (7) suffix: Authentication realm is LOCAL (7) [suffix] = ok (7) eap: Peer sent EAP Response (code 2) ID 90 length 107 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xf624fb83f67ee10e (7) eap: Finished EAP session with state 0x2b5395752d098cc5 (7) eap: Previous EAP request found for state 0x2b5395752d098cc5, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state phase2 (7) eap_peap: EAP method MSCHAPv2 (26) (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x025a004a1a025a004531c17f260aff8f5a75e22e9ed3383b33f2000000000000000063b3c01788f9019f61200d41d77ccc45c4623596563de07e00616c65786d406e6474656c2e636f6d (7) eap_peap: Setting User-Name to alexm@ndtel.com (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x025a004a1a025a004531c17f260aff8f5a75e22e9ed3383b33f2000000000000000063b3c01788f9019f61200d41d77ccc45c4623596563de07e00616c65786d406e6474656c2e636f6d (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "alexm@ndtel.com" (7) eap_peap: State = 0xf624fb83f67ee10e1d676a0188257602 (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x025a004a1a025a004531c17f260aff8f5a75e22e9ed3383b33f2000000000000000063b3c01788f9019f61200d41d77ccc45c4623596563de07e00616c65786d406e6474656c2e636f6d (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "alexm@ndtel.com" (7) State = 0xf624fb83f67ee10e1d676a0188257602 (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "ndtel.com" for User-Name = "alexm@ndtel.com" (7) suffix: Found realm "ndtel.com" (7) suffix: Adding Stripped-User-Name = "alexm" (7) suffix: Adding Realm = "ndtel.com" (7) suffix: Authentication realm is LOCAL (7) [suffix] = ok (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 90 length 74 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated rlm_ldap (ldap): Reserved connection (0) (7) ldap: EXPAND (uid=%{User-Name}) (7) ldap: --> (uid=alexm@ndtel.com) (7) ldap: Performing search in "ou=ndtel,o=ndtc" with filter "(uid=alexm@ndtel.com)", scope "sub" (7) ldap: Waiting for search result... (7) ldap: User object found at DN "uid=alexm@ndtel.com,ou=ndtel,o=ndtc" (7) ldap: Processing user attributes (7) ldap: control:Password-With-Header += 'CF1189B22D7E43F062F8E1A4AE1B8418' rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): 0 of 5 connections in use. Need more spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (7) [ldap] = updated (7) [expiration] = noop (7) [logintime] = noop (7) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (7) pap: Removing &control:Password-With-Header (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0xf624fb83f67ee10e (7) eap: Finished EAP session with state 0xf624fb83f67ee10e (7) eap: Previous EAP request found for state 0xf624fb83f67ee10e, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) eap_mschapv2: Auth-Type MS-CHAP { (7) mschap: Found Cleartext-Password, hashing to create NT-Password (7) mschap: Found Cleartext-Password, hashing to create LM-Password (7) mschap: Creating challenge hash with username: alexm@ndtel.com (7) mschap: Client is using MS-CHAPv2 (7) mschap: ERROR: MS-CHAP2-Response is incorrect (7) [mschap] = reject (7) } # Auth-Type MS-CHAP = reject (7) MSCHAP-Error: ZE=691 R=1 (7) Could not parse new challenge from MS-CHAP-Error: 2 (7) ERROR: MSCHAP Failure (7) eap: Sending EAP Request (code 1) ID 91 length 18 (7) eap: EAP session adding &reply:State = 0xf624fb83f77fe10e (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x015b00121a045a000d453d36393120523d31 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xf624fb83f77fe10e1d676a0188257602 (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: EAP-Message = 0x015b00121a045a000d453d36393120523d31 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xf624fb83f77fe10e1d676a0188257602 (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x015b00121a045a000d453d36393120523d31 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xf624fb83f77fe10e1d676a0188257602 (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 91 length 59 (7) eap: EAP session adding &reply:State = 0x2b5395752c088cc5 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/raddb/sites-enabled/default (7) Sent Access-Challenge Id 148 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0 (7) EAP-Message = 0x015b003b19001703010030c12e30aa61c15629dac014d387dadd7ccaa4f9a143aec072484f5f5c2258d6a8e949dbb905ab5b7ddd126b0e2b0d6a5e (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x2b5395752c088cc5b4eb6d412c1f1224 (7) Finished request Waking up in 4.9 seconds. (0) <done>: Cleaning up request packet ID 141 with timestamp +27 (1) <done>: Cleaning up request packet ID 142 with timestamp +27 (2) <done>: Cleaning up request packet ID 143 with timestamp +27 (3) <done>: Cleaning up request packet ID 144 with timestamp +27 (4) <done>: Cleaning up request packet ID 145 with timestamp +27 (5) <done>: Cleaning up request packet ID 146 with timestamp +27 (6) <done>: Cleaning up request packet ID 147 with timestamp +27 (7) <done>: Cleaning up request packet ID 148 with timestamp +27 Ready to process requests
On Mon, Sep 21, 2015 at 05:02:05PM -0500, Alex Moen wrote:
...
sambaLMPassword: B15F999EA3OBFUSCATED!NOTHING2SEE sambaAcctFlags: [U] sambaNTPassword: 6F005855B7OBFUSCATED!NOTHING2SEE ... userPassword:: e1NTSEF9cEkwUUOBFUSCATED!NOTHING2SEERWJ5VFlLTVkyUzk=
so there you've got userPassword (I presume plaintext)
Nope. It's definitely an ssha. Her password is not 50 characters long. But it would definitely explain why it's not working, if SSHA passwords won't work.
You can forget about trying to use that one then. Though I'm slightly confused where the plaintext password came from in the first debug output. But that doesn't really matter.
Yes, there are NTLM passwords on the accounts I want to use, since they are the same authentication mechanism used for our Samba server...
So, I have switched (in the /etc/raddb/mods-available/ldap file) from: control:Password-With-Header += 'userPassword' to: control:Password-With-Header += 'sambaNTPassword'
Password-With-Header expects a {...} header at the start (see the man page for rlm_pap). So you can either use unlang to add the header on, or just update NT-Password instead, as in the ldap config. So in mods-enabled/ldap update {}, comment out control:Password-With-Header += 'userPassword', then uncomment # control:NT-Password := 'ntPassword' and set it to control:NT-Password := 'sambaNTPassword'
(7) ldap: User object found at DN "uid=alexm@ndtel.com,ou=ndtel,o=ndtc" (7) ldap: Processing user attributes (7) ldap: control:Password-With-Header += 'CF1189B22D7E43F062F8E1A4AE1B8418'
^^^ rlm_ldap gets sambaNTPassword and puts it in Password-With-Header
rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): 0 of 5 connections in use. Need more spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (7) [ldap] = updated (7) [expiration] = noop (7) [logintime] = noop (7) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
^^^ rlm_pap checks the passwords are in a good form. Here it notices that Password-With-Header doesn't have a header, so it copies it to Cleartext-Password and then removes it.
(7) pap: Removing &control:Password-With-Header (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0xf624fb83f67ee10e (7) eap: Finished EAP session with state 0xf624fb83f67ee10e (7) eap: Previous EAP request found for state 0xf624fb83f67ee10e, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) eap_mschapv2: Auth-Type MS-CHAP { (7) mschap: Found Cleartext-Password, hashing to create NT-Password (7) mschap: Found Cleartext-Password, hashing to create LM-Password
^^^ rlm_mschap notices that Cleartext-Password exists (which actually contains the NT-Password), and hashes that again and puts it in NT-Password. What you really want is that value in NT-Password directly, which the above ldap config should do. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 09/21/2015 05:49 PM, Matthew Newton wrote:
So, I have switched (in the /etc/raddb/mods-available/ldap file) from: control:Password-With-Header += 'userPassword' to: control:Password-With-Header += 'sambaNTPassword'
Password-With-Header expects a {...} header at the start (see the man page for rlm_pap). So you can either use unlang to add the header on, or just update NT-Password instead, as in the ldap config.
So in mods-enabled/ldap update {}, comment out control:Password-With-Header += 'userPassword', then uncomment
# control:NT-Password := 'ntPassword'
and set it to
control:NT-Password := 'sambaNTPassword'
This fixed it. Thanks so much for the help Matthew! I would not have figured this out on my own! Hopefully this can help someone else! I've been working with radius and LDAP for years now. Not these versions, of course, which are so much more refined and versatile. But, these services are such that once you get them up and running, you rarely have to touch them again. Like, in years. Unless you're trying to do something new, which is when you are exposed to the new and improved versions. Since they are so robust and well-made, you have to relearn everything. It's quite a testament to the developers of these software packages, and I don't think they get enough credit or thanks. So, a huge THANK YOU to the developers for putting so much time and effort into this for us!!! Alex
Hi,
of the differences between the "branches" of the directory tree, is that the incorrect one is using Crypt passwords, and the correct one is using SSHA passwords. Seems that the SSHA passwords are not working while the Crypt passwords do.
well, as others have pointed out, theres an issue with the format of the name too. uid=xxxxx must match, you cant look for uid=user and expect uid=user@realm to match - so you may want to vary your ldap query based on the username - perhaps do a user-name check if theres a realm thats not handled properly? how does your LDAP server present the password? LDAP is not an authentication system, its an 'oracle' of values - so you may need to tell FreeRADIUS what format the reply value is - read the LDAP and FreeRADIUS password format docs eg http://wiki.freeradius.org/modules/rlm_ldap alan
Hi Alan, Yeah, I figured that out once I found that I was barking up the wrong... um... branch. I have modified my config to look for the full user@domain, as it is in our UIDs. Thanks for the link, I will read through that. Half the battle is finding the proper information. I am changing to use the Samba NT Password field, since I'm using MSCHAPv2 and this is the only field (other than a cleartext password field) that will work. Still running into issues, though, and now it's quitting time... Thanks!!! Alex On 09/21/2015 04:55 PM, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
of the differences between the "branches" of the directory tree, is that the incorrect one is using Crypt passwords, and the correct one is using SSHA passwords. Seems that the SSHA passwords are not working while the Crypt passwords do.
well, as others have pointed out, theres an issue with the format of the name too. uid=xxxxx must match, you cant look for uid=user and expect uid=user@realm to match - so you may want to vary your ldap query based on the username - perhaps do a user-name check if theres a realm thats not handled properly?
how does your LDAP server present the password? LDAP is not an authentication system, its an 'oracle' of values - so you may need to tell FreeRADIUS what format the reply value is - read the LDAP and FreeRADIUS password format docs
eg http://wiki.freeradius.org/modules/rlm_ldap
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Alex Moen NSTII North Dakota Telephone Company 701-662-6481
Alex Moen wrote:
Now I just have to figure out why I can't authenticate. I know one of the differences between the "branches" of the directory tree, is that the incorrect one is using Crypt passwords, and the correct one is using SSHA passwords. Seems that the SSHA passwords are not working while the Crypt passwords do.
Maybe you're misinterpreting your test results: AFAIK MS-CHAPv2 works with NT password hash (LDAP attribute sambaNTPassword). It cannot work with any hashed LDAP userPassword value. Check first whether userPassword and sambaNTPassword are "in sync" (hashes derived from the same clear-text password). Ciao, Michael.
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alex Moen -
Isaac Boukris -
Matthew Newton -
Michael Ströder