Hi, I try to convert our freeradius2 setup to a new freeradius3 configuration. A setup with TTLS + PAP is working, but when I switch to PEAP I'll get the following output. Any idea, or a howto with a LDAP-Provider with NT-Hashes? radiusd: FreeRADIUS Version 3.0.12, for host x86_64-pc-linux-gnu, built on Aug 10 2017 at 07:05:06 (10) redundant { rlm_ldap (server1): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (server1): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (server1): Connecting to ldap://ldap1.DOMAIN:389 rlm_ldap (server1): Waiting for bind result... rlm_ldap (server1): Bind successful rlm_ldap (server1): Reserved connection (0) (10) server1: EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(radiusaccessattribute=EDUROAM)) (10) server1: --> (&(uid=whans)(radiusaccessattribute=EDUROAM)) (10) server1: Performing search in "ou=user,DOMAIN" with filter "(&(uid=whans)(radiusaccessattribute=EDUROAM))", scope "sub" (10) server1: Waiting for search result... (10) server1: User object found at DN "uid=whans,ou=W,ou=Mitarbeiter,ou=User,DOMAIN" (10) server1: Processing user attributes (10) server1: control:NT-Password := 0x3144364643424433303630373744363633453233373735453535423346324535 rlm_ldap (server1): Released connection (0) rlm_ldap (server1): Need 2 more connections to reach 10 spares rlm_ldap (server1): Opening additional connection (1), 1 of 31 pending slots used rlm_ldap (server1): Connecting to ldap://ldap1.leuphana.de:389 rlm_ldap (server1): Waiting for bind result... rlm_ldap (server1): Bind successful (10) [server1] = updated (10) } # redundant = updated (10) [mschap] = noop (10) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes (10) pap: No User-Password attribute in the request. Cannot do PAP (10) [pap] = noop (10) } # authorize = updated (10) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (10) Failed to authenticate the user (10) Using Post-Auth-Type Reject Regrads Carsten
On Aug 28, 2018, at 4:11 AM, Carsten Schulze <carsten.schulze@leuphana.de> wrote:
I try to convert our freeradius2 setup to a new freeradius3 configuration.
It's better to start with the default v3 configuration, and then gradually add pieces from the v2 config. That way it starts off as working. And, you can tell when it breaks, and what change broke it.
A setup with TTLS + PAP is working, but when I switch to PEAP I'll get the following output.
Any idea, or a howto with a LDAP-Provider with NT-Hashes?
The problem isn't LDAP or NT hashes.
radiusd: FreeRADIUS Version 3.0.12, for host x86_64-pc-linux-gnu, built on Aug 10 2017 at 07:05:06
... (10) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes (10) pap: No User-Password attribute in the request. Cannot do PAP (10) [pap] = noop (10) } # authorize = updated (10) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
For one, you didn't post the *full* debug output as suggested here: http://wiki.freeradius.org/list-help That would have let us know exactly what was going on. Without that, my best guess is that you deleted the "eap" module from the "inner-tunnel" virtual server. Add it back (as per the default config), and it should work. Alan DeKok.
Hi Alan, thanks for your help again. I used the v3 default config with one exception, the default inner-tunnel. I added the ldap provider to it and changed the modules/eap back to point on that -> success. Regards Carsten Am 28.08.2018 um 13:55 schrieb Alan DeKok:
On Aug 28, 2018, at 4:11 AM, Carsten Schulze <carsten.schulze@leuphana.de> wrote:
I try to convert our freeradius2 setup to a new freeradius3 configuration. It's better to start with the default v3 configuration, and then gradually add pieces from the v2 config. That way it starts off as working. And, you can tell when it breaks, and what change broke it.
A setup with TTLS + PAP is working, but when I switch to PEAP I'll get the following output.
Any idea, or a howto with a LDAP-Provider with NT-Hashes? The problem isn't LDAP or NT hashes.
radiusd: FreeRADIUS Version 3.0.12, for host x86_64-pc-linux-gnu, built on Aug 10 2017 at 07:05:06
... (10) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes (10) pap: No User-Password attribute in the request. Cannot do PAP (10) [pap] = noop (10) } # authorize = updated (10) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject For one, you didn't post the *full* debug output as suggested here: http://wiki.freeradius.org/list-help
That would have let us know exactly what was going on.
Without that, my best guess is that you deleted the "eap" module from the "inner-tunnel" virtual server. Add it back (as per the default config), and it should work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Mit freundlichen Grüßen Dipl. Inform. (FH) Carsten Schulze Medien- und Informationszentrum (MIZ) Leuphana Universität Lüneburg Universitätsallee 1, C7.206 21335 Lüneburg Fon 04131.677-1241 Fax 04131.677-1246
participants (2)
-
Alan DeKok -
Carsten Schulze