freeradius3 + openldap + mschapv2
Hello I have a working installation of freeradius2, providing AAA on my wlan by using ldap stored users. I am trying to upgrade to freeradius3, but I met a problem. As far as I understood, the ldap attribute previusly mapped through the ldap.attrmap file now must be mapped by an update statement, so in the ldap module configuration I configured: update { control:Password-With-Header += 'userPassword' control:NT-Password := 'sambaNTPassword' } I know that this is working because in the debug I see: .. (12) 8021x1 : User object found at DN "uid=XXXXXXX (12) 8021x1 : Processing user attributes (12) 8021x1 : control:Password-With-Header += '{SHA}XXXXXXXXXXXXXXXXXXXX' (12) 8021x1 : control:NT-Password := 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX rlm_ldap (8021x1): Released connection (4) But when I try to authenticate I have this error: (12) Found Auth-Type = EAP (12) # Executing group from file /ofb/freeradius/etc/raddb/sites-enabled/default (12) authenticate { (12) eap : Expiring EAP session with state 0x08682d8c08653729 (12) eap : Finished EAP session with state 0x08682d8c08653729 (12) eap : Previous EAP request found for state 0x08682d8c08653729, released from the list (12) eap : Peer sent MSCHAPv2 (26) (12) eap : EAP MSCHAPv2 (26) (12) eap : Calling eap_mschapv2 to process EAP data (12) eap_mschapv2 : # Executing group from file /ofb/freeradius/etc/raddb/sites-enabled/default (12) eap_mschapv2 : Auth-Type MS-CHAP { (12) mschap : No Cleartext-Password configured. Cannot create LM-Password (12) ERROR: mschap : NT-Password has not been normalized by the "pap" module. Authentication will fail. (12) mschap : Creating challenge hash with username: XXX (12) mschap : Client is using MS-CHAPv2 for XXX, we need NT-Password (12) mschap : FAILED: No NT/LM-Password. Cannot perform authentication. (12) mschap : FAILED: MS-CHAP2-Response is incorrect (12) [mschap] = reject (12) } # Auth-Type MS-CHAP = reject (12) eap : Freeing handler (12) [eap] = reject (12) } # authenticate = reject (12) Failed to authenticate the user. (12) Using Post-Auth-Type Reject (12) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. } # server default (12) eap_peap : Got tunneled reply code 3 MS-CHAP-Error = '\rE=691 R=1' EAP-Message = 0x040d0004 Message-Authenticator = 0x00000000000000000000000000000000 (12) eap_peap : Got tunneled reply RADIUS code 3 MS-CHAP-Error = '\rE=691 R=1' EAP-Message = 0x040d0004 Message-Authenticator = 0x00000000000000000000000000000000 (12) eap_peap : Tunneled authentication was rejected. (12) eap_peap : FAILURE I took a peek at the rlm_mschap.c code and I saw that the part "validating" the NT-Password is oddly different from version 2 to version 3, as v2 was: nt_password = pairfind(request->config_items, PW_NT_PASSWORD); if (nt_password) { if ((nt_password->length == 16) || ((nt_password->length == 32) && (fr_hex2bin(nt_password->vp_strvalue, nt_password->vp_octets, 16) == 16))) { RDEBUG2("Found NT-Password"); nt_password->length = 16; while v3 has: nt_password = pairfind(request->config_items, PW_NT_PASSWORD, 0, TAG_ANY); if (nt_password) { if (nt_password->length == 16) { RDEBUG2("Found NT-Password"); } else { RWDEBUG("NT-Password has not been normalized by the 'pap' module. Authentication will fail"); nt_password = NULL; } I use samba's mkntpwd to generate NT hashes, and it generare 32 chars long hashes....so how could i have those hashes "normalized by pap" in my configuration? am i missing some key difference between the 2 versions? Thanks Futhwo
On 28.05.2014 11:31, futhwo wrote:
(12) ERROR: mschap : NT-Password has not been normalized by the "pap" module. Authentication will fail.
did you see it ? did you add "pap" at the end of your authorize {} section ? I guess not :) Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
That did the trick :) thanks a lot! As i said, i missed a difference between the versions. Anyway, just for personal culture, why wasn't it necessary in v 2 and is in v 3? I do not have pap instantiated in authorize in my working v2 On Wed, May 28, 2014 at 11:50 AM, Olivier Beytrison <olivier@heliosnet.org>wrote:
On 28.05.2014 11:31, futhwo wrote:
(12) ERROR: mschap : NT-Password has not been normalized by the "pap" module. Authentication will fail.
did you see it ?
did you add "pap" at the end of your authorize {} section ?
I guess not :)
Olivier
--
Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 28.05.2014 12:05, futhwo wrote:
Anyway, just for personal culture, why wasn't it necessary in v 2 and is in v 3? I do not have pap instantiated in authorize in my working v2
I'll let Alan or Arran answer that one. This might be specified in raddb/readme.rst maybe :) Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
On 28 May 2014, at 13:10, Olivier Beytrison <olivier@heliosnet.org> wrote:
On 28.05.2014 12:05, futhwo wrote:
Anyway, just for personal culture, why wasn't it necessary in v 2 and is in v 3? I do not have pap instantiated in authorize in my working v2
I'll let Alan or Arran answer that one.
It's odd, and i'm not quite sure what's happening with that one, it should just work without normalisation. I've done some fairly major tweaking of the code to ensure that if ntPassword is a binary attribute in LDAP, it's contents will not be molested on the way to the buffer in the NT-Password octets attribute. If it doesn't work, i'd still like to get this fixed as it's stupid to have to call the pap module just to convert the NT-Password from a hex string to it's binary form. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (3)
-
Arran Cudbard-Bell -
futhwo -
Olivier Beytrison