Hi, i have VPN mikrotik server → freeradius → openldap I have plaintext passwords for users in ldap. And all it’s okay. I encrypted users passwords in SSHA and my VPN don’t working Logs from freeradius (5) ldap: Performing search in "ou=people,dc=fusioncore,dc=local" with filter "(uid=scherevko)", scope "sub" (5) ldap: Waiting for search result... (5) ldap: User object found at DN "uid=scherevko,ou=people,dc=fusioncore,dc=local" (5) ldap: Processing user attributes (5) ldap: control:Password-With-Header += '{SSHA}y11iufAi/kWir/t/5npxER+fpUYSroNSr0VM4Q==' rlm_ldap (ldap): Released connection (11) (5) [ldap] = updated (5) [expiration] = noop (5) [logintime] = noop (5) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password (5) pap: Removing &control:Password-With-Header (5) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28 bytes (5) pap: WARNING: Auth-Type already set. Not setting to PAP (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = mschap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (5) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (5) mschap: Creating challenge hash with username: scherevko (5) mschap: Client is using MS-CHAPv2 (5) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (5) mschap: ERROR: MS-CHAP2-Response is incorrect (5) [mschap] = reject (5) } # authenticate = reject (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> scherevko (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) [eap] = noop (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (5) (5) Discarding duplicate request from client mikrotik_router port 56532 - ID: 31 due to delayed response Waking up in 0.6 seconds. (5) (5) Discarding duplicate request from client mikrotik_router port 56532 - ID: 31 due to delayed response Waking up in 0.3 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 31 from 10.10.2.176:1812 to 10.10.2.1:56532 length 103 (5) MS-CHAP-Error = "\001E=691 R=1 C=359def4fd6e2f6ec8965898ccce170c8 V=3 M=Authentication rejected" Waking up in 3.9 seconds. (5) Cleaning up request packet ID 31 with timestamp +1893 Ready to process requests
On Thu, 2020-01-23 at 11:01 +0300, Сергей Черевко via Freeradius-Users wrote:
Hi, i have VPN mikrotik server → freeradius → openldap
I have plaintext passwords for users in ldap. And all it’s okay.
I encrypted users passwords in SSHA and my VPN don’t working
SSHA is not compatible with MSCHAP. You need cleartext passwords, or NT hash. http://deployingradius.com/documents/protocols/compatibility.html -- Matthew
participants (2)
-
Matthew Newton -
Сергей Черевко