Setting up a VPN server with pptp and RADIUS for all sorts of clients
Hello, This is my First post on this mailing list, so sorry if I am in the wrong place!! I am having problems getting the Radius Serv to validate my VPN clients. Reading through the mail archives, I have found similar subjects, but the main difference I have is the fact that I don't have authority on the Radius Server. The main problem comes from my windows clients, I am trying to stick to the default Microsoft auth method (using ms-chap v2) to keep the client side as simple as possible. So I have set-up my pptp daemon, installed radiusclient, and have used the dictionary.microsoft from the sources of radiusclient. I must point out that authentication works using "User-Password" field (say if I am wrong, but this is a clear text password?) on 802.1X clients, and all Users in the LDAP base have a valid User-Password (but no NT/LM Passwords) The solutions I have come across until now tell me to use NT or LM password field and the problem is solved, but I can't change the layout, It has been set by "eduroam", who guides the project. So I must get my radius client to work with User-password, but I don't know where to start... A log sent from the Radius Admin shows that the mschap module fails to find User-Password (this is how I have understood it!) and refuses to validate the user. here is the part I am talking about: FROM Radius log: auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. But I am sure that the field User password contains the valid password I am trying to use. Just in case, I shall post the dictionary.microsoft I am using: # # Microsoft's VSA's, from RFC 2548 # # $Id: dictionary.microsoft,v 1.1 2004/11/14 07:26:26 paulus Exp $ # VENDOR Microsoft 311 Microsoft ATTRIBUTE MS-CHAP-Response 1 string Microsoft ATTRIBUTE MS-CHAP-Error 2 string Microsoft ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft # This is referred to as both singular and plural in the RFC. # Plural seems to make more sense. ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft ATTRIBUTE MS-CHAP-Domain 10 string Microsoft ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft ATTRIBUTE MS-BAP-Usage 13 integer Microsoft ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft ATTRIBUTE MS-RAS-Version 18 string Microsoft ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft ATTRIBUTE MS-Filter 22 string Microsoft ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft ATTRIBUTE MS-CHAP2-Response 25 string Microsoft ATTRIBUTE MS-CHAP2-Success 26 string Microsoft ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft #ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft # # Integer Translations # # MS-BAP-Usage Values VALUE MS-BAP-Usage Not-Allowed 0 VALUE MS-BAP-Usage Allowed 1 VALUE MS-BAP-Usage Required 2 # MS-ARAP-Password-Change-Reason Values VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1 VALUE MS-ARAP-PW-Change-Reason Expired-Password 2 VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3 VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4 # MS-Acct-Auth-Type Values VALUE MS-Acct-Auth-Type PAP 1 VALUE MS-Acct-Auth-Type CHAP 2 VALUE MS-Acct-Auth-Type MS-CHAP-1 3 VALUE MS-Acct-Auth-Type MS-CHAP-2 4 VALUE MS-Acct-Auth-Type EAP 5 # MS-Acct-EAP-Type Values VALUE MS-Acct-EAP-Type MD5 4 VALUE MS-Acct-EAP-Type OTP 5 VALUE MS-Acct-EAP-Type Generic-Token-Card 6 VALUE MS-Acct-EAP-Type TLS 13 I have tried to expose my problem the best I can, but If you find that something is missing, don't hesitate! Thanks, Robert PS: using other protocols (PAP for exemple) works fine, but we need mschap support!
robert wrote:
A log sent from the Radius Admin shows that the mschap module fails to find User-Password (this is how I have understood it!) and refuses to validate the user.
Yes. The server does not know what the correct password is for the user, so it can't authenticate the user. Ask the RADIUS Admin to configure a password for the user. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
robert wrote:
A log sent from the Radius Admin shows that the mschap module fails to find User-Password (this is how I have understood it!) and refuses to validate the user.
Yes. The server does not know what the correct password is for the user, so it can't authenticate the user.
Ask the RADIUS Admin to configure a password for the user.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry for my confusion but as I understand it, my radius client is asking for the wrong attribute, since the "User-password" is used for every other application (mail accounts, wireless connections etc), and I am sure that it is already configured. I must apologize for my lack of knowledge about freeradius, I didn't imagine that I would have any problems with this part of my project, I haven't spent much time reading about freeradius (yet :-) ). Regards, Robert
robert wrote:
A log sent from the Radius Admin shows that the mschap module fails to find User-Password (this is how I have understood it!) and refuses to validate the user.
here is the part I am talking about: FROM Radius log:
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
But I am sure that the field User password contains the valid password I am trying to use.
It definitely doesn't. The server doesn't make elementary mistakes like that. Could you please post the entire output of FR run under debug (-X switch) so we can see the details.
Phil Mayers wrote:
robert wrote:
A log sent from the Radius Admin shows that the mschap module fails to find User-Password (this is how I have understood it!) and refuses to validate the user.
here is the part I am talking about: FROM Radius log:
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
But I am sure that the field User password contains the valid password I am trying to use.
It definitely doesn't. The server doesn't make elementary mistakes like that.
Could you please post the entire output of FR run under debug (-X switch) so we can see the details. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I didn't meen a mistake, but was wondering if my radiusclient had a wrong mapping, that requests NT-password instead of User-password (as an example) Here is the output from the radius server: Ready to process requests. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1050, id=109, length=152 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "test" MS-CHAP-Challenge = 0x68ac020b69febf7f1cf6338a1ed1c218 MS-CHAP2-Response = 0x0800e2f1b3176070ca65916fe24cce80d271000000000000000047f1823b3c33996107424059c73866a135b07e51e08c2f4a Calling-Station-Id = "yyy.yyy.yyy.yyy" NAS-IP-Address = xxx.xxx.xxx.xxx NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 radius_xlat: '/var/log/radius/radacct//detail-07022007' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%d%m%Y expands to /var/log/radius/radacct//detail-07022007 modcall[authorize]: module "detail" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' modcall[authorize]: module "mschap" returns ok for request 0 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "test" rlm_realm: Proxying request from user dupontd to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(|(&(uid=test)(ulhcharte=TRUE))(&(eduPersonPrincipalName=test)(ulhcharte=TRUE)))' radius_xlat: 'dc=univ-lehavre,dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to zzz.zzz.zzz.zzz:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/ssl/certs/cachain.txt rlm_ldap: setting TLS CACert Directory to /etc/ssl/certs/ rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: bind as / to ducati.univ-lehavre.fr:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=univ-lehavre,dc=fr, with filter (|(&(uid=test)(ulhcharte=TRUE))(&(eduPersonPrincipalName=test)(ulhcharte=TRUE))) rlm_ldap: looking for check items in directory... rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value 13 & op=11 rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 & op=11 rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 40 & op=11 rlm_ldap: Adding eduPersonPrimaryAffiliation as Class, value member & op=11 rlm_ldap: Adding ulhcharte as Filter-Id, value TRUE & op=11 rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 & op=11 rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_checkval: Item Name: Calling-Station-Id, Value: 194.254.109.252 rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs modcall[authorize]: module "checkval" returns notfound for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 0 modcall: leaving group MS-CHAP (returns reject) for request 0 auth: Failed to validate the user. Login incorrect: [test] (from client yyy.yyy.yyy.yyy port 0 cli yyy.yyy.yyy.yyy) rad_lowerpair: Stripped-User-Name now 'test' rad_rmspace_pair: Stripped-User-Name now 'test' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 radius_xlat: '/var/log/radius/radacct//detail-07022007' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%d%m%Y expands to /var/log/radius/radacct//detail-07022007 modcall[authorize]: module "detail" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' modcall[authorize]: module "mschap" returns ok for request 0 rlm_realm: Request already proxied. Ignoring. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(|(&(uid=test)(ulhcharte=TRUE))(&(eduPersonPrincipalName=TEST)(ulhcharte=TRUE)))' radius_xlat: 'dc=univ-lehavre,dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=univ-lehavre,dc=fr, with filter (|(&(uid=test)(ulhcharte=TRUE))(&(eduPersonPrincipalName=test)(ulhcharte=TRUE))) rlm_ldap: looking for check items in directory... rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value 13 & op=11 rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 & op=11 rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 40 & op=11 rlm_ldap: Adding eduPersonPrimaryAffiliation as Class, value member & op=11 rlm_ldap: Adding ulhcharte as Filter-Id, value TRUE & op=11 rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 & op=11 rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_checkval: Item Name: Calling-Station-Id, Value: yyy.yyy.yyy.yyy rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs modcall[authorize]: module "checkval" returns notfound for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 0 modcall: leaving group MS-CHAP (returns reject) for request 0 auth: Failed to validate the user. Login incorrect: [test] (from client yyy.yyy.yyy.yyy port 0 cli yyy.yyy.yyy.yyy) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 109 to xxx.xxx.xxx.xxx port 1050 Regards, Robert
I didn't meen a mistake, but was wondering if my radiusclient had a wrong mapping, that requests NT-password instead of User-password (as an example) Here is the output from the radius server:
Ready to process requests. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1050, id=109, length=152 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "test" MS-CHAP-Challenge = 0x68ac020b69febf7f1cf6338a1ed1c218 MS-CHAP2-Response =
0x0800e2f1b3176070ca65916fe24cce80d271000000000000000047f1823b 3c33996107424059c73866a135b07e51e08c2f4a
Calling-Station-Id = "yyy.yyy.yyy.yyy" NAS-IP-Address = xxx.xxx.xxx.xxx NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 radius_xlat: '/var/log/radius/radacct//detail-07022007' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%d%m%Y expands to /var/log/radius/radacct//detail-07022007 modcall[authorize]: module "detail" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' modcall[authorize]: module "mschap" returns ok for request 0 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "test" rlm_realm: Proxying request from user dupontd to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat:
'(|(&(uid=test)(ulhcharte=TRUE))(&(eduPersonPrincipalName=test )(ulhcharte=TRUE)))'
radius_xlat: 'dc=univ-lehavre,dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to zzz.zzz.zzz.zzz:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/ssl/certs/cachain.txt rlm_ldap: setting TLS CACert Directory to /etc/ssl/certs/ rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: bind as / to ducati.univ-lehavre.fr:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=univ-lehavre,dc=fr, with filter
(|(&(uid=test)(ulhcharte=TRUE))(&(eduPersonPrincipalName=test) (ulhcharte=TRUE)))
rlm_ldap: looking for check items in directory... rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value 13 & op=11 rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 & op=11 rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 40 & op=11 rlm_ldap: Adding eduPersonPrimaryAffiliation as Class, value member & op=11 rlm_ldap: Adding ulhcharte as Filter-Id, value TRUE & op=11 rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 & op=11
You see nothing like "Adding userPassword" here. For instance you could have something like: rlm_ldap: Added password rlm_ldap: Adding myldapNTPassword Could the freeradius admin check: * the ldap {} section: see the "password_attribute =" line (till FR 1.1.4) * the mapping in ldap.attrmap
rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
How is/are your password(s) stored on the Ldap directory: in clear text, MD5-hashed, SHA-Hased, NTLM-Hashed ? What is/are the Ldap attribute(s) used to store your password(s) ? Thibault
Thibault Le Meur wrote:
I didn't meen a mistake, but was wondering if my radiusclient had a wrong mapping, that requests NT-password instead of User-password (as an example) Here is the output from the radius server:
Ready to process requests. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1050, id=109, length=152 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "test" MS-CHAP-Challenge = 0x68ac020b69febf7f1cf6338a1ed1c218 MS-CHAP2-Response =
0x0800e2f1b3176070ca65916fe24cce80d271000000000000000047f1823b 3c33996107424059c73866a135b07e51e08c2f4a
Calling-Station-Id = "yyy.yyy.yyy.yyy" NAS-IP-Address = xxx.xxx.xxx.xxx NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 radius_xlat: '/var/log/radius/radacct//detail-07022007' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%d%m%Y expands to /var/log/radius/radacct//detail-07022007 modcall[authorize]: module "detail" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' modcall[authorize]: module "mschap" returns ok for request 0 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "test" rlm_realm: Proxying request from user dupontd to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat:
'(|(&(uid=test)(ulhcharte=TRUE))(&(eduPersonPrincipalName=test )(ulhcharte=TRUE)))'
radius_xlat: 'dc=univ-lehavre,dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to zzz.zzz.zzz.zzz:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/ssl/certs/cachain.txt rlm_ldap: setting TLS CACert Directory to /etc/ssl/certs/ rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: bind as / to ducati.univ-lehavre.fr:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=univ-lehavre,dc=fr, with filter
(|(&(uid=test)(ulhcharte=TRUE))(&(eduPersonPrincipalName=test) (ulhcharte=TRUE)))
rlm_ldap: looking for check items in directory... rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value 13 & op=11 rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 & op=11 rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 40 & op=11 rlm_ldap: Adding eduPersonPrimaryAffiliation as Class, value member & op=11 rlm_ldap: Adding ulhcharte as Filter-Id, value TRUE & op=11 rlm_ldap: Adding macAddress as Mac-Addr, value 00:30:48:24:A9:C3 & op=11
You see nothing like "Adding userPassword" here.
For instance you could have something like: rlm_ldap: Added password rlm_ldap: Adding myldapNTPassword
Could the freeradius admin check: * the ldap {} section: see the "password_attribute =" line (till FR 1.1.4) * the mapping in ldap.attrmap
rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for dupontd with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
How is/are your password(s) stored on the Ldap directory: in clear text, MD5-hashed, SHA-Hased, NTLM-Hashed ? What is/are the Ldap attribute(s) used to store your password(s) ?
Thibault
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello Thibault, I checked with the admin, the passwords are MD5 hashed. I insisted a bit more to get the admin to try a different user, this time a "real" one, and the auth passed with no problem. I am sorry, there must be a problem with the test user I was using. Thank you for all the time you spent on my problem, and globally, for investing your time helping people like me! Regards, Robert
participants (4)
-
Alan DeKok -
Phil Mayers -
robert -
Thibault Le Meur