SV: how to set crypted password in 'users' file?
"Min Qiu" <mqiu@globalinternetworking.com> wrote:
However, cut and past the crypted password from /etc/shadow to the entry failed:
mqiu Auth-Type := Local, User-Password == "$1$CWOjXm2v$dzjrc385t1iQXMN0"
UseL Crypt-Password := "$1$CWOjXm...
I'm using PEAP/MS-CHAPv2 for authentication. In the users file I only got the login name and a clear-text password. I really want to start using Crypt-Password, but didn't quite get that to work. Do I understand it correctly you only need to take you standard unix password from /etc/shadow and use that in users with Crypt-Password? # more /etc/shadow tom:jYyrl....:13112:::::: In users file I got: tom Crypt-Password := " jYyrl...." I didn't get that to work. What am I missing here? Couldn't really find much info on it out there. This is the debug log I got: rad_recv: Access-Request packet from host 192.168.2.4:21654, id=120, length=126 User-Name = "tom" Framed-MTU = 1400 Called-Station-Id = "000e.8401.cd50" Calling-Station-Id = "0015.0015.adaa" Message-Authenticator = 0xca4c7181b9338edb3e176297682f33f7 EAP-Message = 0x0201000801746f6d NAS-Port-Type = Wireless-802.11 NAS-Port = 268 Service-Type = Framed-User NAS-IP-Address = 192.168.2.4 NAS-Identifier = "AP1100-D2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 16 modcall[authorize]: module "preprocess" returns ok for request 16 modcall[authorize]: module "mschap" returns noop for request 16 rlm_realm: No '@' in User-Name = "tom", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 16 rlm_eap: EAP packet type response id 1 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 16 users: Matched entry tom at line 91 modcall[authorize]: module "files" returns ok for request 16 modcall: group authorize returns updated for request 16 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 16 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 16 modcall: group authenticate returns handled for request 16 Sending Access-Challenge of id 120 to 192.168.2.4:21654 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01f769bbe79093c3c406a98a01294187 Finished request 16 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.2.4:21654, id=121, length=238 User-Name = "tom" Framed-MTU = 1400 Called-Station-Id = "000e.8401.cd50" Calling-Station-Id = "0015.0015.adaa" Message-Authenticator = 0xcccf1d38bc8d263feddbb303acbdcb41 EAP-Message = 0x020200661900160301005b01000057030143da12d4d113043b760adb7ce542b365f5d8 806e659d5eb591e677044dd072b000003000390038003500160013000a00330032002f00 66000500040065006400630062006000150012000900140011000800030100 NAS-Port-Type = Wireless-802.11 NAS-Port = 268 State = 0x01f769bbe79093c3c406a98a01294187 Service-Type = Framed-User NAS-IP-Address = 192.168.2.4 NAS-Identifier = "AP1100-D2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 17 modcall[authorize]: module "preprocess" returns ok for request 17 modcall[authorize]: module "mschap" returns noop for request 17 rlm_realm: No '@' in User-Name = "tom", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 17 rlm_eap: EAP packet type response id 2 length 102 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 17 users: Matched entry tom at line 91 modcall[authorize]: module "files" returns ok for request 17 modcall: group authorize returns updated for request 17 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 17 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0654], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 17 modcall: group authenticate returns handled for request 17 Sending Access-Challenge of id 121 to 192.168.2.4:21654 EAP-Message = 0x0103040a19c0000007c3160301004a02000046030143da12ceeff958d58685992a9ce5 bfeb1c5e06eb608854a6bc6a0f8fd0707f1c202526f2d15e84192aa148769550a2367b5d d014351ef0535610fffdc52871e02700390016030106540b00065000064d0002b3308202 af30820218a003020102020900b646b246bff02a86300d06092a864886f70d0101040500 30818d310b3009060355040613024e4f310d300b060355040813044f534c4f310d300b06 0355040713044f534c4f310f300d060355040a130642425320415331133011060355040b 130a66726565726164697573311b301906035504031312436c69656e7420636572746966 6963 EAP-Message = 0x617465311d301b06092a864886f70d010901160e726f6f74406c6f63616c686f737430 1e170d3035313032363132333432385a170d3036313032363132333432385a30818b310b 3009060355040613024e4f310d300b060355040813044f534c4f310d300b060355040713 044f534c4f310f300d060355040a130642425320415331133011060355040b130a667265 657261646975733119301706035504031310526f6f74206365727469666963617465311d 301b06092a864886f70d010901160e726f6f74406c6f63616c686f737430819f300d0609 2a864886f70d010101050003818d0030818902818100eead5285b5e9f7b939a2dfc1b7fe f60a EAP-Message = 0xbd055de0ba27b2ef81244e0eabad60241727ff5fc724f36147d08ea5f9e3f0110dfb5a 2397c3906a00ab8eb28509e4a672b2c948c0b8007785f550b3908c2f49d7a113d6e7198d 9606e567fc38be816fb2acf60f18bfe56d0617ff7e651439ce9c8ed40363b5b1e4d0d96f 59a468a6650203010001a317301530130603551d25040c300a06082b0601050507030130 0d06092a864886f70d01010405000381810050aa5f1713a5025d21f128094104579eb85a 9ded57072baf72b2c0e3fbea766eb53c62e9bc2a5d1bc22f2615cc1fe88487e2d0b7e5ea a045a8ae1734a85f28e6cd70d3340c2a51bfe7b974c13b9a1a4abebe373312d1d4b987e3 2368 EAP-Message = 0x1edad7e4a54456fd7989e901485e9f2fcf7e8ed8e57fae97fb2fdd1fba5a50c683b7da 7f00039430820390308202f9a003020102020900b646b246bff02a84300d06092a864886 f70d010104050030818d310b3009060355040613024e4f310d300b060355040813044f53 4c4f310d300b060355040713044f534c4f310f300d060355040a13064242532041533113 3011060355040b130a66726565726164697573311b301906035504031312436c69656e74 206365727469666963617465311d301b06092a864886f70d010901160e726f6f74406c6f 63616c686f7374301e170d3035313032363132333432335a170d30373130323631323334 3233 EAP-Message = 0x5a30818d310b3009060355040613024e4f310d300b06 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9d55183272e7e8d147d1763ad5c8ed57 Finished request 17 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.2.4:21654, id=122, length=142 User-Name = "tom" Framed-MTU = 1400 Called-Station-Id = "000e.8401.cd50" Calling-Station-Id = "0015.0015.adaa" Message-Authenticator = 0xa593725371800702100eab1ea8ad7cb4 EAP-Message = 0x020300061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 268 State = 0x9d55183272e7e8d147d1763ad5c8ed57 Service-Type = Framed-User NAS-IP-Address = 192.168.2.4 NAS-Identifier = "AP1100-D2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 18 modcall[authorize]: module "preprocess" returns ok for request 18 modcall[authorize]: module "mschap" returns noop for request 18 rlm_realm: No '@' in User-Name = "tom", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 18 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 18 users: Matched entry tom at line 91 modcall[authorize]: module "files" returns ok for request 18 modcall: group authorize returns updated for request 18 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 18 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 18 modcall: group authenticate returns handled for request 18 Sending Access-Challenge of id 122 to 192.168.2.4:21654 EAP-Message = 0x010403c919000355040813044f534c4f310d300b060355040713044f534c4f310f300d 060355040a130642425320415331133011060355040b130a66726565726164697573311b 301906035504031312436c69656e74206365727469666963617465311d301b06092a8648 86f70d010901160e726f6f74406c6f63616c686f737430819f300d06092a864886f70d01 0101050003818d0030818902818100bb9dc7f9a6b879ddde091ded35f3137693d1a9fa9d 2e2f1e20e1e49c9daf077fd1c4066e8e409eda68baac046ff390baedad93e603fdde7304 6df106c9c3775eb0e024a2682faf6469e778758b9c782a11ad0dcc25edca8f9efdee96cc c1bc EAP-Message = 0x84850d853d4435da9ab22ec6c3dc4e6d9137e0ec36d705c923055aa8b900d833350203 010001a381f53081f2301d0603551d0e04160414227f0709429785a3169b9817627cd456 d617f2283081c20603551d230481ba3081b78014227f0709429785a3169b9817627cd456 d617f228a18193a4819030818d310b3009060355040613024e4f310d300b060355040813 044f534c4f310d300b060355040713044f534c4f310f300d060355040a13064242532041 5331133011060355040b130a66726565726164697573311b301906035504031312436c69 656e74206365727469666963617465311d301b06092a864886f70d010901160e726f6f74 406c EAP-Message = 0x6f63616c686f7374820900b646b246bff02a84300c0603551d13040530030101ff300d 06092a864886f70d0101040500038181001fb7ec3488fd3b6349d6cc33b5c6451ce1c2e8 ef8db6f4818cd017991f9649141c1767553c20303e262fec4bb351cda19b403bab78aa37 236ffc78dace1a39089ff037eb911a5133bc6b1f0275cc9e68bc4c8f487a4d2cdc8e7061 34e512d7e715ca81c5a7bb6cc668ca8181e898befeab40773de8f3eb6629ecd2c79d5f74 f1160301010d0c0001090040bd26276ade89a82c9cc4fa1af559608f7824b64ef630bdf0 368d885e300720c516da851d828b40f658ffbd6060bb0b6d23e138a280c51e9944d23bc6 9d73 EAP-Message = 0xe66f000105004080781b4e0ebdfa4dde79fda9c2f99c36ba8434b8e2c6cbe4b873a6b8 f0c24494ce3ea163d3eb05d651079abef679ef2dde838e41ebafb42b534aaec821898a59 0080de2086a54d938f2c2d3a446413db13fe9eeb5d8159fed74beac2212ef1c1f809a1a6 b8275a4d21930a65094da267d45e76c039694ae341c61fbf742172b930dcd3718bf71093 8a95e8fbac60df82e40de250aace712bf1b0b0354c3f3cca05f78f8ed5789033d1d27799 cde792a039a14a50e6f923662b6a6da34d03a9b1dad916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe587790d87edd421fd760ed8b79baaf5 Finished request 18 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.2.4:21654, id=123, length=276 User-Name = "tom" Framed-MTU = 1400 Called-Station-Id = "000e.8401.cd50" Calling-Station-Id = "0015.0015.adaa" Message-Authenticator = 0xe46a52fc04818d9d38a198f1bf467c50 EAP-Message = 0x0204008c190016030100461000004200401956b7a782c3ab01a817f72f7d57ba9f512f 37ee81d23f258450a3bfbe137146d1430bd6940591585c9f8276b3cfe3db7782ee27656f a5948d3cf0818d83edd81403010001011603010030a8e41dd1f61c4a47083ac2b58605c0 5847306b109d5038dd412c77f790c627ec38c5a5813ea9edd0da4e9cacade1ee34 NAS-Port-Type = Wireless-802.11 NAS-Port = 268 State = 0xe587790d87edd421fd760ed8b79baaf5 Service-Type = Framed-User NAS-IP-Address = 192.168.2.4 NAS-Identifier = "AP1100-D2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 19 modcall[authorize]: module "preprocess" returns ok for request 19 modcall[authorize]: module "mschap" returns noop for request 19 rlm_realm: No '@' in User-Name = "tom", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 19 rlm_eap: EAP packet type response id 4 length 140 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 19 users: Matched entry tom at line 91 modcall[authorize]: module "files" returns ok for request 19 modcall: group authorize returns updated for request 19 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 19 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 19 modcall: group authenticate returns handled for request 19 Sending Access-Challenge of id 123 to 192.168.2.4:21654 EAP-Message = 0x0105004119001403010001011603010030ce2c434e35fb212ac38231785cfe6254011f 6ba35117e4646cf00bbf953c6b066f22bcee4cc8b3ef5cc39256db3caaeb Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf025fd8e565713ab2d84e5c2e70d458d Finished request 19 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.2.4:21654, id=124, length=142 User-Name = "tom" Framed-MTU = 1400 Called-Station-Id = "000e.8401.cd50" Calling-Station-Id = "0015.0015.adaa" Message-Authenticator = 0x67a54a6c52f34f3fb1c2345eab772beb EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 268 State = 0xf025fd8e565713ab2d84e5c2e70d458d Service-Type = Framed-User NAS-IP-Address = 192.168.2.4 NAS-Identifier = "AP1100-D2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 20 modcall[authorize]: module "preprocess" returns ok for request 20 modcall[authorize]: module "mschap" returns noop for request 20 rlm_realm: No '@' in User-Name = "tom", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 20 rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 20 users: Matched entry tom at line 91 modcall[authorize]: module "files" returns ok for request 20 modcall: group authorize returns updated for request 20 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 20 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 20 modcall: group authenticate returns handled for request 20 Sending Access-Challenge of id 124 to 192.168.2.4:21654 EAP-Message = 0x0106005019001703010020861055143e567a7983ee6fdee7b96ee5ac168b27f53cfa7a 483a887edb3e5fad1703010020274966df3940b946f0133ab5b369666fa2b951a8dcef3a 33a39e1f0149fd0a2c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4351dc490c0b5fa9ce050331e95b4a8c Finished request 20 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.2.4:21654, id=125, length=216 User-Name = "tom" Framed-MTU = 1400 Called-Station-Id = "000e.8401.cd50" Calling-Station-Id = "0015.0015.adaa" Message-Authenticator = 0xb74a9c2705a1e4a5bb285e1f237f6907 EAP-Message = 0x0206005019001703010020b98d88b09105603c50aed6c63b0a496280dc967239c0dcf7 b0fc6d44d4066f8417030100209b45c361ff602db1f721657022bc562ccd60e2944d0909 2b3f584ca382208a66 NAS-Port-Type = Wireless-802.11 NAS-Port = 268 State = 0x4351dc490c0b5fa9ce050331e95b4a8c Service-Type = Framed-User NAS-IP-Address = 192.168.2.4 NAS-Identifier = "AP1100-D2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 21 modcall[authorize]: module "preprocess" returns ok for request 21 modcall[authorize]: module "mschap" returns noop for request 21 rlm_realm: No '@' in User-Name = "tom", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 21 rlm_eap: EAP packet type response id 6 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 21 users: Matched entry tom at line 91 modcall[authorize]: module "files" returns ok for request 21 modcall: group authorize returns updated for request 21 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 21 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - tom rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x0206000801746f6d PEAP: Got tunneled identity of tom PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to tom PEAP: Sending tunneled request EAP-Message = 0x0206000801746f6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "tom" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 21 modcall[authorize]: module "preprocess" returns ok for request 21 modcall[authorize]: module "mschap" returns noop for request 21 rlm_realm: No '@' in User-Name = "tom", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 21 rlm_eap: EAP packet type response id 6 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 21 users: Matched entry tom at line 91 modcall[authorize]: module "files" returns ok for request 21 modcall: group authorize returns updated for request 21 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 21 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 21 modcall: group authenticate returns handled for request 21 PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x0107001d1a0107001810f559eab1de040978486cc8240bc9fc38746f6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x87e2826b16f8823836e26ab0eb30ea43 PEAP: Processing from tunneled session code 13f990 11 EAP-Message = 0x0107001d1a0107001810f559eab1de040978486cc8240bc9fc38746f6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x87e2826b16f8823836e26ab0eb30ea43 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 21 modcall: group authenticate returns handled for request 21 Sending Access-Challenge of id 125 to 192.168.2.4:21654 EAP-Message = 0x0107006019001703010020e3b653d595d25e64701bedcbf517dab7528b7daa7011a867 c75fcbc5aa3848f01703010030d47a1361647a15fad7d74625539b6c5e48aaef79a73b14 376c819190100a72c4bb4e3f4732ad303a36e8841934e43de7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc8c29a6f523c9436faf6b89c2be76270 Finished request 21 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.2.4:21654, id=126, length=264 User-Name = "tom" Framed-MTU = 1400 Called-Station-Id = "000e.8401.cd50" Calling-Station-Id = "0015.0015.adaa" Message-Authenticator = 0x9d2ad1b239f7b15e750e94398f63000b EAP-Message = 0x02070080190017030100209878c315a02346056bdf20f975ef71910a1a3499443cbae0 33def49166ea9f4c1703010050c3c779df9414a351e45f38633330f0c9b43e27141c6959 115b1a2c8041e551d8ba4da1f4b35356a6eb94b879d1f0f441136e707266df25a79e6238 4b6b6c3c388bb5156f1e39bd8f73972a62783b31ee NAS-Port-Type = Wireless-802.11 NAS-Port = 268 State = 0xc8c29a6f523c9436faf6b89c2be76270 Service-Type = Framed-User NAS-IP-Address = 192.168.2.4 NAS-Identifier = "AP1100-D2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 22 modcall[authorize]: module "preprocess" returns ok for request 22 modcall[authorize]: module "mschap" returns noop for request 22 rlm_realm: No '@' in User-Name = "tom", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 22 rlm_eap: EAP packet type response id 7 length 128 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 22 users: Matched entry tom at line 91 modcall[authorize]: module "files" returns ok for request 22 modcall: group authorize returns updated for request 22 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 22 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x0207003e1a020700393142075ce59f9f56c20c9450dacfb16719000000000000000082 6eced611d60ee5d7210dae21fc092feea130cda60dc20b00746f6d PEAP: Setting User-Name to tom PEAP: Adding old state with 87 e2 PEAP: Sending tunneled request EAP-Message = 0x0207003e1a020700393142075ce59f9f56c20c9450dacfb16719000000000000000082 6eced611d60ee5d7210dae21fc092feea130cda60dc20b00746f6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "tom" State = 0x87e2826b16f8823836e26ab0eb30ea43 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 22 modcall[authorize]: module "preprocess" returns ok for request 22 modcall[authorize]: module "mschap" returns noop for request 22 rlm_realm: No '@' in User-Name = "tom", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 22 rlm_eap: EAP packet type response id 7 length 62 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 22 users: Matched entry tom at line 91 modcall[authorize]: module "files" returns ok for request 22 modcall: group authorize returns updated for request 22 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 22 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 22 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for tom with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 22 modcall: group Auth-Type returns reject for request 22 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 22 modcall: group authenticate returns reject for request 22 auth: Failed to validate the user. PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 13d510 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 22 modcall: group authenticate returns handled for request 22 Sending Access-Challenge of id 126 to 192.168.2.4:21654 EAP-Message = 0x010800501900170301002034ec685c2b912545f1031530f58388b24aece3d1c5a1e6ad 7524be8fae97e666170301002092e90a5a4fa826732e0e6f7d40e5f7e2e479be944828ac 1cfc5c834ce25d63ee Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcf7e24cad3cbebfbecc69ab44ffbf055 Finished request 22 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.2.4:21654, id=127, length=216 User-Name = "tom" Framed-MTU = 1400 Called-Station-Id = "000e.8401.cd50" Calling-Station-Id = "0015.0015.adaa" Message-Authenticator = 0x23d78c9d414b457846d9b2e67ac8a3fb EAP-Message = 0x02080050190017030100208eae795e2f64e1197538b8b8d43a62e36a5fc554ab74ce71 9c4792f5c8f1950e1703010020c246d14d200e1f734767a119ea00370e15b84bbf8cf0e0 de160acdaa668d6fab NAS-Port-Type = Wireless-802.11 NAS-Port = 268 State = 0xcf7e24cad3cbebfbecc69ab44ffbf055 Service-Type = Framed-User NAS-IP-Address = 192.168.2.4 NAS-Identifier = "AP1100-D2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 23 modcall[authorize]: module "preprocess" returns ok for request 23 modcall[authorize]: module "mschap" returns noop for request 23 rlm_realm: No '@' in User-Name = "tom", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 23 rlm_eap: EAP packet type response id 8 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 23 users: Matched entry tom at line 91 modcall[authorize]: module "files" returns ok for request 23 modcall: group authorize returns updated for request 23 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 23 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 23 modcall: group authenticate returns invalid for request 23 auth: Failed to validate the user. Delaying request 23 for 1 seconds Finished request 23 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.2.4:21654, id=127, length=216 Sending Access-Reject of id 127 to 192.168.2.4:21654 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 16 ID 120 with timestamp 43da12ce Cleaning up request 17 ID 121 with timestamp 43da12ce Cleaning up request 18 ID 122 with timestamp 43da12ce Cleaning up request 19 ID 123 with timestamp 43da12ce Cleaning up request 20 ID 124 with timestamp 43da12ce Cleaning up request 21 ID 125 with timestamp 43da12ce Cleaning up request 22 ID 126 with timestamp 43da12ce Cleaning up request 23 ID 127 with timestamp 43da12ce Nothing to do. Sleeping until we see a request.
hi, the interesting part of the log posted is: rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 22 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for tom with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 22 modcall: group Auth-Type returns reject for request 22 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 22 modcall: group authenticate returns reject for request 22 auth: Failed to validate the user. this would suggest that you havent configured the mschapv2 part correctly or that you havent defined a password attribute for 'tom' correctly in your users.conf file. have you defined a Crypt-Local eg (and I'm not going to be 100% accurate here because I havent had a setup done this way for a long time) USER Auth-Type := Crypt-Local, Password == "CRYPTEDPASSWORD" Alan
Torkel Mathisen wrote:
"Min Qiu" <mqiu@globalinternetworking.com> wrote:
However, cut and past the crypted password from /etc/shadow to the entry failed:
mqiu Auth-Type := Local, User-Password == "$1$CWOjXm2v$dzjrc385t1iQXMN0" UseL Crypt-Password := "$1$CWOjXm...
I'm using PEAP/MS-CHAPv2 for authentication. In the users file I only got the login name and a clear-text password.
I really want to start using Crypt-Password, but didn't quite get that to work.
You cannot use the unix crypt password value for the MS-CHAP algorithm. The MS-CHAP module requires either the MD4-based NT password hash, the plaintext password from which it can derive the NT has, or callout to Samba & domain membership.
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Phil Mayers -
Torkel Mathisen