Authentication failed from Radius server
Radius(freeradius) server has configured and integrated with Openldap server for user authentication in RHEL 5. Using radtest, NTRadPing and Radiustest (Utility) it is working fine. I got Access-Acept by using this utility. When i try from enduser through Wireless access point i may not able to authenticate. Wireless access point is configured with WPA for security.
From the radius debug level log and slapd log i can able to see that it can able to fetch username and it was successful but in the case of userPassword authetication was getting failed.
How to send the User-Password in clear text format.? Is there any way to decrypt the userpassword in RADIUS server which was coming from access point.? here is the radius debug level log rad_recv: Access-Request packet from host 192.168.1.100:1645, id=45, length=130 * User-Name = "sivaji"* Framed-MTU = 1400 Called-Station-Id = "0023.045c.3f20" Calling-Station-Id = "001f.3c78.503a" Service-Type = Login-User Message-Authenticator = 0xd56b1bff210c624ccf5b1d5c56285f10 EAP-Message = 0x0202000b01736976616a69 NAS-Port-Type = Wireless-802.11 NAS-Port = 542 NAS-Port-Id = "542" NAS-IP-Address = 192.168.1.100 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 *rlm_realm: No '@' in User-Name = "sivaji", looking up realm NULL* * rlm_realm: No such realm "NULL"* modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 157 * modcall[authorize]: module "files" returns ok for request 0* rlm_ldap: - authorize rlm_ldap: performing user authorization for sivaji *radius_xlat: '(uid=sivaji)'* *radius_xlat: 'dc=rgipt,dc=in'* rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 *rlm_ldap: bind as / to localhost:389* *rlm_ldap: waiting for bind result ...* *rlm_ldap: Bind was successful* *rlm_ldap: performing search in dc=rgipt,dc=in, with filter (uid=sivaji)* rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... *rlm_ldap: user sivaji authorized to use remote access* rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 *rlm_ldap: - authenticate* *rlm_ldap: Attribute "User-Password" is required for authentication.* * * * modcall[authenticate]: module "ldap" returns invalid for request 0* *modcall: leaving group LDAP (returns invalid) for request 0* *auth: Failed to validate the user.* *Login incorrect: [sivaji] (from client AP port 542 cli 001f.3c78.503a)* *Delaying request 0 for 1 seconds* *Finished request 0* Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 45 to 192.168.1.100 port 1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 45 with timestamp 4960b0d2 Nothing to do. Sleeping until we see a request.
Aravind Arjunan wrote:
Radius(freeradius) server has configured and integrated with Openldap server for user authentication in RHEL 5. Using radtest, NTRadPing and Radiustest (Utility) it is working fine. I got Access-Acept by using this utility.
Yes. Because they're not doing EAP. They're doing clear-text passwords.
From the radius debug level log and slapd log i can able to see that it can able to fetch username and it was successful but in the case of userPassword authetication was getting failed.
You want to fetch the *password* from LDAP. Repeat after me: LDAP is a database. LDAP is not an authentication server.
How to send the User-Password in clear text format.?
You don't. Wireless access points don't work that way.
Is there any way to decrypt the userpassword in RADIUS server which was coming from access point.?
No.
here is the radius debug level log ... Processing the authorize section of radiusd.conf
You are running a very old version of the server. You should really upgrade.
users: Matched entry DEFAULT at line 157
Which sets Auth-Type := LDAP. This breaks EAP.
*rlm_ldap: - authenticate* *rlm_ldap: Attribute "User-Password" is required for authentication.*
Your LDAP database doesn't do EAP. This is because it's a database. (1) Do NOT set Auth-Type := LDAP (2) Test it with clear-text passwords. If that works, (3) EAP will work, too. And you should upgrade to 2.1.3. Alan DeKok.
hi Radius(freeradius) server has configured and integrated with Openldap server for user authentication in RHEL 5. Using radtest, NTRadPing and Radiustest (Utility) it is working fine. I got Access-Acept by using this utility. When i try from enduser through Wireless access point i may not able to authenticate. Wireless access point is configured with WPA for security.
From the radius debug level log and slapd log i can able to see that it can able to fetch username and it was successful but in the case of userPassword authetication was getting failed.
How to send the User-Password in clear text format.? Is there any way to decrypt the userpassword in RADIUS server which was coming from access point.? here is the radius debug level log rad_recv: Access-Request packet from host 192.168.1.100:1645, id=45, length=130 * User-Name = "sivaji"* Framed-MTU = 1400 Called-Station-Id = "0023.045c.3f20" Calling-Station-Id = "001f.3c78.503a" Service-Type = Login-User Message-Authenticator = 0xd56b1bff210c624ccf5b1d5c56285f10 EAP-Message = 0x0202000b01736976616a69 NAS-Port-Type = Wireless-802.11 NAS-Port = 542 NAS-Port-Id = "542" NAS-IP-Address = 192.168.1.100 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 *rlm_realm: No '@' in User-Name = "sivaji", looking up realm NULL* * rlm_realm: No such realm "NULL"* modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 157 * modcall[authorize]: module "files" returns ok for request 0* rlm_ldap: - authorize rlm_ldap: performing user authorization for sivaji *radius_xlat: '(uid=sivaji)'* *radius_xlat: 'dc=rgipt,dc=in'* rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 *rlm_ldap: bind as / to localhost:389* *rlm_ldap: waiting for bind result ...* *rlm_ldap: Bind was successful* *rlm_ldap: performing search in dc=rgipt,dc=in, with filter (uid=sivaji)* rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... *rlm_ldap: user sivaji authorized to use remote access* rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 *rlm_ldap: - authenticate* *rlm_ldap: Attribute "User-Password" is required for authentication.* * * * modcall[authenticate]: module "ldap" returns invalid for request 0* *modcall: leaving group LDAP (returns invalid) for request 0* *auth: Failed to validate the user.* *Login incorrect: [sivaji] (from client AP port 542 cli 001f.3c78.503a)* *Delaying request 0 for 1 seconds* *Finished request 0* Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 45 to 192.168.1.100 port 1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 45 with timestamp 4960b0d2 Nothing to do. Sleeping until we see a request.
Aravind Arjunan wrote: ... You already asked this question, and it was already answered. If you are not going to read the replies to your questions, then you shouldn't be asking questions. Alan DeKok.
participants (2)
-
Alan DeKok -
Aravind Arjunan