Hi all, I have a freeraidus server set up which uses an openLDAP back for its users and groups while it works fine for PAP passwords, it seams most clients are wanting to use CHAP. I have read that CHAP passwords will not work however on the faq its says; ' There are however provisions to extract the user password from the LDAP and make it available to the server core and the chap module' (http://wiki.freeradius.org/guide/faq). How is this done/setup? Thanks Adam
Adam Seed wrote:
I have a freeraidus server set up which uses an openLDAP back for its users and groups while it works fine for PAP passwords, it seams most clients are wanting to use CHAP. I have read that CHAP passwords will not work
Where?
however on the faq its says; ' There are however provisions to extract the user password from the LDAP and make it available to the server core and the chap module' (http://wiki.freeradius.org/guide/faq). How is this done/setup?
You configure the LDAP module, and make sure it's listed in sites-enabled/default, in the "authorize" section. FreeRADIUS will pull the password from the database, and authenticate the user. Alan DeKok.
Hi Alan, That same wiki says 'The ldap module can only work with PAP passwords since it needs to send the clear text user password to the LDAP server to authenticate the user.' I might be mis-understanding as im new to Radius, but that doesnt sound to positive. Anyway... I'm hoping to find a workaround So I checked my sites-enabled/default and it does have the LDAP module listed: (I striped out the comments and highlighted the bits I changed) -------------------------------------------------------- authorize { # auth_log chap mschap digest # wimax # IPASS suffix eap { ok = return } # unix *# files* # sql # etc_smbpasswd * ldap* # daily # checkval expiration logintime pap # Autz-Type Status-Server { # # } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } # pam unix * Auth-Type LDAP {* * ldap* * }* Allow EAP authentication. eap # Auth-Type eap { # eap { # handled = 1 # } # if (handled && (Response-Packet-Type == Access-Challenge)) { # attr_filter.access_challenge.post-auth # } # } } -------------------------------------------------------- In addition here is the output of my debug: -------------------------------------------------------- rad_recv: Access-Request packet from host 10.x.x.100 port 62061, id=2, length=50 User-Name = "adamjseed" CHAP-Password = 0x84bafb904d422b61c5bd8dcf5c2d4xxxx # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "adamjseed", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] performing user authorization for adamjseed [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> adamjseed [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=adamjseed) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (uid=adamjseed) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}1hkMdaNUxxbUu/hufTrjtQ==" [ldap] looking for reply items in directory... [ldap] user adamjseed authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "adamjseed" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> adamjseed attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 2 to 10.x.x.100 port 62061 -------------------------------------------------------- Any assistant is greatly welcomed. On Mon, Mar 3, 2014 at 9:21 AM, Alan DeKok <aland@deployingradius.com>wrote:
Adam Seed wrote:
I have a freeraidus server set up which uses an openLDAP back for its users and groups while it works fine for PAP passwords, it seams most clients are wanting to use CHAP. I have read that CHAP passwords will not work
Where?
however on the faq its says; ' There are however provisions to extract the user password from the LDAP and make it available to the server core and the chap module' (http://wiki.freeradius.org/guide/faq). How is this done/setup?
You configure the LDAP module, and make sure it's listed in sites-enabled/default, in the "authorize" section.
FreeRADIUS will pull the password from the database, and authenticate the user.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 3 Mar 2014, at 10:21, Adam Seed <adamjseed@gmail.com> wrote:
Hi Alan,
That same wiki says 'The ldap module can only work with PAP passwords since it needs to send the clear text user password to the LDAP server to authenticate the user.' I might be mis-understanding as im new to Radius, but that doesnt sound to positive. Anyway... I'm hoping to find a workaround
For CHAP you need a copy of the password in cleartext. You then pull the cleartext password out of LDAP during authorize, and compare it with the CHAP-Password (after some hashing), with the PAP module in authenticate. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi Arran, Are you saying I need to make a change to the LDAP? do you know of any information/guides I can look at? On Mon, Mar 3, 2014 at 10:30 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 3 Mar 2014, at 10:21, Adam Seed <adamjseed@gmail.com> wrote:
Hi Alan,
That same wiki says 'The ldap module can only work with PAP passwords since it needs to send the clear text user password to the LDAP server to authenticate the user.' I might be mis-understanding as im new to Radius, but that doesnt sound to positive. Anyway... I'm hoping to find a workaround
For CHAP you need a copy of the password in cleartext. You then pull the cleartext password out of LDAP during authorize, and compare it with the CHAP-Password (after some hashing), with the PAP module in authenticate.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Adam, if you are using eDirectory you might want to look into this: https://www.netiq.com/documentation/edir_radius/ Look out for the Keyword "Universal Password". if you are using AD, you might want to look into ntlm_auth. Ciao Anja
Adam Seed <adamjseed@gmail.com> 03.03.2014 13:07 >>> Hi Arran,
Are you saying I need to make a change to the LDAP? do you know of any information/guides I can look at? On Mon, Mar 3, 2014 at 10:30 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 3 Mar 2014, at 10:21, Adam Seed <adamjseed@gmail.com> wrote:
Hi Alan,
That same wiki says 'The ldap module can only work with PAP passwords since it needs to send the clear text user password to the LDAP server to authenticate the user.' I might be mis-understanding as im new to Radius, but that doesnt sound to positive. Anyway... I'm hoping to find a workaround
For CHAP you need a copy of the password in cleartext. You then pull the cleartext password out of LDAP during authorize, and compare it with the CHAP-Password (after some hashing), with the PAP module in authenticate.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Are you saying I need to make a change to the LDAP? do you know of any information/guides I can look at?
I don't know... It depends how your LDAP directory is setup. Does it have a userPassword attribute? If so what is the header on the password hash? If there's no header but it looks like base64 it's probably cleartext, in which case LDAP + CHAP will work. If it's anything else you're going to have to collect all your user's passwords and store them again in LDAP, in Cleartext to get CHAP to work. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Adam Seed wrote:
Hi Alan,
That same wiki says 'The ldap module can only work with PAP passwords since it needs to send the clear text user password to the LDAP server to authenticate the user.'
Where?
I might be mis-understanding as im new to Radius, but that doesnt sound to positive. Anyway... I'm hoping to find a workaround
That text (whatever it is) means that you can only do "bind as user" when the Access-Request contains User-Password (i.e. PAP).
So I checked my sites-enabled/default and it does have the LDAP module listed:
OK...
(I striped out the comments and highlighted the bits I changed)
Please don't post it here. It doesn't help.
In addition here is the output of my debug:
That's what we need.
[ldap] userPassword -> Password-With-Header == "{MD5}1hkMdaNUxxbUu/hufTrjtQ=="
You're storing passwords in MD5 hashed format. This is incompatible with CHAP. http://deployingradius.com/documents/protocols/compatibility.html
[chap] Cleartext-Password is required for authentication
See? I suggest believing that message. It'd true.
Any assistant is greatly welcomed.
(a) store clear-text passwords in LDAP (b) don't use CHAP. Pick one. Alan DeKok.
OK great, now I understand the root cause... I have changed my passwords in the ldap (im using openLDAP with phpldapadmin) to be clear text but still getting radius rejected issue. The log says: Cleartext-Password is required for authentication but it should be?! rad_recv: Access-Request packet from host 10.x.x.100 port 55524, id=14, length=50 User-Name = "adamjseed" CHAP-Password = 0xf9f798ccef8ac701b1f545d0dda826172a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "adamjseed", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] performing user authorization for adamjseed [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> adamjseed [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=adamjseed) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (uid=adamjseed) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "Password01" [ldap] looking for reply items in directory... [ldap] user adamjseed authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Failed to decode Password-With-Header = "Password01" [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "adamjseed" with CHAP password *[chap] Cleartext-Password is required for authentication* ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> adamjseed attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated On Mon, Mar 3, 2014 at 1:36 PM, Alan DeKok <aland@deployingradius.com>wrote:
Adam Seed wrote:
Hi Alan,
That same wiki says 'The ldap module can only work with PAP passwords since it needs to send the clear text user password to the LDAP server to authenticate the user.'
Where?
I might be mis-understanding as im new to Radius, but that doesnt sound to positive. Anyway... I'm hoping to find a workaround
That text (whatever it is) means that you can only do "bind as user" when the Access-Request contains User-Password (i.e. PAP).
So I checked my sites-enabled/default and it does have the LDAP module listed:
OK...
(I striped out the comments and highlighted the bits I changed)
Please don't post it here. It doesn't help.
In addition here is the output of my debug:
That's what we need.
[ldap] userPassword -> Password-With-Header == "{MD5}1hkMdaNUxxbUu/hufTrjtQ=="
You're storing passwords in MD5 hashed format. This is incompatible with CHAP.
http://deployingradius.com/documents/protocols/compatibility.html
[chap] Cleartext-Password is required for authentication
See? I suggest believing that message. It'd true.
Any assistant is greatly welcomed.
(a) store clear-text passwords in LDAP
(b) don't use CHAP.
Pick one.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Adam Seed wrote:
I have changed my passwords in the ldap (im using openLDAP with phpldapadmin) to be clear text but still getting radius rejected issue.
Well... READING the debug output would help.
[pap] Failed to decode Password-With-Header = "Password01"
So... you didn't put a header onto the password. You DID put one for MD5. e.g. {MD5}dg373h30 You'll need to use {clear}Password01 Alan DeKok.
hmm, Any idea on how to include the header? all I changed was the type in the password filed from MD5 to Clear On Mon, Mar 3, 2014 at 2:13 PM, Alan DeKok <aland@deployingradius.com>wrote:
Adam Seed wrote:
I have changed my passwords in the ldap (im using openLDAP with phpldapadmin) to be clear text but still getting radius rejected issue.
Well... READING the debug output would help.
[pap] Failed to decode Password-With-Header = "Password01"
So... you didn't put a header onto the password. You DID put one for MD5.
e.g. {MD5}dg373h30
You'll need to use {clear}Password01
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Adam Seed wrote:
hmm, Any idea on how to include the header? all I changed was the type in the password filed from MD5 to Clear
grab the v2.x.x branch from https://github.com/FreeRADIUS/freeradius-server/ I put a patch into rlm_pap in December. It assumes that the password is clear-text if it can't find a header. Alan DeKok.
Finally got that working - Thanks Alan. Are there any plans to put this assumption in version 3? On Mon, Mar 3, 2014 at 4:17 PM, Alan DeKok <aland@deployingradius.com>wrote:
Adam Seed wrote:
hmm, Any idea on how to include the header? all I changed was the type in the password filed from MD5 to Clear
grab the v2.x.x branch from
https://github.com/FreeRADIUS/freeradius-server/
I put a patch into rlm_pap in December. It assumes that the password is clear-text if it can't find a header.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 3 Mar 2014, at 20:15, Adam Seed <adamjseed@gmail.com> wrote:
Finally got that working - Thanks Alan. Are there any plans to put this assumption in version 3?
Done. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi, I just tried this on radiusd: FreeRADIUS Version 3.1.0 (git #b2d5a45), for host x86_64-unknown-linux-gnu, built on Mar 4 2014 at 11:31:20 but hitting the same error: rad_recv: Access-Request packet from host 10.x.x.100 port 65050, id=45, length=50 User-Name = 'adamjseed' CHAP-Password = 0x64173a8adfdfb68e273ea9add77fa0e984 (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) ? if (!User-Name) (2) ? if (!User-Name) -> FALSE (2) ? if (User-Name != "%{tolower:%{User-Name}}") (2) expand: "%{tolower:%{User-Name}}" -> 'adamjseed' (2) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (2) ? if (User-Name =~ / /) (2) ? if (User-Name =~ / /) -> FALSE (2) ? if (User-Name =~ /@.*@/ ) (2) ? if (User-Name =~ /@.*@/ ) -> FALSE (2) ? if (User-Name =~ /\\.\\./ ) (2) ? if (User-Name =~ /\\.\\./ ) -> FALSE (2) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) ? if (User-Name =~ /\\.$/) (2) ? if (User-Name =~ /\\.$/) -> FALSE (2) ? if (User-Name =~ /@\\./) (2) ? if (User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) chap : Setting 'Auth-Type := CHAP' (2) [chap] = ok (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "adamjseed", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : No EAP-Message, not doing EAP (2) [eap] = noop (2) [files] = noop rlm_ldap (ldap): Reserved connection (4) (2) ldap : expand: "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(uid=adamjseed)' (2) ldap : expand: "dc=example,dc=com" -> 'dc=example,dc=com' (2) ldap : Performing search in 'dc=example,dc=com' with filter '(uid=adamjseed)', scope 'sub' (2) ldap : Waiting for search result... (2) ldap : User object found at DN "cn=adamjseed,ou=users,dc=example,dc=com" (2) ldap : Processing user attributes (2) ldap : control:Password-With-Header += 'Password01' rlm_ldap (ldap): Released connection (4) (2) [-ldap] = ok (2) [expiration] = noop (2) [logintime] = noop (2) WARNING: pap : Auth-Type already set. Not setting to PAP (2) [pap] = noop (2) } # authorize = ok (2) Found Auth-Type = CHAP (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Auth-Type CHAP { (2) chap : Login attempt by "adamjseed" with CHAP password (2) ERROR: chap : Cleartext password is required for authentication (2) [chap] = invalid (2) } # Auth-Type CHAP = invalid (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject : expand: "%{User-Name}" -> 'adamjseed' (2) attr_filter.access_reject : Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (2) [eap] = noop (2) remove_reply_message_if_eap remove_reply_message_if_eap { (2) ? if (reply:EAP-Message && reply:Reply-Message) (2) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (2) else else { (2) [noop] = noop (2) } # else else = noop (2) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = update On Mon, Mar 3, 2014 at 10:01 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 3 Mar 2014, at 20:15, Adam Seed <adamjseed@gmail.com> wrote:
Finally got that working - Thanks Alan. Are there any plans to put this assumption in version 3?
Done.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
replaced with v3.0.x branch, getting a slightly different error. Im 100% the passwords line up. rad_recv: Access-Request packet from host 10.x.x.100 port 61392, id=49, length=50 User-Name = 'adamjseed' CHAP-Password = 0x79c646622409adfd85b69f1f58428f0658 (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) ? if (!User-Name) (2) ? if (!User-Name) -> FALSE (2) ? if (User-Name != "%{tolower:%{User-Name}}") (2) expand: "%{tolower:%{User-Name}}" -> 'adamjseed' (2) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (2) ? if (User-Name =~ / /) (2) ? if (User-Name =~ / /) -> FALSE (2) ? if (User-Name =~ /@.*@/ ) (2) ? if (User-Name =~ /@.*@/ ) -> FALSE (2) ? if (User-Name =~ /\\.\\./ ) (2) ? if (User-Name =~ /\\.\\./ ) -> FALSE (2) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) ? if (User-Name =~ /\\.$/) (2) ? if (User-Name =~ /\\.$/) -> FALSE (2) ? if (User-Name =~ /@\\./) (2) ? if (User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) chap : Setting 'Auth-Type := CHAP' (2) [chap] = ok (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "adamjseed", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : No EAP-Message, not doing EAP (2) [eap] = noop (2) [files] = noop rlm_ldap (ldap): Reserved connection (4) (2) ldap : expand: "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(uid=adamjseed)' (2) ldap : expand: "dc=example,dc=com" -> 'dc=example,dc=com' (2) ldap : Performing search in 'dc=example,dc=com' with filter '(uid=adamjseed)', scope 'sub' (2) ldap : Waiting for search result... (2) ldap : User object found at DN "cn=adamjseed,ou=users,dc=example,dc=com" (2) ldap : Processing user attributes (2) ldap : control:Password-With-Header += 'Password01' rlm_ldap (ldap): Released connection (4) rlm_ldap (ldap): Closing connection (0): Too many free connections (5 > 3) rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 118 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 118 seconds rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 118 seconds (2) [-ldap] = ok (2) [expiration] = noop (2) [logintime] = noop (2) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (2) WARNING: pap : Auth-Type already set. Not setting to PAP (2) [pap] = noop (2) } # authorize = ok (2) Found Auth-Type = CHAP (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Auth-Type CHAP { (2) chap : Login attempt by "adamjseed" with CHAP password (2) chap : Comparing with "known good" Cleartext-Password (2) ERROR: chap : Password is comparison failed: password is incorrect (2) [chap] = reject (2) } # Auth-Type CHAP = reject (2) Failed to authenticate the user. (2) Using Post-Auth-Type Reject (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject : expand: "%{User-Name}" -> 'adamjseed' (2) attr_filter.access_reject : Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (2) [eap] = noop (2) remove_reply_message_if_eap remove_reply_message_if_eap { (2) ? if (reply:EAP-Message && reply:Reply-Message) (2) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (2) else else { (2) [noop] = noop (2) } # else else = noop (2) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying reject of request 2 for 1 seconds Waking up in 0.3 seconds. On Tue, Mar 4, 2014 at 6:03 PM, Alan DeKok <aland@deployingradius.com>wrote:
Adam Seed wrote:
I just tried this on radiusd: FreeRADIUS Version 3.1.0 (git #b2d5a45),
Please use the v3.0.x branch from git. I've pushed a fix.
The "master" branch is under heavy development, and may not always work correctly.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ok, I have narrowed down the issue... Your right it does work but not in one case, here are my test cases: LDAP: dc=adamjseed,dc=co,dc=uk Admin User: cn=admin,dc=adamjseed,dc=co,dc=uk I have two users: cn=adamjseed,ou=users,dc=adamjseed,dc=co,dc=uk cn=guest,ou=users,dc=adamjseed,dc=co,dc=uk what's important is that the uid=cn in both cases guest works where adamjseed doesnt, if I change the uid (not cn) of adamjseed to adamjseed1 it then does work. im guessing its conflicting with the dn? On Wed, Mar 5, 2014 at 11:11 AM, Alan DeKok <aland@deployingradius.com>wrote:
Adam Seed wrote:
replaced with v3.0.x branch, getting a slightly different error. Im 100% the passwords line up.
Well... it works for me. I've also added tests to ensure that the new code works in all expected circumstances.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Adam Seed wrote:
I have two users:
cn=adamjseed,ou=users,dc=adamjseed,dc=co,dc=uk cn=guest,ou=users,dc=adamjseed,dc=co,dc=uk
what's important is that the uid=cn in both cases
guest works where adamjseed doesnt, if I change the uid (not cn) of adamjseed to adamjseed1 it then does work.
im guessing its conflicting with the dn?
I don't see how. FreeRADIUS just queries LDAP for a password. FreeRADIUs doesn't care about cn, dn, or anything else. LDAP returns the password, and FreeRADIUS uses it. Run the queries manually. Be sure that LDAP is returning the correct password in both cases. Alan DeKok.
ok, something very strange is going on!!!! so I have been fiddling around with it getting a mix of accepted and rejected commands and the only thing I have pined it down to is the password... Some passwords work, some dont im not sure if there is some kind of caching going on. It appears my older passwords i was using during inital testing dont work... The password I get back from ldap in the debug is always correct and matches what I have put into the test utility but some get rejected. Any ideas why? On Wed, Mar 5, 2014 at 1:18 PM, Alan DeKok <aland@deployingradius.com>wrote:
Adam Seed wrote:
I have two users:
cn=adamjseed,ou=users,dc=adamjseed,dc=co,dc=uk cn=guest,ou=users,dc=adamjseed,dc=co,dc=uk
what's important is that the uid=cn in both cases
guest works where adamjseed doesnt, if I change the uid (not cn) of adamjseed to adamjseed1 it then does work.
im guessing its conflicting with the dn?
I don't see how. FreeRADIUS just queries LDAP for a password. FreeRADIUs doesn't care about cn, dn, or anything else. LDAP returns the password, and FreeRADIUS uses it.
Run the queries manually. Be sure that LDAP is returning the correct password in both cases.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
so as an example, I changed the user adamjseed password to oracle and it works, then changed it to oracle01 and it doesnt and then to oracle9999 which does... all of which are passwords I have never used before in this setup. Is there anymore debugging I can enable? On Wed, Mar 5, 2014 at 3:30 PM, Adam Seed <adamjseed@gmail.com> wrote:
ok, something very strange is going on!!!!
so I have been fiddling around with it getting a mix of accepted and rejected commands and the only thing I have pined it down to is the password... Some passwords work, some dont im not sure if there is some kind of caching going on. It appears my older passwords i was using during inital testing dont work...
The password I get back from ldap in the debug is always correct and matches what I have put into the test utility but some get rejected. Any ideas why?
On Wed, Mar 5, 2014 at 1:18 PM, Alan DeKok <aland@deployingradius.com>wrote:
Adam Seed wrote:
I have two users:
cn=adamjseed,ou=users,dc=adamjseed,dc=co,dc=uk cn=guest,ou=users,dc=adamjseed,dc=co,dc=uk
what's important is that the uid=cn in both cases
guest works where adamjseed doesnt, if I change the uid (not cn) of adamjseed to adamjseed1 it then does work.
im guessing its conflicting with the dn?
I don't see how. FreeRADIUS just queries LDAP for a password. FreeRADIUs doesn't care about cn, dn, or anything else. LDAP returns the password, and FreeRADIUS uses it.
Run the queries manually. Be sure that LDAP is returning the correct password in both cases.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I think i have it! I dont think it allows passwords of 8 chars, anyone confirm? On Wed, Mar 5, 2014 at 3:40 PM, Adam Seed <adamjseed@gmail.com> wrote:
so as an example, I changed the user adamjseed password to oracle and it works, then changed it to oracle01 and it doesnt and then to oracle9999 which does... all of which are passwords I have never used before in this setup.
Is there anymore debugging I can enable?
On Wed, Mar 5, 2014 at 3:30 PM, Adam Seed <adamjseed@gmail.com> wrote:
ok, something very strange is going on!!!!
so I have been fiddling around with it getting a mix of accepted and rejected commands and the only thing I have pined it down to is the password... Some passwords work, some dont im not sure if there is some kind of caching going on. It appears my older passwords i was using during inital testing dont work...
The password I get back from ldap in the debug is always correct and matches what I have put into the test utility but some get rejected. Any ideas why?
On Wed, Mar 5, 2014 at 1:18 PM, Alan DeKok <aland@deployingradius.com>wrote:
Adam Seed wrote:
I have two users:
cn=adamjseed,ou=users,dc=adamjseed,dc=co,dc=uk cn=guest,ou=users,dc=adamjseed,dc=co,dc=uk
what's important is that the uid=cn in both cases
guest works where adamjseed doesnt, if I change the uid (not cn) of adamjseed to adamjseed1 it then does work.
im guessing its conflicting with the dn?
I don't see how. FreeRADIUS just queries LDAP for a password. FreeRADIUs doesn't care about cn, dn, or anything else. LDAP returns the password, and FreeRADIUS uses it.
Run the queries manually. Be sure that LDAP is returning the correct password in both cases.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Adam Seed wrote:
so as an example, I changed the user adamjseed password to oracle and it works, then changed it to oracle01 and it doesnt and then to oracle9999 which does... all of which are passwords I have never used before in this setup.
Is there anymore debugging I can enable?
Do a "git pull" of v3.0.x. I've pushed some more debug messages. Then, run "radiusd -Xx" and post just the pieces about the chap module. Alan DeKok.
Alan, the new pull seems to be working fine... no issue with any passwords. Hopefully this will be the end. Thanks for the help! On Wed, Mar 5, 2014 at 3:54 PM, Alan DeKok <aland@deployingradius.com>wrote:
Adam Seed wrote:
so as an example, I changed the user adamjseed password to oracle and it works, then changed it to oracle01 and it doesnt and then to oracle9999 which does... all of which are passwords I have never used before in this setup.
Is there anymore debugging I can enable?
Do a "git pull" of v3.0.x. I've pushed some more debug messages.
Then, run "radiusd -Xx" and post just the pieces about the chap module.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Adam Seed wrote:
so I have been fiddling around with it getting a mix of accepted and rejected commands and the only thing I have pined it down to is the password... Some passwords work, some dont im not sure if there is some kind of caching going on. It appears my older passwords i was using during inital testing dont work...
FreeRADIUS doesn't cache passwords.
The password I get back from ldap in the debug is always correct and matches what I have put into the test utility but some get rejected. Any ideas why?
Nope. Try putting the password into the "users" file, and not using ldap. If that doesn't work, something weird is going on. Alan DeKok.
participants (4)
-
Adam Seed -
Alan DeKok -
Anja Ruckdaeschel -
Arran Cudbard-Bell