Hi all, We've got our freeradius servers working with LDAP fine, except for CHAP. Originally, the logs were saying "Invalid user \\user", but we fixed that by enabling an option in radiusd.conf. Now, when we dial up without encrypted password enabled, the connection comes through successfully. However, when we enable the encrypted password option and try again, we get: Thu Dec 15 18:12:52 2005 : Auth: Login incorrect (rlm_ldap: empty password supplied): [username/] (from client 123.123.123.123 port 3088 cli 2125550404) Its saying the password is empty, but we are indeed using a password. Does anyone have any ideas? We've followed the instructions in the FAQ (CHAP above LDAP in the authorize section, no := Auth-Type, etc.)..... it just doesn't seem to want to recognize that a password is being entered. For the record, no query hits the LDAP server during a CHAP authentication...... so its obviously something with the config of freeradius. Thanks for any help! -Matt
Matt Juszczak wrote:
Hi all,
We've got our freeradius servers working with LDAP fine, except for CHAP. Originally, the logs were saying "Invalid user \\user", but we fixed that by enabling an option in radiusd.conf.
Now, when we dial up without encrypted password enabled, the connection comes through successfully. However, when we enable the encrypted password option and try again, we get:
Thu Dec 15 18:12:52 2005 : Auth: Login incorrect (rlm_ldap: empty password supplied): [username/] (from client 123.123.123.123 port 3088 cli 2125550404)
Its saying the password is empty, but we are indeed using a password.
Does anyone have any ideas? We've followed the instructions in the FAQ (CHAP above LDAP in the authorize section, no := Auth-Type, etc.)..... it just doesn't seem to want to recognize that a password is being entered.
For the record, no query hits the LDAP server during a CHAP authentication...... so its obviously something with the config of freeradius.
You've posted no debugging output or config, so it's difficult to tell, but: To do CHAP, you must have: 1. The PLAINTEXT password in the LDAP server 2. The Radius server permitted to read that attribute 3. The ldap module configured to put whatever that attribute is (usually userPassword) into the radius "User-Passord", using the "password_attribute" option of the ldap module 4. "chap" above "pap" in the authorize (which you've got) 5. "chap" anywhere in authenticate
Thanks for any help!
-Matt - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
To do CHAP, you must have:
1. The PLAINTEXT password in the LDAP server 2. The Radius server permitted to read that attribute 3. The ldap module configured to put whatever that attribute is (usually userPassword) into the radius "User-Passord", using the "password_attribute" option of the ldap module 4. "chap" above "pap" in the authorize (which you've got) 5. "chap" anywhere in authenticate
Hiya, We have all of those set. The password is stored plain text in userPassword. The radius server has read access to that attribute. The ldap module is configured in radiusd.conf for that attribute. Chap is above pap, and chap is also in authenticate {}. The password is still showing up as "blank" when they dial up, before it even hits the LDAP server. Is there debugging output I could send you that might help with this? Regards, Matt
Hi all,
We've got our freeradius servers working with LDAP fine, except for CHAP. Originally, the logs were saying "Invalid user \\user", but we fixed that by enabling an option in radiusd.conf.
Now, when we dial up without encrypted password enabled, the connection comes through successfully. However, when we enable the encrypted password option and try again, we get:
Thu Dec 15 18:12:52 2005 : Auth: Login incorrect (rlm_ldap: empty password supplied): [username/] (from client 123.123.123.123 port 3088 cli 2125550404)
Its saying the password is empty, but we are indeed using a password.
Does anyone have any ideas? We've followed the instructions in the FAQ (CHAP above LDAP in the authorize section, no := Auth-Type, etc.)..... it just doesn't seem to want to recognize that a password is being entered.
For the record, no query hits the LDAP server during a CHAP authentication...... so its obviously something with the config of freeradius.
We've narrowed the problem down. When a user with Windows XP connects using CHAP, we get a successful connection with CHAP. However, a user using Windows ME or Windows 98 with "use encrypted password" are the ones causing the above error and not working. -Matt
participants (2)
-
Matt Juszczak -
Phil Mayers