Re: using userPassword instead sambaNTPassword
thank you for you quick answer, between lines:
------------------------------
Message: 4 Date: Thu, 18 Sep 2014 12:46:27 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: using userPassword instead sambaNTPassword Message-ID: <541B0C63.1080105@deployingradius.com> Content-Type: text/plain; charset=windows-1252
Nicolás Guerra wrote:
this is the server log output: # radiusd -X > log.radius I don't understand what "**WARNING: No "known good" password was found in LDAP. Are you sure that *the **user is configured correctly?*" means? It means that the server couldn't find userPassword or sambaNTPassword for the user. Thats right! I didn't realised that userPassword field in the openLDAP server is restringed to authenticated users.
so, I used my own credentials in /etc/raddb/modules/ldap file. the log changed, there's the new one. (I used my own credentials just for testing pruposes I'll change it) What I don't understand: I can read that "[ldap] user nicolas.guerra authorized to use remote access" but it continues evaluating things untill an error happen on request #8 with mschapv2 please forgive my ignorance, I'm new in freeRADIUS, I'm just trying to make it work as I'd been asked (users should authenticate with the userPassword attr). and forgive me for the long (log) response, I'm trying to do the best to help you helping me. I don't even know if I'm answering correctly to the mailing list, I can't see the thread.... What I saw is, I think is the error but I don't know what I should do with it... any help would be wellcome. in request #8: (extract) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] Creating challenge hash with username: nicolas.guerra [mschap] Client is using MS-CHAPv2 for nicolas.guerra, we need NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [nicolas.guerra] (from client owrt.router port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\327E=691 R=1" EAP-Message = 0x04d70004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\327E=691 R=1" EAP-Message = 0x04d70004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE (finish-extract) I separated requests with a "-----------------------------------" line ... adding new socket proxy address * port 36330 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=110, length=165 User-Name = "nicolas.guerra" Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "CC-FE-3C-92-E0-1B" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 EAP-Message = 0x02cf0013016e69636f6c61732e677565727261 Message-Authenticator = 0xf3d2fdc1b2c7d8fd17426e83f12b3fbf # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 207 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for nicolas.guerra [ldap] expand: (uid=%u) -> (uid=nicolas.guerra) [ldap] expand: ou=People,ou=Users,dc=asse -> ou=People,ou=Users,dc=asse [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to ldap:389, authentication 0 [ldap] bind as uid=nicolas.guerra,ou=People,ou=Users,dc=asse/agarra to ldap:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=People,ou=Users,dc=asse, with filter (uid=nicolas.guerra) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SHA}/XmlnVvg6a3Lq4Gi1PqEBrt55FU=" [ldap] sambaNtPassword -> NT-Password == 0x4130333335363744443336453645424439394331413531463437333434344345 [ldap] looking for reply items in directory... [ldap] user nicolas.guerra authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing SHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 110 to 10.202.10.93 port 60123 EAP-Message = 0x01d0001604103d1e9b7ab042b7e6a265534b0045b9ff Message-Authenticator = 0x00000000000000000000000000000000 State = 0x758fc0dc755fc40d29544e3e28c8c2ba Finished request 0. ---------------------------------------------------------------------------------------------------- Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=111, length=170 User-Name = "nicolas.guerra" Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "CC-FE-3C-92-E0-1B" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 EAP-Message = 0x02d000060319 State = 0x758fc0dc755fc40d29544e3e28c8c2ba Message-Authenticator = 0xaa3caa5271fd0a1bc95449457b875d3c # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 208 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for nicolas.guerra [ldap] expand: (uid=%u) -> (uid=nicolas.guerra) [ldap] expand: ou=People,ou=Users,dc=asse -> ou=People,ou=Users,dc=asse [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=People,ou=Users,dc=asse, with filter (uid=nicolas.guerra) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SHA}/XmlnVvg6a3Lq4Gi1PqEBrt55FU=" [ldap] sambaNtPassword -> NT-Password == 0x4130333335363744443336453645424439394331413531463437333434344345 [ldap] looking for reply items in directory... [ldap] user nicolas.guerra authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing SHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 111 to 10.202.10.93 port 60123 EAP-Message = 0x01d100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x758fc0dc745ed90d29544e3e28c8c2ba Finished request 1. ---------------------------------------------------------------------------------------------------- Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=112, length=360 User-Name = "nicolas.guerra" Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "CC-FE-3C-92-E0-1B" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 EAP-Message = 0x02d100c4190016030100b9010000b50301541c5f77f1fb5c2f403841c322cd32b8198da4dfb21658a7e643dc090cae8d8d000048c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000 State = 0x758fc0dc745ed90d29544e3e28c8c2ba Message-Authenticator = 0x60dae326fc0a6efe3d5cc042ea835a8d # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 209 length 196 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00b9], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 112 to 10.202.10.93 port 60123 EAP-Message = 0x01d2040019c0000009fa1603010039020000350301c34bb4650235a81b087a7e68b5932a9ff64b385f4ec3faaf0d073e42ea530c4400c01400000dff01000100000b000403000102160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504030c1d4578616d706c6520436572746966 EAP-Message = 0x696361746520417574686f72697479301e170d3134303931363137323134315a170d3135303931363137323134315a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100afa13573b912b82fd8025f526ff2bc70b8371704e2510a26129eb3d54796df7f22d8bbc9ce0fb3448e014e29c1b20c EAP-Message = 0x4de2aa9783db9b05345135ac8a5e92ce7cdf7ff49630bf177d021fc7848da6f58af5da030034ee5adf1702583661c1432aaf54a20ce6dfb65a7ffcaa9f0083fc34e1c1400eed077530d4d7fbe43a08999ddf62729260ccc4f72d0035ae652e3fb4d45970076a36b5eba4179e7e6e6533a76db9289f655b893db73bcea09be225305809a58d4e712bd84ab6329296a094084a3ec6676e5c587317ac8a5723489da908549a2c488f1b4f0ca95e8898fb01a93b713372d04e9dd9116284e66d23c15148c7425011b84786c36fa9a2806b73a50203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505 EAP-Message = 0x0003820101008acb01f1683233a751f9b8dcd10c329952ecfa30603fdd7b386457c33d79df337b29b0f36f8a24cf333bd3f93599b421599592827ad9e30945740794c8bbad36adec4bf7594a83915ac87a0c11d11ca33e04071e8c32751ebff88251bff5bdda323e9d2f1ff7440b4261fef69f8d72fb3fde26f61d4446ed9489111333e07c65c4de79b34dc1ec83f5ae9d5899bc4e1b7dda162c589d282c8c130bfd20265fd0e04500289c7dc01554ed5d619430ac5ea2cf44670e77077860b6dff0d49ada5273b5cd4ae52b302a71a6dd1e690570f607794ebe064ade22719d50edafa312cf6da9828e0bda9eb47ae1d4019abce3dca4f317eaf9eda6 EAP-Message = 0xd971ed8de12a89d46a0004ab Message-Authenticator = 0x00000000000000000000000000000000 State = 0x758fc0dc775dd90d29544e3e28c8c2ba Finished request 2. ---------------------------------------------------------------------------------------------------- Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=113, length=170 User-Name = "nicolas.guerra" Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "CC-FE-3C-92-E0-1B" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 EAP-Message = 0x02d200061900 State = 0x758fc0dc775dd90d29544e3e28c8c2ba Message-Authenticator = 0x6eae8c26c731b1ecabbbe332d4017abf # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 210 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 113 to 10.202.10.93 port 60123 EAP-Message = 0x01d303fc1940308204a73082038fa003020102020900d5ab86f540cf1f35300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3134303931363137323134315a170d3135303931363137323134315a308193310b3009060355040613024652310f300d06035504080c EAP-Message = 0x065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b3b7b19437c3b749740072eaa7cddc4dd3db5d45fc383764e7e185c0b7ba81db004234b894fa5c2ea5403aec1917f0a9870340f07ec225bd862ac31a6b8382f1c00c70db4494ed08bf499c0b878f716ffe524f09705cc8279d55f6ef600a88b0 EAP-Message = 0x7c4d1cfde4865b0d9ffe7314310cdb5c14d2786fae4462d34262013d9c03f06b1a6bbf69e163541ab58779f51bdcc8a663246d348073c3fb883062230376582241e5245d7de924413dd67de781725665e401327da74e589ba47368930b7d47e479cfa39d0b7ddaf519b51236af553ff14a4fd928707eaa3e4914eea7f120837419d835671e26141cae3e5a9c045b68575644093e5cacfbadb96ab0b20bbc8bdd0203010001a381fb3081f8301d0603551d0e04160414e940086d09ae6bcdc91359bd3b7bd0138a324eee3081c80603551d230481c03081bd8014e940086d09ae6bcdc91359bd3b7bd0138a324eeea18199a48196308193310b30090603 EAP-Message = 0x55040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479820900d5ab86f540cf1f35300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100aebc9b750a6480391b6008b55c2b76239994a4f09d3993f3a0251aa7c8dad1e6ced9e1c93c2fc1b415032dd921ccef6ac1d7332c60f02696755bd58e5881598a67c4be EAP-Message = 0x7eb7a01ad619cdc2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x758fc0dc765cd90d29544e3e28c8c2ba Finished request 3. ---------------------------------------------------------------------------------------------------- Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=114, length=170 User-Name = "nicolas.guerra" Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "CC-FE-3C-92-E0-1B" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 EAP-Message = 0x02d300061900 State = 0x758fc0dc765cd90d29544e3e28c8c2ba Message-Authenticator = 0x23be58d15054ac08fbc61b9725de6196 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 211 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 114 to 10.202.10.93 port 60123 EAP-Message = 0x01d402141900b35df66c79b2e8a5fd95c2cbce6f8a6c31f3f68e1bb8890d2395864369dbfedef72ec4c5a25a662caa210ba4a52ab332e0e99be658a7ec7a86748695839fe311d3c90117aee79f0205b269acabe8a500de4cd82742820a54d4b805ec2d9e804c4d54237e40028ddc35f92e73f898e3383aac604ab00c06b47280082c34c52506fe7a698094624005a0565cc55e00981955e23a91b08ed599a4c084da30d391b086700f293cfe65d28f1dbeac08334dc63305d8ffda160301014b0c00014703001741046bf779deb26b3a00147bfc828b2dd37d7146093d3c623d019c7807fde7f7e564f7a82db3c5f010985e780406ae3ca60e0ddd3075 EAP-Message = 0x5af6893f0a9123ca2d0ed939010053c086399f89b4efd66812a9810b0b68a3399a4e5f0d9a34c1464a9ffce377b3581e0f8c967a9e9bbe6b6e8ed09abf64c6e6f405a6e210460ea809a5b1e3ca54f9d8bdb99fefe0ff886992ace5a37a090c8e0f89e8aa2fd83d40f0155380dd315a98b09c00dbaddb94e0c2736ffbdc7761d9d35f620124e2e634254cc2984e5ad5cdacf5ae812a8bce6c254627a9ccaeabe90b2aff0411c3e24b413f34221f9fdbe555b28c07a4fccd627e88221d5c3c7fc89806b69d19b022d7a77c49f43b7e3fc296ffa1eade7b800354b9bcf8a55706b8d4a84a9272777559134a2607226aa8aa53aa819d7f6d507ef76733fbd5 EAP-Message = 0xba0100beda55de08992a0b3f1617cd467216030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x758fc0dc715bd90d29544e3e28c8c2ba Finished request 4. ---------------------------------------------------------------------------------------------------- Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=115, length=304 User-Name = "nicolas.guerra" Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "CC-FE-3C-92-E0-1B" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 EAP-Message = 0x02d4008c19001603010046100000424104220903dc432a650822abd314074ad4da1c8cd9a64ee5f3b1c4fd683f55123474ab0e75971961eb7dd9bf9d8fee9c7d229d1b7a8aaf878ccaeb1526f4fbbd7acb1403010001011603010030bb6cdd1b1f819aa774fe3c3a110d727b102165ea4f318531e59fe283012957463317b698ec19e7b17e60bd897c5aeb3b State = 0x758fc0dc715bd90d29544e3e28c8c2ba Message-Authenticator = 0xd51bf47ab1ffb51a8e51d3c979b85507 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 212 length 140 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 115 to 10.202.10.93 port 60123 EAP-Message = 0x01d5004119001403010001011603010030eec36f8df623b996a242deb85e5d6e8cc399e042573d203f6ae8fde11180b72892593271bc6e78105e3dc2cb9b0623c8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x758fc0dc705ad90d29544e3e28c8c2ba Finished request 5. ---------------------------------------------------------------------------------------------------- Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=116, length=170 User-Name = "nicolas.guerra" Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "CC-FE-3C-92-E0-1B" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 EAP-Message = 0x02d500061900 State = 0x758fc0dc705ad90d29544e3e28c8c2ba Message-Authenticator = 0x55b03c926c5d2f691ef1c5eeee696692 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 213 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 116 to 10.202.10.93 port 60123 EAP-Message = 0x01d6002b19001703010020e66c65be4f4be8a88875791677fedac7ef1aa06f7bd92d2009530c41423bc599 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x758fc0dc7359d90d29544e3e28c8c2ba Finished request 6. ---------------------------------------------------------------------------------------------------- Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=117, length=260 User-Name = "nicolas.guerra" Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "CC-FE-3C-92-E0-1B" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 EAP-Message = 0x02d600601900170301002027fb3b79542161d3bfc95b9f5f01bb8ed3bdad3872d0d0549416e4c93fe6c6661703010030adf8467bdc9f43ffd4a575132ca5cf02e5ced919f3db7f6847849ac56c12dbaf55e2da928d055270e5636cd1f7ddcc58 State = 0x758fc0dc7359d90d29544e3e28c8c2ba Message-Authenticator = 0x341fb223e4ead1c285adc542e876c37d # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 214 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - nicolas.guerra [peap] Got inner identity 'nicolas.guerra' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02d60013016e69636f6c61732e677565727261 server { [peap] Setting User-Name to nicolas.guerra Sending tunneled request EAP-Message = 0x02d60013016e69636f6c61732e677565727261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "nicolas.guerra" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 214 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for nicolas.guerra [ldap] expand: (uid=%u) -> (uid=nicolas.guerra) [ldap] expand: ou=People,ou=Users,dc=asse -> ou=People,ou=Users,dc=asse [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=People,ou=Users,dc=asse, with filter (uid=nicolas.guerra) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SHA}/XmlnVvg6a3Lq4Gi1PqEBrt55FU=" [ldap] sambaNtPassword -> NT-Password == 0x4130333335363744443336453645424439394331413531463437333434344345 [ldap] looking for reply items in directory... [ldap] user nicolas.guerra authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing SHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x01d700281a01d7002310e86768d290336a6f6d694b29526dbdd16e69636f6c61732e677565727261 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ca01c286c7706e53c31e18b5384bf9d [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x01d700281a01d7002310e86768d290336a6f6d694b29526dbdd16e69636f6c61732e677565727261 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ca01c286c7706e53c31e18b5384bf9d [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 117 to 10.202.10.93 port 60123 EAP-Message = 0x01d7004b19001703010040c71c581fbb0f992915f77a68e7135a7a993c67b553a8e0958ed5a7021f618190b0870a1b7d08dea450d503e6c73d72573cffd411e16ec14c5ba31a943debca9b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x758fc0dc7258d90d29544e3e28c8c2ba Finished request 7. ---------------------------------------------------------------------------------------------------- Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=118, length=308 User-Name = "nicolas.guerra" Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "CC-FE-3C-92-E0-1B" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 EAP-Message = 0x02d70090190017030100209835c1d89f49fdb76e75cd34277f212fc8cc278e367921ffa9478b42692eaf8e17030100604b96f15e88a6ba84c20147c1fe51666a8f9125627a13a1ac11f9ca77dc6396ebadd292f86f127d82ad3978a241e91dfc2481eb4f6ff3eb3384783187b96701664d911eda135737760c5a4b6deb23426f7cc911c0f60bed737c968e367f786d4a State = 0x758fc0dc7258d90d29544e3e28c8c2ba Message-Authenticator = 0x700e1dfd1e83b3facaee70a3186359cc # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 215 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x02d700491a02d70044311c19091f3449e4e03104da134036f30600000000000000008ab01c93903f478ea476adde1223019cbba6d2afc9839d98006e69636f6c61732e677565727261 server { [peap] Setting User-Name to nicolas.guerra Sending tunneled request EAP-Message = 0x02d700491a02d70044311c19091f3449e4e03104da134036f30600000000000000008ab01c93903f478ea476adde1223019cbba6d2afc9839d98006e69636f6c61732e677565727261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "nicolas.guerra" State = 0x6ca01c286c7706e53c31e18b5384bf9d server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 215 length 73 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for nicolas.guerra [ldap] expand: (uid=%u) -> (uid=nicolas.guerra) [ldap] expand: ou=People,ou=Users,dc=asse -> ou=People,ou=Users,dc=asse [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=People,ou=Users,dc=asse, with filter (uid=nicolas.guerra) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SHA}/XmlnVvg6a3Lq4Gi1PqEBrt55FU=" [ldap] sambaNtPassword -> NT-Password == 0x4130333335363744443336453645424439394331413531463437333434344345 [ldap] looking for reply items in directory... [ldap] user nicolas.guerra authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing SHA1-Password from base64 encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] Creating challenge hash with username: nicolas.guerra [mschap] Client is using MS-CHAPv2 for nicolas.guerra, we need NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [nicolas.guerra] (from client owrt.router port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\327E=691 R=1" EAP-Message = 0x04d70004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\327E=691 R=1" EAP-Message = 0x04d70004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 118 to 10.202.10.93 port 60123 EAP-Message = 0x01d8002b19001703010020d5506a188aabe243b4c5f1e81acdb4fabe9e3d06d055452811e01a36ce82ed11 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x758fc0dc7d57d90d29544e3e28c8c2ba Finished request 8. ---------------------------------------------------------------------------------------------------- Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=119, length=244 User-Name = "nicolas.guerra" Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "CC-FE-3C-92-E0-1B" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 EAP-Message = 0x02d80050190017030100207fff7c342b74c4a5dde99e439121d0feceb470c7af0f3ea5fc9a66b018378ff31703010020dd29b9c76f0e0ef43897c9faa106195329ee837cefdcae0cd5fd3a02d0b2b4bf State = 0x758fc0dc7d57d90d29544e3e28c8c2ba Message-Authenticator = 0xfd4d513844b07230d93f9ea59d759116 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 216 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [nicolas.guerra] (from client owrt.router port 1 cli CC-FE-3C-92-E0-1B) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> nicolas.guerra attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 119 to 10.202.10.93 port 60123 EAP-Message = 0x04d80004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. Cleaning up request 0 ID 110 with timestamp +40 Cleaning up request 1 ID 111 with timestamp +40 Cleaning up request 2 ID 112 with timestamp +40 Cleaning up request 3 ID 113 with timestamp +40 Cleaning up request 4 ID 114 with timestamp +40 Cleaning up request 5 ID 115 with timestamp +40 Cleaning up request 6 ID 116 with timestamp +40 Cleaning up request 7 ID 117 with timestamp +40 Cleaning up request 8 ID 118 with timestamp +40 Waking up in 1.0 seconds. Cleaning up request 9 ID 119 with timestamp +40 Ready to process requests.
and, why if I enter sambaNTPassword works fine? No idea.
Alan DeKok.
On 19.09.2014 20:26, Nicolás Guerra wrote:
please forgive my ignorance, I'm new in freeRADIUS, I'm just trying to make it work as I'd been asked (users should authenticate with the userPassword attr).
You can't. Unless the userPassword attributed stores the password in plain text, it is mathematically impossible to get this to work with MS-CHAPv2. And by saying "impossible" I mean "impossible". It will never work. It can never work. Stop trying to get it to work. You have some options: a) Store the password also in a different attribute in plain text. Use that instead of the userPassword attribute for MS-CHAPv2. b) Store the password also in the sambaNTPassword attribute, hashed in the format it needs to be. c) Don't use MS-CHAPv2 but PAP. This will not work with any Windows prior to Windows 8. If you need to support Windows XP/Vista/7 without additional tools, this is no option for you. Grüße, Sven.
participants (2)
-
Nicolás Guerra -
Sven Hartge