Freeradius 3 and empty password from authorization
Good morning, I couldn't authorize over my radius, when I run it with debug, I see that user password is empty: (23) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain.tld --username=%{Stripped-User-Name} --password=%{User-Password}: (23) ntlm_auth: EXPAND --username=%{Stripped-User-Name} (23) ntlm_auth: --> --username=user (23) ntlm_auth: EXPAND --password=%{User-Password} (23) ntlm_auth: --> --password= (23) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)' (23) [ntlm_auth] = reject (23) } # if (&User-Name =~ /@domain.tld/ || &User-Name =~ /@domain.tld/) = reject (23) } # authorize = reject (23) Invalid user (ntlm_auth: Program returned code (1) and output 'NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)'): [user] (from client controler2 port 13 cli 86-e8-4f-43-5c-9b) (23) Using Post-Auth-Type Reject User is not empty. When I try to authorize ntlm_auth from bash, all is OK (NT_STATUS_OK: Success (0x0)) What did I missed ? Thanks and best regards J.Karliak -- Ma domena pouziva zabezpeceni a kontrolu SPF (www.openspf.org) a DomainKeys/DKIM (s ADSP) a implementaci DMARC. Pokud mate problemy s dorucenim emailu, zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji. My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP) policy and implementation of the DMARC. If you've problem with sending emails to me, start using email origin methods mentioned above. Thank you.
On Apr 23, 2018, at 4:22 AM, chose <chose@ajetaci.cz> wrote:
Good morning, I couldn't authorize over my radius, when I run it with debug, I see that user password is empty:
Because the server doesn't receive a User-Password. READ the debug log. ALL OF IT. http://wiki.freeradius.org/radius-X
What did I missed ?
You didn't read the debug log. Alan DeKok.
On Apr 24, 2018, at 12:13 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 23, 2018, at 4:22 AM, chose <chose@ajetaci.cz> wrote:
Good morning, I couldn't authorize over my radius, when I run it with debug, I see that user password is empty:
Because the server doesn't receive a User-Password.
READ the debug log. ALL OF IT.
Hi, thanks for the answer. You are right - radius didn't recieved any password, where should be an error ? I'm authorizing Iphone and Windows 7 prof. , all systems asked me for login and password. Authorized wifi network is controlled by Cisco wireless controller 2504, isn't there some missconfiguration for radius ? Thanks and best regards J.Karliak (732) Received Access-Request Id 13 from 192.168.26.10:32773 to 195.123.183.11:1812 length 282 (732) User-Name = "username@domain.tld" (732) Chargeable-User-Identity = 0x00 (732) Location-Capable = Civix-Location (732) Calling-Station-Id = "a0-88-b4-43-4a-54" (732) Called-Station-Id = "88-1d-3c-42-00-00:WIFI-TEST" (732) NAS-Port = 13 (732) Cisco-AVPair = "audit-session-id=c0a8ce0a003494f65aded7cf" (732) Acct-Session-Id = "5aded7cf/a0:88:b4:43:4a:54/5397550" (732) NAS-IP-Address = 192.168.206.10 (732) NAS-Identifier = "wireless1" (732) Airespace-Wlan-Id = 2 (732) Service-Type = Framed-User (732) Framed-MTU = 1300 (732) NAS-Port-Type = Wireless-802.11 (732) Tunnel-Type:0 = VLAN (732) Tunnel-Medium-Type:0 = IEEE-802 (732) Tunnel-Private-Group-Id:0 = "75" (732) EAP-Message = 0x020200120163686f736540666e686b2e637a (732) Message-Authenticator = 0x4d80f3857dc7786c664c8ce8444372c3 (732) # Executing section authorize from file /etc/raddb/sites-enabled/default (732) authorize { (732) if (&User-Name =~ /@domain.tld/ || &User-Name =~ /@domain.tld/) { (732) if (&User-Name =~ /@domain.tld/ || &User-Name =~ /@domain.tld/) -> TRUE (732) if (&User-Name =~ /@domain.tld/ || &User-Name =~ /@domain.tld/) { (732) if ("%{request:User-Name}" =~ /^(.*)@/) { (732) EXPAND %{request:User-Name} (732) --> username@domain.tld (732) if ("%{request:User-Name}" =~ /^(.*)@/) -> TRUE (732) if ("%{request:User-Name}" =~ /^(.*)@/) { (732) update request { (732) EXPAND %{1} (732) --> username (732) Stripped-User-Name := username (732) EXPAND %{2} (732) --> (732) Realm := (732) } # update request = noop (732) } # if ("%{request:User-Name}" =~ /^(.*)@/) = noop (732) [files] = noop (732) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain.tld --username=%{Stripped-User-Name} --password=%{User-Password}: (732) ntlm_auth: EXPAND --username=%{Stripped-User-Name} (732) ntlm_auth: --> --username=username (732) ntlm_auth: EXPAND --password=%{User-Password} (732) ntlm_auth: --> --password= (732) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)' (732) [ntlm_auth] = reject (732) } # if (&User-Name =~ /@domain.tld/ || &User-Name =~ /@domain.tld/) = reject (732) } # authorize = reject (732) Invalid user (ntlm_auth: Program returned code (1) and output 'NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)'): [username] (from client wireless1 port 13 cli a0-88-b4-43-4a-54) Dne 2018-04-23 23:06, Arran Cudbard-Bell napsal:
On Apr 24, 2018, at 12:13 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 23, 2018, at 4:22 AM, chose <chose@ajetaci.cz> wrote:
Good morning, I couldn't authorize over my radius, when I run it with debug, I see that user password is empty:
Because the server doesn't receive a User-Password.
READ the debug log. ALL OF IT.
http://wiki.freeradius.org/radiusd-X
-Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Ma domena pouziva zabezpeceni a kontrolu SPF (www.openspf.org) a DomainKeys/DKIM (s ADSP) a implementaci DMARC. Pokud mate problemy s dorucenim emailu, zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji. My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP) policy and implementation of the DMARC. If you've problem with sending emails to me, start using email origin methods mentioned above. Thank you.
Hello,
You are right - radius didn't recieved any password, where should be an error ? I'm authorizing Iphone and Windows 7 prof. , all systems asked me for login and password. Authorized wifi network is controlled by Cisco wireless controller 2504, isn't there some missconfiguration for radius ?
Wireless doesn't use plaintext passwords. It's using the EAP protocol. And there it is:
(732) EAP-Message = 0x020200120163686f736540666e686b2e637a
For some reason, your FreeRADIUS configuration expects a plaintext password. That's wrong. And it's not the default shipped configuration. Maybe you want to read up on EAP authentication. And then revert your config changes to the point where EAP works out of the box. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On Apr 24, 2018, at 3:16 AM, chose <chose@ajetaci.cz> wrote: You are right - radius didn't recieved any password, where should be an error ? I'm authorizing Iphone and Windows 7 prof. , all systems asked me for login and password. Authorized wifi network is controlled by Cisco wireless controller 2504, isn't there some missconfiguration for radius ?
It's how EAP works. You've edited the default configuration and broken it. Don't do that. Follow my guide: http://deployingradius.com/ You *will* get EAP working. And, authenticate users against AD. It's all documented in great detail. Alan DeKok.
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
chose -
Stefan Winter