Re: ldap machine account auth tutorial
On 01/02/10 16:04, cd wrote:
thanks Phil
but it looks like that i get an access-accept without ldap password validation ??!
Please don't email me directly; I'm on the list.
rad_recv: Access-Request packet from host 192.168.10.254 port 1024, id=151, length=136 NAS-IP-Address = 10.172.253.110 NAS-Port-Type = Ethernet Service-Type = Framed-User Message-Authenticator = 0xe35737afd4fb25d9a9cab4dc24bffa77 NAS-Port = 10 Framed-MTU = 1490 User-Name = "host/crid72-42ee2079" Calling-Station-Id = "00-0C-29-7E-44-54" EAP-Message = 0x020d001901686f73742f6372696437322d3432656532303739
SNIP; your LDAP debugging level is way, way too high. It's very hard to read the debugging output.
rlm_ldap: sambaNtPassword -> NT-Password == 0x3241384242423239424546354639314230324146363837323930414442344637
[ldap_admin] performing user authorization for host/crid72-42ee2079
...why are you running 2 LDAP modules?
+++[ldap_sw] returns ok ++- policy redundant returns ok rlm_ldap: Entering ldap_groupcmp()
Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel Sending Access-Challenge of id 151 to 192.168.10.254 port 1024 EAP-Message = 0x010e002e1a010e002910924d24419c6082e80c304f8d76c22109686f73742f6372696437322d3432656532303739 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x517b79b8517563ae61de7219537f52df
Ok, so EAP challenge sent.
Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap
So it's using PEAP. Then after lots and lots of unnecessary LDAP debug output:
Sending Access-Accept of id 161 to 192.168.10.254 port 1024 User-Name = "host/crid72-42ee2079" MS-MPPE-Recv-Key = 0xc83951c8f97b57386194b58be2d66edbe3a7b37cbaead57df65c61d64cea65e1 MS-MPPE-Send-Key = 0xeefc2477dc12da93c583c05676c8474a66fd2ad11b1cd90ef3ff575dcf876010 EAP-Message = 0x03170004 Message-Authenticator = 0x00000000000000000000000000000000
It succeeds. So what's the problem? Radius looked the NT password up in LDAP, and did a PEAP/MS-CHAP against it. It worked.
Excuse me I didn't want to email you directly. I run 2 LDAP modules because i would like to put machines in good VLAN after authentification. that my next problem ;) I work on it ... but i don't know to begin :p Le 01/02/2010 17:34, Phil Mayers a écrit :
On 01/02/10 16:04, cd wrote:
thanks Phil
but it looks like that i get an access-accept without ldap password validation ??!
Please don't email me directly; I'm on the list.
rad_recv: Access-Request packet from host 192.168.10.254 port 1024, id=151, length=136 NAS-IP-Address = 10.172.253.110 NAS-Port-Type = Ethernet Service-Type = Framed-User Message-Authenticator = 0xe35737afd4fb25d9a9cab4dc24bffa77 NAS-Port = 10 Framed-MTU = 1490 User-Name = "host/crid72-42ee2079" Calling-Station-Id = "00-0C-29-7E-44-54" EAP-Message = 0x020d001901686f73742f6372696437322d3432656532303739
SNIP; your LDAP debugging level is way, way too high. It's very hard to read the debugging output.
rlm_ldap: sambaNtPassword -> NT-Password == 0x3241384242423239424546354639314230324146363837323930414442344637
[ldap_admin] performing user authorization for host/crid72-42ee2079
...why are you running 2 LDAP modules?
+++[ldap_sw] returns ok ++- policy redundant returns ok rlm_ldap: Entering ldap_groupcmp()
Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel Sending Access-Challenge of id 151 to 192.168.10.254 port 1024 EAP-Message = 0x010e002e1a010e002910924d24419c6082e80c304f8d76c22109686f73742f6372696437322d3432656532303739
Message-Authenticator = 0x00000000000000000000000000000000 State = 0x517b79b8517563ae61de7219537f52df
Ok, so EAP challenge sent.
Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap
So it's using PEAP. Then after lots and lots of unnecessary LDAP debug output:
Sending Access-Accept of id 161 to 192.168.10.254 port 1024 User-Name = "host/crid72-42ee2079" MS-MPPE-Recv-Key = 0xc83951c8f97b57386194b58be2d66edbe3a7b37cbaead57df65c61d64cea65e1 MS-MPPE-Send-Key = 0xeefc2477dc12da93c583c05676c8474a66fd2ad11b1cd90ef3ff575dcf876010 EAP-Message = 0x03170004 Message-Authenticator = 0x00000000000000000000000000000000
It succeeds. So what's the problem?
Radius looked the NT password up in LDAP, and did a PEAP/MS-CHAP against it. It worked. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Christophe Deze -
Phil Mayers