Free Radius 2.1.1 showing clear text password at the debug mode
Hello, I'm new to Radius. So basically i tried to setup 2 Radius server, one runs on our SLES 10 PROD (Radius and Novell LDAP sit on the same server) - this is works fine using eap_mschapv2 authentication. Radius version is 1.X. We use Radius to authenticate our wireless and get LDAP authentication. So no issue with this. Second server - SLES 11 ; i get the installer directly from Novell and its use version 2.1.1. So it seems the config way is different but i did try match with the Radius 1.X config (just a dffierent module i guess). Everything works fine, except 1 things. In Radius 1.x - SLES 10 when i run radiusd -X ; i don't see the user password (which is good). but in Radius 2.1.1 i can see it clearly ... how can i eliminate this cleartext password being showed there? I'm new to this authentication method or eap_mschap protocol, so please bear with me :) *[peap] Got tunnled request EAP-Message = 0x020a00061a03 server (null) { PEAP: Setting User-Name to sdholakia2 Sending tunneled request EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "sdholakia2" State = 0xf32f92c4f22588e5c2ccbfc052ff2f65 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[control] returns noop ++[mschap] returns noop ++[unix] returns notfound ++[control] returns notfound [eap] EAP packet type response id 10 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for sdholakia2 [ldap] expand: (uid=%u) -> (uid=sdholakia2) [ldap] expand: ou=Active,ou=Users,o=FSID -> ou=Active,ou=Users,o=FSID rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Active,ou=Users,o=FSID, with filter (uid=sdhoakia2) [ldap] Added the eDirectory password Test in check items as Cleartext-Passwrd [ldap] looking for check items in directory...* While at radiusd -X of the radius 1.X i can only see *Added the eDirectory password * *[ldap] looking for check items in directory... * Best Regards, Danny
Hi,
I'm new to Radius. So basically i tried to setup 2 Radius server, one runs on our SLES 10 PROD (Radius and Novell LDAP sit on the same server) - this is works fine using eap_mschapv2 authentication. Radius version is 1.X. We use Radius to authenticate our wireless and get LDAP authentication. So no issue with this.
debugging is all about debugging - finding out the problems - hence things are shown. the password is shown because there could be a mismatch. back in the 1.x day some things were still opaque....ongoing debates of 'users password is wrong' : 'oh no it isnt' : 'oh yes it is' : 'oh no it.....oh wait, yes, their password was wrong'. pointless.
Second server - SLES 11 ; i get the installer directly from Novell and its use version 2.1.1. So it seems the config way is different but i did try match with the Radius 1.X config (just a dffierent module i guess).
ummm, hope you didnt just copy/paste the configs. you need to ensure that the 2.x config has the right options pset...but not configured in the same way. there is a reason why its FreeRADIUS 2.x rather than 1.x - you need to adapt your config for the new version. alan
On 21.02.2013 10:15, Danny Kurniawan wrote:
In Radius 1.x - SLES 10 when i run radiusd -X ; i don't see the user password (which is good). but in Radius 2.1.1 i can see it clearly ... how can i eliminate this cleartext password being showed there? I'm new to this authentication method or eap_mschap protocol, so please bear with me :)
/[peap] Got tunnled request EAP-Message = 0x020a00061a03 server (null) { PEAP: Setting User-Name to sdholakia2 Sending tunneled request EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "sdholakia2" State = 0xf32f92c4f22588e5c2ccbfc052ff2f65 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[control] returns noop ++[mschap] returns noop ++[unix] returns notfound ++[control] returns notfound [eap] EAP packet type response id 10 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for sdholakia2 [ldap] expand: (uid=%u) -> (uid=sdholakia2) [ldap] expand: ou=Active,ou=Users,o=FSID -> ou=Active,ou=Users,o=FSID rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Active,ou=Users,o=FSID, with filter (uid=sdhoakia2) [ldap] Added the eDirectory password Test in check items as Cleartext-Passwrd [ldap] looking for check items in directory.../
That's how it has been hard-coded in FR2.X and FR3. It is indeed arguable. For debugging eDirectory integration, it's quite nice. But you really have to restrict access to the freeradius server, so no one can start it with -X or run radmin debug. We could by default not output the password, and if you really need to see it, just echo control:Cleartext-Password after ldap.authorize Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Danny Kurniawan -
Olivier Beytrison