Hi, I decided to install free radius 2.1.6-2 to test it and then to upgrade my existing versions in my servers. I configured my free radius to use ldap. When I tried to authenticate from the new radius it gave me the following message "from radius -X". Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! Note that when I wrote the password encrypted "like *%@&ksjd%@sdgsadgjhsb" I was able to login but when I wrote the password in clear text "like test" I failed to login. I tried to search in the internet about this message but I didn't find a suitable solution for it.. Any Ideas regarding this message?? Regards, Wessam
I decided to install free radius 2.1.6-2 to test it and then to upgrade my existing versions in my servers. I configured my free radius to use ldap. When I tried to authenticate from the new radius it gave me the following message "from radius -X".
Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Note that when I wrote the password encrypted "like *%@&ksjd%@sdgsadgjhsb" I was able to login but when I wrote the password in clear text "like test" I failed to login.
Password in ldap probably has a header. You can ignore the message then, because server will convert User-Password to appropriate password attribute on it's own (Crypt-Password for {crypt}, SHA-Password for {sha} etc.) if auto-header is enabled. Post the whole debug. Ivan Kalik Kalik Informatika ISP
Thanks Ivan for your reply. Here is the ldap configuration section: ldap { server = "x.x.x.x" identity = "cn=username" password = password basedn = "ou=email,o=data,c=eg" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" password_header = "{CRYPT}" ldap_connections_number = 100 timeout = 15 timelimit = 10 net_timeout = 5 tls { start_tls = no } profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" dictionary_mapping = ${confdir}/ldap.attrmap password_attribute = radiususerPassword } and here is the debug message ++[ldap] returns ok Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group PAP {...} [pap] login attempt with password "123456" [pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> username attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Thanks for your support. Wessam On Thu, Sep 24, 2009 at 1:37 PM, Ivan Kalik <tnt@kalik.net> wrote:
I decided to install free radius 2.1.6-2 to test it and then to upgrade my existing versions in my servers. I configured my free radius to use ldap. When I tried to authenticate from the new radius it gave me the following message "from radius -X".
Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Note that when I wrote the password encrypted "like *%@&ksjd%@sdgsadgjhsb" I was able to login but when I wrote the password in clear text "like test" I failed to login.
Password in ldap probably has a header. You can ignore the message then, because server will convert User-Password to appropriate password attribute on it's own (Crypt-Password for {crypt}, SHA-Password for {sha} etc.) if auto-header is enabled. Post the whole debug.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
what I can see that Radius couldn't encrypt clear text password. For example when I send the password in clear text like "123456" it rejects me but when I send it encrypted like "&^%$%$%JGjgjg(&%%^njahjahs" I was able to login without any problems. Note that I changed my real password and its encryption to secure my data. On Thu, Sep 24, 2009 at 3:01 PM, Alan DeKok <aland@deployingradius.com>wrote:
wessam seleem wrote: ...
[pap] login attempt with password "123456" [pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs"
Your shared secret is wrong. Fix it.
See the FAQ for more details.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
what I can see that Radius couldn't encrypt clear text password. For example when I send the password in clear text like "123456" it rejects me but when I send it encrypted like "&^%$%$%JGjgjg(&%%^njahjahs" I was able to login without any problems. Note that I changed my real password and its encryption to secure my data.
You have fixed the encryption with password_header in your ldap configuration. You can't fix the header and then use password with different encryption (or unencrypted). Server works as expected. Ivan Kalik Kalik Informatika ISP
09/24/2009 04:12 PM, wessam seleem::
Note that I changed my real password and its encryption to secure my data.
By the way, As far as I know (And I might know nothing), encryption _is_ because guessing the password from it's encrypted hash is _not_ possible. -- Architecte Informatique chez Blueline/Gulfsat: Administration Systeme, Recherche & Developpement +261 34 29 155 34
participants (4)
-
Alan DeKok -
Ivan Kalik -
Rakotomandimby Mihamina -
wessam seleem