FreeRadius unable to read password from LDAP query to win2008 AD
Using FreeRadius on Ubuntu 12.04 FreeRadius is communicating with Windows 2008 R2 Active Directory server. I have MS-CHAP authentication working fine. This is used for VPN. I am setting up LDAP authorization and CHAP authentication. This will be used for router login. The router has the radius configuration pointing to FreeRadius box.
From the logs, the LDAP authorization appears to bind correctly but is unable to retrieve a clear password for the user account and thus user cannot be authenticated with CHAP.
[ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? I believe above indicates that no data is received from LDAP query and no password is retrieved. I have attached relevant debug log output and config files. http://freeradius.1045715.n5.nabble.com/file/n5711532/freeradius_-_x.txt freeradius_-_x.txt output from running freeradius server in debug mode http://freeradius.1045715.n5.nabble.com/file/n5711532/router_connection_atte... router_connection_attempt.txt output from connection attempt for router http://freeradius.1045715.n5.nabble.com/file/n5711532/default.txt default.txt /etc/freeradius/sites-available/default http://freeradius.1045715.n5.nabble.com/file/n5711532/inner-tunnel.txt inner-tunnel.txt /etc/freeradius/sites-available/inner-tunnel http://freeradius.1045715.n5.nabble.com/file/n5711532/ldap.txt ldap.txt /etc/freeradius/modules/ldap -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-unable-to-read-password-f... Sent from the FreeRadius - User mailing list archive at Nabble.com.
sonyisda1 <esj@tpri.com> wrote:
Using FreeRadius on Ubuntu 12.04 FreeRadius is communicating with Windows 2008 R2 Active Directory server. I have MS-CHAP authentication working fine. This is used for VPN.
I am setting up LDAP authorization and CHAP authentication. This will be used for router login. The router has the radius configuration pointing to FreeRadius box.
From the logs, the LDAP authorization appears to bind correctly but is unable to retrieve a clear password for the user account and thus user cannot be authenticated with CHAP.
Active directory does not *have* plaintext passwords. Even the ones it does have (nt hash) cannot be read out via ldap or any other method (short of rooting the box). Therefore, chap against ad ldap is impossible. See the protocol compatibility guide on deployingradius.com -- Sent from my phone. Please excuse brevity and typos.
From the Connection Attempt file, the request comes in with CHAP-Challenge and CHAP-Password. That is why CHAP is being chosen as the authentication method.
Basically the user is being authorized through LDAP but LDAP does not do authentication so what do you recommend for authentication then? Thanks! -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-unable-to-read-password-f... Sent from the FreeRadius - User mailing list archive at Nabble.com.
sonyisda1 wrote:
From the Connection Attempt file, the request comes in with CHAP-Challenge and CHAP-Password. That is why CHAP is being chosen as the authentication method.
Basically the user is being authorized through LDAP but LDAP does not do authentication so what do you recommend for authentication then?
FreeRADIUS. It's an authentication server. LDAP is a database. But... this means storing passwords in a form which can be used by the authentication server. Or, it means using an authentication protocol (e.g. MS-CHAP) which is compatible with the database. Don't blame us. Blame Microsoft for making a database which contains data it won't return in queries. Alan DeKok.
participants (3)
-
Alan DeKok -
Phil Mayers -
sonyisda1