hello, I try to set up a Radius server with an LDAP server, but I have this problem ldap] login attempt by "toto" with password "tK�O�?�?v?3:)5�8" [ldap] user DN: uid=toto,ou=people,dc=tem-tsp,dc=eu [ldap] (re)connect to 127.0.0.1:389, authentication 1 [ldap] bind as uid=toto,ou=people,dc=tem-tsp,dc=eu/tK�O�?�?v?3:)5�8 to 127.0.0.1:389 [ldap] waiting for bind result ... the password in LDAP is encoded in MD5 ----- kahina akkouche -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-OpenLdap-tp5713846.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
or is the problem, I'm on it for a while and I can not find, thank you for your help I look. the password is stored in clear in the LDAP database here are the logs User-Name = "toto" User-Password = "q4\277Kj\016deЭ\227\225\016\204b\033" NAS-IP-Address = 127.0.0.1 NAS-Port = 1812 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "toto", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for toto [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> toto [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=toto) [ldap] expand: dc=tem-tsp,dc=eu -> dc=tem-tsp,dc=eu [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 127.0.0.1:389, authentication 0 [ldap] bind as cn=admin,dc=tem-tsp,dc=eu/secret to 127.0.0.1:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=tem-tsp,dc=eu, with filter (uid=toto) [ldap] Added User-Password = titi in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "titi" [ldap] looking for reply items in directory... [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "33" [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802 [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN [ldap] user toto authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Config already contains "known good" password. Ignoring Password-With-Header ++[pap] returns updated Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "q4�Kj?deЭ????b?" [pap] Using clear text password "titi" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> toto attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 162 to 127.0.0.1 port 56657 Waking up in 4.9 seconds. Cleaning up request 0 ID 162 with timestamp +7 Ready to process requests. ----- kahina akkouche -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-OpenLdap-tp5713846p571385... Sent from the FreeRadius - User mailing list archive at Nabble.com.
it is I need to replace or Replacing User-Password in config items with cleartext-Password? in the LDAP directory or file in LDAP freeradius ----- kahina akkouche -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-OpenLdap-tp5713846p571385... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
or is the problem, I'm on it for a while and I can not find, thank you for your help I look.
User-Name = "toto" User-Password = "q4\277Kj\016deЭ\227\225\016\204b\033"
look. that isnt right - that would have the real password. you have incorrect shared secret. look at the full debug log it will say so alan
the request is: User-Name = "toto" User-Password = "titi" NAS-IP-Address = 127.0.0.1 NAS-Port = 1812 I used LDAP and password are stored in MD5. configuration eap.conf eap { default_eap_type = ttls } ttls { default_eap_type = md5 } configuration /sites-enabled# vim default : authorize { preprocess eap { ok = return } ldap pap } authenticate { Auth-Type PAP { pap } eap } } configuration etc/freeradius/sites-enabled# vim inner-tunnel This is the same as I used LDAP and password are stored in MD5. ----- kahina akkouche -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-OpenLdap-tp5713846p571385... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi, On Wed, Jun 20, 2012 at 01:53:13AM -0700, akkouche wrote:
here are the logs
User-Name = "toto" User-Password = "q4\277Kj\016deЭ\227\225\016\204b\033" ...
On Wed, Jun 20, 2012 at 05:27:58AM -0700, akkouche wrote:
the request is: User-Name = "toto" User-Password = "titi" ...
How many people need to tell you? Your shared secret is wrong. You send one password, and the RADIUS server sees a different one. Your shared secret is wrong. Check your shared secret matches in clients.conf and on your NAS. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Matthew Newton wrote:
How many people need to tell you?
I've banned nabble.com from the list. They can no longer subscribe. The number of *good* questions from nabble is very low. The number of *terrible* questions is very large. Most people using nabble can't seen to understand the most basic concepts. Rather than waste our time any more, they've been banned whole-sale. To re-iterate for everyone reading this: Asking *good* questions is fine. Trying to figure things out is fine. Not understanding is fine. Being lazy and unwilling to read the documentation is not acceptable. Alan DeKok.
no is the same in the client.conf file and pass it in the request is pass ----- kahina akkouche -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-OpenLdap-tp5713846p571386... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
no is the same in the client.conf file and pass it in the request is pass
if you say that the secret is the same in the client.conf file as it is in the NAS then there are 2 options 1) the NAS or client is buggy 2) you are editing the wrong client.conf - look at the debug file and see which files it is reading alan
akkouche wrote:
or is the problem, I'm on it for a while and I can not find, thank you for your help I look.
Then you haven't tried. At all. And don't send messages to me off-list. I'm not your personal tech support.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
It's *still* a mystery after that? You're not trying. Alan DeKok.
nor is the same in the client.conf file and pass it in the request is pass ----- kahina akkouche -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-OpenLdap-tp5713846p571386... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (4)
-
akkouche -
alan buxey -
Alan DeKok -
Matthew Newton