Freeradius/LDAP Authentication issue
Hi, First of all, sorry for my bad english. I have installed Freeradius (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to authenticate users via our LDAP. I face an issue when i perform this radtest : /radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"/ Here is the freeradius -X debug : rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111, length=48 Sending duplicate reply to client localhost port 44928 - ID: 111 Sending Access-Reject of id 111 to 127.0.0.1 port 44928 Waking up in 2.9 seconds. Cleaning up request 2 ID 111 with timestamp +114 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111, length=48 User-Name = "toto" User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[mschap] = noop [suffix] No '@' in User-Name = "toto", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop ++[files] = noop ++group { [ldap_1] performing user authorization for toto [ldap_1] expand: %{Stripped-User-Name} -> [ldap_1] ... expanding second conditional [ldap_1] expand: %{User-Name} -> toto [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=toto) [ldap_1] expand: ou=Users,dc=XXXX,dc=fr -> ou=Users,dc=XXXX,dc=fr [ldap_1] ldap_get_conn: Checking Id: 0 [ldap_1] ldap_get_conn: Got Id: 0 [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter (uid=toto) [ldap_1] checking if remote access for toto is allowed by uid [ldap_1] No default NMAS login sequence [ldap_1] looking for check items in directory... [ldap_1] sambaNtPassword -> NT-Password == 0x3344424445363937443731363930413736393230344245423132323833363738 [ldap_1] sambaLmPassword -> LM-Password == 0x4343463931353545334537444234353341414433423433354235313430344545 [ldap_1] userPassword -> Cleartext-Password == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap_1] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap_1] sambaNtPassword -> NT-Password == 0x3344424445363937443731363930413736393230344245423132323833363738 [ldap_1] sambaLmPassword -> LM-Password == 0x4343463931353545334537444234353341414433423433354235313430344545 [ldap_1] looking for reply items in directory... [ldap_1] user toto authorized to use remote access [ldap_1] ldap_release_conn: Release Id: 0 +++[ldap_1] = ok ++} # group = ok ++[expiration] = noop ++[logintime] = noop +} # group authorize = ok WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request does NOT match "known good" password. Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! } # server inner-tunnel Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> toto attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 111 to 127.0.0.1 port 44928 Waking up in 4.9 seconds. Cleaning up request 3 ID 111 with timestamp +120 Ready to process requests. The user and client passwords are correct and i don't understand the following errors : WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request does NOT match "known good" password. Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Thank you for your replies. Cordialement, - - Benjamin Dupalut Administrateur système et réseau Service des Moyens Informatiques Généraux (SMIG) ESIEE Paris 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex T : +33 1 45 92 66 17 benjamin.dupalut@esiee.fr www.esiee.fr / www.cci-paris-idf.fr
On Mar 23, 2016, at 1:08 PM, Benjamin Dupalut <benjamin.dupalut@esiee.fr> wrote:
First of all, sorry for my bad english.
Your English is fine.
I have installed Freeradius (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to authenticate users via our LDAP. I face an issue when i perform this radtest : /radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"/
Is "clientpassword" the password for the client "localhost" ? Please check. The default is "testing123".
Here is the freeradius -X debug : ... +} # group authorize = ok
And note no "pap" module is in the "authorize" section. You edited the default configuration and broke it. Don't do that. The "pap" module must be listed last in the "authorize" section. See the default configuration for examples
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
That message cannot be made any clearer. The shared secret is wrong. Alan DeKok.
On Mar 24, 2016 6:11 AM, "Benjamin Dupalut" <benjamin.dupalut@esiee.fr> wrote:
Hi,
First of all, sorry for my bad english.
I have installed Freeradius (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to
authenticate users via our LDAP. I face an issue when i perform this radtest : /radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"/ The default config the shared secret is testing123 rather than clientpassword
Here is the freeradius -X debug :
rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
length=48
Sending duplicate reply to client localhost port 44928 - ID: 111 Sending Access-Reject of id 111 to 127.0.0.1 port 44928 Waking up in 2.9 seconds. Cleaning up request 2 ID 111 with timestamp +114 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111, length=48 User-Name = "toto" User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ"
This would be the cleartext password if your secret matched.
server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[mschap] = noop [suffix] No '@' in User-Name = "toto", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop ++[files] = noop ++group { [ldap_1] performing user authorization for toto [ldap_1] expand: %{Stripped-User-Name} -> [ldap_1] ... expanding second conditional [ldap_1] expand: %{User-Name} -> toto [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=toto) [ldap_1] expand: ou=Users,dc=XXXX,dc=fr -> ou=Users,dc=XXXX,dc=fr [ldap_1] ldap_get_conn: Checking Id: 0 [ldap_1] ldap_get_conn: Got Id: 0 [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter (uid=toto) [ldap_1] checking if remote access for toto is allowed by uid [ldap_1] No default NMAS login sequence [ldap_1] looking for check items in directory... [ldap_1] sambaNtPassword -> NT-Password == 0x3344424445363937443731363930413736393230344245423132323833363738 [ldap_1] sambaLmPassword -> LM-Password == 0x4343463931353545334537444234353341414433423433354235313430344545 [ldap_1] userPassword -> Cleartext-Password == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap_1] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap_1] sambaNtPassword -> NT-Password == 0x3344424445363937443731363930413736393230344245423132323833363738 [ldap_1] sambaLmPassword -> LM-Password == 0x4343463931353545334537444234353341414433423433354235313430344545 [ldap_1] looking for reply items in directory... [ldap_1] user toto authorized to use remote access [ldap_1] ldap_release_conn: Release Id: 0 +++[ldap_1] = ok ++} # group = ok ++[expiration] = noop ++[logintime] = noop +} # group authorize = ok WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request does NOT match "known good" password. Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! } # server inner-tunnel Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> toto attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 111 to 127.0.0.1 port 44928 Waking up in 4.9 seconds. Cleaning up request 3 ID 111 with timestamp +120 Ready to process requests.
The user and client passwords are correct and i don't understand the following errors :
WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request does NOT match "known good" password. Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Thank you for your replies.
Cordialement,
- -
Benjamin Dupalut Administrateur système et réseau Service des Moyens Informatiques Généraux (SMIG) ESIEE Paris 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex T : +33 1 45 92 66 17 benjamin.dupalut@esiee.fr www.esiee.fr / www.cci-paris-idf.fr
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes i think the shared secret are not matching thats why we see unencrypted value of user password as something else and hence it fails to match with the "known good" password.
BR,
Anirudh Malhotra
8zero2
Mail: 8zero2.in@gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in
On 24 Mar 2016, 00:00 +0530, Peter Lambrechtsen<peter@crypt.nz>, wrote:
> On Mar 24, 2016 6:11 AM, "Benjamin Dupalut"<benjamin.dupalut@esiee.fr
> wrote:
> >
> > Hi,
> >
> > First of all, sorry for my bad english.
> >
> > I have installed Freeradius (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to
> authenticate users via our LDAP. I face an issue when i perform this
> radtest : /radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"/
>
> The default config the shared secret is testing123 rather than
> clientpassword
>
> >
> > Here is the freeradius -X debug :
> >
> >
> > rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
> length=48
> > Sending duplicate reply to client localhost port 44928 - ID: 111
> > Sending Access-Reject of id 111 to 127.0.0.1 port 44928
> > Waking up in 2.9 seconds.
> > Cleaning up request 2 ID 111 with timestamp +114
> > Ready to process requests.
> > rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
> length=48
> > User-Name = "toto"
> > User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ"
>
> This would be the cleartext password if your secret matched.
>
> > server inner-tunnel {
> > # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> > +group authorize {
> > ++[mschap] = noop
> > [suffix] No '@' in User-Name = "toto", looking up realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] = noop
> > ++update control {
> > ++} # update control = noop
> > [eap] No EAP-Message, not doing EAP
> > ++[eap] = noop
> > ++[files] = noop
> > ++group {
> > [ldap_1] performing user authorization for toto
> > [ldap_1] expand: %{Stripped-User-Name} -
> > [ldap_1] ... expanding second conditional
> > [ldap_1] expand: %{User-Name} ->toto
> > [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
> (uid=toto)
> > [ldap_1] expand: ou=Users,dc=XXXX,dc=fr ->ou=Users,dc=XXXX,dc=fr
> > [ldap_1] ldap_get_conn: Checking Id: 0
> > [ldap_1] ldap_get_conn: Got Id: 0
> > [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter
> (uid=toto)
> > [ldap_1] checking if remote access for toto is allowed by uid
> > [ldap_1] No default NMAS login sequence
> > [ldap_1] looking for check items in directory...
> > [ldap_1] sambaNtPassword ->NT-Password ==
> 0x3344424445363937443731363930413736393230344245423132323833363738
> > [ldap_1] sambaLmPassword ->LM-Password ==
> 0x4343463931353545334537444234353341414433423433354235313430344545
> > [ldap_1] userPassword ->Cleartext-Password ==
> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> > [ldap_1] userPassword ->Password-With-Header ==
> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> > [ldap_1] sambaNtPassword ->NT-Password ==
> 0x3344424445363937443731363930413736393230344245423132323833363738
> > [ldap_1] sambaLmPassword ->LM-Password ==
> 0x4343463931353545334537444234353341414433423433354235313430344545
> > [ldap_1] looking for reply items in directory...
> > [ldap_1] user toto authorized to use remote access
> > [ldap_1] ldap_release_conn: Release Id: 0
> > +++[ldap_1] = ok
> > ++} # group = ok
> > ++[expiration] = noop
> > ++[logintime] = noop
> > +} # group authorize = ok
> > WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> > WARNING: Use the PAP or CHAP modules instead.
> > User-Password in the request does NOT match "known good" password.
> > Failed to authenticate the user.
> > WARNING: Unprintable characters in the password. Double-check the
> shared secret on the server and the NAS!
> > } # server inner-tunnel
> > Using Post-Auth-Type REJECT
> > # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> > +group REJECT {
> > [attr_filter.access_reject] expand: %{User-Name} ->toto
> > attr_filter: Matched entry DEFAULT at line 11
> > ++[attr_filter.access_reject] = updated
> > +} # group REJECT = updated
> > Delaying reject of request 3 for 1 seconds
> > Going to the next request
> > Waking up in 0.9 seconds.
> > Sending delayed reject for request 3
> > Sending Access-Reject of id 111 to 127.0.0.1 port 44928
> > Waking up in 4.9 seconds.
> > Cleaning up request 3 ID 111 with timestamp +120
> > Ready to process requests.
> >
> >
> > The user and client passwords are correct and i don't understand the
> following errors :
> >
> > WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> > WARNING: Use the PAP or CHAP modules instead.
> > User-Password in the request does NOT match "known good" password.
> > Failed to authenticate the user.
> > WARNING: Unprintable characters in the password. Double-check the
> shared secret on the server and the NAS!
> >
> >
> > Thank you for your replies.
> >
> > Cordialement,
> >
> > - -
> >
> > Benjamin Dupalut
> > Administrateur système et réseau
> > Service des Moyens Informatiques Généraux (SMIG)
> > ESIEE Paris
> > 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
> > T : +33 1 45 92 66 17
> > benjamin.dupalut@esiee.fr
> > www.esiee.fr / www.cci-paris-idf.fr
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Thank you for your replies.
I wrote "clientpassword" so i don't publish a private password in this
public mail. I modified the clients.conf file to set the localhost
client password to "testing123" and perform this new radtest :
root@freeradius:/etc/freeradius# radtest testfreeradius 123 127.0.0.1 0
testing123
Sending Access-Request of id 68 to 127.0.0.1 port 1812
User-Name = "testfreeradius"
User-Password = "123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=68,
length=20
Here it is the freeradius -X debug :
rad_recv: Access-Request packet from host 127.0.0.1 port 35730, id=68,
length=84
User-Name = "testfreeradius"
User-Password = "123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0xb48c8d817ebe7b7ff9cfeeefa1de6b2e
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1
[auth_log] expand:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20160324
[auth_log]
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20160324
[auth_log] expand: %t -> Thu Mar 24 10:26:33 2016
++[auth_log] = ok
++[mschap] = noop
[suffix] No '@' in User-Name = "testfreeradius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
++group {
[ldap_1] performing user authorization for testfreeradius
[ldap_1] expand: %{Stripped-User-Name} ->
[ldap_1] ... expanding second conditional
[ldap_1] expand: %{User-Name} -> testfreeradius
[ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testfreeradius)
[ldap_1] expand: ou=Users,dc=esiee,dc=fr -> ou=Users,dc=esiee,dc=fr
[ldap_1] ldap_get_conn: Checking Id: 0
[ldap_1] ldap_get_conn: Got Id: 0
[ldap_1] performing search in ou=Users,dc=esiee,dc=fr, with filter
(uid=testfreeradius)
[ldap_1] checking if remote access for testfreeradius is allowed by uid
[ldap_1] No default NMAS login sequence
[ldap_1] looking for check items in directory...
[ldap_1] sambaNtPassword -> NT-Password ==
0x3344424445363937443731363930413736393230344245423132323833363738
[ldap_1] sambaLmPassword -> LM-Password ==
0x4343463931353545334537444234353341414433423433354235313430344545
[ldap_1] userPassword -> Cleartext-Password ==
"{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
[ldap_1] userPassword -> Password-With-Header ==
"{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
[ldap_1] sambaNtPassword -> NT-Password ==
0x3344424445363937443731363930413736393230344245423132323833363738
[ldap_1] sambaLmPassword -> LM-Password ==
0x4343463931353545334537444234353341414433423433354235313430344545
[ldap_1] looking for reply items in directory...
[ldap_1] user testfreeradius authorized to use remote access
[ldap_1] ldap_release_conn: Release Id: 0
+++[ldap_1] = ok
++} # group = ok
+} # group authorize = ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> testfreeradius
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 68 to 127.0.0.1 port 35730
Waking up in 4.9 seconds.
Cleaning up request 3 ID 68 with timestamp +1377
Ready to process requests.
Here it is the client.conf file :
client 127.0.0.1 {
secret = testing123
shortname = localhost
nastype = other # localhost isn't usually a NAS...
}
Cordialement,
- -
Benjamin Dupalut
Administrateur système et réseau
Service des Moyens Informatiques Généraux (SMIG)
ESIEE Paris
2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
T : +33 1 45 92 66 17
benjamin.dupalut@esiee.fr
www.esiee.fr / www.cci-paris-idf.fr
Le 24/03/2016 05:45, Anirudh Malhotra a écrit :
> Yes i think the shared secret are not matching thats why we see unencrypted value of user password as something else and hence it fails to match with the "known good" password.
>
> BR,
> Anirudh Malhotra
> 8zero2
> Mail: 8zero2.in@gmail.com
> Facebook: www.facebook.com/8zero2
> Twitter: @8zero2_in
> Blog: blog.8zero2.in
>
> On 24 Mar 2016, 00:00 +0530, Peter Lambrechtsen<peter@crypt.nz>, wrote:
>> On Mar 24, 2016 6:11 AM, "Benjamin Dupalut"<benjamin.dupalut@esiee.fr
>> wrote:
>>>
>>> Hi,
>>>
>>> First of all, sorry for my bad english.
>>>
>>> I have installed Freeradius (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to
>> authenticate users via our LDAP. I face an issue when i perform this
>> radtest : /radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"/
>>
>> The default config the shared secret is testing123 rather than
>> clientpassword
>>
>>>
>>> Here is the freeradius -X debug :
>>>
>>>
>>> rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
>> length=48
>>> Sending duplicate reply to client localhost port 44928 - ID: 111
>>> Sending Access-Reject of id 111 to 127.0.0.1 port 44928
>>> Waking up in 2.9 seconds.
>>> Cleaning up request 2 ID 111 with timestamp +114
>>> Ready to process requests.
>>> rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
>> length=48
>>> User-Name = "toto"
>>> User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ"
>>
>> This would be the cleartext password if your secret matched.
>>
>>> server inner-tunnel {
>>> # Executing section authorize from file
>> /etc/freeradius/sites-enabled/inner-tunnel
>>> +group authorize {
>>> ++[mschap] = noop
>>> [suffix] No '@' in User-Name = "toto", looking up realm NULL
>>> [suffix] No such realm "NULL"
>>> ++[suffix] = noop
>>> ++update control {
>>> ++} # update control = noop
>>> [eap] No EAP-Message, not doing EAP
>>> ++[eap] = noop
>>> ++[files] = noop
>>> ++group {
>>> [ldap_1] performing user authorization for toto
>>> [ldap_1] expand: %{Stripped-User-Name} -
>>> [ldap_1] ... expanding second conditional
>>> [ldap_1] expand: %{User-Name} ->toto
>>> [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
>> (uid=toto)
>>> [ldap_1] expand: ou=Users,dc=XXXX,dc=fr ->ou=Users,dc=XXXX,dc=fr
>>> [ldap_1] ldap_get_conn: Checking Id: 0
>>> [ldap_1] ldap_get_conn: Got Id: 0
>>> [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter
>> (uid=toto)
>>> [ldap_1] checking if remote access for toto is allowed by uid
>>> [ldap_1] No default NMAS login sequence
>>> [ldap_1] looking for check items in directory...
>>> [ldap_1] sambaNtPassword ->NT-Password ==
>> 0x3344424445363937443731363930413736393230344245423132323833363738
>>> [ldap_1] sambaLmPassword ->LM-Password ==
>> 0x4343463931353545334537444234353341414433423433354235313430344545
>>> [ldap_1] userPassword ->Cleartext-Password ==
>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>>> [ldap_1] userPassword ->Password-With-Header ==
>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>>> [ldap_1] sambaNtPassword ->NT-Password ==
>> 0x3344424445363937443731363930413736393230344245423132323833363738
>>> [ldap_1] sambaLmPassword ->LM-Password ==
>> 0x4343463931353545334537444234353341414433423433354235313430344545
>>> [ldap_1] looking for reply items in directory...
>>> [ldap_1] user toto authorized to use remote access
>>> [ldap_1] ldap_release_conn: Release Id: 0
>>> +++[ldap_1] = ok
>>> ++} # group = ok
>>> ++[expiration] = noop
>>> ++[logintime] = noop
>>> +} # group authorize = ok
>>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>>> WARNING: Use the PAP or CHAP modules instead.
>>> User-Password in the request does NOT match "known good" password.
>>> Failed to authenticate the user.
>>> WARNING: Unprintable characters in the password. Double-check the
>> shared secret on the server and the NAS!
>>> } # server inner-tunnel
>>> Using Post-Auth-Type REJECT
>>> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
>>> +group REJECT {
>>> [attr_filter.access_reject] expand: %{User-Name} ->toto
>>> attr_filter: Matched entry DEFAULT at line 11
>>> ++[attr_filter.access_reject] = updated
>>> +} # group REJECT = updated
>>> Delaying reject of request 3 for 1 seconds
>>> Going to the next request
>>> Waking up in 0.9 seconds.
>>> Sending delayed reject for request 3
>>> Sending Access-Reject of id 111 to 127.0.0.1 port 44928
>>> Waking up in 4.9 seconds.
>>> Cleaning up request 3 ID 111 with timestamp +120
>>> Ready to process requests.
>>>
>>>
>>> The user and client passwords are correct and i don't understand the
>> following errors :
>>>
>>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>>> WARNING: Use the PAP or CHAP modules instead.
>>> User-Password in the request does NOT match "known good" password.
>>> Failed to authenticate the user.
>>> WARNING: Unprintable characters in the password. Double-check the
>> shared secret on the server and the NAS!
>>>
>>>
>>> Thank you for your replies.
>>>
>>> Cordialement,
>>>
>>> - -
>>>
>>> Benjamin Dupalut
>>> Administrateur système et réseau
>>> Service des Moyens Informatiques Généraux (SMIG)
>>> ESIEE Paris
>>> 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
>>> T : +33 1 45 92 66 17
>>> benjamin.dupalut@esiee.fr
>>> www.esiee.fr / www.cci-paris-idf.fr
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Set auth type as PAP or LDAP
Set pap in the end of authorize section.
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
BR,
Anirudh Malhotra
8zero2
Mail: 8zero2.in@gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in
On 24 Mar 2016, 15:07 +0530, Benjamin Dupalut<benjamin.dupalut@esiee.fr>, wrote:
> Hi,
>
> Thank you for your replies.
>
> I wrote "clientpassword" so i don't publish a private password in this
> public mail. I modified the clients.conf file to set the localhost
> client password to "testing123" and perform this new radtest :
>
> root@freeradius:/etc/freeradius# radtest testfreeradius 123 127.0.0.1 0
> testing123
> Sending Access-Request of id 68 to 127.0.0.1 port 1812
> User-Name = "testfreeradius"
> User-Password = "123"
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 0
> Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=68,
> length=20
>
> Here it is the freeradius -X debug :
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 35730, id=68,
> length=84
> User-Name = "testfreeradius"
> User-Password = "123"
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 0
> Message-Authenticator = 0xb48c8d817ebe7b7ff9cfeeefa1de6b2e
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> [auth_log] expand: %{Packet-Src-IP-Address} ->127.0.0.1
> [auth_log] expand:
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> ->/var/log/freeradius/radacct/127.0.0.1/auth-detail-20160324
> [auth_log]
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20160324
> [auth_log] expand: %t ->Thu Mar 24 10:26:33 2016
> ++[auth_log] = ok
> ++[mschap] = noop
> [suffix] No '@' in User-Name = "testfreeradius", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] = noop
> ++[files] = noop
> ++group {
> [ldap_1] performing user authorization for testfreeradius
> [ldap_1] expand: %{Stripped-User-Name} -
> [ldap_1] ... expanding second conditional
> [ldap_1] expand: %{User-Name} ->testfreeradius
> [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
> (uid=testfreeradius)
> [ldap_1] expand: ou=Users,dc=esiee,dc=fr ->ou=Users,dc=esiee,dc=fr
> [ldap_1] ldap_get_conn: Checking Id: 0
> [ldap_1] ldap_get_conn: Got Id: 0
> [ldap_1] performing search in ou=Users,dc=esiee,dc=fr, with filter
> (uid=testfreeradius)
> [ldap_1] checking if remote access for testfreeradius is allowed by uid
> [ldap_1] No default NMAS login sequence
> [ldap_1] looking for check items in directory...
> [ldap_1] sambaNtPassword ->NT-Password ==
> 0x3344424445363937443731363930413736393230344245423132323833363738
> [ldap_1] sambaLmPassword ->LM-Password ==
> 0x4343463931353545334537444234353341414433423433354235313430344545
> [ldap_1] userPassword ->Cleartext-Password ==
> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> [ldap_1] userPassword ->Password-With-Header ==
> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> [ldap_1] sambaNtPassword ->NT-Password ==
> 0x3344424445363937443731363930413736393230344245423132323833363738
> [ldap_1] sambaLmPassword ->LM-Password ==
> 0x4343463931353545334537444234353341414433423433354235313430344545
> [ldap_1] looking for reply items in directory...
> [ldap_1] user testfreeradius authorized to use remote access
> [ldap_1] ldap_release_conn: Release Id: 0
> +++[ldap_1] = ok
> ++} # group = ok
> +} # group authorize = ok
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
> User-Password in the request does NOT match "known good" password.
> Failed to authenticate the user.
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group REJECT {
> [attr_filter.access_reject] expand: %{User-Name} ->testfreeradius
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 3 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 3
> Sending Access-Reject of id 68 to 127.0.0.1 port 35730
> Waking up in 4.9 seconds.
> Cleaning up request 3 ID 68 with timestamp +1377
> Ready to process requests.
>
> Here it is the client.conf file :
>
> client 127.0.0.1 {
> secret = testing123
> shortname = localhost
> nastype = other # localhost isn't usually a NAS...
> }
>
> Cordialement,
>
> - -
>
> Benjamin Dupalut
> Administrateur système et réseau
> Service des Moyens Informatiques Généraux (SMIG)
> ESIEE Paris
> 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
> T : +33 1 45 92 66 17
> benjamin.dupalut@esiee.fr
> www.esiee.fr / www.cci-paris-idf.fr
>
> Le 24/03/2016 05:45, Anirudh Malhotra a écrit :
> > Yes i think the shared secret are not matching thats why we see unencrypted value of user password as something else and hence it fails to match with the "known good" password.
> >
> > BR,
> > Anirudh Malhotra
> > 8zero2
> > Mail: 8zero2.in@gmail.com
> > Facebook: www.facebook.com/8zero2
> > Twitter: @8zero2_in
> > Blog: blog.8zero2.in
> >
> > On 24 Mar 2016, 00:00 +0530, Peter Lambrechtsen<peter@crypt.nz>, wrote:
> > > On Mar 24, 2016 6:11 AM, "Benjamin Dupalut"<benjamin.dupalut@esiee.fr
> > > wrote:
> > > >
> > > > Hi,
> > > >
> > > > First of all, sorry for my bad english.
> > > >
> > > > I have installed Freeradius (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to
> > > authenticate users via our LDAP. I face an issue when i perform this
> > > radtest : /radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"/
> > >
> > > The default config the shared secret is testing123 rather than
> > > clientpassword
> > >
> > > >
> > > > Here is the freeradius -X debug :
> > > >
> > > >
> > > > rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
> > > length=48
> > > > Sending duplicate reply to client localhost port 44928 - ID: 111
> > > > Sending Access-Reject of id 111 to 127.0.0.1 port 44928
> > > > Waking up in 2.9 seconds.
> > > > Cleaning up request 2 ID 111 with timestamp +114
> > > > Ready to process requests.
> > > > rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
> > > length=48
> > > > User-Name = "toto"
> > > > User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ"
> > >
> > > This would be the cleartext password if your secret matched.
> > >
> > > > server inner-tunnel {
> > > > # Executing section authorize from file
> > > /etc/freeradius/sites-enabled/inner-tunnel
> > > > +group authorize {
> > > > ++[mschap] = noop
> > > > [suffix] No '@' in User-Name = "toto", looking up realm NULL
> > > > [suffix] No such realm "NULL"
> > > > ++[suffix] = noop
> > > > ++update control {
> > > > ++} # update control = noop
> > > > [eap] No EAP-Message, not doing EAP
> > > > ++[eap] = noop
> > > > ++[files] = noop
> > > > ++group {
> > > > [ldap_1] performing user authorization for toto
> > > > [ldap_1] expand: %{Stripped-User-Name} -
> > > > [ldap_1] ... expanding second conditional
> > > > [ldap_1] expand: %{User-Name} ->toto
> > > > [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
> > > (uid=toto)
> > > > [ldap_1] expand: ou=Users,dc=XXXX,dc=fr ->ou=Users,dc=XXXX,dc=fr
> > > > [ldap_1] ldap_get_conn: Checking Id: 0
> > > > [ldap_1] ldap_get_conn: Got Id: 0
> > > > [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter
> > > (uid=toto)
> > > > [ldap_1] checking if remote access for toto is allowed by uid
> > > > [ldap_1] No default NMAS login sequence
> > > > [ldap_1] looking for check items in directory...
> > > > [ldap_1] sambaNtPassword ->NT-Password ==
> > > 0x3344424445363937443731363930413736393230344245423132323833363738
> > > > [ldap_1] sambaLmPassword ->LM-Password ==
> > > 0x4343463931353545334537444234353341414433423433354235313430344545
> > > > [ldap_1] userPassword ->Cleartext-Password ==
> > > "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> > > > [ldap_1] userPassword ->Password-With-Header ==
> > > "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> > > > [ldap_1] sambaNtPassword ->NT-Password ==
> > > 0x3344424445363937443731363930413736393230344245423132323833363738
> > > > [ldap_1] sambaLmPassword ->LM-Password ==
> > > 0x4343463931353545334537444234353341414433423433354235313430344545
> > > > [ldap_1] looking for reply items in directory...
> > > > [ldap_1] user toto authorized to use remote access
> > > > [ldap_1] ldap_release_conn: Release Id: 0
> > > > +++[ldap_1] = ok
> > > > ++} # group = ok
> > > > ++[expiration] = noop
> > > > ++[logintime] = noop
> > > > +} # group authorize = ok
> > > > WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> > > > WARNING: Use the PAP or CHAP modules instead.
> > > > User-Password in the request does NOT match "known good" password.
> > > > Failed to authenticate the user.
> > > > WARNING: Unprintable characters in the password. Double-check the
> > > shared secret on the server and the NAS!
> > > > } # server inner-tunnel
> > > > Using Post-Auth-Type REJECT
> > > > # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> > > > +group REJECT {
> > > > [attr_filter.access_reject] expand: %{User-Name} ->toto
> > > > attr_filter: Matched entry DEFAULT at line 11
> > > > ++[attr_filter.access_reject] = updated
> > > > +} # group REJECT = updated
> > > > Delaying reject of request 3 for 1 seconds
> > > > Going to the next request
> > > > Waking up in 0.9 seconds.
> > > > Sending delayed reject for request 3
> > > > Sending Access-Reject of id 111 to 127.0.0.1 port 44928
> > > > Waking up in 4.9 seconds.
> > > > Cleaning up request 3 ID 111 with timestamp +120
> > > > Ready to process requests.
> > > >
> > > >
> > > > The user and client passwords are correct and i don't understand the
> > > following errors :
> > > >
> > > > WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> > > > WARNING: Use the PAP or CHAP modules instead.
> > > > User-Password in the request does NOT match "known good" password.
> > > > Failed to authenticate the user.
> > > > WARNING: Unprintable characters in the password. Double-check the
> > > shared secret on the server and the NAS!
> > > >
> > > >
> > > > Thank you for your replies.
> > > >
> > > > Cordialement,
> > > >
> > > > - -
> > > >
> > > > Benjamin Dupalut
> > > > Administrateur système et réseau
> > > > Service des Moyens Informatiques Généraux (SMIG)
> > > > ESIEE Paris
> > > > 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
> > > > T : +33 1 45 92 66 17
> > > > benjamin.dupalut@esiee.fr
> > > > www.esiee.fr / www.cci-paris-idf.fr
> > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > > -
> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Unless i made a mistake, it should already be set. See my "inner-tunnel" :
server inner-tunnel {
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}
authorize {
mschap
suffix
update control {
Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
files
group {
ldap_1
}
expiration
logintime
}
authenticate {
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
session {
radutmp
}
post-auth {
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
} # inner-tunnel server block
In my previous radtest, i don't set the port to 18120. Here is the new
radtest and freeradius -X :
root@freeradius:/etc/freeradius/sites-enabled# radtest testfreeradius
123 127.0.0.1:18120 0 testing123
Sending Access-Request of id 243 to 127.0.0.1 port 18120
User-Name = "testfreeradius"
User-Password = "123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 18120, id=243,
length=20
rad_recv: Access-Request packet from host 127.0.0.1 port 50017, id=243,
length=84
User-Name = "testfreeradius"
User-Password = "123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x7575a48753b9ab51dcbed43d84c4e5ee
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[mschap] = noop
[suffix] No '@' in User-Name = "testfreeradius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
++group {
[ldap_1] performing user authorization for testfreeradius
[ldap_1] expand: %{Stripped-User-Name} ->
[ldap_1] ... expanding second conditional
[ldap_1] expand: %{User-Name} -> testfreeradius
[ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testfreeradius)
[ldap_1] expand: ou=Users,dc=esiee,dc=fr -> ou=Users,dc=esiee,dc=fr
[ldap_1] ldap_get_conn: Checking Id: 0
[ldap_1] ldap_get_conn: Got Id: 0
[ldap_1] performing search in ou=Users,dc=esiee,dc=fr, with filter
(uid=testfreeradius)
[ldap_1] checking if remote access for testfreeradius is allowed by uid
[ldap_1] No default NMAS login sequence
[ldap_1] looking for check items in directory...
[ldap_1] sambaNtPassword -> NT-Password ==
0x3344424445363937443731363930413736393230344245423132323833363738
[ldap_1] sambaLmPassword -> LM-Password ==
0x4343463931353545334537444234353341414433423433354235313430344545
[ldap_1] userPassword -> Cleartext-Password ==
"{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
[ldap_1] userPassword -> Password-With-Header ==
"{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
[ldap_1] sambaNtPassword -> NT-Password ==
0x3344424445363937443731363930413736393230344245423132323833363738
[ldap_1] sambaLmPassword -> LM-Password ==
0x4343463931353545334537444234353341414433423433354235313430344545
[ldap_1] looking for reply items in directory...
[ldap_1] user testfreeradius authorized to use remote access
[ldap_1] ldap_release_conn: Release Id: 0
+++[ldap_1] = ok
++} # group = ok
++[expiration] = noop
++[logintime] = noop
+} # group authorize = ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.
} # server inner-tunnel
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> testfreeradius
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 243 to 127.0.0.1 port 50017
Waking up in 4.9 seconds.
Cleaning up request 6 ID 243 with timestamp +6068
Ready to process requests.
Cordialement,
- -
Benjamin Dupalut
Administrateur système et réseau
Service des Moyens Informatiques Généraux (SMIG)
ESIEE Paris
2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
T : +33 1 45 92 66 17
benjamin.dupalut@esiee.fr
www.esiee.fr / www.cci-paris-idf.fr
Le 24/03/2016 10:58, Anirudh Malhotra a écrit :
> Set auth type as PAP or LDAP
> Set pap in the end of authorize section.
>
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>
> BR,
> Anirudh Malhotra
> 8zero2
> Mail: 8zero2.in@gmail.com
> Facebook: www.facebook.com/8zero2
> Twitter: @8zero2_in
> Blog: blog.8zero2.in
>
> On 24 Mar 2016, 15:07 +0530, Benjamin Dupalut<benjamin.dupalut@esiee.fr>, wrote:
>> Hi,
>>
>> Thank you for your replies.
>>
>> I wrote "clientpassword" so i don't publish a private password in this
>> public mail. I modified the clients.conf file to set the localhost
>> client password to "testing123" and perform this new radtest :
>>
>> root@freeradius:/etc/freeradius# radtest testfreeradius 123 127.0.0.1 0
>> testing123
>> Sending Access-Request of id 68 to 127.0.0.1 port 1812
>> User-Name = "testfreeradius"
>> User-Password = "123"
>> NAS-IP-Address = 127.0.1.1
>> NAS-Port = 0
>> Message-Authenticator = 0x00000000000000000000000000000000
>> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=68,
>> length=20
>>
>> Here it is the freeradius -X debug :
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 35730, id=68,
>> length=84
>> User-Name = "testfreeradius"
>> User-Password = "123"
>> NAS-IP-Address = 127.0.1.1
>> NAS-Port = 0
>> Message-Authenticator = 0xb48c8d817ebe7b7ff9cfeeefa1de6b2e
>> # Executing section authorize from file
>> /etc/freeradius/sites-enabled/default
>> +group authorize {
>> ++[preprocess] = ok
>> [auth_log] expand: %{Packet-Src-IP-Address} ->127.0.0.1
>> [auth_log] expand:
>> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> ->/var/log/freeradius/radacct/127.0.0.1/auth-detail-20160324
>> [auth_log]
>> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20160324
>> [auth_log] expand: %t ->Thu Mar 24 10:26:33 2016
>> ++[auth_log] = ok
>> ++[mschap] = noop
>> [suffix] No '@' in User-Name = "testfreeradius", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] = noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] = noop
>> ++[files] = noop
>> ++group {
>> [ldap_1] performing user authorization for testfreeradius
>> [ldap_1] expand: %{Stripped-User-Name} -
>> [ldap_1] ... expanding second conditional
>> [ldap_1] expand: %{User-Name} ->testfreeradius
>> [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
>> (uid=testfreeradius)
>> [ldap_1] expand: ou=Users,dc=esiee,dc=fr ->ou=Users,dc=esiee,dc=fr
>> [ldap_1] ldap_get_conn: Checking Id: 0
>> [ldap_1] ldap_get_conn: Got Id: 0
>> [ldap_1] performing search in ou=Users,dc=esiee,dc=fr, with filter
>> (uid=testfreeradius)
>> [ldap_1] checking if remote access for testfreeradius is allowed by uid
>> [ldap_1] No default NMAS login sequence
>> [ldap_1] looking for check items in directory...
>> [ldap_1] sambaNtPassword ->NT-Password ==
>> 0x3344424445363937443731363930413736393230344245423132323833363738
>> [ldap_1] sambaLmPassword ->LM-Password ==
>> 0x4343463931353545334537444234353341414433423433354235313430344545
>> [ldap_1] userPassword ->Cleartext-Password ==
>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>> [ldap_1] userPassword ->Password-With-Header ==
>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>> [ldap_1] sambaNtPassword ->NT-Password ==
>> 0x3344424445363937443731363930413736393230344245423132323833363738
>> [ldap_1] sambaLmPassword ->LM-Password ==
>> 0x4343463931353545334537444234353341414433423433354235313430344545
>> [ldap_1] looking for reply items in directory...
>> [ldap_1] user testfreeradius authorized to use remote access
>> [ldap_1] ldap_release_conn: Release Id: 0
>> +++[ldap_1] = ok
>> ++} # group = ok
>> +} # group authorize = ok
>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>> WARNING: Use the PAP or CHAP modules instead.
>> User-Password in the request does NOT match "known good" password.
>> Failed to authenticate the user.
>> Using Post-Auth-Type REJECT
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +group REJECT {
>> [attr_filter.access_reject] expand: %{User-Name} ->testfreeradius
>> attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] = updated
>> +} # group REJECT = updated
>> Delaying reject of request 3 for 1 seconds
>> Going to the next request
>> Waking up in 0.9 seconds.
>> Sending delayed reject for request 3
>> Sending Access-Reject of id 68 to 127.0.0.1 port 35730
>> Waking up in 4.9 seconds.
>> Cleaning up request 3 ID 68 with timestamp +1377
>> Ready to process requests.
>>
>> Here it is the client.conf file :
>>
>> client 127.0.0.1 {
>> secret = testing123
>> shortname = localhost
>> nastype = other # localhost isn't usually a NAS...
>> }
>>
>> Cordialement,
>>
>> - -
>>
>> Benjamin Dupalut
>> Administrateur système et réseau
>> Service des Moyens Informatiques Généraux (SMIG)
>> ESIEE Paris
>> 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
>> T : +33 1 45 92 66 17
>> benjamin.dupalut@esiee.fr
>> www.esiee.fr / www.cci-paris-idf.fr
>>
>> Le 24/03/2016 05:45, Anirudh Malhotra a écrit :
>>> Yes i think the shared secret are not matching thats why we see unencrypted value of user password as something else and hence it fails to match with the "known good" password.
>>>
>>> BR,
>>> Anirudh Malhotra
>>> 8zero2
>>> Mail: 8zero2.in@gmail.com
>>> Facebook: www.facebook.com/8zero2
>>> Twitter: @8zero2_in
>>> Blog: blog.8zero2.in
>>>
>>> On 24 Mar 2016, 00:00 +0530, Peter Lambrechtsen<peter@crypt.nz>, wrote:
>>>> On Mar 24, 2016 6:11 AM, "Benjamin Dupalut"<benjamin.dupalut@esiee.fr
>>>> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> First of all, sorry for my bad english.
>>>>>
>>>>> I have installed Freeradius (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to
>>>> authenticate users via our LDAP. I face an issue when i perform this
>>>> radtest : /radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"/
>>>>
>>>> The default config the shared secret is testing123 rather than
>>>> clientpassword
>>>>
>>>>>
>>>>> Here is the freeradius -X debug :
>>>>>
>>>>>
>>>>> rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
>>>> length=48
>>>>> Sending duplicate reply to client localhost port 44928 - ID: 111
>>>>> Sending Access-Reject of id 111 to 127.0.0.1 port 44928
>>>>> Waking up in 2.9 seconds.
>>>>> Cleaning up request 2 ID 111 with timestamp +114
>>>>> Ready to process requests.
>>>>> rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
>>>> length=48
>>>>> User-Name = "toto"
>>>>> User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ"
>>>>
>>>> This would be the cleartext password if your secret matched.
>>>>
>>>>> server inner-tunnel {
>>>>> # Executing section authorize from file
>>>> /etc/freeradius/sites-enabled/inner-tunnel
>>>>> +group authorize {
>>>>> ++[mschap] = noop
>>>>> [suffix] No '@' in User-Name = "toto", looking up realm NULL
>>>>> [suffix] No such realm "NULL"
>>>>> ++[suffix] = noop
>>>>> ++update control {
>>>>> ++} # update control = noop
>>>>> [eap] No EAP-Message, not doing EAP
>>>>> ++[eap] = noop
>>>>> ++[files] = noop
>>>>> ++group {
>>>>> [ldap_1] performing user authorization for toto
>>>>> [ldap_1] expand: %{Stripped-User-Name} -
>>>>> [ldap_1] ... expanding second conditional
>>>>> [ldap_1] expand: %{User-Name} ->toto
>>>>> [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
>>>> (uid=toto)
>>>>> [ldap_1] expand: ou=Users,dc=XXXX,dc=fr ->ou=Users,dc=XXXX,dc=fr
>>>>> [ldap_1] ldap_get_conn: Checking Id: 0
>>>>> [ldap_1] ldap_get_conn: Got Id: 0
>>>>> [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter
>>>> (uid=toto)
>>>>> [ldap_1] checking if remote access for toto is allowed by uid
>>>>> [ldap_1] No default NMAS login sequence
>>>>> [ldap_1] looking for check items in directory...
>>>>> [ldap_1] sambaNtPassword ->NT-Password ==
>>>> 0x3344424445363937443731363930413736393230344245423132323833363738
>>>>> [ldap_1] sambaLmPassword ->LM-Password ==
>>>> 0x4343463931353545334537444234353341414433423433354235313430344545
>>>>> [ldap_1] userPassword ->Cleartext-Password ==
>>>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>>>>> [ldap_1] userPassword ->Password-With-Header ==
>>>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>>>>> [ldap_1] sambaNtPassword ->NT-Password ==
>>>> 0x3344424445363937443731363930413736393230344245423132323833363738
>>>>> [ldap_1] sambaLmPassword ->LM-Password ==
>>>> 0x4343463931353545334537444234353341414433423433354235313430344545
>>>>> [ldap_1] looking for reply items in directory...
>>>>> [ldap_1] user toto authorized to use remote access
>>>>> [ldap_1] ldap_release_conn: Release Id: 0
>>>>> +++[ldap_1] = ok
>>>>> ++} # group = ok
>>>>> ++[expiration] = noop
>>>>> ++[logintime] = noop
>>>>> +} # group authorize = ok
>>>>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>>>>> WARNING: Use the PAP or CHAP modules instead.
>>>>> User-Password in the request does NOT match "known good" password.
>>>>> Failed to authenticate the user.
>>>>> WARNING: Unprintable characters in the password. Double-check the
>>>> shared secret on the server and the NAS!
>>>>> } # server inner-tunnel
>>>>> Using Post-Auth-Type REJECT
>>>>> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
>>>>> +group REJECT {
>>>>> [attr_filter.access_reject] expand: %{User-Name} ->toto
>>>>> attr_filter: Matched entry DEFAULT at line 11
>>>>> ++[attr_filter.access_reject] = updated
>>>>> +} # group REJECT = updated
>>>>> Delaying reject of request 3 for 1 seconds
>>>>> Going to the next request
>>>>> Waking up in 0.9 seconds.
>>>>> Sending delayed reject for request 3
>>>>> Sending Access-Reject of id 111 to 127.0.0.1 port 44928
>>>>> Waking up in 4.9 seconds.
>>>>> Cleaning up request 3 ID 111 with timestamp +120
>>>>> Ready to process requests.
>>>>>
>>>>>
>>>>> The user and client passwords are correct and i don't understand the
>>>> following errors :
>>>>>
>>>>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>>>>> WARNING: Use the PAP or CHAP modules instead.
>>>>> User-Password in the request does NOT match "known good" password.
>>>>> Failed to authenticate the user.
>>>>> WARNING: Unprintable characters in the password. Double-check the
>>>> shared secret on the server and the NAS!
>>>>>
>>>>>
>>>>> Thank you for your replies.
>>>>>
>>>>> Cordialement,
>>>>>
>>>>> - -
>>>>>
>>>>> Benjamin Dupalut
>>>>> Administrateur système et réseau
>>>>> Service des Moyens Informatiques Généraux (SMIG)
>>>>> ESIEE Paris
>>>>> 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
>>>>> T : +33 1 45 92 66 17
>>>>> benjamin.dupalut@esiee.fr
>>>>> www.esiee.fr / www.cci-paris-idf.fr
>>>>>
>>>>> -
>>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>>> -
>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Unless i made a mistake, it should already be set. See my "inner-tunnel" :
Radtest does not run through the inner-tunnel though. inner-tunnel is only invoked if you do an EAP authentication, and considering that radtest does not speak EAP (eapol_test does), you're testing the outer tunnel, i.e. the 'default' server. If you connect to localhost on port 18120 and it works, then you're testing the inner-tunnel server. Also, as much as you're sending us the FR debug output for the request, you haven't sent the *full* debug output that gives us clues as to what the rest of your configuration looks like. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Radtest does not run through the inner-tunnel though. inner-tunnel is only invoked if you do an EAP authentication, and considering that radtest does not speak EAP (eapol_test does), you're testing the outer tunnel, i.e. the 'default' server. I set the IP address to "127.0.0.1:18120" and the debug output is : server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel Doesn't that means it run trough the inner-tunnel ? If you connect to localhost on port 18120 and it works, then you're testing the inner-tunnel server. What do you mean by "connect" ? Also, as much as you're sending us the FR debug output for the request, you haven't sent the *full* debug output that gives us clues as to what the rest of your configuration looks like. I thought i sent the full debug output. I copy/paste all the output from freeradius -X. Do you want me to copy/paste my configurations files like i did with the "clients" file ? Sorry if I did not clearly understand your explanations. My English is maybe not good enough.
Regards, - - Benjamin Dupalut Administrateur systeme et reseau Service des Moyens Informatiques Generaux (SMIG) ESIEE Paris 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex T : +33 1 45 92 66 17 [1]benjamin.dupalut@esiee.fr [2]www.esiee.fr / [3]www.cci-paris-idf.fr References 1. mailto:benjamin.dupalut@esiee.fr 2. http://www.esiee.fr/ 3. http://www.cci-paris-idf.fr/
I set the IP address to "127.0.0.1:18120" and the debug output is : server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel Doesn't that means it run trough the inner-tunnel ?
Yes, that's what I meant by connecting to port 18120.
I thought i sent the full debug output. I copy/paste all the output from freeradius -X. Do you want me to copy/paste my configurations files like i did with the "clients" file ?
When you run freeradius -X, the debug starts with the copyright notice at the top. You don't have to worry about passwords being exposed, because in newer versions you'll see "<<< secret >>>" instead of the real password/client secret. :-) This tends to help people like Alan and Arran when they're trying to help you.
You don't have pap listed in your auth config.... Is PAP necessary if i already set LDAP ?
Yes, looking at some of the output:
[ldap_1] looking for check items in directory... [ldap_1] sambaNtPassword -> NT-Password == 0x3344424445363937443731363930413736393230344245423132323833363738 [ldap_1] sambaLmPassword -> LM-Password == 0x4343463931353545334537444234353341414433423433354235313430344545 [ldap_1] userPassword -> Cleartext-Password == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap_1] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
You receive NT-Password and LM-Password back, as well as Password-With-Header with a '{MD5}' header in it. PAP will deal with that password... Include 'pap' in the authorize section *after* ldap_1, then in the authenticate section add the PAP type back in: Auth-Type PAP { Pap } Try it then. If you're adding this into the inner-tunnel, make sure you tell radtest to connect to localhost:18120. With Regards Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
You don't have pap listed in your auth config....and you've got something setting Auth type to local (in your users file? ) alan
You don't have pap listed in your auth config....
Is PAP necessary if i already set LDAP ?
and you've got something setting Auth type to local (in your users file? )
here is my "users" file : DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP Where else can the "Auth type : local" parameter be set ? Cordialement, - - Benjamin Dupalut Administrateur système et réseau Service des Moyens Informatiques Généraux (SMIG) ESIEE Paris 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex T : +33 1 45 92 66 17 benjamin.dupalut@esiee.fr www.esiee.fr / www.cci-paris-idf.fr Le 24/03/2016 12:50, Alan Buxey a écrit :
You don't have pap listed in your auth config....and you've got something setting Auth type to local (in your users file? )
alan
On Mar 24, 2016, at 6:43 AM, Benjamin Dupalut <benjamin.dupalut@esiee.fr> wrote:
Unless i made a mistake, it should already be set. See my "inner-tunnel" :
You edited the file and broke the server. Don't do that. Start with the default configuration. It works. Then, make changes for your local LDAP server, etc. Test each change before making another change. Alan DeKok.
On Mar 24, 2016, at 5:33 AM, Benjamin Dupalut <benjamin.dupalut@esiee.fr> wrote:
Thank you for your replies.
I wrote "clientpassword" so i don't publish a private password in this public mail. I modified the clients.conf file to set the localhost client password to "testing123" and perform this new radtest :
The shared secrets have to match. In this test, they match. In your previous test, they did not match.
root@freeradius:/etc/freeradius# radtest testfreeradius 123 127.0.0.1 0 testing123 Sending Access-Request of id 68 to 127.0.0.1 port 1812 User-Name = "testfreeradius" User-Password = "123"
Is that the correct password?
WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead.
And you haven't listed "pap" in the "authorize" section, as I suggested. Are you reading the replies to your posts?
User-Password in the request does NOT match "known good" password.
That's definitive. The users password is not "123". Alan DeKok.
I restart from a clean installation . I have to set up a freeradius server for a 802.1x authentication for wifi users via our openLDAP. Can you, please, recommend me some documentations so i start over on correct bases ? Thank you for your advices. Cordialement, - - Benjamin Dupalut Administrateur système et réseau Service des Moyens Informatiques Généraux (SMIG) ESIEE Paris 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex T : +33 1 45 92 66 17 benjamin.dupalut@esiee.fr www.esiee.fr / www.cci-paris-idf.fr Le 24/03/2016 14:32, Alan DeKok a écrit :
On Mar 24, 2016, at 5:33 AM, Benjamin Dupalut <benjamin.dupalut@esiee.fr> wrote:
Thank you for your replies.
I wrote "clientpassword" so i don't publish a private password in this public mail. I modified the clients.conf file to set the localhost client password to "testing123" and perform this new radtest : The shared secrets have to match. In this test, they match. In your previous test, they did not match.
root@freeradius:/etc/freeradius# radtest testfreeradius 123 127.0.0.1 0 testing123 Sending Access-Request of id 68 to 127.0.0.1 port 1812 User-Name = "testfreeradius" User-Password = "123" Is that the correct password? WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. And you haven't listed "pap" in the "authorize" section, as I suggested.
Are you reading the replies to your posts?
User-Password in the request does NOT match "known good" password. That's definitive. The users password is not "123".
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 25, 2016, at 4:06 AM, Benjamin Dupalut <benjamin.dupalut@esiee.fr> wrote:
I restart from a clean installation . I have to set up a freeradius server for a 802.1x authentication for wifi users via our openLDAP. Can you, please, recommend me some documentations so i start over on correct bases ?
Don't break the configuration. If you don't understand what something does, leave it alone. Make small changes, and test them. Change one thing at a time. Read "man radiusd". This process is documented there. Alan DeKok.
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Anirudh Malhotra -
Benjamin Dupalut -
Peter Lambrechtsen -
Stefan Paetow