I am migrating my RADIUS from: a) FreeBSD, FreeRADIUS 1.1.7, eDirectory lookups. to b) Solaris 10 x86, FreeRADIUS 2.0.1, Active Directory, winbindd etc. I stripped out all the LDAP stuff from the config, enabled ntlm_auth in the mschap module, changed the users file DEFAULT entry from LDAP to mschap, and bingo it works, almost! At least both "a" and "b" work for 802.1x/EAP-TTLS clients. However for other clients such as EZProxy, only "a" works.
From my new config, debug says:
+- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: No MS-CHAP-Challenge in the request ++[mschap] returns reject So it fails. My Question is: "Where is no ClearText-Password configured?" 1) Is it the RADIUS client not providing one? 2) Is it the RADIUS config that is missing something? 3) Is it the AD directory that is missing a ClearText-Password? --------------- Barry Dean Networks Team Computing Services Department Tel: 0151 794 5641 (x45641)
4) "changed the users file DEFAULT entry from LDAP to mschap"
+- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: No MS-CHAP-Challenge in the request ++[mschap] returns reject
Post the whole debug. It looks like you are trying to force mschap onto something that isn't a mschap request. Ivan Kalik Kalik Informatika ISP
Debug: ============== rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, length=49 User-Name = "user" User-Password = "passwd" NAS-IP-Address = 138.253.XXX.XXX +- entering group authorize ++[preprocess] returns ok ++? if ("%{User-Name}" =~ /barred-user/i) expand: %{User-Name} -> user ? Evaluating ("%{User-Name}" =~ /barred-user/i) -> FALSE ++? if ("%{User-Name}" =~ /barred-user/i) -> FALSE expand: /usr/radius201/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/radius201/log/radacct/138.253.XXX.XXX/auth-detail-20080303 rlm_detail: /usr/radius201/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/radius201/log/radacct/138.253.XXX.XXX/auth-detail-20080303 expand: %t -> Mon Mar 3 11:28:08 2008 ++[auth_log] returns ok ++[mschap] returns noop ++[chap] returns noop rlm_realm: No '@' in User-Name = "user", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Proxying request from user user to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop users: Matched entry DEFAULT at line 211 ++[files] returns ok rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type mschap auth: type "MSCHAP" +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: No MS-CHAP-Challenge in the request ++[mschap] returns reject auth: Failed to validate the user. Login incorrect: [user/passwd] (from client EZProxy port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 195 to 138.253.XXX.XXX port 47032 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, length=49 Sending duplicate reply to client EZProxy port 47032 - ID: 195 Sending Access-Reject of id 195 to 138.253.XXX.XXX port 47032 Waking up in 4.9 seconds. Cleaning up request 0 ID 195 with timestamp +24 Ready to process requests. ================== Config: users: DEFAULT Auth-Type = mschap Acct-Session-Id = "Local", Fall-Through = Yes radiusd.conf: mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/sfw/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } If I don’t force MSCHAP in users, how else do I get the user checked against AD when the only place ntlm_auth is called is inside the mschap module? --------------- Barry Dean Networks Team
Hi,
rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, length=49 User-Name = "user" User-Password = "passwd" NAS-IP-Address = 138.253.XXX.XXX
There. No MS-CHAP-Challenge. You are not supposed to process this packet with the rlm_mschap module. Why does it fail? ...
Config:
users:
DEFAULT Auth-Type = mschap Acct-Session-Id = "Local", Fall-Through = Yes
Write a hundred times on the blackboard: "I will not set Auth-Type." The server will figure out itself what to do. In this case, PAP.
If I don’t force MSCHAP in users, how else do I get the user checked against AD when the only place ntlm_auth is called is inside the mschap module?
You configure your AD server in the ldap {} section and uncomment the ldap stanzas in authorize and authenticate. You don't call ntlm_auth then, and that is because you don't need ntlm_auth - user authentication is done with an LDAP bind() operation with the user credentials. Greetings, Stefan Winter -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
Hi,
rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, length=49 User-Name = "user" User-Password = "passwd" NAS-IP-Address = 138.253.XXX.XXX
There. No MS-CHAP-Challenge. You are not supposed to process this packet with the rlm_mschap module. Why does >it fail? ...
I see now why this was failing. Client was doing non-MSCHAP and there was no section telling RADIUS how to authenticate this type of request.
Config:
users:
DEFAULT Auth-Type = mschap Acct-Session-Id = "Local", Fall-Through = Yes
Write a hundred times on the blackboard: "I will not set Auth-Type." The server will figure out itself what to >do. In this case, PAP.
Duly removed. I inherited the config and assumed it had been added for good reason. It works without so it has been removed.
If I don’t force MSCHAP in users, how else do I get the user checked against AD when the only place ntlm_auth is called is inside the mschap module?
You configure your AD server in the ldap {} section and uncomment the ldap stanzas in authorize and >authenticate. You don't call ntlm_auth then, and that is because you don't need ntlm_auth - user authentication >is done with an LDAP bind() operation with the user credentials.
With some pain, I now have the LDAP to AD authentication working. I have not tested *all* methods, but the ones I am interested in supporting seem to work. EAP-MD5 fails, but that is an exercise for another day if I feel I need to fix it.
Greetings,
Stefan Winter
Thanks for your help. You pointed me in the right direction which was all I needed really. --------------- Barry Dean Networks Team
participants (3)
-
Dean, Barry -
Ivan Kalik -
Stefan Winter