Help migrating from 1.1.7 to 2.1.10 - clear text password being lost
Hi Radius Fans, I am trying to move our current environment from 1.1.7 to 2.1.10 and are having a problem getting things to work. We have a Novell NDSLdap server which provides clear text passwords for Novell users. We are using peap-mschapv2. In looking at the logs and Eap-Messages we see: response 01 identity (username) -> server The server looks up the user in ndsldap and: Info: [ldap] Added the eDirectory password (password removed) in check items as Cleartext-Password Then the server sends a request 02 to use EAP-TLS There are a series of responses (mostly appear to be ack) and requests to get the tunnel setup which succeeds. Near the end the client sends a response (ID=8) which is a response to the mschap2 challenge. When the server is processing this response it reports: Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password. I put in some additional debugging and found that address of the request->config_item has changed from when the ldap module put the cleartext password in as a pair and when the mschap module attempts to remove it. The ldap module is called in authorize and the mschap is called in authenticate. What might be causing the request->config to be at a different location between when the clear text password is stored and when it is needed to authenticate? johnh...
On Fri, Mar 11, 2011 at 1:48 AM, John Hayward <john.hayward@wheaton.edu> wrote:
Hi Radius Fans, I am trying to move our current environment from 1.1.7 to 2.1.10 and are having a problem getting things to work.
We have a Novell NDSLdap server which provides clear text passwords for Novell users. We are using peap-mschapv2.
In looking at the logs and Eap-Messages we see: response 01 identity (username) -> server The server looks up the user in ndsldap and: Info: [ldap] Added the eDirectory password (password removed) in check items as Cleartext-Password Then the server sends a request 02 to use EAP-TLS There are a series of responses (mostly appear to be ack) and requests to get the tunnel setup which succeeds. Near the end the client sends a response (ID=8) which is a response to the mschap2 challenge. When the server is processing this response it reports: Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password.
The usual response would be http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21
From your limited info, I'd guess that the first place to look is make sure that ldap section (for ndsldap) is listed in BOTH outer tunnel (raddb/sites-enabled/default) and inner tunnel (raddb/sites-enabled/inner-tunnel)
-- Fajar
Hi Radius Fans, I am trying to move our current environment from 1.1.7 to 2.1.10 and are having a problem getting things to work.
We have a Novell NDSLdap server which provides clear text passwords for Novell users. We are using peap-mschapv2. ....
What might be causing the request->config to be at a different location between when the clear text password is stored and when it is needed to authenticate?
What happens is that when a packet is sent from the server to the client radius discards the request-config which contains the password on the identity reply. In the inner-tunnel you need to have ldap specified (as well as the default) so that it will look up the password (again). (my mistake) I was surprised that it appears that in the current environment for both default and inner-tunnel: ==== # The example below uses module failover to avoid querying all # of the following modules if the EAP module returns "ok". # Therefore, your LDAP and/or SQL servers will not be queried # for the many packets that go back and forth to set up TTLS # or PEAP. The load on those servers will therefore be reduced. # eap { ok = return } ==== That there are 3 queries to the ldap server and 3 queries to the sql server (which is a lot better than the 12 of each which occur without this option) I assumed that if radius looked up the password via ldap or sql in default it might have them for inner - but i guess the identity could be different for inner vs default. johnh...
johnh...
participants (3)
-
Fajar A. Nugraha -
John Hayward -
John.Hayward@wheaton.edu