sorry for spamming, i just want to understand *OpenLDAP knows the clear text password:* [ldap] userPassword -> Cleartext-Password == "test " [ldap] userPassword -> NT-Password == 0x7465737420 *=> supposed to be the hash password* [ldap] looking for reply items in directory... [ldap] user bernard authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} *Is the inner tunnel part of the MSCHAPv2 is failing because it doesn't kwow the way of dealing with the password supplied ?* *Adding into ldap.attrmap the userPassword -> NT-Password is enough to produce a correct NT hash password? *[mschap] Invalid NT-Password * * [mschap] Told to do MS-CHAPv2 for bernard with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\nE=691 R=1" EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\nE=691 R=1" EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE
thank u for your quick reply i fixed bernard's password in ldap so: [ldap] userPassword -> Cleartext-Password == "test" [ldap] userPassword -> NT-Password == 0x74657374 i added the password_radius_attribute = "NT-Password" but still the same: [mschap] Told to do MS-CHAPv2 for bernard with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect 2010/3/15 Alan Buxey <A.L.M.Buxey@lboro.ac.uk>
Hi,
[ldap] userPassword -> Cleartext-Password == "test "
note the space at the end. your password is 'test ' not just 'test'
is this deliberate? check your LDAP!
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
[mschap] Told to do MS-CHAPv2 for bernard with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect
get rid of the NT-Password LDAP hook if you're not using it. alan
Hi, you mean by commenting mschap in autorize and authenticate section? thanks 2010/3/15 Alan Buxey <A.L.M.Buxey@lboro.ac.uk>
Hi,
[mschap] Told to do MS-CHAPv2 for bernard with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect
get rid of the NT-Password LDAP hook if you're not using it.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
forgot what i said. i commented the line: #checkItem NT-password userPassword in ldap.attrmap and it works!!!!!! THANK U ALAN!!!! you saved me!!!! 2010/3/15 omega bk <omegabk@gmail.com>
Hi,
you mean by commenting mschap in autorize and authenticate section?
thanks
2010/3/15 Alan Buxey <A.L.M.Buxey@lboro.ac.uk>
Hi,
[mschap] Told to do MS-CHAPv2 for bernard with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect
get rid of the NT-Password LDAP hook if you're not using it.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
another question? how freeradius deal with simultaneous mutiple access? thanks
Am 15.03.2010 um 11:35 schrieb omega bk:
sorry for spamming, i just want to understand
OpenLDAP knows the clear text password:
[ldap] userPassword -> Cleartext-Password == "test " [ldap] userPassword -> NT-Password == 0x7465737420 => supposed to be the hash password
I doub very much that this is a hash: 0x74: t 0x65: e 0x73: s 0x74: t 0x20: space (all in ASCII) Have you tried *not* to define a NT-Password and let Freeradius calculate from the Cleartext-Password what it needs? [...] Have a nice day! Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
participants (3)
-
Alan Buxey -
Nicolas Goutte -
omega bk