Dear all, My Supplicant is a WinXP-Client, EAP-Type is MD5-Challenge. My Authenticator is a Cisco Catalyst 3750 I try to do a 802.1X Authentication for a user listet in a LDAP-database. When i do a MD5-Challenge it does not work. Do i have a problem with MD5-encrypted passwords? My configuration files follows below... Thanks in advance.... The LDAP-Authentication seems to work, here is the freeradius -X output after radtest: Debian# radtest schlapp Gerti1000 localhost 1645 testing123 rad_recv: Access-Request packet from host 127.0.0.1:32852, id=247, length=59 User-Name = "schlapp" User-Password = "Gerti1000" NAS-IP-Address = 255.255.255.255 NAS-Port = 1645 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "schlapp", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry schlapp at line 87 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for schlapp radius_xlat: '(&(sAMAccountname=schlapp)(objectClass=person))' radius_xlat: 'DC=winlab,DC=rsnhm,DC=t-com,DC=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.187.64.3:389, authentication 0 rlm_ldap: bind as CN=Robert Huber,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de/Gerti1000 to 10.187.64.3:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in DC=winlab,DC=rsnhm,DC=t-com,DC=de, with filter (&(sAMAccountname=schlapp)(objectClass=person)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user schlapp authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "schlapp" with password "Gerti1000" rlm_ldap: user DN: CN=schlapp hut,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de rlm_ldap: (re)connect to 10.187.64.3:389, authentication 1 rlm_ldap: bind as CN=schlapp hut,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de/Gerti1000 to 10.187.64.3:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user schlapp authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 0 modcall: leaving group LDAP (returns ok) for request 0 Login OK: [schlapp/Gerti1000] (from client localhost port 1645) Sending Access-Accept of id 247 to 127.0.0.1 port 32852 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... But when i try to use my WinXP-Client, EAP says: rlm_eap_md5: User-Password is required for EAP-MD5 authentication rlm_eap: Handler failed in EAP/md5 rlm_eap: Failed in EAP select Here is the entire freeradius -X output: rad_recv: Access-Request packet from host 10.187.0.15:1645, id=174, length=129 User-Name = "schlapp" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-14-69-5B-8B-03" Calling-Station-Id = "00-0B-5D-84-AE-CA" EAP-Message = 0x0202000c017363686c617070 Message-Authenticator = 0x7a4a5ff5030a44b2fcee7b79d3aac47c NAS-Port = 60003 NAS-Port-Type = Virtual NAS-IP-Address = 10.187.0.15 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "schlapp", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry schlapp at line 83 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for schlapp radius_xlat: '(&(sAMAccountname=schlapp)(objectClass=person))' radius_xlat: 'DC=winlab,DC=rsnhm,DC=t-com,DC=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.187.64.3:389, authentication 0 rlm_ldap: bind as CN=Robert Huber,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de/Gerti1000 to 10.187.64.3:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in DC=winlab,DC=rsnhm,DC=t-com,DC=de, with filter (&(sAMAccountname=schlapp)(objectClass=person)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user schlapp authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 174 to 10.187.0.15 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4172a142a08feeb924f2a128e5ddef32 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.187.0.15:1645, id=175, length=141 User-Name = "schlapp" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-14-69-5B-8B-03" Calling-Station-Id = "00-0B-5D-84-AE-CA" EAP-Message = 0x020300060304 Message-Authenticator = 0x71486fbf711a2bbd7b14377510a81beb NAS-Port = 60003 NAS-Port-Type = Virtual State = 0x4172a142a08feeb924f2a128e5ddef32 NAS-IP-Address = 10.187.0.15 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "schlapp", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry schlapp at line 83 modcall[authorize]: module "files" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for schlapp radius_xlat: '(&(sAMAccountname=schlapp)(objectClass=person))' radius_xlat: 'DC=winlab,DC=rsnhm,DC=t-com,DC=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in DC=winlab,DC=rsnhm,DC=t-com,DC=de, with filter (&(sAMAccountname=schlapp)(objectClass=person)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user schlapp authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/md5 rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 175 to 10.187.0.15 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x01040016041033c920c71b4f300c45c31a67d56acce6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x166498a3095698d1df3c6b3827bdd631 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.187.0.15:1645, id=176, length=164 User-Name = "schlapp" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-14-69-5B-8B-03" Calling-Station-Id = "00-0B-5D-84-AE-CA" EAP-Message = 0x0204001d04108ade4625748baf1353f8c786e23d72527363686c617070 Message-Authenticator = 0x28e98702a7aec9aec73273be08999cee NAS-Port = 60003 NAS-Port-Type = Virtual State = 0x166498a3095698d1df3c6b3827bdd631 NAS-IP-Address = 10.187.0.15 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "schlapp", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 4 length 29 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry schlapp at line 83 modcall[authorize]: module "files" returns ok for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for schlapp radius_xlat: '(&(sAMAccountname=schlapp)(objectClass=person))' radius_xlat: 'DC=winlab,DC=rsnhm,DC=t-com,DC=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in DC=winlab,DC=rsnhm,DC=t-com,DC=de, with filter (&(sAMAccountname=schlapp)(objectClass=person)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user schlapp authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap_md5: User-Password is required for EAP-MD5 authentication rlm_eap: Handler failed in EAP/md5 rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 2 modcall: leaving group authenticate (returns invalid) for request 2 auth: Failed to validate the user. Login incorrect: [schlapp/<no User-Password attribute>] (from client M4DEMRCO0000015 port 60003 cli 00-0B-5D-84-AE-CA) Delaying request 2 for 1 seconds Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.187.0.15:1645, id=176, length=164 Sending Access-Reject of id 176 to 10.187.0.15 port 1645 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 1 seconds... my users: ------------ schlapp Tunnel-Type = VLAN, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 50 my eap.conf -------------- eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes } mschapv2 { } } my radiusd.conf ----------------- prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/freeradius.pid max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 shadow = /etc/shadow radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP use_mppe = no require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}" } ldap { server = "10.187.64.3" identity = "CN=Robert Kastl,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de" password = Gerti1000 basedn = "DC=winlab,DC=rsnhm,DC=t-com,DC=de" filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session sqlmod-inst = sql key = User-Name reset = daily query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session sqlmod-inst = sql key = User-Name reset = monthly query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess chap mschap suffix eap files ldap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp } session { radutmp } post-auth { } pre-proxy { } post-proxy { eap } my ldap.attrmap ------------------- checkItem $GENERIC$ radiusCheckItem replyItem $GENERIC$ radiusReplyItem checkItem Auth-Type radiusAuthType checkItem Simultaneous-Use radiusSimultaneousUse checkItem Called-Station-Id radiusCalledStationId checkItem Calling-Station-Id radiusCallingStationId checkItem LM-Password lmPassword checkItem NT-Password ntPassword checkItem SMB-Account-CTRL-TEXT acctFlags checkItem Expiration radiusExpiration checkItem NAS-IP-Address radiusNASIpAddress replyItem Service-Type radiusServiceType replyItem Framed-Protocol radiusFramedProtocol replyItem Framed-IP-Address radiusFramedIPAddress replyItem Framed-IP-Netmask radiusFramedIPNetmask replyItem Framed-Route radiusFramedRoute replyItem Framed-Routing radiusFramedRouting replyItem Filter-Id radiusFilterId replyItem Framed-MTU radiusFramedMTU replyItem Framed-Compression radiusFramedCompression replyItem Login-IP-Host radiusLoginIPHost replyItem Login-Service radiusLoginService replyItem Login-TCP-Port radiusLoginTCPPort replyItem Callback-Number radiusCallbackNumber replyItem Callback-Id radiusCallbackId replyItem Framed-IPX-Network radiusFramedIPXNetwork replyItem Class radiusClass replyItem Session-Timeout radiusSessionTimeout replyItem Idle-Timeout radiusIdleTimeout replyItem Termination-Action radiusTerminationAction replyItem Login-LAT-Service radiusLoginLATService replyItem Login-LAT-Node radiusLoginLATNode replyItem Login-LAT-Group radiusLoginLATGroup replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone replyItem Port-Limit radiusPortLimit replyItem Login-LAT-Port radiusLoginLATPort replyItem Reply-Message radiusReplyMessage Viel oder wenig? Schnell oder langsam? Unbegrenzt surfen + telefonieren ohne Zeit- und Volumenbegrenzung? DAS TOP ANGEBOT JETZT bei Arcor: günstig und schnell mit DSL - das All-Inclusive-Paket für clevere Doppel-Sparer, nur 44,85 inkl. DSL- und ISDN-Grundgebühr! http://www.arcor.de/rd/emf-dsl-2
robiwan@arcor.de wrote:
I try to do a 802.1X Authentication for a user listet in a LDAP-database. When i do a MD5-Challenge it does not work. Do i have a problem with MD5-encrypted passwords?
No. You have NOT configured LDAP to return a clear-text password to FreeRADIUS. Do that, and EAP-MD5 will work. Alan DeKok.
participants (2)
-
Alan DeKok -
robiwan@arcor.de