FDS + Freeradius = pain.

Phil Mayers p.mayers at imperial.ac.uk
Fri Feb 3 08:56:55 CET 2006


Joey McDonald wrote:
> 
> I've got authentication working via radtest, e.g.
> 
> rad_recv: Access-Request packet from host 172.33.100.18:32811, id=116, length=56
>         User-Name = "joey"
>         User-Password = "xxxxxxxx"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for joey
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: (re)connect to ldap.example.net:389, authentication 0
> rlm_ldap: bind as cn=Directory Manager/xxxxxxx to ldap.example.net:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding userPassword as User-Password, value { & op=21

The line above looks wrong, but it never ends up being a problem because...

> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user joey authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0

...during authenticate...

> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "joey" with password "xxxxxxxx"
> rlm_ldap: user DN: uid=joey,ou=People, dc=example,dc=net
> rlm_ldap: (re)connect to ldap.example.net:389, authentication 1
> rlm_ldap: bind as uid=joey,ou=People, dc=example,dc=net/xxxxxxxx to
> ldap.example.net:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user joey authenticated succesfully

...auth-type == LDAP and an LDAP simple bind is done to answer the PAP 
request from radtest. This ONLY works with PAP because an LDAP simple 
bind needs the plaintext password.

> Login OK: [joey/xxxxxxx] (from client el-oso port 0)
> Sending Access-Accept of id 116 to 172.33.100.18:32811
> 
> So that tells me that I've got the communication to my LDAP server
> properly configured.
> 
> However when my PPTP server sends authentication requests to my radius
> server, I always get "Login incorrect: [joey/<no User-Password
> attribute>]"

Since it's a PPTP server you are almost certainly going to be using 
MS-CHAP, which requires either:

  1. The NT password hash to be in LDAP and readable by FreeRadius
  2. The plaintext password to be in LDAP and readable
  3. Samba, domain membership, winbind and the ntlm_auth plugin option for the mschap module

> 
> For example:
> 
> rad_recv: Access-Request packet from host 172.33.100.1:32784, id=15, length=147
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         User-Name = "joey"
>         MS-CHAP-Challenge = 0x47f01bcb27f52fa649fc0722f36c30c6
>         MS-CHAP2-Response =
> 0x92001b248ce93a1a352383f8836833afeb9a0000000000000000724f55d6a62231b22c33b33265212ecd3fa334aff76bb442
>         Calling-Station-Id = "67.41.208.129"
>         NAS-Identifier = "pptp"
>         NAS-Port = 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for joey
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding userPassword as User-Password, value { & op=21

The line directly above looks wrong - value "{" ?

So you've probably got a crypted password in LDAP, which you won't be 
able to do MS-CHAP from (unless the "crypt" happens to be "{nt}32bytes").

> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user joey authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
> Login incorrect: [joey/<no User-Password attribute>] (from client
> vpn-external port 0 cli 67.41.208.129)
> Sending Access-Reject of id 15 to 71.39.18.170:32784
> 
> 
> I have no idea where to troubleshoot this at this point. The usual
> suspects seem to be properly configured (ldap.attrmap, clients.conf,
> radiusd.conf and users). Anybody have thoughts? Thanks.



> 
>            --joey
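An added illustration (not code from the thread or from FreeRADIUS) of the diagnosis above: given the raw userPassword value rlm_ldap pulls out of the directory, decide which RADIUS authentication types it can serve. PAP can always be answered by an LDAP simple bind, but MS-CHAP needs either the plaintext or a stored NT hash in the "{nt}" form; a "{crypt}" or salted-hash value cannot serve it. Scheme names and the sample values are constructed for the example.

```python
import re

# Constructed sample userPassword values, one per common storage scheme.
SAMPLES = {
    "plaintext": "s3cret",                          # no prefix: cleartext
    "clear":     "{clear}s3cret",                   # explicit cleartext
    "nt":        "{nt}" + "0123456789ABCDEF" * 2,   # 16-byte NT hash, 32 hex chars
    "crypt":     "{crypt}$1$salt$" + "x" * 22,      # the case from the thread
    "ssha":      "{SSHA}c2FsdGVkaGFzaGJ5dGVz",      # salted SHA-1, base64
}

PLAINTEXT_SCHEMES = {"clear", "cleartext"}
NT_HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_userpassword(value: str):
    """Split '{scheme}payload' into (scheme, payload); no prefix means plaintext."""
    m = re.match(r"^\{([^}]+)\}(.*)$", value, re.S)
    if not m:
        return None, value
    return m.group(1).lower(), m.group(2)


def classify(value: str) -> dict:
    """Report which RADIUS auth types this stored password can answer.

    pap: True for every scheme, because an LDAP simple bind lets the
         directory do the comparison (what radtest exercised in the thread).
    mschap: True only when the server can obtain the NT hash, i.e. the
         plaintext is available or the value is a well-formed {nt} hash.
    """
    scheme, payload = parse_userpassword(value)
    if scheme is None or scheme in PLAINTEXT_SCHEMES:
        return {"scheme": scheme or "plaintext", "pap": True, "mschap": True,
                "reason": "plaintext available, NT hash can be derived"}
    if scheme == "nt":
        ok = bool(NT_HASH_RE.match(payload))
        return {"scheme": "nt", "pap": True, "mschap": ok,
                "reason": "NT hash usable" if ok else "{nt} value is not 32 hex chars"}
    # Any other prefix is a one-way hash: usable via bind, never for MS-CHAP.
    return {"scheme": scheme, "pap": True, "mschap": False,
            "reason": "one-way hash, no NT hash can be derived; MS-CHAP will fail"}


def report(samples=SAMPLES) -> dict:
    """Classify every sample; returns {label: classification}."""
    return {label: classify(value) for label, value in samples.items()}
```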