FDS + Freeradius = pain.
Phil Mayers
p.mayers at imperial.ac.uk
Fri Feb 3 08:56:55 CET 2006
Joey McDonald wrote:
>
> I've got authentication working via radtest, e.g.
>
> rad_recv: Access-Request packet from host 172.33.100.18:32811, id=116, length=56
> User-Name = "joey"
> User-Password = "xxxxxxxx"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for joey
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: (re)connect to ldap.example.net:389, authentication 0
> rlm_ldap: bind as cn=Directory Manager/xxxxxxx to ldap.example.net:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding userPassword as User-Password, value { & op=21
The line above looks wrong, but it never ends up being a problem because...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user joey authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
...during authenticate...
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "joey" with password "xxxxxxxx"
> rlm_ldap: user DN: uid=joey,ou=People, dc=example,dc=net
> rlm_ldap: (re)connect to ldap.example.net:389, authentication 1
> rlm_ldap: bind as uid=joey,ou=People, dc=example,dc=net/xxxxxxxx to ldap.example.net:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user joey authenticated succesfully
...auth-type == LDAP and an LDAP simple bind is done to answer the PAP
request from radtest. This ONLY works with PAP because an LDAP simple
bind needs the plaintext password.
> Login OK: [joey/xxxxxxx] (from client el-oso port 0)
> Sending Access-Accept of id 116 to 172.33.100.18:32811
>
> So that tells me that I've got the communication to my LDAP server
> properly configured.
>
> However when my PPTP server sends authentication requests to my radius
> server, I always get "Login incorrect: [joey/<no User-Password
> attribute>]"
Since it's a PPTP server you are almost certainly going to be using
MS-CHAP, which requires either:
1. The NT password hash to be in LDAP and readable by FreeRadius
2. The plaintext password to be in LDAP and readable
3. Samba, domain membership, winbind and the ntlm_auth plugin option
for the mschap module
>
> For example:
>
> rad_recv: Access-Request packet from host 172.33.100.1:32784, id=15, length=147
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "joey"
> MS-CHAP-Challenge = 0x47f01bcb27f52fa649fc0722f36c30c6
> MS-CHAP2-Response = 0x92001b248ce93a1a352383f8836833afeb9a0000000000000000724f55d6a62231b22c33b33265212ecd3fa334aff76bb442
> Calling-Station-Id = "67.41.208.129"
> NAS-Identifier = "pptp"
> NAS-Port = 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for joey
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding userPassword as User-Password, value { & op=21
The line directly above looks wrong - value "{" ?
So you've probably got a crypted password in LDAP, which you won't be
able to do MS-CHAP from (unless the "crypt" happens to be "{nt}32bytes")
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user joey authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
> Login incorrect: [joey/<no User-Password attribute>] (from client
> vpn-external port 0 cli 67.41.208.129)
> Sending Access-Reject of id 15 to 71.39.18.170:32784
>
>
> I have no idea where to troubleshoot this at this point. The usual
> suspects seem to be properly configured (ldap.attrmap, clients.conf,
> radiusd.conf and users). Anybody have thoughts? Thanks.
>
> --joey
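Added example, not from the thread and not FreeRADIUS code: a small Python script that models the point of the reply above. PAP (what radtest sends) can be answered by an LDAP simple bind whatever hash scheme the directory stores, but MS-CHAP can only be answered when FreeRADIUS can get at an NT hash, i.e. either the hash itself or a plaintext it can derive the hash from. The script classifies a userPassword value by its `{scheme}` header, computes the NT hash (MD4 over the UTF-16LE password, implemented inline so it runs where OpenSSL has no MD4) from a plaintext, and prints the Access-Accept/Access-Reject outcome for each request type. Assumptions: the `{nt}` header form is taken from the reply; whether a given FreeRADIUS version parses it out of userPassword rather than a separate ntPassword/sambaNTPassword attribute mapped in ldap.attrmap is not modelled, and the third option in the reply (ntlm_auth against a domain controller) is not modelled either. All sample directory values are constructed.

```python
"""Which RADIUS auth types can be answered from a given LDAP userPassword?
Added illustration for the thread above; not FreeRADIUS's own logic."""
import re
import struct


# --- MD4 (RFC 1320), needed for the NT hash ---------------------------------
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 so the example runs without OpenSSL's legacy provider."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate so the next step updates "d"
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """The NT-Password value MS-CHAP needs: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex()


# --- userPassword header -> what can be answered from it --------------------
# Assumption (see lead-in): an "{nt}<32 hex>" header is treated as a stored
# NT hash, as in the reply; anything without a header is plaintext.
_HEADER = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def classify_userpassword(value: str) -> dict:
    m = _HEADER.match(value)
    scheme, body = (m.group(1).upper(), m.group(2)) if m else ("CLEARTEXT", value)
    # PAP via LDAP simple bind works for every scheme: the directory checks the
    # plaintext the NAS forwarded, and FreeRADIUS never needs the stored hash.
    pap_via_bind = True
    if scheme in ("CLEARTEXT", "CLEAR"):
        mschap, why = True, "plaintext stored, NT hash can be derived"
    elif scheme == "NT" and re.fullmatch(r"[0-9A-Fa-f]{32}", body):
        mschap, why = True, "NT hash stored directly"
    elif scheme in ("CRYPT", "MD5", "SMD5", "SHA", "SSHA"):
        mschap, why = False, f"{{{scheme}}} is a one-way hash, no NT hash derivable"
    else:
        mschap, why = False, "unrecognised scheme"
    return {"scheme": scheme, "pap_via_bind": pap_via_bind, "mschap": mschap, "why": why}


def radius_outcome(stored: str, request: str) -> str:
    """request is 'PAP' (radtest) or 'MSCHAPv2' (the PPTP server)."""
    caps = classify_userpassword(stored)
    ok = caps["pap_via_bind"] if request == "PAP" else caps["mschap"]
    return "Access-Accept" if ok else f"Access-Reject ({caps['why']})"


if __name__ == "__main__":
    # constructed sample directory values, not taken from the thread
    samples = ("{crypt}$1$abcdefgh$0123456789abcdefghijkl",
               "{nt}" + nt_hash("hunter2"),
               "hunter2")
    for stored in samples:
        for req in ("PAP", "MSCHAPv2"):
            print(f"{stored[:36]:38} {req:9} -> {radius_outcome(stored, req)}")
```

The `{crypt}` row reproduces the thread: PAP succeeds through the bind, MS-CHAP is rejected because nothing in the directory lets the server recompute the NT-Response. Storing either the NT hash (mapped to NT-Password in ldap.attrmap) or the plaintext makes the MS-CHAP row succeed; which of the two is acceptable is a directory hardening decision, since both are password-equivalent to anyone who can read the attribute.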