Guillaume CAPIOD Guillaume.Capiod at ens-lsh.fr
Thu Jul 20 17:56:44 CEST 2006

Hi all,

I think i'm having problems too with EAP-TTLS / PAP with LDAP password 
stored in ssha-1.
I've newest release of freeradius : 1.1.2.

In debug mode :
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user wifilsh authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id:0
 modcall[autohrize]: module "ldap1" return ok for request 0

   users: Matched entry DEFAULT at line 172
 modcall[autohrize]: module "files" return ok for request 0
 rlm_eap: No EAP-Message, not doing EAP
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
 modcall[authorize]: module "pap" return noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the 
request : Rejecting the user
auth: Failed to validate the user.

and i tried several configurations in my radiusd.conf :

pap {
          encryption_scheme = sha1 (or auto_header = yes, 

EAP-TTLS / PAP authentication works good with clear password.

Can i use realm rlm_pap to crypt password in SSHA-1 ?

Do anyone have an idea for these problems ?


Matt Ashfield wrote:

>I think I'm having similar problems. Trying to do EAP-TTLS against LDAP with
>passwords stored in ssha-1 I get the following in my debug:
>rlm_ldap: Added password {SSHA}sBKY63Qm0H8T/Rx25tveoZfGaYd9Rjk45TCrWA== in
>check items
>rlm_ldap: looking for check items in directory...
>rlm_ldap: looking for reply items in directory...
>rlm_ldap: user mda authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>  modcall[authorize]: module "ldap" returns ok for request 4
>modcall: group authorize returns ok for request 4
>  rad_check_password:  Found Auth-Type ldap
>auth: type "LDAP"
>  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested
>auth: Failed to validate the user.
>The above seems to indicate to me that I was authorized, but not
>Although in my radiusd.conf, I do have the following which I assumed was
>pap {
>                encryption_scheme = sha1
>    }
>Matt Ashfield
>mda at unb.ca 
>-----Original Message-----
>From: freeradius-users-bounces+mda=unb.ca at lists.freeradius.org
>[mailto:freeradius-users-bounces+mda=unb.ca at lists.freeradius.org] On Behalf
>Of Phil Mayers
>Sent: July 15, 2006 8:09 AM
>To: FreeRadius users mailing list
>Rohaizam Abu Bakar wrote:
>>Thanks Phil..  what a stupid move to paste all that passwd.. I've 
>>changed it as soon as i get ur mail... thanks again...
>>cannot find any article related to repeating LDAP query for EAP...  pls 
>You don't need to worry about the EAP. The EAP is working fine. It's the 
>PAP request that lives inside the EAP that's failing.
>>I think the problem coz by RADIUS cannot figure out to set Auth-Type and 
>>then it require plain passwd.. When I change password to plain. with the 
>>same setting.. it's working...
>It's definitely not that. Auth-Type is being set to Local, probably by 
>the default entries in the "users" file, and the server is therefore 
>trying to compare the passwords in the PAP requests with the ones frmo 
>LDAP, which is correct. But as I said, your LDAP directory contains 
>password of the form "{crypt}sombytes". This is breaking it. You have 
>three choices:
>  1. Upgrade the server to a version which can correctly deal with the 
>"{type}" prefixes.
>  2. Re-format the passwords, either in the LDAP directory or with an 
>external script, so that the {type} is stripped and the value set in the 
>Crypt-Password attribute. For example, in radiusd.conf:
>modules {
>   ldap {
>     server = ...
>     basedn = ...
>     # do NOT copy the password attribute here, do it
>     # in ldap.attrmap instead - see below for why
>     # password_attribute
>     # other config items
>   }
>   exec strip_password_header {
>     wait = yes
>     program = "/usr/local/bin/strip_password_header.sh"
>     input_pairs = config
>     output_pairs = config
>   }
>authorize {
>   preprocess
>   eap
>   files
>   Autz-Type ttls-inner-bit {
>     ldap
>     strip_password_header
>   }
>authenticate {
>   eap
>...and in users:
># Match the PAP "inside" bit of EAP-TTLS and set the Autz-Type so
># that we only run the ldap query and crypt password rewrite then
># Also set Auth-Type to Local so the radius server will check the
># passwords
>DEFAULT	Client-IP-Address ==, Autz-Type := ttls-inner-bit, 
>Auth-Type := Local
>...and in ldap.attrmap:
>checkItem	Crypt-Password	userPassword
>...and in /usr/local/bin/strip_password_header.sh:
>stripped_pw=`echo $CRYPT_PASSWORD | sed -e 's/^{crypt}//g'`
>echo "Crypt-Password := \"$stripped_pw\""
>Basically, what this does is:
>    * do EAP
>    * when the inner PAP request happens
>      * fetch the "{crypt}foobar" from LDAP
>      * rewrite it to "foobar" with a script
>      * let the radius server compare the passwords
>  3. Stop copying the password over at all, and authenticate the PAP bit 
>with an LDAP simple bind to the directory. See the archives for many 
>posts about "LDAP simple bind PAP"
>List info/subscribe/unsubscribe? See
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list