ldap and MD5-Challenge
robiwan at arcor.de
robiwan at arcor.de
Wed Jun 7 15:35:25 CEST 2006
Dear all,
My Supplicant is a WinXP-Client, EAP-Type is MD5-Challenge.
My Authenticator is a Cisco Catalyst 3750
I try to do a 802.1X Authentication for a user listet in a LDAP-database.
When i do a MD5-Challenge it does not work. Do i have a problem with MD5-encrypted passwords?
My configuration files follows below...
Thanks in advance....
The LDAP-Authentication seems to work, here is the freeradius -X output after radtest:
Debian# radtest schlapp Gerti1000 localhost 1645 testing123
rad_recv: Access-Request packet from host 127.0.0.1:32852, id=247, length=59
User-Name = "schlapp"
User-Password = "Gerti1000"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1645
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "schlapp", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry schlapp at line 87
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for schlapp
radius_xlat: '(&(sAMAccountname=schlapp)(objectClass=person))'
radius_xlat: 'DC=winlab,DC=rsnhm,DC=t-com,DC=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.187.64.3:389, authentication 0
rlm_ldap: bind as CN=Robert Huber,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de/Gerti1000 to 10.187.64.3:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in DC=winlab,DC=rsnhm,DC=t-com,DC=de, with filter (&(sAMAccountname=schlapp)(objectClass=person))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user schlapp authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "schlapp" with password "Gerti1000"
rlm_ldap: user DN: CN=schlapp hut,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de
rlm_ldap: (re)connect to 10.187.64.3:389, authentication 1
rlm_ldap: bind as CN=schlapp hut,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de/Gerti1000 to 10.187.64.3:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user schlapp authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
Login OK: [schlapp/Gerti1000] (from client localhost port 1645)
Sending Access-Accept of id 247 to 127.0.0.1 port 32852
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
But when i try to use my WinXP-Client, EAP says:
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
rlm_eap: Failed in EAP select
Here is the entire freeradius -X output:
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=174, length=129
User-Name = "schlapp"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
EAP-Message = 0x0202000c017363686c617070
Message-Authenticator = 0x7a4a5ff5030a44b2fcee7b79d3aac47c
NAS-Port = 60003
NAS-Port-Type = Virtual
NAS-IP-Address = 10.187.0.15
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "schlapp", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 2 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry schlapp at line 83
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for schlapp
radius_xlat: '(&(sAMAccountname=schlapp)(objectClass=person))'
radius_xlat: 'DC=winlab,DC=rsnhm,DC=t-com,DC=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.187.64.3:389, authentication 0
rlm_ldap: bind as CN=Robert Huber,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de/Gerti1000 to 10.187.64.3:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in DC=winlab,DC=rsnhm,DC=t-com,DC=de, with filter (&(sAMAccountname=schlapp)(objectClass=person))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user schlapp authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 174 to 10.187.0.15 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4172a142a08feeb924f2a128e5ddef32
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=175, length=141
User-Name = "schlapp"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
EAP-Message = 0x020300060304
Message-Authenticator = 0x71486fbf711a2bbd7b14377510a81beb
NAS-Port = 60003
NAS-Port-Type = Virtual
State = 0x4172a142a08feeb924f2a128e5ddef32
NAS-IP-Address = 10.187.0.15
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "schlapp", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry schlapp at line 83
modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for schlapp
radius_xlat: '(&(sAMAccountname=schlapp)(objectClass=person))'
radius_xlat: 'DC=winlab,DC=rsnhm,DC=t-com,DC=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=winlab,DC=rsnhm,DC=t-com,DC=de, with filter (&(sAMAccountname=schlapp)(objectClass=person))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user schlapp authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/md5
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 175 to 10.187.0.15 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
EAP-Message = 0x01040016041033c920c71b4f300c45c31a67d56acce6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x166498a3095698d1df3c6b3827bdd631
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=176, length=164
User-Name = "schlapp"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
EAP-Message = 0x0204001d04108ade4625748baf1353f8c786e23d72527363686c617070
Message-Authenticator = 0x28e98702a7aec9aec73273be08999cee
NAS-Port = 60003
NAS-Port-Type = Virtual
State = 0x166498a3095698d1df3c6b3827bdd631
NAS-IP-Address = 10.187.0.15
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "schlapp", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 4 length 29
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry schlapp at line 83
modcall[authorize]: module "files" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for schlapp
radius_xlat: '(&(sAMAccountname=schlapp)(objectClass=person))'
radius_xlat: 'DC=winlab,DC=rsnhm,DC=t-com,DC=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=winlab,DC=rsnhm,DC=t-com,DC=de, with filter (&(sAMAccountname=schlapp)(objectClass=person))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user schlapp authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/md5
rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 2
modcall: leaving group authenticate (returns invalid) for request 2
auth: Failed to validate the user.
Login incorrect: [schlapp/<no User-Password attribute>] (from client M4DEMRCO0000015 port 60003 cli 00-0B-5D-84-AE-CA)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=176, length=164
Sending Access-Reject of id 176 to 10.187.0.15 port 1645
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 1 seconds...
my users:
------------
schlapp
Tunnel-Type = VLAN,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-ID = 50
my eap.conf
--------------
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
}
mschapv2 {
}
}
my radiusd.conf
-----------------
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}
ldap {
server = "10.187.64.3"
identity = "CN=Robert Kastl,CN=Computers,DC=winlab,DC=rsnhm,DC=t-com,DC=de"
password = Gerti1000
basedn = "DC=winlab,DC=rsnhm,DC=t-com,DC=de"
filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}
instantiate {
exec
expr
}
authorize {
preprocess
chap
mschap
suffix
eap
files
ldap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
Auth-Type LDAP {
ldap
}
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
eap
}
my ldap.attrmap
-------------------
checkItem $GENERIC$ radiusCheckItem
replyItem $GENERIC$ radiusReplyItem
checkItem Auth-Type radiusAuthType
checkItem Simultaneous-Use radiusSimultaneousUse
checkItem Called-Station-Id radiusCalledStationId
checkItem Calling-Station-Id radiusCallingStationId
checkItem LM-Password lmPassword
checkItem NT-Password ntPassword
checkItem SMB-Account-CTRL-TEXT acctFlags
checkItem Expiration radiusExpiration
checkItem NAS-IP-Address radiusNASIpAddress
replyItem Service-Type radiusServiceType
replyItem Framed-Protocol radiusFramedProtocol
replyItem Framed-IP-Address radiusFramedIPAddress
replyItem Framed-IP-Netmask radiusFramedIPNetmask
replyItem Framed-Route radiusFramedRoute
replyItem Framed-Routing radiusFramedRouting
replyItem Filter-Id radiusFilterId
replyItem Framed-MTU radiusFramedMTU
replyItem Framed-Compression radiusFramedCompression
replyItem Login-IP-Host radiusLoginIPHost
replyItem Login-Service radiusLoginService
replyItem Login-TCP-Port radiusLoginTCPPort
replyItem Callback-Number radiusCallbackNumber
replyItem Callback-Id radiusCallbackId
replyItem Framed-IPX-Network radiusFramedIPXNetwork
replyItem Class radiusClass
replyItem Session-Timeout radiusSessionTimeout
replyItem Idle-Timeout radiusIdleTimeout
replyItem Termination-Action radiusTerminationAction
replyItem Login-LAT-Service radiusLoginLATService
replyItem Login-LAT-Node radiusLoginLATNode
replyItem Login-LAT-Group radiusLoginLATGroup
replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink
replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork
replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone
replyItem Port-Limit radiusPortLimit
replyItem Login-LAT-Port radiusLoginLATPort
replyItem Reply-Message radiusReplyMessage
Viel oder wenig? Schnell oder langsam? Unbegrenzt surfen + telefonieren
ohne Zeit- und Volumenbegrenzung? DAS TOP ANGEBOT JETZT bei Arcor: günstig
und schnell mit DSL - das All-Inclusive-Paket für clevere Doppel-Sparer,
nur 44,85 € inkl. DSL- und ISDN-Grundgebühr!
http://www.arcor.de/rd/emf-dsl-2
More information about the Freeradius-Users
mailing list