Authentication failure via PAP

tnt at kalik.co.yu
Tue Sep 18 12:25:49 CEST 2007


1. Secret is different (probability 99%)
2. MD5 libraries on the client or the server are broken

I would delete the secret on the server and the client and type in
another one. If that doesn't work then you will need to fix the MD5
calculations. If it's the server you will get this problem with every
client you try. If it's only one client ...

Ivan Kalik
Kalik Informatika ISP


On 18/9/2007, "Thomas Schmitz" <thomas.schmitz at FernUni-Hagen.de> wrote:

>Hi,
>
>I'm using Freeradius 1.1.6 inside a Solaris 10 zone and compiled 
>it from vanilla sources. I configured rlm_ldap since the 
>usernames and cleartext-passwords are stored in an LDAP 
>directory and it works just fine for applications like Cisco-VPN 
>or 802.1X EAP-TTLS. Now I wanted to set up the Captive Portal of 
>pfsense/m0n0wall to authenticate against radius, which is using 
>PAP for password transmission but authentication always fails 
>even if I triple-check the entered user credentials.
>
>The freeradius log always says:
>Auth: Login incorrect (rlm_ldap: Bind as user failed): 
>[my_username] (from client pfsensebox port 1 cli 
>00:17:f2:xx:yy:zz)
>
>Of course I also checked if the radius client is using the 
>correct secret. I set auto_headers to "yes" as it is suggested 
>in the rlm_pap manpage and put pap at the end of the authorize 
>section.
>
>I also included an excerpt of my radiusd.conf
>
>---begin radiusd.conf---
>modules {
>        pap {
>                auto_header = yes
>        }
>ldap {
>                server = "ldapserver.mydomain.com"
>                basedn = "ou=people,o=my organization,c=de"
>                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                start_tls = no
>                access_attr = "uid"
>                dictionary_mapping = ${raddbdir}/ldap.attrmap
>                ldap_connections_number = 5
>                password_attribute = userPassword
>                timeout = 4
>                timelimit = 3
>                net_timeout = 1
>        }
>}
>authorize {
>        auth_log
>        chap
>        mschap
>        suffix
>        eap
>        ldap
>        files
>        daily
>        pap
>}
>
>authenticate {
>        pap
>        chap
>        mschap
>        ldap
>        eap
>}
>---end radiusd.conf---
>
>Here is an output of radiusd -X:
>
>---begin radiusd -X output---
>rad_recv: Access-Request packet from host 111.222.333.444:51087, 
>id=255, length=131
>        NAS-IP-Address = 111.222.333.444
>        NAS-Identifier = "pfsense.local"
>        User-Name = "my_username"
>        User-Password 
>= "\301q\202\355g\264g)N\265\315\311\374\205i"
>        Service-Type = Login-User
>        NAS-Port-Type = Ethernet
>        NAS-Port = 1
>        Framed-IP-Address = 192.168.23.200
>        Called-Station-Id = "00:01:02:xx:yy:zz"
>        Calling-Station-Id = "00:17:f2:aa:bb:cc"
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
>radius_xlat:  '/opt/radiusd/var/log//radacct/auth-detail-200709'
>rlm_detail: /opt/radiusd/var/log//radacct/auth-detail-%Y%m 
>expands to /opt/radiusd/var/log//radacct/auth-detail-200709
>  modcall[authorize]: module "auth_log" returns ok for request 0
>  modcall[authorize]: module "chap" returns noop for request 0
>  modcall[authorize]: module "mschap" returns noop for request 0
>    rlm_realm: No '@' in User-Name = "my_username", looking up 
>realm NULL
>    rlm_realm: Found realm "NULL"
>    rlm_realm: Adding Stripped-User-Name = "my_username"
>    rlm_realm: Proxying request from user my_username to realm 
>NULL
>    rlm_realm: Adding Realm = "NULL"
>    rlm_realm: Authentication realm is LOCAL.
>  modcall[authorize]: module "suffix" returns noop for request 0
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 0
>rlm_ldap: - authorize
>rlm_ldap: performing user authorization for my_username
>radius_xlat:  '(uid=my_username)'
>radius_xlat:  'ou=people,o=my organization,c=de'
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: attempting LDAP reconnection
>rlm_ldap: (re)connect to directory.fernuni-hagen.de:389, 
>authentication 0
>rlm_ldap: bind as / to directory.fernuni-hagen.de:389
>rlm_ldap: waiting for bind result ...
>rlm_ldap: Bind was successful
>rlm_ldap: performing search in ou=people,o=my organization,c=de, 
>with filter (uid=my_username)
>rlm_ldap: checking if remote access for my_username is allowed by 
>uid
>rlm_ldap: looking for check items in directory...
>rlm_ldap: Adding uid as User-Name, value my_username & op=21
>rlm_ldap: looking for reply items in directory...
>rlm_ldap: Setting Auth-Type = ldap
>rlm_ldap: user my_username authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>  modcall[authorize]: module "ldap" returns ok for request 0
>  modcall[authorize]: module "files" returns notfound for request 
>0
>rlm_counter: Entering module authorize code
>rlm_counter: Could not find Check item value pair
>  modcall[authorize]: module "daily" returns noop for request 0
>rlm_pap: WARNING! No "known good" password found for the user.  
>Authentication may fail because of this.
>  modcall[authorize]: module "pap" returns noop for request 0
>modcall: leaving group authorize (returns ok) for request 0
>  rad_check_password:  Found Auth-Type ldap
>auth: type "ldap"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 0
>rlm_ldap: - authenticate
>rlm_ldap: login attempt by "my_username" with password "Áq?íg
>´g)NÂľĂĂ‰Ăź?i"
>rlm_ldap: user DN: uid=my_username,ou=People,o=my 
>organization,c=de
>rlm_ldap: (re)connect to directory.fernuni-hagen.de:389, 
>authentication 1
>rlm_ldap: bind as uid=my_username,ou=People,o=my 
>organization,c=de/Áq?Ă­g´g)NÂľĂĂ‰Ăź?i to 
>directory.fernuni-hagen.de:389
>rlm_ldap: waiting for bind result ...
>rlm_ldap: Bind failed with invalid credentials
>  modcall[authenticate]: module "ldap" returns reject for request 
>0
>modcall: leaving group authenticate (returns reject) for request 
>0
>auth: Failed to validate the user.
>Login incorrect (rlm_ldap: Bind as user failed): [my_username] 
>(from client pfsensebox port 1 cli 00:17:f2:aa:bb:cc)
>  WARNING: Unprintable characters in the password. ?  
>Double-check the shared secret on the server and the NAS!
>---end radiusd -X output---
>
>What seems very curious to me is that my password, though 
>delivered in cleartext, seems broken since the password in the 
>following line is actually not the real password:
>
>rlm_ldap: login attempt by "my_username" with password "Áq?íg
>´g)NÂľĂĂ‰Ăź?i"
>
>Is it the client that does those nasty things or is my freeradius 
>just misconfigured? How can I get it to work?
>
>Thanks in advance,
>Thomas
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
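Ivan's point about the secret is visible in the debug output itself: RADIUS does not send a PAP password in the clear. RFC 2865 (section 5.2) hides the User-Password attribute by XORing each 16-octet block with MD5(shared secret + the previous block, starting with the Request Authenticator). A server holding a different secret decodes the attribute without error but gets pseudo-random bytes, which is exactly the "Unprintable characters in the password" warning rlm_pap printed above. The following Python is an added example written for this page, not code from FreeRADIUS or from either poster; the secret, the Request Authenticator and the password are constructed values (a real NAS picks a fresh random 16-octet authenticator per request).

```python
import hashlib


def pad_password(password: bytes) -> bytes:
    """RFC 2865 5.2: pad the cleartext with NULs to a multiple of 16 octets."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 octets")
    return password + b"\x00" * (-len(password) % 16)


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does: b1 = MD5(S + RA), c1 = p1 ^ b1, b2 = MD5(S + c1), ..."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = pad_password(password)
    out = bytearray()
    prev = authenticator  # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # each later block is keyed by the previous ciphertext block
    return bytes(out)


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does. Note there is no integrity check: a wrong secret
    decodes 'successfully' to garbage rather than raising an error."""
    if not encoded or len(encoded) % 16 != 0:
        raise ValueError("User-Password length must be a non-zero multiple of 16")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strip the padding the NAS added


def looks_printable(password: bytes) -> bool:
    """Printable-ASCII heuristic, the same idea behind rlm_pap's warning."""
    return all(0x20 <= b < 0x7F for b in password)


def check_pap_request(encoded: bytes, secret: bytes, authenticator: bytes) -> str:
    """Server-side diagnosis: 'ok' if the decoded password is printable,
    'unprintable' if it is not (the usual symptom of a shared-secret mismatch)."""
    return "ok" if looks_printable(decode_user_password(encoded, secret, authenticator)) else "unprintable"


if __name__ == "__main__":
    # Constructed values for the demonstration only.
    secret = b"testing123"
    wrong_secret = b"testing124"
    request_authenticator = bytes(range(16))
    password = b"correct horse battery"

    wire = encode_user_password(password, secret, request_authenticator)
    print("on the wire:", wire.hex())
    print("right secret:", decode_user_password(wire, secret, request_authenticator))
    print("wrong secret:", decode_user_password(wire, wrong_secret, request_authenticator))
    print("diagnosis with wrong secret:", check_pap_request(wire, wrong_secret, request_authenticator))
```

The practical consequence for troubleshooting is the one Ivan gives: the server cannot distinguish "wrong password" from "wrong shared secret" on its own, so an LDAP bind that fails with a password full of non-ASCII bytes points at the secret on the NAS or in clients.conf, not at the user's credentials.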
