Failing to authenticate using FreeRadius (in OpenBSD) + XP as a client + Linksys AP (WRT54v2.2) using peap

Alan DeKok aland at deployingradius.com
Sat Aug 16 16:21:51 CEST 2008


Maurizio Cimaschi wrote:
> OK. So the rlm_mschap will look for the internal check-Item
> "Cleartext-Password" and it will use that value for authentication.
> 
> From share/freeradius/dictionary.freeradius.internal

  Can I ask you to stop quoting the documentation and configuration to
me?  I wrote much of it.  I'm familiar with it.  Quoting it back at me
means you're assuming I'm an idiot, and that I don't remember any of it.

> This item should be set by some module (rlm_file, rlm_ldap, possibly
> others) during the "authorize" state. Besides, rlm_mschap has no idea
> where the passwords (in any form) are stored.
> 
> Correct ?

  Yes.

>>   That is a historical artifact of the server.  See the big warnings in
>> debugging mode in 2.0.x.
> 
> In rlm_ldap I found this warning (I found just one):

  Which means you didn't see the warnings when you ran it in debugging
mode, if you even bothered to do that.

> Few lines before, it seems that it tries to copy all the attributes that
> smell like a password in the request; this warning is raised if there's
> no user pwd (from the supplicant) and/or no clear text pwd in the DB.

  Since you haven't followed instructions, you're looking at the wrong
section of the code, and are wasting your time... and mine.

>>> checkItem       User-Password                   userPassword
>>
>>   Which is wrong.  It should map to Cleartext-Password.
> 
> I understand that, but how could it be possible that my users who are not
> samba users are able to connect to the AP?

  Maybe it's magic.

> There's no LM/NT pwd for them, and there's also no "Cleartext-Password"
> because the mapping is wrong (but I've changed now). So how does
> rlm_mschap find the password ?

  Magic?

> I've looked the mschap_authenticate and it seems to look for LM pwd and
> NT pwd in the request, and to build one or both of them from the
> cleartext password if they're missing.

  Really?  I didn't know that.

  Oh wait... I did.

  I have no idea why you think it's necessary to explain the code to me.
 Maybe you're just "thinking out loud"... but this list isn't the place
to do that.

  Alan DeKok.
