Freeradius can't authenticate pptp users from Windows XP to LDAP

nf-vale nf-vale at critical-links.com
Thu Oct 8 16:28:41 CEST 2009


On Thursday 08 October 2009 15:05:24 Ivan Kalik wrote:
> Just had a look at your ldap antries again. This doesn't look right:
>
> userPassword:: dGVzdGVy
>
> Shouldn't there be just one colon?

Two colons means that it's a BASE64 encoded field.

>
> Ivan Kalik
> Kalik Informatika ISP
>
> > You can add NT / LM pairs to each LDAP user object. You must include the
> > samba.schema into the ldap server schemas.
> >
> > Ex:
> >
> > sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
> > sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE
> >
> >
> > This way pptp MSCHAP auth will work.
> >
> >
> > Nelson Vale
> >
> > On Thursday 08 October 2009 12:53:21 tede wrote:
> >> Ivan Kalik wrote:
> >> >> Debug: rlm_ldap: performing search in ou=vpn,dc=home, with filter
> >> >> (uid=light)
> >> >> Debug: rlm_ldap: No default NMAS login sequence
> >> >> Debug: rlm_ldap: looking for check items in directory...
> >> >> Debug: rlm_ldap: looking for reply items in directory...
> >> >> Debug: WARNING: No "known good" password was found in LDAP.  Are you
> >> >> sure that the user is configured correctly?
> >> >
> >> > Hm, try adding mapping for Cleartext-Password as userPassword to
> >> > ldap.attrmap.
> >> >
> >> > Ivan Kalik
> >> > Kalik Informatika ISP
> >> >
> >> > -
> >> > List info/subscribe/unsubscribe? See
> >> > http://www.freeradius.org/list/users.html
> >>
> >> Hi Ivan, first of all, thanks for answering me :)
> >>
> >> So, here is the result after adding mapping for Cleartext-Password as
> >> userPassword,
> >> as we can see in the radius mapping part of the debug :
> >>
> >>
> >> Info: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Oct
> >>  3
> >> 2009 at 19:16:29
> >> Info: Copyright (C) 1999-2008 The FreeRADIUS server project and
> >> contributors.
> >> Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR
> >> A
> >> Info: PARTICULAR PURPOSE.
> >> Info: You may redistribute copies of FreeRADIUS under the terms of the
> >> Info: GNU General Public License.
> >> Info: Starting - reading configuration files ...
> >> Debug: including configuration file /etc/freeradius/radiusd.conf
> >> Debug: including configuration file /etc/freeradius/clients.conf
> >> Debug: including configuration file /etc/freeradius/policy.conf
> >> Debug: including files in directory /etc/freeradius/sites-enabled/
> >> Debug: including configuration file
> >> /etc/freeradius/sites-enabled/default
> >> Debug: including configuration file
> >> /etc/freeradius/sites-enabled/inner-tunnel
> >> Debug: including dictionary file /etc/freeradius/dictionary
> >> Debug: main {
> >> Debug: 	prefix = "/usr"
> >> Debug: 	localstatedir = "/var"
> >> Debug: 	logdir = "/var/log/freeradius"
> >> Debug: 	libdir = "/usr/lib/freeradius"
> >> Debug: 	radacctdir = "/var/log/freeradius/radacct"
> >> Debug: 	hostname_lookups = no
> >> Debug: 	max_request_time = 30
> >> Debug: 	cleanup_delay = 5
> >> Debug: 	max_requests = 1024
> >> Debug: 	allow_core_dumps = no
> >> Debug: 	pidfile = "/var/run/freeradius/freeradius.pid"
> >> Debug: 	user = "freerad"
> >> Debug: 	group = "freerad"
> >> Debug: 	checkrad = "/usr/sbin/checkrad"
> >> Debug: 	debug_level = 0
> >> Debug: 	proxy_requests = yes
> >> Debug:  security {
> >> Debug: 	max_attributes = 200
> >> Debug: 	reject_delay = 1
> >> Debug: 	status_server = yes
> >> Debug:  }
> >> Debug: }
> >> Debug:  client localhost {
> >> Debug: 	ipaddr = 127.0.0.1
> >> Debug: 	require_message_authenticator = no
> >> Debug: 	secret = "hometest"
> >> Debug: 	nastype = "other"
> >> Debug:  }
> >> Debug:  client 192.168.0.0/24 {
> >> Debug: 	require_message_authenticator = no
> >> Debug: 	secret = "hometest"
> >> Debug: 	shortname = "private-network-1"
> >> Debug:  }
> >> Debug: radiusd: #### Loading Realms and Home Servers ####
> >> Debug: radiusd: #### Instantiating modules ####
> >> Debug:  instantiate {
> >> Debug:     (Loaded rlm_exec, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_exec
> >> Debug:  Module: Instantiating exec
> >> Debug:   exec {
> >> Debug: 	wait = yes
> >> Debug: 	input_pairs = "request"
> >> Debug: 	shell_escape = yes
> >> Debug:   }
> >> Debug:     (Loaded rlm_expr, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_expr
> >> Debug:  Module: Instantiating expr
> >> Debug:     (Loaded rlm_expiration, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_expiration
> >> Debug:  Module: Instantiating expiration
> >> Debug:   expiration {
> >> Debug: 	reply-message = "Password Has Expired  "
> >> Debug:   }
> >> Debug:     (Loaded rlm_logintime, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_logintime
> >> Debug:  Module: Instantiating logintime
> >> Debug:   logintime {
> >> Debug: 	reply-message = "You are calling outside your allowed timespan
> >> "
> >> Debug: 	minimum-timeout = 60
> >> Debug:   }
> >> Debug:  }
> >> Debug: radiusd: #### Loading Virtual Servers ####
> >> Debug: server inner-tunnel {
> >> Debug:  modules {
> >> Debug:  Module: Checking authenticate {...} for more modules to load
> >> Debug:     (Loaded rlm_pap, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_pap
> >> Debug:  Module: Instantiating pap
> >> Debug:   pap {
> >> Debug: 	encryption_scheme = "auto"
> >> Debug: 	auto_header = no
> >> Debug:   }
> >> Debug:     (Loaded rlm_chap, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_chap
> >> Debug:  Module: Instantiating chap
> >> Debug:     (Loaded rlm_mschap, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_mschap
> >> Debug:  Module: Instantiating mschap
> >> Debug:   mschap {
> >> Debug: 	use_mppe = yes
> >> Debug: 	require_encryption = no
> >> Debug: 	require_strong = no
> >> Debug: 	with_ntdomain_hack = no
> >> Debug:   }
> >> Debug:     (Loaded rlm_unix, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_unix
> >> Debug:  Module: Instantiating unix
> >> Debug:   unix {
> >> Debug: 	radwtmp = "/var/log/freeradius/radwtmp"
> >> Debug:   }
> >> Debug:     (Loaded rlm_ldap, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_ldap
> >> Debug:  Module: Instantiating ldap
> >> Debug:   ldap {
> >> Debug: 	server = "localhost"
> >> Debug: 	port = 389
> >> Debug: 	password = ""
> >> Debug: 	identity = ""
> >> Debug: 	net_timeout = 1
> >> Debug: 	timeout = 4
> >> Debug: 	timelimit = 3
> >> Debug: 	tls_mode = no
> >> Debug: 	start_tls = no
> >> Debug: 	tls_require_cert = "allow"
> >> Debug:    tls {
> >> Debug: 	start_tls = no
> >> Debug: 	require_cert = "allow"
> >> Debug:    }
> >> Debug: 	basedn = "ou=vpn,dc=home"
> >> Debug: 	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> >> Debug: 	base_filter = "(objectclass=radiusprofile)"
> >> Debug: 	password_attribute = "userPassword"
> >> Debug: 	auto_header = yes
> >> Debug: 	access_attr_used_for_allow = yes
> >> Debug: 	groupname_attribute = "cn"
> >> Debug: 	groupmembership_filter =
> >> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gr
> >>oup OfUniqueNames)(uniquemember=%{Ldap-UserDn})))" Debug:
> >> 	dictionary_mapping =
> >> "/etc/freeradius/ldap.attrmap"
> >> Debug: 	ldap_debug = 0
> >> Debug: 	ldap_connections_number = 5
> >> Debug: 	compare_check_items = no
> >> Debug: 	do_xlat = yes
> >> Debug: 	edir_account_policy_check = no
> >> Debug: 	set_auth_type = no
> >> Debug:   }
> >> Debug: rlm_ldap: Registering ldap_groupcmp for Ldap-Group
> >> Debug: rlm_ldap: Registering ldap_xlat with xlat_name ldap
> >> Debug: rlm_ldap: reading ldap<->radius mappings from file
> >> /etc/freeradius/ldap.attrmap
> >> Debug: rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
> >> Debug: rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
> >> Debug: rlm_ldap: LDAP digestHA1 mapped to RADIUS Digest-HA1
> >> Debug: rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password
> >> Debug: rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
> >> Debug: rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS
> >> Simultaneous-Use
> >> Debug: rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS
> >> Called-Station-Id
> >> Debug: rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS
> >> Calling-Station-Id
> >> Debug: rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
> >> Debug: rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
> >> Debug: rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
> >> Debug: rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
> >> Debug: rlm_ldap: LDAP ntHash mapped to RADIUS NT-Hash
> >> Debug: rlm_ldap: LDAP lmHash mapped to RADIUS LM-Hash
> >> Debug: rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
> >> Debug: rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
> >> Debug: rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
> >> Debug: rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
> >> Debug: rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS
> >> Framed-Protocol
> >> Debug: rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS
> >> Framed-IP-Address
> >> Debug: rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS
> >> Framed-IP-Netmask
> >> Debug: rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
> >> Debug: rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS
> >> Framed-Routing
> >> Debug: rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
> >> Debug: rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
> >> Debug: rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS
> >> Framed-Compression
> >> Debug: rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
> >> Debug: rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
> >> Debug: rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
> >> Debug: rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS
> >> Callback-Number
> >> Debug: rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
> >> Debug: rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS
> >> Framed-IPX-Network
> >> Debug: rlm_ldap: LDAP radiusClass mapped to RADIUS Class
> >> Debug: rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS
> >> Session-Timeout
> >> Debug: rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
> >> Debug: rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS
> >> Termination-Action
> >> Debug: rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS
> >> Login-LAT-Service
> >> Debug: rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
> >> Debug: rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS
> >> Login-LAT-Group
> >> Debug: rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
> >> Framed-AppleTalk-Link
> >> Debug: rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
> >> Framed-AppleTalk-Network
> >> Debug: rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
> >> Framed-AppleTalk-Zone
> >> Debug: rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
> >> Debug: rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
> >> Debug: rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
> >> Debug: conns: 0x85c8988
> >> Debug:  Module: Checking authorize {...} for more modules to load
> >> Debug:     (Loaded rlm_realm, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_realm
> >> Debug:  Module: Instantiating suffix
> >> Debug:   realm suffix {
> >> Debug: 	format = "suffix"
> >> Debug: 	delimiter = "@"
> >> Debug: 	ignore_default = no
> >> Debug: 	ignore_null = no
> >> Debug:   }
> >> Debug:     (Loaded rlm_files, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_files
> >> Debug:  Module: Instantiating files
> >> Debug:   files {
> >> Debug: 	usersfile = "/etc/freeradius/users"
> >> Debug: 	acctusersfile = "/etc/freeradius/acct_users"
> >> Debug: 	preproxy_usersfile = "/etc/freeradius/preproxy_users"
> >> Debug: 	compat = "no"
> >> Debug:   }
> >> Debug:  Module: Checking session {...} for more modules to load
> >> Debug:     (Loaded rlm_radutmp, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_radutmp
> >> Debug:  Module: Instantiating radutmp
> >> Debug:   radutmp {
> >> Debug: 	filename = "/var/log/freeradius/radutmp"
> >> Debug: 	username = "%{User-Name}"
> >> Debug: 	case_sensitive = yes
> >> Debug: 	check_with_nas = yes
> >> Debug: 	perm = 384
> >> Debug: 	callerid = yes
> >> Debug:   }
> >> Debug:  Module: Checking post-auth {...} for more modules to load
> >> Debug:     (Loaded rlm_attr_filter, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_attr_filter
> >> Debug:  Module: Instantiating attr_filter.access_reject
> >> Debug:   attr_filter attr_filter.access_reject {
> >> Debug: 	attrsfile = "/etc/freeradius/attrs.access_reject"
> >> Debug: 	key = "%{User-Name}"
> >> Debug:   }
> >> Debug:  }
> >> Debug: }
> >> Debug: server {
> >> Debug:  modules {
> >> Debug:  Module: Checking authenticate {...} for more modules to load
> >> Debug:  Module: Checking authorize {...} for more modules to load
> >> Debug:     (Loaded rlm_preprocess, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_preprocess
> >> Debug:  Module: Instantiating preprocess
> >> Debug:   preprocess {
> >> Debug: 	huntgroups = "/etc/freeradius/huntgroups"
> >> Debug: 	hints = "/etc/freeradius/hints"
> >> Debug: 	with_ascend_hack = no
> >> Debug: 	ascend_channels_per_line = 23
> >> Debug: 	with_ntdomain_hack = no
> >> Debug: 	with_specialix_jetstream_hack = no
> >> Debug: 	with_cisco_vsa_hack = no
> >> Debug: 	with_alvarion_vsa_hack = no
> >> Debug:   }
> >> Debug:  Module: Checking preacct {...} for more modules to load
> >> Debug:     (Loaded rlm_acct_unique, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_acct_unique
> >> Debug:  Module: Instantiating acct_unique
> >> Debug:   acct_unique {
> >> Debug: 	key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> >> Client-IP-Address, NAS-Port"
> >> Debug:   }
> >> Debug:  Module: Checking accounting {...} for more modules to load
> >> Debug:     (Loaded rlm_detail, checking if it's valid)
> >> Debug:  Module: Linked to module rlm_detail
> >> Debug:  Module: Instantiating detail
> >> Debug:   detail {
> >> Debug: 	detailfile =
> >> "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> >> Debug: 	header = "%t"
> >> Debug: 	detailperm = 384
> >> Debug: 	dirperm = 493
> >> Debug: 	locking = no
> >> Debug: 	log_packet_header = no
> >> Debug:   }
> >> Debug:  Module: Instantiating attr_filter.accounting_response
> >> Debug:   attr_filter attr_filter.accounting_response {
> >> Debug: 	attrsfile = "/etc/freeradius/attrs.accounting_response"
> >> Debug: 	key = "%{User-Name}"
> >> Debug:   }
> >> Debug:  Module: Checking session {...} for more modules to load
> >> Debug:  Module: Checking post-auth {...} for more modules to load
> >> Debug:  }
> >> Debug: }
> >> Debug: radiusd: #### Opening IP addresses and Ports ####
> >> Debug: listen {
> >> Debug: 	type = "auth"
> >> Debug: 	ipaddr = *
> >> Debug: 	port = 0
> >> Debug: }
> >> Debug: listen {
> >> Debug: 	type = "acct"
> >> Debug: 	ipaddr = *
> >> Debug: 	port = 0
> >> Debug: }
> >> Debug: main {
> >> Debug: 	snmp = no
> >> Debug: 	smux_password = ""
> >> Debug: 	snmp_write_access = no
> >> Debug: }
> >> Debug: Listening on authentication address * port 1812
> >> Debug: Listening on accounting address * port 1813
> >> Debug: Listening on proxy address * port 1814
> >> Debug: Ready to process requests.
> >> rad_recv: Access-Request packet from host 127.0.0.1 port 58943, id=90,
> >> length=144
> >> 	Service-Type = Framed-User
> >> 	Framed-Protocol = PPP
> >> 	User-Name = "light"
> >> 	MS-CHAP-Challenge = 0x0478587b0fbb0f95a407ca180b2f8a37
> >> 	MS-CHAP2-Response =
> >> 0xd300647b6787cf9c9d95e042b5ba55d38d180000000000000000261560ec809d3c64ce
> >>fc0 34d7af5be715a3570723e5dbe2f Calling-Station-Id = "192.168.0.1"
> >> 	NAS-IP-Address = 0x0101
> >> 	NAS-Port = 0
> >> Debug: +- entering group authorize
> >> Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for
> >> request 0
> >> Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess)
> >> for request 0
> >> Debug: ++[preprocess] returns ok
> >> Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 0
> >> Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request
> >> 0
> >> Debug: ++[chap] returns noop
> >> Debug:   modsingle[authorize]: calling ldap (rlm_ldap) for request 0
> >> Debug: rlm_ldap: - authorize
> >> Debug: rlm_ldap: performing user authorization for light
> >> Debug: WARNING: Deprecated conditional expansion ":-".  See "man unlang"
> >> for details
> >> Debug: 	expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=light)
> >> Debug: 	expand: ou=vpn,dc=home -> ou=vpn,dc=home
> >> Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
> >> Debug: rlm_ldap: ldap_get_conn: Got Id: 0
> >> Debug: rlm_ldap: attempting LDAP reconnection
> >> Debug: rlm_ldap: (re)connect to localhost:389, authentication 0
> >> Debug: rlm_ldap: bind as / to localhost:389
> >> Debug: rlm_ldap: waiting for bind result ...
> >> Debug: rlm_ldap: Bind was successful
> >> Debug: rlm_ldap: performing search in ou=vpn,dc=home, with filter
> >> (uid=light)
> >> Debug: rlm_ldap: No default NMAS login sequence
> >> Debug: rlm_ldap: looking for check items in directory...
> >> Debug: rlm_ldap: looking for reply items in directory...
> >> Debug: WARNING: No "known good" password was found in LDAP.  Are you
> >> sure
> >> that the user is configured correctly?
> >> Debug: rlm_ldap: user light authorized to use remote access
> >> Debug: rlm_ldap: ldap_release_conn: Release Id: 0
> >> Debug:   modsingle[authorize]: returned from ldap (rlm_ldap) for request
> >> 0
> >> Debug: ++[ldap] returns ok
> >> Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 0
> >> Debug:   rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  =
> >> mschap'
> >> Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for
> >> request 0
> >> Debug: ++[mschap] returns ok
> >> Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 0
> >> Debug:     rlm_realm: No '@' in User-Name = "light", looking up realm
> >> NULL
> >> Debug:     rlm_realm: No such realm "NULL"
> >> Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for
> >> request
> >> 0
> >> Debug: ++[suffix] returns noop
> >> Debug:   modsingle[authorize]: calling unix (rlm_unix) for request 0
> >> Debug:   modsingle[authorize]: returned from unix (rlm_unix) for request
> >> 0
> >> Debug: ++[unix] returns notfound
> >> Debug:   modsingle[authorize]: calling files (rlm_files) for request 0
> >> Debug:   modsingle[authorize]: returned from files (rlm_files) for
> >> request
> >> 0 Debug: ++[files] returns noop
> >> Debug:   modsingle[authorize]: calling expiration (rlm_expiration) for
> >> request 0
> >> Debug:   modsingle[authorize]: returned from expiration (rlm_expiration)
> >> for request 0
> >> Debug: ++[expiration] returns noop
> >> Debug:   modsingle[authorize]: calling logintime (rlm_logintime) for
> >> request 0
> >> Debug:   modsingle[authorize]: returned from logintime (rlm_logintime)
> >> for
> >> request 0
> >> Debug: ++[logintime] returns noop
> >> Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 0
> >> Debug: rlm_pap: WARNING! No "known good" password found for the user.
> >> Authentication may fail because of this.
> >> Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 0
> >> Debug: ++[pap] returns noop
> >> Debug:   rad_check_password:  Found Auth-Type mschap
> >> Debug: auth: type "MSCHAP"
> >> Debug: +- entering group MS-CHAP
> >> Debug:   modsingle[authenticate]: calling mschap (rlm_mschap) for
> >> request 0
> >> Debug:   rlm_mschap: No Cleartext-Password configured.  Cannot create
> >> LM-Password.
> >> Debug:   rlm_mschap: No Cleartext-Password configured.  Cannot create
> >> NT-Password.
> >> Debug:   rlm_mschap: Told to do MS-CHAPv2 for light with NT-Password
> >> Debug:   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform
> >> authentication.
> >> Debug:   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> >> Debug:   modsingle[authenticate]: returned from mschap (rlm_mschap) for
> >> request 0
> >> Debug: ++[mschap] returns reject
> >> Debug: auth: Failed to validate the user.
> >> Auth: Login incorrect: [light/<via Auth-Type = mschap>] (from client
> >> localhost port 0 cli 192.168.0.1)
> >> Debug:   Found Post-Auth-Type Reject
> >> Debug: +- entering group REJECT
> >> Debug:   modsingle[post-auth]: calling attr_filter.access_reject
> >> (rlm_attr_filter) for request 0
> >> Debug: 	expand: %{User-Name} -> light
> >> Debug:  attr_filter: Matched entry DEFAULT at line 11
> >> Debug:   modsingle[post-auth]: returned from attr_filter.access_reject
> >> (rlm_attr_filter) for request 0
> >> Debug: ++[attr_filter.access_reject] returns updated
> >> Debug: Delaying reject of request 0 for 1 seconds
> >> Debug: Going to the next request
> >> Debug: Waking up in 0.9 seconds.
> >> Debug: Sending delayed reject for request 0
> >> Sending Access-Reject of id 90 to 127.0.0.1 port 58943
> >> Debug: Waking up in 4.9 seconds.
> >> Debug: Cleaning up request 0 ID 90 with timestamp +7
> >> Debug: Ready to process requests.
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list