Password Encryption
rrperez
rrperez at apc.edu.ph
Tue Aug 10 07:11:05 CEST 2010
Thanks for the response, David.
Now I have solved the problem locally by putting an attribute in the
ldap.attrmap, but another problem appears through the wireless network:
MSCHAPv2 fails.
Here is the debug:
rad_recv: Access-Request packet from host 10.96.100.205 port 3474, id=0,
length=141
User-Name = "kgalmarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0xad0c602caf0879e361d2fc32a03924cb
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400061900
Message-Authenticator = 0x1a992ae101dc19bed2e015caf2bbeb6a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kgalmarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 3474
EAP-Message =
0x0105009e19006f0fd8a5dc5276fa83706f679780f3e60b36f5b3489d5551b7dc0590f2ddf6959d4ba9550b38329c20dce0ab3182205608a19b3d2964953695b467af4cd29ade6a679b18dfa5492a4286fe5b2a13c12d8305450e32b2441a68b97f9701655d60ad7d399f3b693b9562b3353d3bd5d730cab42857c0e5edb72fde0d9b70eeb03dd0afd787e1ceede01810d2c9e83bdc16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xad0c602cae0979e361d2fc32a03924cb
Finished request 26.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 3476, id=0,
length=473
User-Name = "kgalmarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0xad0c602cae0979e361d2fc32a03924cb
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020501501980000001461603010106100001020100c542f62acfbd366e8405d3adff312ebd94735bf3ac304ad3d77181e4c4b0bf44d9be0535950cbaf69c37070037d4d133dc89c0380dc5316ffc95990b89ece6edae37e693b36394f8b2083dfc51ed6c2299bd79d12f6092575821119d33adde80ab4ef139676595fbc92634f37fdcff35aeffa0c74679911a2da24a69d8072e5c579c3e54013399a1234e73ea4d46abc6d9ef9f244a6b71156299361fa64df7e35a3294a06ea27ef2994bd4c92a48d1c2bab9e93b0d2013d031870c916565ea72ab93ea251c8b0a7866e20f784d606e8ad1e1166304fe1bc6e6a5314b0e985faa24aa65282a8c8e40
EAP-Message =
0x9b50d5596b8eb762b310f7f4eff103bd4fd97a3befdafea71403010001011603010030a680505c090eb82a07d19dc8803018fcd9f8267117d19d5b292f0c04f0cbcc9eaa3aba3957e5f79f3e79d380940620cf
Message-Authenticator = 0x6037a94f2dacb582d4754d31502219ab
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kgalmarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 3476
EAP-Message =
0x0106004119001403010001011603010030128464a588d53c8a4b6235b1e461217101864b8e71d1a5e83c6b3b7f7ea8f29b130286a84db48714e04005fb560fd728
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xad0c602ca90a79e361d2fc32a03924cb
Finished request 27.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 3478, id=0,
length=141
User-Name = "kgalmarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0xad0c602ca90a79e361d2fc32a03924cb
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020600061900
Message-Authenticator = 0x9d8dfc736e1c22a4314d7aa160c5ea11
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kgalmarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 3478
EAP-Message =
0x0107002b190017030100203f0b8da669b9347ac0886ca305a901f2a7bf50c2e3c5c0b5b95ab558820f1b7f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xad0c602ca80b79e361d2fc32a03924cb
Finished request 28.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 3480, id=0,
length=178
User-Name = "kgalmarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0xad0c602ca80b79e361d2fc32a03924cb
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0207002b19001703010020310fb390754a0699925dada77e3a377bde515be9847340533953d3b41a159a79
Message-Authenticator = 0x7d16904deafc08a2e3947d16eb0d4c56
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kgalmarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - kgalmarez
[peap] Got tunneled request
EAP-Message = 0x0207000e016b67616c6d6172657a
server {
PEAP: Got tunneled identity of kgalmarez
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to kgalmarez
Sending tunneled request
EAP-Message = 0x0207000e016b67616c6d6172657a
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "kgalmarez"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "kgalmarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry kgalmarez at line 95
++[files] returns ok
[ldap] performing user authorization for kgalmarez
[ldap] expand: %{Stripped-User-Name} ->
[ldap] expand: %{User-Name} -> kgalmarez
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=kgalmarez)
[ldap] expand: dc=testldap1,dc=test,dc=corpoff ->
dc=testldap1,dc=test,dc=corpoff
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testldap1,dc=test,dc=corpoff, with filter
(uid=kgalmarez)
[ldap] looking for check items in directory...
rlm_ldap: userPassword -> User-Password ==
"{crypt}$1$3rOzYhpM$iBPcRQdUVkW4x6BxpUrNO0"
[ldap] looking for reply items in directory...
[ldap] user kgalmarez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010800231a0108001e108c4aca055aec2ed994cff2e383755b8f6b67616c6d6172657a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2c1b34c32c132e7886182821520901eb
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010800231a0108001e108c4aca055aec2ed994cff2e383755b8f6b67616c6d6172657a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2c1b34c32c132e7886182821520901eb
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 3480
EAP-Message =
0x0108004b19001703010040c48fd3b6a88a8dc11aa312f383f04bbcbec5e0b2c3ef04cb84d396ec3ba3c4469d42b77a3a97fa3b3e886481fc23ab29413b348872a8d7bd9582d37947f1f3e9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xad0c602cab0479e361d2fc32a03924cb
Finished request 29.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 3482, id=0,
length=242
User-Name = "kgalmarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0xad0c602cab0479e361d2fc32a03924cb
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0208006b190017030100600b6f5a0fda2fdc2779755ef1f3d92b36cd2e1f71e1f9183d9210c36a7e791f0810e1bb1f23ed4404a5660adc23bd51b0ca74401684d786fe42eb40e8717b6dd041ec15ac6d7f3c4c2929f8dbd11fc126f6775b4feb2e88d27ea9d802161b8e67
Message-Authenticator = 0x85d69ad69206158d4d5f75154b71d6c6
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kgalmarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020800441a0208003f31151b7d14a7f10fbe1ffe01e50d3bfcf800000000000000007920079161e59ed5e4f0452a30a70e7f92fdeb49b9485b8c006b67616c6d6172657a
server {
PEAP: Setting User-Name to kgalmarez
Sending tunneled request
EAP-Message =
0x020800441a0208003f31151b7d14a7f10fbe1ffe01e50d3bfcf800000000000000007920079161e59ed5e4f0452a30a70e7f92fdeb49b9485b8c006b67616c6d6172657a
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "kgalmarez"
State = 0x2c1b34c32c132e7886182821520901eb
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "kgalmarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry kgalmarez at line 95
++[files] returns ok
[ldap] performing user authorization for kgalmarez
[ldap] expand: %{Stripped-User-Name} ->
[ldap] expand: %{User-Name} -> kgalmarez
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=kgalmarez)
[ldap] expand: dc=testldap1,dc=test,dc=corpoff ->
dc=testldap1,dc=test,dc=corpoff
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testldap1,dc=test,dc=corpoff, with filter
(uid=kgalmarez)
[ldap] looking for check items in directory...
rlm_ldap: userPassword -> User-Password ==
"{crypt}$1$3rOzYhpM$iBPcRQdUVkW4x6BxpUrNO0"
[ldap] looking for reply items in directory...
[ldap] user kgalmarez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for kgalmarez with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.96.100.205 port 3482
EAP-Message =
0x0109002b19001703010020e012cc0b3cad898588189afb15506efef9e3a869b363f0922ab0d48e1d770c1f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xad0c602caa0579e361d2fc32a03924cb
Finished request 30.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.96.100.205 port 3484, id=0,
length=178
User-Name = "kgalmarez"
NAS-IP-Address = 10.96.100.205
Called-Station-Id = "0014bf8abbc5"
Calling-Station-Id = "002682a0ed7d"
NAS-Identifier = "0014bf8abbc5"
NAS-Port = 48
Framed-MTU = 1400
State = 0xad0c602caa0579e361d2fc32a03924cb
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0209002b190017030100205b5eadc70f2e71d647f1d2ae8df2d85c39a9eb30ab66d8cbb3ccaa2940132841
Message-Authenticator = 0x261a660bb45a54fef98341b392f060f2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kgalmarez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> kgalmarez
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 31 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 31
Sending Access-Reject of id 0 to 10.96.100.205 port 3484
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 23 ID 0 with timestamp +766
Cleaning up request 24 ID 0 with timestamp +766
Cleaning up request 25 ID 0 with timestamp +766
Cleaning up request 26 ID 0 with timestamp +766
Cleaning up request 27 ID 0 with timestamp +766
Cleaning up request 28 ID 0 with timestamp +766
Cleaning up request 29 ID 0 with timestamp +766
Cleaning up request 30 ID 0 with timestamp +766
Waking up in 1.0 seconds.
Cleaning up request 31 ID 0 with timestamp +766
Ready to process requests.
Is there a way for me to solve the mschapv2 error?
--
View this message in context: http://old.nabble.com/Password-Encryption-tp29393526p29394307.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
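The decisive lines in the debug output are `rlm_ldap: userPassword -> User-Password == "{crypt}$1$..."` followed by `[mschap] No Cleartext-Password configured. Cannot create NT-Password.` and `FAILED: No NT/LM-Password`. MS-CHAPv2 proves knowledge of the NT hash (MD4 over the UTF-16LE password), so rlm_mschap can only work when it has Cleartext-Password or NT-Password available; a crypt()/SHA digest from LDAP is one-way and cannot be turned into either, and the `E=691` in MS-CHAP-Error is just the generic authentication-failure code that results. The script below is an added example, not code from the post or from FreeRADIUS: it scans a `radiusd -X` excerpt (the key lines quoted from the post, embedded as sample input) for the stored-password scheme and the rlm_mschap failure reasons, and it derives NT-Password from a cleartext password with a pure-Python MD4 so the reader can see what value a directory would need to hold. The set of `{header}` names treated as NT-capable (`clear`, `cleartext`, `nt`, `x-nthash`) follows rlm_pap's header normalisation as I recall it and should be checked against the installed rlm_pap; the test password `password` is constructed.

```python
"""Triage for the PEAP/MS-CHAPv2 reject in the debug output above (added example)."""
import re
import struct

# Key lines quoted from the post's radiusd -X output (LDAP check item + rlm_mschap result).
SAMPLE_DEBUG = """
rlm_ldap: userPassword -> User-Password == "{crypt}$1$3rOzYhpM$iBPcRQdUVkW4x6BxpUrNO0"
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for kgalmarez with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
MS-CHAP-Error = "\\010E=691 R=1"
"""

_CHECK_ITEM = re.compile(r'User-Password == "\{(?P<scheme>[^}]+)\}')
_MSCHAP_FAIL = re.compile(r"\[mschap\] FAILED: (?P<reason>.+)")
_MSCHAP_ERR = re.compile(r'MS-CHAP-Error = ".*?E=(?P<code>\d+)')

# Stored forms from which rlm_mschap can obtain the NT hash. Assumption: these
# header names match rlm_pap's normalisation ({clear}/{cleartext} -> Cleartext-Password,
# {nt}/{x-nthash} -> NT-Password). {crypt}, {md5}, {smd5}, {sha}, {ssha} are one-way
# digests that only PAP can verify.
NT_CAPABLE_SCHEMES = {"clear", "cleartext", "nt", "x-nthash"}


def scheme_supports_mschapv2(scheme: str) -> bool:
    """True if a password stored with this {header} lets MS-CHAPv2 succeed."""
    return scheme.lower() in NT_CAPABLE_SCHEMES


def diagnose(debug_text: str) -> dict:
    """Extract the password scheme, rlm_mschap failure reasons and MS-CHAP-Error
    code from a radiusd -X excerpt and say whether the password format is the cause."""
    m = _CHECK_ITEM.search(debug_text)
    scheme = m.group("scheme") if m else None
    reasons = _MSCHAP_FAIL.findall(debug_text)
    e = _MSCHAP_ERR.search(debug_text)
    code = int(e.group("code")) if e else None
    format_is_cause = (scheme is not None and not scheme_supports_mschapv2(scheme)
                       and any("No NT/LM-Password" in r for r in reasons))
    return {"scheme": scheme, "mschap_failures": reasons, "mschap_error": code,
            "root_cause_is_password_format": format_is_cause}


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is missing on many OpenSSL 3 builds)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Pad to 56 mod 64 bytes, then append the bit length little-endian.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = _rotl((a + h(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = ((A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF,
                      (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF)
    return struct.pack("<4I", A, B, C, D)


def nt_password(password: str) -> str:
    """NT-Password value: hex of MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex().upper()


if __name__ == "__main__":
    report = diagnose(SAMPLE_DEBUG)
    for key, value in report.items():
        print(f"{key}: {value}")
    # Constructed test password; this is the form a directory must hold for MS-CHAPv2.
    print("NT-Password for 'password':", nt_password("password"))
```

Running it against the excerpt reports scheme `crypt`, two rlm_mschap failure reasons, error code 691 and `root_cause_is_password_format: True`, which is the answer to the question above: the reject is not an EAP or TLS problem but the stored password form. The directory must expose either the cleartext password or an NT-Password (the MD4 value shown) to the inner tunnel; the existing `{crypt}` digest cannot be converted into it.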