ldap machine account auth tutorial

Phil Mayers p.mayers at imperial.ac.uk
Mon Feb 1 17:34:12 CET 2010


On 01/02/10 16:04, cd wrote:
> thanks Phil
>
> but it looks like I get an Access-Accept without LDAP password validation ??!

Please don't email me directly; I'm on the list.

> rad_recv: Access-Request packet from host 192.168.10.254 port 1024, id=151, length=136
> NAS-IP-Address = 10.172.253.110
> NAS-Port-Type = Ethernet
> Service-Type = Framed-User
> Message-Authenticator = 0xe35737afd4fb25d9a9cab4dc24bffa77
> NAS-Port = 10
> Framed-MTU = 1490
> User-Name = "host/crid72-42ee2079"
> Calling-Station-Id = "00-0C-29-7E-44-54"
> EAP-Message = 0x020d001901686f73742f6372696437322d3432656532303739

SNIP; your LDAP debugging level is way, way too high. It's very hard to 
read the debugging output.

> rlm_ldap: sambaNtPassword ->  NT-Password == 0x3241384242423239424546354639314230324146363837323930414442344637

> [ldap_admin] performing user authorization for host/crid72-42ee2079

...why are you running 2 LDAP modules?

> +++[ldap_sw] returns ok
> ++- policy redundant returns ok
> rlm_ldap: Entering ldap_groupcmp()

> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
> } # server inner-tunnel
> Sending Access-Challenge of id 151 to 192.168.10.254 port 1024
> EAP-Message = 0x010e002e1a010e002910924d24419c6082e80c304f8d76c22109686f73742f6372696437322d3432656532303739
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x517b79b8517563ae61de7219537f52df

Ok, so EAP challenge sent.

> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP NAK
> [eap] EAP-NAK asked for EAP-Type/peap


So it's using PEAP. Then after lots and lots of unnecessary LDAP debug 
output:

> Sending Access-Accept of id 161 to 192.168.10.254 port 1024
> User-Name = "host/crid72-42ee2079"
> MS-MPPE-Recv-Key = 0xc83951c8f97b57386194b58be2d66edbe3a7b37cbaead57df65c61d64cea65e1
> MS-MPPE-Send-Key = 0xeefc2477dc12da93c583c05676c8474a66fd2ad11b1cd90ef3ff575dcf876010
> EAP-Message = 0x03170004
> Message-Authenticator = 0x00000000000000000000000000000000

It succeeds. So what's the problem?

Radius looked the NT password up in LDAP, and did a PEAP/MS-CHAP against 
it. It worked.
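An added illustration of the point Phil makes here (not code from the thread or from FreeRADIUS itself): the server side of PEAP/MS-CHAPv2 needs only the NT hash, so once rlm_ldap has mapped sambaNtPassword onto NT-Password there is nothing left to bind to LDAP with, and an Access-Accept without an LDAP bind is the expected outcome. The Go below, with assumed function names (ntHashFromDebugLine, challengeHash, desKey, ntResponse, verifyNTResponse), decodes the hash from the NT-Password debug line quoted above, then runs the RFC 2759 ChallengeHash/ChallengeResponse computation on constructed challenges, once as the supplicant and once as the server. Everything except that quoted line is constructed.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// ntHashFromDebugLine pulls the NT hash out of an rlm_ldap debug line of the form
//   rlm_ldap: sambaNtPassword ->  NT-Password == 0x3241...
// The 0x... value is the hex encoding of the attribute's ASCII text, and that text
// is itself the 32-character hex NT hash, so it is hex-decoded twice.
func ntHashFromDebugLine(line string) ([16]byte, error) {
	var h [16]byte
	const marker = "NT-Password == 0x"
	idx := strings.Index(line, marker)
	if idx < 0 {
		return h, fmt.Errorf("no NT-Password value in line")
	}
	ascii, err := hex.DecodeString(strings.TrimSpace(line[idx+len(marker):]))
	if err != nil {
		return h, err
	}
	raw, err := hex.DecodeString(string(ascii))
	if err != nil || len(raw) != len(h) {
		return h, fmt.Errorf("NT hash is not 16 bytes (decode error: %v)", err)
	}
	copy(h[:], raw)
	return h, nil
}

// challengeHash is ChallengeHash() from RFC 2759 section 8.2:
// the first 8 bytes of SHA1(PeerChallenge | AuthenticatorChallenge | UserName).
func challengeHash(peerChallenge, authChallenge [16]byte, username string) [8]byte {
	h := sha1.New()
	h.Write(peerChallenge[:])
	h.Write(authChallenge[:])
	h.Write([]byte(username))
	var out [8]byte
	copy(out[:], h.Sum(nil)[:8])
	return out
}

// desKey spreads a 7-byte (56-bit) key over 8 bytes, seven key bits per byte with
// the low bit left for DES parity (RFC 2759 section 8.6). Go's crypto/des ignores
// the parity bit, so it is simply left clear.
func desKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	k8[0] = k7[0] & 0xfe
	for i := 1; i < 7; i++ {
		k8[i] = (k7[i-1]<<uint(8-i) | k7[i]>>uint(i)) & 0xfe
	}
	k8[7] = (k7[6] << 1) & 0xfe
	return k8
}

// ntResponse is ChallengeResponse() from RFC 2759 section 8.5: the 16-byte NT hash is
// zero-padded to 21 bytes, cut into three 7-byte keys, and each key DES-encrypts the
// 8-byte challenge, giving the 24-byte NT-Response. Only the hash is ever needed.
func ntResponse(challenge [8]byte, ntHash [16]byte) ([24]byte, error) {
	var padded [21]byte
	copy(padded[:], ntHash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		block, err := des.NewCipher(desKey(padded[7*i : 7*i+7]))
		if err != nil {
			return resp, err
		}
		block.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return resp, nil
}

// verifyNTResponse is the server-side check done with the NT-Password fetched from
// LDAP: recompute the expected NT-Response and compare it in constant time.
func verifyNTResponse(username string, authChallenge, peerChallenge [16]byte, ntResp [24]byte, ntHash [16]byte) (bool, error) {
	expected, err := ntResponse(challengeHash(peerChallenge, authChallenge, username), ntHash)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(expected[:], ntResp[:]) == 1, nil
}

func main() {
	// The NT-Password line exactly as it appeared in the quoted debug output.
	ntHash, err := ntHashFromDebugLine("rlm_ldap: sambaNtPassword ->  NT-Password == 0x3241384242423239424546354639314230324146363837323930414442344637")
	if err != nil {
		panic(err)
	}
	// Constructed challenges; in a real exchange both are random, one from each side.
	var authChallenge, peerChallenge [16]byte
	for i := range authChallenge {
		authChallenge[i], peerChallenge[i] = byte(i), byte(0xf0-i)
	}
	const user = "host/crid72-42ee2079"
	clientResp, _ := ntResponse(challengeHash(peerChallenge, authChallenge, user), ntHash) // supplicant
	ok, _ := verifyNTResponse(user, authChallenge, peerChallenge, clientResp, ntHash)       // server
	fmt.Printf("NT hash from LDAP: %x\nNT-Response verified: %v\n", ntHash, ok)
}
```

The practical consequence for anyone mirroring this setup: whatever can read sambaNTPassword from the directory holds a password-equivalent for that machine account, so the attribute should be readable only by the RADIUS server's bind DN, and the rlm_ldap debug level that prints it (as in the quoted output) should not be left on in production.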


