PAP/SSHA plus MS-CHAP on 2.17

Eric Swanson swanson at technologypartnerds.com
Thu Jan 14 06:59:46 CET 2010


Y'all:

Maybe this question is obvious for somebody, but I haven't been able to
find an answer so far.  I'd appreciate any help on this.

I'm setting up freeradius 2.17 with OpenLDAP on CentOS 5.3 (using the
pre-built RPM repository from
http://people.redhat.com/jdennis/freeradius-rhel-centos).  The system
needs to authenticate at least two different ways by RADIUS (plus
several others by LDAP, but that's all working fine).  Currently one
is working and the other is not.  I've worked with freeradius/LDAP
setups before, but it's been a couple years since I last did it from
scratch.

One client needs to talk MS-CHAP, and that's working great.  If it
matters I'm happy to post logs of these sessions happening, but I
presume that's irrelevant.

The other client needs to talk PAP, and it's not working right at all.

In keeping with the frequent advice of this group, I've kept the
config files as pristine as I can.  Here are all the changes I've made
since I last reverted to the default files:


[/etc/raddb]# diff ./sites-available/default.DIST ./sites-available/default
170c170
< #     ldap
---
>       ldap
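Review bot: enabling `ldap` here leaves the default `unix` entry earlier in the same authorize section active, and the debug output below shows `++[unix] returns updated` before ldap runs, i.e. unix added check items of its own for "testuser" ahead of the LDAP ones. If only the directory password is meant to decide PAP logins, comment out `unix` in authorize alongside this change.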
[/etc/raddb]# diff ./modules/ldap.DIST ./modules/ldap
33c33
<       server = "ldap.your.domain"
---
>       server = ".org"
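Review bot: `server = ".org"` is not a usable host name, while the debug output connects to muggins.my.office.org:389, so this line looks over-redacted in the post rather than being the live value. Posting the real line (with only the host part masked) would let readers confirm the ldap module config matches the log.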
36c36
<       basedn = "o=My Org,c=UA"
---
>       basedn = "dc=my,dc=office,dc=org"
116c116
<       # password_attribute = userPassword
---
>       password_attribute = userPassword
[/etc/raddb]# diff ./modules/pap.DIST ./modules/pap
17c17
<       auto_header = no
---
>       auto_header = yes
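Review bot: this setting is doing its job; the debug output shows `Normalizing SSHA1-Password from base64 encoding`, so the `{SSHA}` header on the userPassword value was recognised. auto_header only renames the attribute, though; it does not decide which of several password check items pap compares against when more than one is present, so the later `Using CRYPT encryption` line points at a different check item (a Crypt-Password added earlier in authorize), not at this change.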
[/etc/raddb]# diff ./clients.conf.DIST ./clients.conf
101c101
<       secret          = testing123
---
>       secret          = SharedSecret
234a235,240
>
> client 172.16.0.0/24 {
>       secret = SharedSecret
>       shortname = office-network
> }
>
[/etc/raddb]#


In fiddling over the past few days I've achieved several different
failure modes, but here's what a session looks like now:

rad_recv: Access-Request packet from host 172.16.0.1 port 1078, id=36, length=82
        User-Name = "testuser"
        User-Password = "user"
        Service-Type = Authenticate-Only
        NAS-Identifier = "VPNSRV"
        Message-Authenticator = 0x8e--censored--db
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
[ldap] performing user authorization for testuser
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  expand: %{User-Name} -> testuser
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap]  expand: dc=my,dc=office,dc=org -> dc=my,dc=office,dc=org
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to muggins.my.office.org:389, authentication 0
rlm_ldap: bind as / to muggins.my.office.org:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=my,dc=office,dc=org, with filter
(uid=testuser)
[ldap] Added User-Password = {SSHA}i9--censored--JI in check items
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x4338--censored--4531
rlm_ldap: sambaLmPassword -> LM-Password == 0x4637--censored--4545
[ldap] looking for reply items in directory...
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "user"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> testuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 36 to 172.16.0.1 port 1078
Waking up in 4.9 seconds.


The part that seems strange to me is that the system clearly
identifies the type of passwords we are using ("Normalizing
SSHA1-Password from base64 encoding" seems proof enough of that), but
a couple lines later PAP has decided to use CRYPT encryption for some
reason.  I can't imagine what I've done to make the system believe it
should use CRYPT instead of SSHA.

I've been developing a range of crazy theories as to what might be
going on, but I think it's time for me to see what y'all have to say.

Thanks in advance for any guidance.

E.
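
As an added illustration (not part of Eric's post and not FreeRADIUS code), this Python models the two pap steps visible in the debug output above: auto_header renaming a {SSHA}-prefixed User-Password, and pap choosing among several password check items. It assumes pap takes the first password attribute in list order and uses constructed sample values throughout.

```python
"""Model pap's auto_header normalisation and password-attribute selection."""
import base64
import hashlib

# Header-to-attribute map applied by auto_header (assumption: modelled on
# the "Normalizing ..." lines in the debug output, not copied from rlm_pap).
AUTO_HEADERS = {"{crypt}": "Crypt-Password", "{md5}": "MD5-Password",
                "{smd5}": "SMD5-Password", "{sha}": "SHA-Password",
                "{ssha}": "SSHA1-Password", "{nt}": "NT-Password",
                "{lm}": "LM-Password"}
PASSWORD_ATTRS = ("User-Password",) + tuple(AUTO_HEADERS.values())

def make_ssha(password, salt):
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password, b64):
    """Verify a password against the base64 body of an {SSHA} value."""
    raw = base64.b64decode(b64)
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode() + salt).digest() == digest

def normalize(check_items):
    """auto_header: turn User-Password = {hdr}... into the matching attribute."""
    out = []
    for name, value in check_items:
        if name == "User-Password" and value.startswith("{"):
            header, _, rest = value.partition("}")
            attr = AUTO_HEADERS.get((header + "}").lower())
            if attr:
                out.append((attr, rest))
                continue
        out.append((name, value))
    return out

def select_password(check_items):
    """First password attribute in list order wins (assumption: this is what
    the 'Using CRYPT encryption' choice in the debug output suggests)."""
    for name, value in check_items:
        if name in PASSWORD_ATTRS:
            return name, value
    return None

# Constructed check list in authorize order: unix (Crypt-Password) ran
# before ldap (User-Password with {SSHA} header), as in the debug output.
CHECK_ITEMS = [("Crypt-Password", "$1$constructed$placeholder"),
               ("User-Password", make_ssha("user", b"salt"))]
```

With the unix entry present, select_password picks Crypt-Password; with only the LDAP items it picks SSHA1-Password and check_ssha verifies "user".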