802.1x ->Radius ->Ldap

Kyle Plimack kplimack at videoegg.com
Fri Jun 18 20:11:50 CEST 2010


Doing an ldapsearch put me on the right track, I had created a user 'radiusd', but that user did not have the rights to request the userPassword.

The error I am getting now is:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for kplimack with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

I added an entry to ldap.attrmap, "checkItem   Cleartext-Password  userPassword"
The Password is not cleartext, but I read somewhere that radius is supposed to figure that out automatically from a header.  This is what is returned:

rlm_ldap: userPassword -> Cleartext-Password == "{SSHA}xQjX16XbCUSXpiR2y****************"


Full Log:
http://pastebin.com/ZJuPsyrb




On 6/18/10 7:14 AM, "John Dennis" <jdennis at redhat.com> wrote:

On 06/18/2010 02:01 AM, Alan DeKok wrote:
> Kyle Plimack wrote:
>> I have pap working (i.e.  I ran radtest and got an access-accept).
>> I don't want to configure certs on each of my hosts for each of my
>> clients, so I'd like to use PEAP/msChapV2 so that dot1x clients are
>> prompted for a username/password.
>>
>> According to the deployingradius.com guide, once pap is working,
>> mschapv2 should "just work".  It doesn't.
>
>    Your debug output shows you are using PEAP.  That is *not* MSCHAPv2.
>
>> I've put the log on pastebin where it is formatted in a more friendly way
>> http://pastebin.com/9tSjQW1f
>
>    You have added "ldap" to the "inner-tunnel" section.  That's good.
> You haven't read the WARNING in the debug output, as pointed out by
> John.  That's bad.
>
>    The server NEEDS a "known good" password in order to authenticate the
> user.  The LDAP server didn't supply one.  Ensure that that LDAP server
> returns a password.  It *will* work.

Do an ldapsearch on the command line for the user to see what is getting
returned to radius. Look for the password attributes: are they there? Is
there a cleartext password rather than just hashes? Does the cleartext
password attribute in ldap match the password attribute in your radius
ldap config (by default it's userPassword)? Does your
/etc/raddb/ldap.attrmap file have this line?

checkItem   Cleartext-Password      userPassword

Don't forget to put an ACL on the password attributes in ldap, you don't
want others to be able to read them! If you don't want to store
cleartext passwords you'll need to restrict the protocols you support.

--
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
