Problems between 2.1.8 and 2.1.9 with NT-Password and LDAP

Miquel Canes miquelcanes at gmail.com
Wed Sep 29 15:29:57 CEST 2010


Hello,
I'm having some trouble updating the FreeRadius version between 2.1.8
and 2.1.9.

I'm using two different machines with very similar configurations
(some changes in clients.conf and other small changes), one with the
2.1.8 and the other with the 2.1.9 version.

FreeRadius 2.1.8 is working perfectly, but FreeRadius 2.1.9 fails with
the NT-Password stored in LDAP.
Authentication with NT-Password fails on FreeRadius 2.1.9.

I have the two output files:

FreeRadius 2.1.8 output file http://pastebin.ca/1951039
FreeRadius 2.1.9 output file http://pastebin.ca/1951040

These files contain more than 1500 lines of output, so checking them is not fast.

So I think that the main problem is located in this part of the 2.1.9 output
(near line 1100):

[ldapuser] performing user authorization for user
[ldapuser]      expand: (&(uid=%{User-Name})) -> (&(uid=user))
[ldapuser]      expand: ou=Auten,o=xx,c=es -> ou=Auten,o=xx,c=es
  [ldapuser] ldap_get_conn: Checking Id: 0
  [ldapuser] ldap_get_conn: Got Id: 0
  [ldapuser] performing search in ou=Auten,o=xx,c=es, with filter (&(uid=user))
[ldapuser] looking for check items in directory...
  [ldapuser] ntPassword -> NT-Password ==
0x3641343935364634344242333245413934324241424544303242363337344641
[ldapuser] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?
[ldapuser] user user authorized to use remote access
  [ldapuser] ldap_release_conn: Release Id: 0
++[ldapuser] returns ok
[eap] EAP packet type response id 141 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x028d00411a028d003c31b02eb642fafae8883512337347472ebb000000000000000073bf979f67d820f838c095f2805eea20b933d3c63f40a4c1006d63616e6573
server  {
  PEAP: Setting User-Name to user
Sending tunneled request
        EAP-Message =
0x028d00411a028d003c31b02eb642fafae8883512337347472ebb000000000000000073bf979f67d820f838c095f2805eea20b933d3c63f40a4c1006d63616e6573
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "user"
        State = 0x5bf416ba5b790c781a701a2fac1738f6
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 141 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for user with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject


As I can see, NT-Password from LDAP is not found by the mschap module.

Checking this part of the output against the 2.1.8 file, I got this
(correct output from the 2.1.8 version, near line 1200):


[ldapuser] performing user authorization for user
[ldapuser]      expand: (&(uid=%{User-Name})) -> (&(uid=user))
[ldapuser]      expand: ou=Auten,o=xx,c=es -> ou=Auten,o=xx,c=es
  [ldapuser] ldap_get_conn: Checking Id: 0
  [ldapuser] ldap_get_conn: Got Id: 0
  [ldapuser] performing search in ou=Auten,o=xx,c=es, with filter (&(uid=user))
[ldapuser] looking for check items in directory...
  [ldapuser] ntPassword -> NT-Password ==
0x3641343935364634344242333245413934324241424544303242363337344641
[ldapuser] looking for reply items in directory...
  [ldapuser] uid -> User = "user"
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?
[ldapuser] user user authorized to use remote access
  [ldapuser] ldap_release_conn: Release Id: 0
++[ldapuser] returns ok
[eap] EAP packet type response id 135 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x028700411a0287003c31d0cc5502bcdeef559de609c8268f3dd300000000000000003011b20a6a21675e82f3d176866be42295a9ba4e0ea4bd87006d63616e6573
server  {
  PEAP: Setting User-Name to user
Sending tunneled request
        EAP-Message =
0x028700411a0287003c31d0cc5502bcdeef559de609c8268f3dd300000000000000003011b20a6a21675e82f3d176866be42295a9ba4e0ea4bd87006d63616e6573
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "user"
        State = 0x23676bf823e071513e7de13f5545f696
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 135 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldapuser] performing user authorization for user
[ldapuser]      expand: (&(uid=%{User-Name})) -> (&(uid=user))
[ldapuser]      expand: ou=Auten,o=xx,c=es -> ou=Auten,o=xx,c=es
  [ldapuser] ldap_get_conn: Checking Id: 0
  [ldapuser] ldap_get_conn: Got Id: 0
  [ldapuser] performing search in ou=Auten,o=xx,c=es, with filter (&(uid=user))
[ldapuser] looking for check items in directory...
  [ldapuser] ntPassword -> NT-Password ==
0x3641343935364634344242333245413934324241424544303242363337344641
[ldapuser] looking for reply items in directory...
  [ldapuser] uid -> User = "user"
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?
[ldapuser] user user authorized to use remote access
  [ldapuser] ldap_release_conn: Release Id: 0
++[ldapuser] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Told to do MS-CHAPv2 for user with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok


NT-Password is found here and authentication works correctly on the
next handled request.


How can I fix this error? Did any change between versions alter the
method used to check NT-Password from LDAP?


I have no ideas about how to fix this problem.


I understand that checking big debug outputs is not easy. But if somebody
can give me a hand, I appreciate it.


Thank you,
Miquel
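The two excerpts quoted in the post differ inside `server inner-tunnel {`: in the 2.1.8 run `[ldapuser]` is called again in the inner-tunnel authorize section, pap reports "Normalizing NT-Password from hex encoding", and mschap then logs "Found NT-Password"; in the 2.1.9 run neither the ldapuser nor the pap normalization line appears and mschap rejects with "No NT/LM-Password". The script below is an added illustration, not part of the post and not FreeRADIUS code. It scans an inner-tunnel debug excerpt for exactly those markers and decodes the NT-Password value the ldap module logged (the `0x...` octet string, which in this directory holds the NT hash as 32 ASCII hex characters). The normalization step is my approximation of what the pap debug line reports, not rlm_pap's implementation; the trimmed sample logs are taken verbatim from the post.

```python
import re

# Sample input: trimmed inner-tunnel portions of the two debug excerpts in the post.
INNER_TUNNEL_2_1_9 = """\
server inner-tunnel {
+- entering group authorize {...}
++[mschap] returns noop
++[files] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] returns reject
"""

INNER_TUNNEL_2_1_8 = """\
server inner-tunnel {
+- entering group authorize {...}
++[mschap] returns noop
++[files] returns noop
[ldapuser] performing user authorization for user
  [ldapuser] ntPassword -> NT-Password ==
0x3641343935364634344242333245413934324241424544303242363337344641
++[ldapuser] returns ok
[pap] Normalizing NT-Password from hex encoding
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[mschap] Found NT-Password
++[mschap] returns ok
"""


def decode_octets(value: str) -> bytes:
    """Decode a FreeRADIUS debug octet string ("0x3641...") into raw bytes."""
    if not value.startswith("0x"):
        raise ValueError("expected a 0x-prefixed octet string")
    return bytes.fromhex(value[2:])


def normalize_nt_password(raw: bytes) -> bytes:
    """Return the 16-byte NT hash (approximation of pap's hex normalization, assumed).

    The directory may store the hash as 16 raw bytes or, as in the post, as 32 hex
    characters; the latter is decoded once more so mschap receives raw hash bytes.
    """
    if len(raw) == 16:
        return raw
    if len(raw) == 32 and re.fullmatch(rb"[0-9A-Fa-f]{32}", raw):
        return bytes.fromhex(raw.decode("ascii"))
    raise ValueError(f"unexpected NT-Password length {len(raw)}")


def extract_nt_password(log: str):
    """Find the NT-Password check item the ldap module logged, normalized, or None."""
    m = re.search(r"NT-Password ==\s*(0x[0-9A-Fa-f]+)", log)
    return normalize_nt_password(decode_octets(m.group(1))) if m else None


def diagnose_inner_tunnel(log: str) -> dict:
    """Report which NT-Password-related steps ran inside the inner-tunnel server."""
    start = log.find("server inner-tunnel {")
    if start < 0:
        raise ValueError("no inner-tunnel section in this excerpt")
    section = log[start:]
    # mschap returns noop in authorize and the real verdict in authenticate: take the last.
    verdicts = re.findall(r"\+\+\[mschap\] returns (\w+)", section)
    return {
        "ldap_ran": "[ldapuser] performing user authorization" in section,
        "pap_normalized": "[pap] Normalizing NT-Password from hex encoding" in section,
        "nt_password": extract_nt_password(section),
        "mschap_found_nt_password": "[mschap] Found NT-Password" in section,
        "mschap_result": verdicts[-1] if verdicts else None,
    }


if __name__ == "__main__":
    for label, excerpt in (("2.1.9", INNER_TUNNEL_2_1_9), ("2.1.8", INNER_TUNNEL_2_1_8)):
        report = diagnose_inner_tunnel(excerpt)
        nt = report["nt_password"]
        print(label, {**report, "nt_password": nt.hex() if nt else None})
```

Run against the 2.1.9 excerpt the report shows no ldapuser call, no normalization and a reject; against the 2.1.8 excerpt it shows both steps and the 16-byte hash, which is the difference to look for in the inner-tunnel authorize configuration of the two servers.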


