Renaming during Machine Authentication

Phil Mayers p.mayers at imperial.ac.uk
Sat May 21 11:08:05 CEST 2011


On 05/20/2011 10:33 PM, Mark Jones wrote:
> Here is the latest debug...Im not sure what to try next.

Latest debug... ok, what has changed?


> rad_recv: Access-Request packet from host 10.152.0.100 port 32819,
> id=186, length=216
> NAS-IP-Address = 10.152.0.100
> NAS-Port = 0
> NAS-Port-Type = Wireless-802.11
> User-Name = "host/TEST-11501.hpsd48.ab.ca"
> Calling-Station-Id = "00265EE9B2CA"
> Called-Station-Id = "000B86611894"
> MS-CHAP-Challenge = 0xa389f8f8a19c2761c3f31128115bac7f
> MS-CHAP2-Response =
> 0x0800afc6531b8f43785e186a0578c795c13b00000000000000005f4828b8f016c112e3e453505d0c203f7172ad8a40f17c02
> Service-Type = Login-User
> Aruba-Essid-Name = "HPSD_RAD2"
> Aruba-Location-Id = "Tech 01"

This is still a plain MSCHAP request, indicating that the Aruba 
equipment is still terminating the PEAP itself, and translating the 
EAP-MSCHAP to plain MSCHAP. As per my previous emails, I recommend you 
change this.

> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> ++[mschap] returns ok
> ++[digest] returns noop
> [suffix] No '@' <mailto:'@'> in User-Name =
> "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> [ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca

So this is a full host/name.domain.com now - what did you change?

> [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$)
> [ldap] expand: o=hpsd_48 -> o=hpsd_48
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] (re)connect to 172.17.152.4:636, authentication 0
> [ldap] setting TLS mode to 1
> [ldap] bind as cn=admin,o=hpsd_48/xxxxxx to 172.17.152.4:636
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$)
> [ldap] Added the eDirectory password xxxxxx in check items as
> Cleartext-Password

Ok, you're using Novell eDir here? Are you using DSFW?

I know almost nothing about Novell, but a recent poster to the list was 
using eDir and DFSW, and he suggested that you need to:

  1. use LDAP/eDir for users
  2. use Samba/ntlm_auth for machines

See here:

https://lists.freeradius.org/pipermail/freeradius-users/2011-May/msg00069.html

> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set. Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca
> [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with
> NT-Password
> [mschap] FAILED: MS-CHAP2-Response is incorrect

Again, only three possible choices:

  1. The client is sending the wrong data (i.e password - unlikely)
  2. The server is using the wrong data (i.e. password from LDAP is 
incorrect)
  3. Something is fiddling with the data in-flight (e.g. Aruba messing 
with the EAP)



More information about the Freeradius-Users mailing list