RADIUS + LDAP authentication problem

Matthew Newton mcn4 at leicester.ac.uk
Wed Apr 25 13:45:46 CEST 2012


Hi,

On Wed, Apr 25, 2012 at 01:47:09PM +0300, Alexander Kulbiy wrote:
> Hello all,
> 
> I'm trying to configure RADIUS server that would be used for authentication
> of users in Wi-Fi network with WPA-enterprise encryption. To do this I'm
> trying to use EAP + LDAP inside of freeradius.

You're using TTLS/MS-CHAP:

> [ttls] Session established.  Proceeding to decode tunneled attributes.
> [ttls] Got tunneled request
>         User-Name = "alexander.duts"
>         MS-CHAP-Challenge = 0xa6d98f587da2024f7a6513f2e991d261
>         MS-CHAP2-Response =
> 0x7a004794198aef4fbcb66d3e389079ed41560000000000000000fa8c2cdf0c49219574c0826b377c9d6ca977ece95f465ae4
>         FreeRADIUS-Proxied-To = 127.0.0.1
> [ttls] Sending tunneled request
>         User-Name = "alexander.duts"
>         MS-CHAP-Challenge = 0xa6d98f587da2024f7a6513f2e991d261
>         MS-CHAP2-Response =
> 0x7a004794198aef4fbcb66d3e389079ed41560000000000000000fa8c2cdf0c49219574c0826b377c9d6ca977ece95f465ae4
>         FreeRADIUS-Proxied-To = 127.0.0.1

You need the password in clear text, or as an LM- or NT-hash. Read
the list archives from yesterday. Oh, and the day before.


> [ldap] looking for check items in directory...
>   [ldap] userPassword -> Password-With-Header ==
> "{MD5}ibKj45B56xWdI2wgngTn5A=="
> [ldap] looking for reply items in directory...

MD5 isn't going to work.

And for the daily URL:

http://deployingradius.com/documents/protocols/compatibility.html

> Does anyone have idea what could be the problem?

Don't mix incompatible auth schemes.

You're also using your default outer server for your inner server.
That's probably not the best idea, and certainly not the supplied
default config.

> [ttls] Sending tunneled request
>         User-Name = "alexander.duts"
>         MS-CHAP-Challenge = 0xa6d98f587da2024f7a6513f2e991d261
>         MS-CHAP2-Response =
> 0x7a004794198aef4fbcb66d3e389079ed41560000000000000000fa8c2cdf0c49219574c0826b377c9d6ca977ece95f465ae4
>         FreeRADIUS-Proxied-To = 127.0.0.1
> server  {
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}

Cheers,

Matthew



-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

