Help with Chap and ldap

P K getpkme at gmail.com
Fri Dec 6 00:38:30 CET 2013


Hi,

I'm using openldap and phpldapadmin to create account. The interface
allows me to store "clear" password. When I do an ldapsearch
commandline, I get base64 password. I don't see an option in
phpldapadmin to store "clear-text" type.

I've configured freeradius to use ldap and I'm using radtest to test
but chap always fails. Is it failing because of base64? It seems to
have decoded fine looking at the logs. Why is CHAP failing? Please
help.

Here's my log.

radtest -t chap boris password01 localhost 0 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 1812
        User-Name = "boris"
        CHAP-Password = 0x4ab32d3fc82d3d59528ca82338d3ed40aa
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=74, length=20



Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 37517, id=74, length=58
        User-Name = "boris"
        CHAP-Password = 0x4ab32d3fc82d3d59528ca82338d3ed40aa
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/127.0.0.1/auth-detail-20131205
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20131205
[auth_log]      expand: %t -> Thu Dec  5 23:31:12 2013
++[auth_log] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "boris", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files]         expand: %{NAS-IP-Address} -> 127.0.1.1
[files]         expand: %{NAS-IP-Address} -> 127.0.1.1
[files] users: Matched entry DEFAULT at line 23
++[files] returns ok
[ldap] performing user authorization for boris
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> boris
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=boris)
[ldap]  expand: dc=example,dc=int -> dc=example,dc=int
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 127.0.0.1:389, authentication 0
  [ldap] bind as cn=admin,dc=example,dc=int/P0intBlank to 127.0.0.1:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=example,dc=int, with filter (uid=boris)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "password01"
[ldap] looking for reply items in directory...
[ldap] user boris authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Failed to decode Password-With-Header = "password01"
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "boris" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> boris
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 74 to 127.0.0.1 port 37517
Waking up in 4.9 seconds.
Cleaning up request 0 ID 74 with timestamp +22
Ready to process requests.
^C


More information about the Freeradius-Users mailing list