Help with Chap and ldap

Jean Carlos Coelho coelho at teltecsolutions.com.br
Fri Dec 6 15:00:06 CET 2013


I think you should use mschapv2 with smbldap-tools, for example. Windows uses
MSCHAPv2, present in SambaNTPassword in LDAP.



On 05/12/13 21:38, "P K" <getpkme at gmail.com> wrote:

>Hi,
>
>I'm using openldap and phpldapadmin to create account. The interface
>allows me to store "clear" password. When I do an ldapsearch
>commandline, I get base64 password. I don't see an option in
>phpldapadmin to store "clear-text" type.
>
>I've configured freeradius to use ldap and I'm using radtest to test
>but chap always fails. Is it failing because of base64? It seems to
>have decoded fine looking at the logs. Why is CHAP failing? Please
>help.
>
>Here's my log.
>
>radtest -t chap boris password01 localhost 0 testing123
>Sending Access-Request of id 74 to 127.0.0.1 port 1812
>        User-Name = "boris"
>        CHAP-Password = 0x4ab32d3fc82d3d59528ca82338d3ed40aa
>        NAS-IP-Address = 127.0.1.1
>        NAS-Port = 0
>rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=74,
>length=20
>
>
>
>Listening on authentication address * port 1812
>Listening on accounting address * port 1813
>Listening on authentication address 127.0.0.1 port 18120 as server
>inner-tunnel
>Listening on proxy address * port 1814
>Ready to process requests.
>rad_recv: Access-Request packet from host 127.0.0.1 port 37517, id=74,
>length=58
>        User-Name = "boris"
>        CHAP-Password = 0x4ab32d3fc82d3d59528ca82338d3ed40aa
>        NAS-IP-Address = 127.0.1.1
>        NAS-Port = 0
># Executing section authorize from file
>/etc/freeradius/sites-enabled/default
>+- entering group authorize {...}
>++[preprocess] returns ok
>[auth_log]      expand:
>/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
>/var/log/freeradius/radacct/127.0.0.1/auth-detail-20131205
>[auth_log] 
>/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20131205
>[auth_log]      expand: %t -> Thu Dec  5 23:31:12 2013
>++[auth_log] returns ok
>[chap] Setting 'Auth-Type := CHAP'
>++[chap] returns ok
>++[mschap] returns noop
>++[digest] returns noop
>[suffix] No '@' in User-Name = "boris", looking up realm NULL
>[suffix] No such realm "NULL"
>++[suffix] returns noop
>[eap] No EAP-Message, not doing EAP
>++[eap] returns noop
>[files]         expand: %{NAS-IP-Address} -> 127.0.1.1
>[files]         expand: %{NAS-IP-Address} -> 127.0.1.1
>[files] users: Matched entry DEFAULT at line 23
>++[files] returns ok
>[ldap] performing user authorization for boris
>[ldap]  expand: %{Stripped-User-Name} ->
>[ldap]  ... expanding second conditional
>[ldap]  expand: %{User-Name} -> boris
>[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
>(uid=boris)
>[ldap]  expand: dc=example,dc=int -> dc=example,dc=int
>  [ldap] ldap_get_conn: Checking Id: 0
>  [ldap] ldap_get_conn: Got Id: 0
>  [ldap] attempting LDAP reconnection
>  [ldap] (re)connect to 127.0.0.1:389, authentication 0
>  [ldap] bind as cn=admin,dc=example,dc=int/P0intBlank to 127.0.0.1:389
>  [ldap] waiting for bind result ...
>  [ldap] Bind was successful
>  [ldap] performing search in dc=example,dc=int, with filter (uid=boris)
>[ldap] No default NMAS login sequence
>[ldap] looking for check items in directory...
>  [ldap] userPassword -> Password-With-Header == "password01"
>[ldap] looking for reply items in directory...
>[ldap] user boris authorized to use remote access
>  [ldap] ldap_release_conn: Release Id: 0
>++[ldap] returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>[pap] Failed to decode Password-With-Header = "password01"
>[pap] WARNING: Auth-Type already set.  Not setting to PAP
>++[pap] returns noop
>Found Auth-Type = CHAP
># Executing group from file /etc/freeradius/sites-enabled/default
>+- entering group CHAP {...}
>[chap] login attempt by "boris" with CHAP password
>[chap] Cleartext-Password is required for authentication
>++[chap] returns invalid
>Failed to authenticate the user.
>Using Post-Auth-Type Reject
># Executing group from file /etc/freeradius/sites-enabled/default
>+- entering group REJECT {...}
>[attr_filter.access_reject]     expand: %{User-Name} -> boris
> attr_filter: Matched entry DEFAULT at line 11
>++[attr_filter.access_reject] returns updated
>Delaying reject of request 0 for 1 seconds
>Going to the next request
>Waking up in 0.9 seconds.
>Sending delayed reject for request 0
>Sending Access-Reject of id 74 to 127.0.0.1 port 37517
>Waking up in 4.9 seconds.
>Cleaning up request 0 ID 74 with timestamp +22
>Ready to process requests.
>^C
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
>
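An added example (not code from either poster) showing why the log above ends in "Cleartext-Password is required": the server can only check a CHAP-Password by recomputing MD5(ID || password || challenge) from the cleartext, whereas a hashed userPassword such as {SSHA} can be checked by PAP but never by CHAP. The challenge and salt below are constructed; the `{clear}` header handling is an assumption, as the bare value in the log was not decoded.

```python
import base64
import hashlib
import hmac
import os

# Value copied from the radtest output above: 1 ID byte + 16-byte MD5 response.
LOG_CHAP_PASSWORD = bytes.fromhex("4ab32d3fc82d3d59528ca82338d3ed40aa")

def split_chap_password(attr: bytes) -> tuple[int, bytes]:
    """RADIUS CHAP-Password (RFC 2865 5.3) = CHAP Ident (1 octet) || MD5 response (16 octets)."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be exactly 17 bytes")
    return attr[0], attr[1:]

def chap_response(chap_id: int, cleartext: str, challenge: bytes) -> bytes:
    """Client side (RFC 1994): response = MD5(ID || secret || challenge); attribute = ID || response."""
    digest = hashlib.md5(bytes([chap_id]) + cleartext.encode() + challenge).digest()
    return bytes([chap_id]) + digest

def chap_verify(attr: bytes, challenge: bytes, known_good_cleartext: str) -> bool:
    """Server side: the only possible check is to recompute from the cleartext password.
    A stored hash ({SSHA}, {CRYPT}, ...) cannot be reversed, which is why rlm_chap
    insists on Cleartext-Password."""
    chap_id, _ = split_chap_password(attr)
    expected = chap_response(chap_id, known_good_cleartext, challenge)
    return hmac.compare_digest(expected, attr)

def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA} userPassword: base64(SHA1(password || salt) || salt). Constructed here."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def pap_check(user_password: str, candidate: str) -> bool:
    """What PAP can do with a hashed userPassword: hash the candidate the same way and compare."""
    if user_password.upper().startswith("{SSHA}"):
        raw = base64.b64decode(user_password[6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
    if user_password.upper().startswith("{CLEAR}"):
        return hmac.compare_digest(user_password[7:].encode(), candidate.encode())
    raise ValueError("unsupported userPassword header")

def chap_usable(user_password: str) -> bool:
    """CHAP can only succeed when the directory hands the server the cleartext; modelled
    here (assumption) as a {clear}-tagged value. Any hashed form is unusable for CHAP."""
    return user_password.upper().startswith("{CLEAR}")

if __name__ == "__main__":
    challenge = os.urandom(16)  # the Request Authenticator when no CHAP-Challenge is sent
    attr = chap_response(74, "password01", challenge)
    print("CHAP verify with cleartext:", chap_verify(attr, challenge, "password01"))
    stored = make_ssha("password01", b"constructed-salt")
    print("PAP vs {SSHA}:", pap_check(stored, "password01"), "CHAP usable:", chap_usable(stored))
```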
