FreeRADIUS + OpenLDAP for Wireless authentication

Mantas Šiurkus siurkusm at gmail.com
Wed May 22 22:46:12 CEST 2013


On 2013.05.22 21:13, Alan DeKok wrote:
> Mantas Šiurkus wrote:
>> I have configured FreeRADIUS to work with OpenLDAP. Created user in
>> OpenLDAP. Radtest from localhost works perfect. But I can't connect from
>> other devices (android phone, etc..). In logs I get:
>>
>> [ldap] No default NMAS login sequence
>> [ldap] looking for check items in directory...
>> [ldap] looking for reply items in directory...
>> WARNING: No "known good" password was found in LDAP.  Are you sure that
>> the user is configured correctly?
>    If FreeRADIUS can't find the user's password, then one of two things
> is true:
>
> a) you've misconfigured FreeRADIUS to look in the wrong place
>
>    or
>
> b) the user doesn't have a password in LDAP.
>
>> I think it is problem in plain text password or something?
>    The problem is in the error message above.  Why look somewhere else?
> Is the debug log *lying* to you?
>
>> What can I do?
>    Ensure that FreeRADIUS is configured correctly.  Ensure that the
> rlm_ldap configuration is correct.  Ensure that the "known good"
> password is found in ldap.
>
>    Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Thank you for the reply. Sorry, I am new to freeradius and openldap.

I uncommented two lines in freeradius/modules/ldap

identity = "cn=admin,dc=my,dc=domain"
password = myldappass

And now the freeradius debugging logs changed.
When I connect from an android phone with "EAP method: PEAP" and
"phase 2 authentication: MSCHAPV2",
I get these logs:

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
   [ldap] userPassword -> Password-With-Header == "pass123"
[ldap] looking for reply items in directory...
[ldap] user radiusas authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Failed to decode Password-With-Header = "pass123"
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file 
/etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: radiusas
[mschap] Told to do MS-CHAPv2 for radiusas with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
         MS-CHAP-Error = "\006E=691 R=1"
         EAP-Message = 0x04060004
         Message-Authenticator = 0x00000000000000000000000000000000


When I put the user in freeradius/users then it connects. But via LDAP it won't
connect.

Thank You for help.
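As an added illustration of the failure in the log above (this is not code from the post or from FreeRADIUS), the following Python derives the NT-Password that MS-CHAPv2 needs from an LDAP userPassword value: a {clear} value can be hashed into an NT hash, an {nt} hash can be used as is, a salted hash such as {ssha} cannot be reversed, and a bare value with no header is undecodable, which is what rlm_pap reports for "pass123". The header names and the no-header rule are assumptions modelled on the 2.x log output, and MD4 is written out because hashlib often lacks it.

```python
import struct


def _md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320); hashlib.new('md4') is missing on many OpenSSL 3 builds."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    rounds = (  # (mixing function, additive constant, shifts, word order)
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, s, order in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[j] + k) & 0xFFFFFFFF, s[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next op targets old d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_password_from_userpassword(value: str):
    """Return (hex NT hash or None, reason) for one LDAP userPassword value.

    Assumed header handling, modelled on the rlm_pap log in the thread:
    {clear}/{cleartext} -> hash with MD4(UTF-16LE); {nt}/{x-nthash} -> use as is;
    no header -> undecodable (hence 'No NT/LM-Password' in the mschap log).
    """
    if not value.startswith("{") or "}" not in value:
        return None, "no {header}: rlm_pap cannot decode Password-With-Header"
    header, _, body = value.partition("}")
    header = header[1:].lower()
    if header in ("clear", "cleartext"):
        return _md4(body.encode("utf-16-le")).hex(), "NT hash derived from cleartext"
    if header in ("nt", "x-nthash"):
        return body.lower(), "stored NT hash used directly"
    return None, "{%s} is a one-way hash: MS-CHAPv2 needs cleartext or an NT hash" % header


if __name__ == "__main__":
    # Constructed sample values, including the bare "pass123" form from the log.
    for sample in ("pass123", "{clear}pass123", "{NT}8846F7EAEE8FB117AD06BDD830B7586C", "{ssha}c2FsdGVk"):
        print("%-45s -> %s" % (sample, nt_password_from_userpassword(sample)))
```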
