FreeRADIUS + OpenLDAP for Wireless authentication
Mantas Šiurkus
siurkusm at gmail.com
Wed May 22 22:46:12 CEST 2013
On 2013.05.22 21:13, Alan DeKok wrote:
> Mantas Šiurkus wrote:
>> I have configured FreeRADIUS to work with OpenLDAP. Created user in
>> OpenLDAP. Radtest from localhost works perfect. But I can't connect from
>> other devices (android phone, etc..). In logs I get:
>>
>> [ldap] No default NMAS login sequence
>> [ldap] looking for check items in directory...
>> [ldap] looking for reply items in directory...
>> WARNING: No "known good" password was found in LDAP. Are you sure that
>> the user is configured correctly?
> If FreeRADIUS can't find the user's password, then one of two things
> is true:
>
> a) you've misconfigured FreeRADIUS to look in the wrong place
>
> or
>
> b) the user doesn't have a password in LDAP.
>
>> I think it is problem in plain text password or something?
> The problem is in the error message above. Why look somewhere else?
> Is the debug log *lying* to you?
>
>> What can I do?
> Ensure that FreeRADIUS is configured correctly. Ensure that the
> rlm_ldap configuration is correct. Ensure that the "known good"
> password is found in ldap.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you for the reply. Sorry, I am new to FreeRADIUS and OpenLDAP.
I uncommented two lines in freeradius/modules/ldap:
identity = "cn=admin,dc=my,dc=domain"
password = myldappass
And now the freeradius debugging logs changed.
When I am connecting from an Android phone where "EAP method: PEAP" and
"phase 2 authentication: MSCHAPV2",
I get these logs:
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "pass123"
[ldap] looking for reply items in directory...
[ldap] user radiusas authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Failed to decode Password-With-Header = "pass123"
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: radiusas
[mschap] Told to do MS-CHAPv2 for radiusas with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\006E=691 R=1"
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
When I put the user in freeradius/users, then it connects. But via LDAP it won't
connect.
Thank You for help.
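As an added illustration (not code from this thread or from FreeRADIUS), the script below shows why the inner-tunnel log above ends in "No NT/LM-Password": it classifies what an LDAP userPassword value can back, and derives the NT-Password that rlm_mschap needs for PEAP/MS-CHAPv2 from a cleartext password. The header list, the helper names and the sample salt are assumptions; PAP can check a salted {SSHA} value, but MS-CHAPv2 cannot, because an NT hash is only derivable from the cleartext.

```python
import base64, hashlib, struct

# rlm_pap header forms (assumed list) and the inner method each can back.
PAP_ONLY = {"ssha", "sha", "smd5", "md5", "crypt"}
MSCHAP_OK = {"clear", "cleartext", "nt"}

def md4(data: bytes) -> bytes:
    """Compact MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = ((F, 0, range(16), (3, 7, 11, 19)),
              (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k0, ks, ss in rounds:
            for i, k in enumerate(ks):
                a = rol((a + fn(b, c, d) + X[k] + k0) & 0xFFFFFFFF, ss[i % 4])
                a, b, c, d = d, a, b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """NT-Password as FreeRADIUS expects it: MD4 over UTF-16LE, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()

def split_header(value: str):
    """'{ssha}YWJj' -> ('ssha', 'YWJj'); a bare value has no header."""
    hdr, sep, rest = value[1:].partition("}")
    return (hdr.lower(), rest) if value.startswith("{") and sep else (None, value)

def can_serve(value: str) -> dict:
    """Inner methods a userPassword value can back (bare value: neither,
    matching the 'Failed to decode Password-With-Header' line in the log)."""
    hdr, _ = split_header(value)
    return {"header": hdr, "pap": hdr in PAP_ONLY | MSCHAP_OK, "mschapv2": hdr in MSCHAP_OK}

def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(pw || salt) || salt); PAP-only."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def pap_verify_ssha(value: str, candidate: str) -> bool:
    """What PAP can do with a salted hash (and MS-CHAPv2 cannot): verify it."""
    salt = base64.b64decode(split_header(value)[1])[20:]
    return split_header(value) == split_header(make_ssha(candidate, salt))
```

Storing the password as {clear}... (or alongside an NT hash) is what lets the MS-CHAPv2 inner method succeed; a {SSHA} value only ever satisfies PAP.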