Adam Seed adamjseed at gmail.com
Mon Mar 3 15:07:05 CET 2014

OK great, now I understand the root cause...

I have changed my passwords in the ldap (im using openLDAP with
phpldapadmin) to be clear text but still getting radius rejected issue.

The log says: Cleartext-Password is required for authentication but it
should be?!

rad_recv: Access-Request packet from host 10.x.x.100 port 55524, id=14,
        User-Name = "adamjseed"
        CHAP-Password = 0xf9f798ccef8ac701b1f545d0dda826172a
# Executing section authorize from file
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "adamjseed", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for adamjseed
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> adamjseed
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
[ldap]  expand: dc=example,dc=com -> dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=example,dc=com, with filter (uid=adamjseed)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "Password01"
[ldap] looking for reply items in directory...
[ldap] user adamjseed authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Failed to decode Password-With-Header = "Password01"
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "adamjseed" with CHAP password
*[chap] Cleartext-Password is required for authentication*
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> adamjseed
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

On Mon, Mar 3, 2014 at 1:36 PM, Alan DeKok <aland at deployingradius.com>wrote:

> Adam Seed wrote:
> > Hi Alan,
> >
> > That same wiki says 'The ldap module can only work with PAP passwords
> > since it needs to send the clear text user password to the LDAP server
> > to authenticate the user.'
>   Where?
> > I might be mis-understanding as im new to
> > Radius, but that doesnt sound to positive. Anyway... I'm hoping to find
> > a workaround
>   That text (whatever it is) means that you can only do "bind as user"
> when the Access-Request contains User-Password (i.e. PAP).
> > So I checked my sites-enabled/default and it does have the LDAP module
> > listed:
>   OK...
> > (I striped out the comments and highlighted the bits I changed)
>   Please don't post it here.  It doesn't help.
> > In addition here is the output of my debug:
>   That's what we need.
> >   [ldap] userPassword -> Password-With-Header ==
> > "{MD5}1hkMdaNUxxbUu/hufTrjtQ=="
>   You're storing passwords in MD5 hashed format.  This is incompatible
> with CHAP.
> http://deployingradius.com/documents/protocols/compatibility.html
> > [chap] Cleartext-Password is required for authentication
>   See?  I suggest believing that message.  It'd true.
> > Any assistant is greatly welcomed.
>   (a) store clear-text passwords in LDAP
>   (b) don't use CHAP.
>   Pick one.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140303/1e87cba2/attachment.html>

More information about the Freeradius-Users mailing list