freeradius3 + openldap + mschapv2
futhwo
futhwo at gmail.com
Wed May 28 11:31:34 CEST 2014
Hello
I have a working installation of freeradius2, providing AAA on my wlan by
using ldap stored users.
I am trying to upgrade to freeradius3, but I met a problem.
As far as I understood, the ldap attributes previously mapped through the
ldap.attrmap file now must be mapped by an update statement, so in the ldap
module configuration I configured:
update {
    control:Password-With-Header += 'userPassword'
    control:NT-Password := 'sambaNTPassword'
}
I know that this is working because in the debug I see:
..
(12) 8021x1 : User object found at DN "uid=XXXXXXX
(12) 8021x1 : Processing user attributes
(12) 8021x1 : control:Password-With-Header += '{SHA}XXXXXXXXXXXXXXXXXXXX'
(12) 8021x1 : control:NT-Password := 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
rlm_ldap (8021x1): Released connection (4)
But when I try to authenticate I have this error:
(12) Found Auth-Type = EAP
(12) # Executing group from file /ofb/freeradius/etc/raddb/sites-enabled/default
(12) authenticate {
(12) eap : Expiring EAP session with state 0x08682d8c08653729
(12) eap : Finished EAP session with state 0x08682d8c08653729
(12) eap : Previous EAP request found for state 0x08682d8c08653729, released from the list
(12) eap : Peer sent MSCHAPv2 (26)
(12) eap : EAP MSCHAPv2 (26)
(12) eap : Calling eap_mschapv2 to process EAP data
(12) eap_mschapv2 : # Executing group from file /ofb/freeradius/etc/raddb/sites-enabled/default
(12) eap_mschapv2 : Auth-Type MS-CHAP {
(12) mschap : No Cleartext-Password configured. Cannot create LM-Password
(12) ERROR: mschap : NT-Password has not been normalized by the "pap" module. Authentication will fail.
(12) mschap : Creating challenge hash with username: XXX
(12) mschap : Client is using MS-CHAPv2 for XXX, we need NT-Password
(12) mschap : FAILED: No NT/LM-Password. Cannot perform authentication.
(12) mschap : FAILED: MS-CHAP2-Response is incorrect
(12) [mschap] = reject
(12) } # Auth-Type MS-CHAP = reject
(12) eap : Freeing handler
(12) [eap] = reject
(12) } # authenticate = reject
(12) Failed to authenticate the user.
(12) Using Post-Auth-Type Reject
(12) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
} # server default
(12) eap_peap : Got tunneled reply code 3
MS-CHAP-Error = '\rE=691 R=1'
EAP-Message = 0x040d0004
Message-Authenticator = 0x00000000000000000000000000000000
(12) eap_peap : Got tunneled reply RADIUS code 3
MS-CHAP-Error = '\rE=691 R=1'
EAP-Message = 0x040d0004
Message-Authenticator = 0x00000000000000000000000000000000
(12) eap_peap : Tunneled authentication was rejected.
(12) eap_peap : FAILURE
I took a peek at the rlm_mschap.c code and I saw that the part "validating"
the NT-Password is oddly different from version 2 to version 3, as v2 was:
nt_password = pairfind(request->config_items, PW_NT_PASSWORD);
if (nt_password) {
    if ((nt_password->length == 16) ||
        ((nt_password->length == 32) &&
         (fr_hex2bin(nt_password->vp_strvalue,
                     nt_password->vp_octets, 16) == 16))) {
        RDEBUG2("Found NT-Password");
        nt_password->length = 16;
while v3 has:
nt_password = pairfind(request->config_items, PW_NT_PASSWORD, 0, TAG_ANY);
if (nt_password) {
    if (nt_password->length == 16) {
        RDEBUG2("Found NT-Password");
    } else {
        RWDEBUG("NT-Password has not been normalized by the 'pap' module. Authentication will fail");
        nt_password = NULL;
    }
I use samba's mkntpwd to generate NT hashes, and it generates 32 chars long
hashes... so how could I have those hashes "normalized by pap" in my
configuration? Am I missing some key difference between the 2 versions?
Thanks
Futhwo
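Added example, not part of the original message and not FreeRADIUS code (the helper names are made up for illustration): the normalization step that the quoted v2 snippet did inline via fr_hex2bin, and that the v3 error message says the pap module must now have done before mschap runs. It turns a 32-hex-character NT hash of the kind mkntpwd prints (with or without the 0x prefix the debug log shows) into the 16 raw octets that v3's length check expects, and refuses anything else.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Decode one hex digit; returns -1 for a non-hex character. */
static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return 10 + (c - 'a');
    return -1;
}

/*
 * Normalize an NT-Password value into its 16 raw octets (hypothetical
 * helper, not FreeRADIUS code). Accepts 16 raw bytes (already normalized),
 * 32 hex characters (what samba's mkntpwd prints), or "0x" + 32 hex
 * characters (how the debug log shows the value). Anything else is
 * rejected, mirroring the v3 check that refuses a length other than 16.
 * Returns 1 and fills out[16] on success, 0 on failure.
 */
int normalize_nt_password(const char *in, size_t len, uint8_t out[16]) {
    if (len == 16) {               /* already binary: copy through, as v2 did */
        memcpy(out, in, 16);
        return 1;
    }
    if (len == 34 && in[0] == '0' && (in[1] == 'x' || in[1] == 'X')) {
        in += 2;                   /* drop the 0x prefix */
        len = 32;
    }
    if (len != 32) return 0;
    for (size_t i = 0; i < 16; i++) {
        int hi = hex_nibble(in[2 * i]), lo = hex_nibble(in[2 * i + 1]);
        if (hi < 0 || lo < 0) return 0; /* not hex: refuse, as v2's fr_hex2bin check did */
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return 1;
}

/* Convenience check: does `in` normalize to exactly `expected`? */
int normalizes_to(const char *in, size_t len, const uint8_t expected[16]) {
    uint8_t out[16];
    return normalize_nt_password(in, len, out) && memcmp(out, expected, 16) == 0;
}
```

The sample hash values used when exercising it are constructed, not a real user's.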