using userPassword instead sambaNTPassword

Nicolás Guerra nicoguerrarocha at gmail.com
Fri Sep 19 20:26:28 CEST 2014


Thank you for your quick answer,
between lines:
> ------------------------------
>
> Message: 4
> Date: Thu, 18 Sep 2014 12:46:27 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: Re: using userPassword instead sambaNTPassword
> Message-ID: <541B0C63.1080105 at deployingradius.com>
> Content-Type: text/plain; charset=windows-1252
>
> Nicolás Guerra wrote:
>>   this is the server log output:
>> # radiusd -X > log.radius
>> I don't understand what "WARNING: No "known good" password was found
>> in LDAP.  Are you sure that the user is configured correctly?" means?
>    It means that the server couldn't find userPassword or sambaNTPassword
> for the user.
That's right! I didn't realise that the userPassword field in the OpenLDAP 
server is restricted to authenticated users.

So, I used my own credentials in the /etc/raddb/modules/ldap file. The log 
changed; here is the new one. (I used my own credentials just for 
testing purposes; I'll change it.)

What I don't understand:
I can read that "[ldap] user nicolas.guerra authorized to use remote access", 
but it continues evaluating things until an error happens on request #8 
with mschapv2.

Please forgive my ignorance; I'm new to FreeRADIUS, and I'm just trying to 
make it work as I've been asked (users should authenticate with the 
userPassword attribute).
And forgive me for the long (log) response; I'm trying to do my best to 
help you help me. I don't even know if I'm replying correctly to the 
mailing list, as I can't see the thread...

What I saw is, I think, the error, but I don't know what I should do 
with it...
Any help would be welcome.


In request #8:

(extract)
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: nicolas.guerra
[mschap] Client is using MS-CHAPv2 for nicolas.guerra, we need NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [nicolas.guerra] (from client owrt.router port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
         MS-CHAP-Error = "\327E=691 R=1"
         EAP-Message = 0x04d70004
         Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
         MS-CHAP-Error = "\327E=691 R=1"
         EAP-Message = 0x04d70004
         Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
(finish-extract)


I separated requests with a "-----------------------------------" line



  ... adding new socket proxy address * port 36330
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=110, length=165
         User-Name = "nicolas.guerra"
         Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 1
         Calling-Station-Id = "CC-FE-3C-92-E0-1B"
         Connect-Info = "CONNECT 54Mbps 802.11g"
         Framed-MTU = 1400
         EAP-Message = 0x02cf0013016e69636f6c61732e677565727261
         Message-Authenticator = 0xf3d2fdc1b2c7d8fd17426e83f12b3fbf
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 207 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for nicolas.guerra
[ldap]  expand: (uid=%u) -> (uid=nicolas.guerra)
[ldap]  expand: ou=People,ou=Users,dc=asse -> ou=People,ou=Users,dc=asse
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] attempting LDAP reconnection
   [ldap] (re)connect to ldap:389, authentication 0
   [ldap] bind as uid=nicolas.guerra,ou=People,ou=Users,dc=asse/agarra to ldap:389
   [ldap] waiting for bind result ...
   [ldap] Bind was successful
   [ldap] performing search in ou=People,ou=Users,dc=asse, with filter (uid=nicolas.guerra)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
   [ldap] userPassword -> Password-With-Header == "{SHA}/XmlnVvg6a3Lq4Gi1PqEBrt55FU="
   [ldap] sambaNtPassword -> NT-Password == 0x4130333335363744443336453645424439394331413531463437333434344345
[ldap] looking for reply items in directory...
[ldap] user nicolas.guerra authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 110 to 10.202.10.93 port 60123
         EAP-Message = 0x01d0001604103d1e9b7ab042b7e6a265534b0045b9ff
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x758fc0dc755fc40d29544e3e28c8c2ba
Finished request 0.
----------------------------------------------------------------------------------------------------
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=111, length=170
         User-Name = "nicolas.guerra"
         Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 1
         Calling-Station-Id = "CC-FE-3C-92-E0-1B"
         Connect-Info = "CONNECT 54Mbps 802.11g"
         Framed-MTU = 1400
         EAP-Message = 0x02d000060319
         State = 0x758fc0dc755fc40d29544e3e28c8c2ba
         Message-Authenticator = 0xaa3caa5271fd0a1bc95449457b875d3c
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 208 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for nicolas.guerra
[ldap]  expand: (uid=%u) -> (uid=nicolas.guerra)
[ldap]  expand: ou=People,ou=Users,dc=asse -> ou=People,ou=Users,dc=asse
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in ou=People,ou=Users,dc=asse, with filter (uid=nicolas.guerra)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
   [ldap] userPassword -> Password-With-Header == "{SHA}/XmlnVvg6a3Lq4Gi1PqEBrt55FU="
   [ldap] sambaNtPassword -> NT-Password == 0x4130333335363744443336453645424439394331413531463437333434344345
[ldap] looking for reply items in directory...
[ldap] user nicolas.guerra authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 111 to 10.202.10.93 port 60123
         EAP-Message = 0x01d100061920
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x758fc0dc745ed90d29544e3e28c8c2ba
Finished request 1.
----------------------------------------------------------------------------------------------------
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=112, length=360
         User-Name = "nicolas.guerra"
         Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 1
         Calling-Station-Id = "CC-FE-3C-92-E0-1B"
         Connect-Info = "CONNECT 54Mbps 802.11g"
         Framed-MTU = 1400
         EAP-Message = 0x02d100c4190016030100b9010000b50301541c5f77f1fb5c2f403841c322cd32b8198da4dfb21658a7e643dc090cae8d8d000048c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000
         State = 0x758fc0dc745ed90d29544e3e28c8c2ba
         Message-Authenticator = 0x60dae326fc0a6efe3d5cc042ea835a8d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 209 length 196
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00b9], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 112 to 10.202.10.93 port 60123
         EAP-Message = 0x4de2aa9783db9b05345135ac8a5e92ce7cdf7ff49630bf177d021fc7848da6f58af5da030034ee5adf1702583661c1432aaf54a20ce6dfb65a7ffcaa9f0083fc34e1c1400eed077530d4d7fbe43a08999ddf62729260ccc4f72d0035ae652e3fb4d45970076a36b5eba4179e7e6e6533a76db9289f655b893db73bcea09be225305809a58d4e712bd84ab6329296a094084a3ec6676e5c587317ac8a5723489da908549a2c488f1b4f0ca95e8898fb01a93b713372d04e9dd9116284e66d23c15148c7425011b84786c36fa9a2806b73a50203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505
         EAP-Message = 0x0003820101008acb01f1683233a751f9b8dcd10c329952ecfa30603fdd7b386457c33d79df337b29b0f36f8a24cf333bd3f93599b421599592827ad9e30945740794c8bbad36adec4bf7594a83915ac87a0c11d11ca33e04071e8c32751ebff88251bff5bdda323e9d2f1ff7440b4261fef69f8d72fb3fde26f61d4446ed9489111333e07c65c4de79b34dc1ec83f5ae9d5899bc4e1b7dda162c589d282c8c130bfd20265fd0e04500289c7dc01554ed5d619430ac5ea2cf44670e77077860b6dff0d49ada5273b5cd4ae52b302a71a6dd1e690570f607794ebe064ade22719d50edafa312cf6da9828e0bda9eb47ae1d4019abce3dca4f317eaf9eda6
         EAP-Message = 0xd971ed8de12a89d46a0004ab
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x758fc0dc775dd90d29544e3e28c8c2ba
Finished request 2.
----------------------------------------------------------------------------------------------------
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=113, length=170
         User-Name = "nicolas.guerra"
         Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 1
         Calling-Station-Id = "CC-FE-3C-92-E0-1B"
         Connect-Info = "CONNECT 54Mbps 802.11g"
         Framed-MTU = 1400
         EAP-Message = 0x02d200061900
         State = 0x758fc0dc775dd90d29544e3e28c8c2ba
         Message-Authenticator = 0x6eae8c26c731b1ecabbbe332d4017abf
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 210 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 113 to 10.202.10.93 port 60123
         EAP-Message = 0x7eb7a01ad619cdc2
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x758fc0dc765cd90d29544e3e28c8c2ba
Finished request 3.
----------------------------------------------------------------------------------------------------
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=114, length=170
         User-Name = "nicolas.guerra"
         Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 1
         Calling-Station-Id = "CC-FE-3C-92-E0-1B"
         Connect-Info = "CONNECT 54Mbps 802.11g"
         Framed-MTU = 1400
         EAP-Message = 0x02d300061900
         State = 0x758fc0dc765cd90d29544e3e28c8c2ba
         Message-Authenticator = 0x23be58d15054ac08fbc61b9725de6196
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 211 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 114 to 10.202.10.93 port 60123
         EAP-Message = 0x01d402141900b35df66c79b2e8a5fd95c2cbce6f8a6c31f3f68e1bb8890d2395864369dbfedef72ec4c5a25a662caa210ba4a52ab332e0e99be658a7ec7a86748695839fe311d3c90117aee79f0205b269acabe8a500de4cd82742820a54d4b805ec2d9e804c4d54237e40028ddc35f92e73f898e3383aac604ab00c06b47280082c34c52506fe7a698094624005a0565cc55e00981955e23a91b08ed599a4c084da30d391b086700f293cfe65d28f1dbeac08334dc63305d8ffda160301014b0c00014703001741046bf779deb26b3a00147bfc828b2dd37d7146093d3c623d019c7807fde7f7e564f7a82db3c5f010985e780406ae3ca60e0ddd3075
         EAP-Message = 0xba0100beda55de08992a0b3f1617cd467216030100040e000000
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x758fc0dc715bd90d29544e3e28c8c2ba
Finished request 4.
----------------------------------------------------------------------------------------------------
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=115, length=304
         User-Name = "nicolas.guerra"
         Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 1
         Calling-Station-Id = "CC-FE-3C-92-E0-1B"
         Connect-Info = "CONNECT 54Mbps 802.11g"
         Framed-MTU = 1400
         EAP-Message = 0x02d4008c19001603010046100000424104220903dc432a650822abd314074ad4da1c8cd9a64ee5f3b1c4fd683f55123474ab0e75971961eb7dd9bf9d8fee9c7d229d1b7a8aaf878ccaeb1526f4fbbd7acb1403010001011603010030bb6cdd1b1f819aa774fe3c3a110d727b102165ea4f318531e59fe283012957463317b698ec19e7b17e60bd897c5aeb3b
         State = 0x758fc0dc715bd90d29544e3e28c8c2ba
         Message-Authenticator = 0xd51bf47ab1ffb51a8e51d3c979b85507
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 212 length 140
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 115 to 10.202.10.93 port 60123
         EAP-Message = 0x01d5004119001403010001011603010030eec36f8df623b996a242deb85e5d6e8cc399e042573d203f6ae8fde11180b72892593271bc6e78105e3dc2cb9b0623c8
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x758fc0dc705ad90d29544e3e28c8c2ba
Finished request 5.
----------------------------------------------------------------------------------------------------
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=116, length=170
         User-Name = "nicolas.guerra"
         Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 1
         Calling-Station-Id = "CC-FE-3C-92-E0-1B"
         Connect-Info = "CONNECT 54Mbps 802.11g"
         Framed-MTU = 1400
         EAP-Message = 0x02d500061900
         State = 0x758fc0dc705ad90d29544e3e28c8c2ba
         Message-Authenticator = 0x55b03c926c5d2f691ef1c5eeee696692
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 213 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 116 to 10.202.10.93 port 60123
         EAP-Message = 0x01d6002b19001703010020e66c65be4f4be8a88875791677fedac7ef1aa06f7bd92d2009530c41423bc599
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x758fc0dc7359d90d29544e3e28c8c2ba
Finished request 6.
----------------------------------------------------------------------------------------------------
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=117, length=260
         User-Name = "nicolas.guerra"
         Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 1
         Calling-Station-Id = "CC-FE-3C-92-E0-1B"
         Connect-Info = "CONNECT 54Mbps 802.11g"
         Framed-MTU = 1400
         EAP-Message = 0x02d600601900170301002027fb3b79542161d3bfc95b9f5f01bb8ed3bdad3872d0d0549416e4c93fe6c6661703010030adf8467bdc9f43ffd4a575132ca5cf02e5ced919f3db7f6847849ac56c12dbaf55e2da928d055270e5636cd1f7ddcc58
         State = 0x758fc0dc7359d90d29544e3e28c8c2ba
         Message-Authenticator = 0x341fb223e4ead1c285adc542e876c37d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 214 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - nicolas.guerra
[peap] Got inner identity 'nicolas.guerra'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
         EAP-Message = 0x02d60013016e69636f6c61732e677565727261
server  {
[peap] Setting User-Name to nicolas.guerra
Sending tunneled request
         EAP-Message = 0x02d60013016e69636f6c61732e677565727261
         FreeRADIUS-Proxied-To = 127.0.0.1
         User-Name = "nicolas.guerra"
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 214 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for nicolas.guerra
[ldap]  expand: (uid=%u) -> (uid=nicolas.guerra)
[ldap]  expand: ou=People,ou=Users,dc=asse -> ou=People,ou=Users,dc=asse
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in ou=People,ou=Users,dc=asse, with filter (uid=nicolas.guerra)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
   [ldap] userPassword -> Password-With-Header == "{SHA}/XmlnVvg6a3Lq4Gi1PqEBrt55FU="
   [ldap] sambaNtPassword -> NT-Password == 0x4130333335363744443336453645424439394331413531463437333434344345
[ldap] looking for reply items in directory...
[ldap] user nicolas.guerra authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
         EAP-Message = 0x01d700281a01d7002310e86768d290336a6f6d694b29526dbdd16e69636f6c61732e677565727261
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x6ca01c286c7706e53c31e18b5384bf9d
[peap] Got tunneled reply RADIUS code 11
         EAP-Message = 0x01d700281a01d7002310e86768d290336a6f6d694b29526dbdd16e69636f6c61732e677565727261
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x6ca01c286c7706e53c31e18b5384bf9d
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 117 to 10.202.10.93 port 60123
         EAP-Message = 0x01d7004b19001703010040c71c581fbb0f992915f77a68e7135a7a993c67b553a8e0958ed5a7021f618190b0870a1b7d08dea450d503e6c73d72573cffd411e16ec14c5ba31a943debca9b
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x758fc0dc7258d90d29544e3e28c8c2ba
Finished request 7.
----------------------------------------------------------------------------------------------------
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=118, length=308
         User-Name = "nicolas.guerra"
         Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 1
         Calling-Station-Id = "CC-FE-3C-92-E0-1B"
         Connect-Info = "CONNECT 54Mbps 802.11g"
         Framed-MTU = 1400
         EAP-Message = 0x02d70090190017030100209835c1d89f49fdb76e75cd34277f212fc8cc278e367921ffa9478b42692eaf8e17030100604b96f15e88a6ba84c20147c1fe51666a8f9125627a13a1ac11f9ca77dc6396ebadd292f86f127d82ad3978a241e91dfc2481eb4f6ff3eb3384783187b96701664d911eda135737760c5a4b6deb23426f7cc911c0f60bed737c968e367f786d4a
         State = 0x758fc0dc7258d90d29544e3e28c8c2ba
         Message-Authenticator = 0x700e1dfd1e83b3facaee70a3186359cc
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 215 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
         EAP-Message = 0x02d700491a02d70044311c19091f3449e4e03104da134036f30600000000000000008ab01c93903f478ea476adde1223019cbba6d2afc9839d98006e69636f6c61732e677565727261
server  {
[peap] Setting User-Name to nicolas.guerra
Sending tunneled request
         EAP-Message = 0x02d700491a02d70044311c19091f3449e4e03104da134036f30600000000000000008ab01c93903f478ea476adde1223019cbba6d2afc9839d98006e69636f6c61732e677565727261
         FreeRADIUS-Proxied-To = 127.0.0.1
         User-Name = "nicolas.guerra"
         State = 0x6ca01c286c7706e53c31e18b5384bf9d
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 215 length 73
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for nicolas.guerra
[ldap]  expand: (uid=%u) -> (uid=nicolas.guerra)
[ldap]  expand: ou=People,ou=Users,dc=asse -> ou=People,ou=Users,dc=asse
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in ou=People,ou=Users,dc=asse, with filter (uid=nicolas.guerra)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
   [ldap] userPassword -> Password-With-Header == "{SHA}/XmlnVvg6a3Lq4Gi1PqEBrt55FU="
   [ldap] sambaNtPassword -> NT-Password == 0x4130333335363744443336453645424439394331413531463437333434344345
[ldap] looking for reply items in directory...
[ldap] user nicolas.guerra authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: nicolas.guerra
[mschap] Client is using MS-CHAPv2 for nicolas.guerra, we need NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [nicolas.guerra] (from client owrt.router port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
         MS-CHAP-Error = "\327E=691 R=1"
         EAP-Message = 0x04d70004
         Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
         MS-CHAP-Error = "\327E=691 R=1"
         EAP-Message = 0x04d70004
         Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 118 to 10.202.10.93 port 60123
         EAP-Message = 0x01d8002b19001703010020d5506a188aabe243b4c5f1e81acdb4fabe9e3d06d055452811e01a36ce82ed11
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x758fc0dc7d57d90d29544e3e28c8c2ba
Finished request 8.
----------------------------------------------------------------------------------------------------
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.202.10.93 port 60123, id=119, length=244
         User-Name = "nicolas.guerra"
         Called-Station-Id = "A0-F3-C1-CF-E3-06:OpenWrt"
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 1
         Calling-Station-Id = "CC-FE-3C-92-E0-1B"
         Connect-Info = "CONNECT 54Mbps 802.11g"
         Framed-MTU = 1400
         EAP-Message = 0x02d80050190017030100207fff7c342b74c4a5dde99e439121d0feceb470c7af0f3ea5fc9a66b018378ff31703010020dd29b9c76f0e0ef43897c9faa106195329ee837cefdcae0cd5fd3a02d0b2b4bf
         State = 0x758fc0dc7d57d90d29544e3e28c8c2ba
         Message-Authenticator = 0xfd4d513844b07230d93f9ea59d759116
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "nicolas.guerra", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 216 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [nicolas.guerra] (from client owrt.router port 1 cli CC-FE-3C-92-E0-1B)
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> nicolas.guerra
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 119 to 10.202.10.93 port 60123
         EAP-Message = 0x04d80004
         Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
Cleaning up request 0 ID 110 with timestamp +40
Cleaning up request 1 ID 111 with timestamp +40
Cleaning up request 2 ID 112 with timestamp +40
Cleaning up request 3 ID 113 with timestamp +40
Cleaning up request 4 ID 114 with timestamp +40
Cleaning up request 5 ID 115 with timestamp +40
Cleaning up request 6 ID 116 with timestamp +40
Cleaning up request 7 ID 117 with timestamp +40
Cleaning up request 8 ID 118 with timestamp +40
Waking up in 1.0 seconds.
Cleaning up request 9 ID 119 with timestamp +40
Ready to process requests.


>> and, why if I enter sambaNTPassword works fine?
>    No idea.
>
>    Alan DeKok.
>
>
