PAP and NT-hashed password
sb
superabx at gmail.com
Fri Jan 2 13:26:33 CET 2015
On Wed, Dec 31, 2014 at 3:34 PM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Dec 30, 2014, at 10:58 AM, sb <superabx at gmail.com> wrote:
> > Thank you, Alan! I will try to upgrade to 2.2.6.
>
> That’s really the best solution.
>
Upgraded to 2.2.6, nothing changes.
=======================================================================================================
# radiusd -v
radiusd: FreeRADIUS Version 2.2.6, for host x86_64-unknown-linux-gnu, built
on Jan 2 2015 at 13:43:16
rad_recv: Access-Request packet from host 127.0.0.1 port 32834, id=32, length=55
User-Name = "abx"
User-Password = "n***********W"
NAS-IP-Address = 192.168.203.235
NAS-Port = 0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1
[auth_log] expand:
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20150102
[auth_log] /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20150102
[auth_log] expand: %t -> Fri Jan 2 15:07:04 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "abx", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
++policy redundant {
[local] performing user authorization for abx
[local] expand: %{Stripped-User-Name} ->
[local] ... expanding second conditional
[local] expand: %{User-Name} -> abx
[local] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=abx)
[local] expand: dc=ourcorp,dc=net -> dc=ourcorp,dc=net
[local] ldap_get_conn: Checking Id: 0
[local] ldap_get_conn: Got Id: 0
[local] attempting LDAP reconnection
[local] (re)connect to localhost:389, authentication 0
[local] setting TLS CACert File to certs/ourcorp.net.ca.cer
[local] setting TLS CACert Directory to /etc/ssl/certs
[local] setting TLS Cert File to certs/wildcard.ourcorp.net.cer
[local] setting TLS Key File to certs/wildcard.ourcorp.net.key
[local] bind as cn=readuser,dc=ourcorp,dc=net/******* to localhost:389
[local] waiting for bind result ...
[local] Bind was successful
[local] performing search in dc=ourcorp,dc=net, with filter (uid=abx)
[local] checking if remote access for abx is allowed by dialupAccess
[local] Added User-Password = 1D*********************9B in check items
[local] looking for check items in directory...
[local] sambaNtPassword -> NT-Password ==
0x31**********************************************************42
[local] sambaLmPassword -> LM-Password ==
0x42**********************************************************36
[local] looking for reply items in directory...
[local] radiusFramedIPAddress -> Framed-IP-Address = 10.0.0.198
[local] user abx authorized to use remote access
[local] ldap_release_conn: Release Id: 0
+++[local] = ok
++} # policy redundant = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group PAP {
[pap] login attempt with password "n**************W"
[pap] Using clear text password "1D********************9B"
[pap] Passwords don't match
++[pap] = reject
+} # group PAP = reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> abx
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 32 to 127.0.0.1 port 32834
Waking up in 4.9 seconds.
Cleaning up request 0 ID 32 with timestamp +4
Ready to process requests.
============================================================================
I can not understand why is this:
[local] Added User-Password = 1D*********************9B in check items
There is nothing of User-Password in ldap.attrmap, why the radius adds it
from sambaLmPassword?
I can not put cleartext passwords in LDAP, so I have to work with NT-hashed
passwords only.
So, how to tell the radius that User-Password and Cleartext-Password are
empty and it has to operate with NT-Password?
I believe it should be smth simple that I forgot to do...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150102/f2c35f2a/attachment.html>
More information about the Freeradius-Users
mailing list