Could use some help setting up freeradius ttls-pap with ldap backend serving NT-passwords

Arjan Sinnige arjan at audiodude.nl
Mon Jan 5 20:24:38 CET 2015


OK, first post here. Howdy. My name is Arjan. Sorry in advance for the long post.

Currently our small school is running a Mac OS X Tiger file/web server with RADIUS slapped onto it.
As the server is getting old, I've been asked to configure a new server (Dell 720 running Ubuntu 14.10). Clients come in numerous formats (BYOD), but are mainly OS X and Windows machines. Testing virtually at home at the moment. The Apache, LDAP and Samba parts are fine for me, but FreeRADIUS is really tough. I could use some help.

Trying to get EAP-TTLS with PAP working, as that is what we had before. Users are supposed to log in with their username and password. No user certificates.

Doing a PAP or MS-CHAP test from the server terminal is fine, which means the connection to LDAP seems to be working. Doing TTLS-PAP from an Android phone gives errors.

The mailing list won't allow me to post my full config and output (>100 KB), so I've put it up on a website:
http://www.audiodude.nl/ldapconfig.txt

Here a few excerpts:

radtest -t mschap arjan Mypassword^3 localhost 0 mypassword  ends with:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 44458, id=134, length=131
        User-Name = "arjan"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0xe851266b3b6672aed5d53caecf5421b9
        MS-CHAP-Challenge = 0x6e5a7c9078ec9181
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000e8c0afd962f70b27eae06ed24a3fd2e53950c029a26de960
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "arjan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for arjan
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> arjan
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=arjan)
[ldap]  expand: ou=Users,dc=mysite,dc=nl -> ou=Users,dc=mysite,dc=nl
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldapserv.mysite.nl:389, authentication 0
  [ldap] bind as cn=admin,dc=mysite,dc=nl/Mypassword^3 to ldapserv.mysite.nl:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in ou=Users,dc=mysite,dc=nl, with filter (uid=arjan)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{SSHA}EO6u+XXXXXXXXXXXXXXXXXXX9CVEpL"
  [ldap] sambaNtPassword -> NT-Password == 0x323444323XXXXXXXXXXXXXXXXXXX136453246
  [ldap] sambaLmPassword -> LM-Password == 0x4437314142XXXXXXXXXXXXXXXXXXX7343541363935
[ldap] looking for reply items in directory...
[ldap] user arjan authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Found LM-Password
[mschap] Found NT-Password
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 134 to 127.0.0.1 port 44458
        MS-CHAP-MPPE-Keys = 0xd71ab5a02f21bf6c84ea1619e12e6d233ad6e6fe70164f220000000000000000
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
Finished request 0.

So LDAP seems ok.

But doing EAP-TTLS-PAP produces the results below.
Should I change something in the eap.conf file?
                ttls {
                        default_eap_type = md5
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                        virtual_server = "inner-tunnel"
                }

Thanks in advance, guys!

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.63.144 port 32869, id=0, length=123
        User-Name = "arjan"
        NAS-IP-Address = 192.168.63.144
        Called-Station-Id = "20aa4b81f8a3"
        Calling-Station-Id = "64a769fde8c7"
        NAS-Identifier = "20aa4b81f8a3"
        NAS-Port = 18
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200000a0161726a616e
        Message-Authenticator = 0x2f7a9f1fe7f8586e05b801511990fa64
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "arjan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for arjan
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> arjan
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=arjan)
[ldap]  expand: ou=Users,dc=mysite,dc=nl -> ou=Users,dc=mysite,dc=nl
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldapserv.mysite.nl:389, authentication 0
  [ldap] bind as cn=admin,dc=mysite,dc=nl/Mypassword^3 to ldapserv.mysite.nl:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in ou=Users,dc=mysite,dc=nl, with filter (uid=arjan)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{SSHA}EO6u+XXXXXXXXXXXXXXXXXXX9CVEpL"
  [ldap] sambaNtPassword -> NT-Password == 0x323444323XXXXXXXXXXXXXXXXXXX136453246
  [ldap] sambaLmPassword -> LM-Password == 0x4437314142XXXXXXXXXXXXXXXXXXX7343541363935
[ldap] looking for reply items in directory...
[ldap] user arjan authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.63.144 port 32869
        EAP-Message = 0x010100061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb4cfcc79b4ced9bce030871567d52b3d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.63.144 port 32869, id=0, length=327
Cleaning up request 0 ID 0 with timestamp +41
        User-Name = "arjan"
        NAS-IP-Address = 192.168.63.144
        Called-Station-Id = "20aa4b81f8a3"
        Calling-Station-Id = "64a769fde8c7"
        NAS-Identifier = "20aa4b81f8a3"
        NAS-Port = 18
        Framed-MTU = 1400
        State = 0xb4cfcc79b4ced9bce030871567d52b3d
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020100c4150016030100b9010000b5030154a9bcfe6fc055caad760b07efb122cc8df68813c63eaf12f11c3c770607a803000048c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000
        Message-Authenticator = 0xa56f2ecfe109fcdef933ff8083a95981
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "arjan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 196
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 00b9], ClientHello
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 080c], Certificate
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[ttls]     TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.63.144 port 32869
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 0xcd9d8cef411761a8d4ef22af
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb4cfcc79b5cdd9bce030871567d52b3d
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.63.144 port 32869, id=0, length=309
Cleaning up request 1 ID 0 with timestamp +41
        User-Name = "arjan"
        NAS-IP-Address = 192.168.63.144
        Called-Station-Id = "20aa4b81f8a3"
        Calling-Station-Id = "64a769fde8c7"
        NAS-Identifier = "20aa4b81f8a3"
        NAS-Port = 18
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020100c4150016030100b9010000b5030154a9bcfe6fc055caad760b07efb122cc8df68813c63eaf12f11c3c770607a803000048c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000
        Message-Authenticator = 0x3e826a011acf3c3c7c4ee12c132df594
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "arjan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 196
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> arjan
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 0 to 192.168.63.144 port 32869
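Added example (not part of the post above, and not FreeRADIUS code): the debug trace ends with "[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request" because the third Access-Request carries the same EAP-Message as the second one (the ClientHello with EAP id 1) but no State attribute, so the server cannot tie it to the EAP session it opened. The script below parses radiusd -X output into packets, decodes the EAP header (and the EAP-TTLS flags byte), and flags exactly that pattern, plus requests that present a State the server never issued. The embedded sample is a constructed, trimmed copy of the trace above: the long TLS payloads are truncated and the second challenge's EAP-Message is a placeholder, since only its State matters here. Packet, parse_packets, eap_header and find_eap_session_breaks are names chosen for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the radiusd -X output above. TLS payloads
# are truncated and the second challenge's EAP-Message is a placeholder.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.63.144 port 32869, id=0, length=123
        User-Name = "arjan"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200000a0161726a616e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.63.144 port 32869
        EAP-Message = 0x010100061520
        State = 0xb4cfcc79b4ced9bce030871567d52b3d
Finished request 0.
rad_recv: Access-Request packet from host 192.168.63.144 port 32869, id=0, length=327
Cleaning up request 0 ID 0 with timestamp +41
        User-Name = "arjan"
        State = 0xb4cfcc79b4ced9bce030871567d52b3d
        EAP-Message = 0x020100c4150016030100b9010000b50301
# Executing section authorize from file /etc/freeradius/sites-enabled/default
Sending Access-Challenge of id 0 to 192.168.63.144 port 32869
        EAP-Message = 0x010200061500
        State = 0xb4cfcc79b5cdd9bce030871567d52b3d
Finished request 1.
rad_recv: Access-Request packet from host 192.168.63.144 port 32869, id=0, length=309
        User-Name = "arjan"
        EAP-Message = 0x020100c4150016030100b9010000b50301
# Executing section authorize from file /etc/freeradius/sites-enabled/default
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Sending Access-Reject of id 0 to 192.168.63.144 port 32869
"""

RECV_RE = re.compile(r"^rad_recv: (Access-Request) packet from host \S+ port \d+, id=(\d+)")
SEND_RE = re.compile(r"^Sending (Access-Challenge|Access-Accept|Access-Reject) of id (\d+) to ")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.+?)\s*$")


@dataclass
class Packet:
    kind: str
    radius_id: int
    attrs: dict = field(default_factory=dict)  # attribute name -> list of values, in order


def parse_packets(debug_text: str) -> list:
    """Collect every packet radiusd -X prints, together with its attribute dump."""
    packets, current = [], None
    for line in debug_text.splitlines():
        m = RECV_RE.match(line) or SEND_RE.match(line)
        if m:
            current = Packet(kind=m.group(1), radius_id=int(m.group(2)))
            packets.append(current)
        elif line.startswith(("#", "Finished")):
            current = None  # the module trace follows; the attribute dump is over
        elif current is not None and (m := ATTR_RE.match(line)):
            current.attrs.setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return packets


def eap_header(eap_hex: str) -> dict:
    """Decode code/id/length/type from an EAP-Message, plus the EAP-TTLS flags byte (type 21)."""
    raw = bytes.fromhex(eap_hex[2:] if eap_hex.lower().startswith("0x") else eap_hex)
    hdr = {"code": raw[0], "id": raw[1], "length": int.from_bytes(raw[2:4], "big"),
           "type": raw[4] if len(raw) > 4 else None}
    hdr["flags"] = raw[5] if hdr["type"] == 21 and len(raw) > 5 else None
    return hdr


def find_eap_session_breaks(packets: list) -> list:
    """Flag requests the server cannot match to an EAP session it has open."""
    findings, issued_states, seen = [], set(), {}
    for idx, p in enumerate(packets):
        if p.kind == "Access-Challenge":
            issued_states.update(p.attrs.get("State", []))
            continue
        if p.kind != "Access-Request" or "EAP-Message" not in p.attrs:
            continue
        eap_hex = "".join(v[2:] for v in p.attrs["EAP-Message"])  # fragments concatenate
        hdr = eap_header(eap_hex)
        state = p.attrs.get("State", [None])[0]
        if state is None and issued_states and eap_hex in seen:
            # Same EAP response again, with no State: the client restarted the handshake.
            findings.append({"request_index": idx, "problem": "restart",
                             "eap_id": hdr["id"], "duplicate_of": seen[eap_hex]})
        elif state is not None and state not in issued_states:
            findings.append({"request_index": idx, "problem": "unknown-state", "eap_id": hdr["id"]})
        seen.setdefault(eap_hex, idx)
    return findings


if __name__ == "__main__":
    for f in find_eap_session_breaks(parse_packets(SAMPLE_DEBUG)):
        print(f)
```

Run it against a full radiusd -X capture (pipe the file in place of SAMPLE_DEBUG). A "restart" finding right after the challenge that carried the server certificate is the signature of a supplicant that abandoned the TLS handshake and started over, which is what the trace above shows; the server side cannot distinguish that from a timed-out request, hence the generic message.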
