Freeradius/LDAP Authentication issue
Benjamin Dupalut
benjamin.dupalut at esiee.fr
Wed Mar 23 18:08:04 CET 2016
Hi,
First of all, sorry for my bad English.
I have installed Freeradius (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to
authenticate users via our LDAP. I face an issue when I perform this
radtest: /radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"/
Here is the freeradius -X debug:
rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
length=48
Sending duplicate reply to client localhost port 44928 - ID: 111
Sending Access-Reject of id 111 to 127.0.0.1 port 44928
Waking up in 2.9 seconds.
Cleaning up request 2 ID 111 with timestamp +114
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
length=48
User-Name = "toto"
User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ"
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[mschap] = noop
[suffix] No '@' in User-Name = "toto", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
++group {
[ldap_1] performing user authorization for toto
[ldap_1] expand: %{Stripped-User-Name} ->
[ldap_1] ... expanding second conditional
[ldap_1] expand: %{User-Name} -> toto
[ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=toto)
[ldap_1] expand: ou=Users,dc=XXXX,dc=fr -> ou=Users,dc=XXXX,dc=fr
[ldap_1] ldap_get_conn: Checking Id: 0
[ldap_1] ldap_get_conn: Got Id: 0
[ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter
(uid=toto)
[ldap_1] checking if remote access for toto is allowed by uid
[ldap_1] No default NMAS login sequence
[ldap_1] looking for check items in directory...
[ldap_1] sambaNtPassword -> NT-Password ==
0x3344424445363937443731363930413736393230344245423132323833363738
[ldap_1] sambaLmPassword -> LM-Password ==
0x4343463931353545334537444234353341414433423433354235313430344545
[ldap_1] userPassword -> Cleartext-Password ==
"{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
[ldap_1] userPassword -> Password-With-Header ==
"{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
[ldap_1] sambaNtPassword -> NT-Password ==
0x3344424445363937443731363930413736393230344245423132323833363738
[ldap_1] sambaLmPassword -> LM-Password ==
0x4343463931353545334537444234353341414433423433354235313430344545
[ldap_1] looking for reply items in directory...
[ldap_1] user toto authorized to use remote access
[ldap_1] ldap_release_conn: Release Id: 0
+++[ldap_1] = ok
++} # group = ok
++[expiration] = noop
++[logintime] = noop
+} # group authorize = ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the
shared secret on the server and the NAS!
} # server inner-tunnel
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> toto
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 111 to 127.0.0.1 port 44928
Waking up in 4.9 seconds.
Cleaning up request 3 ID 111 with timestamp +120
Ready to process requests.
The user and client passwords are correct and I don't understand the
following errors:
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the
shared secret on the server and the NAS!
Thank you for your replies.
Best regards,
--
Benjamin Dupalut
System and network administrator
Service des Moyens Informatiques Généraux (SMIG)
ESIEE Paris
2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
T : +33 1 45 92 66 17
benjamin.dupalut at esiee.fr
www.esiee.fr / www.cci-paris-idf.fr
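
The "Unprintable characters in the password" warning in the debug output above relates to how RADIUS hides User-Password on the wire (RFC 2865, section 5.2): the value is XORed with an MD5 keystream derived from the shared secret, so decoding with a different secret produces random-looking bytes. The following is an added example, not part of the original post and not FreeRADIUS code; the function names, the fixed authenticator and the second secret are constructed for illustration.

```python
import hashlib

BLOCK = 16  # RFC 2865 section 5.2 works on 16-octet blocks (the MD5 digest size)


def _mask(secret: bytes, prev: bytes) -> bytes:
    # Keystream block: MD5(shared secret + previous ciphertext block or authenticator)
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client/NAS side: build the User-Password attribute value."""
    padded = password + b"\x00" * (-len(password) % BLOCK) or b"\x00" * BLOCK
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        prev = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], _mask(secret, prev)))
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the secret configured for that client."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += bytes(c ^ m for c, m in zip(block, _mask(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")  # drop the NUL padding


def looks_printable(value: bytes) -> bool:
    return all(0x20 <= b < 0x7F for b in value)


# Constructed sample: password and secret as typed in the radtest command above,
# with a fixed Request Authenticator so the run is repeatable.
AUTHENTICATOR = bytes(range(16))
HIDDEN = hide_password(b"totopassword", b"clientpassword", AUTHENTICATOR)

if __name__ == "__main__":
    same = recover_password(HIDDEN, b"clientpassword", AUTHENTICATOR)
    other = recover_password(HIDDEN, b"a-different-secret", AUTHENTICATOR)  # constructed
    print("same secret     :", same, looks_printable(same))
    print("different secret:", other, looks_printable(other))
```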