Freeradius/LDAP Authentication issue

Peter Lambrechtsen peter at crypt.nz
Wed Mar 23 19:28:48 CET 2016


On Mar 24, 2016 6:11 AM, "Benjamin Dupalut" <benjamin.dupalut at esiee.fr>
wrote:
>
> Hi,
>
> First of all, sorry for my bad English.
>
> I have installed Freeradius (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to
authenticate users via our LDAP. I face an issue when I perform this
radtest: radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"

In the default config the shared secret is testing123 rather than
clientpassword.

>
> Here is the freeradius -X debug :
>
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
length=48
> Sending duplicate reply to client localhost port 44928 - ID: 111
> Sending Access-Reject of id 111 to 127.0.0.1 port 44928
> Waking up in 2.9 seconds.
> Cleaning up request 2 ID 111 with timestamp +114
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
length=48
>     User-Name = "toto"
>     User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ"

This would be the cleartext password if your secret matched.

> server inner-tunnel {
> # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
> +group authorize {
> ++[mschap] = noop
> [suffix] No '@' in User-Name = "toto", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> ++update control {
> ++} # update control = noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] = noop
> ++[files] = noop
> ++group  {
> [ldap_1] performing user authorization for toto
> [ldap_1]     expand: %{Stripped-User-Name} ->
> [ldap_1]     ... expanding second conditional
> [ldap_1]     expand: %{User-Name} -> toto
> [ldap_1]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=toto)
> [ldap_1]     expand: ou=Users,dc=XXXX,dc=fr -> ou=Users,dc=XXXX,dc=fr
>   [ldap_1] ldap_get_conn: Checking Id: 0
>   [ldap_1] ldap_get_conn: Got Id: 0
>   [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter
(uid=toto)
> [ldap_1] checking if remote access for toto is allowed by uid
> [ldap_1] No default NMAS login sequence
> [ldap_1] looking for check items in directory...
>   [ldap_1] sambaNtPassword -> NT-Password ==
0x3344424445363937443731363930413736393230344245423132323833363738
>   [ldap_1] sambaLmPassword -> LM-Password ==
0x4343463931353545334537444234353341414433423433354235313430344545
>   [ldap_1] userPassword -> Cleartext-Password ==
"{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>   [ldap_1] userPassword -> Password-With-Header ==
"{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>   [ldap_1] sambaNtPassword -> NT-Password ==
0x3344424445363937443731363930413736393230344245423132323833363738
>   [ldap_1] sambaLmPassword -> LM-Password ==
0x4343463931353545334537444234353341414433423433354235313430344545
> [ldap_1] looking for reply items in directory...
> [ldap_1] user toto authorized to use remote access
>   [ldap_1] ldap_release_conn: Release Id: 0
> +++[ldap_1] = ok
> ++} # group  = ok
> ++[expiration] = noop
> ++[logintime] = noop
> +} # group authorize = ok
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
> User-Password in the request does NOT match "known good" password.
> Failed to authenticate the user.
>   WARNING: Unprintable characters in the password.  Double-check the
shared secret on the server and the NAS!
> } # server inner-tunnel
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> +group REJECT {
> [attr_filter.access_reject]     expand: %{User-Name} -> toto
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 3 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 3
> Sending Access-Reject of id 111 to 127.0.0.1 port 44928
> Waking up in 4.9 seconds.
> Cleaning up request 3 ID 111 with timestamp +120
> Ready to process requests.
>
>
> The user and client passwords are correct and I don't understand the
following errors:
>
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
> User-Password in the request does NOT match "known good" password.
> Failed to authenticate the user.
>   WARNING: Unprintable characters in the password.  Double-check the
shared secret on the server and the NAS!
>
>
> Thank you for your replies.
>
> Regards,
>
> - -
>
> Benjamin Dupalut
> System and network administrator
> Service des Moyens Informatiques Généraux (SMIG)
> ESIEE Paris
> 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
> T : +33 1 45 92 66 17
> benjamin.dupalut at esiee.fr
> www.esiee.fr / www.cci-paris-idf.fr
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
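The "unprintable characters in the password" symptom Peter points to follows directly from how RADIUS hides User-Password (RFC 2865 section 5.2): the client XORs the padded password with MD5(secret + Request-Authenticator) keystream blocks, and the server reverses it with its own copy of the secret. If the two secrets differ, the server recovers random bytes instead of the cleartext, which is exactly what the debug output shows. The following Python is an added illustration of that mechanism, not code from the list post or from FreeRADIUS; the 16-byte authenticator is a constructed sample value and the secrets are the ones named in the thread.

```python
import hashlib

BLOCK = 16


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    bytes, then XOR each block with MD5(secret + previous ciphertext block),
    seeding the chain with the Request-Authenticator."""
    pad = (BLOCK - len(password) % BLOCK) % BLOCK
    padded = password + b"\x00" * pad
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += chunk
        prev = chunk  # the next keystream block depends on this ciphertext
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side reversal of hide_password using the server's copy of the
    shared secret. Trailing NUL padding is stripped from the result."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def has_unprintable(recovered: bytes) -> bool:
    """The check behind FreeRADIUS's 'Unprintable characters in the password'
    warning: any byte outside printable ASCII suggests the two sides disagree
    on the shared secret rather than the user having typed a wrong password."""
    return any(c < 0x20 or c > 0x7E for c in recovered)


def demo() -> dict:
    # Constructed sample authenticator; a real client picks 16 random bytes per request.
    authenticator = bytes(range(0xA0, 0xB0))
    password = b"totopassword"
    client_secret = b"clientpassword"   # what the radtest command in the thread used
    server_secret = b"testing123"       # what the default inner-tunnel client uses

    hidden = hide_password(password, client_secret, authenticator)
    good = unhide_password(hidden, client_secret, authenticator)   # secrets agree
    bad = unhide_password(hidden, server_secret, authenticator)    # secrets differ
    return {
        "matching_secret": good,
        "mismatched_secret": bad,
        "mismatch_flagged": has_unprintable(bad),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running this shows the password coming back intact when both sides use the same secret and as a byte salad when they do not; the practical fix is the one in the reply: make the secret passed to radtest match the one configured for that client in clients.conf.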
