Freeradius/LDAP Authentication issue

Anirudh Malhotra 8zero2ops at gmail.com
Thu Mar 24 05:45:44 CET 2016


Yes, I think the shared secrets are not matching; that's why we see the unencrypted value of the user password as something else, and hence it fails to match the "known good" password.

BR,
Anirudh Malhotra
8zero2
Mail: 8zero2.in at gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in

On 24 Mar 2016, 00:00 +0530, Peter Lambrechtsen <peter at crypt.nz>, wrote:
> On Mar 24, 2016 6:11 AM, "Benjamin Dupalut" <benjamin.dupalut at esiee.fr>
> wrote:
> >  
> > Hi,
> >  
> > First of all, sorry for my bad english.
> >  
> > I have installed Freeradius (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to
> authenticate users via our LDAP. I face an issue when I perform this
> radtest : /radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"/
>  
> The default config the shared secret is testing123 rather than
> clientpassword
>  
> >  
> > Here is the freeradius -X debug :
> >  
> >  
> > rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
> length=48
> > Sending duplicate reply to client localhost port 44928 - ID: 111
> > Sending Access-Reject of id 111 to 127.0.0.1 port 44928
> > Waking up in 2.9 seconds.
> > Cleaning up request 2 ID 111 with timestamp +114
> > Ready to process requests.
> > rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
> length=48
> > User-Name = "toto"
> > User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ"
>  
> This would be the cleartext password if your secret matched.
>  
> > server inner-tunnel {
> > # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> > +group authorize {
> > ++[mschap] = noop
> > [suffix] No '@' in User-Name = "toto", looking up realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] = noop
> > ++update control {
> > ++} # update control = noop
> > [eap] No EAP-Message, not doing EAP
> > ++[eap] = noop
> > ++[files] = noop
> > ++group {
> > [ldap_1] performing user authorization for toto
> > [ldap_1] expand: %{Stripped-User-Name} -
> > [ldap_1] ... expanding second conditional
> > [ldap_1] expand: %{User-Name} ->toto
> > [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
> (uid=toto)
> > [ldap_1] expand: ou=Users,dc=XXXX,dc=fr ->ou=Users,dc=XXXX,dc=fr
> > [ldap_1] ldap_get_conn: Checking Id: 0
> > [ldap_1] ldap_get_conn: Got Id: 0
> > [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter
> (uid=toto)
> > [ldap_1] checking if remote access for toto is allowed by uid
> > [ldap_1] No default NMAS login sequence
> > [ldap_1] looking for check items in directory...
> > [ldap_1] sambaNtPassword ->NT-Password ==
> 0x3344424445363937443731363930413736393230344245423132323833363738
> > [ldap_1] sambaLmPassword ->LM-Password ==
> 0x4343463931353545334537444234353341414433423433354235313430344545
> > [ldap_1] userPassword ->Cleartext-Password ==
> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> > [ldap_1] userPassword ->Password-With-Header ==
> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> > [ldap_1] sambaNtPassword ->NT-Password ==
> 0x3344424445363937443731363930413736393230344245423132323833363738
> > [ldap_1] sambaLmPassword ->LM-Password ==
> 0x4343463931353545334537444234353341414433423433354235313430344545
> > [ldap_1] looking for reply items in directory...
> > [ldap_1] user toto authorized to use remote access
> > [ldap_1] ldap_release_conn: Release Id: 0
> > +++[ldap_1] = ok
> > ++} # group = ok
> > ++[expiration] = noop
> > ++[logintime] = noop
> > +} # group authorize = ok
> > WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> > WARNING: Use the PAP or CHAP modules instead.
> > User-Password in the request does NOT match "known good" password.
> > Failed to authenticate the user.
> > WARNING: Unprintable characters in the password. Double-check the
> shared secret on the server and the NAS!
> > } # server inner-tunnel
> > Using Post-Auth-Type REJECT
> > # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> > +group REJECT {
> > [attr_filter.access_reject] expand: %{User-Name} ->toto
> > attr_filter: Matched entry DEFAULT at line 11
> > ++[attr_filter.access_reject] = updated
> > +} # group REJECT = updated
> > Delaying reject of request 3 for 1 seconds
> > Going to the next request
> > Waking up in 0.9 seconds.
> > Sending delayed reject for request 3
> > Sending Access-Reject of id 111 to 127.0.0.1 port 44928
> > Waking up in 4.9 seconds.
> > Cleaning up request 3 ID 111 with timestamp +120
> > Ready to process requests.
> >  
> >  
> > The user and client passwords are correct and I don't understand the
> following errors :
> >  
> > WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> > WARNING: Use the PAP or CHAP modules instead.
> > User-Password in the request does NOT match "known good" password.
> > Failed to authenticate the user.
> > WARNING: Unprintable characters in the password. Double-check the
> shared secret on the server and the NAS!
> >  
> >  
> > Thank you for your replies.
> >  
> > Kind regards,
> >  
> > - -
> >  
> > Benjamin Dupalut
> > System and network administrator
> > Service des Moyens Informatiques Généraux (SMIG)
> > ESIEE Paris
> > 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
> > T : +33 1 45 92 66 17
> > benjamin.dupalut at esiee.fr
> > www.esiee.fr / www.cci-paris-idf.fr
> >  
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
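The secret-mismatch explanation given in the thread, as an added example (not code from the thread or from FreeRADIUS): the RFC 2865 section 5.2 User-Password hiding scheme, encoded by a client using the default secret "testing123" that Peter mentions and decoded by a server configured with "clientpassword", which shows why the server ends up with unprintable bytes instead of "totopassword". The Request-Authenticator value is constructed for the example.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16 octets, then for each block p_i
    compute c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request-Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be exactly 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side inverse; NUL padding stripped. With a secret different from
    the client's, the XOR mask is wrong and the output is byte salad, exactly the
    kind of User-Password value shown in the debug output above."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def looks_printable(password: bytes) -> bool:
    """Same sanity check behind the 'Unprintable characters in the password'
    warning: every octet must be printable ASCII."""
    return all(0x20 <= b < 0x7F for b in password)

# Constructed sample: radtest-style client using the default secret
# "testing123"; the server was given "clientpassword" as the secret instead.
AUTHENTICATOR = bytes(range(16))  # constructed; a real client sends random octets
HIDDEN = hide_user_password(b"totopassword", b"testing123", AUTHENTICATOR)

def decode_with(server_secret: bytes) -> bytes:
    return reveal_user_password(HIDDEN, server_secret, AUTHENTICATOR)

if __name__ == "__main__":
    for secret in (b"testing123", b"clientpassword"):
        pw = decode_with(secret)
        state = "printable" if looks_printable(pw) else "UNPRINTABLE - check shared secret"
        print(secret.decode(), "->", pw, state)
```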

