Freeradius/LDAP Authentication issue

Benjamin Dupalut benjamin.dupalut at esiee.fr
Thu Mar 24 10:33:27 CET 2016


Hi,

Thank you for your replies.

I wrote "clientpassword" so I don't publish a private password in this 
public mail. I modified the clients.conf file to set the localhost 
client password to "testing123" and performed this new radtest:

root at freeradius:/etc/freeradius# radtest testfreeradius 123 127.0.0.1 0 testing123
Sending Access-Request of id 68 to 127.0.0.1 port 1812
     User-Name = "testfreeradius"
     User-Password = "123"
     NAS-IP-Address = 127.0.1.1
     NAS-Port = 0
     Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=68, length=20

Here is the freeradius -X debug:

rad_recv: Access-Request packet from host 127.0.0.1 port 35730, id=68, length=84
     User-Name = "testfreeradius"
     User-Password = "123"
     NAS-IP-Address = 127.0.1.1
     NAS-Port = 0
     Message-Authenticator = 0xb48c8d817ebe7b7ff9cfeeefa1de6b2e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log]     expand: %{Packet-Src-IP-Address} -> 127.0.0.1
[auth_log]     expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20160324
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20160324
[auth_log]     expand: %t -> Thu Mar 24 10:26:33 2016
++[auth_log] = ok
++[mschap] = noop
[suffix] No '@' in User-Name = "testfreeradius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
++group  {
[ldap_1] performing user authorization for testfreeradius
[ldap_1]     expand: %{Stripped-User-Name} ->
[ldap_1]     ... expanding second conditional
[ldap_1]     expand: %{User-Name} -> testfreeradius
[ldap_1]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testfreeradius)
[ldap_1]     expand: ou=Users,dc=esiee,dc=fr -> ou=Users,dc=esiee,dc=fr
   [ldap_1] ldap_get_conn: Checking Id: 0
   [ldap_1] ldap_get_conn: Got Id: 0
   [ldap_1] performing search in ou=Users,dc=esiee,dc=fr, with filter (uid=testfreeradius)
[ldap_1] checking if remote access for testfreeradius is allowed by uid
[ldap_1] No default NMAS login sequence
[ldap_1] looking for check items in directory...
   [ldap_1] sambaNtPassword -> NT-Password == 0x3344424445363937443731363930413736393230344245423132323833363738
   [ldap_1] sambaLmPassword -> LM-Password == 0x4343463931353545334537444234353341414433423433354235313430344545
   [ldap_1] userPassword -> Cleartext-Password == "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
   [ldap_1] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
   [ldap_1] sambaNtPassword -> NT-Password == 0x3344424445363937443731363930413736393230344245423132323833363738
   [ldap_1] sambaLmPassword -> LM-Password == 0x4343463931353545334537444234353341414433423433354235313430344545
[ldap_1] looking for reply items in directory...
[ldap_1] user testfreeradius authorized to use remote access
   [ldap_1] ldap_release_conn: Release Id: 0
+++[ldap_1] = ok
++} # group  = ok
+} # group authorize = ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> testfreeradius
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 68 to 127.0.0.1 port 35730
Waking up in 4.9 seconds.
Cleaning up request 3 ID 68 with timestamp +1377
Ready to process requests.

Here is the clients.conf file:

client 127.0.0.1 {
         secret      = testing123
         shortname   = localhost
         nastype     = other     # localhost isn't usually a NAS...
}

Regards,

- -

Benjamin Dupalut
System and network administrator
Service des Moyens Informatiques Généraux (SMIG)
ESIEE Paris
2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
T : +33 1 45 92 66 17
benjamin.dupalut at esiee.fr
www.esiee.fr / www.cci-paris-idf.fr

On 24/03/2016 05:45, Anirudh Malhotra wrote:
> Yes, I think the shared secrets are not matching; that's why we see the unencrypted value of the user password as something else, and hence it fails to match the "known good" password.
>
> BR,
> Anirudh Malhotra
> 8zero2
> Mail: 8zero2.in at gmail.com
> Facebook: www.facebook.com/8zero2
> Twitter: @8zero2_in
> Blog: blog.8zero2.in
>
> On 24 Mar 2016, 00:00 +0530, Peter Lambrechtsen<peter at crypt.nz>, wrote:
>> On Mar 24, 2016 6:11 AM, "Benjamin Dupalut"<benjamin.dupalut at esiee.fr
>> wrote:
>>>   
>>> Hi,
>>>   
>>> First of all, sorry for my bad English.
>>>   
>>> I have installed Freeradius (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to
>> authenticate users via our LDAP. I face an issue when I perform this
>> radtest: radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"
>>   
>> The default config the shared secret is testing123 rather than
>> clientpassword
>>   
>>>   
>>> Here is the freeradius -X debug :
>>>   
>>>   
>>> rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
>> length=48
>>> Sending duplicate reply to client localhost port 44928 - ID: 111
>>> Sending Access-Reject of id 111 to 127.0.0.1 port 44928
>>> Waking up in 2.9 seconds.
>>> Cleaning up request 2 ID 111 with timestamp +114
>>> Ready to process requests.
>>> rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
>> length=48
>>> User-Name = "toto"
>>> User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ"
>>   
>> This would be the cleartext password if your secret matched.
>>   
>>> server inner-tunnel {
>>> # Executing section authorize from file
>> /etc/freeradius/sites-enabled/inner-tunnel
>>> +group authorize {
>>> ++[mschap] = noop
>>> [suffix] No '@' in User-Name = "toto", looking up realm NULL
>>> [suffix] No such realm "NULL"
>>> ++[suffix] = noop
>>> ++update control {
>>> ++} # update control = noop
>>> [eap] No EAP-Message, not doing EAP
>>> ++[eap] = noop
>>> ++[files] = noop
>>> ++group {
>>> [ldap_1] performing user authorization for toto
>>> [ldap_1] expand: %{Stripped-User-Name} -
>>> [ldap_1] ... expanding second conditional
>>> [ldap_1] expand: %{User-Name} ->toto
>>> [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
>> (uid=toto)
>>> [ldap_1] expand: ou=Users,dc=XXXX,dc=fr ->ou=Users,dc=XXXX,dc=fr
>>> [ldap_1] ldap_get_conn: Checking Id: 0
>>> [ldap_1] ldap_get_conn: Got Id: 0
>>> [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter
>> (uid=toto)
>>> [ldap_1] checking if remote access for toto is allowed by uid
>>> [ldap_1] No default NMAS login sequence
>>> [ldap_1] looking for check items in directory...
>>> [ldap_1] sambaNtPassword ->NT-Password ==
>> 0x3344424445363937443731363930413736393230344245423132323833363738
>>> [ldap_1] sambaLmPassword ->LM-Password ==
>> 0x4343463931353545334537444234353341414433423433354235313430344545
>>> [ldap_1] userPassword ->Cleartext-Password ==
>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>>> [ldap_1] userPassword ->Password-With-Header ==
>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>>> [ldap_1] sambaNtPassword ->NT-Password ==
>> 0x3344424445363937443731363930413736393230344245423132323833363738
>>> [ldap_1] sambaLmPassword ->LM-Password ==
>> 0x4343463931353545334537444234353341414433423433354235313430344545
>>> [ldap_1] looking for reply items in directory...
>>> [ldap_1] user toto authorized to use remote access
>>> [ldap_1] ldap_release_conn: Release Id: 0
>>> +++[ldap_1] = ok
>>> ++} # group = ok
>>> ++[expiration] = noop
>>> ++[logintime] = noop
>>> +} # group authorize = ok
>>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>>> WARNING: Use the PAP or CHAP modules instead.
>>> User-Password in the request does NOT match "known good" password.
>>> Failed to authenticate the user.
>>> WARNING: Unprintable characters in the password. Double-check the
>> shared secret on the server and the NAS!
>>> } # server inner-tunnel
>>> Using Post-Auth-Type REJECT
>>> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
>>> +group REJECT {
>>> [attr_filter.access_reject] expand: %{User-Name} ->toto
>>> attr_filter: Matched entry DEFAULT at line 11
>>> ++[attr_filter.access_reject] = updated
>>> +} # group REJECT = updated
>>> Delaying reject of request 3 for 1 seconds
>>> Going to the next request
>>> Waking up in 0.9 seconds.
>>> Sending delayed reject for request 3
>>> Sending Access-Reject of id 111 to 127.0.0.1 port 44928
>>> Waking up in 4.9 seconds.
>>> Cleaning up request 3 ID 111 with timestamp +120
>>> Ready to process requests.
>>>   
>>>   
>>> The user and client passwords are correct and I don't understand the
>> following errors :
>>>   
>>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>>> WARNING: Use the PAP or CHAP modules instead.
>>> User-Password in the request does NOT match "known good" password.
>>> Failed to authenticate the user.
>>> WARNING: Unprintable characters in the password. Double-check the
>> shared secret on the server and the NAS!
>>>   
>>>   
>>> Thank you for your replies.
>>>   
>>> Regards,
>>>   
>>> - -
>>>   
>>> Benjamin Dupalut
>>> System and network administrator
>>> Service des Moyens Informatiques Généraux (SMIG)
>>> ESIEE Paris
>>> 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
>>> T : +33 1 45 92 66 17
>>> benjamin.dupalut at esiee.fr
>>> www.esiee.fr / www.cci-paris-idf.fr
>>>   
>>> -
>>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
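The thread shows two distinct failures that produce the same "does NOT match known good password" line. In the first debug run the shared secret differed between radtest and the server, so the server unmasked User-Password with the wrong key and got the garbage bytes that triggered the "Unprintable characters in the password" warning. In the second run the secret matched, yet the comparison still failed: the check items show rlm_ldap copying the literal string "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" into Cleartext-Password, and the "remove 'Auth-Type = Local' ... Use the PAP or CHAP modules" warning points at letting the PAP module interpret that header. The script below is an added example, not code from the thread or from FreeRADIUS itself. It implements the RFC 2865 section 5.2 User-Password masking so you can see why a secret mismatch yields unprintable bytes, and a header-aware comparison of the kind rlm_pap performs for base64 {MD5} values. The password "123" and the {MD5} hash are the values visible in the thread; the 16-byte Request Authenticator is a constructed sample, and the diagnose() function and its result strings are this example's own.

```python
import base64
import hashlib

# Values taken from the thread: the user password radtest sent and the
# {MD5} userPassword that rlm_ldap pulled from the directory.
PAGE_PASSWORD = b"123"
PAGE_LDAP_USERPASSWORD = "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="

# Constructed sample Request Authenticator (16 bytes); a real one is random
# per request and is sent in the clear in the Access-Request header.
SAMPLE_AUTHENTICATOR = bytes(range(16))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Mask User-Password as RFC 2865 section 5.2 describes: pad to a multiple
    of 16 bytes, then XOR each block with MD5(secret + previous ciphertext
    block), seeding the 'previous block' with the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the server does on receipt. With the
    wrong secret every MD5 mask differs, so the output is pseudo-random bytes
    rather than the cleartext the NAS sent."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def has_unprintable(password: bytes) -> bool:
    """The heuristic behind FreeRADIUS's 'Unprintable characters in the
    password' warning: any byte outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in password)


def check_password_with_header(stored: str, candidate: bytes) -> bool:
    """Compare a candidate against a Password-With-Header value for the
    base64 {MD5} and {clear} headers (the only ones handled in this example);
    a value with no header is treated as cleartext. A plain byte comparison
    of the candidate against the raw '{MD5}...' string, which is what a
    cleartext check item holding that string amounts to, can never succeed."""
    if stored.startswith("{MD5}"):
        digest = hashlib.md5(candidate).digest()
        return base64.b64encode(digest).decode("ascii") == stored[len("{MD5}"):]
    if stored.startswith("{clear}"):
        return stored[len("{clear}"):].encode() == candidate
    return stored.encode() == candidate


def diagnose(hidden: bytes, server_secret: bytes, authenticator: bytes, stored: str) -> str:
    """Walk the server-side path once: unmask with the server's secret, flag
    a secret mismatch if the result is unprintable, otherwise compare against
    the directory value with header handling."""
    revealed = reveal_user_password(hidden, server_secret, authenticator)
    if has_unprintable(revealed):
        return "shared secret mismatch"
    if check_password_with_header(stored, revealed):
        return "ok"
    return "password mismatch"


if __name__ == "__main__":
    # radtest run with the wrong secret, as in the first debug output.
    wrong = hide_user_password(PAGE_PASSWORD, b"clientpassword", SAMPLE_AUTHENTICATOR)
    print(diagnose(wrong, b"testing123", SAMPLE_AUTHENTICATOR, PAGE_LDAP_USERPASSWORD))
    # radtest run with the matching secret, as in the second debug output.
    right = hide_user_password(PAGE_PASSWORD, b"testing123", SAMPLE_AUTHENTICATOR)
    print(diagnose(right, b"testing123", SAMPLE_AUTHENTICATOR, PAGE_LDAP_USERPASSWORD))
```

The unmasking step is why the shared secret must be identical on both ends and why the debug output with a mismatched secret shows a User-Password full of escaped bytes: the server has no way to tell a wrong secret from a wrong password except by noticing that the result is not printable text. The header check is what rlm_pap adds over a raw Cleartext-Password comparison, which is the substance of the warning in both debug runs.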
