Freeradius/LDAP Authentication issue

Anirudh Malhotra 8zero2ops at gmail.com
Thu Mar 24 10:58:56 CET 2016


Set the auth type to PAP or LDAP.
Set pap at the end of the authorize section.

WARNING: Please update your configuration, and remove 'Auth-Type = Local'

BR,
Anirudh Malhotra
8zero2
Mail: 8zero2.in at gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in
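To illustrate why the reply above points at the pap module rather than Auth-Type = Local: in the debug output quoted further down, LDAP returns userPassword as "{MD5}ICy5YqxZB1uWSwcVLSNLcA==", which is base64(MD5("123")), so the submitted password "123" is actually correct. A literal string comparison of "123" against that headered value can never succeed; hashing the candidate with the scheme named in the header and comparing digests does. The Python below is an added example written for this page, not FreeRADIUS or rlm_pap code; the scheme handling is modelled on the {clear}/{MD5}/{SMD5}/{SHA}/{SSHA} header forms, and the function names and sample salts are this example's own.

```python
import base64
import hashlib
import hmac

# Value copied from the LDAP check items in this thread's debug output:
#   userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
# It is base64(MD5("123")), so the submitted password "123" is in fact right.
LDAP_USER_PASSWORD = "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="

# Hash function and digest length per scheme; the salted schemes store
# "digest || salt" in the base64 payload.
_DIGEST = {"MD5": hashlib.md5, "SMD5": hashlib.md5,
           "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
_DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}


def split_header(stored: str):
    """Split '{SCHEME}payload' into (scheme, decoded payload).
    A value with no header is treated as cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, encoded = stored[1:].partition("}")
        scheme = scheme.upper()
        if scheme == "CLEAR":
            return "CLEAR", encoded.encode()
        return scheme, base64.b64decode(encoded)
    return "CLEAR", stored.encode()


def check_password(candidate: str, stored: str) -> bool:
    """Compare a cleartext candidate against a headered LDAP password value
    the way a PAP-style module must: hash the candidate with the stored
    scheme (and salt), then compare digests in constant time."""
    scheme, payload = split_header(stored)
    cand = candidate.encode()
    if scheme == "CLEAR":
        return hmac.compare_digest(cand, payload)
    if scheme not in _DIGEST:
        raise ValueError(f"unsupported password scheme {scheme}")
    n = _DIGEST_LEN[scheme]
    salt = payload[n:] if scheme in ("SMD5", "SSHA") else b""
    computed = _DIGEST[scheme](cand + salt).digest() + salt
    return hmac.compare_digest(computed, payload)


def encode_with_header(scheme: str, password: str, salt: bytes = b"") -> str:
    """Produce a '{SCHEME}base64' value; used here only to build test vectors."""
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return "{clear}" + password
    digest = _DIGEST[scheme](password.encode() + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode()


def local_compare(candidate: str, stored: str) -> bool:
    """What the deprecated Auth-Type = Local path amounts to when the
    Cleartext-Password check item holds a headered value: a literal
    string comparison, which cannot match a hashed value."""
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    print("pap-style check:", check_password("123", LDAP_USER_PASSWORD))   # True
    print("literal compare:", local_compare("123", LDAP_USER_PASSWORD))    # False
```

The same reasoning explains the debug line "User-Password in the request does NOT match "known good" password": the known-good value the Local path compared against was the {MD5} string itself, so the reject had nothing to do with the user's password being wrong once the shared secret was fixed.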

On 24 Mar 2016, 15:07 +0530, Benjamin Dupalut <benjamin.dupalut at esiee.fr> wrote:
> Hi,
>  
> Thank you for your replies.
>  
> I wrote "clientpassword" so I don't publish a private password in this
> public mail. I modified the clients.conf file to set the localhost
> client password to "testing123" and performed this new radtest:
>  
> root at freeradius:/etc/freeradius# radtest testfreeradius 123 127.0.0.1 0
> testing123
> Sending Access-Request of id 68 to 127.0.0.1 port 1812
> User-Name = "testfreeradius"
> User-Password = "123"
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 0
> Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=68,
> length=20
>  
> Here is the freeradius -X debug:
>  
> rad_recv: Access-Request packet from host 127.0.0.1 port 35730, id=68,
> length=84
> User-Name = "testfreeradius"
> User-Password = "123"
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 0
> Message-Authenticator = 0xb48c8d817ebe7b7ff9cfeeefa1de6b2e
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> [auth_log] expand: %{Packet-Src-IP-Address} ->127.0.0.1
> [auth_log] expand:
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> ->/var/log/freeradius/radacct/127.0.0.1/auth-detail-20160324
> [auth_log]
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20160324
> [auth_log] expand: %t ->Thu Mar 24 10:26:33 2016
> ++[auth_log] = ok
> ++[mschap] = noop
> [suffix] No '@' in User-Name = "testfreeradius", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] = noop
> ++[files] = noop
> ++group {
> [ldap_1] performing user authorization for testfreeradius
> [ldap_1] expand: %{Stripped-User-Name} -
> [ldap_1] ... expanding second conditional
> [ldap_1] expand: %{User-Name} ->testfreeradius
> [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
> (uid=testfreeradius)
> [ldap_1] expand: ou=Users,dc=esiee,dc=fr ->ou=Users,dc=esiee,dc=fr
> [ldap_1] ldap_get_conn: Checking Id: 0
> [ldap_1] ldap_get_conn: Got Id: 0
> [ldap_1] performing search in ou=Users,dc=esiee,dc=fr, with filter
> (uid=testfreeradius)
> [ldap_1] checking if remote access for testfreeradius is allowed by uid
> [ldap_1] No default NMAS login sequence
> [ldap_1] looking for check items in directory...
> [ldap_1] sambaNtPassword ->NT-Password ==
> 0x3344424445363937443731363930413736393230344245423132323833363738
> [ldap_1] sambaLmPassword ->LM-Password ==
> 0x4343463931353545334537444234353341414433423433354235313430344545
> [ldap_1] userPassword ->Cleartext-Password ==
> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> [ldap_1] userPassword ->Password-With-Header ==
> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> [ldap_1] sambaNtPassword ->NT-Password ==
> 0x3344424445363937443731363930413736393230344245423132323833363738
> [ldap_1] sambaLmPassword ->LM-Password ==
> 0x4343463931353545334537444234353341414433423433354235313430344545
> [ldap_1] looking for reply items in directory...
> [ldap_1] user testfreeradius authorized to use remote access
> [ldap_1] ldap_release_conn: Release Id: 0
> +++[ldap_1] = ok
> ++} # group = ok
> +} # group authorize = ok
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
> User-Password in the request does NOT match "known good" password.
> Failed to authenticate the user.
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group REJECT {
> [attr_filter.access_reject] expand: %{User-Name} ->testfreeradius
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 3 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 3
> Sending Access-Reject of id 68 to 127.0.0.1 port 35730
> Waking up in 4.9 seconds.
> Cleaning up request 3 ID 68 with timestamp +1377
> Ready to process requests.
>  
> Here is the client.conf file:
>  
> client 127.0.0.1 {
> secret = testing123
> shortname = localhost
> nastype = other # localhost isn't usually a NAS...
> }
>  
> Regards,
>  
> - -
>  
> Benjamin Dupalut
> System and network administrator
> Service des Moyens Informatiques Généraux (SMIG)
> ESIEE Paris
> 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
> T : +33 1 45 92 66 17
> benjamin.dupalut at esiee.fr
> www.esiee.fr / www.cci-paris-idf.fr
>  
> On 24/03/2016 05:45, Anirudh Malhotra wrote:
> > Yes, I think the shared secrets are not matching; that's why we see the unencrypted value of the user password as something else, and hence it fails to match the "known good" password.
> >  
> > BR,
> > Anirudh Malhotra
> > 8zero2
> > Mail: 8zero2.in at gmail.com
> > Facebook: www.facebook.com/8zero2
> > Twitter: @8zero2_in
> > Blog: blog.8zero2.in
> >  
> > On 24 Mar 2016, 00:00 +0530, Peter Lambrechtsen<peter at crypt.nz>, wrote:
> > > On Mar 24, 2016 6:11 AM, "Benjamin Dupalut" <benjamin.dupalut at esiee.fr> wrote:
> > > >  
> > > > Hi,
> > > >  
> > > > First of all, sorry for my bad English.
> > > >  
> > > > I have installed FreeRADIUS (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to
> > > authenticate users via our LDAP. I face an issue when I perform this
> > > radtest: radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"
> > >  
> > > In the default config the shared secret is testing123 rather than
> > > clientpassword.
> > >  
> > > >  
> > > > Here is the freeradius -X debug :
> > > >  
> > > >  
> > > > rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
> > > length=48
> > > > Sending duplicate reply to client localhost port 44928 - ID: 111
> > > > Sending Access-Reject of id 111 to 127.0.0.1 port 44928
> > > > Waking up in 2.9 seconds.
> > > > Cleaning up request 2 ID 111 with timestamp +114
> > > > Ready to process requests.
> > > > rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
> > > length=48
> > > > User-Name = "toto"
> > > > User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ"
> > >  
> > > This would be the cleartext password if your secret matched.
> > >  
> > > > server inner-tunnel {
> > > > # Executing section authorize from file
> > > /etc/freeradius/sites-enabled/inner-tunnel
> > > > +group authorize {
> > > > ++[mschap] = noop
> > > > [suffix] No '@' in User-Name = "toto", looking up realm NULL
> > > > [suffix] No such realm "NULL"
> > > > ++[suffix] = noop
> > > > ++update control {
> > > > ++} # update control = noop
> > > > [eap] No EAP-Message, not doing EAP
> > > > ++[eap] = noop
> > > > ++[files] = noop
> > > > ++group {
> > > > [ldap_1] performing user authorization for toto
> > > > [ldap_1] expand: %{Stripped-User-Name} -
> > > > [ldap_1] ... expanding second conditional
> > > > [ldap_1] expand: %{User-Name} ->toto
> > > > [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
> > > (uid=toto)
> > > > [ldap_1] expand: ou=Users,dc=XXXX,dc=fr ->ou=Users,dc=XXXX,dc=fr
> > > > [ldap_1] ldap_get_conn: Checking Id: 0
> > > > [ldap_1] ldap_get_conn: Got Id: 0
> > > > [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter
> > > (uid=toto)
> > > > [ldap_1] checking if remote access for toto is allowed by uid
> > > > [ldap_1] No default NMAS login sequence
> > > > [ldap_1] looking for check items in directory...
> > > > [ldap_1] sambaNtPassword ->NT-Password ==
> > > 0x3344424445363937443731363930413736393230344245423132323833363738
> > > > [ldap_1] sambaLmPassword ->LM-Password ==
> > > 0x4343463931353545334537444234353341414433423433354235313430344545
> > > > [ldap_1] userPassword ->Cleartext-Password ==
> > > "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> > > > [ldap_1] userPassword ->Password-With-Header ==
> > > "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> > > > [ldap_1] sambaNtPassword ->NT-Password ==
> > > 0x3344424445363937443731363930413736393230344245423132323833363738
> > > > [ldap_1] sambaLmPassword ->LM-Password ==
> > > 0x4343463931353545334537444234353341414433423433354235313430344545
> > > > [ldap_1] looking for reply items in directory...
> > > > [ldap_1] user toto authorized to use remote access
> > > > [ldap_1] ldap_release_conn: Release Id: 0
> > > > +++[ldap_1] = ok
> > > > ++} # group = ok
> > > > ++[expiration] = noop
> > > > ++[logintime] = noop
> > > > +} # group authorize = ok
> > > > WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> > > > WARNING: Use the PAP or CHAP modules instead.
> > > > User-Password in the request does NOT match "known good" password.
> > > > Failed to authenticate the user.
> > > > WARNING: Unprintable characters in the password. Double-check the
> > > shared secret on the server and the NAS!
> > > > } # server inner-tunnel
> > > > Using Post-Auth-Type REJECT
> > > > # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> > > > +group REJECT {
> > > > [attr_filter.access_reject] expand: %{User-Name} ->toto
> > > > attr_filter: Matched entry DEFAULT at line 11
> > > > ++[attr_filter.access_reject] = updated
> > > > +} # group REJECT = updated
> > > > Delaying reject of request 3 for 1 seconds
> > > > Going to the next request
> > > > Waking up in 0.9 seconds.
> > > > Sending delayed reject for request 3
> > > > Sending Access-Reject of id 111 to 127.0.0.1 port 44928
> > > > Waking up in 4.9 seconds.
> > > > Cleaning up request 3 ID 111 with timestamp +120
> > > > Ready to process requests.
> > > >  
> > > >  
> > > > The user and client passwords are correct and I don't understand the
> > > following errors:
> > > >  
> > > > WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> > > > WARNING: Use the PAP or CHAP modules instead.
> > > > User-Password in the request does NOT match "known good" password.
> > > > Failed to authenticate the user.
> > > > WARNING: Unprintable characters in the password. Double-check the
> > > shared secret on the server and the NAS!
> > > >  
> > > >  
> > > > Thank you for your replies.
> > > >  
> > > > Regards,
> > > >  
> > > > - -
> > > >  
> > > > Benjamin Dupalut
> > > > System and network administrator
> > > > Service des Moyens Informatiques Généraux (SMIG)
> > > > ESIEE Paris
> > > > 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
> > > > T : +33 1 45 92 66 17
> > > > benjamin.dupalut at esiee.fr
> > > > www.esiee.fr / www.cci-paris-idf.fr
> > > >  
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
>  
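The shared-secret point made by Peter Lambrechtsen and Anirudh Malhotra in the quoted messages (a wrong secret makes the decoded User-Password come out as unprintable bytes, so it can never match the known-good password) follows from how RADIUS hides a PAP password on the wire. The Python below is an added example, not FreeRADIUS or radtest code: it implements the User-Password hiding from RFC 2865 section 5.2 and shows that only the secret used by the client recovers the password. The secrets and the Request Authenticator are constructed for the example; the function names are this example's own.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: str, secret: str, authenticator: bytes) -> bytes:
    """Hide a PAP password as the User-Password attribute value (RFC 2865 s5.2).
    The password is NUL-padded to a multiple of 16 bytes; chunk i is XORed
    with MD5(secret || previous ciphertext chunk), where the 'previous chunk'
    for the first block is the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    plain = password.encode()
    if not 1 <= len(plain) <= 128:
        raise ValueError("RADIUS passwords are 1..128 bytes")
    plain += b"\x00" * (-len(plain) % 16)
    key, prev, hidden = secret.encode(), authenticator, b""
    for i in range(0, len(plain), 16):
        chunk = _xor(plain[i:i + 16], hashlib.md5(key + prev).digest())
        hidden += chunk
        prev = chunk
    return hidden


def reveal_user_password(hidden: bytes, secret: str, authenticator: bytes) -> bytes:
    """Reverse the hiding. With the wrong secret the MD5 key stream differs,
    so the result is pseudo-random bytes: that is what FreeRADIUS reports
    as 'Unprintable characters in the password'."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    key, prev, plain = secret.encode(), authenticator, b""
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        plain += _xor(chunk, hashlib.md5(key + prev).digest())
        prev = chunk
    return plain.rstrip(b"\x00")


def has_unprintable(revealed: bytes) -> bool:
    """The check a server can apply to flag a probable secret mismatch:
    a genuine PAP password decodes to printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in revealed)


if __name__ == "__main__":
    # Constructed for the example: a real client picks a random authenticator per request.
    authenticator = os.urandom(16)
    on_the_wire = hide_user_password("123", "testing123", authenticator)
    # The server tries to decode with its configured secret; the second value
    # stands in for the mismatched "clientpassword" from the original question.
    for server_secret in ("testing123", "clientpassword"):
        got = reveal_user_password(on_the_wire, server_secret, authenticator)
        print(f"secret={server_secret!r:18} decoded={got!r} unprintable={has_unprintable(got)}")
```

Two things worth keeping in mind from this: the hiding is an MD5-based obfuscation keyed only by the shared secret, not authenticated encryption, so a weak secret or a RADIUS path over an untrusted network is a confidentiality problem independent of the misconfiguration discussed here; and because a wrong secret does not produce a protocol error, a run of "Unprintable characters in the password" warnings from one NAS is the signal to check that client's entry in clients.conf before touching the LDAP side.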

