Freeradius/LDAP Authentication issue
Benjamin Dupalut
benjamin.dupalut at esiee.fr
Thu Mar 24 11:43:33 CET 2016
Unless I made a mistake, it should already be set. See my "inner-tunnel":
server inner-tunnel {
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}
authorize {
mschap
suffix
update control {
Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
files
group {
ldap_1
}
expiration
logintime
}
authenticate {
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
session {
radutmp
}
post-auth {
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
} # inner-tunnel server block
In my previous radtest, I didn't set the port to 18120. Here are the new
radtest and freeradius -X output:
root at freeradius:/etc/freeradius/sites-enabled# radtest testfreeradius 123 127.0.0.1:18120 0 testing123
Sending Access-Request of id 243 to 127.0.0.1 port 18120
User-Name = "testfreeradius"
User-Password = "123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 18120, id=243,
length=20
rad_recv: Access-Request packet from host 127.0.0.1 port 50017, id=243,
length=84
User-Name = "testfreeradius"
User-Password = "123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x7575a48753b9ab51dcbed43d84c4e5ee
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[mschap] = noop
[suffix] No '@' in User-Name = "testfreeradius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
++group {
[ldap_1] performing user authorization for testfreeradius
[ldap_1] expand: %{Stripped-User-Name} ->
[ldap_1] ... expanding second conditional
[ldap_1] expand: %{User-Name} -> testfreeradius
[ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testfreeradius)
[ldap_1] expand: ou=Users,dc=esiee,dc=fr -> ou=Users,dc=esiee,dc=fr
[ldap_1] ldap_get_conn: Checking Id: 0
[ldap_1] ldap_get_conn: Got Id: 0
[ldap_1] performing search in ou=Users,dc=esiee,dc=fr, with filter
(uid=testfreeradius)
[ldap_1] checking if remote access for testfreeradius is allowed by uid
[ldap_1] No default NMAS login sequence
[ldap_1] looking for check items in directory...
[ldap_1] sambaNtPassword -> NT-Password ==
0x3344424445363937443731363930413736393230344245423132323833363738
[ldap_1] sambaLmPassword -> LM-Password ==
0x4343463931353545334537444234353341414433423433354235313430344545
[ldap_1] userPassword -> Cleartext-Password ==
"{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
[ldap_1] userPassword -> Password-With-Header ==
"{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
[ldap_1] sambaNtPassword -> NT-Password ==
0x3344424445363937443731363930413736393230344245423132323833363738
[ldap_1] sambaLmPassword -> LM-Password ==
0x4343463931353545334537444234353341414433423433354235313430344545
[ldap_1] looking for reply items in directory...
[ldap_1] user testfreeradius authorized to use remote access
[ldap_1] ldap_release_conn: Release Id: 0
+++[ldap_1] = ok
++} # group = ok
++[expiration] = noop
++[logintime] = noop
+} # group authorize = ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.
} # server inner-tunnel
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> testfreeradius
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 243 to 127.0.0.1 port 50017
Waking up in 4.9 seconds.
Cleaning up request 6 ID 243 with timestamp +6068
Ready to process requests.
Regards,
- -
Benjamin Dupalut
System and network administrator
Service des Moyens Informatiques Généraux (SMIG)
ESIEE Paris
2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
T : +33 1 45 92 66 17
benjamin.dupalut at esiee.fr
www.esiee.fr / www.cci-paris-idf.fr
On 24/03/2016 10:58, Anirudh Malhotra wrote:
> Set the auth type to PAP or LDAP.
> Put pap at the end of the authorize section.
>
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>
> BR,
> Anirudh Malhotra
> 8zero2
> Mail: 8zero2.in at gmail.com
> Facebook: www.facebook.com/8zero2
> Twitter: @8zero2_in
> Blog: blog.8zero2.in
>
> On 24 Mar 2016, 15:07 +0530, Benjamin Dupalut<benjamin.dupalut at esiee.fr>, wrote:
>> Hi,
>>
>> Thank you for your replies.
>>
>> I wrote "clientpassword" so I don't publish a private password in this
>> public mail. I modified the clients.conf file to set the localhost
>> client password to "testing123" and performed this new radtest:
>>
>> root at freeradius:/etc/freeradius# radtest testfreeradius 123 127.0.0.1 0 testing123
>> Sending Access-Request of id 68 to 127.0.0.1 port 1812
>> User-Name = "testfreeradius"
>> User-Password = "123"
>> NAS-IP-Address = 127.0.1.1
>> NAS-Port = 0
>> Message-Authenticator = 0x00000000000000000000000000000000
>> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=68,
>> length=20
>>
>> Here is the freeradius -X debug output:
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 35730, id=68,
>> length=84
>> User-Name = "testfreeradius"
>> User-Password = "123"
>> NAS-IP-Address = 127.0.1.1
>> NAS-Port = 0
>> Message-Authenticator = 0xb48c8d817ebe7b7ff9cfeeefa1de6b2e
>> # Executing section authorize from file
>> /etc/freeradius/sites-enabled/default
>> +group authorize {
>> ++[preprocess] = ok
>> [auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1
>> [auth_log] expand:
>> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20160324
>> [auth_log]
>> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
>> expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20160324
>> [auth_log] expand: %t -> Thu Mar 24 10:26:33 2016
>> ++[auth_log] = ok
>> ++[mschap] = noop
>> [suffix] No '@' in User-Name = "testfreeradius", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] = noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] = noop
>> ++[files] = noop
>> ++group {
>> [ldap_1] performing user authorization for testfreeradius
>> [ldap_1] expand: %{Stripped-User-Name} ->
>> [ldap_1] ... expanding second conditional
>> [ldap_1] expand: %{User-Name} -> testfreeradius
>> [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
>> (uid=testfreeradius)
>> [ldap_1] expand: ou=Users,dc=esiee,dc=fr -> ou=Users,dc=esiee,dc=fr
>> [ldap_1] ldap_get_conn: Checking Id: 0
>> [ldap_1] ldap_get_conn: Got Id: 0
>> [ldap_1] performing search in ou=Users,dc=esiee,dc=fr, with filter
>> (uid=testfreeradius)
>> [ldap_1] checking if remote access for testfreeradius is allowed by uid
>> [ldap_1] No default NMAS login sequence
>> [ldap_1] looking for check items in directory...
>> [ldap_1] sambaNtPassword -> NT-Password ==
>> 0x3344424445363937443731363930413736393230344245423132323833363738
>> [ldap_1] sambaLmPassword -> LM-Password ==
>> 0x4343463931353545334537444234353341414433423433354235313430344545
>> [ldap_1] userPassword -> Cleartext-Password ==
>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>> [ldap_1] userPassword -> Password-With-Header ==
>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>> [ldap_1] sambaNtPassword -> NT-Password ==
>> 0x3344424445363937443731363930413736393230344245423132323833363738
>> [ldap_1] sambaLmPassword -> LM-Password ==
>> 0x4343463931353545334537444234353341414433423433354235313430344545
>> [ldap_1] looking for reply items in directory...
>> [ldap_1] user testfreeradius authorized to use remote access
>> [ldap_1] ldap_release_conn: Release Id: 0
>> +++[ldap_1] = ok
>> ++} # group = ok
>> +} # group authorize = ok
>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>> WARNING: Use the PAP or CHAP modules instead.
>> User-Password in the request does NOT match "known good" password.
>> Failed to authenticate the user.
>> Using Post-Auth-Type REJECT
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +group REJECT {
>> [attr_filter.access_reject] expand: %{User-Name} -> testfreeradius
>> attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] = updated
>> +} # group REJECT = updated
>> Delaying reject of request 3 for 1 seconds
>> Going to the next request
>> Waking up in 0.9 seconds.
>> Sending delayed reject for request 3
>> Sending Access-Reject of id 68 to 127.0.0.1 port 35730
>> Waking up in 4.9 seconds.
>> Cleaning up request 3 ID 68 with timestamp +1377
>> Ready to process requests.
>>
>> Here is the client.conf file:
>>
>> client 127.0.0.1 {
>> secret = testing123
>> shortname = localhost
>> nastype = other # localhost isn't usually a NAS...
>> }
>>
>> Regards,
>>
>> - -
>>
>> Benjamin Dupalut
>> System and network administrator
>> Service des Moyens Informatiques Généraux (SMIG)
>> ESIEE Paris
>> 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
>> T : +33 1 45 92 66 17
>> benjamin.dupalut at esiee.fr
>> www.esiee.fr / www.cci-paris-idf.fr
>>
>> On 24/03/2016 05:45, Anirudh Malhotra wrote:
>>> Yes, I think the shared secrets are not matching; that's why we see the unencrypted value of the user password as something else, and hence it fails to match the "known good" password.
>>>
>>> BR,
>>> Anirudh Malhotra
>>> 8zero2
>>> Mail: 8zero2.in at gmail.com
>>> Facebook: www.facebook.com/8zero2
>>> Twitter: @8zero2_in
>>> Blog: blog.8zero2.in
>>>
>>> On 24 Mar 2016, 00:00 +0530, Peter Lambrechtsen<peter at crypt.nz>, wrote:
>>>> On Mar 24, 2016 6:11 AM, "Benjamin Dupalut" <benjamin.dupalut at esiee.fr> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> First of all, sorry for my bad English.
>>>>>
>>>>> I have installed FreeRADIUS (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to
>>>>> authenticate users via our LDAP. I face an issue when I perform this
>>>>> radtest: radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"
>>>>
>>>> In the default config the shared secret is testing123 rather than
>>>> clientpassword.
>>>>
>>>>>
>>>>> Here is the freeradius -X debug :
>>>>>
>>>>>
>>>>> rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
>>>>> length=48
>>>>> Sending duplicate reply to client localhost port 44928 - ID: 111
>>>>> Sending Access-Reject of id 111 to 127.0.0.1 port 44928
>>>>> Waking up in 2.9 seconds.
>>>>> Cleaning up request 2 ID 111 with timestamp +114
>>>>> Ready to process requests.
>>>>> rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111,
>>>>> length=48
>>>>> User-Name = "toto"
>>>>> User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ"
>>>>
>>>> This would be the cleartext password if your secret matched.
>>>>
>>>>> server inner-tunnel {
>>>>> # Executing section authorize from file
>>>>> /etc/freeradius/sites-enabled/inner-tunnel
>>>>> +group authorize {
>>>>> ++[mschap] = noop
>>>>> [suffix] No '@' in User-Name = "toto", looking up realm NULL
>>>>> [suffix] No such realm "NULL"
>>>>> ++[suffix] = noop
>>>>> ++update control {
>>>>> ++} # update control = noop
>>>>> [eap] No EAP-Message, not doing EAP
>>>>> ++[eap] = noop
>>>>> ++[files] = noop
>>>>> ++group {
>>>>> [ldap_1] performing user authorization for toto
>>>>> [ldap_1] expand: %{Stripped-User-Name} ->
>>>>> [ldap_1] ... expanding second conditional
>>>>> [ldap_1] expand: %{User-Name} -> toto
>>>>> [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
>>>>> (uid=toto)
>>>>> [ldap_1] expand: ou=Users,dc=XXXX,dc=fr -> ou=Users,dc=XXXX,dc=fr
>>>>> [ldap_1] ldap_get_conn: Checking Id: 0
>>>>> [ldap_1] ldap_get_conn: Got Id: 0
>>>>> [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter
>>>>> (uid=toto)
>>>>> [ldap_1] checking if remote access for toto is allowed by uid
>>>>> [ldap_1] No default NMAS login sequence
>>>>> [ldap_1] looking for check items in directory...
>>>>> [ldap_1] sambaNtPassword -> NT-Password ==
>>>>> 0x3344424445363937443731363930413736393230344245423132323833363738
>>>>> [ldap_1] sambaLmPassword -> LM-Password ==
>>>>> 0x4343463931353545334537444234353341414433423433354235313430344545
>>>>> [ldap_1] userPassword -> Cleartext-Password ==
>>>>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>>>>> [ldap_1] userPassword -> Password-With-Header ==
>>>>> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
>>>>> [ldap_1] sambaNtPassword -> NT-Password ==
>>>>> 0x3344424445363937443731363930413736393230344245423132323833363738
>>>>> [ldap_1] sambaLmPassword -> LM-Password ==
>>>>> 0x4343463931353545334537444234353341414433423433354235313430344545
>>>>> [ldap_1] looking for reply items in directory...
>>>>> [ldap_1] user toto authorized to use remote access
>>>>> [ldap_1] ldap_release_conn: Release Id: 0
>>>>> +++[ldap_1] = ok
>>>>> ++} # group = ok
>>>>> ++[expiration] = noop
>>>>> ++[logintime] = noop
>>>>> +} # group authorize = ok
>>>>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>>>>> WARNING: Use the PAP or CHAP modules instead.
>>>>> User-Password in the request does NOT match "known good" password.
>>>>> Failed to authenticate the user.
>>>>> WARNING: Unprintable characters in the password. Double-check the
>>>>> shared secret on the server and the NAS!
>>>>> } # server inner-tunnel
>>>>> Using Post-Auth-Type REJECT
>>>>> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
>>>>> +group REJECT {
>>>>> [attr_filter.access_reject] expand: %{User-Name} -> toto
>>>>> attr_filter: Matched entry DEFAULT at line 11
>>>>> ++[attr_filter.access_reject] = updated
>>>>> +} # group REJECT = updated
>>>>> Delaying reject of request 3 for 1 seconds
>>>>> Going to the next request
>>>>> Waking up in 0.9 seconds.
>>>>> Sending delayed reject for request 3
>>>>> Sending Access-Reject of id 111 to 127.0.0.1 port 44928
>>>>> Waking up in 4.9 seconds.
>>>>> Cleaning up request 3 ID 111 with timestamp +120
>>>>> Ready to process requests.
>>>>>
>>>>>
>>>>> The user and client passwords are correct and I don't understand the
>>>>> following errors:
>>>>>
>>>>> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
>>>>> WARNING: Use the PAP or CHAP modules instead.
>>>>> User-Password in the request does NOT match "known good" password.
>>>>> Failed to authenticate the user.
>>>>> WARNING: Unprintable characters in the password. Double-check the
>>>>> shared secret on the server and the NAS!
>>>>>
>>>>>
>>>>> Thank you for your replies.
>>>>>
>>>>> Regards,
>>>>>
>>>>> - -
>>>>>
>>>>> Benjamin Dupalut
>>>>> System and network administrator
>>>>> Service des Moyens Informatiques Généraux (SMIG)
>>>>> ESIEE Paris
>>>>> 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
>>>>> T : +33 1 45 92 66 17
>>>>> benjamin.dupalut at esiee.fr
>>>>> www.esiee.fr / www.cci-paris-idf.fr
>>>>>
>>>>> -
>>>>> List info/subscribe/unsubscribe? See
>>>>> http://www.freeradius.org/list/users.html
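Added note and example from the editor of this page (not from the thread participants and not from the FreeRADIUS project's own files): the debug output above explains the reject. ldap_1 finds the user and loads the directory's userPassword as a "known good" password, but no module in the inner-tunnel authorize section quoted at the top of this message sets Auth-Type, so the server falls into the legacy "Auth-Type = Local" comparison (that is what the two WARNING lines refer to) and compares the clear-text "123" from the request with the literal string "{MD5}ICy5YqxZB1uWSwcVLSNLcA==", which can only fail. The {MD5} value in the log is exactly the base64 MD5 digest of "123", so the directory entry itself is fine; what is missing is the pap module, as the first reply suggested. The fragment below is the inner-tunnel from the top of this message with the two additions that address this: pap listed last in authorize (after ldap_1, so it sees the password attributes ldap_1 loaded, sets Auth-Type := PAP and normalises the {MD5} header), and an Auth-Type PAP block in authenticate. The other sections of the virtual server are unchanged and left out.

```text
server inner-tunnel {
	# listen section unchanged

	authorize {
		mschap
		suffix
		update control {
			Proxy-To-Realm := LOCAL
		}
		eap {
			ok = return
		}
		files
		group {
			ldap_1
		}
		expiration
		logintime
		pap		# added: must come after ldap_1 so it sees the loaded password
	}

	authenticate {
		Auth-Type PAP {
			pap	# added: compares the request password with the {MD5} digest
		}
		Auth-Type CHAP {
			chap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		unix
		eap
	}

	# session, post-auth, pre-proxy and post-proxy sections unchanged
}
```

Checks a practitioner would want after this change: re-run the radtest against 127.0.0.1:18120 with the matching secret and confirm in freeradius -X that the authorize section now ends with a [pap] line and that the "Auth-Type = Local" warnings are gone. The log also shows ldap_1 producing both a Cleartext-Password and a Password-With-Header copy of the same "{MD5}..." string (in 2.x the former comes from the ldap module's password_attribute setting, the latter from ldap.attrmap); if authentication still fails on the clear-text comparison after adding pap, either drop the Cleartext-Password mapping or set auto_header = yes in the pap module so the "{MD5}" header is parsed in that attribute as well. Finally, this debug output prints the directory's password hashes (unsalted {MD5}, NT and LM) in the clear; {MD5} and LM in particular are cheap to crack offline, so -X output pasted to a public list should be treated as sensitive.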
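A second added example (editor's code in Python, not from the thread or from FreeRADIUS) for the two mechanisms this thread turns on: the RFC 2865 User-Password hiding that made the first post's password show up as unprintable bytes when the client secret ("clientpassword") did not match the server's ("testing123"), and the {MD5} comparison the pap module performs against the directory's Password-With-Header. The Request Authenticator is a constructed constant so the run is reproducible (a real client draws 16 random bytes per packet), and the printability check is an illustrative approximation of the test behind FreeRADIUS's "Unprintable characters in the password" warning, not the server's own code.

```python
# Added example (editor's code, not from the thread or from FreeRADIUS):
# RFC 2865 section 5.2 User-Password hiding, the effect of a shared-secret
# mismatch, and the {MD5} "known good" comparison done by the pap module.
import base64
import hashlib

BLOCK = 16  # RADIUS hides User-Password in 16-byte blocks


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: pad with NULs to a multiple of 16, then XOR each block with
    MD5(secret + previous block); the first 'previous block' is the packet's
    16-byte Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream from *its* copy of the secret
    and XOR it off; trailing NUL padding is stripped. With a different secret
    the keystream differs and the result is 16 bytes of garbage."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        plain += bytes(h ^ m for h, m in zip(block, mask))
        prev = block  # chaining uses the ciphertext block, so no plaintext needed
    return bytes(plain).rstrip(b"\x00")


def has_unprintable(password: bytes) -> bool:
    """Approximation (assumption, not FreeRADIUS's code) of the check behind the
    'Unprintable characters in the password' warning: any byte outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in password)


def md5_header_matches(known_good: str, candidate: bytes) -> bool:
    """What pap does with a Password-With-Header of the form "{MD5}<base64 digest>":
    decode the digest and compare it with MD5 of the request password. The legacy
    Auth-Type Local path compares the literal string instead, which is why "123"
    never matches "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" until pap is in the picture."""
    prefix = "{MD5}"
    if not known_good.startswith(prefix):
        raise ValueError("this example only handles the {MD5} header")
    stored = base64.b64decode(known_good[len(prefix):])
    if len(stored) != 16:
        raise ValueError("{MD5} body must decode to a 16-byte digest")
    return hashlib.md5(candidate).digest() == stored


def simulate_exchange(client_secret: bytes, server_secret: bytes,
                      password: bytes = b"123") -> bytes:
    """radtest-style round trip: the client hides the password with its secret,
    the server reveals it with its own. Returns what the server believes the
    User-Password is. The authenticator is a constructed constant for reproducibility."""
    authenticator = bytes(range(BLOCK))
    hidden = hide_user_password(password, client_secret, authenticator)
    return reveal_user_password(hidden, server_secret, authenticator)


if __name__ == "__main__":
    # Secrets match (second and third radtest in the thread): the server sees "123"
    # and the {MD5} check item loaded from the directory matches it.
    good = simulate_exchange(b"testing123", b"testing123")
    print("matching secret   ->", good, "unprintable:", has_unprintable(good))
    print("{MD5} check via pap:", md5_header_matches("{MD5}ICy5YqxZB1uWSwcVLSNLcA==", good))
    # Secrets differ (first radtest, "clientpassword" vs "testing123"): the
    # server derives a different keystream and sees garbage, as in the first post.
    bad = simulate_exchange(b"clientpassword", b"testing123")
    print("mismatched secret ->", bad, "unprintable:", has_unprintable(bad))
```

Running it shows the matching-secret case recovering "123" and passing the {MD5} check, and the mismatched-secret case producing an unrelated byte string, which is the situation the first reply in this thread diagnosed.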