Freeradius3 with PEAP and LDAP
Carsten Schulze
carsten.schulze at leuphana.de
Tue Aug 28 10:11:52 CEST 2018
Hi,
I am trying to convert our freeradius2 setup to a new freeradius3 configuration.
A setup with TTLS + PAP is working, but when I switch to PEAP I get
the following output.
Any idea, or a howto with an LDAP provider with NT hashes?
radiusd: FreeRADIUS Version 3.0.12, for host x86_64-pc-linux-gnu, built on Aug 10 2017 at 07:05:06
(10) redundant {
rlm_ldap (server1): 0 of 0 connections in use. You may need to increase "spare"
rlm_ldap (server1): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (server1): Connecting to ldap://ldap1.DOMAIN:389
rlm_ldap (server1): Waiting for bind result...
rlm_ldap (server1): Bind successful
rlm_ldap (server1): Reserved connection (0)
(10) server1: EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(radiusaccessattribute=EDUROAM))
(10) server1: --> (&(uid=whans)(radiusaccessattribute=EDUROAM))
(10) server1: Performing search in "ou=user,DOMAIN" with filter "(&(uid=whans)(radiusaccessattribute=EDUROAM))", scope "sub"
(10) server1: Waiting for search result...
(10) server1: User object found at DN "uid=whans,ou=W,ou=Mitarbeiter,ou=User,DOMAIN"
(10) server1: Processing user attributes
(10) server1: control:NT-Password := 0x3144364643424433303630373744363633453233373735453535423346324535
rlm_ldap (server1): Released connection (0)
rlm_ldap (server1): Need 2 more connections to reach 10 spares
rlm_ldap (server1): Opening additional connection (1), 1 of 31 pending slots used
rlm_ldap (server1): Connecting to ldap://ldap1.leuphana.de:389
rlm_ldap (server1): Waiting for bind result...
rlm_ldap (server1): Bind successful
(10) [server1] = updated
(10) } # redundant = updated
(10) [mschap] = noop
(10) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(10) pap: No User-Password attribute in the request. Cannot do PAP
(10) [pap] = noop
(10) } # authorize = updated
(10) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject
Regards
Carsten