Cannot connect with EAP-TTLS + MS-CHAPv2. If you'd kindly teach me.
Alan DeKok
aland at deployingradius.com
Tue Aug 13 04:16:27 CEST 2019
On Aug 12, 2019, at 9:31 PM, Yuya Yanagi <peacefull64 at gmail.com> wrote:
> We are migrating from FreeRADIUS v2 to FreeRADIUS v3. The settings
> will carry over the previous contents, and the Wi-Fi authentication
> method will not change from EAP-TTLS + MS-CHAPv2.
> This is a specification and customer request.
OK.
> In the FreeRADIUS v2 environment, you can connect with EAP-TTLS +
> MS-CHAPv2. In FreeRADIUS v3, you can connect with EAP-TTLS + PAP, but
> you cannot connect with MS-CHAPv2.
It should be possible with mostly the same configuration.
> There is no AD in this environment, everything is done with LDAP, and
> the password is stored in LDAP as an NT hash. The mapping has the following
> two entries. (The LDAP server is OpenLDAP.)
>
> control:NT-Password := 'sambaNtPassword'
> control:User-Password := 'sambaNtPassword'
Are those attributes found in LDAP?
> In the authentication section I am trying to reference LDAP with Auth-Type LDAP.
> The following error occurs and there is no inquiry.
>
> (6) ldap_regularusers: WARNING: You have set "Auth-Type := LDAP" somewhere
> (6) ldap_regularusers: WARNING: *********************************************
> (6) ldap_regularusers: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT.
> (6) ldap_regularusers: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING
> (6) ldap_regularusers: WARNING: *********************************************
> (6) ldap_regularusers: ERROR: Attribute "User-Password" is required
> for authentication
That seems pretty clear. Don't set "Auth-Type := LDAP". It's not needed.
> (6) server inner-tunnel {
> (6) session-state: No cached attributes
> (6) # Executing section authorize from file
> /etc/raddb/sites-enabled/inner-tunnel
> (6) authorize {
> (6) policy rewrite_called_station_id {
> (6) if (&Called-Station-Id && (&Called-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
> {
> (6) if (&Called-Station-Id && (&Called-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
> -> FALSE
> (6) else {
> (6) [noop] = noop
> (6) } # else = noop
> (6) } # policy rewrite_called_station_id = noop
> (6) [mschap] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "yanagi", looking up realm NULL
> (6) suffix: Found realm "NULL"
> (6) suffix: Adding Stripped-User-Name = "yanagi"
> (6) suffix: Adding Realm = "NULL"
> (6) suffix: Authentication realm is LOCAL
> (6) [suffix] = ok
> (6) eap: Peer sent EAP Response (code 2) ID 8 length 65
> (6) eap: No EAP Start, assuming it's an on-going EAP conversation
> (6) [eap] = updated
> (6) if (&outer.request:NAS-IP-Address =~
> /^192\.168\.10\.1[2]{1}$/ || &outer.request:NAS-IP-Address ==
> "192.168.200.240" || &outer.request:NAS-IP-Address == "localhost") {
> (6) if (&outer.request:NAS-IP-Address =~
> /^192\.168\.10\.1[2]{1}$/ || &outer.request:NAS-IP-Address ==
> "192.168.200.240" || &outer.request:NAS-IP-Address == "localhost") ->
> TRUE
> (6) if (&outer.request:NAS-IP-Address =~
> /^192\.168\.10\.1[2]{1}$/ || &outer.request:NAS-IP-Address ==
> "192.168.200.240" || &outer.request:NAS-IP-Address == "localhost") {
> (6) if (&outer.request:Called-Station-SSID == 'BLUE') {
> (6) if (&outer.request:Called-Station-SSID == 'BLUE') -> TRUE
> (6) if (&outer.request:Called-Station-SSID == 'BLUE') {
> rlm_ldap (ldap_regularusers): Closing connection (0): Hit
> idle_timeout, was idle for 294 seconds
> rlm_ldap (ldap_regularusers): You probably need to lower "min"
> rlm_ldap (ldap_regularusers): Closing connection (1): Hit
> idle_timeout, was idle for 294 seconds
> rlm_ldap (ldap_regularusers): You probably need to lower "min"
> rlm_ldap (ldap_regularusers): Closing connection (2): Hit
> idle_timeout, was idle for 294 seconds
> rlm_ldap (ldap_regularusers): You probably need to lower "min"
> rlm_ldap (ldap_regularusers): Closing connection (3): Hit
> idle_timeout, was idle for 293 seconds
> rlm_ldap (ldap_regularusers): You probably need to lower "min"
> rlm_ldap (ldap_regularusers): Closing connection (4): Hit
> idle_timeout, was idle for 293 seconds
> rlm_ldap (ldap_regularusers): You probably need to lower "min"
> rlm_ldap (ldap_regularusers): 0 of 0 connections in use. You may
> need to increase "spare"
> rlm_ldap (ldap_regularusers): Opening additional connection (5), 1 of
> 10 pending slots used
> rlm_ldap (ldap_regularusers): Connecting to ldap://tyg-ldap-01:636
> rlm_ldap (ldap_regularusers): Waiting for bind result...
> rlm_ldap (ldap_regularusers): Bind successful
> rlm_ldap (ldap_regularusers): Reserved connection (5)
> (6) ldap_regularusers: EXPAND
> (&(!(employeeType=participant))(!(employeeType=trainee))(!(hogePersonAccountStatus=03))(!(hogePersonAccountStatus=04))(uid=%{%{Stripped-User-Name}:-%{User-Name}}))
> (6) ldap_regularusers: -->
> (&(!(employeeType=participant))(!(employeeType=trainee))(!(hogePersonAccountStatus=03))(!(hogePersonAccountStatus=04))(uid=yanagi))
> (6) ldap_regularusers: Performing search in
> "ou=Users,dc=edu,dc=hoge,dc=ac,dc=jp" with filter
> "(&(!(employeeType=participant))(!(employeeType=trainee))(!(hogePersonAccountStatus=03))(!(hogePersonAccountStatus=04))(uid=yanagi))",
> scope "sub"
> (6) ldap_regularusers: Waiting for search result...
> (6) ldap_regularusers: User object found at DN
> "uid=yanagi,ou=Users,dc=edu,dc=hoge,dc=ac,dc=jp"
> (6) ldap_regularusers: Processing user attributes
> (6) ldap_regularusers: control:NT-Password :=
> 0x4243353030433041363439353842434531393638383936303344464645343530
That's the NT password. If you just leave things alone, it will work.
> (6) ldap_regularusers: control:Password-With-Header :=
> '{SSHA256}Q1iLz8Pc/mkXU/hniRsu3/rpWKOVdjAU/4t2iLynZqdIPFIYPW0elA=='
> rlm_ldap (ldap_regularusers): Released connection (5)
> Need 4 more connections to reach min connections (5)
> rlm_ldap (ldap_regularusers): Opening additional connection (6), 1 of
> 9 pending slots used
> rlm_ldap (ldap_regularusers): Connecting to ldap://tyg-ldap-01:636
> rlm_ldap (ldap_regularusers): Waiting for bind result...
> rlm_ldap (ldap_regularusers): Bind successful
> (6) [ldap_regularusers] = updated
> (6) update control {
> (6) &Auth-Type := LDAP
> (6) } # update control = noop
Don't do that. It's breaking the server.
Delete those lines from your configuration. The user should then be able to authenticate.
Alan DeKok.
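An added worked example (not part of the thread, and not FreeRADIUS code) showing why the advice above is sufficient: MS-CHAPv2 verification needs only the NT hash, which is MD4 over the UTF-16LE encoding of the password, so a control:NT-Password taken from sambaNTPassword is a usable "known good" credential. The salted {SSHA256} value that rlm_ldap maps into Password-With-Header is one-way and can only be checked by rlm_pap, which is consistent with EAP-TTLS + PAP working while MS-CHAPv2 does not once an LDAP bind is forced. The script reproduces the two forms an NT-Password can take (16 raw bytes, or the 32 hex characters that sambaNTPassword holds, which the debug output prints 0x-prefixed as an octets value), derives the hash from a candidate password so you can check offline that LDAP really holds the right value for a user, and verifies an {SSHA256} value the way a PAP check would. Assumptions: the pure-Python MD4 stands in for hashlib's md4 (which needs OpenSSL's legacy provider); the control dictionaries, the {SSHA256} test value and the "password" sample are constructed; all function names are mine, not rlm_mschap's or rlm_pap's.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's 'md4' depends on OpenSSL's legacy provider)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (list(range(16)), (3, 7, 11, 19), lambda x, y, z: (x & y) | (~x & z), 0),
        ([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13),
         lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999),
        ([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15),
         lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for order, shifts, f, k in rounds:
            for i in range(16):
                a = _rotl((a + f(b, c, d) + x[order[i]] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate registers: next step updates old d
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). sambaNTPassword stores it as 32 uppercase hex chars."""
    return md4(password.encode("utf-16-le"))


def normalise_nt_password(value: bytes) -> bytes:
    """Reduce the two accepted NT-Password forms (16 raw bytes, or 32 ASCII hex characters
    as seen in the debug output) to 16 raw bytes; anything else is a broken mapping."""
    if len(value) == 16:
        return value
    if len(value) == 32:
        return bytes.fromhex(value.decode("ascii"))
    raise ValueError("NT-Password must be 16 raw bytes or 32 hex characters, got %d bytes" % len(value))


def nt_password_matches(password: str, stored: bytes) -> bool:
    """Offline check that the hash held in LDAP really is the hash of this password."""
    return hmac.compare_digest(nt_hash(password), normalise_nt_password(stored))


def nt_hash_from_control(control: dict) -> Optional[bytes]:
    """What an MS-CHAPv2 check needs: a 16-byte NT hash. It can be used as-is from
    NT-Password or derived from a cleartext password; a salted one-way value such as
    {SSHA256} in Password-With-Header yields nothing, so MS-CHAPv2 cannot proceed."""
    if "NT-Password" in control:
        return normalise_nt_password(control["NT-Password"])
    if "Cleartext-Password" in control:
        return nt_hash(control["Cleartext-Password"])
    return None


def ssha256_make(password: str, salt: bytes) -> str:
    """{SSHA256} as OpenLDAP's pw-sha2 and rlm_pap use it: base64(SHA-256(password||salt)||salt)."""
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def ssha256_verify(password: str, stored: str) -> bool:
    """The PAP-side check: only possible because PAP delivers the cleartext password."""
    if not stored.startswith("{SSHA256}"):
        raise ValueError("not an {SSHA256} value")
    raw = base64.b64decode(stored[len("{SSHA256}"):])
    digest, salt = raw[:32], raw[32:]
    return hmac.compare_digest(hashlib.sha256(password.encode("utf-8") + salt).digest(), digest)


if __name__ == "__main__":
    # The NT-Password value exactly as the debug output above prints it (0x-prefixed octets).
    log_value = "0x4243353030433041363439353842434531393638383936303344464645343530"
    stored = bytes.fromhex(log_value[2:])
    print("sambaNTPassword as stored :", stored.decode("ascii"))
    print("NT hash, 16 raw bytes     :", normalise_nt_password(stored).hex())
    # Constructed sample account: which stored forms give MS-CHAPv2 something to work with.
    ssha = ssha256_make("password", b"\x01\x02\x03\x04\x05\x06\x07\x08")
    for name, control in (("NT hash only", {"NT-Password": b"8846F7EAEE8FB117AD06BDD830B7586C"}),
                          ("cleartext", {"Cleartext-Password": "password"}),
                          ("SSHA256 only", {"Password-With-Header": ssha})):
        usable = nt_hash_from_control(control)
        print("%-13s -> MS-CHAPv2 %s" % (name, "possible" if usable else "impossible (PAP only)"))
    print("stored hash matches 'password':", nt_password_matches("password", b"8846F7EAEE8FB117AD06BDD830B7586C"))
```

Run it with a candidate password and the user's sambaNTPassword value to confirm the directory holds the right hash before touching the server configuration; a mismatch there produces the same "MS-CHAPv2 fails, PAP works" symptom as the forced LDAP bind. Nothing in the script relies on the control:User-Password mapping in the quoted configuration, which puts the hex string of the hash where FreeRADIUS would expect a cleartext password.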