Cannot connect with EAP-TTLS + MS-CHAPv2. If you'd kindly teach me.

Yuya Yanagi peacefull64 at gmail.com
Tue Aug 13 04:25:00 CEST 2019


Hi Alan.

Thank you for answering!

>> There is no AD in this environment, everything is done with LDAP, and
>> the password is stored in LDAP with NT Hash. Mapping has the following
>> two mappings. (LDAP is OpenLDAP use )
>>
>> control:NT-Password         :=      'sambaNtPassword'
>> control:User-Password         :=      'sambaNtPassword'

> Are those attributes found in LDAP?

sambaNtPassword is an attribute in LDAP.

>> In the authentication section I am trying to reference LDAP with Auth-Type LDAP
>> The following error occurs and there is no inquiry.
>>
>> (6) ldap_regularusers: WARNING: You have set "Auth-Type := LDAP" somewhere
>> (6) ldap_regularusers: WARNING: *********************************************
>> (6) ldap_regularusers: WARNING: * THAT CONFIGURATION IS WRONG.  DELETE IT.
>> (6) ldap_regularusers: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING
>> (6) ldap_regularusers: WARNING: *********************************************
>> (6) ldap_regularusers: ERROR: Attribute "User-Password" is required
>> for authentication

> That seems pretty clear.  Don't set "Auth-Type := LDAP".  It's not needed.

Does that mean commenting out the Auth-Type LDAP part of the
authentication section?

On Tue, 13 Aug 2019 at 11:16, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Aug 12, 2019, at 9:31 PM, Yuya Yanagi <peacefull64 at gmail.com> wrote:
> > We are replacing from freeradius v2 to freeradius v3, the settings
> > will take over the previous contents, and the Wifi authentication
> > method will not change from EAP-TTLS + MS-CHAPv2
> > It is a specification and customer request.
>
>   OK.
>
> > In freeradius v2 environment, you can connect with EAP-TTLS +
> > MS-CHAPv2. In Freeradius v3, you can connect with EAP-TTLS + PAP, but
> > you cannot connect with MS-CHAPv2.
>
>   It should be possible with mostly the same configuration.
>
> > There is no AD in this environment, everything is done with LDAP, and
> > the password is stored in LDAP with NT Hash. Mapping has the following
> > two mappings. (LDAP is OpenLDAP use )
> >
> > control:NT-Password         :=      'sambaNtPassword'
> > control:User-Password         :=      'sambaNtPassword'
>
>   Are those attributes found in LDAP?
>
> > In the authentication section I am trying to reference LDAP with Auth-Type LDAP
> > The following error occurs and there is no inquiry.
> >
> > (6) ldap_regularusers: WARNING: You have set "Auth-Type := LDAP" somewhere
> > (6) ldap_regularusers: WARNING: *********************************************
> > (6) ldap_regularusers: WARNING: * THAT CONFIGURATION IS WRONG.  DELETE IT.
> > (6) ldap_regularusers: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING
> > (6) ldap_regularusers: WARNING: *********************************************
> > (6) ldap_regularusers: ERROR: Attribute "User-Password" is required
> > for authentication
>
>   That seems pretty clear.  Don't set "Auth-Type := LDAP".  It's not needed.
>
> > (6) server inner-tunnel {
> > (6)   session-state: No cached attributes
> > (6)   # Executing section authorize from file
> > /etc/raddb/sites-enabled/inner-tunnel
> > (6)     authorize {
> > (6)       policy rewrite_called_station_id {
> > (6)         if (&Called-Station-Id && (&Called-Station-Id =~
> > /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
> > {
> > (6)         if (&Called-Station-Id && (&Called-Station-Id =~
> > /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
> > -> FALSE
> > (6)         else {
> > (6)           [noop] = noop
> > (6)         } # else = noop
> > (6)       } # policy rewrite_called_station_id = noop
> > (6)       [mschap] = noop
> > (6) suffix: Checking for suffix after "@"
> > (6) suffix: No '@' in User-Name = "yanagi", looking up realm NULL
> > (6) suffix: Found realm "NULL"
> > (6) suffix: Adding Stripped-User-Name = "yanagi"
> > (6) suffix: Adding Realm = "NULL"
> > (6) suffix: Authentication realm is LOCAL
> > (6)       [suffix] = ok
> > (6) eap: Peer sent EAP Response (code 2) ID 8 length 65
> > (6) eap: No EAP Start, assuming it's an on-going EAP conversation
> > (6)       [eap] = updated
> > (6)       if (&outer.request:NAS-IP-Address =~
> > /^192\.168\.10\.1[2]{1}$/ || &outer.request:NAS-IP-Address ==
> > "192.168.200.240" || &outer.request:NAS-IP-Address == "localhost") {
> > (6)       if (&outer.request:NAS-IP-Address =~
> > /^192\.168\.10\.1[2]{1}$/ || &outer.request:NAS-IP-Address ==
> > "192.168.200.240" || &outer.request:NAS-IP-Address == "localhost")  ->
> > TRUE
> > (6)       if (&outer.request:NAS-IP-Address =~
> > /^192\.168\.10\.1[2]{1}$/ || &outer.request:NAS-IP-Address ==
> > "192.168.200.240" || &outer.request:NAS-IP-Address == "localhost")  {
> > (6)         if (&outer.request:Called-Station-SSID == 'BLUE')  {
> > (6)         if (&outer.request:Called-Station-SSID == 'BLUE')   -> TRUE
> > (6)         if (&outer.request:Called-Station-SSID == 'BLUE')   {
> > rlm_ldap (ldap_regularusers): Closing connection (0): Hit
> > idle_timeout, was idle for 294 seconds
> > rlm_ldap (ldap_regularusers): You probably need to lower "min"
> > rlm_ldap (ldap_regularusers): Closing connection (1): Hit
> > idle_timeout, was idle for 294 seconds
> > rlm_ldap (ldap_regularusers): You probably need to lower "min"
> > rlm_ldap (ldap_regularusers): Closing connection (2): Hit
> > idle_timeout, was idle for 294 seconds
> > rlm_ldap (ldap_regularusers): You probably need to lower "min"
> > rlm_ldap (ldap_regularusers): Closing connection (3): Hit
> > idle_timeout, was idle for 293 seconds
> > rlm_ldap (ldap_regularusers): You probably need to lower "min"
> > rlm_ldap (ldap_regularusers): Closing connection (4): Hit
> > idle_timeout, was idle for 293 seconds
> > rlm_ldap (ldap_regularusers): You probably need to lower "min"
> > rlm_ldap (ldap_regularusers): 0 of 0 connections in use.  You  may
> > need to increase "spare"
> > rlm_ldap (ldap_regularusers): Opening additional connection (5), 1 of
> > 10 pending slots used
> > rlm_ldap (ldap_regularusers): Connecting to ldap://tyg-ldap-01:636
> > rlm_ldap (ldap_regularusers): Waiting for bind result...
> > rlm_ldap (ldap_regularusers): Bind successful
> > rlm_ldap (ldap_regularusers): Reserved connection (5)
> > (6) ldap_regularusers: EXPAND
> > (&(!(employeeType=participant))(!(employeeType=trainee))(!(hogePersonAccountStatus=03))(!(hogePersonAccountStatus=04))(uid=%{%{Stripped-User-Name}:-%{User-Name}}))
> > (6) ldap_regularusers:    -->
> > (&(!(employeeType=participant))(!(employeeType=trainee))(!(hogePersonAccountStatus=03))(!(hogePersonAccountStatus=04))(uid=yanagi))
> > (6) ldap_regularusers: Performing search in
> > "ou=Users,dc=edu,dc=hoge,dc=ac,dc=jp" with filter
> > "(&(!(employeeType=participant))(!(employeeType=trainee))(!(hogePersonAccountStatus=03))(!(hogePersonAccountStatus=04))(uid=yanagi))",
> > scope "sub"
> > (6) ldap_regularusers: Waiting for search result...
> > (6) ldap_regularusers: User object found at DN
> > "uid=yanagi,ou=Users,dc=edu,dc=hoge,dc=ac,dc=jp"
> > (6) ldap_regularusers: Processing user attributes
> > (6) ldap_regularusers: control:NT-Password :=
> > 0x4243353030433041363439353842434531393638383936303344464645343530
>
>   That's the NT password.  If you just leave things alone, it will work.
>
> > (6) ldap_regularusers: control:Password-With-Header :=
> > '{SSHA256}Q1iLz8Pc/mkXU/hniRsu3/rpWKOVdjAU/4t2iLynZqdIPFIYPW0elA=='
> > rlm_ldap (ldap_regularusers): Released connection (5)
> > Need 4 more connections to reach min connections (5)
> > rlm_ldap (ldap_regularusers): Opening additional connection (6), 1 of
> > 9 pending slots used
> > rlm_ldap (ldap_regularusers): Connecting to ldap://tyg-ldap-01:636
> > rlm_ldap (ldap_regularusers): Waiting for bind result...
> > rlm_ldap (ldap_regularusers): Bind successful
> > (6)           [ldap_regularusers] = updated
> > (6)           update control {
> > (6)             &Auth-Type := LDAP
> > (6)           } # update control = noop
>
>   Don't do that.  It's breaking the server.
>
>   Delete those lines from your configuration.  The user should then be able to authenticate.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
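The thread turns on two facts: rlm_ldap already delivers the NT hash as control:NT-Password, and forcing Auth-Type := LDAP makes the server attempt an LDAP bind, which needs a cleartext User-Password, so the MS-CHAPv2 exchange never reaches rlm_mschap. The Python script below is an added example, not part of this thread and not FreeRADIUS code. It scans radiusd -X output for those two conditions, normalises the NT-Password value the way FreeRADIUS accepts it (16 raw bytes or the 32-character hex string held in sambaNtPassword, which the debugger prints as 0x-prefixed octets of the ASCII characters), and computes an NT hash from a cleartext password so a sambaNtPassword value for a known test account can be compared. The sample log lines and the test password are constructed; the module instance name ldap_regularusers is taken from the thread.

```python
"""Added example (not FreeRADIUS code): check radiusd -X output for what
EAP-TTLS + MS-CHAPv2 against an LDAP-stored NT hash needs, and compute an
NT hash so a sambaNtPassword value can be verified for a test account."""
import re
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable on OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, additive constant, shift pattern, word order)
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _lrot(a + func(b, c, d) + x[k] + const, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate register roles (ABCD -> DABC -> ...)
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as sambaNtPassword stores it: MD4 over the UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def normalise_nt_password(value: str):
    """Return the 16 raw hash bytes from an NT-Password value as printed by radiusd -X,
    or None if it cannot be a usable NT hash. Modelled on what FreeRADIUS accepts:
    16 raw octets, or the 32-character hex string that sambaNtPassword holds (shown
    by the debugger as 0x-prefixed octets of its ASCII characters)."""
    value = value.strip().strip("'\"")
    try:
        raw = bytes.fromhex(value[2:]) if value.startswith("0x") else value.encode("ascii")
        if len(raw) == 32:  # ASCII hex digits -> binary hash
            raw = bytes.fromhex(raw.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None
    return raw if len(raw) == 16 else None


NT_PW_RE = re.compile(r"control:NT-Password\s*:=\s*(\S+)")


def analyse_debug(lines):
    """Summarise whether rlm_mschap could authenticate the request shown in the log."""
    report = {"nt_password": None, "auth_type_ldap_forced": False, "findings": []}
    for line in lines:
        m = NT_PW_RE.search(line)
        if m:
            report["nt_password"] = normalise_nt_password(m.group(1))
        if "Auth-Type := LDAP" in line:  # matches both the update block and the WARNING
            report["auth_type_ldap_forced"] = True
    if report["nt_password"] is None:
        report["findings"].append("no usable control:NT-Password; check the sambaNtPassword "
                                  "mapping in the ldap module")
    if report["auth_type_ldap_forced"]:
        report["findings"].append("Auth-Type := LDAP forces an LDAP bind, which needs a cleartext "
                                  "User-Password; delete it so rlm_mschap can use NT-Password")
    report["mschap_can_work"] = report["nt_password"] is not None and not report["auth_type_ldap_forced"]
    return report


# Constructed sample lines shaped like the inner-tunnel log in the thread (not the original log);
# the test account's password is the constructed value "password".
_NT_HEX = nt_hash("password")
LOG_WITH_AUTH_TYPE_LDAP = [
    "(6) ldap_regularusers: Processing user attributes",
    "(6) ldap_regularusers: control:NT-Password := 0x" + _NT_HEX.encode("ascii").hex(),
    "(6)           [ldap_regularusers] = updated",
    "(6)           update control {",
    "(6)             &Auth-Type := LDAP",
    "(6)           } # update control = noop",
    '(6) ldap_regularusers: WARNING: You have set "Auth-Type := LDAP" somewhere',
    '(6) ldap_regularusers: ERROR: Attribute "User-Password" is required for authentication',
]
LOG_AFTER_FIX = LOG_WITH_AUTH_TYPE_LDAP[:3]  # same request once the update block is deleted

if __name__ == "__main__":
    for name, log in (("before", LOG_WITH_AUTH_TYPE_LDAP), ("after", LOG_AFTER_FIX)):
        r = analyse_debug(log)
        print(name, "mschap_can_work =", r["mschap_can_work"], r["findings"])
    print("NT hash of the test password:", _NT_HEX)
```

Run it against a saved radiusd -X transcript with `analyse_debug(open("debug.log").read().splitlines())`; a report with `mschap_can_work` false and the Auth-Type finding is exactly the state the thread describes, and deleting the `update control { &Auth-Type := LDAP }` block is what turns it true. The MD4 routine is included only because hashlib's md4 is frequently disabled; comparing `nt_hash(test_password)` with a test account's sambaNtPassword confirms the LDAP value is a real NT hash before blaming the RADIUS side.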
