Cannot connect with EAP-TTLS + MS-CHAPv2. If you'd kindly teach me.
Yuya Yanagi
peacefull64 at gmail.com
Tue Aug 13 04:43:13 CEST 2019
Hi Alan
I understood what you pointed out and deleted it. I'm sorry for bothering you.
When I run it again, it reports that there is no NT / LM
password. Where should I look next?
---------
rlm_ldap (ldap_regularusers): Reserved connection (0)
(6) ldap_regularusers: EXPAND
(&(!(employeeType=participant))(!(employeeType=trainee))(!(tutPersonAccountStatus=03))(!(tutPersonAccountStatus=04))(uid=%{%{Stripped-User-Name}:-%{User-Name}}))
(6) ldap_regularusers: -->
(&(!(employeeType=participant))(!(employeeType=trainee))(!(tutPersonAccountStatus=03))(!(tutPersonAccountStatus=04))(uid=yanagi))
(6) ldap_regularusers: Performing search in
"ou=Users,dc=edu,dc=tut,dc=ac,dc=jp" with filter
"(&(!(employeeType=participant))(!(employeeType=trainee))(!(tutPersonAccountStatus=03))(!(tutPersonAccountStatus=04))(uid=yanagi))",
scope "sub"
(6) ldap_regularusers: Waiting for search result...
(6) ldap_regularusers: User object found at DN
"uid=yanagi,ou=Users,dc=edu,dc=tut,dc=ac,dc=jp"
(6) ldap_regularusers: Processing user attributes
(6) ldap_regularusers: control:NT-Password :=
0x4243353030433041363439353842434531393638383936303344464645343530
(6) ldap_regularusers: control:User-Password :=
'BC500C0A64958BCE196889603DFFE450'
(6) ldap_regularusers: control:Password-With-Header :=
'{SSHA256}Q1iLz8Pc/mkXU/hniRsu3/rpWKOVdjAU/4t2iLynZqdIPFIYPW0elA=='
rlm_ldap (ldap_regularusers): Released connection (0)
(6) [ldap_regularusers] = updated
(6) } # if (&outer.request:Called-Station-SSID == 'BLUE') = updated
(6) } # if (&outer.request:NAS-IP-Address =~
/^192\.168\.10\.1[2]{1}$/ || &outer.request:NAS-IP-Address ==
"192.168.200.240" || &outer.request:NAS-IP-Address == "localhost") =
updated
(6) [expiration] = noop
(6) [logintime] = noop
(6) } # authorize = updated
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Expiring EAP session with state 0x826df85d8265e230
(6) eap: Finished EAP session with state 0x826df85d8265e230
(6) eap: Previous EAP request found for state 0x826df85d8265e230,
released from the list
(6) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(6) eap_mschapv2: authenticate {
(6) mschap: WARNING: NT-Password has not been normalized by the 'pap'
module (likely still in hex format). Authentication may fail
(6) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(6) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
(6) mschap: Creating challenge hash with username: yanagi
(6) mschap: Client is using MS-CHAPv2
(6) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(6) mschap: ERROR: MS-CHAP2-Response is incorrect
(6) [mschap] = reject
(6) } # authenticate = reject
(6) eap: Sending EAP Failure (code 4) ID 8 length 4
(6) eap: Freeing handler
(6) [eap] = reject
(6) } # authenticate = reject
(6) Failed to authenticate the user
(6) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot
perform authentication): [yanagi/<via Auth-Type = eap>] (from client
n-test port 0 via TLS tunnel)
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject: --> yanagi
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6) [attr_filter.access_reject] = updated
(6) update outer.session-state {
(6) &Module-Failure-Message := &request:Module-Failure-Message
-> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication'
(6) } # update outer.session-state = noop
(6) } # Post-Auth-Type REJECT = updated
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) MS-CHAP-Error = "\010E=691 R=1
C=0d87b3e853acf17d17b03a4b37641556 V=3 M=Authentication failed"
(6) EAP-Message = 0x04080004
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_ttls: Got tunneled Access-Reject
(6) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(6) eap: Sending EAP Failure (code 4) ID 8 length 4
On Tue, 13 Aug 2019 at 11:31, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Aug 12, 2019, at 10:25 PM, Yuya Yanagi <peacefull64 at gmail.com> wrote:
> >
> >> That seems pretty clear. Don't set "Auth-Type := LDAP". It's not needed.
> >
> > Does that mean commenting out the Auth-Type LDAP part of the
> > authentication section?
>
> No.
>
> Read my message. I said to DELETE the section that did:
>
> update control {
> Auth-Type := LDAP
> }
>
> Read this:
>
> >>> (6) update control {
> >>> (6) &Auth-Type := LDAP
> >>> (6) } # update control = noop
> >>
> >> Don't do that. It's breaking the server.
> >>
> >> Delete those lines from your configuration. The user should then be able to authenticate.
>
> DELETE that section. Don't delete ANOTHER section.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
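The debug output above contains the reason for the mschap failure. The LDAP module delivered `control:NT-Password := 0x4243353030433041...`, and those 32 octets are the ASCII bytes of the string `BC500C0A64958BCE196889603DFFE450`, the same value that landed in `User-Password`. The directory stores the NT hash as 32 hex characters, and it was mapped into `NT-Password` without being decoded, so mschap sees 32 bytes of text where it needs 16 raw bytes; that is what the warning "NT-Password has not been normalized by the 'pap' module (likely still in hex format)" refers to. The script below is an added example, not code from the thread or from FreeRADIUS: it parses those two log lines (copied from the log, joined onto one line each) and applies a normalization step that approximates what the pap module does (an assumption about its behaviour, not its source), so the mismatch can be seen and checked directly.

```python
import base64
import binascii
import re

# Constructed sample: the two control attribute lines exactly as radiusd -X
# printed them in the thread, with the wrapped value joined onto one line.
SAMPLE_LOG = """\
(6) ldap_regularusers: control:NT-Password := 0x4243353030433041363439353842434531393638383936303344464645343530
(6) ldap_regularusers: control:User-Password := 'BC500C0A64958BCE196889603DFFE450'
"""

NT_HASH_LEN = 16  # an NT hash is an MD4 digest: 16 raw bytes

# Matches "control:<Attr> := <value>" as printed by the ldap module.
ATTR_RE = re.compile(r"control:(?P<attr>[\w-]+) := (?P<val>\S+)")


def parse_control_attrs(log_text):
    """Return {attribute: raw bytes} for every 'control:X := value' line.

    A 0x... value is a string of octets; a quoted value is taken as the
    literal bytes of the text between the quotes.
    """
    out = {}
    for m in ATTR_RE.finditer(log_text):
        val = m.group("val")
        if val.startswith("0x"):
            out[m.group("attr")] = bytes.fromhex(val[2:])
        else:
            out[m.group("attr")] = val.strip("'\"").encode("ascii")
    return out


def normalize_nt_password(raw):
    """Bring an NT-Password value into the 16-byte form mschap expects.

    Approximation (assumption, not FreeRADIUS code) of the pap module's
    normalization:
      - 16 bytes: already a raw hash, returned unchanged
      - 32 bytes of hex digits: hex text, decoded to 16 bytes
      - 24 bytes of base64: decoded to 16 bytes
    Anything else raises, so a misconfigured attribute fails loudly instead
    of being compared against the client's response as garbage.
    """
    if len(raw) == NT_HASH_LEN:
        return raw
    if len(raw) == 2 * NT_HASH_LEN:
        try:
            return bytes.fromhex(raw.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    if len(raw) == 24:
        try:
            decoded = base64.b64decode(raw, validate=True)
            if len(decoded) == NT_HASH_LEN:
                return decoded
        except (binascii.Error, ValueError):
            pass
    raise ValueError(f"NT-Password has unexpected form: {len(raw)} bytes")


def diagnose(log_text):
    """Classify the NT-Password seen in the log and return its usable form.

    Returns one of:
      ("ok", hash)                       already 16 raw bytes
      ("hex-text-not-normalized", hash)  octets are the ASCII of User-Password,
                                         i.e. the hash was mapped as hex text
      ("normalized", hash)               some other encoded form, decoded
    """
    attrs = parse_control_attrs(log_text)
    nt = attrs["NT-Password"]
    if len(nt) == NT_HASH_LEN:
        return "ok", nt
    normalized = normalize_nt_password(nt)
    if nt == attrs.get("User-Password"):
        return "hex-text-not-normalized", normalized
    return "normalized", normalized


if __name__ == "__main__":
    status, nt_hash = diagnose(SAMPLE_LOG)
    print(status)                       # hex-text-not-normalized
    print(len(nt_hash), nt_hash.hex())  # 16 bc500c0a64958bce196889603dffe450
```

Run against the log above it reports `hex-text-not-normalized` and recovers a 16-byte hash, which is the shape mschap needs. The same check is a useful sanity test for any LDAP-to-RADIUS attribute mapping: whatever the directory stores (raw, hex or base64), the value handed to mschap must be 16 bytes.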