Google LDAP integration failure
Phil Grace
phil.grace at hssd.k12.ar.us
Sat Feb 23 18:58:19 CET 2019
Hi everyone, I’m brand new and having an issue that I haven’t found a clear answer to. I’m running free radius 3.x on ubuntu server 18.10. I have LDAP enabled to auth to google secure LDAP. So far I’m binding to google successfully and with the radtest command my LDAP user gets access-accept. If I do raddest with -t mschap I get access-reject.
I’m hoping that someone more experienced can point me in the right direction as to where I can fix the issue. Here’s a snippet of my log in -X mode. Thanks in advance to anyone that can help
===================================================================================================================
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(15) [ldap] = ok
(15) [expiration] = noop
(15) [logintime] = noop
(15) [pap] = noop
(15) } # authorize = updated
(15) Found Auth-Type = eap
(15) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(15) authenticate {
(15) eap: Expiring EAP session with state 0x53c912cb54220b41
(15) eap: Finished EAP session with state 0x313d43603170599a
(15) eap: Previous EAP request found for state 0x313d43603170599a, released from the list
(15) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(15) eap: Calling submodule eap_mschapv2 to process data
(15) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(15) eap_mschapv2: authenticate {
(15) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(15) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(15) mschap: Creating challenge hash with username: phil.grace at hssd.k12.ar.us
(15) mschap: Client is using MS-CHAPv2
(15) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(15) mschap: ERROR: MS-CHAP2-Response is incorrect
(15) [mschap] = reject
(15) } # authenticate = reject
(15) eap: Sending EAP Failure (code 4) ID 77 length 4
(15) eap: Freeing handler
(15) [eap] = reject
(15) } # authenticate = reject
(15) Failed to authenticate the user
(15) Using Post-Auth-Type Reject
(15) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(15) Post-Auth-Type REJECT {
(15) attr_filter.access_reject: EXPAND %{User-Name}
(15) attr_filter.access_reject: --> phil.grace at hssd.k12.ar.us
(15) attr_filter.access_reject: Matched entry DEFAULT at line 11
(15) [attr_filter.access_reject] = updated
(15) update outer.session-state {
(15) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication'
(15) } # update outer.session-state = noop
(15) } # Post-Auth-Type REJECT = updated
(15) } # server inner-tunnel
(15) Virtual server sending reply
(15) MS-CHAP-Error = "ME=691 R=1 C=369d22d8c278cfa7667ff5d2ab0bf287 V=3 M=Authentication rejected"
(15) EAP-Message = 0x044d0004
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) eap_peap: Got tunneled reply code 3
(15) eap_peap: MS-CHAP-Error = "ME=691 R=1 C=369d22d8c278cfa7667ff5d2ab0bf287 V=3 M=Authentication rejected"
(15) eap_peap: EAP-Message = 0x044d0004
(15) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(15) eap_peap: Got tunneled reply RADIUS code 3
(15) eap_peap: MS-CHAP-Error = "ME=691 R=1 C=369d22d8c278cfa7667ff5d2ab0bf287 V=3 M=Authentication rejected"
(15) eap_peap: EAP-Message = 0x044d0004
(15) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(15) eap_peap: Tunneled authentication was rejected
(15) eap_peap: FAILURE
(15) eap: Sending EAP Request (code 1) ID 78 length 46
(15) eap: EAP session adding &reply:State = 0x893d3c588e7325ea
(15) [eap] = handled
(15) } # authenticate = handled
(15) Using Post-Auth-Type Challenge
(15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15) Challenge { ... } # empty sub-section is ignored
(15) session-state: Saving cached attributes
(15) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
(15) Sent Access-Challenge Id 78 from 10.8.172.26:1812 to 10.8.173.105:38595 length 0
(15) EAP-Message = 0x014e002e1900170303002377d07beda30c6131207f85740de5138af7d4342329fb590ca32ddd8e781256a69c9a3a
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0x893d3c588e7325ea93a4d1f0a45e4742
(15) Finished request
Waking up in 3.4 seconds.
(16) Received Access-Request Id 79 from 10.8.173.105:38595 to 10.8.172.26:1812 length 320
(16) User-Name = "phil.grace at hssd.k12.ar.us"
(16) NAS-IP-Address = 10.8.173.105
(16) Called-Station-Id = "8A-15-54-AB-61-48:Faculty"
(16) NAS-Port-Type = Wireless-802.11
(16) Service-Type = Framed-User
(16) NAS-Port = 1
(16) Calling-Station-Id = "C8-3C-85-9C-A7-17"
(16) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 26, Channel: 149"
(16) Acct-Session-Id = "03D12019BACECB86"
(16) WLAN-Pairwise-Cipher = 1027076
(16) WLAN-Group-Cipher = 1027074
(16) WLAN-AKM-Suite = 1027073
(16) Meraki-Device-Name = "Technology Dept"
(16) Framed-MTU = 1400
(16) EAP-Message = 0x024e002e1900170303002321d3fee96f33295e5c79085340cadd61fe65772f5ac4bf4fb1b67c9346e8461e546cea
(16) State = 0x893d3c588e7325ea93a4d1f0a45e4742
(16) Message-Authenticator = 0x36f2f741b4dbc208756af96049eeda54
(16) Restoring &session-state
(16) &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
(16) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(16) authorize {
(16) policy filter_username {
(16) if (&User-Name) {
(16) if (&User-Name) -> TRUE
(16) if (&User-Name) {
(16) if (&User-Name =~ / /) {
(16) if (&User-Name =~ / /) -> FALSE
(16) if (&User-Name =~ /@[^@]*@/ ) {
(16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(16) if (&User-Name =~ /\.\./ ) {
(16) if (&User-Name =~ /\.\./ ) -> FALSE
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(16) if (&User-Name =~ /\.$/) {
(16) if (&User-Name =~ /\.$/) -> FALSE
(16) if (&User-Name =~ /@\./) {
(16) if (&User-Name =~ /@\./) -> FALSE
(16) } # if (&User-Name) = notfound
(16) } # policy filter_username = notfound
(16) [preprocess] = ok
(16) [chap] = noop
(16) [mschap] = noop
(16) [digest] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: Looking up realm "hssd.k12.ar.us" for User-Name = "phil.grace at hssd.k12.ar.us"
(16) suffix: No such realm "hssd.k12.ar.us"
(16) [suffix] = noop
(16) eap: Peer sent EAP Response (code 2) ID 78 length 46
(16) eap: Continuing tunnel setup
(16) [eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = eap
(16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(16) authenticate {
(16) eap: Expiring EAP session with state 0x53c912cb54220b41
(16) eap: Finished EAP session with state 0x893d3c588e7325ea
(16) eap: Previous EAP request found for state 0x893d3c588e7325ea, released from the list
(16) eap: Peer sent packet with method EAP PEAP (25)
(16) eap: Calling submodule eap_peap to process data
(16) eap_peap: Continuing EAP-TLS
(16) eap_peap: [eaptls verify] = ok
(16) eap_peap: Done initial handshake
(16) eap_peap: [eaptls process] = ok
(16) eap_peap: Session established. Decoding tunneled attributes
(16) eap_peap: PEAP state send tlv failure
(16) eap_peap: Received EAP-TLV response
(16) eap_peap: ERROR: The users session was previously rejected: returning reject (again.)
(16) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(16) eap_peap: to find out the reason why the user was rejected
(16) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
(16) eap_peap: what went wrong, and how to fix the problem
(16) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(16) eap: Sending EAP Failure (code 4) ID 78 length 4
(16) eap: Failed in EAP select
(16) [eap] = invalid
(16) } # authenticate = invalid
(16) Failed to authenticate the user
(16) Using Post-Auth-Type Reject
(16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(16) Post-Auth-Type REJECT {
(16) attr_filter.access_reject: EXPAND %{User-Name}
(16) attr_filter.access_reject: --> phil.grace at hssd.k12.ar.us
(16) attr_filter.access_reject: Matched entry DEFAULT at line 11
(16) [attr_filter.access_reject] = updated
(16) [eap] = noop
(16) policy remove_reply_message_if_eap {
(16) if (&reply:EAP-Message && &reply:Reply-Message) {
(16) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(16) else {
(16) [noop] = noop
(16) } # else = noop
(16) } # policy remove_reply_message_if_eap = noop
(16) } # Post-Auth-Type REJECT = updated
(16) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(16) Sending delayed response
(16) Sent Access-Reject Id 79 from 10.8.172.26:1812 to 10.8.173.105:38595 length 44
(16) EAP-Message = 0x044e0004
(16) Message-Authenticator = 0x00000000000000000000000000000000
===================================================================================
Phil Grace
Director of Technology
Heber Springs School District
phil.grace at hssd.k12.ar.us
Arkansas LEA Rep to the NCES Forum
National Center for Education Statistics
https://nces.ed.gov/forum/
More information about the Freeradius-Users
mailing list