Freeradius open-ldap Auth
David Musoke
dmusoke at umu.ac.ug
Tue Dec 1 16:02:19 CET 2020
Hello Folks,
Am trying to set up authentication using open ldap and freeradius.
When I run a radtest for one of my users in ldap, i receive access-accept
msg
But when I try authenticating from a windows or Mac Os user I don't succeed.
Below is my debug out-put when i try to authenticate from a windows machine
Waking up in 3.3 seconds.
(7) Received Access-Request Id 107 from 10.106.1.205:51262 to
196.43.180.27:1812 length 346
(7) User-Name = "dmusoke at umu.ac.ug"
(7) NAS-IP-Address = 10.106.1.205
(7) NAS-Identifier = "8a8a2055b8c8"
(7) Called-Station-Id = "8A-8A-20-55-B8-C8:ICT-TEST"
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Calling-Station-Id = "34-CF-F6-DA-C0-FA"
(7) Connect-Info = "CONNECT 0Mbps 802.11b"
(7) Acct-Session-Id = "D4000DCC2E7E294C"
(7) Acct-Multi-Session-Id = "404A761D1E6EC7B3"
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027076
(7) WLAN-AKM-Suite = 1027073
(7) Framed-MTU = 1400
(7) EAP-Message =
0x02da006b1900170303006000000000000000024e01010a4300b62285fefdeb4077f49488e885300adb0b4889fbb5c10f8704a78bff8c25c35d5ac6ec6251511bba311e6773d4e2bf82cc2f75c1b1d0f95ad4125f45d763928b6a9cc31fa0d84abd06f4fcb67d6fe801ff99
(7) State = 0xa8ec0dfaae3614327b0f2a0ced9765ca
(7) Message-Authenticator = 0xc878a00d7e991c569dbc46e760bd29c8
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "umu.ac.ug" for User-Name = "dmusoke at umu.ac.ug"
(7) suffix: Found realm "umu.ac.ug"
(7) suffix: Adding Realm = "umu.ac.ug"
(7) suffix: Authentication realm is LOCAL
(7) [suffix] = ok
(7) eap: Peer sent EAP Response (code 2) ID 218 length 107
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0xb2a21f7db2780593
(7) eap: Finished EAP session with state 0xa8ec0dfaae361432
(7) eap: Previous EAP request found for state 0xa8ec0dfaae361432, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message =
0x02da004c1a02da004731a9a56b3b7817dd1e49fa6e1f5ea8c240000000000000000093c169d66ec81330d82a821926ad3be2a76365126cb4ccaf00646d75736f6b6540756d752e61632e7567
(7) eap_peap: Setting User-Name to dmusoke at umu.ac.ug
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message =
0x02da004c1a02da004731a9a56b3b7817dd1e49fa6e1f5ea8c240000000000000000093c169d66ec81330d82a821926ad3be2a76365126cb4ccaf00646d75736f6b6540756d752e61632e7567
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "dmusoke at umu.ac.ug"
(7) eap_peap: State = 0xb2a21f7db27805937dbad257c82d792b
(7) Virtual server inner-tunnel received request
(7) EAP-Message =
0x02da004c1a02da004731a9a56b3b7817dd1e49fa6e1f5ea8c240000000000000000093c169d66ec81330d82a821926ad3be2a76365126cb4ccaf00646d75736f6b6540756d752e61632e7567
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "dmusoke at umu.ac.ug"
(7) State = 0xb2a21f7db27805937dbad257c82d792b
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "umu.ac.ug" for User-Name = "dmusoke at umu.ac.ug"
(7) suffix: Found realm "umu.ac.ug"
(7) suffix: Adding Realm = "umu.ac.ug"
(7) suffix: Authentication realm is LOCAL
(7) [suffix] = ok
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 218 length 76
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(7) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap: --> (uid=dmusoke at umu.ac.ug)
(7) ldap: Performing search in "dc=umu,dc=ac,dc=ug" with filter "(uid=
dmusoke at umu.ac.ug)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "cn=dmusoke at umu.ac.ug
,ou=staff,dc=umu,dc=ac,dc=ug"
(7) ldap: Processing user attributes
(7) ldap: control:Password-With-Header +=
'{SSHA}wkHhU0bWVfwT6X5lZVtI4+lD8Bd3ZmYv'
rlm_ldap (ldap): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots
used
rlm_ldap (ldap): Connecting to ldap://196.43.180.28:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(7) [ldap] = updated
(7) [expiration] = noop
(7) [logintime] = noop
(7) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password
(7) pap: Removing &control:Password-With-Header
(7) pap: Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24
bytes
(7) pap: WARNING: Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0xb2a21f7db2780593
(7) eap: Finished EAP session with state 0xb2a21f7db2780593
(7) eap: Previous EAP request found for state 0xb2a21f7db2780593, released
from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) eap_mschapv2: authenticate {
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
(7) mschap: Creating challenge hash with username: dmusoke at umu.ac.ug
(7) mschap: Client is using MS-CHAPv2
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
(7) [mschap] = reject
(7) } # authenticate = reject
(7) eap: Sending EAP Failure (code 4) ID 218 length 4
(7) eap: Freeing handler
(7) [eap] = reject
(7) } # authenticate = reject
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject: --> dmusoke at umu.ac.ug
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7) [attr_filter.access_reject] = updated
(7) update outer.session-state {
(7) &Module-Failure-Message := &request:Module-Failure-Message ->
'mschap: FAILED: No NT/LM-Password. Cannot perform authentication'
(7) } # update outer.session-state = noop
(7) } # Post-Auth-Type REJECT = updated
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) MS-CHAP-Error = "\332E=691 R=1 C=a647d2920e720b1be308ea4a20115ec7 V=3
M=Authentication rejected"
(7) EAP-Message = 0x04da0004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply code 3
(7) eap_peap: MS-CHAP-Error = "\332E=691 R=1
C=a647d2920e720b1be308ea4a20115ec7 V=3 M=Authentication rejected"
(7) eap_peap: EAP-Message = 0x04da0004
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply RADIUS code 3
(7) eap_peap: MS-CHAP-Error = "\332E=691 R=1
C=a647d2920e720b1be308ea4a20115ec7 V=3 M=Authentication rejected"
(7) eap_peap: EAP-Message = 0x04da0004
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Tunneled authentication was rejected
(7) eap_peap: FAILURE
(7) eap: Sending EAP Request (code 1) ID 219 length 46
(7) eap: EAP session adding &reply:State = 0xa8ec0dfaaf371432
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot
perform authentication"
(7) Sent Access-Challenge Id 107 from 196.43.180.27:1812 to
10.106.1.205:51262 length 0
(7) EAP-Message =
0x01db002e19001703030023d9a6aef0855958dee03f672cdd1211150670d06a1d3bfee502e4cc34ef1b2e235a66d0
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xa8ec0dfaaf3714327b0f2a0ced9765ca
(7) Finished request
*RegardsDavid Musoke*
*ICT Department*
*Mob: +256773731776*
* +256757414650*
--
More information about the Freeradius-Users
mailing list