ssha passwords openldap problem

Сергей Черевко ink.dude at mail.ru
Thu Jan 23 09:01:53 CET 2020


Hi, I have a VPN: MikroTik server → FreeRADIUS → OpenLDAP.

I have plaintext passwords for users in LDAP, and all is okay.

I encrypted the users' passwords with SSHA and my VPN isn't working.

Logs from FreeRADIUS:

(5) ldap: Performing search in "ou=people,dc=fusioncore,dc=local" with filter "(uid=scherevko)", scope "sub"
(5) ldap: Waiting for search result...
(5) ldap: User object found at DN "uid=scherevko,ou=people,dc=fusioncore,dc=local"
(5) ldap: Processing user attributes
(5) ldap: control:Password-With-Header += '{SSHA}y11iufAi/kWir/t/5npxER+fpUYSroNSr0VM4Q=='
rlm_ldap (ldap): Released connection (11)
(5)     [ldap] = updated
(5)     [expiration] = noop
(5)     [logintime] = noop
(5) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password
(5) pap: Removing &control:Password-With-Header
(5) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28 bytes
(5) pap: WARNING: Auth-Type already set.  Not setting to PAP
(5)     [pap] = noop
(5)   } # authorize = updated
(5) Found Auth-Type = mschap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   authenticate {
(5) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(5) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
(5) mschap: Creating challenge hash with username: scherevko
(5) mschap: Client is using MS-CHAPv2
(5) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(5) mschap: ERROR: MS-CHAP2-Response is incorrect
(5)     [mschap] = reject
(5)   } # authenticate = reject
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject:    --> scherevko
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5)     [attr_filter.access_reject] = updated
(5)     [eap] = noop
(5)     policy remove_reply_message_if_eap {
(5)       if (&reply:EAP-Message && &reply:Reply-Message) {
(5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(5)       else {
(5)         [noop] = noop
(5)       } # else = noop
(5)     } # policy remove_reply_message_if_eap = noop
(5)   } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) (5) Discarding duplicate request from client mikrotik_router port 56532 - ID: 31 due to delayed response
Waking up in 0.6 seconds.
(5) (5) Discarding duplicate request from client mikrotik_router port 56532 - ID: 31 due to delayed response
Waking up in 0.3 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 31 from 10.10.2.176:1812 to 10.10.2.1:56532 length 103
(5)   MS-CHAP-Error = "\001E=691 R=1 C=359def4fd6e2f6ec8965898ccce170c8 V=3 M=Authentication rejected"
Waking up in 3.9 seconds.
(5) Cleaning up request packet ID 31 with timestamp +1893
Ready to process requests
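The log above shows the core of the problem: rlm_ldap hands over an `{SSHA}` value, pap normalizes it to `SSHA1-Password`, but MS-CHAPv2 can only be completed from `NT-Password` or `Cleartext-Password`. The following added example (not code from the original post, FreeRADIUS or OpenLDAP) makes that concrete: it verifies an OpenLDAP-style `{SSHA}` value, which needs the candidate cleartext that PAP sends and MS-CHAPv2 never does, and it derives the NT hash the way rlm_mschap does (MD4 over the UTF-16LE cleartext), which is only possible while the cleartext is available. The password `CorrectHorse`, the salt `saltsalt` and the `control` dictionaries are constructed for the demo; the pure-Python MD4 is included because `hashlib`'s MD4 is often disabled under OpenSSL 3.

```python
import base64
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because hashlib's md4 may be unavailable."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:
                fn, k, s, const = f, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                fn, k, s, const = g, (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                fn, k, s, const = h, r3_order[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            # Each step updates one register; rotating the tuple keeps the a,d,c,b order of RFC 1320.
            a = _lrot((a + fn(b, c, d) + x[k] + const) & MASK, s)
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def make_ssha(password: str, salt: bytes = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """PAP-style check: only possible when the cleartext candidate is in hand."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def nt_hash(password: str) -> str:
    """NT-Password as rlm_mschap derives it: MD4 over the UTF-16LE cleartext, hex encoded."""
    return md4(password.encode("utf-16-le")).hex()


def nt_password_for_mschap(control: dict):
    """Mirror the decision visible in the log: MS-CHAPv2 needs NT-Password or Cleartext-Password.

    `control` is a constructed stand-in for the FreeRADIUS control list.
    """
    if "NT-Password" in control:
        return control["NT-Password"]
    if "Cleartext-Password" in control:
        return nt_hash(control["Cleartext-Password"])
    return None  # an SSHA1-Password alone cannot be turned into an NT hash


if __name__ == "__main__":
    stored = make_ssha("CorrectHorse", b"saltsalt")          # constructed directory value
    print("userPassword:", stored)
    print("PAP with cleartext  :", verify_ssha("CorrectHorse", stored))
    print("PAP with wrong value:", verify_ssha("wrong", stored))
    print("MS-CHAPv2, SSHA only:", nt_password_for_mschap({"SSHA1-Password": stored}))
    print("MS-CHAPv2, cleartext:", nt_password_for_mschap({"Cleartext-Password": "CorrectHorse"}))
```

Run stand-alone, the script prints a verifiable `{SSHA}` value, a successful and a failed PAP-style check, `None` for the SSHA-only control list (the situation in the log), and the NT hash when a cleartext is available. The design point is that a salted SHA-1 is one-way and salted, so it can serve PAP but can never be converted into the unsalted MD4 NT hash that MS-CHAPv2 requires; a directory that must serve MS-CHAPv2 has to hold an NT hash (or the cleartext) alongside, and an NT hash is itself an unsalted, password-equivalent secret that deserves the same protection as the cleartext.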