FreeRadius and FreeIpa integration not working in our Lab setup

Michael Schwartzkopff ms at sys4.de
Fri Jul 15 06:52:23 UTC 2022


On 15.07.22 06:01, Krishna Chaitanya wrote:
> Looks like I found the reason, the issue is because the wireless router is
> not added in the cd /etc/raddb/client.conf file.
> And I can see the radtest requests are getting accepted by the Freeradius
> server for the user profiles on FreeIPA Directory as shown below.
> ====================================================================================================
> krishna at QICAP:~$ radtest radius Freeip at 1234 122.1.5.84 1812 testing123
> Sent Access-Request Id 50 from 0.0.0.0:43213 to 122.1.5.84:1812 length 76
> User-Name = "radius"
> User-Password = "Freeip at 1234"
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 1812
> Message-Authenticator = 0x00
> Cleartext-Password = "Freeip at 1234"
> Received Access-Accept Id 50 from 122.1.5.84:1812 to 122.1.5.136:43213
> length 20
> ===================================================================================
> However, when a user is trying to authenticate to wireless services,
> getting a debug report as below and connection to wireless is failing:
> ---------------------------------------------------------------------------------------------------------------------------
> (146) Received Access-Request Id 0 from 122.1.5.89:38592 to 122.1.5.84:1812
> length 125
> (146)   User-Name = "radius"

(...)

> (154) ldap: User object found at DN
> "uid=radius,cn=users,cn=compat,dc=qi-cap,dc=com"
> (154) ldap: Processing user attributes
> (154) ldap: WARNING: No "known good" password added. Ensure the admin user
> has permission to read the password attribute
> (...)
> (154) eap_mschapv2:   authenticate {
> (154) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> NT-Password
> (154) mschap: Creating challenge hash with username: radius
> (154) mschap: Client is using MS-CHAPv2
> (154) mschap: ERROR: FAILED: No NT-Password.  Cannot perform authentication
> (154) mschap: ERROR: MS-CHAP2-Response is incorrect
> (154) eap_mschapv2:     [mschap] = reject
> (154) eap_mschapv2:   } # authenticate = reject
(...)
> However, just to troubleshoot, I added a user profile in the user config file at
> sudo vim /etc/raddb/users and below is the same. And when trying to
> authenticate with this test profile I am able to authenticate and connect to
> the network (QICAP_5G-2).
> [image: image.png]
> So, not really sure why authentication is failing for other user profiles
> which are not added in the user config file and that is not the expected
> behaviour.
> Thanks
> Krishna
>
(...)

Read the logs. I shortened the logs to make the important parts clear.
The truth is in the logs.

Or, to make it even clearer:

ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute


No password, no authentication.


Given the history of our conversation on the list here, please note that 
there are a lot of competent people and companies that provide paid 
support. First of all, I would refer to https://networkradius.com
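
Added example, not part of the original thread and not FreeRADIUS project code: a Python triage script that unwraps mail-quoted debug output, groups it by request number, and reports requests where the ldap "known good" password warning is followed by the mschap NT-Password failure. The rule names and function names are assumptions made for this example; the sample lines are the ones quoted above.

```python
import re
from collections import defaultdict
# Debug excerpt quoted in the thread (mail quoting and line wrapping kept).
SAMPLE = '''\
> (146)   User-Name = "radius"
(154) ldap: User object found at DN
> "uid=radius,cn=users,cn=compat,dc=qi-cap,dc=com"
> (154) ldap: WARNING: No "known good" password added. Ensure the admin user
> has permission to read the password attribute
> (154) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> NT-Password
> (154) mschap: ERROR: FAILED: No NT-Password.  Cannot perform authentication
'''

REQ = re.compile(r'^\((\d+)\)\s+(.*)$')
# Rule names are made up for this example; the needles are messages from the thread.
RULES = {
    "ldap_no_password": 'No "known good" password added',
    "mschap_no_cleartext": "No Cleartext-Password configured",
    "mschap_no_nt_password": "No NT-Password",
}

def unwrap(text):
    """Strip mail quote markers and rejoin lines the mail client wrapped."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r'^(>\s?)+', '', raw).strip()
        if line and (REQ.match(line) or not out):
            out.append(line)          # new "(N) ..." debug line
        elif line:
            out[-1] += " " + line     # continuation of the previous line
    return out

def triage(text):
    """Return {request number: sorted rule names} for requests with findings."""
    hits = defaultdict(set)
    for line in unwrap(text):
        m = REQ.match(line)
        for name, needle in RULES.items():
            if m and needle in m.group(2):
                hits[int(m.group(1))].add(name)
    return {req: sorted(names) for req, names in hits.items()}

def missing_password_rejects(text):
    """Requests where LDAP gave no password and MS-CHAP then lacked NT-Password."""
    need = {"ldap_no_password", "mschap_no_nt_password"}
    return sorted(r for r, n in triage(text).items() if need <= set(n))

print(missing_password_rejects(SAMPLE))
```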



