Well, after some changes in OpenLDAP config, this is the result:

So your first issue was OpenLDAP-related...


Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as
cn=Manager,dc=xxxx,dc=it/PASSWORD to 192.168.1.221:389
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful

Bind as manager is ok...

Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in
ou=utenti,dc=xxxx,dc=it, with filter (uid=misterc)
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for
misterc is allowed by userPassword
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password
{SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in
directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as
Auth-Type, value LDAP & op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as
User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in
directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use
remote access

Great, rlm_ldap has retrieved everything needed.

Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns
ok) for request 0

Now it's time to run the authenticate module

Fri Jul 21 11:15:51 2006 : Debug:   rad_check_password:  Found Auth-Type
LDAP
Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
Fri Jul 21 11:15:51 2006 : Debug:   Processing the authenticate section of
radiusd.conf

The LDAP module will be used (that is to say, a bind with the user's credentials will be attempted, provided that the request contains the necessary data).

Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: calling pap
(rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required
for authentication. Cannot use "CHAP-Password".

Well, it seems that your RADIUS client is trying CHAP and not PAP. You wrote in a previous mail that the request was:
rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
      User-Name = "misterc"
      CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
      CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
      NAS-IP-Address = 0.0.0.0
      Service-Type = Login-User
      Framed-IP-Address = 192.168.182.2
      Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
      Called-Station-Id = "AA-AA-AA-AA-DD-AA"
      NAS-Identifier = "nas01"
      Acct-Session-Id = "44bfd15d00000000"
      NAS-Port-Type = Wireless-802.11
      NAS-Port = 0
      Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
      WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff";


That means that your client is trying MS-CHAP, and MS-CHAP can't be used with anything other than NT-Hash passwords or cleartext passwords in the authorize backend (in your case LDAP).

Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
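The point of the thread above is why rlm_pap fails: the request carries a CHAP-Password, but the only credential rlm_ldap pulled from the directory is a {SHA} userPassword. The following is an added example, not code from the thread or from FreeRADIUS, that shows the difference between the two verifications. PAP delivers the cleartext password, so the server can recompute a one-way hash such as OpenLDAP's {SHA} form and compare. CHAP (RFC 1994, carried in RADIUS per RFC 2865) delivers MD5(id || password || challenge), so the server must already hold the cleartext to recompute the response; a stored hash cannot be turned back into the input the MD5 needs. All user names, passwords and challenge bytes below are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed example values; not taken from the thread.
EXAMPLE_CLEARTEXT = "s3cret-example"


def ldap_sha_userpassword(cleartext):
    """Return an OpenLDAP-style {SHA} userPassword: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(cleartext.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def verify_pap(candidate, userpassword):
    """PAP check: the request carries the cleartext, so any stored form that can be
    recomputed from it (cleartext or a {SHA} hash) can be compared."""
    if userpassword.startswith("{SHA}"):
        stored = base64.b64decode(userpassword[len("{SHA}"):])
        computed = hashlib.sha1(candidate.encode()).digest()
        return hmac.compare_digest(computed, stored)
    # Cleartext stored password: constant-time compare of the bytes.
    return hmac.compare_digest(candidate.encode(), userpassword.encode())


def chap_response(chap_id, cleartext, challenge):
    """Build a RADIUS CHAP-Password: one id byte followed by
    MD5(id || cleartext || challenge) as defined by RFC 1994 / RFC 2865."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + cleartext.encode() + challenge).digest()


def verify_chap(chap_password, challenge, userpassword):
    """CHAP check: recompute the response from the stored *cleartext* password.
    A {SHA} (or any one-way) hash cannot feed the MD5, so the check is impossible."""
    if userpassword.startswith("{SHA}"):
        raise ValueError("CHAP needs the cleartext password; a {SHA} hash cannot be used")
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 1 id byte + 16 MD5 bytes")
    expected = chap_response(chap_password[0], userpassword, challenge)
    return hmac.compare_digest(chap_password, expected)


def authenticate(request, userpassword):
    """Dispatch on the attributes present in the Access-Request, mirroring the
    decision rlm_pap makes in the log above. Returns (accepted, reason)."""
    if "CHAP-Password" in request:
        try:
            ok = verify_chap(request["CHAP-Password"], request["CHAP-Challenge"], userpassword)
        except ValueError as err:
            return False, str(err)
        return ok, "CHAP response matches" if ok else "CHAP response mismatch"
    if "User-Password" in request:
        ok = verify_pap(request["User-Password"], userpassword)
        return ok, "PAP password matches" if ok else "PAP password mismatch"
    return False, 'Attribute "Password" is required for authentication'


if __name__ == "__main__":
    stored_hash = ldap_sha_userpassword(EXAMPLE_CLEARTEXT)
    challenge = bytes(range(16))  # constructed 16-byte CHAP-Challenge
    chap_req = {"CHAP-Challenge": challenge,
                "CHAP-Password": chap_response(0, EXAMPLE_CLEARTEXT, challenge)}
    pap_req = {"User-Password": EXAMPLE_CLEARTEXT}
    print("CHAP vs {SHA} hash :", authenticate(chap_req, stored_hash))
    print("CHAP vs cleartext  :", authenticate(chap_req, EXAMPLE_CLEARTEXT))
    print("PAP  vs {SHA} hash :", authenticate(pap_req, stored_hash))
```

Running it shows the three outcomes side by side: the CHAP request is rejected against the hashed userPassword with the reason that cleartext is required, accepted against a cleartext userPassword, and the PAP request is accepted against the hash. That is the trade-off behind the advice in the thread: keeping userPassword hashed in LDAP forces the client to use PAP, while supporting CHAP requires the directory to hold the cleartext.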
