Excuse me, I didn't want to email you directly.

I run 2 LDAP modules because I would like to put machines in the right VLAN after authentication.

That's my next problem ;)
I'm working on it ... but I don't know where to begin :p



On 01/02/2010 17:34, Phil Mayers wrote:

On 01/02/10 16:04, cd wrote:
Thanks, Phil.

But it looks like I get an Access-Accept without LDAP password validation ??!

Please don't email me directly; I'm on the list.

rad_recv: Access-Request packet from host 192.168.10.254 port 1024, id=151, length=136
NAS-IP-Address = 10.172.253.110
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Message-Authenticator = 0xe35737afd4fb25d9a9cab4dc24bffa77
NAS-Port = 10
Framed-MTU = 1490
User-Name = "host/crid72-42ee2079"
Calling-Station-Id = "00-0C-29-7E-44-54"
EAP-Message = 0x020d001901686f73742f6372696437322d3432656532303739

SNIP; your LDAP debugging level is way, way too high. It's very hard to read the debugging output.

rlm_ldap: sambaNtPassword -> NT-Password == 0x3241384242423239424546354639314230324146363837323930414442344637

[ldap_admin] performing user authorization for host/crid72-42ee2079

...why are you running 2 LDAP modules?

+++[ldap_sw] returns ok
++- policy redundant returns ok
rlm_ldap: Entering ldap_groupcmp()

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
Sending Access-Challenge of id 151 to 192.168.10.254 port 1024
EAP-Message = 0x010e002e1a010e002910924d24419c6082e80c304f8d76c22109686f73742f6372696437322d3432656532303739
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x517b79b8517563ae61de7219537f52df

Ok, so EAP challenge sent.

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap


So it's using PEAP. Then after lots and lots of unnecessary LDAP debug output:

Sending Access-Accept of id 161 to 192.168.10.254 port 1024
User-Name = "host/crid72-42ee2079"
MS-MPPE-Recv-Key = 0xc83951c8f97b57386194b58be2d66edbe3a7b37cbaead57df65c61d64cea65e1
MS-MPPE-Send-Key = 0xeefc2477dc12da93c583c05676c8474a66fd2ad11b1cd90ef3ff575dcf876010
EAP-Message = 0x03170004
Message-Authenticator = 0x00000000000000000000000000000000

It succeeds. So what's the problem?

Radius looked the NT password up in LDAP, and did a PEAP/MS-CHAP against it. It worked.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



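The VLAN placement the original poster is asking about is normally done with the RADIUS Tunnel-* reply attributes (RFC 3580) rather than with a second rlm_ldap instance. The following is an added example, not configuration from anyone in this thread: it assumes FreeRADIUS 2.x with one rlm_ldap instance named ldap_sw (the name that appears in the debug output), and the group DNs and VLAN numbers are placeholders. In 2.x an rlm_ldap instance that is not called "ldap" registers its group-check attribute as <instance>-Ldap-Group, which is why the attribute below is ldap_sw-Ldap-Group.

```unlang
# Added example (not from the thread): VLAN assignment by LDAP group.
# Belongs in the post-auth section of the OUTER virtual server
# (sites-enabled/default), because the switch only sees the attributes
# in the final Access-Accept, not the inner-tunnel reply.
# Assumptions: rlm_ldap instance "ldap_sw"; group DNs and VLAN ids are placeholders.
post-auth {
    # ldap_sw-Ldap-Group is the comparison attribute FreeRADIUS 2.x
    # registers for an rlm_ldap instance named ldap_sw; the check calls
    # ldap_groupcmp(), which is the function already visible in the log.
    if (ldap_sw-Ldap-Group == "cn=admin-hosts,ou=groups,dc=example,dc=org") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (ldap_sw-Ldap-Group == "cn=user-hosts,ou=groups,dc=example,dc=org") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # A machine that authenticated but is in no known group goes to a
        # restricted VLAN instead of inheriting the switch port default.
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "99"
        }
    }
}
```

Two things to check when testing this with PEAP, as in the log above: the group lookup runs against the User-Name the outer request carries (here the outer identity is the real host name, so it works; with an anonymous outer identity the lookup would have to move to the inner-tunnel server with use_tunneled_reply enabled in the peap section of eap.conf), and the switch must be configured to honour dynamic VLAN assignment on the 802.1X port, otherwise the attributes are silently ignored. With the group check handled this way, the second LDAP instance is not needed for VLAN selection.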
