Hi,

For a couple of years I've been successfully using FreeRADIUS to authenticate some users against Active Directory using cleartext passwords, a Perl script to do some department checking, and a simple LDAP "bind as user".

I've now got at least one user who fails authentication, and I'm wondering if the problem is a backslash in their password. The password is...

  w[)xg=\7k2

I can use the same username and password to successfully LDAP bind to AD using a tool like ldapsearch from my Linux based RADIUS server, but using RADIUS itself fails. If it helps, here's the -X debug trace:

Wed Oct 20 15:36:19 2010 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 172.16.80.3 port 20002, id=9, length=135
        User-Name = "bill"
        Calling-Station-Id = "00-24-D7-40-8C-8C"
        Called-Station-Id = "00-0B-0E-DE-AB-80"
        NAS-Port = 52340
        NAS-Port-Type = Wireless-802.11
        NAS-IP-Address = 172.16.80.3
        User-Password = "w[)xg=\\7k2"
Wed Oct 20 15:39:10 2010 : Info: +- entering group authorize {...}
Wed Oct 20 15:39:10 2010 : Info: ++[preprocess] returns ok
Wed Oct 20 15:39:10 2010 : Info: [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.16.80.3/auth-detail-20101020
Wed Oct 20 15:39:10 2010 : Info: [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.80.3/auth-detail-20101020
Wed Oct 20 15:39:10 2010 : Info: [auth_log] expand: %t -> Wed Oct 20 15:39:10 2010
Wed Oct 20 15:39:10 2010 : Info: ++[auth_log] returns ok
Wed Oct 20 15:39:10 2010 : Info: [ldap] performing user authorization for bill
Wed Oct 20 15:39:10 2010 : Info: [ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
Wed Oct 20 15:39:10 2010 : Info: [ldap] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=bill)
Wed Oct 20 15:39:10 2010 : Info: [ldap] expand: dc=fed,dc=foo,dc=ac,dc=uk -> dc=fed,dc=foo,dc=ac,dc=uk
Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: attempting LDAP reconnection
Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: (re)connect to logonserv.fed.foo.ac.uk:389, authentication 0
Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: bind as / to logonserv.fed.foo.ac.uk:389
Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: waiting for bind result ...
Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: Bind was successful
Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: performing search in dc=fed,dc=foo,dc=ac,dc=uk, with filter (sAMAccountName=bill)
Wed Oct 20 15:39:10 2010 : Info: [ldap] looking for check items in directory...
Wed Oct 20 15:39:10 2010 : Info: [ldap] looking for reply items in directory...
Wed Oct 20 15:39:10 2010 : Debug: WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
Wed Oct 20 15:39:10 2010 : Info: [ldap] Setting Auth-Type = LDAP
Wed Oct 20 15:39:10 2010 : Info: [ldap] user bill authorized to use remote access
Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Oct 20 15:39:10 2010 : Info: ++[ldap] returns ok
Wed Oct 20 15:39:10 2010 : Info: ++[expiration] returns noop
Wed Oct 20 15:39:10 2010 : Info: ++[logintime] returns noop
Wed Oct 20 15:39:10 2010 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Wed Oct 20 15:39:10 2010 : Info: ++[pap] returns noop
Wed Oct 20 15:39:10 2010 : Info: ++? if (control:Auth-Type == LDAP)
Wed Oct 20 15:39:10 2010 : Info: ? Evaluating (control:Auth-Type == LDAP) -> TRUE
Wed Oct 20 15:39:10 2010 : Info: ++? if (control:Auth-Type == LDAP) -> TRUE
Wed Oct 20 15:39:10 2010 : Info: ++- entering if (control:Auth-Type == LDAP) {...}
Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair Called-Station-Id = 00-0B-0E-DE-AB-80
Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair Calling-Station-Id = 00-24-D7-40-8C-8C
Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair User-Name = bill
Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair NAS-Identifier = Trapeze
Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair User-Password = w[)xg=\\7k2
Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair NAS-Port = 52340
Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair NAS-IP-Address = 172.16.80.3
Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair Auth-Type = LDAP
Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair Ldap-UserDn = CN=bill,OU=Facility Users,OU=FBU,DC=fed,DC=foo,DC=ac,DC=uk
Wed Oct 20 15:39:10 2010 : Info: +++[perl] returns noop
Wed Oct 20 15:39:10 2010 : Info: ++- if (control:Auth-Type == LDAP) returns noop
Wed Oct 20 15:39:10 2010 : Info: Found Auth-Type = LDAP
Wed Oct 20 15:39:10 2010 : Info: +- entering group LDAP {...}
Wed Oct 20 15:39:10 2010 : Info: [ldap] login attempt by "bill" with password "w[)xg=\\7k2"
Wed Oct 20 15:39:10 2010 : Info: [ldap] user DN: CN=bill,OU=Facility Users,OU=FBU,DC=fed,DC=foo,DC=ac,DC=uk
Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: (re)connect to logonserv.fed.foo.ac.uk:389, authentication 1
Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: bind as CN=bill,OU=Facility Users,OU=FBU,DC=fed,DC=foo,DC=ac,DC=uk/w[)xg=\\7k2 to logonserv.fed.foo.ac.uk:389
Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: waiting for bind result ...
Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: Bind failed with invalid credentials
Wed Oct 20 15:39:10 2010 : Info: ++[ldap] returns reject
Wed Oct 20 15:39:10 2010 : Info: Failed to authenticate the user.
Wed Oct 20 15:39:10 2010 : Auth: Login incorrect (rlm_ldap: Bind as user failed): [bill] (from client wireless-2 port 52340 cli 00-24-D7-40-8C-8C)
Wed Oct 20 15:39:10 2010 : Info: Using Post-Auth-Type Reject

I don't know whether the problem lies with me (for allowing a backslash in the password in the first place), the NAS (for appearing to 'escape' the backslash with a backslash), or the way I've configured FreeRADIUS. Can anyone give me any pointers?

Thanks in advance of any advice,

Cheers,
Mark.
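Added here as an example (not code from the post or from FreeRADIUS): a small RFC 2865 section 5.2 decoder that recovers the PAP User-Password from a captured Access-Request, so the bytes the NAS actually put on the wire can be compared with what the -X output prints. The shared secret, Request Authenticator and packet below are constructed; in practice they would come from clients.conf and a packet capture.

```python
# Added example: RFC 2865 s5.2 User-Password hiding, plus a minimal Access-Request
# builder/parser so the decoder can be exercised offline. Secret, authenticator and
# packet are constructed for the demonstration, not taken from the post.
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD = 1, 2

def _md5_chain_xor(data, secret, authenticator, decrypt):
    # b1 = MD5(S + RA), b_i = MD5(S + c_(i-1)); each 16-byte block is XORed with b_i.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(x ^ k for x, k in zip(block, key))
        out += xored
        prev = block if decrypt else xored  # the chain always uses the ciphertext block
    return out

def pap_encrypt(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to a multiple of 16
    return _md5_chain_xor(padded, secret, authenticator, decrypt=False)

def pap_decrypt(blob, secret, authenticator):
    return _md5_chain_xor(blob, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(ident, secret, username, password):
    # Constructed Access-Request carrying only User-Name and User-Password.
    authenticator = os.urandom(16)
    enc = pap_encrypt(password, secret, authenticator)
    attrs = bytes([USER_NAME, 2 + len(username)]) + username
    attrs += bytes([USER_PASSWORD, 2 + len(enc)]) + enc
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def user_password_from_packet(packet, secret):
    # Walk the attribute TLVs after the 20-byte header and decrypt User-Password.
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, pos = packet[4:20], 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute length")
        if attr_type == USER_PASSWORD:
            return pap_decrypt(packet[pos + 2:pos + attr_len], secret, authenticator)
        pos += attr_len
    raise ValueError("no User-Password attribute in packet")
```

Running user_password_from_packet on a packet built with rb"w[)xg=\7k2" returns a 10-byte value containing one backslash; a packet built with a doubled backslash returns 11 bytes with two, which is the distinction to make when reading a capture of what the NAS sends.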