Re: Authentication Problem with PEAP and openldap

2009-01-15 Thread Michael Poser
> smbencrypt is distributed with the server. Use it to check the
> password hash.

> Ivan Kalik
> Kalik Informatika ISP

The authentication is half finished. The hint with smbencrypt showed
that the stored NT passwords in our LDAP directory were wrong. The hint with
ldap.attrmap pointed to a wrong NT-Password mapping. Thanks a lot for the
help.

Now we are facing another problem:

1. We use the native Windows XP (SP2 + SP3) 802.1X client without checking
the box "Validate server certificate". Result: the authentication works.

2. We check the box, fill in the right DNS server name and select the right
Trusted Root CA. Result: the authentication fails.

3. We use a Macintosh with Leopard; the authentication works fine.

4. We use Windows XP (SP3) with an Odyssey client; the authentication works
fine.

The failed authentication shows in the debug log that something goes wrong
with the user data in the inner tunnel. There is no "rlm_eap_peap: Identity
- username". Instead it breaks with a "TLS Alert" and a "No data inside
the tunnel".

Our Server Certificate has the extended key-usage
  PKIX serverAuth (OID: 1.3.6.1.5.5.7.3.1)
  PKIX clientAuth (OID: 1.3.6.1.5.5.7.3.2)

Any help is appreciated, 

best regards

  Michael
 
rad_recv: Access-Request packet from host 141.2.252.203:8, id=60,
length=82
User-Name = "nutzername"
EAP-Message = 0x020b016d706f736572
Message-Authenticator = 0x4f1d0d2973fdb38611ce6bfacb5846f2
NAS-Identifier = "cb-jur-vc0-11og"
NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 238
radius_xlat:  'nutzername'
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nutzername
radius_xlat:  '(uid=nutzername)'
radius_xlat:  'ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldaps://septimus.domain.de, authentication 0
rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/ca-bundle.crt
rlm_ldap: bind as uid=authproxy,o=bla,dc=bla,dc=de/geheim$ to
ldaps://septimus.domain.de
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de, with
filter (uid=nutzername)
rlm_ldap: Added password 0x81 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 0x81 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nutzername authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 60 to 141.2.252.203:8
User-Name = "nutzername"
EAP-Message = 0x010100160410cae9bfb010ee5187489092b9a2f82ddd
Message-Authenticator = 0x
State = 0xbea2ee7e075274739942fa3464748581
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 141.2.252.203:8, id=226,
length=95
User-Name = "nutzername"
State = 0xbea2ee7e075274739942fa3464748581
EAP-Message = 0x020100060319
Message-Authenticator = 0x200b492108ca7cac81f0e899d1ce
NAS-Identifier = "cb-jur-vc0-11og"
NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noo

Re: Authentication Problem with PEAP and openldap

2009-01-12 Thread Michael Poser
Hello Alan,

thank you for your reply.

The mapping of the NT-Password describes exactly our problem. We cannot find
the right passage in the radius config to do this. Maybe you can give us a
little hint; this would be very kind.

Best Regards, Michael

> native wired xp 802.1X client with PEAP (mschapv2) tries to authenticate via
> freeradius against openldap with an md4 encoded utf-16e password hash. The
> authentication fails. If we use the hash instead of the clear-text password
> with the xp client, the authentication works fine. There must be some
> problems with the encryption of the password. How do we fix the problem? Any
> help is appreciated.

  You may have the NT hash of the password in the LDAP database, but
you're telling FreeRADIUS it's the clear-text password:
...
> rlm_ldap: performing search in ou=XXX,ou=XXX,o=XXX,dc=XXX,dc=de, with filter
> (uid=plisch01)
> rlm_ldap: Added password 4183... in check items

  You want to map this to the NT-Password attribute.

  Alan DeKok.

-- 
Michael Poser,
HRZ - Abteilung Netze  
Tel.:069/798-28052

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Authentication Problem with PEAP and openldap

2009-01-09 Thread Michael Poser
Hello Thiabault,

>> native wired xp 802.1X client with PEAP (mschapv2) tries to authenticate
>> via freeradius against openldap with an md4 encoded utf-16e password
hash.

> This is just not possible.
> PEAP (mschapv2) requires you can read the user password either as a 
> cleartext password or as a NTLM-hashed password in your DB. 

It was a bit ambiguous. The term "md4 encoded utf-16e password hash" was meant
to express that it is an NTLM hash. Sorry for the confusion.

Best Regards, Michael



Authentication Problem with PEAP and openldap

2009-01-09 Thread Michael Poser
Hello,

A native wired XP 802.1X client with PEAP (MSCHAPv2) tries to authenticate via
FreeRADIUS against OpenLDAP with an MD4-encoded UTF-16LE password hash. The
authentication fails. If we use the hash instead of the clear-text password
with the XP client, the authentication works fine. There must be some
problems with the encryption of the password. How do we fix the problem? Any
help is appreciated.

Here are the radiusd.conf file and the debug output of radiusd -X:

Best Regards, Michael


prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

log_file = ${logdir}/radius.log

libdir = /usr/lib

pidfile = ${run_dir}/radiusd.pid

user = radiusd
group = radiusd

max_request_time = 30

delete_blocked_requests = no

cleanup_delay = 5

max_requests = 1024

bind_address = *

port = 0

hostname_lookups = no

allow_core_dumps = no

regular_expressions= yes
extended_expressions= yes

log_stripped_names = yes

log_auth = yes

log_auth_badpass = no
log_auth_goodpass = no

usercollide = no

lower_user = no
lower_pass = no

nospace_user = no
nospace_pass = no

checkrad = ${sbindir}/checkrad

security {
max_attributes = 200

reject_delay = 1

status_server = no
}

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

$INCLUDE  ${confdir}/clients.conf

snmp= no
$INCLUDE  ${confdir}/snmp.conf

thread pool {
start_servers = 5

max_servers = 32

min_spare_servers = 3
max_spare_servers = 10

max_requests_per_server = 0
}

modules {

pap {
encryption_scheme = crypt
}

chap {
authtype = CHAP

}

pam {
pam_auth = radiusd
}

unix {
cache = no

cache_reload = 600

radwtmp = ${logdir}/radwtmp
}

$INCLUDE ${confdir}/eap.conf

mschap {

authtype = MS-CHAP

use_mppe = yes

require_encryption = yes

}

ldap {
server = "ldaps://XX.XX"
identity = "uid=XXX,o=XXX,dc=XXX,dc=de"
password = XXX
basedn = "ou=XXX,ou=XXX,o=XXX,dc=XXX,dc=de"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

start_tls = no

tls_cacertfile= /etc/openldap/cacerts/ca-bundle.crt

dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5

password_attribute = userPassword

timeout = 4
timelimit = 3
net_timeout = 1

}

realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}

realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}

realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}

realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}

checkval {
item-name = Calling-Station-Id

check-name = Calling-Station-Id

data-type = string

}

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints

with_ascend_hack = no
ascend_channels_per_line = 23

with_ntdomain_hack = no

with_specialix_jetstream_hack = no

with_cisco_vsa_hack = no
}

files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users

compat = no
}

detail {
detailfile = ${radacctdir}/sammeldir/detail

detailperm = 0600
}

acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}

$INCLUDE  ${confdir}/sql.conf

radutmp {
filename = ${logdir}/radutmp

username = %{User-Name}

case_sensitive = yes

check_with_nas = yes

perm = 0600

callerid = "yes"
}

radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}

attr_filter {
attrsfile = ${confdir}/attrs
}

counter daily 

EAP TTLS Certificate - Re-sending Access-Challenge

2005-08-22 Thread Michael Poser
Hello,

I have a problem with EAP using TTLS. I set up a second FreeRADIUS server
(1.04) with a valid certificate from TrustCenter (the certificate for the
first FR server was self-signed with openssl; it works very well). The
certificate is installed and radiusd -X comes up with no error message.

But when I want to authenticate with the SecureW2 or Odyssey client, the
authentication stops after the first Access-Request:

--8<--
rad_recv: Access-Request packet from host 10.87.80.1:3072, id=151,
length=117
User-Name = "anonymous"
NAS-IP-Address = 10.87.80.1
NAS-Port = 16
Calling-Station-Id = "00:05:4e:43:f8:1c"
NAS-Identifier = "Spielzimmer"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000e01616e6f6e796d6f7573
Message-Authenticator = 0x494893f6addf1946ac5be4d35596f0f3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 70
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 151 to 10.87.80.1:3072
EAP-Message = 0x010200160410573ff27c2d0f1c3dbaa4362e694da04f
Message-Authenticator = 0x
State = 0xc3115a008d79ac992dfde255f0e7ea2a
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.87.80.1:3072, id=151,
length=117
Sending duplicate reply to client lancom-ap:3072 - ID: 151
Re-sending Access-Challenge of id 151 to 10.87.80.1:3072
--8<--

After this, the Client sends the same packet with the same id to the Server;
it goes in circles. The working FR-Server continues after the first
Access-Request with a second Access-Request with different id and the
authentication process proceeds.

The configuration is the same as on the working FR server with self-signed
certificates.

Does anybody have a little help for this strange behavior? Maybe the
TrustCenter certificate is wrong?

Regards, Michael



RE: User-Name - Reg Expr - auth-type accept

2005-08-16 Thread Michael Poser
Hello Nicolas,

thanks a lot, this works fine :-)

regards,  Michael


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Nicolas Baradakis
> Sent: Tuesday, August 16, 2005 5:51 PM
> To: FreeRadius users mailing list
> Subject: Re: User-Name - Reg Expr - auth-type accept
> 
> Michael Poser wrote:
> 
> > The regular expression match with the Mac-Address, but 4 lines behind it,
> > the log says: "auth: No authenticate method (Auth-Type) configuration found
> > for the request:" I am confused, in the users file is the statement
> > "Auth-Type := Accept,". What is wrong?
> 
> All the check items should be on the first line.
> 
> --8<--
> DEFAULT User-Name =~ "^([0-9a-fA-F]){6}-([0-9a-fA-F]{6})$", 
> Auth-Type := Accept
>   Reply-Message = "Hallo Regulaerer Ausdruck `%{User-Name}`"
> --8<--
> 
> -- 
> Nicolas Baradakis
> 



User-Name - Reg Expr - auth-type accept

2005-08-16 Thread Michael Poser
Hello,

an extract from my users file:

--8<--
DEFAULT User-Name =~ "^([0-9a-fA-F]){6}-([0-9a-fA-F]{6})$" 
Auth-Type := Accept,
Reply-Message = "Hallo Regulaerer Ausdruck `%{User-Name}`"
--8<--

My suggestion is: every MAC address has to authenticate. But in real life it
doesn't work:

--8<--
rad_recv: Access-Request packet from host 10.87.80.1:3072, id=181, length=95
User-Name = "00022d-65fd60"
User-Password = "geheim"
NAS-IP-Address = 10.87.80.1
NAS-Identifier = "Spielzimmer"
NAS-Port-Type = Wireless-802.11
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "00022d-65fd60", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 77
radius_xlat:  'Hallo Regulaerer Ausdruck `00022d-65fd60`'
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [00022d-65fd60] (from client lancom-ap port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 181 to 10.87.80.1:3072
Reply-Message = "Hallo Regulaerer Ausdruck `00022d-65fd60`"
Waking up in 4 seconds...
--8<--

The regular expression matches the MAC address, but 4 lines below it
the log says: "auth: No authenticate method (Auth-Type) configuration found
for the request:" I am confused; in the users file there is the statement
"Auth-Type := Accept,". What is wrong?

Kind regards,

  M. Poser

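
Added example, not code from this thread or from FreeRADIUS: a small model of the users-file rule that Nicolas's reply relies on (the first line of an entry carries the name and the check items, every continuation line carries reply items). It parses the entry exactly as posted and the corrected form from the reply, applies them to a request modelled on the rad_recv block above, and shows that the posted entry matches the MAC address yet selects no Auth-Type, because "Auth-Type := Accept" landed among the reply items. The operator set, the request dictionary and the %{...} expansion are simplifications made for this example.

```python
import re

# Constructed input: the entry as posted (Auth-Type on a continuation line)
# and the corrected entry from the reply (all check items on the first line).
BROKEN_ENTRY = '''DEFAULT User-Name =~ "^([0-9a-fA-F]){6}-([0-9a-fA-F]{6})$"
Auth-Type := Accept,
Reply-Message = "Hallo Regulaerer Ausdruck `%{User-Name}`"
'''

FIXED_ENTRY = '''DEFAULT User-Name =~ "^([0-9a-fA-F]){6}-([0-9a-fA-F]{6})$", Auth-Type := Accept
  Reply-Message = "Hallo Regulaerer Ausdruck `%{User-Name}`"
'''

# Constructed request, modelled on the rad_recv block in the post.
REQUEST = {"User-Name": "00022d-65fd60", "User-Password": "geheim"}

# attribute, operator, value (quoted or bare), followed by a comma or end of line
_ITEM_RE = re.compile(
    r'\s*([\w-]+)\s*(=~|!~|:=|==|!=|<=|>=|\+=|[<>=])\s*'
    r'("(?:[^"\\]|\\.)*"|[^,\s]+)\s*(?:,|$)'
)


def _split_items(text):
    """Turn 'A =~ "x", B := y' into (attribute, operator, value) triples."""
    items = []
    for attr, op, value in _ITEM_RE.findall(text):
        if value.startswith('"'):
            value = value[1:-1]
        items.append((attr, op, value))
    return items


def parse_users_entry(text):
    """First line: name plus check items. Following lines: reply items."""
    lines = [line for line in text.splitlines() if line.strip()]
    name, _, rest = lines[0].strip().partition(" ")
    return {
        "name": name,
        "check": _split_items(rest),
        "reply": [item for line in lines[1:] for item in _split_items(line.strip())],
    }


def entry_matches(entry, request):
    """Evaluate the comparison check items; 'Auth-Type :=' is an assignment,
    not a test, so it never prevents a match."""
    for attr, op, value in entry["check"]:
        if attr == "Auth-Type":
            continue
        actual = request.get(attr)
        if actual is None:
            return False
        if op == "=~" and not re.search(value, actual):
            return False
        if op == "==" and actual != value:
            return False
    return True


def decide(entry, request):
    """Return (matched, auth_type, reply_items). auth_type is None when the
    entry sets no Auth-Type among its check items, which is the situation
    behind 'No authenticate method (Auth-Type) configuration found'."""
    if not entry_matches(entry, request):
        return (False, None, [])
    auth_type = next(
        (v for a, op, v in entry["check"] if a == "Auth-Type" and op == ":="), None
    )
    return (True, auth_type, entry["reply"])


def expand(value, request):
    """Minimal %{Attribute} expansion, like the radius_xlat line in the log."""
    return re.sub(r"%\{([\w-]+)\}", lambda m: request.get(m.group(1), ""), value)


if __name__ == "__main__":
    for label, text in (("as posted", BROKEN_ENTRY), ("corrected", FIXED_ENTRY)):
        matched, auth_type, reply = decide(parse_users_entry(text), REQUEST)
        print(label, "-> matched:", matched, "Auth-Type:", auth_type)
        for attr, op, value in reply:
            print("   reply item:", attr, op, expand(value, REQUEST))
```

With the entry as posted, the request matches and the Reply-Message is expanded (which is why the log shows the radius_xlat line and the Reply-Message in the Access-Reject), but the Auth-Type is only a reply item, so nothing selects an authentication method. Moving it onto the first line makes it a check item and the decision becomes Accept.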