attribute would not pass using PEAP, but works using MD5
Hi, I'm using wired 802.1x to authenticate users with EAP-MD5 and EAP-PEAP. The problem arises when using PEAP: the RADIUS attribute (Tunnel-Private-Group-Id) isn't passed to the switch, but if we use MD5 the server does pass the attribute. I suspect something is missing in the inner-tunnel config (I only changed one line in the authorization section, adding the ldap module). BTW, I'm using 2.0.5.

Debug for PEAP:

Framed-MTU = 1480
NAS-IP-Address = 192.168.12.130
NAS-Identifier = ProCurve Switch 2650
User-Name = testing
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = 1
Called-Station-Id = 00-1c-2e-73-85-00
Calling-Station-Id = 00-16-36-5a-f1-e4
Connect-Info = CONNECT Ethernet 100Mbps Full duplex
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 100
EAP-Message = 0x0201000c0174657374696e67
Message-Authenticator = 0x24f65e66f58f3fbc5672fd7460764248
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = testing, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry DEFAULT at line 183
++[files] returns ok
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testing
expand: (uid=%u) - (uid=testing)
expand: ou=dialup,dc=zzz,dc=com - ou=dialup,dc=zzz,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.11.17:389, authentication 0
rlm_ldap: bind as memberUid=radius,ou=admin,dc=zzz,dc=com/radiusjuga to 192.168.11.17:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter (uid=testing)
rlm_ldap: checking if remote access for testing is allowed by uid
rlm_ldap: Added User-Password = Testing10 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusLoginTime as RADIUS attribute Login-Time == WK0800-1800
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0x3139373530313942423345344631324146413133423832443930424146414137
rlm_ldap: LDAP attribute lmPassword as RADIUS attribute LM-Password == 0x3244353534353037374437423744324136443341363237433832344630323946
rlm_ldap: LDAP attribute radiusCallingStationId as RADIUS attribute Calling-Station-Id == 00-16-36-5a-f1-e4
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = 101
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN
rlm_ldap: LDAP attribute radiusFramedProtocol as RADIUS attribute Framed-Protocol = PPP
rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute Service-Type = Framed-User
rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_instance10] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-16-36-5a-f1-e4
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-16-36-5a-f1-e4
++[checkval] returns ok
++[expiration] returns noop
rlm_logintime: Checking Login-Time: 'WK0800-1800'
rlm_logintime: timestr returned accept
rlm_logintime: Session-Timeout set to: 24660
++[logintime] returns ok
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
auth: type EAP
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
} # server nispdot1x
Framed-Compression = Van-Jacobson-TCP-IP
Tunnel-Private-Group-Id:0 = 101
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Framed-Protocol = PPP
Service-Type =
Re: Freeradius Accounting using different virtual server
In 2.1.0 you can create a home_server that points to a virtual server. This means you don't need extra listen sections.

Then I really need to upgrade it.

Why does it *not work* to create multiple detail modules? See the FAQ for "it doesn't work".

Alan DeKok.

Sorry for not posting the configuration, but it has already been solved. Adding a module in the accounting section is rather different from adding one in the authentication or authorization section.

Thanks Alan

--
DISCLAIMER: The contents of this email and attachments are confidential and may be subject to legal privilege. Any unauthorized use, copying, disclosure or communicating any part of it to others is strictly prohibited and may be unlawful. If you are not the intended recipient you must not use, copy, distribute or rely on this email and should please return it immediately to the sender or notify us and delete the email and any attachments from your system. We cannot accept liability for loss or damage resulting from computer viruses. The integrity of email across the Internet cannot be guaranteed and PT BANK NISP, Tbk. will not accept liability for any claims arising as a result of the use of this medium for transmissions by or to PT BANK NISP, Tbk.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius Accounting using different virtual server
Hi, I'm using freeradius 2.0.5. Many clients authenticate against us, segmented by realm ( / IPASS). The server strips the realm from the username and proxies to localhost on a different port number (so I create many listen sections, each pointing to its own virtual server), e.g.:

realm test1/username -- will go to 127.0.0.1:1912 (auth), 127.0.0.1:1913 (acct) using virtual server link1
realm test2/username -- will go to 127.0.0.1:2012 (auth), 127.0.0.1:2013 (acct) using virtual server link2
... etc.

For 127.0.0.1 I'm using per-socket clients to differentiate each client. The problem arises when I want to differentiate each virtual server's accounting (radutmp, radwtmp, and detail file), because with the default accounting files each realm will be muddled into one file.

In the authorization and authentication sections I can create many module instances, e.g. (ldap1 ldap2 ldap3), but that does *not work* in the accounting section, e.g. (detail1 detail2 detail3). Is there a way to do this? Could someone give an example?

Thank you
Ryan Setiawan H
Re: PEAP mschapv2 using xp native supplicant
I've changed the LM and NT passwords to the hashed ones, and now it works. Thanks Alan.

And here we have it. Those are NOT valid lmPassword or ntPassword fields. You are putting the clear-text password into those fields.

The clear-text password belongs in the userPassword field.

Delete the lmPassword and ntPassword fields from the DB. They're wrong.
Re: PEAP mschapv2 using xp native supplicant
Ryan Setiawan H wrote:

Please post ALL of the debug output. I suspect that you are doing the ldap lookups OUTSIDE of the TLS tunnel rather than INSIDE.

...

repost, forgot to change the subject

I'm sorry I didn't include all the debug, because it was so large... anyway, here is the debug:

As I suspected... you are doing the LDAP lookups *outside* of the tunnel.

See raddb/sites-available/inner-tunnel. Ensure that the references to ldap are uncommented.

Alan DeKok.

Hi, I've uncommented the ldap section in inner-tunnel and also made sure the default EAP type in eap.conf is peap, but it still doesn't work. I've tried to make the EAP session go directly to the inner-tunnel server in client.conf, but I think that's not a good idea and it also doesn't work. Any other ways? Or am I missing something?

Thanks

auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: Invalid LM-Password
rlm_mschap: Invalid NT-Password
rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 0)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
++[eap] returns handled
} # server nispdot1x
EAP-Message = 0x010a00261900170301001ba41a64fc5858e400f6380342e22751610df4070fb87d66fcd1dcbb
Message-Authenticator = 0x
State = 0x252558f1222f410baf9655c23dbf74f3
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
Framed-MTU = 1480
NAS-IP-Address = 192.168.12.130
NAS-Identifier = ProCurve Switch 2650
User-Name = testing
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = 1
Called-Station-Id = 00-1c-2e-73-85-00
Calling-Station-Id = 00-16-36-5a-f1-e4
Connect-Info = CONNECT Ethernet 100Mbps Full duplex
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 1
State = 0x252558f1222f410baf9655c23dbf74f3
EAP-Message = 0x020a00261900170301001ba49c9266682a7900ffd51675496e5519722e108c0e7a1eaf33a31a
Message-Authenticator = 0xeaa952199e0cb6c5e3852ba39433eed3
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = testing, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 10 length 38
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
Re: PEAP mschapv2 using xp native supplicant
rlm_mschap: Invalid LM-Password
rlm_mschap: Invalid NT-Password

Well, that should be a hint. How about trying to add a user password in the users file? An example is in the FAQ.

When using the users file it just works; the problem arose when using the LDAP backend. In the LDAP database I've added the attributes LM-Password and NT-Password, and also added them as check items in ldap.attrmap.
Re: PEAP mschapv2 using xp native supplicant
The passwords you've added are invalid. The debug message is telling you that.

Perhaps you could try posting WHAT you entered as LM-Password and NT-Password. Odds are you entered invalid ones. Because the debug message is telling you that they're invalid.

Here are the attributes on the LDAP server for user testing:

dn: uid=testing,ou=dialup,dc=zzz,dc=com
dialupAccess: dialup
gidNumber: 1000
uid: testing
userPassword: Testing10
objectClass: posixGroup
objectClass: radiusprofile
objectClass: uidObject
objectClass: top
objectClass: sambaAccount
radiusTunnelType: VLAN
radiusTunnelMediumType: IEEE-802
cn: testing
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
rid: 1
radiusTunnelPrivateGroupId: 101
radiusCallingStationId: 00-16-36-5a-f1-e4
radiusLoginTime: WK0800-1800
lmPassword: Testing10
ntPassword: Testing10

You are making it difficult for anyone to help you. Giving out as little information as possible in every message is counter-productive.

Alan DeKok.

Sorry Alan, I don't intend to do that or make it difficult. It's just that usually people don't like a lot of text showing up and get bored reading it, so I picked the messages which I concluded had to do with the problem... I include all the debug below.

Thanks for your help

Framed-MTU = 1480
NAS-IP-Address = 192.168.12.130
NAS-Identifier = ProCurve Switch 2650
User-Name = testing
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = 1
Called-Station-Id = 00-1c-2e-73-85-00
Calling-Station-Id = 00-16-36-5a-f1-e4
Connect-Info = CONNECT Ethernet 100Mbps Full duplex
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 1
EAP-Message = 0x0201000c0174657374696e67
Message-Authenticator = 0x58d7a85d7797a6a111db87923f69e24a
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = testing, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry DEFAULT at line 183
++[files] returns ok
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testing
expand: (uid=%u) - (uid=testing)
expand: ou=dialup,dc=zzz,dc=com - ou=dialup,dc=zzz,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter (uid=testing)
rlm_ldap: checking if remote access for testing is allowed by uid
rlm_ldap: Added User-Password = Testing10 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusLoginTime as RADIUS attribute Login-Time == WK0800-1800
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0x54657374696e673130
rlm_ldap: LDAP attribute lmPassword as RADIUS attribute LM-Password == 0x54657374696e673130
rlm_ldap: LDAP attribute radiusCallingStationId as RADIUS attribute Calling-Station-Id == 00-16-36-5a-f1-e4
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = 101
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN
rlm_ldap: LDAP attribute radiusFramedProtocol as RADIUS attribute Framed-Protocol = PPP
rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute Service-Type = Framed-User
rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_instance10] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-16-36-5a-f1-e4
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-16-36-5a-f1-e4
++[checkval] returns ok
++[expiration] returns noop
rlm_logintime: Checking Login-Time: 'WK0800-1800'
rlm_logintime: timestr returned accept
rlm_logintime: Session-Timeout set to: 31800
++[logintime] returns ok
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Re: Freeradius-Users Digest, Vol 40, Issue 3
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm! Cancelling invalid proxy request.
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 0)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
++[eap] returns handled
} # server nispdot1x
EAP-Message = 0x010a00261900170301001bf310bdd3b5003f17e6b384f8d72a7a9c7a874b3b2ae817450b07cd
Message-Authenticator = 0x
State = 0x1fa720c117ad3925bd7da50678295fc0
Finished request 12.
Going to the next request
Waking up in 4.6 seconds.
Framed-MTU = 1480
NAS-IP-Address = 192.168.12.130
NAS-Identifier = ProCurve Switch 2650
User-Name = testing
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = 1
Called-Station-Id = 00-1c-2e-73-85-00
Calling-Station-Id = 00-16-36-5a-f1-e4
Connect-Info = CONNECT Ethernet 100Mbps Full duplex
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 1
State = 0x1fa720c117ad3925bd7da50678295fc0
EAP-Message = 0x020a00261900170301001bc69a12bf5d23b5dedc2c6c8d537f8577436b7bded7dee8eb290178
Message-Authenticator = 0x2a7e10fb4deef91301ba11f38f970f39
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = testing, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 10 length 38
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 1 cli 00-16-36-5a-f1-e4)
} # server nispdot1x
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - testing
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
EAP-Message = 0x040a0004
Message-Authenticator = 0x
Waking up in 3.6 seconds.
Cleaning up request 4 ID 9 with timestamp +540
Cleaning up request 5 ID 10 with timestamp +540
Waking up in 0.1 seconds.
Cleaning up request 6 ID 11 with timestamp +540
Cleaning up request 7 ID 12 with timestamp +540
Cleaning up request 8 ID 13 with timestamp +540
Cleaning up request 9 ID 14 with timestamp +540
Cleaning up request 10 ID 15 with timestamp +540
Cleaning up request 11 ID 16 with timestamp +540
Cleaning up request 12 ID 17 with timestamp +540
Waking up in 1.0 seconds.
Cleaning up request 13 ID 18 with timestamp +540
Ready to process requests.

Thank You
Ryan Setiawan H
Re: PEAP mschapv2 using xp native supplicant
] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "testing", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
rlm_eap: EAP packet type response id 9 length 66
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm! Cancelling invalid proxy request.
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 0)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
++[eap] returns handled
} # server nispdot1x
EAP-Message = 0x010a00261900170301001bf310bdd3b5003f17e6b384f8d72a7a9c7a874b3b2ae817450b07cd
Message-Authenticator = 0x
State = 0x1fa720c117ad3925bd7da50678295fc0
Finished request 12.
Going to the next request
Waking up in 4.6 seconds.
Framed-MTU = 1480
NAS-IP-Address = 192.168.12.130
NAS-Identifier = "ProCurve Switch 2650"
User-Name = "testing"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-1c-2e-73-85-00"
Calling-Station-Id = "00-16-36-5a-f1-e4"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0x1fa720c117ad3925bd7da50678295fc0
EAP-Message = 0x020a00261900170301001bc69a12bf5d23b5dedc2c6c8d537f8577436b7bded7dee8eb290178
Message-Authenticator = 0x2a7e10fb4deef91301ba11f38f970f39
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testing", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 10 length 38
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 1 cli 00-16-36-5a-f1-e4)
} # server nispdot1x
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - testing
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
EAP-Message = 0x040a0004
Message-Authenticator = 0x
Waking up in 3.6 seconds.
Cleaning up request 4 ID 9 with timestamp +540
Cleaning up request 5 ID 10 with timestamp +540
Waking up in 0.1 seconds.
Cleaning up request 6 ID 11 with timestamp +540
Cleaning up request 7 ID 12 with timestamp +540
Cleaning up request 8 ID 13 with timestamp +540
Cleaning up request 9 ID 14 with timestamp +540
Cleaning up request 10 ID 15 with timestamp +540
Cleaning up request 11 ID 16 with timestamp +540
Cleaning up request 12 ID 17 with timestamp +540
Waking up in 1.0 seconds.
Cleaning up request 13 ID 18 with timestamp +540
Ready to process requests.

Thank You
Ryan Setiawan H
PEAP mschapv2 using xp native supplicant
Hi all, I'm using EAP for authentication on wired connections (using freeradius 2.0.5 and an LDAP backend). Most of our clients are Windows machines, so there is little choice of EAP type: EAP-MD5 and PEAP-MSCHAPv2. Using EAP-MD5 there isn't any problem; the problem begins with PEAP-MSCHAPv2. The debug:

rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=xxx,dc=com, with filter (uid=testing)
rlm_ldap: checking if remote access for testing is allowed by uid
rlm_ldap: Added User-Password = Testing10 in check items

--- clearly freeradius can see the password, and it's clear text :) Below I also add the samba schema that contains the LM and NT password ---

rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusLoginTime as RADIUS attribute Login-Time == Wk0800-1800
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0x54657374696e6731
rlm_ldap: LDAP attribute lmPassword as RADIUS attribute LM-Password == 0x54657374696e6731
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = 101
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN
rlm_ldap: LDAP attribute radiusFramedProtocol as RADIUS attribute Framed-Protocol = PPP
rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute Service-Type = Framed-User
rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0

--- the mschap module says there is no clear text password and it also can't create the LM and NT password ---

+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 0)
PEAP: Tunneled authentication was rejected.

Can anyone help? Thanks

Ryan Setiawan H
Re: PEAP mschapv2 using xp native supplicant
Oh, and also: when using the users file PEAP just runs with no problem; the problem arises only when using LDAP.

Thanks,
Ryan Setiawan H
Re: about EAP using 1.1.7 and 2.0.3
Alan wrote:
> hi, as Alan stated - your NAS doesn't seem to be getting the responses from your server. Some ACL or routing issue? (Stick a sniffer directly in front of the switch... if you need to, you may need to have a 'port mirror' or somesuch from the switch that feeds that switch if traffic is on a mgmt VLAN and .1q trunking is involved etc.)
>
> Don't worry about the errors from the ./configure - unless you are using any of those technologies (postgresql, oracle, TNC or IKEv2) - your server is 'normal'.
>
> alan

Hi all,

It's partially solved... I'm using one server as the RADIUS server and as the VLAN trunk that feeds the switch tagged packets, and the server is also the gateway... After I used another server for RADIUS, it works. Yeah, the 1.1.7 RADIUS is on another machine (that's why it works)... so it's clear this is not about the FreeRADIUS version.

Thanks a lot, all, for your time,
Ryan Setiawan H
about EAP using 1.1.7 and 2.0.3
Hi All,

I've an issue with EAP in 802.1X. Right now I'm trying EAP-MD5 for 802.1X using FreeRADIUS 2.0.3 and a ProCurve switch; sadly it doesn't work, but when I am using FreeRADIUS 1.1.7 it works smoothly. I've tried not only the native Windows XP SP2 supplicant but also wpa_supplicant; both don't work with FreeRADIUS 2. I've also tried reinstalling FreeRADIUS 2.0.3 (I forgot, using Mercurial); I thought I had misconfigured something, but even using a fresh-from-the-oven configuration it still just doesn't work. Here is the debug:

    Sending duplicate reply to client test port 1024 - ID: 4
    Cleaning up request 2 ID 4 with timestamp +46
    Ready to process requests.
    Framed-MTU = 1480
    NAS-IP-Address = 192.168.12.130
    NAS-Identifier = ProCurve Switch 2650
    User-Name = testing
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 1
    NAS-Port-Type = Ethernet
    NAS-Port-Id = 1
    Called-Station-Id = 00-1c-2e-73-85-00
    Calling-Station-Id = 00-0a-e4-13-58-c7
    Connect-Info = CONNECT Ethernet 100Mbps Full duplex
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 1
    EAP-Message = 0x023a000c0174657374696e67
    Message-Authenticator = 0x55d6fa8c198752bd6c62c351b234a57b
    +- entering group authorize
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    rlm_realm: No '@' in User-Name = testing, looking up realm NULL
    rlm_realm: No such realm NULL
    ++[suffix] returns noop
    rlm_eap: EAP packet type response id 58 length 12
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[unix] returns notfound
    users: Matched entry testing at line 102
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    rlm_pap: Found existing Auth-Type, not changing it.
    ++[pap] returns noop
    rad_check_password: Found Auth-Type EAP
    !!!
    !!!  Replacing User-Password in config items with Cleartext-Password.  !!!
    !!!
    !!!  Please update your configuration so that the known good  !!!
    !!!  clear text password is in Cleartext-Password, and not in User-Password.  !!!
    !!!
    auth: type EAP
    +- entering group authenticate
    rlm_eap: EAP Identity
    rlm_eap: processing type md5
    rlm_eap_md5: Issuing Challenge
    ++[eap] returns handled
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 2
    NAS-Port-Type = Ethernet
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 101
    EAP-Message = 0x013b001604101fee1ce904aea0659f790123de5bc761
    Message-Authenticator = 0x
    State = 0x9e1dcf679e26cbc870b5fae6a11d133d
    Finished request 3.
    Going to the next request
    Waking up in 4.9 seconds.
    Sending duplicate reply to client test port 1024 - ID: 4

--- any clue what this is? ---

    Cleaning up request 3 ID 4 with timestamp +56
    Ready to process requests.

From wpa_supplicant's debug it breaks right before the EAP method message, so it (the supplicant) doesn't receive any MD5 Challenge from RADIUS. Does anyone have the same problem? I'd really appreciate any help.

Thank you,
Ryan Setiawan H
Re: about EAP using 1.1.7 and 2.0.3
> Ryan Setiawan H wrote:
>
> Use 2.0.5. Or, install raddb/sites-available/inner-tunnel from the source tree.
>
> Alan DeKok.

Hi Alan,

Thanks for the reply. I've updated to FreeRADIUS 2.0.5, but it still doesn't show a result; the debug is still the same. Here is the debug:

    rad_recv: Access-Request packet from host 192.168.12.130 port 1024, id=27, length=213
    Framed-MTU = 1480
    NAS-IP-Address = 192.168.12.130
    NAS-Identifier = ProCurve Switch 2650
    User-Name = testing
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 1
    NAS-Port-Type = Ethernet
    NAS-Port-Id = 1
    Called-Station-Id = 00-1c-2e-73-85-00
    Calling-Station-Id = 00-0a-e4-13-b8-87
    Connect-Info = CONNECT Ethernet 100Mbps Full duplex
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 1
    EAP-Message = 0x0261000c0174657374696e67
    Message-Authenticator = 0xf267668d55a632d7f6ff3b2b94735eca
    +- entering group authorize
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    rlm_realm: No '@' in User-Name = testing, looking up realm NULL
    rlm_realm: No such realm NULL
    ++[suffix] returns noop
    rlm_eap: EAP packet type response id 97 length 12
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[unix] returns notfound
    users: Matched entry testing at line 61
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    rlm_pap: Found existing Auth-Type, not changing it.
    ++[pap] returns noop
    rad_check_password: Found Auth-Type EAP
    auth: type EAP
    +- entering group authenticate
    rlm_eap: EAP Identity
    rlm_eap: processing type md5
    rlm_eap_md5: Issuing Challenge
    ++[eap] returns handled
    Sending Access-Challenge of id 27 to 192.168.12.130 port 1024
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 1
    NAS-Port-Type = Ethernet
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 101
    EAP-Message = 0x016200160410706dc9d0aeae1c2c1fe2d41a5f8cc84a
    Message-Authenticator = 0x
    State = 0xba2a19f0ba481d03bf0d1926ffd8f60a
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 192.168.12.130 port 1024, id=27, length=213
    Sending duplicate reply to client local port 1024 - ID: 27
    Sending Access-Challenge of id 27 to 192.168.12.130 port 1024
    Cleaning up request 0 ID 27 with timestamp +164
    Ready to process requests.
    rad_recv: Access-Request packet from host 192.168.12.130 port 1024, id=27, length=213
    Framed-MTU = 1480
    NAS-IP-Address = 192.168.12.130
    NAS-Identifier = ProCurve Switch 2650
    User-Name = testing
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 1
    NAS-Port-Type = Ethernet
    NAS-Port-Id = 1
    Called-Station-Id = 00-1c-2e-73-85-00
    Calling-Station-Id = 00-0a-e4-13-b8-87
    Connect-Info = CONNECT Ethernet 100Mbps Full duplex
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 1
    EAP-Message = 0x0261000c0174657374696e67
    Message-Authenticator =

--- I'm not sure it will help, but I include the configure warnings for 2.0.5: ---

    config.status: WARNING:  ./Make.inc.in seems to ignore the --datarootdir setting
    config.status: WARNING:  ./src/include/build-radpaths-h.in seems to ignore the --datarootdir setting
    chmod: check-radiusd-config: No such file or directory
    configure: WARNING: silently not building rlm_eap_ikev2.
    configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h.
    configure: WARNING: the TNCS library isn't found!
    configure: WARNING: silently not building rlm_eap_tnc.
    configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.
    configure: WARNING: silently not building rlm_krb5.
    configure: WARNING: FAILURE: rlm_krb5 requires: krb5.
    configure: WARNING: silently not building rlm_sql_iodbc.
    configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
    configure: WARNING: silently not building rlm_sql_postgresql.
    configure: WARNING: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.
    configure: WARNING: oracle headers not found. Use --with-oracle-home-dir=path.
    configure: WARNING: silently not building rlm_sql_oracle.
    configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
    configure: WARNING: silently not building rlm_sql_unixodbc.
    configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.

- I'm using the default configuration; I only changed client.conf and users. There is a clue: when I looked at the debug from 1.1.7, the second Access-Request had a different id, but in this debug it has the same id (that is, 27), maybe because
Re: [Fwd: LDAP CHAP born again]
Alan DeKok wrote:
> > Try installing 2.0.5 in a separate directory and configuring it. Odds are it will work.
> in time I will try install it, but if i can't make this ( LDAP CHAP ) clear... definitely I will encounter the same problem again :)
>
> 2.0.5 has many, many fixes that aren't in 1.1.7. Some things that are difficult to impossible in 1.1.7 are easy in 2.0.5.
>
> Alan DeKok.

Right now I have already installed 2.0.3, because the dependencies are just like 1.1.7 :D Wow, a lot of changes I see... but here we go, the debug:

    User-Name = testing
    CHAP-Password = 0xee8f74f97f724f06e54a9862f98ccef299
    +- entering group authorize
    ++[preprocess] returns ok
    rlm_chap: Setting 'Auth-Type := CHAP'
    ++[chap] returns ok
    ++[mschap] returns noop
    rlm_realm: No '@' in User-Name = testing, looking up realm NULL
    rlm_realm: No such realm NULL
    ++[suffix] returns noop
    rlm_eap: No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    ++[files] returns noop
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for testing
    expand: (uid=%u) -> (uid=testing)
    expand: ou=dialup,dc=zzz,dc=com -> ou=dialup,dc=zzz,dc=com
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to 192.168.11.17:389, authentication 0
    rlm_ldap: bind as memberUid=radius,ou=admin,dc=zzz,dc=com/radiusjuga to 192.168.11.17:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter (uid=testing)
    rlm_ldap: Password header not found in password Testing10 for user testing
    rlm_ldap: Added User-Password = Testing10 in check items

--cut-- "Added User-Password = Testing10 in check items": this is the debug output difference compared to 1.1.7 --cut--

    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user testing authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[ldap] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    rlm_pap: Found existing Auth-Type, not changing it.
    ++[pap] returns noop
    rad_check_password: Found Auth-Type CHAP
    !!!
    !!!  Replacing User-Password in config items with Cleartext-Password.  !!!
    !!!
    !!!  Please update your configuration so that the known good  !!!
    !!!  clear text password is in Cleartext-Password, and not in User-Password.  !!!
    !!!
    auth: type CHAP
    +- entering group CHAP
    rlm_chap: login attempt by testing with CHAP password
    rlm_chap: Using clear text password Testing10 for user testing authentication.
    rlm_chap: chap user testing authenticated succesfully
    ++[chap] returns ok
    Login OK: [testing/CHAP-Password] (from client local port 0)
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.

It just works :D Thanks, Alan. However, there is this strange string:

    Please update your configuration so that the known good
    clear text password is in Cleartext-Password, and not in User-Password.

After digging on freeradius.org, I see people also have this minor problem, and in a mail you say to change the attribute userPassword to cleartext-password. But in the OpenLDAP v3 schema there isn't any attribute called cleartext-password... Is there any explanation for this... anyone, if you don't mind :). Still digging in the OpenLDAP forum :)

Thanks,
Ryan Setiawan H
[Fwd: LDAP CHAP born again]
Hi all,

I've researched (googled) LDAP and CHAP :D, but until now it still doesn't work... Here is the debug, and btw I'm using freeradius-1.1.7_2:

    rad_recv: Access-Request packet from host 192.168.8.88:4609, id=30, length=48
    User-Name = testing
    CHAP-Password = 0x30e3e28c521fe0d81b988d2475dae76f3f

--cut--

    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter (uid=testing)
    rlm_ldap: checking if remote access for testing is allowed by dialupAccess
    rlm_ldap: Password header not found in password Testing1 for user testing

---cut---

* As you can see, the RADIUS module rlm_ldap can see the password for user testing. Here is the next part:

    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user testing authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns ok for request 0
    rlm_chap: Setting 'Auth-Type := CHAP'
    modcall[authorize]: module chap returns ok for request 0
    modcall[authorize]: module mschap returns noop for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    rlm_realm: No '/' in User-Name = testing, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module IPASS returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module eap returns noop for request 0
    modcall: leaving group authorize (returns ok) for request 0
    rad_check_password: Found Auth-Type CHAP
    auth: type CHAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group CHAP for request 0
    rlm_chap: login attempt by testing with CHAP password
    rlm_chap: Could not find clear text password for user testing
    modcall[authenticate]: module chap returns invalid for request 0
    modcall: leaving group CHAP (returns invalid) for request 0
    auth: Failed to validate the user.

--cut--

* This is a classic problem, but until now there hasn't been any straight answer for it. Based on the FAQ at http://wiki.freeradius.org/index.php/FAQ#How_do_I_make_CHAP_work_with_LDAP.3F, it is possible to use CHAP with an LDAP backend; there is also a clue that parameters like

    password_header = {clear}
    password_attribute = userPassword
    password_radius_attribute = User-Password

must be set, but how? I'm still trying to read the code (like rlm_chap.c) to see what attribute rlm_chap reads for the password that was passed by the ldap module, but it is so arcane, and debugging code is twice as hard as writing the code in the first place. Does anyone have a solution for this matter?
Re: [Fwd: LDAP CHAP born again]
Hi Alan, thanks for your reply.

Alan DeKok wrote:
> If the LDAP server gives FreeRADIUS the clear-text password, then CHAP should work.

Yes, the LDAP server already gave the clear text password; you can see it in the debug below:

    rad_recv: Access-Request packet from host 192.168.8.88:4609, id=30, length=48
    User-Name = testing
    CHAP-Password = 0x30e3e28c521fe0d81b988d2475dae76f3f

--cut--

    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter (uid=testing)
    rlm_ldap: checking if remote access for testing is allowed by dialupAccess
    rlm_ldap: Password header not found in password Testing1 for user testing

> And does CHAP work for this user?

No... What I mean is that the ldap module (rlm_ldap) could see the password for user testing, that is Testing1 (yes, this is the password). The LDAP module should pass this clear text password (Testing1) to the CHAP module to authenticate.

> > also there is clue where parameter like password_header = {clear} password_attribute = userPassword password_radius_attribute = User-Password must be set but how?
>
> In the ldap section of radiusd.conf, where the LDAP parameters are configured.

Yes, I've configured those strings in the ldap section of radiusd.conf... For password_attribute, clearly it must contain userPassword (the attribute in which the LDAP server keeps the password), but how about password_radius_attribute? From the FAQ, password_radius_attribute is the RADIUS attribute where the user password will be stored after being extracted from LDAP. Should password_radius_attribute contain the string User-Password or Clear-text Password or maybe CHAP-Password? What attribute does CHAP read for authentication?

> > i'm still trying to read the code ( like rlm_chap.c ) to see what attribut does rlm_chap read for the password that was passed by the module ldap. but it is so arcane and debuging code twice hard as writing the code at first place
>
> Don't read the code. It won't help you.

Yeah... it's killing me (the code) :D

> > anyone has solution for this matter?
>
> Try installing 2.0.5 in a separate directory and configuring it. Odds are it will work.

In time I will try to install it, but if I can't make this (LDAP CHAP) clear... I will definitely encounter the same problem again :)

Thank You,
Ryan Setiawan H
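As an added illustration of why this CHAP thread (and the "LDAP CHAP born again" posts above it) keeps coming back to the clear-text password, the script below is example code, not from the original posts and not part of FreeRADIUS: it applies the password_header rule to a userPassword value and verifies a RADIUS CHAP-Password the way RFC 2865/RFC 1994 define it, MD5 over the CHAP ident, the clear-text password and the challenge. The challenge value and the stored userPassword strings are constructed; the 17-byte CHAP-Password layout (ident plus 16-byte digest) matches the attribute shown in the debug, and treating {cleartext} like {clear} is an assumption of this example.

```python
import hashlib
import hmac


def split_password_header(stored: str):
    """Split an LDAP userPassword value such as '{clear}Testing1' into (header, value).
    A value with no header comes back as (None, value), the case rlm_ldap reports as
    'Password header not found in password ... for user ...'."""
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 1:
            return stored[1:end].lower(), stored[end + 1:]
    return None, stored


def cleartext_from_userpassword(stored: str):
    """Return the clear-text password if the directory really stores one, else None.
    Hashed forms ({SSHA}, {CRYPT}, ...) cannot be used for CHAP at all, because the
    server must recompute the MD5 response over the password itself."""
    header, value = split_password_header(stored)
    if header is None or header in ("clear", "cleartext"):   # {cleartext}: assumption
        return value
    return None


def chap_password(ident: int, password: str, challenge: bytes) -> bytes:
    """Build the RADIUS CHAP-Password value: ident || MD5(ident || password || challenge)."""
    digest = hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()
    return bytes([ident]) + digest


def verify_chap(chap_pw: bytes, challenge: bytes, stored_userpassword: str) -> bool:
    """What rlm_chap has to do: obtain the clear text, recompute, compare in constant time."""
    if len(chap_pw) != 17:                  # 1 ident byte + 16-byte MD5 digest
        return False
    cleartext = cleartext_from_userpassword(stored_userpassword)
    if cleartext is None:                   # 'Could not find clear text password for user ...'
        return False
    expected = chap_password(chap_pw[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_pw)


# Constructed example: a 16-byte challenge (in RADIUS this is the Request Authenticator
# or a CHAP-Challenge attribute) and a client that knows the password Testing1.
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
CLIENT_RESPONSE = chap_password(0xEE, "Testing1", CHALLENGE)

if __name__ == "__main__":
    for stored in ("{clear}Testing1", "Testing1", "{SSHA}not-a-clear-text-value"):
        print(f"{stored:32} -> CHAP ok: {verify_chap(CLIENT_RESPONSE, CHALLENGE, stored)}")
```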