attribute would not pass using PEAP, but work using MD5

2008-09-23 Thread Ryan Setiawan H

Hi,
   I'm using wired 802.1X to authenticate users with EAP-MD5 and EAP-PEAP. 
The problem arises when using PEAP: the RADIUS attribute 
(Tunnel-Private-Group-Id) isn't passed to the switch, but if we use MD5 
the server passes the attribute. I suspect something is missing in the 
inner-tunnel config (I only changed one line in the authorization section, 
adding the ldap module). BTW, I'm using 2.0.5.


debug for PEAP:

   Framed-MTU = 1480
   NAS-IP-Address = 192.168.12.130
   NAS-Identifier = ProCurve Switch 2650
   User-Name = testing
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 00-1c-2e-73-85-00
   Calling-Station-Id = 00-16-36-5a-f1-e4
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 100
   EAP-Message = 0x0201000c0174657374696e67
   Message-Authenticator = 0x24f65e66f58f3fbc5672fd7460764248
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = testing, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: EAP packet type response id 1 length 12
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
   users: Matched entry DEFAULT at line 183
++[files] returns ok
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testing
   expand: (uid=%u) - (uid=testing)
   expand: ou=dialup,dc=zzz,dc=com - ou=dialup,dc=zzz,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.11.17:389, authentication 0
rlm_ldap: bind as memberUid=radius,ou=admin,dc=zzz,dc=com/radiusjuga to 
192.168.11.17:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter 
(uid=testing)

rlm_ldap: checking if remote access for testing is allowed by uid
rlm_ldap: Added User-Password = Testing10 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusLoginTime as RADIUS attribute Login-Time 
== WK0800-1800
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 
0x3139373530313942423345344631324146413133423832443930424146414137
rlm_ldap: LDAP attribute lmPassword as RADIUS attribute LM-Password == 
0x3244353534353037374437423744324136443341363237433832344630323946
rlm_ldap: LDAP attribute radiusCallingStationId as RADIUS attribute 
Calling-Station-Id == 00-16-36-5a-f1-e4

rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute 
Tunnel-Private-Group-Id:0 = 101
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute 
Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute 
Tunnel-Type:0 = VLAN
rlm_ldap: LDAP attribute radiusFramedProtocol as RADIUS attribute 
Framed-Protocol = PPP
rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute 
Service-Type = Framed-User

rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_instance10] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-16-36-5a-f1-e4
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-16-36-5a-f1-e4
++[checkval] returns ok
++[expiration] returns noop
rlm_logintime: Checking Login-Time: 'WK0800-1800'
rlm_logintime: timestr returned accept
rlm_logintime: Session-Timeout set to: 24660
++[logintime] returns ok
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
 rad_check_password:  Found Auth-Type EAP
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
auth: type EAP
+- entering group authenticate
 rlm_eap: EAP Identity
 rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
} # server nispdot1x
   Framed-Compression = Van-Jacobson-TCP-IP
   Tunnel-Private-Group-Id:0 = 101
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Type:0 = VLAN
   Framed-Protocol = PPP
   Service-Type = 
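The point Alan makes later in this thread is that with PEAP the inner identity is handled in a separate virtual server (the `inner-tunnel` server named in the `peap` section of eap.conf), so an LDAP lookup that only runs in the outer server does not feed the tunneled authentication. The following scanner is an added example, not code from the thread or from FreeRADIUS: it walks `radiusd -X` output, tracks the nested `server X {` / `} # server X` blocks, and reports in which virtual server rlm_ldap ran and where the VLAN reply items were produced. The two sample logs are constructed, shaped like the outer-server lines quoted above; the inner-tunnel server name is assumed to be the default `inner-tunnel`.

```python
import re

# Line formats follow the FreeRADIUS 2.x debug output quoted in the thread.
SERVER_OPEN = re.compile(r'^server (\S+) \{$')
SERVER_CLOSE = re.compile(r'^\} # server (\S+)$')
EAP_TYPE = re.compile(r'rlm_eap: processing type (\S+)')
LDAP_AUTHZ = re.compile(r'rlm_ldap: performing user authorization for (\S+)')
TUNNEL_REPLY = re.compile(r'as RADIUS attribute (Tunnel-[\w-]+):0 = (\S+)')


def scan_debug(text):
    """Walk the debug output, tracking the (possibly nested) virtual-server blocks."""
    stack = []            # open "server X {" blocks, innermost last
    eap_types = set()     # EAP methods seen (md5, peap, mschapv2, ...)
    ldap_servers = set()  # virtual servers in which rlm_ldap authorized a user
    tunnel_items = []     # (virtual server, attribute, value) for VLAN reply items
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_OPEN.match(line)
        if m:
            stack.append(m.group(1))
            continue
        if SERVER_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        where = stack[-1] if stack else '(outside any server block)'
        m = EAP_TYPE.search(line)
        if m:
            eap_types.add(m.group(1))
        if LDAP_AUTHZ.search(line):
            ldap_servers.add(where)
        m = TUNNEL_REPLY.search(line)
        if m:
            tunnel_items.append((where, m.group(1), m.group(2)))
    return {'eap_types': eap_types, 'ldap_servers': ldap_servers,
            'tunnel_items': tunnel_items}


def diagnose(summary, inner='inner-tunnel'):
    """Findings for a PEAP session: the lookup for the inner identity must
    happen in the inner-tunnel virtual server, and reply items produced there
    only reach the outer Access-Accept with use_tunneled_reply = yes."""
    findings = []
    if 'peap' not in summary['eap_types']:
        return findings
    outer = sorted(s for s in summary['ldap_servers'] if s != inner)
    if outer:
        findings.append('ldap ran outside the tunnel: %s' % ', '.join(outer))
    if inner not in summary['ldap_servers']:
        findings.append('ldap never ran in %s' % inner)
    for where, attr, value in summary['tunnel_items']:
        if where == inner:
            findings.append('%s = %s came from %s; needs use_tunneled_reply = yes '
                            'in the peap section to reach the outer Access-Accept'
                            % (attr, value, inner))
    return findings


# Constructed sample shaped like the thread's debug: ldap runs in the outer
# server "nispdot1x", and PEAP is processed in that same server.
OUTER_ONLY = """\
server nispdot1x {
+- entering group authorize
rlm_ldap: performing user authorization for testing
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = 101
++[ldap_instance10] returns ok
+- entering group authenticate
 rlm_eap: processing type peap
} # server nispdot1x
"""

# Constructed sample of the intended shape: PEAP in the outer server, ldap in
# the nested inner-tunnel server that handles the tunneled identity.
INNER_TUNNEL = """\
server nispdot1x {
 rlm_eap: processing type peap
server inner-tunnel {
+- entering group authorize
rlm_ldap: performing user authorization for testing
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = 101
 rlm_eap: processing type mschapv2
} # server inner-tunnel
} # server nispdot1x
"""

if __name__ == '__main__':
    for name, sample in (('outer only', OUTER_ONLY), ('inner tunnel', INNER_TUNNEL)):
        print(name, diagnose(scan_debug(sample)))
```

Run it against a full `radiusd -X` capture (`python3 scan.py < debug.txt` after replacing the samples with `sys.stdin.read()`) to see at a glance whether the user's lookup happened inside or outside the TLS tunnel.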

Re: Freeradius Accounting using different virtual server

2008-09-19 Thread Ryan Setiawan H


 In 2.1.0 you can create a home_server that points to a virtual 
server. This means you don't need extra listen sections. 

Then I really need to upgrade it
Why does it *not work* to create multiple detail modules? See the FAQ 
for "it doesn't work". Alan DeKok.
Sorry for not posting the configuration, but it has been solved already. 
Adding a module in the accounting section is rather different from the 
authentication or authorization sections.


Thanks Alan

--
DISCLAIMER:

The contents of this email and attachments are confidential and may be subject 
to legal privilege. Any unauthorized use, copying, disclosure or communicating 
any part of it to others is strictly prohibited and may be unlawful. If you are 
not the intended recipient you must not use, copy, distribute or rely on this 
email and should please return it immediately to the sender or notify us and 
delete the email and any attachments from your system. We cannot accept 
liability for loss or damage resulting from computer viruses. The integrity of 
email across the Internet cannot be guaranteed and PT BANK NISP, Tbk. will not 
accept liability for any claims arising as a result of the use of this medium 
for transmissions by or to PT BANK NISP, Tbk.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius Accounting using different virtual server

2008-09-18 Thread Ryan Setiawan H

Hi,
   I'm using freeradius 2.0.5... many clients authenticate against us, 
segmented by realm ( / IPASS). The server will strip the username realm 
and proxy to localhost on a different port number (so I create many 
listen sections, each pointing to its own virtual server), e.g. like this:
realm test1/username -- will go to 127.0.0.1:1912 (auth) 127.0.0.1:1913 
(acct) using virtual server link1
realm test2/username -- will go to 127.0.0.1:2012 (auth) 
127.0.0.1:2013 (acct) using virtual server link2 .. etc

For 127.0.0.1 I'm using per-socket clients to differentiate each client. 
The problem arises when I want to differentiate each virtual server's 
accounting (radutmp, radwtmp, and detail file), because using the default 
accounting file each realm will be muddled into one file. In the 
authorization and authentication sections I can create many instances, 
e.g. (ldap1 ldap2 ldap3), but that does *not work* in the accounting 
section, e.g. (detail1 detail2 detail3). Is there a way to do this? Could 
someone give an example?


Thank you
Ryan Setiawan H



Re: PEAP mschapv2 using xp native supplicant

2008-08-27 Thread Ryan Setiawan H
I've changed the LM and NT passwords to hashed ones, and now it works. 
Thanks Alan

  And here we have it.  Those are NOT valid lmPassword or ntPassword
fields.  You are putting the clear-text password into those fields.  The
clear-text password belongs in the userPassword field.

  Delete the lmPassword and ntPassword fields from the DB.  They're wrong.
  




Re: PEAP mschapv2 using xp native supplicant

2008-08-26 Thread Ryan Setiawan H



Ryan Setiawan H wrote:
  

  Please post ALL of the debug output.  I suspect that you are doing the
ldap lookups OUTSIDE of the TLS tunnel rather than INSIDE.
  

...
  

Repost, forgot to change the subject.
I'm sorry I didn't include all the debug, because it was so large...
Anyway, here is the debug:



  As I suspected... you are doing the LDAP lookups *outside* of the
tunnel.  See raddb/sites-available/inner-tunnel.  Ensure that the
references to ldap are uncommented.

  Alan DeKok.
  
Hi, I've uncommented the ldap section in inner-tunnel and also made sure 
the default EAP type in eap.conf is peap, but it still doesn't work. I've 
tried to make the EAP session go directly to the inner-tunnel server in 
clients.conf, but I think that's not a good idea and it also doesn't work. 
Any other ways? Or am I missing something?

Thanks

auth: type EAP
+- entering group authenticate
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/mschapv2
 rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: Invalid LM-Password
rlm_mschap: Invalid NT-Password
 rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
 rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 0)
 PEAP: Tunneled authentication was rejected.
 rlm_eap_peap: FAILURE
++[eap] returns handled
} # server nispdot1x
   EAP-Message = 0x010a00261900170301001ba41a64fc5858e400f6380342e22751610df4070fb87d66fcd1dcbb

   Message-Authenticator = 0x
   State = 0x252558f1222f410baf9655c23dbf74f3
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
   Framed-MTU = 1480
   NAS-IP-Address = 192.168.12.130
   NAS-Identifier = ProCurve Switch 2650
   User-Name = testing
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 00-1c-2e-73-85-00
   Calling-Station-Id = 00-16-36-5a-f1-e4
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 1
   State = 0x252558f1222f410baf9655c23dbf74f3
   EAP-Message = 0x020a00261900170301001ba49c9266682a7900ffd51675496e5519722e108c0e7a1eaf33a31a

   Message-Authenticator = 0xeaa952199e0cb6c5e3852ba39433eed3
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = testing, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: EAP packet type response id 10 length 38
 rlm_eap: Continuing tunnel setup.
++[eap] returns ok
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
 rlm_eap_tls: processing TLS
 eaptls_verify returned 7
 rlm_eap_tls: Done initial handshake
 eaptls_process returned 7
 rlm_eap_peap: EAPTLS_OK
 rlm_eap_peap: Session established.  Decoding tunneled attributes.
 rlm_eap_peap: Received EAP-TLV response.
 rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in 
this session.

rlm_eap: Handler failed in EAP/peap
 rlm_eap: Failed in EAP select



Re: PEAP mschapv2 using xp native supplicant

2008-08-26 Thread Ryan Setiawan H



rlm_mschap: Invalid LM-Password
rlm_mschap: Invalid NT-Password


 Well, that should be a hint.  How about trying to add a user 
password in the users file?  An example is in the FAQ.


When using the users file it just works; the problem arose when using the LDAP backend.

In the LDAP database, I've added the attributes LM-Password and NT-Password, and 
also added them as check items in ldap.attrmap.




Re: PEAP mschapv2 using xp native supplicant

2008-08-26 Thread Ryan Setiawan H



  The passwords you've added are invalid.  The debug message is telling
you that.

  Perhaps you could try posting WHAT you entered as LM-Password and
NT-Password.  Odds are you entered invalid ones.  Because the debug
message is telling you that they're invalid.
  

Here are the attributes on the LDAP server for user testing

dn: uid=testing,ou=dialup,dc=zzz,dc=com
dialupAccess: dialup
gidNumber: 1000
uid: testing
userPassword: Testing10
objectClass: posixGroup
objectClass: radiusprofile
objectClass: uidObject
objectClass: top
objectClass: sambaAccount
radiusTunnelType: VLAN
radiusTunnelMediumType: IEEE-802
cn: testing
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
rid: 1
radiusTunnelPrivateGroupId: 101
radiusCallingStationId: 00-16-36-5a-f1-e4
radiusLoginTime: WK0800-1800
lmPassword: Testing10
ntPassword: Testing10



  You are making it difficult for anyone to help you.  Giving out as
little information as possible in every message is counter-productive.

  Alan DeKok.
  
Sorry Alan, I didn't intend to make it difficult. It's just that usually 
people don't like a lot of text showing up, which makes them bored reading 
it, so I picked the messages which I concluded had to do with the problem...

I've included all the debug below... thanks for your help

   Framed-MTU = 1480
   NAS-IP-Address = 192.168.12.130
   NAS-Identifier = ProCurve Switch 2650
   User-Name = testing
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 00-1c-2e-73-85-00
   Calling-Station-Id = 00-16-36-5a-f1-e4
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 1
   EAP-Message = 0x0201000c0174657374696e67
   Message-Authenticator = 0x58d7a85d7797a6a111db87923f69e24a
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = testing, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: EAP packet type response id 1 length 12
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
   users: Matched entry DEFAULT at line 183
++[files] returns ok
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testing
   expand: (uid=%u) - (uid=testing)
   expand: ou=dialup,dc=zzz,dc=com - ou=dialup,dc=zzz,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter 
(uid=testing)

rlm_ldap: checking if remote access for testing is allowed by uid
rlm_ldap: Added User-Password = Testing10 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusLoginTime as RADIUS attribute Login-Time 
== WK0800-1800
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 
0x54657374696e673130
rlm_ldap: LDAP attribute lmPassword as RADIUS attribute LM-Password == 
0x54657374696e673130
rlm_ldap: LDAP attribute radiusCallingStationId as RADIUS attribute 
Calling-Station-Id == 00-16-36-5a-f1-e4

rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute 
Tunnel-Private-Group-Id:0 = 101
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute 
Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute 
Tunnel-Type:0 = VLAN
rlm_ldap: LDAP attribute radiusFramedProtocol as RADIUS attribute 
Framed-Protocol = PPP
rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute 
Service-Type = Framed-User

rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_instance10] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-16-36-5a-f1-e4
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-16-36-5a-f1-e4
++[checkval] returns ok
++[expiration] returns noop
rlm_logintime: Checking Login-Time: 'WK0800-1800'
rlm_logintime: timestr returned accept
rlm_logintime: Session-Timeout set to: 31800
++[logintime] returns ok
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
 rad_check_password:  Found Auth-Type EAP
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!

Re: Freeradius-Users Digest, Vol 40, Issue 3

2008-08-07 Thread Ryan Setiawan H
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
 WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm!  
Cancelling invalid proxy request.

 rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/mschapv2
 rlm_eap: processing type mschapv2
+- entering group MS-CHAP
 rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
 rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
 rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 0)
 PEAP: Tunneled authentication was rejected.
 rlm_eap_peap: FAILURE
++[eap] returns handled
} # server nispdot1x
   EAP-Message = 0x010a00261900170301001bf310bdd3b5003f17e6b384f8d72a7a9c7a874b3b2ae817450b07cd

   Message-Authenticator = 0x
   State = 0x1fa720c117ad3925bd7da50678295fc0
Finished request 12.
Going to the next request
Waking up in 4.6 seconds.
   Framed-MTU = 1480
   NAS-IP-Address = 192.168.12.130
   NAS-Identifier = ProCurve Switch 2650
   User-Name = testing
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 00-1c-2e-73-85-00
   Calling-Station-Id = 00-16-36-5a-f1-e4
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 1
   State = 0x1fa720c117ad3925bd7da50678295fc0
   EAP-Message = 0x020a00261900170301001bc69a12bf5d23b5dedc2c6c8d537f8577436b7bded7dee8eb290178

   Message-Authenticator = 0x2a7e10fb4deef91301ba11f38f970f39
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = testing, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: EAP packet type response id 10 length 38
 rlm_eap: Continuing tunnel setup.
++[eap] returns ok
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
 rlm_eap_tls: processing TLS
 eaptls_verify returned 7
 rlm_eap_tls: Done initial handshake
 eaptls_process returned 7
 rlm_eap_peap: EAPTLS_OK
 rlm_eap_peap: Session established.  Decoding tunneled attributes.
 rlm_eap_peap: Received EAP-TLV response.
 rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in 
this session.

rlm_eap: Handler failed in EAP/peap
 rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 
1 cli 00-16-36-5a-f1-e4)

} # server nispdot1x
 Found Post-Auth-Type Reject
+- entering group REJECT
   expand: %{User-Name} - testing
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
   EAP-Message = 0x040a0004
   Message-Authenticator = 0x
Waking up in 3.6 seconds.
Cleaning up request 4 ID 9 with timestamp +540
Cleaning up request 5 ID 10 with timestamp +540
Waking up in 0.1 seconds.
Cleaning up request 6 ID 11 with timestamp +540
Cleaning up request 7 ID 12 with timestamp +540
Cleaning up request 8 ID 13 with timestamp +540
Cleaning up request 9 ID 14 with timestamp +540
Cleaning up request 10 ID 15 with timestamp +540
Cleaning up request 11 ID 16 with timestamp +540
Cleaning up request 12 ID 17 with timestamp +540
Waking up in 1.0 seconds.
Cleaning up request 13 ID 18 with timestamp +540
Ready to process requests.

Thank You
Ryan Setiawan H



Re: PEAP mschapv2 using xp native supplicant

2008-08-07 Thread Ryan Setiawan H
] returns noop
++[mschap] returns noop
++[unix] returns notfound
 rlm_realm: No '@' in User-Name = "testing", looking up realm NULL
 rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
rlm_eap: EAP packet type response id 9 length 66
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm!
Cancelling invalid proxy request.
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 0)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
++[eap] returns handled
} # server nispdot1x
 EAP-Message = 0x010a00261900170301001bf310bdd3b5003f17e6b384f8d72a7a9c7a874b3b2ae817450b07cd
 Message-Authenticator = 0x
 State = 0x1fa720c117ad3925bd7da50678295fc0
Finished request 12.
Going to the next request
Waking up in 4.6 seconds.
 Framed-MTU = 1480
 NAS-IP-Address = 192.168.12.130
 NAS-Identifier = "ProCurve Switch 2650"
 User-Name = "testing"
 Service-Type = Framed-User
 Framed-Protocol = PPP
 NAS-Port = 1
 NAS-Port-Type = Ethernet
 NAS-Port-Id = "1"
 Called-Station-Id = "00-1c-2e-73-85-00"
 Calling-Station-Id = "00-16-36-5a-f1-e4"
 Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
 Tunnel-Type:0 = VLAN
 Tunnel-Medium-Type:0 = IEEE-802
 Tunnel-Private-Group-Id:0 = "1"
 State = 0x1fa720c117ad3925bd7da50678295fc0
 EAP-Message = 0x020a00261900170301001bc69a12bf5d23b5dedc2c6c8d537f8577436b7bded7dee8eb290178
 Message-Authenticator = 0x2a7e10fb4deef91301ba11f38f970f39
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
 rlm_realm: No '@' in User-Name = "testing", looking up realm NULL
 rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 10 length 38
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 1 cli 00-16-36-5a-f1-e4)
} # server nispdot1x
Found Post-Auth-Type Reject
+- entering group REJECT
 expand: %{User-Name} - testing
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
 EAP-Message = 0x040a0004
 Message-Authenticator = 0x
Waking up in 3.6 seconds.
Cleaning up request 4 ID 9 with timestamp +540
Cleaning up request 5 ID 10 with timestamp +540
Waking up in 0.1 seconds.
Cleaning up request 6 ID 11 with timestamp +540
Cleaning up request 7 ID 12 with timestamp +540
Cleaning up request 8 ID 13 with timestamp +540
Cleaning up request 9 ID 14 with timestamp +540
Cleaning up request 10 ID 15 with timestamp +540
Cleaning up request 11 ID 16 with timestamp +540
Cleaning up request 12 ID 17 with timestamp +540
Waking up in 1.0 seconds.
Cleaning up request 13 ID 18 with timestamp +540
Ready to process requests.

Thank You
Ryan Setiawan H



PEAP mschapv2 using xp native supplicant

2008-08-01 Thread Ryan Setiawan H

Hi all,
   I'm using EAP for authentication on wired connections (using 
freeradius 2.0.5 and an LDAP backend). Most of our clients are Windows 
machines, so there's little choice of EAP type: EAP-MD5 or PEAP-MSCHAPv2.
   Using EAP-MD5 there isn't any problem; the problem begins with 
PEAP-MSCHAPv2.


the debug:
-
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=xxx,dc=com, with filter 
(uid=testing)

rlm_ldap: checking if remote access for testing is allowed by uid
rlm_ldap: Added User-Password = Testing10 in check items
---
Clearly freeradius can see the password, and it's clear text :)
Below I also add the samba schema attributes that contain the LM and NT passwords
---
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusLoginTime as RADIUS attribute Login-Time 
== Wk0800-1800
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 
0x54657374696e6731
rlm_ldap: LDAP attribute lmPassword as RADIUS attribute LM-Password == 
0x54657374696e6731

rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute 
Tunnel-Private-Group-Id:0 = 101
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute 
Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute 
Tunnel-Type:0 = VLAN
rlm_ldap: LDAP attribute radiusFramedProtocol as RADIUS attribute 
Framed-Protocol = PPP
rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute 
Service-Type = Framed-User

rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
---
The mschap module says there is no clear-text password and it also can't 
create the LM and NT passwords

---
   +- entering group MS-CHAP
 rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
 rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
 rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [testing/via Auth-Type = EAP] (from client dotix port 0)
 PEAP: Tunneled authentication was rejected.

Can anyone help? Thanks


Ryan Setiawan H
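Added example (my own code, not from the thread or the FreeRADIUS project): the debug above shows ntPassword arriving as NT-Password == 0x54657374696e6731. That value is only eight bytes, and it is just the ASCII text "Testing1" written in hex, whereas rlm_mschap needs either Cleartext-Password or a real NT-Password, the 16-byte MD4 digest of the UTF-16LE encoded password. The script below computes that digest with a self-contained MD4 (hashlib's md4 is disabled on many current OpenSSL builds) and audits a stored value the way one would check a Samba-schema entry before relying on it for PEAP-MSCHAPv2. The stored value and the User-Password "Testing10" are copied from the debug output; the function names are my own.

```python
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Self-contained so it runs where hashlib has no md4."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    rounds = (
        # (mix function, additive constant, message-word order, per-step shifts)
        (lambda b, c, d: (b & c) | (~b & d), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda b, c, d: (b & c) | (b & d) | (c & d), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda b, c, d: b ^ c ^ d, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[w] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: next step updates the old d
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash as Samba stores it in ntPassword / sambaNTPassword: MD4 over UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def audit_nt_password(cleartext: str, stored: str) -> dict:
    """Audit an NT-Password value as radiusd -X prints it (e.g. '0x5465...').

    length_ok: a usable NT hash is exactly 16 bytes.
    matches_cleartext: the stored hash is MD4(UTF-16LE(cleartext)).
    looks_like_ascii: set when the bytes are printable text, i.e. someone stored
    the password itself instead of its hash.
    """
    hexpart = stored[2:] if stored.lower().startswith("0x") else stored
    raw = bytes.fromhex(hexpart)
    result = {"length_ok": len(raw) == 16, "matches_cleartext": False, "looks_like_ascii": None}
    if result["length_ok"]:
        result["matches_cleartext"] = hmac.compare_digest(raw, nt_hash(cleartext))
    try:
        text = raw.decode("ascii")
        if text.isprintable():
            result["looks_like_ascii"] = text
    except UnicodeDecodeError:
        pass
    return result


# Values copied from the thread's debug output: the stored NT-Password and the
# User-Password that rlm_ldap added as a check item for the same user.
STORED_NT_PASSWORD = "0x54657374696e6731"
LDAP_CLEARTEXT = "Testing10"

if __name__ == "__main__":
    print(audit_nt_password(LDAP_CLEARTEXT, STORED_NT_PASSWORD))
    print("ntPassword that would match userPassword:", nt_hash(LDAP_CLEARTEXT).hex())
```

With the thread's values audit_nt_password reports length_ok False and looks_like_ascii "Testing1": the directory holds password text rather than a hash, and it is not even the same password as userPassword (Testing10). MS-CHAPv2 can only be answered from the clear-text password or a correct NT hash; a directory entry that holds just a one-way {SSHA} hash provides neither.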



Re: PEAP mschapv2 using xp native supplicant

2008-08-01 Thread Ryan Setiawan H
Oh, and also: when using the users file, PEAP just runs with no problem; the 
problem arises only when using LDAP.

Thanks



Re: about EAP using 1.1.7 and 2.0.3

2008-07-10 Thread Ryan Setiawan H

Alan wrote:

hi,

as Alan stated - your NAS doesn't seem to be getting
the responses from your server.  some ACL or routing issue?
(stick a sniffer directly in front of the switch...if
you need to, you may need to have a 'port mirror' or somesuch
from the switch that feeds that switch if traffic is on a mgmt
VLAN and .1q trunking is involved etc.)

don't worry about the errors from the ./configure - unless
you are using any of those technologies (postgresql, oracle,
TNC or IKEv2) - your server is 'normal'

alan


--
  

Hi all,
   It's partially solved... I was using one server as the RADIUS server and as 
the VLAN trunk that feeds the switch tagged packets; the server was also the 
gateway... After I used another server for RADIUS, it works. Yeah, the 
1.1.7 RADIUS is on another machine (that's why it works)... so it's 
clear this is not about the FreeRADIUS version. Thanks a lot, all, for your time.


Ryan Setiawan H



about EAP using 1.1.7 and 2.0.3

2008-07-08 Thread Ryan Setiawan H

Hi All,
   I've an issue with EAP in 802.1X. Right now I'm trying EAP-MD5 for 
802.1X using FreeRADIUS 2.0.3 and a ProCurve switch; sadly it doesn't 
work, but when I'm using FreeRADIUS 1.1.7 it works smoothly. I've 
tried not only the native Windows XP SP2 supplicant but also 
wpa_supplicant; both don't work using FreeRADIUS 2. I've also tried 
reinstalling FreeRADIUS 2.0.3 (I forgot, using Mercurial), as I thought 
I had misconfigured something... but even using a fresh-from-the-oven 
configuration it still just doesn't work. Here is the debug:


Sending duplicate reply to client test port 1024 - ID: 4
Cleaning up request 2 ID 4 with timestamp +46
Ready to process requests.
   Framed-MTU = 1480
   NAS-IP-Address = 192.168.12.130
   NAS-Identifier = ProCurve Switch 2650
   User-Name = testing
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 00-1c-2e-73-85-00
   Calling-Station-Id = 00-0a-e4-13-58-c7
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 1
   EAP-Message = 0x023a000c0174657374696e67
   Message-Authenticator = 0x55d6fa8c198752bd6c62c351b234a57b
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = testing, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: EAP packet type response id 58 length 12
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
   users: Matched entry testing at line 102
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
 rad_check_password:  Found Auth-Type EAP
!!!
!!!Replacing User-Password in config items with 
Cleartext-Password. !!!

!!!
!!! Please update your configuration so that the known 
good   !!!
!!! clear text password is in Cleartext-Password, and not in 
User-Password. !!!

!!!
auth: type EAP
+- entering group authenticate
 rlm_eap: EAP Identity
 rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 2
   NAS-Port-Type = Ethernet
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 101
   EAP-Message = 0x013b001604101fee1ce904aea0659f790123de5bc761
   Message-Authenticator = 0x
   State = 0x9e1dcf679e26cbc870b5fae6a11d133d
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Sending duplicate reply to client test port 1024 - ID: 4  --- any 
clue what this is?

Cleaning up request 3 ID 4 with timestamp +56
Ready to process requests.

From wpa_supplicant's debug, it broke right before the EAP method 
message, so it (the supplicant) doesn't receive any MD5 Challenge from 
RADIUS. Does anyone have the same problem? I'd really appreciate any help.

Thank you

Ryan Setiawan H



Re: about EAP using 1.1.7 and 2.0.3

2008-07-08 Thread Ryan Setiawan H

Ryan Setiawan H wrote:

  Use 2.0.5.  Or, install raddb/sites-available/inner-tunnel from the
source tree.

  Alan DeKok.

  

Hi Alan,
   Thanks for the reply. I've updated to FreeRADIUS 2.0.5, but it still 
doesn't show any result; the debug is still the same.

here are the debug :

rad_recv: Access-Request packet from host 192.168.12.130 port 1024, 
id=27, length=213

   Framed-MTU = 1480
   NAS-IP-Address = 192.168.12.130
   NAS-Identifier = ProCurve Switch 2650
   User-Name = testing
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 00-1c-2e-73-85-00
   Calling-Station-Id = 00-0a-e4-13-b8-87
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 1
   EAP-Message = 0x0261000c0174657374696e67
   Message-Authenticator = 0xf267668d55a632d7f6ff3b2b94735eca
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = testing, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: EAP packet type response id 97 length 12
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
   users: Matched entry testing at line 61
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
 rlm_eap: EAP Identity
 rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 27 to 192.168.12.130 port 1024
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 101
   EAP-Message = 0x016200160410706dc9d0aeae1c2c1fe2d41a5f8cc84a
   Message-Authenticator = 0x
   State = 0xba2a19f0ba481d03bf0d1926ffd8f60a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.12.130 port 1024, 
id=27, length=213

Sending duplicate reply to client local port 1024 - ID: 27
Sending Access-Challenge of id 27 to 192.168.12.130 port 1024
Cleaning up request 0 ID 27 with timestamp +164
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.12.130 port 1024, 
id=27, length=213

   Framed-MTU = 1480
   NAS-IP-Address = 192.168.12.130
   NAS-Identifier = ProCurve Switch 2650
   User-Name = testing
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 00-1c-2e-73-85-00
   Calling-Station-Id = 00-0a-e4-13-b8-87
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 1
   EAP-Message = 0x0261000c0174657374696e67
   Message-Authenticator =
---
I'm not sure it will help, but I include the configure warnings for 2.0.5.

config.status: WARNING:  ./Make.inc.in seems to ignore the --datarootdir 
setting
config.status: WARNING:  ./src/include/build-radpaths-h.in seems to 
ignore the --datarootdir setting

chmod: check-radiusd-config: No such file or directory
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires:  libeap-ikev2 
EAPIKEv2/connector.h.

configure: WARNING: the TNCS library isn't found!
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires:  -lTNCS.
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires:  krb5.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: silently not building rlm_sql_postgresql.
configure: WARNING: FAILURE: rlm_sql_postgresql requires:  libpq-fe.h libpq.
configure: WARNING: oracle headers not found.  Use 
--with-oracle-home-dir=path.

configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.
-

I'm using the default configuration; I only changed client.conf and users.
There is a clue: when I saw the debug from 1.1.7, the second Access-Request had 
a different id,
but in this debug it had the same id (that is, 27), maybe because

Re: [Fwd: LDAP CHAP born again]

2008-07-02 Thread Ryan Setiawan H


Alan DeKok wrote:

 Try installing 2.0.5 in a separate directory and configuring it.  Odds
are it will work.


In time I will try to install it, but if I can't make this (LDAP CHAP)
clear... I will definitely encounter the same problem again :)


 2.0.5 has many, many fixes that aren't in 1.1.7.  Some things that are
difficult to impossible in 1.1.7 are easy in 2.0.5.

 Alan DeKok.


Right now I have already installed 2.0.3 because the dependencies are just like 1.1.7 :D 
Wow, lots of changes I see... but here we go, the debug:



  User-Name = testing
   CHAP-Password = 0xee8f74f97f724f06e54a9862f98ccef299
+- entering group authorize
++[preprocess] returns ok
 rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = testing, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testing
   expand: (uid=%u) - (uid=testing)
   expand: ou=dialup,dc=zzz,dc=com - ou=dialup,dc=zzz,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.11.17:389, authentication 0
rlm_ldap: bind as memberUid=radius,ou=admin,dc=zzz,dc=com/radiusjuga to 
192.168.11.17:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter 
(uid=testing)
rlm_ldap: Password header not found in password Testing10 for user testing
rlm_ldap: Added User-Password = Testing10 in check items
--cut--
Added User-Password = Testing10 in check items: this is the debug output 
difference compared to 1.1.7
--cut--
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
 rad_check_password:  Found Auth-Type CHAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type CHAP
+- entering group CHAP
 rlm_chap: login attempt by testing with CHAP password
 rlm_chap: Using clear text password Testing10 for user testing 
authentication.
 rlm_chap: chap user testing authenticated succesfully
++[chap] returns ok
Login OK: [testing/CHAP-Password] (from client local port 0)
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.


It just works :D Thanks Alan.
However there is this strange string: "Please update your configuration so that the known good clear text password is in Cleartext-Password, and not in User-Password."

After digging through freeradius.org, I see people also have this minor problem, 
and in a mail you say to change the attribute userPassword to 
Cleartext-Password.
But in the OpenLDAP v3 schema there isn't any attribute called Cleartext-Password...
Is there any explanation for this... everyone, if you don't mind :) . Still 
digging in the OpenLDAP forum :)
Thanks
Ryan Setiawan H




[Fwd: LDAP CHAP born again]

2008-07-01 Thread Ryan Setiawan H

Hi all,

  I've researched and googled about LDAP and CHAP :D, but until now it 
still doesn't work... here's the debug, and btw I'm using freeradius-1.1.7_2:


rad_recv: Access-Request packet from host 192.168.8.88:4609, id=30, 
length=48

  User-Name = testing
  CHAP-Password = 0x30e3e28c521fe0d81b988d2475dae76f3f
cut--.
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter 
(uid=testing)

rlm_ldap: checking if remote access for testing is allowed by dialupAccess
rlm_ldap: Password header not found in password Testing1 for user testing
---cut---
* As you can see, the RADIUS module rlm_ldap can see the password for 
user testing; here's the next one


rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
modcall[authorize]: module preprocess returns ok for request 0
  rlm_realm: No '/' in User-Name = testing, looking up realm NULL
  rlm_realm: No such realm NULL
modcall[authorize]: module IPASS returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
rlm_chap: login attempt by testing with CHAP password
rlm_chap: Could not find clear text password for user testing
modcall[authenticate]: module chap returns invalid for request 0
modcall: leaving group CHAP (returns invalid) for request 0
auth: Failed to validate the user.
cut-
* This is a classic problem, but until now there wasn't any straight answer 
for this one


Based on the FAQ at 
http://wiki.freeradius.org/index.php/FAQ#How_do_I_make_CHAP_work_with_LDAP.3F,
it is possible to use CHAP with an LDAP backend; there is also a clue 
that parameters like

password_header = {clear}
password_attribute = userPassword
password_radius_attribute = User-Password
must be set, but how?
I'm still trying to read the code (like rlm_chap.c) to see what 
attribute rlm_chap reads for the password that was passed by the 
ldap module, but it is so arcane, and debugging code is twice as hard as 
writing the code in the first place.


Does anyone have a solution for this matter?





Re: [Fwd: LDAP CHAP born again]

2008-07-01 Thread Ryan Setiawan H

Hi Alan, thanks for your reply

Alan DeKok wrote:

 If the LDAP server gives FreeRADIUS the clear-text password, then CHAP
should work.


Yes, the LDAP server already gives the clear-text password; you can see it in the debug 
below


rad_recv: Access-Request packet from host 192.168.8.88:4609, id=30,
length=48

  User-Name = testing
  CHAP-Password = 0x30e3e28c521fe0d81b988d2475dae76f3f
cut--.
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter
(uid=testing)
rlm_ldap: checking if remote access for testing is allowed by dialupAccess
rlm_ldap: Password header not found in password Testing1 for user testing


 And does CHAP work for this user?


No... what I mean is that the ldap module (rlm_ldap) can see the password for user 
testing, that is Testing1 (yes, this is the password).
The LDAP module should pass this clear-text password (Testing1) to the CHAP module to 
authenticate.


Also there is a clue
that parameters like
password_header = {clear}
password_attribute = userPassword
password_radius_attribute = User-Password
must be set, but how?


 in the ldap section of radiusd.conf, where the LDAP parameters are
configured.


Yes, I've configured those strings in the ldap section of radiusd.conf... 
For password_attribute, clearly it must contain userPassword (the attribute in which the LDAP server keeps the password).

But how about password_radius_attribute? From the FAQ, 
password_radius_attribute is the RADIUS attribute where the user password will be 
stored after being extracted from LDAP.
Should password_radius_attribute contain the string User-Password, or Clear-text 
Password, or maybe CHAP-Password? What attribute does CHAP read for authentication?


I'm still trying to read the code (like rlm_chap.c) to see what
attribute rlm_chap reads for the password that was passed by the
ldap module, but it is so arcane, and debugging code is twice as hard as
writing the code in the first place.


 Don't read the code.  It won't help you.


Yeah... it's killing me (the code) :D


Does anyone have a solution for this matter?


 Try installing 2.0.5 in a separate directory and configuring it.  Odds
are it will work.


In time I will try to install it, but if I can't make this (LDAP CHAP) clear... 
I will definitely encounter the same problem again :)

Thank You
Ryan Setiawan H
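Added example (my own code, not from the thread or the FreeRADIUS project) for the question asked in both LDAP CHAP posts, namely what rlm_chap actually needs from the password that rlm_ldap passes along. A CHAP response is MD5(ident || password || challenge), so the server can only verify it by recomputing that digest from the clear-text password; this is why the FAQ's password_header = {clear} and password_radius_attribute = User-Password settings matter, and why a userPassword stored as a {SSHA} or {crypt} hash can never satisfy CHAP, even though the same directory works fine for PAP. The challenge bytes and the {SSHA} value are constructed for the example; the ident 0x30 is the first byte of the CHAP-Password shown in the debug output; usable_for_chap is a simplified model of the password_header option, not rlm_ldap's code.

```python
import hashlib
import hmac
from typing import Optional

# Constructed 16-byte challenge for the example. On the wire this is the
# CHAP-Challenge attribute, or the Request Authenticator when that is absent.
CHALLENGE = bytes(range(16))
CHAP_IDENT = 0x30  # first byte of the CHAP-Password in the thread's debug output

# Prefixes that mark a one-way hash in an OpenLDAP userPassword value.
HASH_SCHEMES = ("{ssha}", "{sha}", "{md5}", "{smd5}", "{crypt}")


def usable_for_chap(stored: str, header: str = "{clear}") -> Optional[str]:
    """Simplified model of rlm_ldap's password_header handling (assumption, not
    the module's code): return the clear text a CHAP check can use, or None when
    the directory only holds a one-way hash."""
    lowered = stored.lower()
    if lowered.startswith(header.lower()):
        return stored[len(header):]
    if lowered.startswith(HASH_SCHEMES):
        return None
    return stored  # unlabelled value: treated as clear text


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 response value, as carried in the RADIUS CHAP-Password attribute (RFC 2865)."""
    return hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()


def build_chap_password(ident: int, password: str, challenge: bytes) -> bytes:
    """Client side: the 17-byte CHAP-Password value, ident followed by the 16-byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, stored: str) -> bool:
    """Server side: recover the clear text from the directory value and recompute.

    A hashed userPassword fails here by construction: the raw password is part of
    the MD5 input, so nothing short of the clear text reproduces the response."""
    cleartext = usable_for_chap(stored)
    if cleartext is None or len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    pw = build_chap_password(CHAP_IDENT, "Testing1", CHALLENGE)
    print("CHAP-Password = 0x" + pw.hex())
    for stored in ("{clear}Testing1", "Testing1", "{clear}Testing10", "{SSHA}c29tZS1oYXNo"):
        print(f"{stored!r:28} -> {verify_chap(pw, CHALLENGE, stored)}")
```

The last loop line answers the thread's question in practice: a directory value that resolves to the clear text "Testing1" verifies, a different password or a hashed value does not. The defender's takeaway is the trade-off the thread is circling: CHAP and MS-CHAP force the directory to hold recoverable passwords, so a directory that stores only salted hashes can support PAP (and EAP methods that run PAP inside a TLS tunnel, such as EAP-TTLS/PAP) but not CHAP or MS-CHAPv2.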


