Re: Authentication failure via PAP

2007-09-18 Thread tnt
1. Secret is different (probability 99%)
2. MD5 libraries on the client or the server are broken

I would delete the secret on the server and the client and type in
another one. If that doesn't work, then you will need to fix the MD5
calculations. If it's the server, you will get this problem with every
client you try. If it's only one client ...

Ivan Kalik
Kalik Informatika ISP
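
To make the first point concrete: RADIUS hides the PAP User-Password by XORing it with MD5(secret + Request Authenticator), so a server configured with a different secret "decrypts" it into exactly the kind of binary blob shown in the radiusd -X output of Thomas's post, and rlm_ldap then binds with that blob. The script below is an added example, not code from this thread or from FreeRADIUS; the secret, password and authenticator are constructed sample values, and the octal string is the User-Password value as printed in the post.

```python
import hashlib

# The value radiusd -X printed for User-Password in the original post
# (FreeRADIUS shows non-printable bytes as octal escapes).
SAMPLE_FROM_POST = b"\301q\202\355g\264g)N\265\315\311\374\205i"


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side, RFC 2865 section 5.2: pad with NULs to a multiple of 16
    octets, then XOR each block with MD5(secret + previous ciphertext block),
    seeded with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], digest))
        out += block
        prev = block  # chain on the ciphertext, not the plaintext
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same chain driven by the received ciphertext blocks.
    With the wrong secret every block comes out as pseudo-random bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, digest))
        prev = block
    return out.rstrip(b"\x00")


def looks_like_secret_mismatch(decoded: bytes) -> bool:
    """Triage heuristic for the log line in the post: a PAP password that
    decodes to non-printable bytes almost always means the NAS and the
    server disagree on the shared secret, not that the user typed it wrong."""
    return any(b < 0x20 or b > 0x7E for b in decoded)


def demo() -> dict:
    secret = b"testing123"            # constructed sample shared secret
    authenticator = bytes(range(16))  # constructed sample Request Authenticator
    hidden = hide_user_password(b"hunter2", secret, authenticator)
    return {
        "right_secret": reveal_user_password(hidden, secret, authenticator),
        "wrong_secret": reveal_user_password(hidden, b"testing124", authenticator),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value, "mismatch?" , looks_like_secret_mismatch(value))
    print("value from post looks like a secret mismatch:",
          looks_like_secret_mismatch(SAMPLE_FROM_POST))
```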


On 18/9/2007, "Thomas Schmitz" <[EMAIL PROTECTED]> wrote (the message quoted here appears in full below):

Authentication failure via PAP

2007-09-18 Thread Thomas Schmitz
Hi,

I'm using FreeRADIUS 1.1.6 inside a Solaris 10 zone and compiled
it from vanilla sources. I configured rlm_ldap since the
usernames and cleartext passwords are stored in an LDAP
directory, and it works just fine for applications like Cisco VPN
or 802.1X EAP-TTLS. Now I wanted to set up the Captive Portal of
pfSense/m0n0wall to authenticate against RADIUS, which uses
PAP for password transmission, but authentication always fails
even though I triple-checked the entered user credentials.

The freeradius log always says:
Auth: Login incorrect (rlm_ldap: Bind as user failed): 
[my_username] (from client pfsensebox port 1 cli 
00:17:f2:xx:yy:zz)

Of course I also checked that the RADIUS client is using the
correct secret. I set auto_header to "yes" as suggested
in the rlm_pap manpage and put pap at the end of the authorize
section.

I also included an excerpt of my radiusd.conf:

---begin radiusd.conf---
modules {
        pap {
                auto_header = yes
        }
        ldap {
                server = "ldapserver.mydomain.com"
                basedn = "ou=people,o=my organization,c=de"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "uid"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = userPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
}
authorize {
        auth_log
        chap
        mschap
        suffix
        eap
        ldap
        files
        daily
        pap
}

authenticate {
        pap
        chap
        mschap
        ldap
        eap
}
---end radiusd.conf---

Here is the output of radiusd -X:

---begin radiusd -X output---
rad_recv: Access-Request packet from host 111.222.333.444:51087, id=255, length=131
        NAS-IP-Address = 111.222.333.444
        NAS-Identifier = "pfsense.local"
        User-Name = "my_username"
        User-Password = "\301q\202\355g\264g)N\265\315\311\374\205i"
        Service-Type = Login-User
        NAS-Port-Type = Ethernet
        NAS-Port = 1
        Framed-IP-Address = 192.168.23.200
        Called-Station-Id = "00:01:02:xx:yy:zz"
        Calling-Station-Id = "00:17:f2:aa:bb:cc"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat:  '/opt/radiusd/var/log//radacct/auth-detail-200709'
rlm_detail: /opt/radiusd/var/log//radacct/auth-detail-%Y%m expands to /opt/radiusd/var/log//radacct/auth-detail-200709
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "my_username", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "my_username"
rlm_realm: Proxying request from user my_username to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for my_username
radius_xlat:  '(uid=my_username)'
radius_xlat:  'ou=people,o=my organization,c=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to directory.fernuni-hagen.de:389, authentication 0
rlm_ldap: bind as / to directory.fernuni-hagen.de:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,o=my organization,c=de, with filter (uid=my_username)
rlm_ldap: checking if remote access for my_username is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding uid as User-Name, value my_username & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user my_username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  modcall[authorize]: module "files" returns notfound for request 0
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
  modcall[authorize]: module "daily" returns noop for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type "ldap"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "my_username" with password "Áq?íg´g)NµÍÉü?i"