Re: "known good" error

2009-09-24 Thread Ivan Kalik
> What I can see is that Radius couldn't encrypt the clear text password.
> For example, when I send the password in clear text like "123456" it
> rejects me, but when I send it encrypted like
> "&^%$%$%JGjgjg(&%%^njahjahs" I was able to log in without any problems.
> Note that I changed my real password and its encryption to secure my data.

You have fixed the encryption with password_header in your ldap
configuration. You can't fix the header and then use password with
different encryption (or unencrypted).

Server works as expected.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: "known good" error

2009-09-24 Thread wessam seleem
What I can see is that Radius couldn't encrypt the clear text password.
For example, when I send the password in clear text like "123456" it
rejects me, but when I send it encrypted like
"&^%$%$%JGjgjg(&%%^njahjahs" I was able to log in without any problems.
Note that I changed my real password and its encryption to secure my data.



On Thu, Sep 24, 2009 at 3:01 PM, Alan DeKok wrote:

> wessam seleem wrote:
> ...
> > [pap] login attempt with password "123456"
> > [pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs"
>
>   Your shared secret is wrong.  Fix it.
>
>  See the FAQ for more details.
>
>  Alan DeKok.

Re: "known good" error

2009-09-24 Thread Alan DeKok
wessam seleem wrote:
...
> [pap] login attempt with password "123456"
> [pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs"

  Your shared secret is wrong.  Fix it.

  See the FAQ for more details.

  Alan DeKok.


Re: "known good" error

2009-09-24 Thread wessam seleem
Thanks Ivan for your reply. Here is the ldap configuration section:

ldap {
    server = "x.x.x.x"
    identity = "cn=username"
    password = password
    basedn = "ou=email,o=data,c=eg"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    password_header = "{CRYPT}"
    ldap_connections_number = 100
    timeout = 15
    timelimit = 10
    net_timeout = 5

    tls {
        start_tls = no
    }

    profile_attribute = "radiusProfileDn"
    access_attr = "dialupAccess"
    dictionary_mapping = ${confdir}/ldap.attrmap
    password_attribute = radiususerPassword
}



and here is the debug message


++[ldap] returns ok
Found Auth-Type = PAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password.
!!!
!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!
+- entering group PAP {...}
[pap] login attempt with password "123456"
[pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> username
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0



Thanks for your support.
Wessam


On Thu, Sep 24, 2009 at 1:37 PM, Ivan Kalik wrote:

> > I decided to install free radius 2.1.6-2 to test it and then to upgrade
> > my existing versions in my servers. I configured my free radius to use
> > ldap.
> > When I tried to authenticate from the new radius it gave me the following
> > message "from radius -X".
> >
> >  Replacing User-Password in config items with Cleartext-Password. !!!
> > !!!
> > !!! Please update your configuration so that the "known good"
> > !!!
> > !!! clear text password is in Cleartext-Password, and not in User-Password.
> > !!!
> >
> >
> > Note that when I wrote the password encrypted "like
> > *%@&ks...@sdgsadgjhsb"
> > I was able to login but when I wrote the password in clear text "like
> > test"
> > I failed to login.
>
> Password in ldap probably has a header. You can ignore the message then,
> because server will convert User-Password to appropriate password
> attribute on its own (Crypt-Password for {crypt}, SHA-Password for {sha}
> etc.) if auto-header is enabled. Post the whole debug.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Re: "known good" error

2009-09-24 Thread Ivan Kalik
> I decided to install free radius 2.1.6-2 to test it and then to upgrade
> my existing versions in my servers. I configured my free radius to use
> ldap.
> When I tried to authenticate from the new radius it gave me the following
> message "from radius -X".
>
>  Replacing User-Password in config items with Cleartext-Password. !!!
> !!!
> !!! Please update your configuration so that the "known good"
> !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password.
> !!!
>
>
> Note that when I wrote the password encrypted "like
> *%@&ks...@sdgsadgjhsb"
> I was able to login but when I wrote the password in clear text "like
> test"
> I failed to login.

Password in ldap probably has a header. You can ignore the message then,
because server will convert User-Password to appropriate password
attribute on its own (Crypt-Password for {crypt}, SHA-Password for {sha}
etc.) if auto-header is enabled. Post the whole debug.

Ivan Kalik
Kalik Informatika ISP
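
The header-to-attribute conversion described in the replies above, as an added Python illustration (not FreeRADIUS code and not part of the original thread). It uses {SHA}/{SSHA} as the worked schemes because crypt(3) is not portably available in Python; the {ssha} and {clear} rows, the cleartext fallback for a value with no recognised header, and all sample values are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# {crypt} and {sha} are the mappings named in the thread; {ssha} and {clear}
# are assumed here for illustration.
HEADER_TO_ATTR = {
    "{clear}": "Cleartext-Password",
    "{crypt}": "Crypt-Password",
    "{sha}": "SHA-Password",
    "{ssha}": "SSHA-Password",
}

def classify(stored):
    """Split '{HDR}value' into (attribute, value).

    A value with no recognised header is treated as Cleartext-Password,
    mirroring the "Using clear text password" debug line (assumption).
    """
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}") + 1
        attr = HEADER_TO_ATTR.get(stored[:end].lower())
        if attr:
            return attr, stored[end:]
    return "Cleartext-Password", stored

def verify(stored, supplied):
    """Compare what the user typed against the value stored in LDAP."""
    attr, value = classify(stored)
    pw = supplied.encode()
    if attr == "Cleartext-Password":
        return hmac.compare_digest(value.encode(), pw)
    if attr == "SHA-Password":
        return hmac.compare_digest(base64.b64decode(value), hashlib.sha1(pw).digest())
    if attr == "SSHA-Password":
        raw = base64.b64decode(value)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError(f"{attr} is not implemented in this example")

# Constructed sample values (not taken from the thread).
SHA_BODY = base64.b64encode(hashlib.sha1(b"123456").digest()).decode()
SSHA_BODY = base64.b64encode(hashlib.sha1(b"123456" + b"salt").digest() + b"salt").decode()
```

With the header present, only the real password verifies; with the same hash stored headerless it is compared as clear text, so only the hash string itself matches, which is the symptom reported in this thread.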
