Re: "known good" error
> what I can see that Radius couldn't encrypt clear text password. For example
> when I send the password in clear text like "123456" it rejects me but when
> I send it encrypted like "&^%$%$%JGjgjg(&%%^njahjahs" I was able to login
> without any problems. Note that I changed my real password and its
> encryption to secure my data.

You have fixed the encryption with password_header in your ldap configuration. You can't fix the header and then use password with different encryption (or unencrypted). Server works as expected.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: "known good" error
what I can see that Radius couldn't encrypt clear text password. For example when I send the password in clear text like "123456" it rejects me but when I send it encrypted like "&^%$%$%JGjgjg(&%%^njahjahs" I was able to login without any problems. Note that I changed my real password and its encryption to secure my data.

On Thu, Sep 24, 2009 at 3:01 PM, Alan DeKok wrote:
> wessam seleem wrote:
> ...
> > [pap] login attempt with password "123456"
> > [pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs"
>
> Your shared secret is wrong. Fix it.
>
> See the FAQ for more details.
>
> Alan DeKok.
Re: "known good" error
wessam seleem wrote:
...
> [pap] login attempt with password "123456"
> [pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs"

Your shared secret is wrong. Fix it.

See the FAQ for more details.

Alan DeKok.
Re: "known good" error
Thanks Ivan for your reply.

Here is the ldap configuration section:

ldap {
        server = "x.x.x.x"
        identity = "cn=username"
        password = password
        basedn = "ou=email,o=data,c=eg"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        password_header = "{CRYPT}"
        ldap_connections_number = 100
        timeout = 15
        timelimit = 10
        net_timeout = 5
        tls {
                start_tls = no
        }
        profile_attribute = "radiusProfileDn"
        access_attr = "dialupAccess"
        dictionary_mapping = ${confdir}/ldap.attrmap
        password_attribute = radiususerPassword
}

and here is the debug message

++[ldap] returns ok
Found Auth-Type = PAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
+- entering group PAP {...}
[pap] login attempt with password "123456"
[pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> username
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0

Thanks for your support.

Wessam

On Thu, Sep 24, 2009 at 1:37 PM, Ivan Kalik wrote:
> > I decided to install free radius 2.1.6-2 to test it and then to upgrade
> > my existing versions in my servers. I configured my free radius to use
> > ldap.
> > When I tried to authenticate from the new radius it gave me the following
> > message "from radius -X".
> >
> > Replacing User-Password in config items with Cleartext-Password. !!!
> > !!!
> > !!! Please update your configuration so that the "known good" !!!
> > !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> >
> > Note that when I wrote the password encrypted "like *%@&ks...@sdgsadgjhsb"
> > I was able to login but when I wrote the password in clear text "like test"
> > I failed to login.
>
> Password in ldap probably has a header. You can ignore the message then,
> because server will convert User-Password to appropriate password
> attribute on its own (Crypt-Password for {crypt}, SHA-Password for {sha}
> etc.) if auto-header is enabled. Post the whole debug.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: "known good" error
> I decided to install free radius 2.1.6-2 to test it and then to upgrade
> my existing versions in my servers. I configured my free radius to use
> ldap.
> When I tried to authenticate from the new radius it gave me the following
> message "from radius -X".
>
> Replacing User-Password in config items with Cleartext-Password. !!!
> !!!
> !!! Please update your configuration so that the "known good" !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
>
> Note that when I wrote the password encrypted "like *%@&ks...@sdgsadgjhsb"
> I was able to login but when I wrote the password in clear text "like test"
> I failed to login.

Password in ldap probably has a header. You can ignore the message then, because server will convert User-Password to appropriate password attribute on its own (Crypt-Password for {crypt}, SHA-Password for {sha} etc.) if auto-header is enabled. Post the whole debug.

Ivan Kalik
Kalik Informatika ISP
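
Added example, not part of the thread and not FreeRADIUS code: a Python sketch of the header-based conversion described above, and of the symptom in the debug output when a stored hash reaches PAP as the clear-text "known good" password. The function names are hypothetical, the sample value is constructed, and `{SHA}` stands in for the thread's `{CRYPT}` because crypt(3) is not portable from Python; the `{ssha}` entry goes beyond what the thread lists.

```python
import base64
import hashlib
import hmac

# {crypt} and {sha} pairs are from the thread; {ssha} is added for illustration.
HEADER_ATTR = {"{crypt}": "Crypt-Password", "{sha}": "SHA-Password",
               "{ssha}": "SSHA-Password"}


def classify(stored):
    """Split a directory password value into (attribute, payload) by header."""
    end = stored.find("}") + 1
    attr = HEADER_ATTR.get(stored[:end].lower()) if stored.startswith("{") else None
    return (attr, stored[end:]) if attr else ("Cleartext-Password", stored)


def verify(typed, attr, payload):
    """Check the password the user typed against the known-good value."""
    pw = typed.encode()
    if attr == "Cleartext-Password":
        return hmac.compare_digest(pw, payload.encode())
    if attr in ("SHA-Password", "SSHA-Password"):
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]   # salt is empty for plain {SHA}
        if attr == "SHA-Password" and salt:
            return False                    # unsalted value must be 20 bytes
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError(attr + " needs crypt(3), which this sketch leaves out")


def demo():
    """Run the thread's two login attempts against a constructed {SHA} value."""
    digest = hashlib.sha1(b"123456").digest()
    stored = "{SHA}" + base64.b64encode(digest).decode()  # constructed sample
    attr, payload = classify(stored)
    return {
        "attr": attr,
        "header_honoured": verify("123456", attr, payload),
        # Misconfigured path, as in the debug log: the hash reaches PAP as the
        # clear-text known-good password, so only the hash string matches.
        "hash_as_cleartext": verify("123456", "Cleartext-Password", payload),
        "typing_the_hash": verify(payload, "Cleartext-Password", payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A line such as `[pap] Using clear text password "<hash>"` in `radiusd -X` output corresponds to the `hash_as_cleartext` case: the comparison is being made against the stored hash string rather than through the matching hashed-password attribute.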