Re: LDAP & MSCHAP errors

2008-11-12 Thread Simon Palmer
Great - thanks,
Absolutely outstanding help thanks! :)
I hashed these lines out in ldap.attrmap as below:
#checkItem  LM-Password sambaLmPassword
#checkItem  NT-Password sambaNtPassword
And it all worked! :)
Thanks very much! 
Simon

>>> <[EMAIL PROTECTED]> 12/11/2008 13:46 >>>
>[ldap] Added the eDirectory password password in check items as
>Cleartext-Password

OK. Here is the clear text password.

>[ldap] No default NMAS login sequence
>[ldap] looking for check items in directory...
>rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == "[UX ]"
>rlm_ldap: sambaNtPassword -> NT-Password ==
>0x414539434130363637413341393742303139423034323645363933373332
>rlm_ldap: sambaLmPassword -> LM-Password ==
>0x363542393930304434314234453336383139463130413944343836384443

So, you don't need these. Remove them and mschap will work. That hash
looks decimal not hex to me. I don't think that they are correct.

Ivan Kalik
Kalik informatika ISP

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to 
whom they are addressed. Any views or opinions expressed are solely
those of the author and do not necessarily represent those of Coleg Sir
Gâr. If you have received this email in error please notify the
administrator on the following address:
[EMAIL PROTECTED] 

Please consider the environment - do you really need to print this
email?


Re: LDAP & MSCHAP errors

2008-11-12 Thread tnt
>[ldap] Added the eDirectory password password in check items as
>Cleartext-Password

OK. Here is the clear text password.

>[ldap] No default NMAS login sequence
>[ldap] looking for check items in directory...
>rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == "[UX ]"
>rlm_ldap: sambaNtPassword -> NT-Password ==
>0x414539434130363637413341393742303139423034323645363933373332
>rlm_ldap: sambaLmPassword -> LM-Password ==
>0x363542393930304434314234453336383139463130413944343836384443

So, you don't need these. Remove them and mschap will work. That hash
looks decimal not hex to me. I don't think that they are correct.

Ivan Kalik
Kalik informatika ISP

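The encoding point Ivan raises above ("looks decimal not hex"), worked through as an added example. This is stand-alone Python written for this thread, not FreeRADIUS code and not from either poster; the function names are mine, the NT-Password value is copied from the rlm_ldap debug line quoted above, and the 16-byte hash length is the MD4 digest size that an NT hash always has.

```python
"""
Detect and normalize an NT-Password value as rlm_ldap hands it on from an
LDAP attribute such as sambaNtPassword.

When the directory stores the hash as an ASCII hex string, rlm_ldap treats
the attribute as raw octets, so the debug output shows the hex encoding OF
THE ASCII STRING: every byte falls in 0x30-0x39 or 0x41-0x46, which is why
it "looks decimal".  rlm_pap's "Normalizing NT-Password from hex encoding"
step undoes that double encoding; the functions below are an independent
re-implementation of that check, written for illustration (not FreeRADIUS
code).
"""
import binascii
import re

NT_HASH_LEN = 16  # an NT hash is a 16-byte MD4 digest

# ASCII hex digits only (bytes pattern, because the attribute arrives as octets)
HEX_ASCII = re.compile(rb"^[0-9A-Fa-f]+$")

# Value copied from the rlm_ldap debug line quoted in the thread above.
PAGE_DEBUG_VALUE = "0x414539434130363637413341393742303139423034323645363933373332"


def octets_from_debug(value: str) -> bytes:
    """Parse the '0x4145...' form that the debug output uses for octet strings."""
    v = value.strip()
    if v.lower().startswith("0x"):
        v = v[2:]
    return binascii.unhexlify(v)


def normalize_nt_password(raw: bytes) -> tuple[bytes, str]:
    """
    Return (hash_bytes, form), where form records what was detected:
      'binary'    - already the 16 raw digest bytes
      'ascii-hex' - 32 ASCII hex digits that decode to 16 bytes
    Raise ValueError for anything that cannot be a complete NT hash.
    """
    if len(raw) == NT_HASH_LEN:
        return raw, "binary"
    if HEX_ASCII.match(raw):
        decoded = binascii.unhexlify(raw)
        if len(decoded) == NT_HASH_LEN:
            return decoded, "ascii-hex"
        raise ValueError(
            f"ASCII hex NT-Password decodes to {len(decoded)} bytes, "
            f"expected {NT_HASH_LEN}"
        )
    raise ValueError(
        f"NT-Password is {len(raw)} bytes and not ASCII hex; expected {NT_HASH_LEN}"
    )


def classify_debug_value(debug_value: str) -> dict:
    """Summarise a value as printed after 'rlm_ldap: sambaNtPassword -> NT-Password =='."""
    raw = octets_from_debug(debug_value)
    result = {
        "octets": len(raw),
        "looks_like_ascii_hex": bool(HEX_ASCII.match(raw)),
    }
    if result["looks_like_ascii_hex"]:
        result["ascii"] = raw.decode("ascii")
    try:
        digest, form = normalize_nt_password(raw)
        result.update(ok=True, form=form, hash_hex=digest.hex())
    except ValueError as exc:
        result.update(ok=False, error=str(exc))
    return result


if __name__ == "__main__":
    # The value from the thread: 30 octets, all ASCII hex digits, so it is a
    # double-encoded hex string rather than a raw digest.
    for key, val in classify_debug_value(PAGE_DEBUG_VALUE).items():
        print(f"{key}: {val}")
```

Run on the value from the debug output, every octet is an ASCII digit or A-F, and the bytes spell out the 30 hex characters AE9CA0667A3A97B019B0426E693732. A complete NT hash is 32 hex characters (16 bytes), so either the debug line was cut short in the mail or the stored attribute is short; a module that needs the raw 16 bytes cannot use it either way, and the function reports that rather than passing a wrong-length value on. That length check is the caveat to keep in mind whenever a directory stores Samba-style hashes as text.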


Re: LDAP & MSCHAP errors

2008-11-12 Thread Simon Palmer
FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on
Nov 10 2008 at 13:18:51
Copyright (C) 1999-2008 The FreeRADIUS server project and
contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/mschap.org
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }
 client 172.16.8.0/24 {
require_message_authenticator = no
secret = "testing123"
shortname = "testing"
 }
 client 192.168.1.1/32 {
require_message_authenticator = no
secret = "w1f1netw0rk"
shortname = "ArubaController"
 }
radiusd:  Loading Realms and Home Serv

Re: LDAP & MSCHAP errors

2008-11-12 Thread tnt
>>>pap against LDAP works fine
>>>chap against LDAP works fine (With ntradping)
>>
>>They used different password.
>
>Do you mean chap and MSCHAPv2 require passwords in different formats or
>something?

No. There is a clear text password stored somewhere.

>I can auth CHAP, but with the same username and password can't auth
>CHAPv2
>(with no config change on freeradius)
>My two debugs show that
>Debug: rlm_ldap: sambaNtPassword -> NT-Password ==
>0x414539434130363637412341393742303139423034323445363933373332
>So the NT-Password is being retrieved from LDAP in both cases.
>

Yes. But chap wasn't using it.

>>A correct password.
>
>Do you think the hash being retrieved from LDAP is wrong then?

Yes.

>If I do put in an incorrect password I do get the same error message.
>

No surprise.

>>*
>>>Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password
>>>"ommitted" for user testuser authentication.
>>*
>>
>>>Where did that come from?
>
>I don't know - inside the chap module?

No.

>It's retrieved from LDAP.

Not that I can see. Post the whole debug and I will tell you where the
clear text password is possibly stored.

Ivan Kalik
Kalik Informatika ISP



Re: LDAP & MSCHAP errors

2008-11-12 Thread Simon Palmer
>>pap against LDAP works fine
>>chap against LDAP works fine (With ntradping)
>
>They used different password.

Do you mean chap and MSCHAPv2 require passwords in different formats or
something?
I can auth CHAP, but with the same username and password can't auth
CHAPv2
(with no config change on freeradius)
My two debugs show that
Debug: rlm_ldap: sambaNtPassword -> NT-Password ==
0x414539434130363637412341393742303139423034323445363933373332
So the NT-Password is being retrieved from LDAP in both cases.

>
>>BUT - MSCHAPv2 gives "FAILED: MS-CHAP2-Response is incorrect"
>>Am I missing something required for MSCHAP to work? The NT-Password
>>seems to be retrieved...
>>
>
>A correct password.

Do you think the hash being retrieved from LDAP is wrong then?
If I do put in an incorrect password I do get the same error message.

Does anyone have Freeradius working with MSCHAP against eDir?

>
>>Working CHAP debug from ntradping:
>>
>>Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for check items in
>>directory...
>>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: acctFlags ->
>>SMB-Account-CTRL-TEXT == "[UX ]"
>>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaNtPassword ->
>>NT-Password ==
>>0x414539434130363637413341393742303139423034323645363933373332
>>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaLmPassword ->
>>LM-Password ==
>>0x363542393930304434314234453336383139463130413944343836384443
>>Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for reply items in
>>directory...
>>Tue Nov 11 10:10:26 2008 : Info: [ldap] user testuser authorized to use
>>remote access
>>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: ldap_release_conn: Release
>>Id: 0
>>Tue Nov 11 10:10:26 2008 : Info: ++[ldap] returns ok
>>Tue Nov 11 10:10:26 2008 : Info: ++[expiration] returns noop
>>Tue Nov 11 10:10:26 2008 : Info: ++[logintime] returns noop
>>Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing NT-Password from hex
>>encoding
>>Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing LM-Password from hex
>>encoding
>>Tue Nov 11 10:10:26 2008 : Info: [pap] Found existing Auth-Type, not
>>changing it.
>>Tue Nov 11 10:10:26 2008 : Info: ++[pap] returns noop
>>Tue Nov 11 10:10:26 2008 : Info: Found Auth-Type = CHAP
>>Tue Nov 11 10:10:26 2008 : Info: +- entering group CHAP {...}
>>Tue Nov 11 10:10:26 2008 : Info: [chap] login attempt by "testuser"
>>with CHAP password
>
>*
>>Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password
>>"ommitted" for user testuser authentication.
>*
>
>>Where did that come from?

I don't know - inside the chap module? It's retrieved from LDAP. I'm
using the default modules/chap - it just says:
chap {
# no configuration
}

>
>>Tue Nov 11 10:10:26 2008 : Info: [chap] chap user testuser
>>authenticated succesfully
>
>>Default configuration in modules/mschap and modules/chap
>>In sites-enabled/default
>>authorize {
>>ldap
>>}
>
>That is obviously untrue from your debug.
Just checked again, modules/mschap has nothing unhashed.
modules/chap has as above with # no configuration
>
>Try doing pap with that NT-Password from ldap (remove clear text
password
>entry wherever it is).
Yeah - PAP works perfectly, chap works perfectly, MSCHAP doesn't.
Thanks
>
>Ivan Kalik
>Kalik Informatika ISP


Re: LDAP & MSCHAP errors

2008-11-11 Thread tnt
>We are trying to set up freeRADIUS 2.1.1 against eDirectory LDAP and
>getting problems. 
>(Trying SLES 10 SP2 32bit and 64 bit)
>pap against LDAP works fine
>chap against LDAP works fine (With ntradping)

They used different password.

>BUT - MSCHAPv2 gives "FAILED: MS-CHAP2-Response is incorrect"
>Am I missing something required for MSCHAP to work? The NT-Password
>seems to be retrieved...
>

A correct password.

>Working CHAP debug from ntradping:
>
>Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for check items in
>directory...
>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: acctFlags ->
>SMB-Account-CTRL-TEXT == "[UX ]"
>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaNtPassword ->
>NT-Password ==
>0x414539434130363637413341393742303139423034323645363933373332
>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaLmPassword ->
>LM-Password ==
>0x363542393930304434314234453336383139463130413944343836384443
>Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for reply items in
>directory...
>Tue Nov 11 10:10:26 2008 : Info: [ldap] user testuser authorized to use
>remote access
>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: ldap_release_conn: Release
>Id: 0
>Tue Nov 11 10:10:26 2008 : Info: ++[ldap] returns ok
>Tue Nov 11 10:10:26 2008 : Info: ++[expiration] returns noop
>Tue Nov 11 10:10:26 2008 : Info: ++[logintime] returns noop
>Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing NT-Password from hex
>encoding
>Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing LM-Password from hex
>encoding
>Tue Nov 11 10:10:26 2008 : Info: [pap] Found existing Auth-Type, not
>changing it.
>Tue Nov 11 10:10:26 2008 : Info: ++[pap] returns noop
>Tue Nov 11 10:10:26 2008 : Info: Found Auth-Type = CHAP
>Tue Nov 11 10:10:26 2008 : Info: +- entering group CHAP {...}
>Tue Nov 11 10:10:26 2008 : Info: [chap] login attempt by "testuser"
>with CHAP password

*
>Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password
>"ommitted" for user testuser authentication.
*

Where did that come from?

>Tue Nov 11 10:10:26 2008 : Info: [chap] chap user testuser
>authenticated succesfully

>Default configuration in modules/mschap and modules/chap
>In sites-enabled/default
>authorize {
>ldap
>}

That is obviously untrue from your debug.

Try doing pap with that NT-Password from ldap (remove clear text password
entry wherever it is).

Ivan Kalik
Kalik Informatika ISP
