Re: LDAP & MSCHAP errors
Great - thanks. Absolutely outstanding help, thanks! :)

I hashed from ldap.attrmap as below:

#checkItem LM-Password sambaLmPassword
#checkItem NT-Password sambaNtPassword

And it all worked! :)

Thanks very much!

Simon

>>> <[EMAIL PROTECTED]> 12/11/2008 13:46 >>>
>[ldap] Added the eDirectory password password in check items as
>Cleartext-Password OK. Here is the clear text password.
>[ldap] No default NMAS login sequence
>[ldap] looking for check items in directory...
>rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == "[UX ]"
>rlm_ldap: sambaNtPassword -> NT-Password ==
>0x414539434130363637413341393742303139423034323645363933373332
>rlm_ldap: sambaLmPassword -> LM-Password ==
>0x363542393930304434314234453336383139463130413944343836384443

So, you don't need these. Remove them and mschap will work.

That hash looks decimal not hex to me. I don't think that they are correct.

Ivan Kalik
Kalik Informatika ISP

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Coleg Sir Gâr. If you have received this email in error please notify the administrator on the following address: [EMAIL PROTECTED] Please consider the environment - do you really need to print this email?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP & MSCHAP errors
>[ldap] Added the eDirectory password password in check items as
>Cleartext-Password OK. Here is the clear text password.
>[ldap] No default NMAS login sequence
>[ldap] looking for check items in directory...
>rlm_ldap: acctFlags -> SMB-Account-CTRL-TEXT == "[UX ]"
>rlm_ldap: sambaNtPassword -> NT-Password ==
>0x414539434130363637413341393742303139423034323645363933373332
>rlm_ldap: sambaLmPassword -> LM-Password ==
>0x363542393930304434314234453336383139463130413944343836384443

So, you don't need these. Remove them and mschap will work.

That hash looks decimal not hex to me. I don't think that they are correct.

Ivan Kalik
Kalik Informatika ISP
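The "looks decimal not hex" observation in the reply above can be turned into a mechanical check. The script below is an added example, not code from this thread or from the FreeRADIUS project. It parses rlm_ldap debug lines of the form quoted in the thread, decodes the 0x... value that rlm_ldap attached as the NT-Password or LM-Password check item, and classifies it: 16 raw bytes (a hash the server can use as-is), a 32-character hex string (which the server normalizes, as the "[pap] Normalizing NT-Password from hex encoding" lines elsewhere in the thread show), an ASCII hex string of some other length, or something that is not a hash at all. Run on the two values quoted above, it reports 30-character hex strings: the directory attribute holds text, not a 16-byte hash, and not even a complete one, so any MS-CHAPv2 response computed against it cannot match. The last two sample lines are constructed to show a well-formed attribute in both encodings; the hash value in them is arbitrary and not derived from any password.

```python
import re
from typing import Dict, List, Tuple

# rlm_ldap debug line shape seen in the thread:
#   "rlm_ldap: <ldap attribute> -> <check item> == 0x<hex>"
LINE_RE = re.compile(
    r"rlm_ldap: (?P<attr>\S+) -> (?P<item>NT-Password|LM-Password) == (?P<value>0x[0-9A-Fa-f]+)"
)
HEX_TEXT_RE = re.compile(r"^[0-9A-Fa-f]+$")

# NT and LM hashes are both 16 bytes long.
HASH_LEN = 16


def classify_hash_value(value: str) -> Tuple[str, int]:
    """Classify a value attached as an NT-Password/LM-Password check item.

    Returns (kind, length), where kind is one of:
      "raw"                   - exactly 16 bytes: usable directly
      "hex-text"              - 32 ASCII hex characters: normalized by the server
      "hex-text-wrong-length" - ASCII hex characters, but not 32 of them
      "malformed"             - anything else
    """
    raw = bytes.fromhex(value[2:]) if value[:2].lower() == "0x" else value.encode("latin-1")
    if len(raw) == HASH_LEN:
        return "raw", len(raw)
    # "Looks decimal not hex": every byte is an ASCII digit or A-F, i.e. the
    # directory stores the hash as text and rlm_ldap hex-encoded that text.
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "malformed", len(raw)
    if not HEX_TEXT_RE.match(text):
        return "malformed", len(raw)
    if len(text) == 2 * HASH_LEN:
        return "hex-text", len(text)
    return "hex-text-wrong-length", len(text)


def audit_debug(debug_text: str) -> List[Dict]:
    """Scan rlm_ldap debug output and report each NT/LM check item it set."""
    findings = []
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind, length = classify_hash_value(m["value"])
        findings.append({
            "attr": m["attr"],
            "item": m["item"],
            "kind": kind,
            "length": length,
            "usable": kind in ("raw", "hex-text"),
        })
    return findings


# Sample debug lines. The first two carry the values quoted in the thread; the
# last two are constructed (arbitrary hash value, not derived from a password).
CONSTRUCTED_HASH = "00112233445566778899AABBCCDDEEFF"
SAMPLE_DEBUG = "\n".join([
    "rlm_ldap: sambaNtPassword -> NT-Password == 0x414539434130363637413341393742303139423034323645363933373332",
    "rlm_ldap: sambaLmPassword -> LM-Password == 0x363542393930304434314234453336383139463130413944343836384443",
    # directory stores the 32-char hex string; rlm_ldap shows it hex-encoded again
    "rlm_ldap: sambaNtPassword -> NT-Password == 0x" + CONSTRUCTED_HASH.encode("ascii").hex(),
    # directory stores the 16 raw bytes
    "rlm_ldap: sambaNtPassword -> NT-Password == 0x" + CONSTRUCTED_HASH.lower(),
])

if __name__ == "__main__":
    for f in audit_debug(SAMPLE_DEBUG):
        status = "ok" if f["usable"] else "NOT USABLE"
        print(f'{f["attr"]:>16} -> {f["item"]}: {f["kind"]} (length {f["length"]}) {status}')
```

Running it against a `radiusd -X` capture tells you, per entry, whether the check item rlm_ldap is supplying could ever satisfy mschap; in the thread's case the answer is no, which is why removing the attrmap entries and letting the eDirectory Cleartext-Password drive mschap fixed it.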
Re: LDAP & MSCHAP errors
FreeRADIUS Version 2.1.1, for host x86_64-unknown-linux-gnu, built on Nov 10 2008 at 13:18:51
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/mschap.org
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
	prefix = "/usr/local"
	localstatedir = "/usr/local/var"
	logdir = "/usr/local/var/log/radius"
	libdir = "/usr/local/lib"
	radacctdir = "/usr/local/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/local/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "testing123"
	nastype = "other"
}
client 172.16.8.0/24 {
	require_message_authenticator = no
	secret = "testing123"
	shortname = "testing"
}
client 192.168.1.1/32 {
	require_message_authenticator = no
	secret = "w1f1netw0rk"
	shortname = "ArubaController"
}
radiusd: Loading Realms and Home Serv
Re: LDAP & MSCHAP errors
>>>pap against LDAP works fine
>>>chap against LDAP works fine (With ntradping)
>>
>>They used different password.
>
>Do you mean chap and MSCHAPv2 require passwords in different formats or
>something?

No. There is a clear text password stored somewhere.

>I can auth CHAP, but with the same username and password can't auth
>CHAPv2
>(with no config change on freeradius)
>My two debugs show that
>Debug: rlm_ldap: sambaNtPassword -> NT-Password ==
>0x414539434130363637412341393742303139423034323445363933373332
>So the NT-Password is being retrieved from LDAP in both cases.
>

Yes. But chap wasn't using it.

>>A correct password.
>
>Do you think the hash being retrieved from LDAP is wrong then?

Yes.

>If I do put in an incorrect password I do get the same error message.
>

No surprise.

>>*
>>>Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password
>>>"ommitted" for user testuser authentication.
>>*
>>
>>>Where did that come from?
>
>I don't know - inside the chap module?

No.

>It's retrieved from LDAP.

Not that I can see. Post the whole debug and I will tell you where the clear text password is possibly stored.

Ivan Kalik
Kalik Informatika ISP
Re: LDAP & MSCHAP errors
>>pap against LDAP works fine
>>chap against LDAP works fine (With ntradping)
>
>They used different password.

Do you mean chap and MSCHAPv2 require passwords in different formats or something? I can auth CHAP, but with the same username and password can't auth CHAPv2 (with no config change on freeradius). My two debugs show that

Debug: rlm_ldap: sambaNtPassword -> NT-Password == 0x414539434130363637412341393742303139423034323445363933373332

So the NT-Password is being retrieved from LDAP in both cases.

>
>>BUT - MSCHAPv2 gives "FAILED: MS-CHAP2-Response is incorrect"
>>Am I missing something required for MSCHAP to work? The NT-Password
>>seems to be retrieved...
>>
>
>A correct password.

Do you think the hash being retrieved from LDAP is wrong then? If I do put in an incorrect password I do get the same error message. Does anyone have Freeradius working with MSCHAP against eDir?

>
>>Working CHAP debug from ntradping:
>>
>>Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for check items in
>>directory...
>>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: acctFlags ->
>>SMB-Account-CTRL-TEXT == "[UX ]"
>>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaNtPassword ->
>>NT-Password ==
>>0x414539434130363637413341393742303139423034323645363933373332
>>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaLmPassword ->
>>LM-Password ==
>>0x363542393930304434314234453336383139463130413944343836384443
>>Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for reply items in
>>directory...
>>Tue Nov 11 10:10:26 2008 : Info: [ldap] user testuser authorized to use
>>remote access
>>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: ldap_release_conn: Release
>>Id: 0
>>Tue Nov 11 10:10:26 2008 : Info: ++[ldap] returns ok
>>Tue Nov 11 10:10:26 2008 : Info: ++[expiration] returns noop
>>Tue Nov 11 10:10:26 2008 : Info: ++[logintime] returns noop
>>Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing NT-Password from hex
>>encoding
>>Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing LM-Password from hex
>>encoding
>>Tue Nov 11 10:10:26 2008 : Info: [pap] Found existing Auth-Type, not
>>changing it.
>>Tue Nov 11 10:10:26 2008 : Info: ++[pap] returns noop
>>Tue Nov 11 10:10:26 2008 : Info: Found Auth-Type = CHAP
>>Tue Nov 11 10:10:26 2008 : Info: +- entering group CHAP {...}
>>Tue Nov 11 10:10:26 2008 : Info: [chap] login attempt by "testuser"
>>with CHAP password
>
>*
>>Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password
>>"ommitted" for user testuser authentication.
>*
>
>>Where did that come from?

I don't know - inside the chap module? It's retrieved from LDAP. I'm using the default modules/chap - it just says:

chap {
	# no configuration
}

>
>>Tue Nov 11 10:10:26 2008 : Info: [chap] chap user testuser
>>authenticated succesfully
>
>>Default configuration in modules/mschap and modules/chap
>>In sites-enabled/default
>>authorize {
>>ldap
>>}
>
>That is obviously untrue from your debug.

Just checked again, modules/mschap has nothing unhashed. modules/chap has as above with # no configuration

>
>Try doing pap with that NT-Password from ldap (remove clear text password
>entry wherever it is).

Yeah - PAP works perfectly, chap works perfectly, MSCHAP doesn't.

Thanks

>
>Ivan Kalik
>Kalik Informatika ISP
Re: LDAP & MSCHAP errors
>We are trying to set up freeRADIUS 2.1.1 against eDirectory LDAP and
>getting problems.
>(Trying SLES 10 SP2 32bit and 64 bit)
>pap against LDAP works fine
>chap against LDAP works fine (With ntradping)

They used different password.

>BUT - MSCHAPv2 gives "FAILED: MS-CHAP2-Response is incorrect"
>Am I missing something required for MSCHAP to work? The NT-Password
>seems to be retrieved...
>

A correct password.

>Working CHAP debug from ntradping:
>
>Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for check items in
>directory...
>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: acctFlags ->
>SMB-Account-CTRL-TEXT == "[UX ]"
>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaNtPassword ->
>NT-Password ==
>0x414539434130363637413341393742303139423034323645363933373332
>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: sambaLmPassword ->
>LM-Password ==
>0x363542393930304434314234453336383139463130413944343836384443
>Tue Nov 11 10:10:26 2008 : Info: [ldap] looking for reply items in
>directory...
>Tue Nov 11 10:10:26 2008 : Info: [ldap] user testuser authorized to use
>remote access
>Tue Nov 11 10:10:26 2008 : Debug: rlm_ldap: ldap_release_conn: Release
>Id: 0
>Tue Nov 11 10:10:26 2008 : Info: ++[ldap] returns ok
>Tue Nov 11 10:10:26 2008 : Info: ++[expiration] returns noop
>Tue Nov 11 10:10:26 2008 : Info: ++[logintime] returns noop
>Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing NT-Password from hex
>encoding
>Tue Nov 11 10:10:26 2008 : Info: [pap] Normalizing LM-Password from hex
>encoding
>Tue Nov 11 10:10:26 2008 : Info: [pap] Found existing Auth-Type, not
>changing it.
>Tue Nov 11 10:10:26 2008 : Info: ++[pap] returns noop
>Tue Nov 11 10:10:26 2008 : Info: Found Auth-Type = CHAP
>Tue Nov 11 10:10:26 2008 : Info: +- entering group CHAP {...}
>Tue Nov 11 10:10:26 2008 : Info: [chap] login attempt by "testuser"
>with CHAP password

*
>Tue Nov 11 10:10:26 2008 : Info: [chap] Using clear text password
>"ommitted" for user testuser authentication.
*

Where did that come from?

>Tue Nov 11 10:10:26 2008 : Info: [chap] chap user testuser
>authenticated succesfully

>Default configuration in modules/mschap and modules/chap
>In sites-enabled/default
>authorize {
>ldap
>}

That is obviously untrue from your debug.

Try doing pap with that NT-Password from ldap (remove clear text password entry wherever it is).

Ivan Kalik
Kalik Informatika ISP