Hi, 

I've started using FreeIPA and got fascinated with its capabilities, but 
recently I tried to configure FreeRADIUS integration
for WiFi authentication and ran into some issues.

I've configured LDAP integration, and when I run a test everything seems fine:

----
radtest dmitry.fedorov fedor 127.0.0.1 100 testing123
Sending Access-Request Id 93 from 0.0.0.0:54153 to 127.0.0.1:1812
        User-Name = 'dmitry.fedorov'
        User-Password = 'fedor'
        NAS-IP-Address = 10.0.0.12
        NAS-Port = 100
        Message-Authenticator = 0x00
Received Access-Accept Id 93 from 127.0.0.1:1812 to 127.0.0.1:54153 length 20
----

But when I try to do a real-world test and run authentication on a wifi device 
I get this:

----
(10)  ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module 
failed
(10)  eap : Failed in EAP select
(10)   [eap] = invalid
(10)  } #  authenticate = invalid
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10)  Post-Auth-Type REJECT {
(10)  attr_filter.access_reject : EXPAND %{User-Name}
(10)  attr_filter.access_reject :    --> dmitry.fedorov
(10)  attr_filter.access_reject : Matched entry DEFAULT at line 11
(10)   [attr_filter.access_reject] = updated
(10)  eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(10)   [eap] = noop
(10)   remove_reply_message_if_eap remove_reply_message_if_eap {
(10)     if (&reply:EAP-Message && &reply:Reply-Message) 
(10)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(10)    else else {
(10)     [noop] = noop
(10)    } # else else = noop
(10)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(10)  } # Post-Auth-Type REJECT = updated
(10) Delaying response for 1 seconds
Waking up in 0.1 seconds.
Waking up in 0.6 seconds.
(10) Sending delayed response
(10) Sending Access-Reject packet to host 10.0.0.139 port 62980, id=23, length=0
(10)    EAP-Message = 0x040a0004
(10)    Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Reject Id 23 from 10.0.0.12:1812 to 10.0.0.139:62980
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x0000000000000000000000000000000
----

Before this I see a couple of other errors in the debug output:
----
WARNING: mschap : No Cleartext-Password configured.  Cannot create LM-Password
(9)    WARNING: mschap : No Cleartext-Password configured.  Cannot create 
NT-Password
(9)    mschap : Creating challenge hash with username: dmitry.fedorov
(9)    mschap : Client is using MS-CHAPv2
(9)    ERROR: mschap : FAILED: No NT/LM-Password.  Cannot perform authentication
(9)    ERROR: mschap : MS-CHAP2-Response is incorrect
(9)     [mschap] = reject
(9)    } # Auth-Type MS-CHAP = reject
----

and

----
ldap : Processing user attributes
(2)  WARNING: ldap : No "known good" password added. Ensure the admin user has 
permission to read the password attribute
(2)  WARNING: ldap : PAP authentication will *NOT* work with Active Directory 
(if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
(2)   [ldap] = ok
(2)    if ((ok || updated) && User-Password) 
(2)    if ((ok || updated) && User-Password)  -> FALSE
(2)   [expiration] = noop
(2)   [logintime] = noop
(2)  WARNING: pap : No "known good" password found for the user.  Not setting 
Auth-Type
(2)  WARNING: pap : Authentication will fail unless a "known good" password is 
available
(2)   [pap] = noop
----

At first I thought the problem was in the "known good" password, but if it was, 
most likely the 'radtest' string would not work.
And if I change the base_dn to a wrong one, the test fails at once. From my 
point of view it proves that FreeRADIUS is able to get to LDAP, but there is 
some other error present.
Maybe I'm wrong.

Please help to understand what is wrong with my setup.


Regards,
Boris
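
A small triage script, added here as an illustration and not part of the original post or of FreeRADIUS/FreeIPA themselves: it scans `radiusd -X` debug output for the messages quoted above and maps each to what it says about the authentication path. The sample log is constructed from the lines in this mail; the rule texts and the verdict encode the usual reading of those messages (mschap needs an NT-Password or Cleartext-Password that rlm_ldap can only supply when the bind account can read a password attribute, while a plain radtest carries a User-Password and goes through the LDAP bind path instead) and are this example's own interpretation, not something the post confirms.

```python
import re
from typing import Dict, List

# Ordered (pattern, module, meaning) rules. Patterns target the message text that
# FreeRADIUS prints in debug mode; the leading "(N)" request prefix is ignored.
RULES = [
    (re.compile(r'mschap\s*:\s*FAILED: No NT/LM-Password'), "mschap",
     "MS-CHAPv2 (the inner method of PEAP) needs NT-Password or Cleartext-Password "
     "in the request; no module upstream supplied one."),
    (re.compile(r'ldap\s*:\s*No "known good" password added'), "ldap",
     "rlm_ldap did not get a readable password attribute for the user, so it "
     "cannot set NT-Password/Cleartext-Password for mschap."),
    (re.compile(r'if \(\(ok \|\| updated\) && User-Password\)\s+-> FALSE'), "ldap-bind",
     "The request carries no User-Password (EAP does not send one), so the LDAP "
     "bind path that a plain radtest exercises is skipped."),
    (re.compile(r'pap\s*:\s*No "known good" password found'), "pap",
     "rlm_pap has no stored password to compare against; it cannot help an EAP request."),
    (re.compile(r'Failed continuing EAP PEAP'), "eap",
     "The PEAP tunnel came up, but the inner authentication failed."),
]

# Constructed sample: the relevant lines from the debug output quoted in the mail.
SAMPLE_DEBUG = """\
(2)  WARNING: ldap : No "known good" password added. Ensure the admin user has
permission to read the password attribute
(2)   [ldap] = ok
(2)    if ((ok || updated) && User-Password)  -> FALSE
(2)  WARNING: pap : No "known good" password found for the user.  Not setting
Auth-Type
(9)    mschap : Client is using MS-CHAPv2
(9)    ERROR: mschap : FAILED: No NT/LM-Password.  Cannot perform authentication
(9)    ERROR: mschap : MS-CHAP2-Response is incorrect
(10)  ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module
failed
(10) Failed to authenticate the user
"""


def diagnose(debug_output: str) -> List[Dict[str, str]]:
    """Return one finding per matched rule, in rule order, with the first
    matching line so the reader can locate it in the full debug output."""
    findings = []
    for pattern, module, meaning in RULES:
        for line in debug_output.splitlines():
            if pattern.search(line):
                findings.append({"module": module, "line": line.strip(), "meaning": meaning})
                break
    return findings


def verdict(findings: List[Dict[str, str]]) -> str:
    """Combine findings into a one-line conclusion for the operator."""
    modules = {f["module"] for f in findings}
    if {"mschap", "ldap"} <= modules:
        return ("PAP via LDAP bind works, but MS-CHAPv2 cannot: the directory returned "
                "no password attribute the RADIUS bind account can read, so nothing "
                "can populate NT-Password for mschap.")
    if "mschap" in modules:
        return "MS-CHAPv2 has no NT-Password; check which module is expected to supply it."
    if "eap" in modules:
        return "EAP inner method failed for a reason these rules do not cover."
    return "No known failure signature found."


if __name__ == "__main__":
    found = diagnose(SAMPLE_DEBUG)
    for f in found:
        print(f"[{f['module']}] {f['line']}\n    -> {f['meaning']}")
    print("\nVerdict:", verdict(found))
```

Run it against a full `radiusd -X` capture instead of the embedded sample to check whether the same combination (mschap failing for lack of NT-Password, rlm_ldap adding no "known good" password, and the bind branch skipped) appears; the distinction it draws is the one that matters here: radtest succeeds through an LDAP bind with the cleartext User-Password, while PEAP/MS-CHAPv2 never has one and must be given a password hash by the directory.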

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project