Thanks for the help, Alan.
> Add a '0x' to the start of the NT password hash in the LDAP
> database.
I've tried that. Here's what my output looks like when I prepend the
ntpassword from the LDAP with '0x':
rad_recv: Access-Request packet from host 10.32.3.253:1070, id=40, length=223
User-Name = "leap_test"
Cisco-AVPair = "ssid=tsunami"
NAS-IP-Address = 10.32.3.253
Called-Station-Id = "000d653d6940"
Calling-Station-Id = "0030650d5ce6"
NAS-Identifier = "AP1200-3d6940"
NAS-Port = 37
Framed-MTU = 1400
State = 0x6717451603a62928816ae8c1cb977ea7c18c953ff7fce3a8cc42e450cefc4c51af94e18b
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x02030029110100180ebb2197383b3737df3a4ed5d85c45c8820014bf867add8c6c6561705f74657374
Message-Authenticator = 0xc65aeab8dbe83fab867a97f6e2373055
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for leap_test
radius_xlat: '(uid=leap_test)'
radius_xlat: 'o=PUSD,c=US'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=leap_test)
rlm_ldap: Added password 0x8846F7EAEE8FB117AD06BDD830B7586C in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntpassword as NT-Password, value 0x8846F7EAEE8FB117AD06BDD830B7586C & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user leap_test authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "files" returns notfound
rlm_eap: EAP packet type notification id 3 length 41
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 3 length 41
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - leap
rlm_eap: processing type leap
rlm_eap_leap: Stage 4
rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP
modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Sending Access-Reject of id 40 to 10.32.3.253:1070
EAP-Message = 0x04030004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 1
Going to the next request
>
> The issue is that the NT-Password attribute is of type
> 'octets', which requires a '0x' to start off the string. If
> it doesn't see that, it assumes that the data is a
> double-quoted string, and it uses that verbatim.
Are you referring to the RADIUS attribute 'NT-Password' which (according to
my ldap.attrmap file) maps to my LDAP 'ntpassword' attribute? Because as
far as I can tell, the LDAP data type for the 'ntpassword' attribute is
straight text:
.
.
.
attributetype ( 1.3.6.1.4.1.12430.1.7
NAME 'ntpassword'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
.
.
.
Bryan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html