Okay, well until I figure out if it's possible to use crypted passwds in
LDAP _and_ use MS-CHAPv2, I have managed to get the client to use PAP,
which seems to work okay. I figured since it's tunneled inside of all that
other stuff, it ought to be okay, right?

Thanks to Alan for pointing me in the right direction :)

-David

On Fri, 27 Aug 2004, David Sotnick wrote:

> I still haven't managed to get this to work...
>
> After studying the logs closely, it seems as though the tunneled message
> is requesting MS-CHAP authentication with NT-Password (?). Is this
> typical or expected?
>
> radiusd.conf:
>
> authorize {
>          preprocess
>          chap
>          mschap
>          suffix
>          eap
>          files
>          ldap
> }
>
> authenticate {
>          Auth-Type MS-CHAP {
>                  mschap
>          }
>          Auth-Type LDAP {
>                  ldap
>          }
>          eap
> }
>
> Log file:
>
>   rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 4
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
>   modcall[authorize]: module "preprocess" returns ok for request 4
>   modcall[authorize]: module "chap" returns noop for request 4
>   rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = MS-CHAP'
>   modcall[authorize]: module "mschap" returns ok for request 4
>     rlm_realm: No '@' in User-Name = "sotnickd", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 4
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 4
>   modcall[authorize]: module "files" returns notfound for request 4
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for sotnickd
> radius_xlat:  '(uid=sotnickd)'
> radius_xlat:  'o=ddv.com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in o=ddv.com, with filter (uid=sotnickd)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user sotnickd authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 4
> modcall: group authorize returns ok for request 4
>   rad_check_password:  Found Auth-Type MS-CHAP
> auth: type "MS-CHAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 4
>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for sotnickd with NT-Password
>   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>   modcall[authenticate]: module "mschap" returns reject for request 4
> modcall: group Auth-Type returns reject for request 4
> auth: Failed to validate the user.
>   TTLS: Got tunneled Access-Reject
>  rlm_eap: Handler failed in EAP/ttls
>   rlm_eap: Failed in EAP select
>   modcall[authenticate]: module "eap" returns invalid for request 4
> modcall: group authenticate returns invalid for request 4
> auth: Failed to validate the user.
> Delaying request 4 for 1 seconds
> Finished request 4
> Going to the next request
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 192.168.250.12:1122, id=168, length=285
> Sending Access-Reject of id 168 to 192.168.250.12:1122
>         EAP-Message = 0x04b10004
>         Message-Authenticator = 0x00000000000000000000000000000000
> --- Walking the entire request list ---
> Cleaning up request 0 ID 164 with timestamp 412f9426
> Cleaning up request 1 ID 165 with timestamp 412f9426
> Cleaning up request 2 ID 166 with timestamp 412f9426
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 3 ID 167 with timestamp 412f9427
> Cleaning up request 4 ID 168 with timestamp 412f9427
> Nothing to do.  Sleeping until we see a request.
>
> Any help is greatly appreciated. It seems like I'm so close, but
> something's just not right.
>
> Thanks!
>
> -David
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
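
As an added example (not part of the original messages and not FreeRADIUS code), this Python script reads debug output like the log quoted above and reports which Auth-Type was selected, which password attributes the mschap module could not build, and which module rejected the request. The function name `diagnose` is an assumption made for illustration; the embedded log lines are copied from the quoted log.

```python
import re

# Excerpt of the debug log quoted in the message above (request 4 only).
SAMPLE_LOG = """\
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = MS-CHAP'
  modcall[authorize]: module "ldap" returns ok for request 4
  rad_check_password:  Found Auth-Type MS-CHAP
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for sotnickd with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  modcall[authenticate]: module "mschap" returns reject for request 4
  TTLS: Got tunneled Access-Reject
"""

AUTH_TYPE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
MODULE_RESULT = re.compile(r'modcall\[(\w+)\]: module "([\w-]+)" returns (\w+) for request (\d+)')
MISSING_PW = re.compile(r"rlm_mschap: No User-Password configured\.\s+Cannot create (LM|NT)-Password")


def diagnose(log_text):
    """Summarise why a tunneled authentication was rejected (hypothetical helper)."""
    summary = {"tunneled": False, "auth_type": None, "missing": [],
               "rejected_by": None, "diagnosis": None}
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("rlm_eap_ttls: Session established"):
            summary["tunneled"] = True          # inner (tunneled) request follows
        elif m := AUTH_TYPE.search(line):
            summary["auth_type"] = m.group(1)   # Auth-Type chosen in authorize
        elif m := MISSING_PW.search(line):
            summary["missing"].append(m.group(1) + "-Password")
        elif (m := MODULE_RESULT.search(line)) and m.group(3) == "reject":
            summary["rejected_by"] = m.group(2)  # module that returned reject
    # The case shown in the quoted log: MS-CHAP selected, no usable password.
    if (summary["auth_type"] == "MS-CHAP" and summary["missing"]
            and summary["rejected_by"] == "mschap"):
        summary["diagnosis"] = ("mschap had no clear-text User-Password or NT/LM hash "
                                "to check the response against")
    return summary


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```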
