Hi
I’m still trying to get this working. I’m using an XP machine plugged into an
edge switch acting as a NAS. I’m using the PEAP/MSCHAP in XP to authenticate
against an LDAP directory. In that directory, we have created an attribute
called ntPasssword which I have populated with the word ‘password’ (create, I
know!). Below is what I get when I run in debug mode.
In ldap.attrmap I have the line:
checkItem NT-Password ntPassword
in radiusd.conf in my ldap declaration, I have:
password_attribute = ntPassword
I can’t quite figure out what’s going on below. Looks to me like the passwords
are not matching. Any advice is appreciated.
Thanks
rad_recv: Access-Request packet from host 11.2.19.3 port 2048, id=3, length=102
NAS-IP-Address = 11.2.19.3
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Message-Authenticator = 0xfbe3f8eb4dd656189f641a6aef2a8e59
NAS-Port = 2
Framed-MTU = 1490
User-Name = "mda"
Calling-Station-Id = "00-11-25-81-1D-DA"
EAP-Message = 0x02030008016d6461
Wed Jun 11 09:42:02 2008 : Debug: +- entering group authorize
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling preprocess
(rlm_preprocess) for request 1
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 1
Wed Jun 11 09:42:02 2008 : Debug: ++[preprocess] returns ok
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling suffix
(rlm_realm) for request 1
Wed Jun 11 09:42:02 2008 : Debug: rlm_realm: No '@' in User-Name = "mda",
looking up realm NULL
Wed Jun 11 09:42:02 2008 : Debug: rlm_realm: No such realm "NULL"
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from suffix
(rlm_realm) for request 1
Wed Jun 11 09:42:02 2008 : Debug: ++[suffix] returns noop
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling unbldap
(rlm_ldap) for request 1
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: - authorize
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: performing user authorization for
mda
Wed Jun 11 09:42:02 2008 : Debug: WARNING: Deprecated conditional expansion
":-". See "man unlang" for details
Wed Jun 11 09:42:02 2008 : Debug: expand:
(uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=mda)
Wed Jun 11 09:42:02 2008 : Debug: expand: ou=people,dc=unb,dc=ca ->
ou=people,dc=unb,dc=ca
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: performing search in
ou=people,dc=unb,dc=ca, with filter (uid=mda)
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: Added User-Password =
å,¬gA??"J;???¦Ëm in check items
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: looking for check items in
directory...
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: LDAP attribute ntPassword as RADIUS
attribute NT-Password == 0xe52cac67419a9a224a3b108f3fa6cb6d
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: looking for reply items in
directory...
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: user mda authorized to use remote
access
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from unbldap
(rlm_ldap) for request 1
Wed Jun 11 09:42:02 2008 : Debug: ++[unbldap] returns ok
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling mschap
(rlm_mschap) for request 1
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from mschap
(rlm_mschap) for request 1
Wed Jun 11 09:42:02 2008 : Debug: ++[mschap] returns noop
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling mschap
(rlm_mschap) for request 1
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from mschap
(rlm_mschap) for request 1
Wed Jun 11 09:42:02 2008 : Debug: ++[mschap] returns noop
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling files
(rlm_files) for request 1
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from files
(rlm_files) for request 1
Wed Jun 11 09:42:02 2008 : Debug: ++[files] returns noop
Wed Jun 11 09:42:02 2008 : Debug:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jun 11 09:42:02 2008 : Debug: !!! Replacing User-Password in config
items with Cleartext-Password. !!!
Wed Jun 11 09:42:02 2008 : Debug:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jun 11 09:42:02 2008 : Debug: !!! Please update your configuration so that
the "known good" !!!
Wed Jun 11 09:42:02 2008 : Debug: !!! clear text password is in
Cleartext-Password, and not in User-Password. !!!
Wed Jun 11 09:42:02 2008 : Debug:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jun 11 09:42:02 2008 : Debug: auth: type Local
Wed Jun 11 09:42:02 2008 : Debug: auth: No User-Password or CHAP-Password
attribute in the request
Wed Jun 11 09:42:02 2008 : Debug: auth: Failed to validate the user.
Wed Jun 11 09:42:02 2008 : Auth: Login incorrect: [mda] (from client hh932 port
2 cli 00-11-25-81-1D-DA)
Wed Jun 11 09:42:02 2008 : Debug: Delaying reject of request 1 for 1 seconds
Wed Jun 11 09:42:02 2008 : Debug: Going to the next request
Wed Jun 11 09:42:02 2008 : Debug: Waking up in 0.9 seconds.
Wed Jun 11 09:42:03 2008 : Debug: Sending delayed reject for request 1
Sending Access-Reject of id 3 to 11.2.19.3 port 2048
Wed Jun 11 09:42:03 2008 : Debug: Waking up in 4.9 seconds.
Wed Jun 11 09:42:08 2008 : Debug: Cleaning up request 1 ID 3 with timestamp +355
Wed Jun 11 09:42:08 2008 : Debug: Ready to process requests.
Matt
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, June 10, 2008 11:21 AM
To: [email protected]
Subject: RE: FR and PEAP question
eapol_test from wpa_supplicant
JRadius Simulator
Ivan Kalik
Kalik Informatika ISP
Dana 10/6/2008, "Matt Ashfield" <[EMAIL PROTECTED]> piše:
>I'd like to test this with PEAP/MSCHAP requests if possible. Is there a
>howto? Clearly I'm down the wrong path here.
>
>Matt
>[EMAIL PROTECTED]
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf
>Of Ivan Kalik
>Sent: Tuesday, June 10, 2008 11:02 AM
>To: [email protected]
>Subject: RE: FR and PEAP question
>
>FreeRADIUS-Proxied-To == 127.0.0.1 will match only for eap requests. You
>can't test for it with pap requests (radtest).
>
>Ivan Kalik
>Kalik Informatika ISP
>
>
>Dana 10/6/2008, "Matt Ashfield" <[EMAIL PROTECTED]> piše:
>
>>I thought it would get referenced because in my users file I have:
>>
>>DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS,
>>unbldap-Ldap-Group == staff, Autz-Type := Ldap1
>> User-Name=`%{User-Name}`,
>> Tunnel-Private-Group-Id=staff,
>> Tunnel-Type=VLAN,
>> Fall-Through = no
>>
>>And in huntgroups I have this. Although I am unsure if this is correct.
>>UNBFWSS NAS-IP-Address == 127.0.0.1
>>
>>
>>Matt
>>[EMAIL PROTECTED]
>>
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf
>>Of Ivan Kalik
>>Sent: Tuesday, June 10, 2008 10:36 AM
>>To: [email protected]
>>Subject: RE: FR and PEAP question
>>
>>>The password that is being supplied by radtest is in plain-text, should I
>>be
>>>supplying it in ntPassword-encrypted format?
>>
>>No.
>>
>>>
>>>It looks to me like I have something wrong with my authenticate section.
>>>
>>>My authorize section looks like:
>>>authorize {
>>> preprocess
>>> chap
>>> mschap
>>> suffix
>>> eap
>>> Autz-Type Ldap1 {
>>> redundant-load-balance{
>>> unbldap
>>> unbldap2
>>> }
>>> mschap
>>> }
>>>}
>>>
>>
>>Not really. You just haven't called that Autz-Type anywhere.
>>
>>Ivan Kalik
>>Kalik Informatika ISP
>>
>>-
>>List info/subscribe/unsubscribe? See
>>http://www.freeradius.org/list/users.html
>>
>>
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
