Hi all,
I'm using EAP for authentication on a wired connection (using FreeRADIUS 2.0.5 and an LDAP backend). Most of our clients are Windows machines, so there's little choice for using EAP, that is, EAP-MD5 and PEAP MSCHAPv2. Using EAP-MD5 there isn't any problem; the problem begins with PEAP MSCHAPv2.

The debug:
-----------------------------------------------------------------
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=xxx,dc=com, with filter (uid=testing)
rlm_ldap: checking if remote access for testing is allowed by uid
rlm_ldap: Added User-Password = Testing10 in check items
---------------------------------------------------------------
Clearly FreeRADIUS can see the password, and it is also clear text :)
Below I also added the Samba schema, which contains the LM and NT passwords:
---------------------------------------------------------------
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusLoginTime as RADIUS attribute Login-Time == "Wk0800-1800"
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0x54657374696e6731
rlm_ldap: LDAP attribute lmPassword as RADIUS attribute LM-Password == 0x54657374696e6731
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = "101"
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN
rlm_ldap: LDAP attribute radiusFramedProtocol as RADIUS attribute Framed-Protocol = PPP
rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute Service-Type = Framed-User
rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
-------------------------------------------------------------------
The mschap module says there is no clear text password and also that it can't create the LM and NT passwords:
-------------------------------------------------------------------
   +- entering group MS-CHAP
 rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
 rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
 rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [testing/<via Auth-Type = EAP>] (from client dotix port 0)
 PEAP: Tunneled authentication was rejected.

Can anyone help? Thanks


Ryan Setiawan H
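
A quick check of the password attributes in the debug output above, as an added example that is not part of the original post and not FreeRADIUS code: it flags NT-Password/LM-Password values that are not 16-byte hashes (32 hex digits) and any attribute rlm_mschap asks for that rlm_ldap did not add. The function name `audit` and the regular expressions are assumptions of this example; the sample log lines are copied from the post.

```python
import re

# Sample input: debug lines copied from the post above.
DEBUG_LOG = """\
rlm_ldap: Added User-Password = Testing10 in check items
rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0x54657374696e6731
rlm_ldap: LDAP attribute lmPassword as RADIUS attribute LM-Password == 0x54657374696e6731
 rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
"""

HASH_HEX_DIGITS = 32  # NT and LM hashes are 16 bytes each
HASH_LINE = re.compile(r"RADIUS attribute (NT|LM)-Password == 0x([0-9a-fA-F]+)")
ADDED_LINE = re.compile(r"rlm_ldap: Added ([\w-]+) = ")
WANTED_LINE = re.compile(r"rlm_mschap: No ([\w-]+) configured")


def audit(log):
    """Return a list of findings about the password attributes in a debug log."""
    findings = []
    for kind, hexval in HASH_LINE.findall(log):
        if len(hexval) == HASH_HEX_DIGITS:
            continue  # plausible hash length, nothing to report
        note = (f"{kind}-Password has {len(hexval)} hex digits, "
                f"expected {HASH_HEX_DIGITS}")
        if len(hexval) % 2 == 0:
            raw = bytes.fromhex(hexval)
            # A value that decodes to readable text is not a hash.
            if all(0x20 <= b < 0x7F for b in raw):
                note += f"; bytes are printable ASCII {raw.decode('ascii')!r}"
        findings.append(note)
    # Compare what rlm_mschap asked for with what rlm_ldap actually added.
    added = set(ADDED_LINE.findall(log))
    for wanted in sorted(set(WANTED_LINE.findall(log))):
        if wanted not in added:
            findings.append(
                f"rlm_mschap wants {wanted}, rlm_ldap added {sorted(added)}")
    return findings


if __name__ == "__main__":
    for finding in audit(DEBUG_LOG):
        print("-", finding)
```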
