Re: Doubt - Freeradius + Ldap

Fri, 05 Nov 2010 11:56:13 -0700 

sorry, but where i checked the shared secret? in clients.conf?

if yes, secret is ok!

thanks for any help.



On 11/04/2010 09:51 AM, eduardo moreira wrote:
SOrry about this mail Josip, but i checked again my clients.conf, and i put conf here for u see. 

clients.conf
client 127.0.0.1 {
        secret          = password
        shortname       = localhost
        nastype     = other     # localhost isn't usually a NAS...
}
client 10.12.60.19 {
        secret      = password
        shortname   = any
        nastype     = other
}

and i use this command to test connection:
radtest username 123456 10.12.60.19 1812 0 password

And i see log of debug and receive this message:
Mon Nov  1 15:06:16 2010 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 10.12.60.19 port 50105, id=100, length=73 
    User-Name = "username"
    User-Password = "c\355W'\021tC\372\177R\232(\007\027n\263"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 1812
    Framed-Protocol = PPP
Thu Nov  4 09:30:02 2010 : Debug: +- entering group authorize
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1 Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1 
Thu Nov  4 09:30:02 2010 : Debug: ++[preprocess] returns ok
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1 
Thu Nov  4 09:30:02 2010 : Debug: ++[mschap] returns noop
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 1 
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: - authorize
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: performing user authorization for username 
Thu Nov  4 09:30:02 2010 : Debug:     expand: (uid=%u) -> (uid=username)
Thu Nov 4 09:30:02 2010 : Debug: expand: dc=a,dc=a,dc=c,dc=b -> dc=a,dc=a,dc=c,dc=b 
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: performing search in dc=a,dc=a,dc=c,dc=b,dc=a,dc=a,dc=c,dc=b, with filter (uid=username) Thu Nov 4 09:30:02 2010 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost. 
Thu Nov  4 09:30:02 2010 : Info: rlm_ldap: Attempting reconnect
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: attempting LDAP reconnection
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: closing existing LDAP connection Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: (re)connect to ldap.intra proxy.intra localhost:389, authentication 0 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: bind as cn=Administrator,dc=a,dc=c,dc=a,dc=c,dc=b/password to ldap.intra proxy.intra localhost:389 
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: waiting for bind result ...
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: Bind was successful
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: performing search in dc=a,dc=c,dc=a,dc=a,dc=c,dc=a,dc=c, with filter (uid=username) Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: Added User-Password = {crypt}tg/iHj5yM2iXI in check items 
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: No default NMAS login sequence
Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: looking for check items in directory... Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute userPassword as RADIUS attribute Password-With-Header == "{crypt}tg/iHj5yM2iXI" Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute sambantPassword as RADIUS attribute NT-Password == 0x3738463934413643303931413730423936454135373046344341353438304531 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute sambalmPassword as RADIUS attribute LM-Password == 0x3743414142444638393134314430423841414433423433354235313430344545 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute cn as RADIUS attribute Group == "username" Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: looking for reply items in directory... Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: user username authorized to use remote access Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 1 
Thu Nov  4 09:30:02 2010 : Debug: ++[ldap] returns ok
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 1 
Thu Nov  4 09:30:02 2010 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 1 
Thu Nov  4 09:30:02 2010 : Debug: ++[eap] returns noop
Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 1 
Thu Nov  4 09:30:02 2010 : Debug: ++[chap] returns noop
Thu Nov 4 09:30:02 2010 : Debug: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thu Nov 4 09:30:02 2010 : Debug: !!! Replacing User-Password in config items with Cleartext-Password. !!! Thu Nov 4 09:30:02 2010 : Debug: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thu Nov 4 09:30:02 2010 : Debug: !!! Please update your configuration so that the "known good" !!! Thu Nov 4 09:30:02 2010 : Debug: !!! clear text password is in Cleartext-Password, and not in User-Password. !!! Thu Nov 4 09:30:02 2010 : Debug: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
Thu Nov  4 09:30:02 2010 : Debug: auth: type Local
Thu Nov 4 09:30:02 2010 : Debug: auth: user supplied User-Password does NOT match local User-Password 
Thu Nov  4 09:30:02 2010 : Debug: auth: Failed to validate the user.
Thu Nov 4 09:30:02 2010 : Auth: Login incorrect: [username/c\355W'\021tC\372\177R\232(\007\027n\263] (from client any port 1812) Thu Nov 4 09:30:02 2010 : Debug: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Thu Nov 4 09:30:02 2010 : Debug: Delaying reject of request 1 for 1 seconds 
Thu Nov  4 09:30:02 2010 : Debug: Going to the next request
Thu Nov  4 09:30:02 2010 : Debug: Waking up in 0.9 seconds.
Thu Nov  4 09:30:03 2010 : Debug: Sending delayed reject for request 1
Sending Access-Reject of id 100 to 10.12.60.19 port 50105
Thu Nov  4 09:30:03 2010 : Debug: Waking up in 4.9 seconds.
Thu Nov 4 09:30:08 2010 : Debug: Cleaning up request 1 ID 100 with timestamp +239035 
Thu Nov  4 09:30:08 2010 : Debug: Ready to process requests.
if u see here: Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: user username authorized to use remote access my username is authorized to use, but in last line appears failed to validade the user ... Thu Nov 4 09:30:02 2010 : Debug: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thu Nov 4 09:30:02 2010 : Debug: !!! Replacing User-Password in config items with Cleartext-Password. !!! Thu Nov 4 09:30:02 2010 : Debug: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thu Nov 4 09:30:02 2010 : Debug: !!! Please update your configuration so that the "known good" !!! Thu Nov 4 09:30:02 2010 : Debug: !!! clear text password is in Cleartext-Password, and not in User-Password. !!! Thu Nov 4 09:30:02 2010 : Debug: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
Thu Nov  4 09:30:02 2010 : Debug: auth: type Local
Thu Nov 4 09:30:02 2010 : Debug: auth: user supplied User-Password does NOT match local User-Password 
Thu Nov  4 09:30:02 2010 : Debug: auth: Failed to validate the user.
Thu Nov 4 09:30:02 2010 : Auth: Login incorrect: [username/c\355W'\021tC\372\177R\232(\007\027n\263] (from client any port 1812) Thu Nov 4 09:30:02 2010 : Debug: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! 

sorry josip, i chek again my clients.conf but i still dont uderstand.

thanks again for u help.



2010/11/1 Josip Rodin <j...@entuzijast.net <mailto:j...@entuzijast.net>>

    On Tue, Nov 02, 2010 at 07:30:23AM +1300, Peter Lambrechtsen wrote:
    > It's probably since you didn't compile OpenLDAP and FreeRadius
    with OpenSSL
    > support.
    >
    > So you will need to recompile OpenLDAP, Cyrus SASL, OpenLDAP and
    FreeRadius.

    No, no, no, and no. <sigh>

    If you want to read random debug messages, don't pick just any.

    Yes, he doesn't have SSL support, but the log also says pretty
    clearly:

    > > Mon Nov  1 15:06:10 2010 : Debug:   rlm_eap: No EAP-Message,
    not doing EAP

    When the client does not use EAP, it's completely irrelevant that
    the server
    doesn't have support for SSL-using EAP methods.

    And there's clearly no reason to recompile even FR, let alone
    three other
    different pieces of software. (For the former, just use
    lenny-backports.)

    The final error state is:

    > > Mon Nov  1 15:06:10 2010 : Auth: Login incorrect:
    > > [eduardo/1\320\026\305\020B)\323I\211????\001\nx\204] (from client
    > > BrasilTelecom port 1812)
    > > Mon Nov  1 15:06:10 2010 : Debug:   WARNING: Unprintable
    characters in the
    > > password.    Double-check the shared secret on the server and
    the NAS!

    So, have you double-checked the shared secret?

    --
        2. That which causes joy or happiness.
    -
    List info/subscribe/unsubscribe? See
    http://www.freeradius.org/list/users.html





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to