[Freeipa-users] FreeIPA & FreeRadius LDAP auth issue

David Kreitschmann david at kreitschmann.de
Tue Apr 12 16:33:01 UTC 2016


Hi,
you are trying to do different things in both cases. radtest does plain-text authentication to ldap, while your real-world example connects as another user and tries to compare the MSCHAPv2 hash.

For MSCHAPv2 to work you need:
- mschapv2 hashes in ldap (samba schema or activate AD trust feature)
- your users will probably need to change their password to create the hash
- read access to those fields for freeradius (create ACI)

You can use eapol_test from wpa_supplicant to check if it works, use this config:

network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="user at freeipa.local"
        anonymous_identity="anonymous"
        password="asdfasdf"
        phase2="autheap=MSCHAPV2"
}


Regards,
David
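As an added illustration of the three requirements above (example code written for this page, not code from the thread, FreeRADIUS or FreeIPA): the MS-CHAPv2 primitives from RFC 2759 in Python. nt_hash() is the value FreeIPA stores in ipaNTHash at the next password change, and challenge_hash() is the 8-byte value the server must DES-encrypt under keys taken from that hash to check the client's NT-Response, so a server that can only bind as the user (what radtest/PAP proved) has nothing to verify against. The password and challenges are constructed sample values; the DES step itself is left out and described in a comment.

```python
"""Why MS-CHAPv2 over RADIUS needs the NT hash from LDAP (RFC 2759 section 8)."""
import hashlib
import struct

M = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & M


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on OpenSSL 3 builds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    n = len(data)
    data += b"\x80" + b"\x00" * ((55 - n) % 64) + struct.pack("<Q", n * 8)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1, F
            f = (b & c) | (~b & d)
            a, d, c, b = d, c, b, _rotl((a + f + x[i]) & M, (3, 7, 11, 19)[i % 4])
        for i in range(16):                                   # round 2, G
            g, k = (b & c) | (b & d) | (c & d), (i % 4) * 4 + i // 4
            a, d, c, b = d, c, b, _rotl((a + g + x[k] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4])
        for i in range(16):                                   # round 3, H
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, d, c, b = d, c, b, _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4])
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 over the UTF-16LE password. FreeIPA can only compute
    this while it sees the cleartext, i.e. at a password change (ipaNTHash)."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: the 8-byte DES plaintext for the NT response.
    Uses the bare user name, no realm (cf. 'Creating challenge hash with username')."""
    return hashlib.sha1(peer_challenge + auth_challenge + user_name.encode()).digest()[:8]


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    peer, auth = bytes(range(16)), bytes(range(16, 32))
    print("NT-Password   :", nt_hash("password").hex())
    print("ChallengeHash :", challenge_hash(peer, auth, "dmitry.fedorov").hex())
    # NT-Response = DES_k1(ch) || DES_k2(ch) || DES_k3(ch) with k1..k3 cut from the
    # 21-byte zero-padded NT hash. Without that hash in the request the module can
    # only log "FAILED: No NT/LM-Password. Cannot perform authentication".
```

Because the NT hash is password-equivalent, the ACI from the third point should grant read access on it to the FreeRADIUS bind identity only, not to ordinary users.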

> On 12.04.2016 at 14:02, Boris Cheperis <boris at datarobot.com> wrote:
> 
> Hi,
> 
> I’ve started using FreeIPA and got fascinated with its capabilities, but recently I tried to configure FreeRadius integration
> for WiFi authentication and ran into some issues.
> 
> I’ve configured ldap integration and when I run a test everything seems fine:
> 
> ----
> radtest dmitry.fedorov fedor 127.0.0.1 100 testing123
> Sending Access-Request Id 93 from 0.0.0.0:54153 to 127.0.0.1:1812
> 	User-Name = 'dmitry.fedorov'
> 	User-Password = 'fedor'
> 	NAS-IP-Address = 10.0.0.12
> 	NAS-Port = 100
> 	Message-Authenticator = 0x00
> Received Access-Accept Id 93 from 127.0.0.1:1812 to 127.0.0.1:54153 length 20
> -----
> 
> But when I try to do a real-world test and run authentication on a wifi device I get this:
> 
> ----
> (10)  ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed
> (10)  eap : Failed in EAP select
> (10)   [eap] = invalid
> (10)  } #  authenticate = invalid
> (10) Failed to authenticate the user
> (10) Using Post-Auth-Type Reject
> (10) # Executing group from file /etc/raddb/sites-enabled/default
> (10)  Post-Auth-Type REJECT {
> (10)  attr_filter.access_reject : EXPAND %{User-Name}
> (10)  attr_filter.access_reject :    --> dmitry.fedorov
> (10)  attr_filter.access_reject : Matched entry DEFAULT at line 11
> (10)   [attr_filter.access_reject] = updated
> (10)  eap : Reply already contained an EAP-Message, not inserting EAP-Failure
> (10)   [eap] = noop
> (10)   remove_reply_message_if_eap remove_reply_message_if_eap {
> (10)     if (&reply:EAP-Message && &reply:Reply-Message)
> (10)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (10)    else else {
> (10)     [noop] = noop
> (10)    } # else else = noop
> (10)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> (10)  } # Post-Auth-Type REJECT = updated
> (10) Delaying response for 1 seconds
> Waking up in 0.1 seconds.
> Waking up in 0.6 seconds.
> (10) Sending delayed response
> (10) Sending Access-Reject packet to host 10.0.0.139 port 62980, id=23, length=0
> (10) 	EAP-Message = 0x040a0004
> (10) 	Message-Authenticator = 0x00000000000000000000000000000000
> Sending Access-Reject Id 23 from 10.0.0.12:1812 to 10.0.0.139:62980
> 	EAP-Message = 0x040a0004
> 	Message-Authenticator = 0x0000000000000000000000000000000
> ----
> 
> before this I see a couple of other errors in the debug output
>> WARNING: mschap : No Cleartext-Password configured.  Cannot create LM-Password
> (9)    WARNING: mschap : No Cleartext-Password configured.  Cannot create NT-Password
> (9)    mschap : Creating challenge hash with username: dmitry.fedorov
> (9)    mschap : Client is using MS-CHAPv2
> (9)    ERROR: mschap : FAILED: No NT/LM-Password.  Cannot perform authentication
> (9)    ERROR: mschap : MS-CHAP2-Response is incorrect
> (9)     [mschap] = reject
> (9)    } # Auth-Type MS-CHAP = reject
> 
> and
> 
> ---
> ldap : Processing user attributes
> (2)  WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
> (2)  WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (4)
> (2)   [ldap] = ok
> (2)    if ((ok || updated) && User-Password)
> (2)    if ((ok || updated) && User-Password)  -> FALSE
> (2)   [expiration] = noop
> (2)   [logintime] = noop
> (2)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type
> (2)  WARNING: pap : Authentication will fail unless a "known good" password is available
> (2)   [pap] = noop
> 
> At first I thought the problem was in the "known good" password, but if it was, most likely the 'radtest' string would not work.
> And if I change the base_dn to a wrong one, the test fails at once. From my point of view it proves that FreeRadius is able to get to ldap, but there is some other error present.
> Maybe I’m wrong.
> 
> Please help to understand what is wrong with my setup.
> 
> 
> Regards,
> Boris
> 
