
List:       freeradius-users
Subject:    Re: router, freeradius, freeipa
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2019-12-20 22:22:43
Message-ID: 0E3383AF-FB1F-43F6-A409-04AB34DF459E () deployingradius ! com

On Dec 19, 2019, at 7:38 PM, Robert <rwt@n-voice.com> wrote:
> I have a feeling I'm really close to getting this to work. Spent a
> lot of time reading old posts and such. If I don't use mschap it works
> (first try). If I use mschap it doesn't (Second try).

  That's always the same issue: password formats.

  Please read the documentation about what to post to the list:

http://wiki.freeradius.org/list-help

  We DON'T need to see the output of radclient.  We DON'T need to see the output of tests which work.

> (1) ldap: control:Password-With-Header +=
> '{PBKDF2_SHA256}AAAIAEhOrJwqZkQ2Xq6WP4lVdbpoUu6uUvswCNAcoxTx1yHPt79yzSK
> ZC1pPccla4Pmnkcj1HPeKF6zuWC0srkIND9fiJuG6Q3Npsd8la6B6smIqgt4mI0WhYtY2Us
> dGd2uloy15ST+tK+WO4pZfOJbZ4zI82qbd3zgzeD1QSnT/F0oxLZ4yUcr6aYbSi1/I4KCYP
> 6tJFb9Cnq8eXXbdp6JCpNw1VCn+a9TYrjCPkP+kwglCX28Ovq9zt8VX5K/19PysnChU9vaX
> ZWwbfiTk0rbissyoBcYIzruO73f18zsyWUYiXHpq0GyybK0d8X4ddC5DxRTDilzZ3GuCBUm
> uFNaviktPV66jfoMclpPI1LFRZJjND5T6/xSTTKIyO7GDrERM2HdX1oVElLKzdBCbu0IfhS
> kHw6dcYaJ2cx5DQM/tdv5u'
> ...
> (1) pap: Unknown header {PBKDF2_SHA256} in Password-With-Header, re-
> writing to Cleartext-Password

  That's pretty clear.

  The passwords are stored in a format that FreeRADIUS doesn't understand.

> (1) mschap: Found Cleartext-Password, hashing to create NT-Password
> (1) mschap: ERROR: Failed generating NT-Password

  Because the Cleartext-Password is *not* that big blob above.

> Please let me know if I can provide anything else that would be useful.
 
  When you join the list, you get sent an email with a link to the wiki.  The email tells you what we need.

> If there is a guide on how to get dd_wrt, freeradius and freeipa
> working I'd like to see that. I've read a bunch of them so far. This is
> the closest I can get.

  The Wiki actually has pretty good documentation, as do the default configuration files.  It's almost 2020.  We don't recommend reading random web pages that are likely years out of date.

> python3-samba-4.11.3-0.fc31.x86_64            Thu 19 Dec 2019 05:50:53
> PM EST

  We don't need to see lists of RPMs on the system.

  Read this web page.  That page has existed for ~15 years, and documents protocol compatibility:

http://deployingradius.com/documents/protocols/compatibility.html

  The "pap" test fails, because you're forcing "Auth-Type := LDAP".  Which means that the LDAP module uses the user's password to do a "bind as user" to LDAP.  So the LDAP server does the authentication.

  LDAP servers do *not* support MS-CHAP authentication.

  Your choices are listed on the web page above.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
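
Added example, not part of the original message or of FreeRADIUS: a small triage script that correlates the two debug messages discussed above per request, flagging requests where an unrecognised Password-With-Header scheme is followed by the mschap NT-Password failure. The function name `diagnose`, the finding labels, and the sample text (constructed from the quoted lines, with the hash replaced by a placeholder) are assumptions for illustration.

```python
import re

# Constructed sample modeled on the debug lines quoted in the message.
# Request 0 is the non-MS-CHAP attempt, request 1 the MS-CHAP attempt.
# The hash value is a placeholder, not a real credential.
SAMPLE_DEBUG = """\
(0) ldap: control:Password-With-Header += '{PBKDF2_SHA256}PLACEHOLDER'
(0) pap: Unknown header {PBKDF2_SHA256} in Password-With-Header, re-writing to Cleartext-Password
(1) ldap: control:Password-With-Header += '{PBKDF2_SHA256}PLACEHOLDER'
(1) pap: Unknown header {PBKDF2_SHA256} in Password-With-Header, re-writing to Cleartext-Password
(1) mschap: Found Cleartext-Password, hashing to create NT-Password
(1) mschap: ERROR: Failed generating NT-Password
"""

LINE = re.compile(r"^\((\d+)\)\s+(\w+):\s+(.*)$")      # "(N) module: message"
UNKNOWN = re.compile(r"Unknown header \{([^}]+)\} in Password-With-Header")
NT_FAIL = "Failed generating NT-Password"


def diagnose(debug_text):
    """Return {request_id: (finding, header)} for password-format problems."""
    unknown = {}        # request id -> unrecognised header name
    nt_failed = set()   # request ids where mschap could not derive NT-Password
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        req, module, msg = int(m.group(1)), m.group(2), m.group(3)
        hdr = UNKNOWN.search(msg)
        if module == "pap" and hdr:
            unknown[req] = hdr.group(1)
        elif module == "mschap" and NT_FAIL in msg:
            nt_failed.add(req)

    findings = {}
    for req in sorted(set(unknown) | nt_failed):
        if req in unknown and req in nt_failed:
            # The stored hash was treated as cleartext, so MS-CHAP cannot work.
            findings[req] = ("mschap-blocked-by-hash", unknown[req])
        elif req in unknown:
            findings[req] = ("unrecognised-header", unknown[req])
        else:
            findings[req] = ("nt-password-failed", None)
    return findings


if __name__ == "__main__":
    for req, (kind, header) in diagnose(SAMPLE_DEBUG).items():
        print(f"request {req}: {kind} (header={header})")
```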

