Radius with LDAP only without EAP
-
Hello,
I have a pfSense 2.3.2 machine with the RADIUS package. Login and group membership work, but only without EAP. I have to set the option:
LDAP Authentication Support: Enable LDAP For Authentication: on
Description: "check plain-text password against the ldap database". Without EAP, many WLAN devices have problems. The LDAP server is "paedml based on UCS@school". When I browse the LDAP with an LDAP browser, I don't see password hashes in the LDAP tree. Maybe this is the problem?
My test results:
Login with plaintext password works:
Command: radtest LdapTestUser test12345 10.0.0.2 1812 RadiusSecret
Output:
Sending Access-Request of id 227 to 10.0.0.2 port 1812
    User-Name = "LdapTestUser"
    User-Password = "test12345"
    NAS-IP-Address = 10.0.0.2
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 10.0.0.2 port 1812, id=227, length=20
Command: tail -n 1 /var/log/radius.log
Output:
Thu Jan 26 08:55:52 2017 : Auth: Login OK: [LdapTestUser/test12345] (from client localhost port 1812)
EAP login with plaintext password fails:
Command: radtest -t eap-md5 LdapTestUser test12345 10.0.0.2 1812 RadiusSecret
Output:
Sending Access-Request packet to host 10.0.0.2 port 1812, id=5, length=0
    User-Name = "LdapTestUser"
    User-Password = "test12345"
    NAS-IP-Address = 10.0.0.2
    NAS-Port = 1812
    Message-Authenticator = 0x00
    EAP-Code = Response
    EAP-Type-Identity = 0x70657465722e6d65796572
    EAP-Message = 0x020400100170657465722e6d65796572
Received Access-Challenge packet from host 10.0.0.2 port 1812, id=5, length=80
    EAP-Message = 0x010500160410d0ddf264a93eb1f59fb26602a67bfc76
    Message-Authenticator = 0xd0620682737ba789ea94a10675900ebc
    State = 0xc88ef904c88bfd9a410dd006961d5165
    EAP-Id = 5
    EAP-Code = Request
    EAP-Type-MD5-Challenge = 0x10d0ddf264a93eb1f59fb26602a67bfc76
Sending Access-Request packet to host 10.0.0.2 port 1812, id=6, length=99
    User-Name = "LdapTestUser"
    User-Password = "test12345"
    NAS-IP-Address = 10.0.0.2
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
    EAP-Code = Response
    EAP-Type-MD5-Challenge = 0x10b7622aa9c3063a14109fe31c485e9086
    EAP-Id = 5
    State = 0xc88ef904c88bfd9a410dd006961d5165
    EAP-Message = 0x020500160410b7622aa9c3063a14109fe31c485e9086
Received Access-Reject packet from host 10.0.0.2 port 1812, id=6, length=44
    EAP-Message = 0x04050004
    Message-Authenticator = 0x1a336028fa1abe78c868e2b1318f5a08
    EAP-Id = 5
    EAP-Code = Failure
Login without plaintext password fails:
Command: radtest LdapTestUser test12345 10.0.0.2 1812 RadiusSecret
Output:
Sending Access-Request of id 210 to 10.0.0.2 port 1812
    User-Name = "LdapTestUser"
    User-Password = "test12345"
    NAS-IP-Address = 10.0.0.2
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 10.0.0.2 port 1812, id=210, length=20
Command: tail -n 1 /var/log/radius.log
Output:
Thu Jan 26 08:58:15 2017 : Auth: Login incorrect: [LdapTestUser/test12345] (from client localhost port 1812)
EAP login without plaintext password fails:
Command: radtest -t eap-md5 LdapTestUser test12345 10.0.0.2 1812 RadiusSecret
Output:
Sending Access-Request packet to host 10.0.0.2 port 1812, id=41, length=0
    User-Name = "LdapTestUser"
    User-Password = "test12345"
    NAS-IP-Address = 10.0.0.2
    NAS-Port = 1812
    Message-Authenticator = 0x00
    EAP-Code = Response
    EAP-Type-Identity = 0x70657465722e6d65796572
    EAP-Message = 0x022800100170657465722e6d65796572
Received Access-Challenge packet from host 10.0.0.2 port 1812, id=41, length=80
    EAP-Message = 0x01290016041092e69b70515b4c41fd4f5f79deca9900
    Message-Authenticator = 0x47a65388c92c7225c73a07b842f97838
    State = 0xba499b57ba609fa1dee1ebdccb69e99b
    EAP-Id = 41
    EAP-Code = Request
    EAP-Type-MD5-Challenge = 0x1092e69b70515b4c41fd4f5f79deca9900
Sending Access-Request packet to host 10.0.0.2 port 1812, id=42, length=99
    User-Name = "LdapTestUser"
    User-Password = "test12345"
    NAS-IP-Address = 10.0.0.2
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
    EAP-Code = Response
    EAP-Type-MD5-Challenge = 0x101f3425edf2ded1c8af487ed2bc4fd05a
    EAP-Id = 41
    State = 0xba499b57ba609fa1dee1ebdccb69e99b
    EAP-Message = 0x0229001604101f3425edf2ded1c8af487ed2bc4fd05a
Received Access-Reject packet from host 10.0.0.2 port 1812, id=42, length=44
    EAP-Message = 0x04290004
    Message-Authenticator = 0xbd863e4fb16e2495681ca562d65fff14
    EAP-Id = 41
    EAP-Code = Failure
How can I get authentication with EAP running?
Thank you.
Samuel Schmidt
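The Access-Reject in both EAP-MD5 runs is what a bind-only LDAP backend has to produce: EAP-MD5 is CHAP, so the RADIUS server must itself compute MD5(Identifier || password || challenge), which requires the cleartext password, while a bind against LDAP only answers yes or no. The Python below is an added illustration, not code from the post, pfSense or FreeRADIUS: it decodes the EAP-Message values quoted in the post and runs the server-side check on a constructed challenge.

```python
import hashlib
import secrets

# EAP codes and the MD5-Challenge method type (RFC 3748).
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4

# EAP-Message values copied from the radtest output in the post above.
PAGE_REQUEST_HEX = "0x010500160410d0ddf264a93eb1f59fb26602a67bfc76"
PAGE_RESPONSE_HEX = "0x020500160410b7622aa9c3063a14109fe31c485e9086"

def parse_eap_md5(hex_msg):
    """Return (code, identifier, value); value is the challenge (Request) or digest (Response)."""
    data = bytes.fromhex(hex_msg[2:] if hex_msg.startswith("0x") else hex_msg)
    if len(data) < 6:
        raise ValueError("too short for an EAP MD5-Challenge packet")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data) or data[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = data[5]
    value = data[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated value field")
    return code, ident, value

def md5_response(ident, password, challenge):
    """Client side (CHAP, RFC 1994): MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def server_verify(ident, challenge, response, cleartext_password):
    """Server side: recompute the digest, which is impossible without the cleartext password."""
    # LDAP bind only: the server never holds the password, so a reject is the only outcome.
    if cleartext_password is None:
        return False
    expected = md5_response(ident, cleartext_password, challenge)
    return secrets.compare_digest(expected, response)

if __name__ == "__main__":
    _, req_id, challenge = parse_eap_md5(PAGE_REQUEST_HEX)
    _, _, digest = parse_eap_md5(PAGE_RESPONSE_HEX)
    print(f"EAP id {req_id}: challenge {challenge.hex()}, client digest {digest.hex()}")
    chal = bytes(range(16))  # constructed challenge for a local round trip
    resp = md5_response(req_id, "test12345", chal)
    print("server knows password:", server_verify(req_id, chal, resp, "test12345"))
    print("LDAP bind only:       ", server_verify(req_id, chal, resp, None))
```

Tunnelled methods that deliver the password itself to the server (EAP-TTLS with PAP as the inner method) are the ones that can be checked against such a backend, while EAP-MD5 and MSCHAPv2 need a stored cleartext password or NT hash on the server.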