Netgate Discussion Forum

CP authentication against freeradius fails - password encryption problem?

    factorx, Sep 13, 2007, 1:11 PM (last edited Sep 13, 2007, 1:21 PM)

    Hi,

    I've got a pfsense 1.0.1 box running that I want to use as a Captive Portal for a WLAN subnet. I also have a Freeradius 1.1.6 on an external network that I want to use as the authentication server for the portal.
    We're using this freeradius for 802.1x EAP-TTLS and Cisco-VPN, so it works just fine, at least for those appliances.
    The usernames and passwords that are to be checked by freeradius/CP are stored in LDAP in plaintext.

    So I set up the Captive Portal to use that remote radius server and entered the secret, but if I try to authenticate in that network via CP with 100% correct user credentials, the authentication process fails.

    The freeradius log says:

    Auth: Login incorrect (rlm_ldap: Bind as user failed): [my_username] (from client pfsensebox port 1 cli 00:17:f2:xx:yy:zz)
    

    As I said, the same username/password works fine with all other radius clients, so I'm wondering what's wrong in this case. So I guess freeradius expects a different encryption, or rather a different password authentication protocol. Maybe my freeradius is misconfigured…

    What can I do?

    Here is an excerpt from my radiusd.conf

    modules {
            pap {
                    encryption_scheme = crypt
            }

            chap {
                    authtype = CHAP
            }

            pam {
                    pam_auth = radiusd
            }

            $INCLUDE ${confdir}/eap.conf

            mschap {
                    authtype = MS-CHAP
                    use_mppe = yes
                    require_encryption = yes
            }

            ldap {
                    server = "myldapserver.de"
                    basedn = "mydn"
                    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                    start_tls = no
                    access_attr = "uid"
                    dictionary_mapping = ${raddbdir}/ldap.attrmap
                    ldap_connections_number = 5
                    password_attribute = userPassword
                    timeout = 4
                    timelimit = 3
                    net_timeout = 1
            }
    }       # closing brace of the modules section (missing from the pasted excerpt)

    authorize {
            auth_log
            chap
            mschap
            suffix
            eap
            ldap
            files
            daily
            pap
    }

    authenticate {
            Auth-Type PAP {
                    pap
            }
            Auth-Type CHAP {
                    chap
            }
            Auth-Type MS-CHAP {
                    mschap
            }
            Auth-Type LDAP {
                    ldap
            }
            eap
    }

      factorx, Sep 14, 2007, 7:47 AM (last edited Sep 14, 2007, 7:50 AM)

      I just made a dump of the debugging output from radiusd -x and marked the probably relevant lines.
      Note that "?+@¬ÇÀcV?Ð?^w_?Ý" is actually not my password, but it's what freeradius expects it to be, since the CP sends something like that.

      rad_recv: Access-Request packet from host 111.222.333.444:56974, id=231, length=131
              NAS-IP-Address = 111.222.333.444
              NAS-Identifier = "pfsense.local"
              User-Name = "my_username"
              User-Password = "\022+@\254\307\300cV\003\320\031^w_\025\335"
              Service-Type = Login-User
              NAS-Port-Type = Ethernet
              NAS-Port = 1
              Framed-IP-Address = 192.168.23.200
              Called-Station-Id = "00:01:02:xx:yy:zz"
              Calling-Station-Id = "00:17:f2:xx:yy:zz"
      rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
      rlm_ldap: - authorize
      rlm_ldap: performing user authorization for my_username
      rlm_ldap: ldap_get_conn: Checking Id: 0
      rlm_ldap: ldap_get_conn: Got Id: 0
      rlm_ldap: (re)connect to ldapserver.mydomain.de:389, authentication 0
      rlm_ldap: bind as / to ldapserver.mydomain.de:389
      rlm_ldap: waiting for bind result …
      rlm_ldap: Bind was successful
      rlm_ldap: checking if remote access for my_username is allowed by uid
      rlm_ldap: looking for check items in directory...
      rlm_ldap: Adding uid as User-Name, value my_username & op=21
      rlm_ldap: looking for reply items in directory...
      rlm_ldap: Setting Auth-Type = ldap
      rlm_ldap: user my_username authorized to use remote access
      rlm_ldap: ldap_release_conn: Release Id: 0
      rlm_ldap: - authenticate
      rlm_ldap: login attempt by "my_username" with password "?+@¬ÇÀcV?Ð?^w_?Ý"
      rlm_ldap: user DN: uid=my_username,ou=People,...
      rlm_ldap: (re)connect to ldapserver.mydomain.de:389, authentication 1
      rlm_ldap: bind as uid=my_username,ou=People,…/?+@¬ÇÀcV?Ð?^w_?Ý to ldapserver.mydomain.de:389
      rlm_ldap: waiting for bind result ...
      rlm_ldap: Bind failed with invalid credentials

      Login incorrect (rlm_ldap: Bind as user failed): [my_username] (from client pfsensebox port 1 cli 00:17:f2:xx:yy:zz)
      rad_recv: Access-Request packet from host 111.222.333.444:56974, id=231, length=131
      Sending Access-Reject of id 231 to 111.222.333.444 port 56974

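The User-Password line in the debug dump above is printed after FreeRADIUS has already undone the RFC 2865 password hiding with the shared secret from its clients.conf entry for pfSense, so control and high bytes where a typed password should be are the classic symptom of a shared-secret mismatch between the two sides (the User-Name is not hidden, which is why it survives intact). The following is an added example, not code from the thread, pfSense or FreeRADIUS: it implements the RFC 2865 User-Password transform, decodes a constructed packet with the right and a wrong secret, and applies a printable-bytes check to the exact bytes from the dump. The secret, authenticator and password values are constructed.

```python
import hashlib

# Added example: RFC 2865 section 5.2 User-Password hiding, the transform that
# FreeRADIUS reverses before printing "User-Password = ..." in debug output.
# All secrets, authenticators and passwords below are constructed values.

def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, decode: bool) -> bytes:
    """XOR each 16-byte block with MD5(secret + previous block). The first
    'previous block' is the 16-byte Request Authenticator; afterwards it is the
    hidden block (the one just produced when hiding, the one just read when
    revealing)."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decode else result
    return bytes(out)

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 octets (at least one block), then hide."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    return _xor_chain(padded, secret, authenticator, decode=False)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Undo hide_password and strip the NUL padding, as the server does."""
    return _xor_chain(hidden, secret, authenticator, decode=True).rstrip(b"\x00")

def looks_like_secret_mismatch(revealed: bytes) -> bool:
    """A PAP password typed into the captive-portal form is printable ASCII;
    control or high bytes after unhiding mean the server used a different
    shared secret than the client did."""
    return any(b < 0x20 or b > 0x7E for b in revealed)

# The User-Password bytes exactly as FreeRADIUS printed them in the thread's
# debug dump (octal escapes as in the output): a single 16-byte block.
LOG_PASSWORD = b"\022+@\254\307\300cV\003\320\031^w_\025\335"

if __name__ == "__main__":
    authenticator = bytes(range(16))          # constructed Request Authenticator
    on_the_wire = hide_password(b"correct-horse", b"pfsense-secret", authenticator)
    print(reveal_password(on_the_wire, b"pfsense-secret", authenticator))   # b'correct-horse'
    print(reveal_password(on_the_wire, b"wrong-secret", authenticator))     # unreadable bytes
    print(looks_like_secret_mismatch(LOG_PASSWORD))                         # True
```

Checking both ends against this transform is a defender's test only: with the correct secret the server prints the plaintext, so the fix is to make the secret in the pfSense captive-portal RADIUS settings and in the server's client entry identical, not to weaken the module chain.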
        pierotr, Sep 20, 2007, 1:44 PM

        I have the same problem. I have a freeradius server which authenticates users from Active Directory using EAP-TLS authentication. I want to configure the pfSense captive portal to authenticate against the Freeradius server, but user authentication fails.
        I think the problem is that the captive portal misses EAP-TLS authentication.
        Is there any configuration?
