Plain password issue on FreeRADIUS?



  • Hi,

    I'm trying to auth EAP (using an access point) to a FreeIPA LDAP server
    using FreeRADIUS.

    I get the following error when I use PEAP and CHAPv2

    How can I make sure the passwords are not sent in plaintext as I think
    that is my issue.

    Executing section authorize from file

    /usr/local/etc/raddb/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] No '@' in User-Name = "username", skipping NULL due to config.
    ++[suffix] = noop
    [ntdomain] No '' in User-Name = "username", skipping NULL due to config.
    ++[ntdomain] = noop
    [eap] EAP packet type response id 42 length 73
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] = updated
    ++[files] = noop
    ++policy redundant {
    [ldap] performing user authorization for username
    [ldap]  expand: %{Stripped-User-Name} ->
    [ldap]  … expanding second conditional
    [ldap]  expand: %{User-Name} -> username
    [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=username)
    [ldap]  expand: cn=users,cn=accounts,dc=domain,dc=local ->
    cn=users,cn=accounts,dc=domain,dc=local
      [ldap] ldap_get_conn: Checking Id: 0
      [ldap] ldap_get_conn: Got Id: 0
      [ldap] performing search in cn=users,cn=accounts,dc=domain,dc=local,
    with filter (uid=username)
    [ldap] looking for check items in directory…
    [ldap] looking for reply items in directory…
    WARNING: No "known good" password was found in LDAP.  Are you sure
    that the user is configured correctly?
      [ldap] ldap_release_conn: Release Id: 0
    +++[ldap] = ok
    ++} # policy redundant = ok
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[daily] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[weekly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[monthly] = noop
    rlm_counter: Entering module authorize code
    rlm_counter: Could not find Check item value pair
    ++[forever] = noop
    rlm_checkval: Item Name: Calling-Station-Id, Value: A4-07-G9-2E-41-D5
    rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
    ++[checkval] = notfound
    ++[expiration] = noop
    ++[logintime] = noop
    [pap] WARNING! No "known good" password found for the user.
    Authentication may fail because of this.
    ++[pap] = noop
    +} # group authorize = updated
    Found Auth-Type = EAP

    Thanks



  • I thought you could only do PAP with LDAP? Does authentication work with radtest?
    @YamakasY:

    Hi,

    I'm trying to auth EAP (using an access point) to a FreeIPA LDAP server
    using FreeRADIUS.



  • As far as I know there is only PEAP in RADIUS and MSCHAP should be working natively with Windows.

    Or am I doing something wrong?

    Auth works, just from using EAP from my AP.

    It's also a Windows thing; Android comes further but also doesn't auth right at the end.



  • Anyone have some clue here?

    I'm trying to use EAP on my access point with pfSense RADIUS.



  • I'll repeat: doing some more research, you'll likely find that you can only do PAP with LDAP.



  • @thermo:

    I'll repeat: doing some more research, you'll likely find that you can only do PAP with LDAP.

    Yes, true, because of the plain password.

    BUT, how am I going to auth my wifi (EAP) against this whole thing then?
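
The "only PAP with LDAP" answer in this thread, and the "No known good password" warning in the first post's debug output, both come down to which password attribute the directory hands FreeRADIUS for the user. As an added example (not code from the original posts, from FreeRADIUS or from FreeIPA), the Python below models that decision: it parses RFC 2307-style userPassword values, verifies a PAP candidate against an {SSHA} hash the way a PAP module has to (it needs the candidate in clear and can derive nothing else from the hash), and reports which inner methods could be verified for each of four constructed entries. The user entries, salts, passwords and NT hash bytes are constructed for illustration; the mapping onto FreeRADIUS control attributes reflects rlm_mschap needing Cleartext-Password or NT-Password and rlm_pap accepting those plus hashed schemes, and the attribute names are used as labels rather than a promise about any particular FreeRADIUS version's rlm_ldap configuration.

```python
import base64
import hashlib
import hmac

# userPassword {scheme} headers a PAP module can check a cleartext candidate against.
HASHED_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT"}
# Directory attributes that carry an NT (MD4 of UTF-16LE) hash usable for MS-CHAPv2.
NT_HASH_ATTRS = ("ipaNTHash", "sambaNTPassword")


def make_ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} value: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_header(value: str):
    """Split a userPassword value into (SCHEME, payload); bare values are CLEAR."""
    if value.startswith("{") and "}" in value:
        scheme, payload = value[1:].split("}", 1)
        return scheme.upper(), payload
    return "CLEAR", value


def verify_ssha(value: str, candidate: str) -> bool:
    """PAP against an {SSHA} hash: recompute the digest from the cleartext candidate.
    This is all a salted hash allows; an MS-CHAPv2 response cannot be checked with it."""
    scheme, payload = split_header(value)
    if scheme != "SSHA":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def control_attributes(entry: dict) -> dict:
    """The 'known good' password attributes the LDAP lookup would yield for an entry.
    An empty dict is the situation behind the 'No "known good" password' warning."""
    found = {}
    for attr in NT_HASH_ATTRS:
        if attr in entry:
            found["NT-Password"] = entry[attr].hex()  # 16 raw bytes, shown as hex
    value = entry.get("userPassword")
    if value is not None:
        scheme, payload = split_header(value)
        if scheme == "CLEAR":
            found["Cleartext-Password"] = payload
        elif scheme in HASHED_SCHEMES:
            found[scheme + "-Password"] = payload
    return found


def inner_methods(entry: dict) -> set:
    """Inner authentication methods the server could verify with those attributes."""
    methods = set()
    for attr in control_attributes(entry):
        if attr == "Cleartext-Password":
            methods |= {"PAP", "CHAP", "MS-CHAPv2"}
        elif attr == "NT-Password":
            methods |= {"PAP", "MS-CHAPv2"}  # PAP candidate can be MD4-hashed and compared
        else:
            methods.add("PAP")  # salted/unsalted hash: cleartext candidate only
    return methods


# Constructed sample entries (values invented for this example).
SAMPLE_ENTRIES = {
    # FreeIPA-style default: salted SHA-1 userPassword and no NT hash.
    "alice": {"uid": "alice",
              "userPassword": make_ssha("correct horse battery staple", b"\xde\xad\xbe\xef")},
    # Same kind of entry once an NT hash attribute is populated (16 constructed bytes).
    "bob": {"uid": "bob",
            "userPassword": make_ssha("hunter2", b"\x01\x02\x03\x04"),
            "ipaNTHash": bytes(range(16))},
    # Cleartext userPassword (not a FreeIPA default).
    "carol": {"uid": "carol", "userPassword": "s3cret"},
    # Entry found, but no password attribute returned (none set, or hidden by an ACI).
    "dave": {"uid": "dave"},
}

if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        print(f"{name:6s} control={sorted(control_attributes(entry))} "
              f"inner={sorted(inner_methods(entry))}")
```

Running it prints an empty method set for the entry without a password attribute, which is the case the first post's log describes: the search found the user, but nothing came back that any authentication module could verify a PEAP inner exchange against. Against a real directory the same question is answered by an ldapsearch for the user's userPassword and ipaNTHash attributes, bound as the account FreeRADIUS itself uses rather than anonymously: FreeIPA typically does not expose userPassword to unprivileged binds, and ipaNTHash is only present when FreeIPA has been configured to generate it, so a search that returns the entry but neither attribute reproduces exactly this warning.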