Netgate Discussion Forum
    Plain password issue on Freeradius ?

    pfSense Packages
    6 Posts 2 Posters 2.6k Views
      YamakasY

      Hi,

      I'm trying to auth EAP (using an access point) to a FreeIPA LDAP server
      using FreeRADIUS.

      I get the following error when I use PEAP and CHAPv2

      How can I make sure the passwords are not sent in plaintext, as I think
      that is my issue?

      Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
      +group authorize {
      ++[preprocess] = ok
      ++[chap] = noop
      ++[mschap] = noop
      ++[digest] = noop
      [suffix] No '@' in User-Name = "username", skipping NULL due to config.
      ++[suffix] = noop
      [ntdomain] No '' in User-Name = "username", skipping NULL due to config.
      ++[ntdomain] = noop
      [eap] EAP packet type response id 42 length 73
      [eap] No EAP Start, assuming it's an on-going EAP conversation
      ++[eap] = updated
      ++[files] = noop
      ++policy redundant {
      [ldap] performing user authorization for username
      [ldap]  expand: %{Stripped-User-Name} ->
      [ldap]  … expanding second conditional
      [ldap]  expand: %{User-Name} -> username
      [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=username)
      [ldap]  expand: cn=users,cn=accounts,dc=domain,dc=local ->
      cn=users,cn=accounts,dc=domain,dc=local
        [ldap] ldap_get_conn: Checking Id: 0
        [ldap] ldap_get_conn: Got Id: 0
        [ldap] performing search in cn=users,cn=accounts,dc=domain,dc=local,
      with filter (uid=username)
      [ldap] looking for check items in directory…
      [ldap] looking for reply items in directory…
      WARNING: No "known good" password was found in LDAP.  Are you sure
      that the user is configured correctly?
        [ldap] ldap_release_conn: Release Id: 0
      +++[ldap] = ok
      ++} # policy redundant = ok
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[daily] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[weekly] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[monthly] = noop
      rlm_counter: Entering module authorize code
      rlm_counter: Could not find Check item value pair
      ++[forever] = noop
      rlm_checkval: Item Name: Calling-Station-Id, Value: A4-07-G9-2E-41-D5
      rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
      ++[checkval] = notfound
      ++[expiration] = noop
      ++[logintime] = noop
      [pap] WARNING! No "known good" password found for the user.
      Authentication may fail because of this.
      ++[pap] = noop
      +} # group authorize = updated
      Found Auth-Type = EAP

      Thanks

        thermo

        I thought you could only do PAP with LDAP?
        Does authentication work with radtest?
        @YamakasY: [quotes the original post in full]

          YamakasY

          As far as I know there is only PEAP in RADIUS, and MSCHAP should be working natively with Windows.

          Or am I doing something wrong?

          Auth works, just from using eap from my AP.

          It's also a Windows thing; Android comes further but also doesn't auth right at the end.

            YamakasY

            Anyone have some clue here?

            I'm trying to use EAP on my access point with pfSense RADIUS.

              thermo

              I'll repeat: doing some more research, you'll likely find that you can only do PAP with LDAP.

                YamakasY

                @thermo:

                I'll repeat: doing some more research, you'll likely find that you can only do PAP with LDAP.

                Yes, true, because of the plain password.

                BUT, how am I going to auth my wifi (EAP) against this whole thing then?

                1 Reply Last reply Reply Quote 0
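The trace in the first post ends in "Found Auth-Type = EAP" right after rlm_ldap warns that no "known good" password was found, and thermo's replies point at the reason: with bind-only LDAP the server can verify a PAP password (it simply binds as the user), but the MSCHAPv2 inside PEAP is challenge/response, so the server has to compute the expected response from the password or its NT hash, which the directory never hands over. The script below is an added example for this thread, not FreeRADIUS or pfSense code and not the poster's; it parses the quoted radiusd -X authorize section and prints that diagnosis. It assumes the trace format shown above (module names, "++[module] = rc" return-code lines and the warning strings are copied from the posted output), and it uses FreeRADIUS's standard Auth-Type names (EAP, MSCHAP, CHAP, PAP, LDAP); the sample trace is the poster's output trimmed to the relevant lines.

```python
"""Diagnose a FreeRADIUS 2.x debug trace for the "no known good password" case.

Added example for this thread, not FreeRADIUS or pfSense code. It assumes the
radiusd -X trace format quoted in the thread; module names and warning strings
are copied from that trace.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the poster's authorize section, trimmed to the lines
# that matter for the diagnosis.
SAMPLE_TRACE = """\
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
[eap] EAP packet type response id 42 length 73
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++policy redundant {
[ldap] performing user authorization for username
[ldap] looking for check items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?
+++[ldap] = ok
++} # policy redundant = ok
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
"""

# "++[module] = rc" lines; the leading '+' nesting prefix is ignored.
MODULE_RC = re.compile(r"^\+*\[(?P<module>[\w-]+)\]\s*=\s*(?P<rc>\w+)$")
AUTH_TYPE = re.compile(r"^Found Auth-Type\s*=\s*(?P<auth>\S+)$")
NO_KNOWN_GOOD = re.compile(r'No "known good" password')

# Challenge/response methods: the server must hold the password (or its NT
# hash) to compute the expected response. In this thread EAP is PEAP/MSCHAPv2.
NEEDS_KNOWN_GOOD = {"MSCHAP", "CHAP", "EAP"}
# Methods verifiable by binding to the directory with the supplied password.
# rlm_ldap sets Auth-Type LDAP itself when it can only bind (FreeRADIUS 2.x).
BIND_VERIFIABLE = {"PAP", "LDAP"}


@dataclass
class Diagnosis:
    auth_type: Optional[str] = None
    module_rc: Dict[str, str] = field(default_factory=dict)
    known_good_missing: bool = False
    findings: List[str] = field(default_factory=list)


def parse_trace(text: str) -> Diagnosis:
    """Collect per-module return codes, the chosen Auth-Type and the warning."""
    d = Diagnosis()
    for raw in text.splitlines():
        line = raw.strip()
        m = MODULE_RC.match(line)
        if m:
            d.module_rc[m["module"]] = m["rc"]
            continue
        m = AUTH_TYPE.match(line)
        if m:
            d.auth_type = m["auth"]
            continue
        if NO_KNOWN_GOOD.search(line):
            d.known_good_missing = True
    return d


def diagnose(text: str) -> Diagnosis:
    """Explain whether the chosen Auth-Type can work against bind-only LDAP."""
    d = parse_trace(text)
    user_found = d.module_rc.get("ldap") == "ok"
    if d.known_good_missing and user_found:
        d.findings.append(
            "ldap found the user but returned no Cleartext-Password/NT-Password "
            "check item: the directory only allows a bind, not a password read")
    if d.auth_type in NEEDS_KNOWN_GOOD and d.known_good_missing:
        d.findings.append(
            f"Auth-Type {d.auth_type} is challenge/response: the server must "
            "compute the expected response from the known-good password, so "
            "binding to LDAP with the user's password cannot verify it")
    if d.auth_type in BIND_VERIFIABLE and d.known_good_missing and user_found:
        d.findings.append(
            f"Auth-Type {d.auth_type} can still succeed: the supplied password "
            "is checked by binding to LDAP as the user")
    return d


if __name__ == "__main__":
    result = diagnose(SAMPLE_TRACE)
    print("Auth-Type:", result.auth_type)
    for finding in result.findings:
        print("-", finding)
```

Run it as-is to see the two findings for the posted trace; feed it your own radiusd -X output to check whether the ldap module ever supplies a known-good password. The practical consequence, as general FreeRADIUS behaviour rather than anything the thread states: an inner method that is verified by bind (PAP, or EAP-TTLS with PAP inside) works against such a directory, whereas PEAP/MSCHAPv2 only works if the server can read the password or its NT hash from the directory.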
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.