Plain password issue on Freeradius ?

YamakasY

Hi,

I'm trying to auth EAP (Using a Accesspoint) to an FreeIPA ldap server
using Freeradius.

I get the following error when I use PEAP and CHAPv2

How can I make sure the passwords are not sent in plaintext as I think
that is my issue.

Executing section authorize from file

/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "username", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '' in User-Name = "username", skipping NULL due to config.
++[ntdomain] = noop
[eap] EAP packet type response id 42 length 73
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++policy redundant {
[ldap] performing user authorization for username
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  … expanding second conditional
[ldap]  expand: %{User-Name} -> username
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=username)
[ldap]  expand: cn=users,cn=accounts,dc=domain,dc=local ->
cn=users,cn=accounts,dc=domain,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=users,cn=accounts,dc=domain,dc=local,
with filter (uid=username)
[ldap] looking for check items in directory…
[ldap] looking for reply items in directory…
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?
  [ldap] ldap_release_conn: Release Id: 0
+++[ldap] = ok
++} # policy redundant = ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] = noop
rlm_checkval: Item Name: Calling-Station-Id, Value: A4-07-G9-2E-41-D5
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP

Thanks

thermo

I thought you could only do pap with ldap?
does authentication work with radtest?
@YamakasY:

Hi,

I'm trying to auth EAP (Using a Accesspoint) to an FreeIPA ldap server
using Freeradius.

I get the following error when I use PEAP and CHAPv2

How can I make sure the passwords are not sent in plaintext as I think
that is my issue.

Executing section authorize from file

/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "username", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '' in User-Name = "username", skipping NULL due to config.
++[ntdomain] = noop
[eap] EAP packet type response id 42 length 73
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++policy redundant {
[ldap] performing user authorization for username
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  … expanding second conditional
[ldap]  expand: %{User-Name} -> username
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=username)
[ldap]  expand: cn=users,cn=accounts,dc=domain,dc=local ->
cn=users,cn=accounts,dc=domain,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=users,cn=accounts,dc=domain,dc=local,
with filter (uid=username)
[ldap] looking for check items in directory…
[ldap] looking for reply items in directory…
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?
  [ldap] ldap_release_conn: Release Id: 0
+++[ldap] = ok
++} # policy redundant = ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] = noop
rlm_checkval: Item Name: Calling-Station-Id, Value: A4-07-G9-2E-41-D5
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP

Thanks

YamakasY

As far is I know there is only PEAP in Radius and Mchap should be working native with windows.

Or am I doing something wrong ?

Auth works, just from using eap from my AP.

It's also a windows thing, android comes futher but also doesn't auth right @ the end.

YamakasY

Anyone some clue here ?

I'm trying to use EAP on my accesspoint with pfsense radius

thermo

Ill repeat, Doing some more research. You'll likely find that you can only do pap with ldap.

YamakasY

@thermo:

Ill repeat, Doing some more research. You'll likely find that you can only do pap with ldap.

Yes true, because of the plain password.

BUT, how am I'm going to auto my wifi (eap) against this whole thing than ?