Forum Linux.debian/ubuntu: FreeRADIUS/LDAP authentication problem

Posted by . Licence CC by-sa. 22 March 2016

Hello everyone,

I installed FreeRADIUS (version 2.2.5+dfsg-0.2) on my Debian 8.3 and I'm trying to authenticate a user against an LDAP directory over 802.1X.

When I run the service with freeradius -X, here is the output of my authentication attempt:

rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111, length=48
Sending duplicate reply to client localhost port 44928 - ID: 111
Sending Access-Reject of id 111 to 127.0.0.1 port 44928
Waking up in 2.9 seconds.
Cleaning up request 2 ID 111 with timestamp +114
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111, length=48
    User-Name = "toto"
    User-Password = \325\354R\010\r\035\303b\230Fo8đ"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[mschap] = noop
[suffix] No '@' in User-Name = "toto", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
++group  {
[ldap_1] performing user authorization for toto
[ldap_1]    expand: %{Stripped-User-Name} -> 
[ldap_1]    ... expanding second conditional
[ldap_1]    expand: %{User-Name} -> toto
[ldap_1]    expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=toto)
[ldap_1]    expand: ou=Users,dc=XXXX,dc=fr -> ou=Users,dc=XXXX,dc=fr
  [ldap_1] ldap_get_conn: Checking Id: 0
  [ldap_1] ldap_get_conn: Got Id: 0
  [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter (uid=toto)
[ldap_1] checking if remote access for toto is allowed by uid
[ldap_1] No default NMAS login sequence
[ldap_1] looking for check items in directory...
  [ldap_1] sambaNtPassword -> NT-Password == 0x3344424445363937443731363930413736393230344245423132323833363738
  [ldap_1] sambaLmPassword -> LM-Password == 0x4343463931353545334537444234353341414433423433354235313430344545
  [ldap_1] userPassword -> Cleartext-Password == "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
  [ldap_1] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
  [ldap_1] sambaNtPassword -> NT-Password == 0x3344424445363937443731363930413736393230344245423132323833363738
  [ldap_1] sambaLmPassword -> LM-Password == 0x4343463931353545334537444234353341414433423433354235313430344545
[ldap_1] looking for reply items in directory...
[ldap_1] user toto authorized to use remote access
  [ldap_1] ldap_release_conn: Release Id: 0
+++[ldap_1] = ok
++} # group  = ok
++[expiration] = noop
++[logintime] = noop
+} # group authorize = ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.
  WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
} # server inner-tunnel
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> toto
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 111 to 127.0.0.1 port 44928
Waking up in 4.9 seconds.
Cleaning up request 3 ID 111 with timestamp +120
Ready to process requests.

The password entered is correct and I don't understand where these errors come from:

WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.
  WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!

Thanks in advance for your feedback.

Ben

  • # Details

    Posted by (personal page) . Rated 3.

    Would be welcome?

    authentication type? …

    From memory there is a radtest binary or something like that.

    System - Network - Security Open Source

    • [^] # Re: Details

      Posted by . Rated 1.

      Would be welcome?

      I don't understand the question.

      authentication type?

      LDAP

      From memory there is a radtest binary or something like that.

      Here is the command I ran: radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"
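Added example, not part of the thread and not FreeRADIUS code: the line "WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!" in the freeradius -X output above, together with the radtest invocation (port 18120, shared secret "clientpassword"), points at the RADIUS password-hiding scheme of RFC 2865 section 5.2, which both radtest and the server implement. The User-Password attribute is not protected with the user's own password; each 16-octet block is XORed with MD5(shared secret + previous block), the first block using the 16-octet Request Authenticator. When the secret configured for that client on the server side differs from the one given to radtest, the server decodes random-looking bytes, which is exactly what a User-Password line full of octal escapes shows, and the comparison with the LDAP "known good" password then fails even though the user typed the right password. The Python below re-implements the hide/reveal step to make that visible; the authenticator and both secrets are constructed values ("testing123" is only a stand-in for whatever the server has configured, not something taken from the thread).

```python
# Added illustration of RFC 2865 section 5.2 User-Password hiding (not FreeRADIUS code).
# Shows why a shared-secret mismatch between a NAS/radtest and the server surfaces as
# "Unprintable characters in the password" rather than as a plain wrong-password failure.
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a cleartext password the way a NAS (or radtest) does.

    The password is NUL-padded to a multiple of 16 octets (at least 16) and each
    16-octet block is XORed with MD5(secret + previous ciphertext block); the first
    block uses the 16-octet Request Authenticator in place of a previous block.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    p = password.encode("utf-8")
    if len(p) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    p += b"\x00" * ((-len(p) % 16) or (16 if not p else 0))
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        c = _xor(p[i:i + 16], hashlib.md5(secret + prev).digest())
        out += c
        prev = c
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Undo the hiding on the server side; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    return out.rstrip(b"\x00")


def freeradius_escape(raw: bytes) -> str:
    """Approximate how freeradius -X prints a string value: printable ASCII as-is,
    a few C-style escapes, and everything else as a three-digit octal escape
    (the same rendering that produced the octal-heavy User-Password line in the log)."""
    specials = {0x0A: "\\n", 0x0D: "\\r", 0x09: "\\t", 0x22: '\\"', 0x5C: "\\\\"}
    out = []
    for b in raw:
        if b in specials:
            out.append(specials[b])
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "".join(out)


def check_password(hidden: bytes, server_secret: bytes, authenticator: bytes, known_good: str) -> str:
    """Server-side verdict: 'match', or which kind of mismatch.

    Unprintable bytes after decoding almost always mean the two sides disagree on
    the shared secret (or the packet was corrupted), not that the user mistyped."""
    decoded = reveal_user_password(hidden, server_secret, authenticator)
    if decoded == known_good.encode("utf-8"):
        return "match"
    if all(0x20 <= b < 0x7F for b in decoded):
        return "mismatch-printable"      # secrets agree, the user typed a wrong password
    return "mismatch-unprintable"        # shared-secret mismatch between client and server


# Constructed demo values: not the thread's real authenticator or server-side secret.
DEMO_AUTHENTICATOR = bytes(range(16))
NAS_SECRET = b"clientpassword"      # the secret radtest was given on the command line
SERVER_SECRET = b"testing123"       # placeholder for the secret the server has in clients.conf

if __name__ == "__main__":
    hidden = hide_user_password("totopassword", NAS_SECRET, DEMO_AUTHENTICATOR)
    seen = reveal_user_password(hidden, SERVER_SECRET, DEMO_AUTHENTICATOR)
    print("server decodes User-Password as:", freeradius_escape(seen))
    print("verdict with mismatched secret:", check_password(hidden, SERVER_SECRET, DEMO_AUTHENTICATOR, "totopassword"))
    print("verdict with matching secret:  ", check_password(hidden, NAS_SECRET, DEMO_AUTHENTICATOR, "totopassword"))
```

Running the script prints the decoded bytes rendered with FreeRADIUS-style octal escapes and a verdict for each secret; the practical check on the server side is to compare the `secret` in clients.conf for the client that sent the request (here 127.0.0.1 on the inner-tunnel listener) with the one passed as the last argument to radtest.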
