Hello everyone,
I installed FreeRADIUS (version 2.2.5+dfsg-0.2) on my Debian 8.3 and I am trying to authenticate a user against an LDAP directory with 802.1X.
When I start the service with freeradius -X, here is the output of my authentication attempt:
rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111, length=48
Sending duplicate reply to client localhost port 44928 - ID: 111
Sending Access-Reject of id 111 to 127.0.0.1 port 44928
Waking up in 2.9 seconds.
Cleaning up request 2 ID 111 with timestamp +114
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111, length=48
User-Name = "toto"
User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[mschap] = noop
[suffix] No '@' in User-Name = "toto", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
++group {
[ldap_1] performing user authorization for toto
[ldap_1] expand: %{Stripped-User-Name} ->
[ldap_1] ... expanding second conditional
[ldap_1] expand: %{User-Name} -> toto
[ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=toto)
[ldap_1] expand: ou=Users,dc=XXXX,dc=fr -> ou=Users,dc=XXXX,dc=fr
[ldap_1] ldap_get_conn: Checking Id: 0
[ldap_1] ldap_get_conn: Got Id: 0
[ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter (uid=toto)
[ldap_1] checking if remote access for toto is allowed by uid
[ldap_1] No default NMAS login sequence
[ldap_1] looking for check items in directory...
[ldap_1] sambaNtPassword -> NT-Password == 0x3344424445363937443731363930413736393230344245423132323833363738
[ldap_1] sambaLmPassword -> LM-Password == 0x4343463931353545334537444234353341414433423433354235313430344545
[ldap_1] userPassword -> Cleartext-Password == "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
[ldap_1] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
[ldap_1] sambaNtPassword -> NT-Password == 0x3344424445363937443731363930413736393230344245423132323833363738
[ldap_1] sambaLmPassword -> LM-Password == 0x4343463931353545334537444234353341414433423433354235313430344545
[ldap_1] looking for reply items in directory...
[ldap_1] user toto authorized to use remote access
[ldap_1] ldap_release_conn: Release Id: 0
+++[ldap_1] = ok
++} # group = ok
++[expiration] = noop
++[logintime] = noop
+} # group authorize = ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
} # server inner-tunnel
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> toto
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 111 to 127.0.0.1 port 44928
Waking up in 4.9 seconds.
Cleaning up request 3 ID 111 with timestamp +120
Ready to process requests.
The password entered is correct and I do not understand where these errors come from:
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Thanks in advance for your feedback.
Ben
# Some details
Posted by nono14 (personal website). Rated 3.
Would be welcome?
Authentication type? …
From memory there is a radtest binary or something like that.
Systems - Networking - Security Open Source - Open to new opportunities
# Re: Some details
Posted by Ben22640. Rated 1.
I do not understand the question.
LDAP
Here is the command I ran: radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"
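As an added illustration that is not part of this thread, the Python script below implements the RFC 2865 User-Password hiding that radtest and FreeRADIUS use on the wire, and shows why a mismatch between the secret given as radtest's last argument and the secret the server has configured for that client turns the password into random, unprintable bytes. That is exactly the condition behind the "Unprintable characters in the password. Double-check the shared secret" warning in the debug output above. The authenticator value, the password, and the candidate secrets are constructed sample inputs (testing123 is only assumed here as the server-side secret, as in the stock clients.conf).

```python
import hashlib

# Constructed 16-byte Request-Authenticator; a real client picks a random one per request.
SAMPLE_AUTHENTICATOR = bytes(range(16))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes,
    then XOR each block with MD5(secret + previous ciphertext block),
    seeded with the Request-Authenticator for the first block."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be exactly 16 bytes")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:  # an empty password is still sent as one all-NUL block
        padded = b"\x00" * 16
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: the server redoes the same keystream with
    ITS secret. Trailing NUL padding is stripped, as the server does."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def is_printable(password: bytes) -> bool:
    """Mirror of the server's sanity check: all bytes printable ASCII."""
    return all(0x20 <= b < 0x7F for b in password)


if __name__ == "__main__":
    hidden = hide_user_password(b"totopassword", b"clientpassword", SAMPLE_AUTHENTICATOR)
    print("right secret:", reveal_user_password(hidden, b"clientpassword", SAMPLE_AUTHENTICATOR))
    print("wrong secret:", reveal_user_password(hidden, b"testing123", SAMPLE_AUTHENTICATOR))
```

When the secrets match, the server recovers "totopassword" and can compare it with the LDAP check items; when they differ, the recovered bytes are keystream garbage, which is why the server reports both a password mismatch and unprintable characters even though the user typed the right password.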