(RADIATOR) Inner auth failed due to "Bad Password" in EAP-TTLS

Terry Simons galimore at mac.com
Wed Mar 17 03:06:45 CST 2004


Are you using Mac OS X Panther by chance?

If you look at the log closely, you'll notice that your client is  
trying to authenticate with TTLS->MSCHAPv2.

LDAP is probably  using encrypted passwords, which will definitely  
fail, since you need the clear-text password to properly execute the  
MSCHAPv2 authentication.

If you *are* using Panther, and you are trying to use TTLS->PAP for  
authentication, you will probably want to look at our Panther  
instructions to avoid this bug:

http://www.laptop.lib.utah.edu/global/dot1x/macosx/panther1x.html

If you're not using Panther, then ignore the comments I made above.  8-)

You'll need to make sure that you either have a clear-text password in  
LDAP, or you need to use something other than CHAP, MSCHAP, MSCHAPv2,  
or MD5-derived authentication types, as these all require a cleartext  
password on the server.  (Unfortunately, this means PEAP too!).

I strongly suggest TTLS->PAP to ensure security for the passwords on  
your server.  :-)

Good luck,

- Terry


On Mar 17, 2004, at 1:02 AM, 양승용 wrote:

> While testing I got the following message from Radiator which says that
> inner auth failed due to "Bad password".
> But I correctly set the username and password both in SUPPLICANT and
> LDAP.
>
> please help
>
> ======================================================================================
>
> Wed Mar 17 16:15:59 2004: DEBUG: Handling with Radius::AuthLDAP2:
> Wed Mar 17 16:15:59 2004: DEBUG: Handling with EAP: code 2, 5, 151
> Wed Mar 17 16:15:59 2004: DEBUG: Response type 21
> Wed Mar 17 16:15:59 2004: DEBUG: EAP TTLS inner authentication request for syyang
> Wed Mar 17 16:15:59 2004: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <206>7<222><220><11><168><163><16>V<164>B<17><236>i\<197>
> Attributes:
>         User-Name = "syyang"
>         MS-CHAP-Challenge = "<232><161><223><252>*<215>j:<222><171><211><130><255><194><185><246>"
>         MS-CHAP2-Response = "<212><0><225>7A<7>(<234>l2<153><150>g<246><250><203><242><22><0><0><0><0><0><0><0><0>@<137><0>_<216><183><187>E<199><171><145>'<223><164>=Db<187><133><139><12>^<12>z"
>
> Wed Mar 17 16:15:59 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Wed Mar 17 16:15:59 2004: DEBUG:  Deleting session for syyang, 172.23.18.110,
> Wed Mar 17 16:15:59 2004: DEBUG: Handling with Radius::AuthLDAP2:
> Wed Mar 17 16:15:59 2004: INFO: Connecting to localhost, port 10389
> Wed Mar 17 16:15:59 2004: INFO: Attempting to bind to LDAP server localhost:10389)
> Wed Mar 17 16:16:00 2004: DEBUG: LDAP got result for uid=syyang,ou=People, o=secui
> Wed Mar 17 16:16:00 2004: DEBUG: LDAP got userPassword: {SHA}3vhhXWO4swZ9hxvhOxgZbuuq60c=
> Wed Mar 17 16:16:00 2004: DEBUG: Radius::AuthLDAP2 looks for match with syyang
> Wed Mar 17 16:16:00 2004: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
> Wed Mar 17 16:16:00 2004: INFO: Connecting to localhost, port 10389
> Wed Mar 17 16:16:00 2004: INFO: Attempting to bind to LDAP server localhost:10389)
> Wed Mar 17 16:16:00 2004: DEBUG: No entries for DEFAULT found in LDAP database
> Wed Mar 17 16:16:00 2004: INFO: Access rejected for syyang: Bad Password
> Wed Mar 17 16:16:00 2004: DEBUG: EAP result: 1, EAP TTLS inner authentication redespatched to a Handler
> Wed Mar 17 16:16:00 2004: INFO: Access rejected for anonymous: EAP TTLS inner authentication redespatched to a Handler
> Wed Mar 17 16:16:00 2004: DEBUG: Packet dump:
> *** Sending to 172.23.18.110 port 1645 ....
> Code:       Access-Reject
> Identifier: 140
> Authentic:  <156><169><141>+<203><160><241><227>Y<1><131>-<25><1><212><250>
> Attributes:
>         EAP-Message = <4><5><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Reply-Message = "Request Denied"
>
> =================================== environment =======================================
>
> supplicant :  odyssey client with id : syyang password : syyang
> AP : cisco aironet : with shared secret "mysecret"
>
> ===================================  configuration file ===============================
>
> <Client 172.23.18.110>
>         Secret  mysecret
>         DupInterval 0
> </Client>
> <Client DEFAULT>
>         Secret  mysecret
>         DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>         <AuthBy LDAP2>
>                 # Tell Radiator how to talk to the LDAP server
>                 Host            localhost
>                 Port            10389
>
>                 # You will only need these if your LDAP server
>                 # requires authentication. These are the examples
>                 # in a default OpenLDAP installation
>                 # see /etc/openldap/slapd.conf
>                 AuthDN          cn=Directory Manager
>                 AuthPassword    directory
>
>                 # This is the top of the search tree where users
>                 # will be found. It should match the configuration
>                 # of your server, see /etc/openldap/slapd.conf
>                 BaseDN          ou=people,o=secui
>
>                 # base, one , sub  ( scope )
>                 Scope           sub
>
>                 # This is the LDAP attribute to match the radius user name
>                 UsernameAttr    uid
>
>                 # If you dont specify ServerChecksPassword, you
>                 # need to tell Radiator which attribute contains
>                 # the password. It can be plaintext or encrypted
>                 PasswordAttr    userPassword
>
>                 EAPType TTLS
>                 EAPTLS_CAFile %D/certificates/ca_cls_sig.cert.pem
>                 EAPTLS_CertificateFile %D/certificates/ca_svr_sig.cert.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/ca_svr_sig.key.pem
>                 EAPTLS_PrivateKeyPassword a123456A
>                 EAPTLS_MaxFragmentSize 1000
>                 SSLeayTrace 3
>         </AuthBy>
> </Realm>
>
> =======================================================================================
> Directory Server SUN ONE directory server 4.1
>
> uid=syyang, ou=people, o =secui
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
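Added example (written for this archive page; not code from the thread or from Radiator) showing why the {SHA} userPassword in the log can be checked for TTLS->PAP but never for TTLS->MSCHAPv2: PAP hands the server the clear text to re-hash and compare, while MS-CHAPv2 verification starts from the NT hash (MD4 of the UTF-16LE password), which cannot be derived from a one-way SHA digest. The sample password and LDAP entry are constructed, and the MD4 is a minimal pure-Python one because hashlib often lacks md4 on current OpenSSL builds.

```python
# Added example (not from the thread or from Radiator): why an LDAP userPassword
# stored as {SHA} can be checked for TTLS->PAP but never for TTLS->MSCHAPv2.
import base64, hashlib, struct

def md4(data: bytes) -> bytes:
    """Minimal RFC 1320 MD4; hashlib often lacks md4 on OpenSSL 3 builds."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # round-3 word order
    for off in range(0, len(data), 64):
        X, (aa, bb, cc, dd) = struct.unpack("<16I", data[off:off + 64]), (a, b, c, d)
        for i in range(48):
            j = i % 16
            if i < 16:
                f, k, s, add = F(b, c, d), j, (3, 7, 11, 19)[j % 4], 0
            elif i < 32:
                f, k, s, add = G(b, c, d), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:
                f, k, s, add = H(b, c, d), r3[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a, b, c, d = d, rol((a + f + X[k] + add) & M, s), b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def verify_pap(stored: str, clear_text: str) -> bool:
    """TTLS->PAP: the clear text arrives inside the tunnel, so the server re-hashes
    it and compares with the {SHA} digest (or compares directly if stored in clear)."""
    if stored.startswith("{SHA}"):
        return hashlib.sha1(clear_text.encode()).digest() == base64.b64decode(stored[5:])
    return stored == clear_text

def nt_hash(clear_text: str) -> bytes:
    """NtPasswordHash (RFC 2759): MD4 over UTF-16LE. MS-CHAPv2 verification
    (also the inner method of PEAP) starts from this value."""
    return md4(clear_text.encode("utf-16-le"))

def mschapv2_secret(stored: str):
    """What the server can derive for MS-CHAPv2 from the LDAP value: the NT hash
    for a clear-text userPassword, nothing for a one-way {SHA} digest, which is
    exactly the 'REJECT: Bad Password' seen in the log above."""
    return None if stored.startswith("{") else nt_hash(stored)

# Constructed sample entry (not the real hash from the thread).
SAMPLE_PW = "sample-pw"
SAMPLE_SHA = "{SHA}" + base64.b64encode(hashlib.sha1(SAMPLE_PW.encode()).digest()).decode()
```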
