(RADIATOR) Inner auth failed due to "Bad Password" in EAP-TTLS

양승용 joshua.yang at samsung.com
Wed Mar 17 18:15:02 CST 2004


Hello Hugh
Yes you are right. I solve the problem

Thanks

Joshua



------- Original Message -------
Sender : Hugh Irvine<hugh at open.com.au> 
Date   : 2004-03-17 18:13
Title  : Re: (RADIATOR) Inner auth failed due to "Bad Password" in EAP-TTLS


Hello Joshua -

You must have cleartext passwords in your LDAP database, not encrypted  
passwords.

regards

Hugh


On 17 Mar 2004, at 19:02, 양승용 wrote:

> While testing I got following message from Radiator which says that  
> inner auth failed due to "Bad password"
> But I corretly set the username and password both in SUPPLICANT and  
> LDAP
>
> please help
>
> ======================================================================= 
> ===============
>
> Wed Mar 17 16:15:59 2004: DEBUG: Handling with Radius::AuthLDAP2:
> Wed Mar 17 16:15:59 2004: DEBUG: Handling with EAP: code 2, 5, 151
> Wed Mar 17 16:15:59 2004: DEBUG: Response type 21
> Wed Mar 17 16:15:59 2004: DEBUG: EAP TTLS inner authentication request  
> for syyan
> g
> Wed Mar 17 16:15:59 2004: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <206>7<222><220><11><168><163><16>V<164>B<17><236>i\<197>
> Attributes:
>         User-Name = "syyang"
>         MS-CHAP-Challenge =  
> "<232><161><223><252>*<215>j:<222><171><211><130><25
> 5><194><185><246>"
>         MS-CHAP2-Response =  
> "<212><0><225>7A<7>(<234>l2<153><150>g<246><250><203
>> <242><22><0><0><0><0><0><0><0><0>@<137><0>_<216><183><187>E<199><171>< 
>> 145>'<223
>> <164>=Db<187><133><139><12>^<12>z"
>
> Wed Mar 17 16:15:59 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Wed Mar 17 16:15:59 2004: DEBUG:  Deleting session for syyang,  
> 172.23.18.110,
> Wed Mar 17 16:15:59 2004: DEBUG: Handling with Radius::AuthLDAP2:
> Wed Mar 17 16:15:59 2004: INFO: Connecting to localhost, port 10389
> Wed Mar 17 16:15:59 2004: INFO: Attempting to bind to LDAP server  
> localhost:1038
> 9)
> Wed Mar 17 16:16:00 2004: DEBUG: LDAP got result for  
> uid=syyang,ou=People, o=sec
> ui
> Wed Mar 17 16:16:00 2004: DEBUG: LDAP got userPassword:  
> {SHA}3vhhXWO4swZ9hxvhOxg
> Zbuuq60c=
> Wed Mar 17 16:16:00 2004: DEBUG: Radius::AuthLDAP2 looks for match  
> with syyang
> Wed Mar 17 16:16:00 2004: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
> Wed Mar 17 16:16:00 2004: INFO: Connecting to localhost, port 10389
> Wed Mar 17 16:16:00 2004: INFO: Attempting to bind to LDAP server  
> localhost:1038
> 9)
> Wed Mar 17 16:16:00 2004: DEBUG: No entries for DEFAULT found in LDAP  
> database
> Wed Mar 17 16:16:00 2004: INFO: Access rejected for syyang: Bad  
> Password
> Wed Mar 17 16:16:00 2004: DEBUG: EAP result: 1, EAP TTLS inner  
> authentication re
> despatched to a Handler
> Wed Mar 17 16:16:00 2004: INFO: Access rejected for anonymous: EAP  
> TTLS inner au
> thentication redespatched to a Handler
> Wed Mar 17 16:16:00 2004: DEBUG: Packet dump:
> *** Sending to 172.23.18.110 port 1645 ....
> Code:       Access-Reject
> Identifier: 140
> Authentic:   
> <156><169><141>+<203><160><241><227>Y<1><131>-<25><1><212><250>
> Attributes:
>         EAP-Message = <4><5><0><4>
>         Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Reply-Message = "Request Denied"
>
> =================================== environment  
> =======================================
>
> supplicant :  odyssey client with id : syyang password : syyang
> AP : cisco aironet : with shared secret "mysecret"
>
> ===================================  configuration file  
> ===============================
>
> <Client 172.23.18.110>
>         Secret  mysecret
>         DupInterval 0
> </Client>
> <Client DEFAULT>
>         Secret  mysecret
>         DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>         <AuthBy LDAP2>
>                 # Tell Radiator how to talk to the LDAP server
>                 Host            localhost
>                 Port            10389
>
>                 # You will only need these if your LDAP server
>                 # requires authentication. These are the examples
>                 # in a default OpenLDAP installation
>                 # see /etc/openldap/slapd.conf
>                 AuthDN          cn=Directory Manager
>                 AuthPassword    directory
>
>                 # This the top of the search tree where users
>                 # will be found. It should match the configuration
>                 # of your server, see /etc/openldap/slapd.conf
>                 BaseDN          ou=people,o=secui
>
>                 # base, one , sub  ( scope )
>                 Scope           sub
>
>                 # This is the LDAP attribute to match the radius user  
> name
>                 UsernameAttr    uid
>
>                 # If you dont specify ServerChecksPassword, you
>                 # need to tell Radiator wjhich attribute contains
>                 # the password. It can be plaintext or encrypted
>                 PasswordAttr    userPassword
>
>                 EAPType TTLS
>                 EAPTLS_CAFile %D/certificates/ca_cls_sig.cert.pem
>                 EAPTLS_CertificateFile  
> %D/certificates/ca_svr_sig.cert.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile  
> %D/certificates/ca_svr_sig.key.pem
>                 EAPTLS_PrivateKeyPassword a123456A
>                 EAPTLS_MaxFragmentSize 1000
>                 SSLeayTrace 3
>         </AuthBy>
> </Realm>
>
> ======================================================================= 
> ================
> Directory Server SUN ONE directory server 4.1
>
> uid=syyang, ou=people, o =secui
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.



--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list