(RADIATOR) 'Bad Password' error on authentication with LDAP (iPlanet)

judy jdba03 at yahoo.com
Thu Nov 18 22:15:02 CST 2004


Hi Hugh, thanks very much for your quick response. 
 
The shared secrets are specified in the file 'etc/radiator/clients' as below:
[system at server1 radiator]$ more clients
# client name           key
#--------------------   --------------------
localhost               testing123
mypcname                testing123
On the testing utility side, I use the key 'testing123' to ping my radius server 'server1' with my ldap uid/passwd. Do you mean I should modify the default setting "Secret mysecret" in the file 'radius.cfg'?
 
At this moment I can only provide you with my recent trace 5 debug result. It seems to us that our Radius had no problem binding to LDAP, and LDAP then looks for a match; but somehow Radius could not process/compare my plaintext passwd with the LDAP encrypted passwd. 

### trace 5 debug log ###
Thu Nov 18 20:01:03 2004: NOTICE: SIGTERM received: stopping
Thu Nov 18 20:02:18 2004: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
Thu Nov 18 20:02:18 2004: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Thu Nov 18 20:02:19 2004: DEBUG: Creating authentication port 0.0.0.0:1645
Thu Nov 18 20:02:19 2004: DEBUG: Creating accounting port 0.0.0.0:1646
Thu Nov 18 20:02:19 2004: NOTICE: Server started: Radiator 3.11 on server1
Thu Nov 18 20:02:52 2004: NOTICE: SIGTERM received: stopping
Thu Nov 18 20:05:29 2004: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
Thu Nov 18 20:05:29 2004: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Thu Nov 18 20:05:29 2004: DEBUG: Creating authentication port 0.0.0.0:1645
Thu Nov 18 20:05:29 2004: DEBUG: Creating accounting port 0.0.0.0:1646
Thu Nov 18 20:05:29 2004: NOTICE: Server started: Radiator 3.11 on server1
Thu Nov 18 20:06:18 2004: DEBUG: Packet dump:
*** Received from 131.249.2.40 port 3622 ....
Packet length = 46
01 00 00 2e 20 20 20 20 20 20 31 31 30 30 38 32
36 33 37 35 01 08 6d 61 74 68 65 77 02 12 d3 f4
6e 98 82 45 9c c3 7a 94 81 4c e0 a3 c0 79
Code: Access-Request
Identifier: 0
Authentic: 1100826375
Attributes:
User-Name = "judy"
User-Password = "<211><244>n<152><130>E<156><195>z<148><129>L<224><163><192>y"
Thu Nov 18 20:06:18 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Nov 18 20:06:18 2004: DEBUG: Deleting session for judy, 131.249.2.40,
Thu Nov 18 20:06:18 2004: DEBUG: Handling with Radius::AuthLDAP2:
Thu Nov 18 20:06:18 2004: INFO: Connecting to ldap, port 123
Thu Nov 18 20:06:18 2004: INFO: Attempting to bind to LDAP server ldap:123)
Thu Nov 18 20:06:18 2004: DEBUG: LDAP got result for uid=judy,ou=People,o=ourcompany,c=US
Thu Nov 18 20:06:18 2004: DEBUG: LDAP got userPassword: {crypt}3xRXXXXxxgcSA
Thu Nov 18 20:06:18 2004: DEBUG: Radius::AuthLDAP2 looks for match with judy
Thu Nov 18 20:06:18 2004: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Thu Nov 18 20:06:18 2004: INFO: Access rejected for judy: Bad Password
Thu Nov 18 20:06:18 2004: DEBUG: Packet dump:
*** Sending to 131.249.2.40 port 3622 ....
Packet length = 36
03 00 00 24 54 8a 20 3d c3 61 99 9f 05 98 8f aa
e9 da 1f ea 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code: Access-Reject
Identifier: 0
Authentic: 1100826375
Attributes:
Reply-Message = "Request Denied"
Thu Nov 18 20:07:47 2004: DEBUG: Packet dump:
*** Received from 131.249.2.40 port 3624 ....
Packet length = 46
01 01 00 2e 20 20 20 20 20 20 31 31 30 30 38 32
36 34 36 35 01 08 6d 61 74 68 65 77 02 12 13 f2
a9 ef b3 e4 4f 49 fd db 32 9b 9f b0 f1 94
Code: Access-Request
Identifier: 1
Authentic: 1100826465
Attributes:
User-Name = "judy"
User-Password = "<19><242><169><239><179><228>OI<253><219>2<155><159><176><241><148>"
Thu Nov 18 20:07:47 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Nov 18 20:07:47 2004: DEBUG: Deleting session for judy, 131.249.2.40,
Thu Nov 18 20:07:47 2004: DEBUG: Handling with Radius::AuthLDAP2:
Thu Nov 18 20:07:47 2004: INFO: Connecting to ldap, port 123
Thu Nov 18 20:07:47 2004: INFO: Attempting to bind to LDAP server ldap:123)
Thu Nov 18 20:07:47 2004: DEBUG: LDAP got result for uid=judy,ou=People,o=ourcompany,c=US
Thu Nov 18 20:07:47 2004: DEBUG: LDAP got userPassword: {crypt}3nRZVX0rYgcSA
Thu Nov 18 20:07:47 2004: DEBUG: Radius::AuthLDAP2 looks for match with judy
Thu Nov 18 20:07:47 2004: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Thu Nov 18 20:07:47 2004: INFO: Access rejected for judy: Bad Password
Thu Nov 18 20:07:47 2004: DEBUG: Packet dump:
*** Sending to 131.249.2.40 port 3624 ....
Packet length = 36
03 01 00 24 35 2a 04 9e 41 b6 45 36 0e a8 39 fa
f9 ea 28 35 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code: Access-Reject
Identifier: 1
Authentic: 1100826465
Attributes:
Reply-Message = "Request Denied"
Thu Nov 18 20:12:41 2004: NOTICE: SIGTERM received: stopping
Thu Nov 18 20:12:50 2004: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
Thu Nov 18 20:12:50 2004: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Thu Nov 18 20:12:50 2004: DEBUG: Creating authentication port 0.0.0.0:1645
Thu Nov 18 20:12:50 2004: DEBUG: Creating accounting port 0.0.0.0:1646
Thu Nov 18 20:12:50 2004: NOTICE: Server started: Radiator 3.11 on server1
Thu Nov 18 20:13:04 2004: DEBUG: Packet dump:
*** Received from 131.249.2.40 port 3625 ....
Packet length = 46
01 02 00 2e 20 20 20 20 20 20 31 31 30 30 38 32
36 37 38 32 01 08 6d 61 74 68 65 77 02 12 29 e2
10 2d 3f 19 6b e0 42 b0 23 75 ec de 66 ca
Code: Access-Request
Identifier: 2
Authentic: 1100826782
Attributes:
User-Name = "judy"
User-Password = ")<226><16>-?<25>k<224>B<176>#u<236><222>f<202>"
Thu Nov 18 20:13:04 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Nov 18 20:13:04 2004: DEBUG: Deleting session for judy, 131.249.2.40,
Thu Nov 18 20:13:04 2004: DEBUG: Handling with Radius::AuthLDAP2:
Thu Nov 18 20:13:04 2004: INFO: Connecting to ldap, port 123
Thu Nov 18 20:13:04 2004: INFO: Attempting to bind to LDAP server ldap:123)
Thu Nov 18 20:13:04 2004: DEBUG: LDAP got result for uid=judy,ou=People,o=ourcompany,c=US
Thu Nov 18 20:13:04 2004: DEBUG: LDAP got userPassword: {crypt}3xRxxxxxxxSA
Thu Nov 18 20:13:04 2004: DEBUG: Radius::AuthLDAP2 looks for match with judy
Thu Nov 18 20:13:04 2004: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password
Thu Nov 18 20:13:04 2004: INFO: Access rejected for judy: Bad Encrypted password
Thu Nov 18 20:13:04 2004: DEBUG: Packet dump:
*** Sending to 131.249.2.40 port 3625 ....
Packet length = 36
03 02 00 24 05 20 54 48 35 c4 b6 64 df 53 23 2b
e8 98 62 14 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code: Access-Reject
Identifier: 2
Authentic: 1100826782
Attributes:
Reply-Message = "Request Denied"
Thu Nov 18 20:24:57 2004: NOTICE: SIGTERM received: stopping
Thu Nov 18 20:25:01 2004: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
Thu Nov 18 20:25:01 2004: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Thu Nov 18 20:25:02 2004: DEBUG: Creating authentication port 0.0.0.0:1645
Thu Nov 18 20:25:02 2004: DEBUG: Creating accounting port 0.0.0.0:1646
Thu Nov 18 20:25:02 2004: NOTICE: Server started: Radiator 3.11 on server1
Thu Nov 18 20:25:20 2004: DEBUG: Packet dump:
*** Received from 131.249.2.40 port 3630 ....
Packet length = 46
01 03 00 2e 20 20 20 20 20 20 31 31 30 30 38 32
37 35 31 38 01 08 6d 61 74 68 65 77 02 12 f3 0f
0e 73 66 46 49 ca 31 31 05 7a df c8 0f 04
Code: Access-Request
Identifier: 3
Authentic: 1100827518
Attributes:
User-Name = "judy"
User-Password = "<243><15><14>sfFI<202>11<5>z<223><200><15><4>"
Thu Nov 18 20:25:20 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Nov 18 20:25:20 2004: DEBUG: Deleting session for judy, 131.249.2.40,
Thu Nov 18 20:25:20 2004: DEBUG: Handling with Radius::AuthLDAP2:
Thu Nov 18 20:25:20 2004: INFO: Connecting to ldap, port 123
Thu Nov 18 20:25:20 2004: INFO: Attempting to bind to LDAP server ldap:123)
Thu Nov 18 20:25:20 2004: DEBUG: LDAP got result for uid=judy,ou=People,o=ourcompany,c=US
Thu Nov 18 20:25:20 2004: ERR: There was no password attribute found for judy.
Check your LDAP database.
Thu Nov 18 20:25:20 2004: DEBUG: Radius::AuthLDAP2 looks for match with judy
Thu Nov 18 20:25:20 2004: ERR: Could not load Radius::MSCHAP to check an NT encrypted password: Can't locate Digest/MD4.pm in @INC (@INC contains: . /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 .) at /usr/lib/perl5/site_perl/Radius/MSCHAP.pm line 47, <DATA> line 283.
BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/Radius/MSCHAP.pm line 47, <DATA> line 283.
Compilation failed in require at /usr/lib/perl5/site_perl/Radius/AuthGeneric.pm line 459, <DATA> line 283.
Thu Nov 18 20:25:20 2004: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password
Thu Nov 18 20:25:20 2004: INFO: Access rejected for judy: Bad Encrypted password
Thu Nov 18 20:25:20 2004: DEBUG: Packet dump:
*** Sending to 131.249.2.40 port 3630 ....
Packet length = 36
03 03 00 24 ce 19 b1 aa 05 44 83 34 58 d0 a1 1b
64 96 ba fa 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code: Access-Reject
Identifier: 3
Authentic: 1100827518
Attributes:
Reply-Message = "Request Denied"
Thu Nov 18 20:26:39 2004: NOTICE: SIGTERM received: stopping
Thu Nov 18 20:26:44 2004: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
Thu Nov 18 20:26:44 2004: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Thu Nov 18 20:26:44 2004: DEBUG: Creating authentication port 0.0.0.0:1645
Thu Nov 18 20:26:44 2004: DEBUG: Creating accounting port 0.0.0.0:1646
Thu Nov 18 20:26:44 2004: NOTICE: Server started: Radiator 3.11 on server1

Thanks again,
Judy
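
The following is an added example, not part of Judy's message, Hugh's reply or the Radiator code base. It shows why Hugh's first question is about the shared secret: a PAP client such as NTRadPing hides User-Password per RFC 2865 section 5.2 (XOR with MD5(secret + Request Authenticator), chained per 16-byte block), and the server reverses that with its own secret. When the client was given 'testing123' (the clients file above) but radius.cfg carries "Secret mysecret", the server recovers random bytes, which can never match any stored credential, so the only symptom is "Bad Password", exactly as in the trace. The packet bytes, the authenticator, the username and the password in the block are constructed for the example (the authenticator mimics NTRadPing's space-padded timestamp format seen in the dump); the two secrets are the ones quoted in the thread, and `pap_hide`, `pap_reveal`, `parse_radius` and `server_view` are names chosen here, not Radiator APIs.

```python
"""Added example: RFC 2865 PAP User-Password hiding, and what a RADIUS server
sees when its shared secret differs from the client's.  Not Radiator code."""
import hashlib
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (RFC 2865 s5.2): NUL-pad to 16 bytes, XOR block i with
    MD5(secret + previous block), where block -1 is the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret + prev)))
        out += block
        prev = block
    return bytes(out)


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo pap_hide with the server's secret, strip NUL padding.
    With the wrong secret this still 'succeeds' and returns random bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret + prev)))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(ident: int, authenticator: bytes, username: bytes,
                         password: bytes, secret: bytes) -> bytes:
    """Build the kind of Access-Request a PAP test client sends:
    Code, Identifier, Length, Authenticator, then TLV attributes."""
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username),
                             (ATTR_USER_PASSWORD, pap_hide(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_radius(packet: bytes) -> dict:
    """Parse the RADIUS header and attributes (the layout Radiator's packet dump shows)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def server_view(packet: bytes, server_secret: bytes) -> tuple:
    """What the server would compare against the LDAP userPassword."""
    req = parse_radius(packet)
    username = req["attrs"][ATTR_USER_NAME][0]
    hidden = req["attrs"][ATTR_USER_PASSWORD][0]
    return username, pap_reveal(hidden, server_secret, req["authenticator"])


def is_printable(data: bytes) -> bool:
    return all(0x20 <= b < 0x7F for b in data)


# Constructed sample values (not the bytes from the trace above).
AUTH = b"      1100000000"          # NTRadPing-style: 16 ASCII bytes, space-padded timestamp
USER, PASSWORD = b"judy", b"correct horse"
CLIENT_SECRET = b"testing123"      # what the test tool was given (clients file)
SERVER_SECRET = b"mysecret"        # the Secret in the quoted radius.cfg

PACKET = build_access_request(0, AUTH, USER, PASSWORD, CLIENT_SECRET)

if __name__ == "__main__":
    for label, secret in (("matching secret", CLIENT_SECRET), ("mismatched secret", SERVER_SECRET)):
        name, revealed = server_view(PACKET, secret)
        print(f"{label:18}: user={name!r} password={revealed!r} printable={is_printable(revealed)}")
```

Two practical consequences follow. First, the server cannot distinguish a secret mismatch from a mistyped password, so "Bad Password" on every attempt with a known-good credential is itself the signal to compare the client's secret with the matching `Secret` line in radius.cfg before looking at the LDAP side. Second, a trace that includes packet dumps contains the hidden User-Password bytes; anyone holding the shared secret can run the reversal above on them, which is why the list's request is for the configuration file with no secrets and why a debug trace of a real user's login should not be pasted with the secret in use.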
 
 
Hugh Irvine <hugh at open.com.au> wrote:

Hello Judy -

Could you please send me a trace 4 debug showing the packet dumps and 
the processing?

Have you checked that the shared secrets are correct?

regards

Hugh


On 19 Nov 2004, at 11:36, judy wrote:

> Hi all,
>  
>  
> I installed Radiator 3.11 on a linux (RH9) box and tried to configure 
> it to authenticate users through an LDAP server (iPlanet on a solaris 
> server). We used NTRadPing as the testing tool.
>  
> Initially we could successfully authenticate users from the local user 
> file; then we changed the radius.cfg to test the connection to the LDAP 
> server. But we failed with some problem related to the password (that was 
> plain-text and sent from Radius to the ldap server), no matter whether we 
> configured radius.cfg using 'PasswordAttr' or 
> 'EncryptedPasswordAttr'. Actually, our ldap passwords are in the form 
> {crypt}xxxxxxxxx -- so we're supposed to use 'PasswordAttr' as 
> specified in the reference manual. I checked that the name fields like 
> 'userPassword' match the ones in ldap.
>  
> -------------------------------------
> Errors in Radius's  log file:
> -------------------------------------
> ...
> Thu Nov 18 16:58:31 2004: INFO: Connecting to ldap, port 123
> Thu Nov 18 16:58:31 2004: INFO: Attempting to bind to LDAP server 
> ldap:123)
> Thu Nov 18 16:58:31 2004: INFO: Access rejected for judy: Bad Password
> Thu Nov 18 18:23:24 2004: NOTICE: SIGTERM received: stopping
> Thu Nov 18 18:23:31 2004: NOTICE: Server started: Radiator 3.11 on xxx
> Thu Nov 18 18:23:59 2004: INFO: Connecting to ldap, port 123
> Thu Nov 18 18:23:59 2004: INFO: Attempting to bind to LDAP server 
> ldap:123)
> Thu Nov 18 18:23:59 2004: INFO: Access rejected for judy: Bad 
> Encrypted password
>  
>  
> -----------------------------------------------------------
> info in the access error log file on ldap:
> -----------------------------------------------------------
> showing the failed access records with host and user information
>
>  
> ---------------------
> radius.cfg file:
> ---------------------
> ...
> LogDir          /var/log/radius
> DbDir           /etc/radiator
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace           3
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
>         Secret  mysecret
>         DupInterval 0
> </Client>
> 
> <Realm DEFAULT>
>         <AuthBy LDAP2>
>           AuthDN uid=admin,o=ourcompany,c=US
>           AuthPassword adminpswd
>           BaseDN o=ourcompany, c=US
>           Host ldapsvr
>           NoDefault
>           PasswordAttr userPassword
>           UsernameAttr uid
>           Port 389
>           SearchFilter (&(uid=%{User-Name})(employeeType=CURRENT))
>           Debug 255
>         </AuthBy>
>         # Log accounting to a detail file
>         AcctLogFileName %L/detail
> </Realm>
>
>  
> Thanks for any feedback in advance,
> Judy
>

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive 
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


		