(RADIATOR) Problem with LDAP2 authentication on Radiator-3.17.1-1
Hartmaier Alexander
Alexander.Hartmaier at t-systems.at
Mon Jul 16 11:00:51 CDT 2007
The radius protocol uses a shared key to encrypt only the value of the password field.
I guess this key doesn't match on both the radius client and server!
The radius server can't know that the decrypted password is wrong because there is no checksum.
-Alex
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> Behalf Of Francisco Rodrigo Cortinas Maseda
> Sent: Monday, July 16, 2007 3:02 PM
> To: Radiator list
> Subject: (RADIATOR) Problem with LDAP2 authentication on Radiator-
> 3.17.1-1
>
> Hello,
>
> We are having problems with authentication by the LDAP module; we are seeing
> "Bad Password" all the time, and we have checked that the LDAP server is
> working fine.
>
> We have installed the RPM version of Radiator; we have used the package
> Radiator-3.17.1-1.noarch.rpm.
>
> From here we are having this problem:
>
> 1º We have configured the authby clause to connect to the LDAP
> repository; the clause:
>
> <AuthBy GROUP>
>     Identifier ldap_i2p
>     AuthByPolicy ContinueWhileIgnore
>     <AuthBy LDAP2>
>         Host 10.0.27.60
>         Port 389
>         AuthDN cn=i2p_ldap_write_root, dc=jazzlab, dc=com
>         AuthPassword i2p_ldap_write_pwd
>         BaseDN dc=jazzlab, dc=com
>         UsernameAttr login
>         PasswordAttr password
>         AuthAttrDef sh-srv-profile,Shasta-Service-Profile,reply
>         NoDefault
>         NoDefaultIfFound
>         HoldServerConnection
>         FailureBackoffTime 30
>         Version 3
>         Debug 255
>     </AuthBy>
>     <AuthBy LDAP2>
>         Host 10.0.27.61
>         Port 389
>         AuthDN cn=i2p_ldap_write_root, dc=jazzlab, dc=com
>         AuthPassword i2p_ldap_write_pwd
>         BaseDN dc=jazzlab, dc=com
>         UsernameAttr login
>         PasswordAttr password
>         AuthAttrDef sh-srv-profile,Shasta-Service-Profile,reply
>         NoDefault
>         NoDefaultIfFound
>         HoldServerConnection
>         FailureBackoffTime 30
>         Version 3
>     </AuthBy>
> </AuthBy>
>
> 2º We launch a test with this command:
>
> radpwtst -trace 4 -s 10.0.23.126 -secret radius-2G-local -user teldat2@adsl2g.cli1vpn01@i2p -password teldat2 -auth_port 1812 -noacct -nas_ip_address 10.252.32.42
>
> 3º We see this on the Trace 4 log archive:
>
> *** Received from 10.0.23.126 port 32807 ....
> Code: Access-Request
> Identifier: 253
> Authentic: 1234567890123456
> Attributes:
> User-Name = "teldat2@adsl2g.cli1vpn01@i2p"
> Service-Type = Framed-User
> NAS-IP-Address = 10.252.32.42
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = <140>_<8><130><162><174><20>HU<24>C.<137><169><132>
>
> Mon Jul 16 14:38:13 2007 705184: DEBUG: Handling request with Handler 'Realm=/^adsl2g\.[a-z][a-z][a-z]\wvpn\d\d/i, User-Realm=/i2p$/i'
> Mon Jul 16 14:38:13 2007 705624: DEBUG: Rewrote user name to teldat2@adsl2g.cli1vpn01
> Mon Jul 16 14:38:13 2007 705993: DEBUG: Deleting session for teldat2@adsl2g.cli1vpn01@i2p, 10.252.32.42, 1234
> Mon Jul 16 14:38:13 2007 706239: DEBUG: Handling with Radius::AuthGROUP: ldap_i2p
> Mon Jul 16 14:38:13 2007 706498: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Jul 16 14:38:13 2007 706834: INFO: Connecting to 10.0.27.60:389
> Mon Jul 16 14:38:13 2007 711031: INFO: Attempting to bind to LDAP server 10.0.27.60:389
> Mon Jul 16 14:38:13 2007 892214: DEBUG: LDAP got result for login=teldat2@adsl2g.cli1vpn01,realmId=adsl2g,o=cli1vpn01,dc=jazzlab,dc=com
> Mon Jul 16 14:38:13 2007 892538: DEBUG: LDAP got password: teldat2
> Mon Jul 16 14:38:13 2007 892765: DEBUG: LDAP got sh-srv-profile: Modalidad-2G-2M/640
> Mon Jul 16 14:38:13 2007 893058: DEBUG: Radius::AuthLDAP2 looks for match with teldat2@adsl2g.cli1vpn01 [teldat2@adsl2g.cli1vpn01@i2p]
> Mon Jul 16 14:38:13 2007 893814: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: teldat2@adsl2g.cli1vpn01 [teldat2@adsl2g.cli1vpn01@i2p]
> Mon Jul 16 14:38:13 2007 894065: DEBUG: AuthBy GROUP result: REJECT, Bad Password
> Mon Jul 16 14:38:13 2007 894414: INFO: Access rejected for teldat2@adsl2g.cli1vpn01: Bad Password
> Mon Jul 16 14:38:13 2007 895562: DEBUG: Packet dump:
> *** Sending to 10.0.23.126 port 32807 ....
> Code: Access-Reject
> Identifier: 253
> Authentic: 1234567890123456
> Attributes:
> Tunnel-Server-Endpoint = 1:XXX.XXX.XXX.XXX
> Reply-Message = "Request Denied"
> Tunnel-Type = 1:L2TP
> Tunnel-Client-Auth-ID = 1:I2PADSL2G
> Tunnel-Server-Auth-ID = 1:LNS-I2PADSL2G
> Tunnel-Password = "<1><184>0<19><198>"pE<168><19><230><154><165><247>Ek<255><177><11>"
>
> [root@RAD0MA11 radiator]#
>
> 4º In the password log file we are seeing this:
>
> Mon Jul 16 14:18:49 2007:1184588329:fprc1868:`ÒX{Y¶ˆé
> JŽøôÑ:acc05006:FAIL
>
>
> Can anybody imagine what is happening?
>
> Thanks to all.
>
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
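Added example (not from the list post, nor Radiator's own code): a Python implementation of the RFC 2865 User-Password hiding that Alex describes, showing that the same packet recovered with a mismatched shared secret silently yields garbage, which the server can only report as "Bad Password". The secret and Request Authenticator are the values in the quoted radpwtst command and trace; the wrong secret is a constructed value.

```python
# Added example: RFC 2865 section 5.2 User-Password hiding. The secret and
# authenticator come from the quoted radpwtst command and trace; the wrong
# secret is a constructed value used only to show the failure mode.
import hashlib

def _chunks16(data: bytes):
    return (data[i:i + 16] for i in range(0, len(data), 16))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: pad to a 16-byte multiple (at least 16), then XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for block in _chunks16(padded):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(block, key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream; with the wrong secret this silently yields
    garbage, because nothing in the attribute lets the server check it."""
    out, prev = b"", authenticator
    for block in _chunks16(hidden):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")  # assumes the real password has no trailing NULs

def looks_like_secret_mismatch(recovered: bytes) -> bool:
    """Defender heuristic: non-printable bytes in the recovered password
    almost always mean the client and server secrets differ."""
    return any(b < 0x20 or b > 0x7e for b in recovered)

SECRET = b"radius-2G-local"            # from the radpwtst command above
AUTHENTICATOR = b"1234567890123456"    # "Authentic:" shown in the trace
WRONG_SECRET = b"radius-2G-loca1"      # constructed: one character off

if __name__ == "__main__":
    wire = hide_password(b"teldat2", SECRET, AUTHENTICATOR)
    print(reveal_password(wire, SECRET, AUTHENTICATOR))  # b'teldat2'
    bad = reveal_password(wire, WRONG_SECRET, AUTHENTICATOR)
    print(bad, looks_like_secret_mismatch(bad))          # not b'teldat2', True
```

The password-log line quoted above, with its unprintable bytes in the password column, is exactly what the mismatch heuristic flags.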