Two days ago I updated my ClearOS.
Both OpenLDAP and FreeRadius were updated.
I am not sure if it is an LDAP issue or a Radius issue, but Radius clients are unable to authenticate when using chap or mschap.
Only pap works, and that is it...
It does not make sense that this is an LDAP issue, but I am not much of an expert with either of them.
Before this update, everything worked perfectly.
The LDAP module returns the user, but then this happens:
(0) [ldap] = updated
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: Converted: &control:Password-With-Header -> &control:SHA1-Password
(0) pap: Removing &control:Password-With-Header
(0) pap: Normalizing SHA1-Password from base64 encoding, 28 bytes -> 20 bytes
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = updated
(0) Found Auth-Type = mschap
(0) Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
Responses (9)
Accepted Answer
Many thanks for the detective work! It looks like the default configuration file changed upstream -- here's the git commit:
https://github.com/FreeRADIUS/freeradius-server/commit/712629318a84d15acc7a97a0d1d1d756cfceb88e
Accepted Answer
I think that I have tried to do this, but without luck.
Tried it again, and still without luck.
Tried restarting Radius multiple times, still without luck.
Stopped it, started radiusd -X, and it worked!
After normal service start everything works as it should!
Thanks for getting me back on track!
For anyone else ending up here, the path is:
/etc/raddb/sites-available/default
Accepted Answer
There is /etc/raddb/default
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
    mschap
}
#
# For old names, too.
#
mschap
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
digest
I think in yours there are no lines which I made bold, so just add them there.
Accepted Answer
Well, I just fixed it.
In /etc/raddb/default.rpmnew (which is the old version of /etc/raddb/default) there are these strings
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
    mschap
}
#
# For old names, too.
#
mschap
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
digest
and in /etc/raddb/default there is only
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
    mschap
}
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
digest
So you should make /etc/raddb/default look like it did in this part. Just add the word "mschap" just before "digest"
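An added example, not part of the thread and not ClearOS or FreeRADIUS code: a Python check for the condition behind "Auth-Type sub-section not found" in the debug output, listing which Auth-Type names the `authenticate` section can dispatch to. The function names and the sample text are constructed for illustration; it assumes a bare module name in `authenticate` handles the Auth-Type of the same name, and it compares names case-insensitively.

```python
import re
import sys

# Constructed sample: the authenticate section as it looks after the update,
# without the bare "mschap" entry that served the old Auth-Type name.
UPDATED = """\
authenticate {
    #  MSCHAP authentication.
    Auth-Type MS-CHAP {
        mschap
    }
    #  If you have a Cisco SIP server authenticating against
    #  FreeRADIUS, uncomment the following line, and the 'digest'
    #  line in the 'authorize' section.
    digest
}
"""

def handled_auth_types(conf_text):
    """Return the Auth-Type names the authenticate section can dispatch to."""
    names, depth, in_auth = set(), 0, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if not in_auth:                           # skip until authenticate {
            if re.match(r"authenticate\s*\{$", line):
                in_auth, depth = True, 1
            continue
        sub = re.match(r"Auth-Type\s+(\S+)\s*\{$", line)
        if depth == 1 and sub:
            names.add(sub.group(1).lower())       # Auth-Type NAME { ... }
        elif depth == 1 and re.match(r"[\w.-]+$", line):
            names.add(line.lower())               # assumption: bare module = same-named Auth-Type
        depth += line.count("{") - line.count("}")
        if depth == 0:
            break
    return names

def missing_handlers(conf_text, wanted=("mschap",)):
    """Auth-Type values (as seen in 'Found Auth-Type = ...') with no handler."""
    have = handled_auth_types(conf_text)
    return sorted(w for w in wanted if w.lower() not in have)

if __name__ == "__main__":
    # With a path argument (e.g. the site file named in the thread) check that
    # file; otherwise check the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else UPDATED
    print("unhandled Auth-Type values:", missing_handlers(text) or "none")
```

Running it against the site file after a package update shows whether an Auth-Type value seen in `radiusd -X` output still has a handler before clients start failing.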
Accepted Answer
Samba was one of the things I was suspicious of, since I have issues with mounting samba shares on owncloud also, but this was not a solution.
It may be the LDAP issue, but as I have said, I am not an expert, nor have I investigated in detail.
First impression is that there is a problem with password hash transformation for validation.
Why? I have no clue...
Thanks for your response, anyway.
Accepted Answer
Yesterday Community updated to 7.4 and a couple of issues have appeared. There is an LDAP one which is being investigated and a Samba one. Please can you try the Samba fix as it affects PPTP logins so could be relevant. If it is still an LDAP issue, please post back but the devs may need to find the solution.