URL: https://linuxfr.org/forums/linux-debian-ubuntu/posts/probleme-d-authentification-freeradius-ldap Title: Problème d'authentification Freeradius/LDAP Authors: Ben22640 Date: 2016年03月22日T14:56:41+01:00 License: CC By-SA Tags: freeradius et debian Score: 1 Bonjour à tous, J'ai installé Freeradius (Version: 2.2.5+dfsg-0.2) sur ma Debian 8.3 et j'essaye d'authentifier un utilisateur via un annuaire LDAP en 802.1x. Lorsque je lance le service freeradius -X, voici le retour de ma tentative d'authentification : ```ruby rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111, length=48 Sending duplicate reply to client localhost port 44928 - ID: 111 Sending Access-Reject of id 111 to 127.0.0.1 port 44928 Waking up in 2.9 seconds. Cleaning up request 2 ID 111 with timestamp +114 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111, length=48 User-Name = "toto" User-Password = "Ғ325円354円R010円\r035円303円b230円Fo8đ" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[mschap] = noop [suffix] No '@' in User-Name = "toto", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop ++[files] = noop ++group { [ldap_1] performing user authorization for toto [ldap_1] expand: %{Stripped-User-Name} -> [ldap_1] ... expanding second conditional [ldap_1] expand: %{User-Name} -> toto [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=toto) [ldap_1] expand: ou=Users,dc=XXXX,dc=fr -> ou=Users,dc=XXXX,dc=fr [ldap_1] ldap_get_conn: Checking Id: 0 [ldap_1] ldap_get_conn: Got Id: 0 [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter (uid=toto) [ldap_1] checking if remote access for toto is allowed by uid [ldap_1] No default NMAS login sequence [ldap_1] looking for check items in directory... [ldap_1] sambaNtPassword -> NT-Password == 0x3344424445363937443731363930413736393230344245423132323833363738 [ldap_1] sambaLmPassword -> LM-Password == 0x4343463931353545334537444234353341414433423433354235313430344545 [ldap_1] userPassword -> Cleartext-Password == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap_1] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap_1] sambaNtPassword -> NT-Password == 0x3344424445363937443731363930413736393230344245423132323833363738 [ldap_1] sambaLmPassword -> LM-Password == 0x4343463931353545334537444234353341414433423433354235313430344545 [ldap_1] looking for reply items in directory... [ldap_1] user toto authorized to use remote access [ldap_1] ldap_release_conn: Release Id: 0 +++[ldap_1] = ok ++} # group = ok ++[expiration] = noop ++[logintime] = noop +} # group authorize = ok WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request does NOT match "known good" password. Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! } # server inner-tunnel Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> toto attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 111 to 127.0.0.1 port 44928 Waking up in 4.9 seconds. Cleaning up request 3 ID 111 with timestamp +120 Ready to process requests. ``` Le mot de passe saisi est correct et je ne comprend pas d'où viennent les erreurs : ```ruby WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request does NOT match "known good" password. Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! ``` Merci d'avance pour vos retours. Ben

AltStyle によって変換されたページ (->オリジナル) /