[strongSwan] eap-radius and ssha passwords

Alexey Beketov opt1k2 at mail.ru
Mon Feb 23 05:14:41 CET 2015


>What is the debug output of FreeRADIUS? 
rlm_ldap (ldap): Reserved connection (4)
(3) ldap : expand: "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(uid=test_user1)'
(3) ldap : expand: "cn=users,cn=accounts,dc=local,dc=yopt1k,dc=ru" -> 'cn=users,cn=accounts,dc=local,dc=yopt1k,dc=ru'
(3) ldap : Performing search in 'cn=users,cn=accounts,dc=local,dc=yopt1k,dc=ru' with filter '(uid=test_user1)'
(3) ldap : Waiting for search result...
(3) ldap : User object found at DN "uid=test_user1,cn=users,cn=accounts,dc=local,dc=yopt1k,dc=ru"
(3) ldap : Processing user attributes
(3) ldap : control:Password-With-Header += '{SSHA}CDKDY7QxB6DVDCHBHrEpqTMqsxyD5mJorM2nbQ=='
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Closing connection (1): Too many free connections (4 > 3)
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 129 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 129 seconds
(3) [-ldap] = ok
(3) [expiration] = noop
(3) [logintime] = noop
(3) WARNING: pap : Auth-Type already set. Not setting to PAP
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap : Expiring EAP session with state 0xe22e0a1de22f0e3e
(3) eap : Finished EAP session with state 0xe22e0a1de22f0e3e
(3) eap : Previous EAP request found for state 0xe22e0a1de22f0e3e, released from the list
(3) eap : Peer sent MD5 (4)
(3) eap : EAP MD5 (4)
(3) eap : Calling eap_md5 to process EAP data
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
(3) eap : Failed in EAP select
(3) [eap] = invalid
(3) } # authenticate = invalid
(3) Failed to authenticate the user.
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Post-Auth-Type REJECT {
(3) attr_filter.access_reject : expand: "%{User-Name}" -> 'test_user1'
(3) attr_filter.access_reject : Matched entry DEFAULT at line 11
(3) [attr_filter.access_reject] = updated
(3) eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(3) [eap] = noop
(3) remove_reply_message_if_eap remove_reply_message_if_eap {
(3) ? if (reply:EAP-Message && reply:Reply-Message)
(3) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(3) else else {
(3) [noop] = noop
(3) } # else else = noop
(3) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(3) } # Post-Auth-Type REJECT = updated
(3) Finished request 3.
Waking up in 0.2 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed reject
Sending Access-Reject of id 109 from 10.0.100.249 port 1812 to 10.0.100.8 port 52342
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
>What authentication protocol does MOBIKE use?
MOBIKE is possible only with IKEv2.

>You are aware of the authentication protocol and password storage compatibility matrix?  http://deployingradius.com/documents/protocols/compatibility.html
Yes. After some reading of RFC 3748, it looks like it is impossible to use EAP with SSHA passwords. The EAP methods available in strongSwan do not include cleartext. Thus we have one password in MD5 (or another cipher) and another in SSHA. We can't decrypt them, and we can't compare them.

>Do you do a ldapbind oder ldapsearch?
I'm using:
radiusd: FreeRADIUS Version 3.0.1, for host x86_64-redhat-linux-gnu
There is not a single word about ldapbind in the configuration files.
I tried to use 
set_auth_type = yes
Nothing happens.
Thank you for your help!
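The failure in the debug output above ("Cleartext-Password is required for EAP-MD5 authentication") is a property of the protocol, not a configuration error. The following is an added worked example, not code from the original post, from strongSwan or from FreeRADIUS. It implements both computations involved: the EAP-MD5 response (RFC 3748 reuses CHAP, RFC 1994: MD5 over Identifier, secret and Challenge) and LDAP {SSHA} verification (SHA-1 over password and salt, salt appended). The password and salt used for the demo are constructed; the {SSHA} value copied from the log is only parsed, since its password is not known. The function names are my own, not FreeRADIUS attributes.

```python
"""Why an EAP-MD5 peer cannot be checked against an {SSHA} userPassword.

Added example (not from the post, strongSwan or FreeRADIUS).  EAP-MD5 is a
challenge/response method: the server must recompute
MD5(Identifier || password || Challenge) itself, which needs the cleartext.
{SSHA} is SHA-1(password || salt) || salt, which the server can only recompute
when the cleartext arrives (PAP).  Neither value can be turned into the other.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Copied from the rlm_ldap debug line above; the password behind it is unknown,
# so it is only parsed here, never verified.
SSHA_FROM_LDAP = "{SSHA}CDKDY7QxB6DVDCHBHrEpqTMqsxyD5mJorM2nbQ=="


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 / CHAP Response-Value = MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP Identifier is one octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def eap_md5_verify(identifier: int, challenge: bytes, response: bytes,
                   cleartext_password: bytes) -> bool:
    """Server side of EAP-MD5: recompute and compare.  Needs the cleartext."""
    expected = eap_md5_response(identifier, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)


def ssha_hash(password: bytes, salt: bytes) -> str:
    """LDAP {SSHA}: base64(SHA-1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def parse_ssha(value: str) -> tuple[bytes, bytes]:
    """Split an {SSHA} value into (20-byte SHA-1 digest, salt)."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) < 20:
        raise ValueError("{SSHA} value too short to contain a SHA-1 digest")
    return raw[:20], raw[20:]


def ssha_verify(value: str, password: bytes) -> bool:
    """PAP case: the cleartext is in User-Password, so the salted hash can be recomputed."""
    digest, salt = parse_ssha(value)
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def server_can_authenticate(stored: str, method: str) -> bool:
    """The rule behind 'Cleartext-Password is required for EAP-MD5'.

    A stored value without a header, or with {clear}, is cleartext.  PAP can be
    checked against any stored form; EAP-MD5 only against cleartext.
    """
    is_cleartext = not stored.startswith("{") or stored.lower().startswith("{clear}")
    if method == "PAP":
        return True
    if method == "EAP-MD5":
        return is_cleartext
    raise ValueError(f"method not modelled here: {method}")


def demo(password: bytes = b"constructed-password") -> dict:
    """Run the three cases the thread is about (constructed password and salt)."""
    salt = bytes(range(8))                     # constructed 8-byte salt
    stored = ssha_hash(password, salt)         # what rlm_ldap would hand back
    challenge = os.urandom(16)                 # server's EAP-MD5 challenge
    response = eap_md5_response(7, password, challenge)   # what the peer sends
    return {
        "pap_against_ssha": ssha_verify(stored, password),
        "eapmd5_with_cleartext": eap_md5_verify(7, challenge, response, password),
        "eapmd5_with_only_ssha": server_can_authenticate(stored, "EAP-MD5"),
    }


if __name__ == "__main__":
    print(demo())
    print(parse_ssha(SSHA_FROM_LDAP))
```

Running `demo()` gives `pap_against_ssha` and `eapmd5_with_cleartext` as True and `eapmd5_with_only_ssha` as False: with only the {SSHA} value in hand, the server has nothing to feed into `eap_md5_verify`, which is exactly the point where `rlm_eap_md5` gives up. Parsing the value from the log shows the expected layout, a 20-byte digest followed by an 8-byte salt.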