Dear Stephen A. Moore, Set Auth-Type to MS-CHAP.
--Friday, March 21, 2003, 6:01:52 PM, you wrote to [EMAIL PROTECTED]: SAM> I am working on a project to provide a secure wireless network using VPN's SAM> for encryption and authentication. SAM> All users of the network are already registered on a central LDAP database. SAM> The problem currently encountered is that passwords must be sent using SAM> MS-CHAP to an LDAP server (via freeRADIUS) storing plain text passwords. My SAM> understand of the LDAP configuration is that a password cannot be SAM> 'retrieved' from LDAP and instead a supplied password can only be compared SAM> to that which is stored. To get around this we have created an extra SAM> attribute in the LDAP database in which an MS-CHAP encrypted version of the SAM> users password is stored. This should allow MS-CHAP to MS-CHAP comparison SAM> however it doesn't appear to be working. SAM> The ldap.attrib file has been changed to map NT-Password to point to the SAM> gecos field (where the MS-CHAP password is stored). I am running freeRADIUS SAM> 0.8.1 on RedHat Linux 7.3. freeRADIUS itself is running fine and will SAM> authenticate PAP against the LDAP database so I know that the freeRADIUS to SAM> LDAP communication is fine. SAM> A copy of the LDAP module from radiusd.conf is shown here: SAM> ldap { SAM> server = "xxx" SAM> port = 389 SAM> basedn = "o=uol" SAM> filter = SAM> "(&(objectClass=User)(cn=%{Stripped-User-Name:-%{User-Name}})(loginDisabled SAM> =FALSE))" SAM> dictionary_mapping = ${raddbdir}/ldap.attrmap SAM> ldap_connections_number = 5 SAM> password_attribute = "NT-Password" SAM> timeout = 4 SAM> timelimit = 3 SAM> net_timeout = 1 SAM> } SAM> Also the authorize and authentication sections are also as follows: SAM> authorize { SAM> preprocess SAM> ldap SAM> } SAM> authenticate { SAM> authtype MS-CHAP { SAM> mschap SAM> } SAM> } SAM> and finally to test this I am using the Microsoft Windows 2000 VPN client, SAM> set to send MS-CHAP passwords to the radius server. The debug output from SAM> freeRADIUS is as follows: SAM> Ready to process requests. SAM> rad_recv: Access-Request packet from host 127.0.0.1:32804, id=140, SAM> length=126 SAM> Service-Type = Framed-User SAM> Framed-Protocol = PPP SAM> User-Name = "testuser" SAM> MS-CHAP-Challenge = 0x55f62411fc71c9c1 SAM> MS-CHAP-Response = SAM> 0x010100000000000000000000000000000000000000000000000 SAM> 0442ccd457fa62aeb0191c5762fee6cecd8bde7f16e5e00b3 SAM> NAS-IP-Address = x.x.x.x SAM> NAS-Port = 0 SAM> modcall: entering group authorize SAM> modcall[authorize]: module "preprocess" returns ok SAM> rlm_ldap: - authorize SAM> rlm_ldap: performing user authorization for dtyson SAM> radius_xlat: '(&(objectClass=User)(cn=testuser)(loginDisabled=FALSE))' SAM> radius_xlat: 'o=uol' SAM> ldap_get_conn: Got Id: 0 SAM> rlm_ldap: attempting LDAP reconnection SAM> rlm_ldap: (re)connect to xxx:389, authentication 0 SAM> rlm_ldap: bind as / to xxx:389 SAM> rlm_ldap: waiting for bind result ... SAM> rlm_ldap: performing search in o=uol, with filter SAM> (&(objectClass=User)(cn=testuser SAM> )(loginDisabled=FALSE)) SAM> rlm_ldap: looking for check items in directory... SAM> rlm_ldap: Adding gecos as NT-Password, value SAM> 937958CFCA106B3CDAE1645D3377E078 & SAM> op=21 SAM> rlm_ldap: looking for reply items in directory... SAM> rlm_ldap: user testuser authorized to use remote access SAM> ldap_release_conn: Release Id: 0 SAM> modcall[authorize]: module "ldap" returns ok SAM> modcall: group authorize returns ok SAM> rad_check_password: Found Auth-Type LDAP SAM> auth: type "LDAP" SAM> auth: Failed to validate the user. SAM> Login incorrect: [testuser/<no User-Password attribute>] (from client SAM> localhost po SAM> rt 0) SAM> Delaying request 0 for 1 seconds SAM> Finished request 0 SAM> Going to the next request SAM> --- Walking the entire request list --- SAM> Waking up in 1 seconds... SAM> --- Walking the entire request list --- SAM> Waking up in 1 seconds... SAM> --- Walking the entire request list --- SAM> Sending Access-Reject of id 140 to 127.0.0.1:32804 SAM> Waking up in 4 seconds... SAM> --- Walking the entire request list --- SAM> Cleaning up request 0 ID 140 with timestamp 3e7ad9e9 SAM> Nothing to do. Sleeping until we see a request. SAM> Thanks in advance, SAM> Stephen A. Moore SAM> PC & Network Support Engineer SAM> Computing Services Department SAM> The University of Liverpool SAM> - SAM> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- ~/ZARAZA Человек это тайна... я занимаюсь этой тайной чтобы быть человеком. (Достоевский) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html