Dear Stephen A. Moore,
Set Auth-Type to MS-CHAP.
--Friday, March 21, 2003, 6:01:52 PM, you wrote to [EMAIL PROTECTED]:
SAM> I am working on a project to provide a secure wireless network using VPN's
SAM> for encryption and authentication.
SAM> All users of the network are already registered on a central LDAP database.
SAM> The problem currently encountered is that passwords must be sent using
SAM> MS-CHAP to an LDAP server (via freeRADIUS) storing plain text passwords. My
SAM> understand of the LDAP configuration is that a password cannot be
SAM> 'retrieved' from LDAP and instead a supplied password can only be compared
SAM> to that which is stored. To get around this we have created an extra
SAM> attribute in the LDAP database in which an MS-CHAP encrypted version of the
SAM> users password is stored. This should allow MS-CHAP to MS-CHAP comparison
SAM> however it doesn't appear to be working.
SAM> The ldap.attrib file has been changed to map NT-Password to point to the
SAM> gecos field (where the MS-CHAP password is stored). I am running freeRADIUS
SAM> 0.8.1 on RedHat Linux 7.3. freeRADIUS itself is running fine and will
SAM> authenticate PAP against the LDAP database so I know that the freeRADIUS to
SAM> LDAP communication is fine.
SAM> A copy of the LDAP module from radiusd.conf is shown here:
SAM> ldap {
SAM> server = "xxx"
SAM> port = 389
SAM> basedn = "o=uol"
SAM> filter =
SAM> "(&(objectClass=User)(cn=%{Stripped-User-Name:-%{User-Name}})(loginDisabled
SAM> =FALSE))"
SAM> dictionary_mapping = ${raddbdir}/ldap.attrmap
SAM> ldap_connections_number = 5
SAM> password_attribute = "NT-Password"
SAM> timeout = 4
SAM> timelimit = 3
SAM> net_timeout = 1
SAM> }
SAM> Also the authorize and authentication sections are also as follows:
SAM> authorize {
SAM> preprocess
SAM> ldap
SAM> }
SAM> authenticate {
SAM> authtype MS-CHAP {
SAM> mschap
SAM> }
SAM> }
SAM> and finally to test this I am using the Microsoft Windows 2000 VPN client,
SAM> set to send MS-CHAP passwords to the radius server. The debug output from
SAM> freeRADIUS is as follows:
SAM> Ready to process requests.
SAM> rad_recv: Access-Request packet from host 127.0.0.1:32804, id=140,
SAM> length=126
SAM> Service-Type = Framed-User
SAM> Framed-Protocol = PPP
SAM> User-Name = "testuser"
SAM> MS-CHAP-Challenge = 0x55f62411fc71c9c1
SAM> MS-CHAP-Response =
SAM> 0x010100000000000000000000000000000000000000000000000
SAM> 0442ccd457fa62aeb0191c5762fee6cecd8bde7f16e5e00b3
SAM> NAS-IP-Address = x.x.x.x
SAM> NAS-Port = 0
SAM> modcall: entering group authorize
SAM> modcall[authorize]: module "preprocess" returns ok
SAM> rlm_ldap: - authorize
SAM> rlm_ldap: performing user authorization for dtyson
SAM> radius_xlat: '(&(objectClass=User)(cn=testuser)(loginDisabled=FALSE))'
SAM> radius_xlat: 'o=uol'
SAM> ldap_get_conn: Got Id: 0
SAM> rlm_ldap: attempting LDAP reconnection
SAM> rlm_ldap: (re)connect to xxx:389, authentication 0
SAM> rlm_ldap: bind as / to xxx:389
SAM> rlm_ldap: waiting for bind result ...
SAM> rlm_ldap: performing search in o=uol, with filter
SAM> (&(objectClass=User)(cn=testuser
SAM> )(loginDisabled=FALSE))
SAM> rlm_ldap: looking for check items in directory...
SAM> rlm_ldap: Adding gecos as NT-Password, value
SAM> 937958CFCA106B3CDAE1645D3377E078 &
SAM> op=21
SAM> rlm_ldap: looking for reply items in directory...
SAM> rlm_ldap: user testuser authorized to use remote access
SAM> ldap_release_conn: Release Id: 0
SAM> modcall[authorize]: module "ldap" returns ok
SAM> modcall: group authorize returns ok
SAM> rad_check_password: Found Auth-Type LDAP
SAM> auth: type "LDAP"
SAM> auth: Failed to validate the user.
SAM> Login incorrect: [testuser/<no User-Password attribute>] (from client
SAM> localhost po
SAM> rt 0)
SAM> Delaying request 0 for 1 seconds
SAM> Finished request 0
SAM> Going to the next request
SAM> --- Walking the entire request list ---
SAM> Waking up in 1 seconds...
SAM> --- Walking the entire request list ---
SAM> Waking up in 1 seconds...
SAM> --- Walking the entire request list ---
SAM> Sending Access-Reject of id 140 to 127.0.0.1:32804
SAM> Waking up in 4 seconds...
SAM> --- Walking the entire request list ---
SAM> Cleaning up request 0 ID 140 with timestamp 3e7ad9e9
SAM> Nothing to do. Sleeping until we see a request.
SAM> Thanks in advance,
SAM> Stephen A. Moore
SAM> PC & Network Support Engineer
SAM> Computing Services Department
SAM> The University of Liverpool
SAM> -
SAM> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
~/ZARAZA
Человек это тайна... я занимаюсь этой тайной чтобы быть человеком. (Достоевский)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
