Hello Christophe.

Christophe Saillard writes:

And you set "Auth-Type = EAP". DON'T DO THAT.

I do that ;). I prefer to manually set EAP when a user tries to identify as "[EMAIL PROTECTED]". Users are *NOT* allowed to use any other authentication method :).

For the moment I've a running freeradius EAP-TTLS/PAP configuration which works fine.

Now I'd like to get credentials from an existing LDAP user storage instead of the FreeRADIUS "users" file (I store MD5-hashed passwords to have PAP compatibility).

1. It would be nice to see relevant parts of the config file
2. The `radiusd -Xxxx 2>&1 | tee logfile` output

But there's some particular things I need to know :
- how do I have to store the password in the LDAP database (because I'd like to use TTLS/PAP): crypt/MD5 hashed, clear text?

That's an LDAP thingy... Here is an example LDIF entry for userPassword:

userPassword: {crypt}$1$dK1Zl.Qp$khF3af1c7Te0cSf2w/tZO0

All you need is a type prefix in {...} and then a password hash. This is a Perl
code snippet that creates these hashes (same logic as before, only unwrapped
and commented; the $plaintext_password value is a placeholder):

    use strict;
    my $plaintext_password = 'example';                    # placeholder: the password to hash
    my @chars = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');       # the 64-character crypt(3) salt alphabet
    my $salt  = join("", map { $chars[rand 64] } 1..8);    # eight random salt characters
    my $pass  = '{crypt}' . crypt($plaintext_password, '$1$' . $salt . '$');

The hash is the same kind as used in a /etc/shadow file. Check the crypt() man page
for details.

=====================================
And this is in my radiusd.conf file:
modules {
       pap {
               encryption_scheme = clear
       }
        # this is for the "files", passwords are plaintext there :)

       ldap {
               server = "localhost"
               basedn = "ou=users,dc=org,dc=tld"
               filter = "(attribWithUserName=%{User-Name})"
               start_tls = no
       }
...

authenticate {
       Auth-Type EAP {
               eap
       }
       Auth-Type PAP {
               pap
       }
       Auth-Type LDAP {
               ldap
       }
}


- what do I have to put in the "users" file? (I know that Auth-Type := EAP is wrong)

Contrary to Alan's advice O;-), I have this:

########################################################
# User anonymous and [EMAIL PROTECTED] should be allowed #
# activate eap for them                                 #
DEFAULT         User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[EMAIL PROTECTED]", Auth-Type := EAP

########################################################
# Users with a NULL realm should be rejected           #
DEFAULT         Realm == NULL, Auth-Type := Reject
               Fall-Through = No

########################################################
# 1. Accounting fix for AP                             #
# 2. a static username files_test for testing          #
# 3. LDAP authentication for local users               #
DEFAULT         Realm == org.tld, Freeradius-Proxied-To == 127.0.0.1
               User-Name = `%{User-Name}`,
               Fall-Through = yes

files_test      Realm == org.tld, User-Password == "<secret>"

DEFAULT         Realm == org.tld, Auth-Type := LDAP, Ldap-UserDN := `attribWithUserName=%{User-Name},ou=users,dc=org,dc=tld`, Freeradius-Proxied-To == 127.0.0.1

Do notice that I use the user's username/password to bind to LDAP. This is done with the
"Ldap-UserDN" item.

- if it's not possible to have TTLS/PAP authentication, what else can I do (PEAP/MSCHAPv2 ...)?

TTLS/PAP is working :). For MsCHAP you won't be able to use SecureW2 and you'll need to have plaintext passwords in LDAP.

I hope my questions are not too stupid.

Radius configuration is not simple. The documentation is still lacking and you simply have to "learn as you go" ;). So don't feel like you are asking stupid questions.

--
Best regards,
Rok Papez.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
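The thread above shows one {crypt} userPassword value and a Perl one-liner for producing it, but not what the PAP path actually does with it. The following is an added example (not code from the thread, from FreeRADIUS or from OpenLDAP) that reimplements the md5-crypt ("$1$") algorithm in pure Python so it runs without the deprecated `crypt` module, builds {crypt} and {SSHA} userPassword values, and checks a cleartext password the way a PAP request lets you check it. It goes a little beyond the post by also handling {SSHA} and {CLEAR} values. All passwords, salts and entries below are constructed for the demonstration; the module is assumed to be imported as-is.

```python
"""Generate and verify OpenLDAP-style userPassword values for FreeRADIUS PAP.

Added example, not code from the original thread. Pure-Python md5-crypt
(the "$1$" scheme from glibc/FreeBSD crypt(3)), plus {SSHA} and {CLEAR}
handling. All sample values are constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# crypt(3) base64 alphabet: the same 64 characters the Perl snippet draws its salt from
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: emit `count` 6-bit groups, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Same output as crypt(pw, '$1$' + salt + '$'); a full '$1$salt$hash' is accepted as salt."""
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]          # at most 8 salt characters, stop at '$'
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)                                # mix in `alt`, one byte per password byte
    while n > 0:
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)                                # for each bit of len(pw): NUL or pw[0]
    while n:
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                      # 1000 rounds with a data-dependent schedule
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final                                  # the byte shuffle used by the reference code
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in groups)
    enc += _to64(f[11], 2)
    return "$1$" + salt + "$" + enc


def new_salt(length: int = 8) -> str:
    """Random salt over the crypt alphabet, like the Perl snippet but from os.urandom."""
    return "".join(ITOA64[b & 0x3F] for b in os.urandom(length))


def ldap_crypt_password(password: str, salt: Optional[str] = None) -> str:
    """userPassword value in the form the post shows: {crypt} + md5-crypt hash."""
    return "{crypt}" + md5_crypt(password, salt or new_salt())


def ldap_ssha_password(password: str, salt: Optional[bytes] = None) -> str:
    """userPassword value {SSHA} + base64(sha1(pw + salt) + salt), the OpenLDAP default scheme."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def pap_check(cleartext: str, stored: str) -> bool:
    """Check the cleartext a PAP request carries against a stored userPassword.

    Unknown {SCHEME} prefixes return False rather than falling back to a
    cleartext compare. Hashed schemes like these only work with PAP; MS-CHAP
    needs the password in a form it can compute NT responses from.
    """
    if stored.startswith("{crypt}"):
        h = stored[len("{crypt}"):]
        return hmac.compare_digest(md5_crypt(cleartext, h), h)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(cleartext.encode() + salt).digest(), digest)
    if stored.startswith("{CLEAR}"):
        stored = stored[len("{CLEAR}"):]
    elif stored.startswith("{"):
        return False
    return hmac.compare_digest(cleartext.encode(), stored.encode())


if __name__ == "__main__":
    for entry in (ldap_crypt_password("s3cret"), ldap_ssha_password("s3cret"), "{CLEAR}s3cret"):
        print(entry, pap_check("s3cret", entry), pap_check("wrong", entry))
```

`md5_crypt` accepts the stored "$1$salt$hash" string as its salt argument, the same convention as crypt(3), which is what makes the {crypt} branch of `pap_check` a one-liner. The compare goes through `hmac.compare_digest` so a wrong password costs the same time as a near miss.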
