Erik Denny <[EMAIL PROTECTED]> wrote:
> I can auth PAP requests all day long, however, I get the following error
> when a CHAP term server requests auth.
>
> Thu Sep 2 13:27:40 2004 : Auth: rlm_ldap: Attribute "User-Password" is
> required for authentication. Cannot use "CHAP-Password".
> Thu Sep 2 11:35:47 2004 : Auth: Login incorrect: [EMAIL PROTECTED]/<CHAP-Password>]

You are setting "Auth-Type := LDAP". You are setting "Auth-Type := LDAP",
even for CHAP requests. That's the source of the problem.

This is why the server is configured by default to set "Auth-Type := CHAP"
for CHAP requests: because no other module can do CHAP. The LDAP module
sets "Auth-Type = LDAP" only if it has not already been set. So if you're
getting that error for Access-Requests containing CHAP, it's because
you've overridden the default configuration, and told the server to NOT
use the CHAP module for CHAP requests.

> This is the result of a test from a term server with an account that has a
> clear-text password.

You are confusing passwords in the LDAP database with passwords in the
Access-Request. Let's look at a little matrix:

                                authentication data in Access-Request
                                PAP                   CHAP
  passwords in LDAP   clear     Auth-Type := LDAP     Auth-Type := CHAP
                      crypt     Auth-Type := LDAP     impossible

The fact that the "account has a clear-text password" is IRRELEVANT. The
Access-Request has a CHAP password, and LDAP doesn't do CHAP. End of
story. Don't force LDAP to handle CHAP requests.

> Now, as far as I can see in the configs and code, we have not removed
> anything that would break it, AND there is no "User-Password" defined in
> the bundled schema for LDAP v3 in the doc directory.
> (RADIUS-LDAPv3.schema) There appears to be NO conversion from "uid" to
> "User-Name" anywhere that I can see, so how can this work out of the box?

If the Access-Request contains a PAP password, then Auth-Type := LDAP
will work.

> BTW- I don't see how you can test CHAP auth with anything other than a
> term server- radtest/radclient don't appear to support the option?

  $ cat radtest | sed 's/User-Password/CHAP-Password/' > radchaptest
  $ chmod +x radchaptest

And then use "radchaptest" to send CHAP requests.

> > Honestly, if PAP works for a user, then MS-CHAP works, too. Trust
> > me in this.

The problem is that many people get confused between authorization and
authentication.

LDAP is a *database*, not an authentication server. Let LDAP store
passwords, and let FreeRADIUS do authentication.

The whole problem starts when you configure FreeRADIUS to use LDAP for
authenticating users. Don't do that. Use LDAP to store clear-text
passwords.

LDAP doesn't do CHAP, MS-CHAP, EAP, or anything other than PAP. So if
there isn't a User-Password attribute in the Access-Request packet, then
setting "Auth-Type := LDAP" will ALWAYS FAIL.

i.e. Don't list "ldap" in "authenticate". Yes, you may discover that some
things break. This means you've probably got to set "Auth-Type := Local",
for PAP requests.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
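An added illustration of the matrix in the reply above (example code, not part of the post or of FreeRADIUS): the check the CHAP module has to perform on a CHAP-Password, which only works when a clear-text password is available, so the crypt/CHAP cell really is impossible. The challenge, CHAP ident and password values are constructed; the RADIUS Request Authenticator stands in as the challenge, as RFC 2865 allows when no CHAP-Challenge attribute is present.

```python
import hashlib
import hmac
from typing import Optional


def chap_response(chap_id: int, cleartext_password: bytes, challenge: bytes) -> bytes:
    # RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge).
    # The secret has to be the clear-text password; a crypt hash of it
    # cannot be fed into this computation.
    return hashlib.md5(bytes([chap_id]) + cleartext_password + challenge).digest()


def build_chap_password(chap_id: int, cleartext_password: bytes, challenge: bytes) -> bytes:
    # Value of the RADIUS CHAP-Password attribute (RFC 2865 section 5.3):
    # one byte of CHAP Ident followed by the 16-byte CHAP response.
    return bytes([chap_id]) + chap_response(chap_id, cleartext_password, challenge)


def verify_chap_password(chap_password: bytes, challenge: bytes,
                         stored_cleartext: Optional[bytes]) -> bool:
    # What the CHAP module does with the password LDAP handed it.
    # stored_cleartext is None when the directory only holds a crypt hash:
    # there is nothing to recompute the MD5 over, so the answer is "no".
    if stored_cleartext is None or len(chap_password) != 17:
        return False
    chap_id = chap_password[0]
    expected = chap_response(chap_id, stored_cleartext, challenge)
    # Constant-time compare of the 16-byte response.
    return hmac.compare_digest(expected, chap_password[1:])


# Constructed sample values (not taken from any real server).
CHALLENGE = bytes(range(16))      # plays the role of the Request Authenticator
CHAP_ID = 0x2A
PASSWORD = b"correct-horse"
CHAP_PASSWORD = build_chap_password(CHAP_ID, PASSWORD, CHALLENGE)

if __name__ == "__main__":
    # clear-text password in LDAP: the CHAP module can verify it
    print("clear in LDAP, CHAP request :", verify_chap_password(CHAP_PASSWORD, CHALLENGE, PASSWORD))
    # crypt hash only in LDAP: nothing to verify against
    print("crypt in LDAP, CHAP request :", verify_chap_password(CHAP_PASSWORD, CHALLENGE, None))
```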