Hi!
My userbase is LDAP. The LDIF looks like:
dn: uid=ekokor, ou=People, dc=wss-stuttgart,dc=de
userPassword:: e1NTSEF9ZDNCZGZmWkFVQVZxa01SV1lJMGVZUTNnRThVcFdPNTE=
loginShell: /bin/bash
uidNumber: 5966
gidNumber: 831
objectClass: posixAccount
objectClass: account
objectClass: top
objectClass: shadowAccount
objectClass: radiusprofile
uid: ekokor
gecos: S27064
shadowLastChange: 12405
cn: Emil Kokor
homeDirectory: /home/schueler/K3fti1/ekokor
radiusGroupName: allowed
userPassword is "emil" == "{SSHA}d3BdffZAUAVqkMRWYI0eYQ3gE8UpWO51" (only for testing purposes).
I'm using FreeRADIUS 1.0.0 with OpenSSL 0.9.7d (now without problems after I used the --disable-shared option).
For authentication I should use (I think) EAP-TTLS/PAP because of the LDAP userbase and crypted passwords.
In the users file there is only one DEFAULT entry, which denies access for a group of users.
Are the settings so far ok? Because it doesn't work.
radiusd.conf:
....
....
pap {
encryption_scheme = crypt
}
..
..
ldap {
server = "localhost"
identity = "cn=Manager,dc=wss-stuttgart,dc=de"
password = wlan
basedn = "ou=People,dc=wss-stuttgart,dc=de"
filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusProfile))"
base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
#access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = userPassword
groupname_attribute = radiusGroupName
groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusProfile))"
groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
}
..
..
files {
usersfile = ${confdir}/users
#acctusersfile = ${confdir}/acct_users
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can the copy your 'users'
# file from Cistron.
compat = no
}
..
..
authorize {
preprocess
auth_log
# attr_filter
# chap
# mschap
suffix
eap
files
ldap
}
..
..
authenticate {
Auth-Type PAP {
pap
}
# Auth-Type CHAP {
# chap
# }
# Auth-Type MS-CHAP {
# mschap
# }
# Auth-Type LDAP {
# ldap
# }
eap
}

eap.conf:
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
tls {
.....
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
}

users (only entry):
DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
Reply-Message = "Sie sind nicht berechtigt!"
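Added example, not from the original post or from FreeRADIUS: a small Python check that decodes the userPassword value from the LDIF above, confirms it is an {SSHA} value (SHA-1 over password + salt, salt appended, 4 bytes here) rather than a crypt(3) string, and verifies a candidate password against it the way a PAP verifier has to, since EAP-TTLS/PAP delivers the cleartext password inside the TLS tunnel. The make_ssha helper and the fixed test salt are my own constructions.

```python
import base64
import hashlib
import hmac
import os

# userPassword value exactly as quoted in the LDIF above
# ("::" means the value is base64-encoded in the LDIF itself).
LDIF_USERPASSWORD_B64 = "e1NTSEF9ZDNCZGZmWkFVQVZxa01SV1lJMGVZUTNnRThVcFdPNTE="

SHA1_LEN = 20  # {SSHA} = base64( sha1(password + salt) + salt )


def parse_userpassword(ldif_b64_value):
    """Decode an LDIF 'userPassword::' value and split an {SSHA} hash
    into (scheme, digest, salt). Raises ValueError for other schemes."""
    raw = base64.b64decode(ldif_b64_value).decode("ascii")
    if not raw.startswith("{") or "}" not in raw:
        raise ValueError("no {SCHEME} prefix: " + raw)
    scheme, payload = raw[1:].split("}", 1)
    if scheme.upper() != "SSHA":
        # {CRYPT}, {MD5}, {SHA}, ... each need a different verifier;
        # a crypt(3) check cannot validate an SSHA value and vice versa.
        raise ValueError("unsupported scheme " + scheme)
    blob = base64.b64decode(payload)
    if len(blob) <= SHA1_LEN:
        raise ValueError("SSHA blob too short to contain a salt")
    return scheme.upper(), blob[:SHA1_LEN], blob[SHA1_LEN:]


def verify_ssha(ldif_b64_value, candidate):
    """True if 'candidate' (the cleartext PAP password) matches the stored hash."""
    _, digest, salt = parse_userpassword(ldif_b64_value)
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time compare


def make_ssha(password, salt=None):
    """Build an LDIF-style base64 'userPassword::' value in {SSHA} form
    (constructed for testing; random 4-byte salt unless one is given)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    value = "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    return base64.b64encode(value.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    scheme, digest, salt = parse_userpassword(LDIF_USERPASSWORD_B64)
    print("scheme:", scheme, "digest bytes:", len(digest), "salt bytes:", len(salt))
    print("'emil' matches stored hash:", verify_ssha(LDIF_USERPASSWORD_B64, "emil"))
```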