Hi!
My userbase is LDAP. The LDIF looks like:
dn: uid=ekokor, ou=People, dc=wss-stuttgart,dc=de
userPassword:: e1NTSEF9ZDNCZGZmWkFVQVZxa01SV1lJMGVZUTNnRThVcFdPNTE=
loginShell: /bin/bash
uidNumber: 5966
gidNumber: 831
objectClass: posixAccount
objectClass: account
objectClass: top
objectClass: shadowAccount
objectClass: radiusprofile
uid: ekokor
gecos: S27064
shadowLastChange: 12405
cn: Emil Kokor
homeDirectory: /home/schueler/K3fti1/ekokor
radiusGroupName: allowed
The userPassword is "emil" == "{SSHA}d3BdffZAUAVqkMRWYI0eYQ3gE8UpWO51" (only for testing purposes).
I'm using FreeRADIUS 1.0.0 with OpenSSL 0.9.7d (now without problems after I used the --disable-shared option).
For authentication I should use (I think so) EAP-TTLS/PAP because of the LDAP userbase and the hashed passwords.
In the users file there is only one default entry to deny access for a group of users.
Are the settings so far OK? Because it doesn't work.
radiusd.conf:
....
....
pap {
        encryption_scheme = crypt
}
..
..
ldap {
        server = "localhost"
        identity = "cn=Manager,dc=wss-stuttgart,dc=de"
        password = wlan
        basedn = "ou=People,dc=wss-stuttgart,dc=de"
        filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusProfile))"
        base_filter = "(objectclass=radiusprofile)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = no

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        #access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5
        password_attribute = userPassword
        groupname_attribute = radiusGroupName
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusProfile))"
        groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
}
..
..
files {
        usersfile = ${confdir}/users
        #acctusersfile = ${confdir}/acct_users

        # If you want to use the old Cistron 'users' file
        # with FreeRADIUS, you should change the next line
        # to 'compat = cistron'. You can then copy your 'users'
        # file from Cistron.
        compat = no
}
..
..
authorize {
        preprocess
        auth_log
#       attr_filter
#       chap
#       mschap
        suffix
        eap
        files
        ldap
}
..
..
authenticate {
        Auth-Type PAP {
                pap
        }
#       Auth-Type CHAP {
#               chap
#       }
#       Auth-Type MS-CHAP {
#               mschap
#       }
#       Auth-Type LDAP {
#               ldap
#       }
        eap
}
eap.conf:
eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        tls {
                .....
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
}
users:
contains only:

# Reply-Message below is German for "You are not authorized!"
DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
        Reply-Message = "Sie sind nicht berechtigt!"
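Added example (not code from the original post and not FreeRADIUS's own rlm_pap or rlm_ldap code): what the server has to do with this entry's userPassword once the EAP-TTLS tunnel delivers the inner PAP cleartext. It pulls the base64-encoded ("::") userPassword out of the posted LDIF entry and then verifies the cleartext against the {SSHA} value by base64-decoding it, splitting the 20-byte SHA-1 digest from the trailing salt, recomputing SHA-1(password + salt) and comparing in constant time. It goes a little beyond the post by also accepting unsalted {SHA} values and by rejecting malformed values instead of raising. The helper names, the 4-byte salt used for the self-check and the trimmed copy of the LDIF entry are this example's own; the userPassword value is the one from the post.

```python
"""Verify LDAP userPassword values of the {SSHA}/{SHA} form (RFC 2307 style).

Example code written for this thread; assumptions are marked in comments.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20  # bytes in a SHA-1 digest; in {SSHA} everything after it is the salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # 4 random bytes, the same default size slappasswd uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def _split_scheme(stored: str) -> Tuple[Optional[str], Optional[str]]:
    """Split '{scheme}payload' into (SCHEME, payload); (None, None) if no header."""
    if not stored.startswith("{"):
        return None, None
    end = stored.find("}")
    if end < 1:
        return None, None
    return stored[1:end].upper(), stored[end + 1:]  # scheme tag is case-insensitive


def check_password(password: str, stored: str) -> bool:
    """Return True if the cleartext password matches the stored hash value.

    Handles {SSHA} (the scheme in the posted entry) and unsalted {SHA}.
    Any malformed value (unknown scheme, bad base64, missing salt or a
    truncated digest) yields False, so a broken directory entry fails closed.
    """
    scheme, payload = _split_scheme(stored)
    if scheme not in ("SSHA", "SHA"):
        return False
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if scheme == "SHA":
        if len(raw) != SHA1_LEN:
            return False
        digest, salt = raw, b""
    else:
        if len(raw) <= SHA1_LEN:
            return False  # no salt present, or the digest itself is truncated
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    computed = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so a mismatch position is not observable.
    return hmac.compare_digest(computed, digest)


def ldif_user_password(ldif: str) -> str:
    """Extract userPassword from an LDIF entry.

    In LDIF 'attr:: value' means the value is itself base64-encoded, which is
    how userPassword appears in the posted entry; it is decoded once here
    before being handed to check_password.
    """
    for line in ldif.splitlines():
        line = line.strip()
        if line.startswith("userPassword::"):
            return base64.b64decode(line[len("userPassword::"):].strip()).decode("ascii")
        if line.startswith("userPassword:"):
            return line[len("userPassword:"):].strip()
    raise KeyError("entry has no userPassword attribute")


# Trimmed copy of the entry from the post (dn, userPassword and uid only).
POST_LDIF = """\
dn: uid=ekokor, ou=People, dc=wss-stuttgart,dc=de
userPassword:: e1NTSEF9ZDNCZGZmWkFVQVZxa01SV1lJMGVZUTNnRThVcFdPNTE=
uid: ekokor
"""

if __name__ == "__main__":
    stored = ldif_user_password(POST_LDIF)
    print("stored userPassword:", stored)
    print("'emil' matches stored value:", check_password("emil", stored))
    # Round-trip with a constructed, fixed salt (example data, not from the post).
    fresh = make_ssha("emil", salt=b"\x01\x02\x03\x04")
    print("fresh value:", fresh, "->", check_password("emil", fresh))
```

The same decode-split-recompute sequence is what any PAP-style backend must perform on a {SSHA} value; a backend that only knows `crypt` cannot do it, so the stored scheme and the verifier's supported schemes have to agree before EAP-TTLS/PAP can succeed.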