Hi all,
I think I'm having problems too with EAP-TTLS / PAP with LDAP passwords
stored in SSHA-1.
I have the newest release of FreeRADIUS: 1.1.2.
In debug mode:
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user wifilsh authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id:0
modcall[authorize]: module "ldap1" return ok for request 0
users: Matched entry DEFAULT at line 172
modcall[authorize]: module "files" return ok for request 0
rlm_eap: No EAP-Message, not doing EAP
...
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" return noop for request 0
...
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request : Rejecting the user
auth: Failed to validate the user.
and I tried several configurations in my radiusd.conf:
pap {
        encryption_scheme = sha1    (or: auto_header = yes, encryption_scheme = ssha)
}
EAP-TTLS / PAP authentication works well with clear passwords.
Can I use the rlm_pap realm to crypt passwords in SSHA-1?
Does anyone have an idea about these problems?
Thanks,
Guillaume
Matt Ashfield wrote:
I think I'm having similar problems. Trying to do EAP-TTLS against LDAP with
passwords stored in SSHA-1, I get the following in my debug:
rlm_ldap: Added password {SSHA}sBKY63Qm0H8T/Rx25tveoZfGaYd9Rjk45TCrWA== in
check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mda authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 4
modcall: group authorize returns ok for request 4
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
ERROR: Unknown value specified for Auth-Type. Cannot perform requested
action.
auth: Failed to validate the user.
The above seems to indicate to me that I was authorized, but not
authenticated?
Although in my radiusd.conf, I do have the following which I assumed was
correct:
pap {
        encryption_scheme = sha1
}
Cheers
Matt Ashfield
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Phil Mayers
Sent: July 15, 2006 8:09 AM
To: FreeRadius users mailing list
Subject: Re: EAP-TTLS-PAP-LDAP
Rohaizam Abu Bakar wrote:
> Thanks Phil.. what a stupid move to paste all that passwd.. I've
> changed it as soon as I got your mail... thanks again...
> I cannot find any article related to repeating the LDAP query for EAP... pls
> help..
You don't need to worry about the EAP. The EAP is working fine. It's the
PAP request that lives inside the EAP that's failing.
> I think the problem is caused by RADIUS not being able to figure out how to set Auth-Type,
> and then it requires a plain passwd.. When I change the password to plain, with the
> same settings.. it's working...
It's definitely not that. Auth-Type is being set to Local, probably by
the default entries in the "users" file, and the server is therefore
trying to compare the passwords in the PAP requests with the ones from
LDAP, which is correct. But as I said, your LDAP directory contains
passwords of the form "{crypt}somebytes". This is breaking it. You have
three choices:
1. Upgrade the server to a version which can correctly deal with the
"{type}" prefixes.
2. Re-format the passwords, either in the LDAP directory or with an
external script, so that the {type} is stripped and the value set in the
Crypt-Password attribute. For example, in radiusd.conf:
modules {
        ldap {
                server = ...
                basedn = ...
                # do NOT copy the password attribute here, do it
                # in ldap.attrmap instead - see below for why
                # password_attribute
                # other config items
        }
        exec strip_password_header {
                wait = yes
                program = "/usr/local/bin/strip_password_header.sh"
                input_pairs = config
                output_pairs = config
        }
}
authorize {
        preprocess
        eap
        files
        Autz-Type ttls-inner-bit {
                ldap
                strip_password_header
        }
}
authenticate {
        eap
}
...and in users:
# Match the PAP "inside" bit of EAP-TTLS and set the Autz-Type so
# that we only run the ldap query and crypt password rewrite then.
# Also set Auth-Type to Local so the radius server will check the
# passwords.
DEFAULT Client-IP-Address == 127.0.0.1, Autz-Type := ttls-inner-bit,
        Auth-Type := Local
...and in ldap.attrmap:
checkItem Crypt-Password userPassword
...and in /usr/local/bin/strip_password_header.sh:
#!/bin/sh
# rlm_exec (input_pairs = config) exports the Crypt-Password check item
# as $CRYPT_PASSWORD. Strip the "{crypt}" header and hand the bare hash
# back as a config item (output_pairs = config).
stripped_pw=$(printf '%s' "$CRYPT_PASSWORD" | sed -e 's/^{crypt}//')
echo "Crypt-Password := \"$stripped_pw\""
Basically, what this does is:
* do EAP
* when the inner PAP request happens
* fetch the "{crypt}foobar" from LDAP
* rewrite it to "foobar" with a script
* let the radius server compare the passwords
3. Stop copying the password over at all, and authenticate the PAP bit
with an LDAP simple bind to the directory. See the archives for many
posts about "LDAP simple bind PAP".
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
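As an added illustration (my own code, not from this thread and not FreeRADIUS code), the following Python shows what a "{SSHA}" userPassword value of the kind Guillaume and Matt have actually contains, why a checker has to know the scheme before it can compare the inner PAP cleartext against it, and a small mirror of the "{crypt}" header-stripping rule from Phil's strip_password_header.sh. Assumptions: the OpenLDAP layout base64(sha1(password + salt) + salt) for {SSHA}, a constructed sample password and salt, and the Crypt-Password mapping as the only scheme-to-attribute rule (it is the only one the thread gives; other schemes return None rather than guessing an attribute name).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes in a raw SHA-1 digest


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt).

    Assumed layout (OpenLDAP convention); salt is random if not supplied.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a cleartext password (the inner PAP User-Password) against a {SSHA} userPassword.

    The salt is recovered from the stored value itself, so the scheme must be
    known up front: comparing the cleartext to the whole string can never match.
    """
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:
        return False  # malformed base64
    if len(raw) <= SHA1_LEN:
        return False  # digest without a salt: malformed
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def split_scheme(value: str) -> Tuple[Optional[str], str]:
    """Split "{scheme}payload" into (scheme lowercased, payload); no header -> (None, value)."""
    if value.startswith("{"):
        end = value.find("}")
        if end > 1:
            return value[1:end].lower(), value[end + 1:]
    return None, value


def to_check_item(user_password: str) -> Optional[str]:
    """Mirror of strip_password_header.sh: "{crypt}hash" becomes a Crypt-Password check item.

    Other schemes are left alone (None) because the thread maps only {crypt}.
    """
    scheme, payload = split_scheme(user_password)
    if scheme == "crypt":
        return 'Crypt-Password := "%s"' % payload
    return None


if __name__ == "__main__":
    # Constructed sample, not a real directory entry.
    stored = make_ssha("s3cret-demo", b"salt")
    print(stored, verify_ssha("s3cret-demo", stored), verify_ssha("wrong", stored))
    print(to_check_item("{crypt}ab12CDEF"), to_check_item(stored))
```

The point for the rlm_pap warning in the first post: a "known good" password only exists once the server knows which scheme the stored value is in, which is what encryption_scheme / auto_header decide, and which the strip_password_header.sh workaround supplies by hand for the {crypt} case.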