Hi, I'm now trying your suggestions for getting FR and PEAP working together. Below is the result of a radtest that I did.

The password that is being supplied by radtest is in plain-text; should I be supplying it in ntPassword-encrypted format? It looks to me like I have something wrong with my authenticate section. My authorize section looks like:

authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        Autz-Type Ldap1 {
                redundant-load-balance {
                        unbldap
                        unbldap2
                }
                mschap
        }
}

The radtest result is below:

rad_recv: Access-Request packet from host 127.0.0.1 port 32769, id=97, length=55
        User-Name = "mda"
        User-Password = "abc123"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
Tue Jun 10 10:07:34 2008 : Debug: +- entering group authorize
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[preprocess] returns ok
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[chap] returns noop
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[mschap] returns noop
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Tue Jun 10 10:07:34 2008 : Debug: rlm_realm: No '@' in User-Name = "mda", looking up realm NULL
Tue Jun 10 10:07:34 2008 : Debug: rlm_realm: No such realm "NULL"
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[suffix] returns noop
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: rlm_eap: No EAP-Message, not doing EAP
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[eap] returns noop
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[files] returns noop
Tue Jun 10 10:07:34 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Tue Jun 10 10:07:34 2008 : Debug: auth: Failed to validate the user.
Tue Jun 10 10:07:34 2008 : Auth: Login incorrect: [mda] (from client localhost port 0)
Tue Jun 10 10:07:34 2008 : Debug: Delaying reject of request 0 for 1 seconds
Tue Jun 10 10:07:34 2008 : Debug: Going to the next request
Tue Jun 10 10:07:34 2008 : Debug: Waking up in 0.9 seconds.
Tue Jun 10 10:07:35 2008 : Debug: Sending delayed reject for request 0
Sending Access-Reject of id 97 to 127.0.0.1 port 32769
Tue Jun 10 10:07:35 2008 : Debug: Waking up in 4.9 seconds.
Tue Jun 10 10:07:40 2008 : Debug: Cleaning up request 0 ID 97 with timestamp +17
Tue Jun 10 10:07:40 2008 : Debug: Ready to process requests.

Any assistance is appreciated.

Thanks
Matt
[EMAIL PROTECTED]

-----Original Message-----
From: Thibault Le Meur [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 26, 2008 11:00 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: FR and PEAP question

Matt Ashfield wrote:
>
> Hi,
>
> We're looking into using PEAP with MSChapV2, instead of PAP (don't
> want to use the SecureW2 client anymore) so are investigating ways to
> store the password in LDAP.
>
> According to
> http://deployingradius.com/documents/protocols/compatibility.html, the
> options are storing the password in Clear-Text or in an NT Hash
> (ntlm_auth).
>
> In talking with our LDAP people, I was told the following:
>
> SunOne does not support nt-hash passwords. Supported formats are
> CLEAR, CRYPT, DES, NS-MTA-MD5 (Netscape MD5), SHA, and SSHA.
>
> Fedora Directory Server 1.1.0 supports CLEAR, CRYPT, DES, MD5,
> NS-MTA-MD5, SHA, SHA256, SHA384, SHA512, SSHA, SSHA256, SSHA384, and
> SSHA512.
>

This means that your userPassword attribute must contain your password in the previously mentioned hash forms. This userPassword attribute is used internally by your LDAP directory in order to authenticate your access (bind) to the LDAP server.

> It sounds to me like if we want to do PEAP/MSChapV2 we'd have to store
> the password in cleartext? I would just like to verify this via this list.
>

Not necessarily. You may _not_ want to use ldap binding as the authentication process, but only use your LDAP directory as a database backend in which FR will read a given ldap attribute (different from 'userPassword') and maps it to the NT-Hash version of the user password.

In other words (setup for FR1.7):

* in your LDAP directory entries add a new attribute (that will hold the NT-Hash version of the user password)
* update the configuration file ldap.attrmap so that the new ldap attribute maps to the radius NT-Password attribute
* setup your rlm_ldap module and use it in the authorize section (NOT the authenticate section)
* don't forget to use the mschap module in your authorize section (after the ldap one) so that the MS-CHAP Authentication will see the encrypted user password and sets Auth-Type accordingly

Hope this helps,
Thibault

> Any advice is appreciated.
>
> Thanks
>
> Matt
>
> [EMAIL PROTECTED]
>
> ------------------------------------------------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html