Hi,

Robert Masters <rmast...@bunnings.com.au> wrote:
>
> We've been working on using Freeradius on RHEL5.4 to link a Motorola
> RFS6000 with Oracle OID.
>
> We've had a number of hiccoughs along the way, and solved most of them -
> mainly thanks to the archives of this list.
>
> We are now getting the following error:
> "rlm_eap_gtc: ERROR: Clear-test User-Password is required for
> authentication."
> "Bad UNIX sysadmin *BAD*"

My git log tells me you are running a version of FreeRADIUS from *before*
Aug 15 2006. Maybe I am the first to tell you, but it is 2010, and nearly
2011 :)

That error message was fixed (as was the codebase) so that
Cleartext-Password is used instead (as User-Password comes from the RADIUS
packet).

> instantiate {
>     exec
>     expr
> }
>
> authorize {
>     preprocess
>
>     suffix
>     eap
>     files        <---- comment out
>     ldap
> }
>
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
>     Auth-Type CHAP {
>         chap
>     }
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     unix
>     Auth-Type LDAP {
>         ldap
>     }
>     eap
> }
>
> [snipped]
>

The problem is that you need to populate Cleartext-Password with whatever
is expected from the user *before* you end up calling the GTC module.
This is true if you want the gtc module to do the checking for you (as
you have set the auth_type to 'Local'). This results in the gtc module
doing the "Cleartext-Password == User-Password" check for you.

What I use, other than just a version of FreeRADIUS from this decade, is
something like the following:

----
eap {
    ...
    # do *not* pass to an inner virtual server for GTC (unless you
    # want to do secondary authentications, two-factor?)
    ttls {
        #virtual_server = "inner-tunnel"
    }
    peap {
        #virtual_server = "inner-tunnel"
    }
    gtc {
        challenge = "%{reply:Reply-Message}"
        # as User-Password != Cleartext-Password for rfc2289
        auth_type = rfc2289
    }
    ...
}

authorize {
    ...
    # gets some useful information from LDAP that lets the rfc2289
    # perl module do its thing
    ldap
    # generates Reply-Message depending on what LDAP found
    gtc-trial.perl
    gtc-trial.eap
}

authenticate {
    Auth-Type gtc-trial.eap {
        gtc-trial.eap
    }
    Auth-Type rfc2289 {
        # does the User-Password check as rfc2289 can have
        # several formats, and is not case sensitive, etc
        gtc-trial.perl
    }
}
----

> And our users file:
>
> DEFAULT Auth-Type = LDAP
>         Fall-Through = Yes
>
> DEFAULT Service-Type == Framed-User
>         Framed-IP-Address = 255.255.255.254,
>         Framed-MTU = 576,
>         Service-Type = Framed-User,
>         Fall-Through = Yes
>
> DEFAULT Framed-Protocol == PPP
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "CSLIP"
>         Framed-Protocol = SLIP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "SLIP"
>         Framed-Protocol = SLIP
>

This is wrong and unnecessary, you should never set the Auth-Type (except
to Reject or Accept); especially to 'LDAP'. Comment out 'files' in
authorize, when 'ldap' is called it will go hunting for accounts, and if
it sees it can get enough information to authenticate the user, then it
will; although this is not actually what you want here.

Cheers

-- 
Alexander Clouter
.sigmonster says: I am a deeply superficial person.
                  -Andy Warhol

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
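Added illustration, not from this thread and not the gtc-trial.perl module (whose code is not shown): a minimal Python version of the server-side RFC 2289 check that the Auth-Type rfc2289 section above hands to a perl module, showing why a plain "Cleartext-Password == User-Password" comparison cannot work for an OTP and how the response is normalised (whitespace stripped, case ignored) before checking. It covers only the 16-hex-digit response form (the six-word form needs the RFC 2289 word list); the passphrase, seed and sequence numbers are constructed values.

```python
import hashlib
import re
from typing import Optional


def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 MD5 step: hash, then fold the 16-byte digest to
    8 bytes by XORing the two halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    """Client-side generator: the OTP for (passphrase, seed, sequence).
    The seed is case-insensitive and is lower-cased before use."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(sequence):
        value = fold_md5(value)
    return value


def parse_hex_otp(presented: str) -> Optional[bytes]:
    """Accept the hexadecimal response form: 16 hex digits in either
    case, with optional whitespace between groups of digits."""
    digits = re.sub(r"\s+", "", presented)
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", digits):
        return None
    return bytes.fromhex(digits)


def verify_next_otp(stored_otp: bytes, presented: str) -> Optional[bytes]:
    """Server-side check. The server keeps the OTP for sequence n; the
    user presents the OTP for sequence n-1, which must hash to the stored
    value. Returns the new value to store on success, None on failure.
    Note the stored value is never equal to what the user sends, which is
    why User-Password != Cleartext-Password here."""
    candidate = parse_hex_otp(presented)
    if candidate is None or fold_md5(candidate) != stored_otp:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed enrolment: the server stores OTP #99, the user presents #98.
    stored = otp_md5("correct horse battery", "ex4mple", 99)
    presented = otp_md5("correct horse battery", "ex4mple", 98).hex().upper()
    print("accepted" if verify_next_otp(stored, presented) else "rejected")
```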