Re: PAP & CHAP

2003-01-10 Thread Shawn O'Shea

I've been using this in my authenticate block for awhile and it seems to
work fine with UUNet for the dialup we resell from them:

authtype UUNET {
chap
pap
}

and just match it with Auth-Type := UUNET for an entry in the users file.

-Shawn


On Fri, 10 Jan 2003, Chris Knipe wrote:

> Hi,
>
> I tried this, and it still did not work :(  Maybe I am missing something...
> Below are the relevant snippets from my configuration...
>
> modules {
>   pap {
> encryption_scheme = clear
>   }
>
>   chap {
> authtype = CHAP
>   }
> }
>
> authorize {
>   preprocess
>   attr_filter
>   suffix
>   files
>   chap
>   sql
> }
>
> # Authentication.
> authenticate {
>   authtype PAP {
> pap
>   }
>
>   authtype CHAP {
> chap
>   }
> }
>
> --
> me
>
>
> - Original Message -
> From: "3APA3A" <[EMAIL PROTECTED]>
> To: "Chris Knipe" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Thursday, January 09, 2003 10:55 AM
> Subject: Re: PAP & CHAP
>
>
> > Dear Chris Knipe,
> >
> > Set Auth-Type to PAP, add chap module to authorize section and make sure
> > you have
> >
> > chap {
> > authtype = CHAP
> > }
> >
> > in  module  configuration.  In  this case default authentication will be
> > PAP,  but  if CHAP-Password attribute will be found in request Auth-Type
> > will be changed to CHAP during authorization. This behavior is explained
> > in  doc/rlm_mschap  for  MS-CHAP authentication which is very similar to
> > CHAP.
> >
> > --Thursday, January 9, 2003, 6:47:32 AM, you wrote to
> [EMAIL PROTECTED]:
> >
> > CK> Lo everyone,
> >
> > CK> I think I have a little bit of a problem (or maybe not)...
> >
> > CK> I want to use PAP and CHAP authentication... Basically, a user should
> be
> > CK> able to authenticate using PAP or CHAP... I've created a group
> attribute
> > CK> request (Auth-Type := PAP as well as Auth-Type := CHAP).  However,
> > CK> Freeradius only takes the first one it gets from the database (PAP),
> and
> > CK> disregards the CHAP.
> >
> > CK> I know this is stupid, but I am presuming that Auth-Type is sent from
> the
> > CK> NAS to the Radius server in any case?  How can do I get freeradius to
> accept
> > CK> both password types?  My PAP is stored cleartext to make it compatible
> with
> > CK> CHAP, and when I manually remove PAP for CHAP I can authenticate using
> both
> > CK> types... Right now though, I don't really see a way how I can use both
> at
> > CK> the same time on the same accounts?
> >
> > CK> --
> > CK> me
> >
> >
> > CK> -
> > CK> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
> >
> > --
> > ~/ZARAZA
> > Shooting a second time, he crippled a bystander. The bystander was me.
> > (Twain)
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Freeradius/*SQL question

2002-10-02 Thread Shawn O'Shea


> First off, is it neccessary to fill the dictionary table as well, or can
> the text version be used directly for that? More to the point, how do I
> tell radiusd to ONLY look in its sql table for authentication?

This is controlled like any other authentication module, via the
authenticate {} block in your radiusd.conf. If all you want is sql, then
only put the sql module in there.

> Second, is there any way to use crypted passwords in the SQL database?
> I'm keeping a fairly tight lid on security in most matters but plaintext
> passwords always make me nervous.

Use PAP exclusively for dialup.  If you want to support CHAP for dialup,
passwords _must_ be cleartext. See the FAQ and list archives for more
details.

-Shawn

>
> Thanks for the software,
> -Shad
> --
> Rens Houben   |opinions are mine
> Resident linux guru and sysadmin  | if my employers have one
> Systemec Internet Services.   |they'll tell you themselves
> PGP public key at http://suzaku.systemec.nl/shadur.key.asc
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.


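The two threads above turn on one property of the protocol: the server can check a PAP login against a one-way hash, because the NAS hands it the cleartext, but it can check a CHAP login only against a cleartext password it already holds. Below is an added example, written for this page rather than taken from the thread or from FreeRADIUS, that runs both checks end to end: the NAS-side construction of CHAP-Password (RFC 2865 section 5.3) and of the hidden User-Password (section 5.2), and a server-side dispatcher that picks PAP or CHAP from whichever attribute arrived, which is what an authtype UUNET { chap pap } block achieves in radiusd.conf. The shared secret, user names, challenge and the {SHA256} stand-in for a crypt(3)-style hash are all constructed assumptions.

```python
"""Added example, not code from the list thread or from FreeRADIUS: a
miniature RADIUS server-side check showing (a) why a PAP login can be
verified against a one-way hash while a CHAP login needs the cleartext
password, and (b) one dispatcher that picks PAP or CHAP per request from
the attribute the NAS sent. Secret, users and passwords are constructed."""
import hashlib
import hmac


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 s5.3: Response = MD5(Ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: the NAS hides User-Password by XORing each 16-octet block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of s5.2: same keystream, so the cleartext comes back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # passwords cannot contain NUL, so the padding is safe to strip


# Stand-in for a crypt(3)-style one-way hash in the backend (assumption: a real
# store would use {CRYPT}/{SSHA}; only the one-wayness matters here).
def hash_password(password: str, salt: bytes) -> str:
    return "{SHA256}" + salt.hex() + "$" + hashlib.sha256(salt + password.encode()).hexdigest()


def check_hashed(stored: str, candidate: str) -> bool:
    salt_hex, digest = stored[len("{SHA256}"):].split("$")
    got = hashlib.sha256(bytes.fromhex(salt_hex) + candidate.encode()).hexdigest()
    return hmac.compare_digest(got, digest)


def authenticate(request: dict, stored: str, secret: bytes) -> str:
    """Return 'ok', 'reject' or 'invalid'. 'invalid' mirrors the modcall result
    in the thread: the module cannot use the attributes it was handed."""
    auth = request["Request-Authenticator"]
    if "CHAP-Password" in request:
        if stored.startswith("{"):
            return "invalid"  # CHAP needs the cleartext; a hash cannot be "CHAP-ized"
        ident, response = request["CHAP-Password"][0], request["CHAP-Password"][1:]
        challenge = request.get("CHAP-Challenge", auth)  # s5.3: default is the Request Authenticator
        expected = chap_response(ident, stored, challenge)
        return "ok" if hmac.compare_digest(expected, response) else "reject"
    if "User-Password" in request:
        cleartext = unhide_user_password(request["User-Password"], secret, auth).decode()
        if stored.startswith("{SHA256}"):
            return "ok" if check_hashed(stored, cleartext) else "reject"
        return "ok" if hmac.compare_digest(cleartext.encode(), stored.encode()) else "reject"
    return "invalid"


# NAS-side builders, so the exchange can be run end to end offline.
def pap_request(user: str, password: str, secret: bytes, auth: bytes) -> dict:
    return {"User-Name": user, "Request-Authenticator": auth,
            "User-Password": hide_user_password(password.encode(), secret, auth)}


def chap_request(user: str, password: str, ident: int, challenge: bytes, auth: bytes) -> dict:
    # CHAP-Password attribute = 1 octet Ident + 16 octet Response (s5.3)
    return {"User-Name": user, "Request-Authenticator": auth, "CHAP-Challenge": challenge,
            "CHAP-Password": bytes([ident]) + chap_response(ident, password, challenge)}


def demo() -> dict:
    # Fixed (not random) authenticator and challenge so the run is reproducible.
    secret, auth, chal = b"mysharedsecret", bytes(range(16)), bytes(range(16, 32))
    clear, hashed = "correct horse", hash_password("correct horse", b"salt")
    return {
        "chap/cleartext": authenticate(chap_request("me", "correct horse", 7, chal, auth), clear, secret),
        "chap/wrong": authenticate(chap_request("me", "wrong", 7, chal, auth), clear, secret),
        "chap/hashed": authenticate(chap_request("me", "correct horse", 7, chal, auth), hashed, secret),
        "pap/hashed": authenticate(pap_request("me", "correct horse", secret, auth), hashed, secret),
        "pap/hashed-bad": authenticate(pap_request("me", "wrong", secret, auth), hashed, secret),
        "pap/cleartext": authenticate(pap_request("me", "correct horse", secret, auth), clear, secret),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} {result}")
```

Two caveats worth keeping in mind when reading the output: the MD5 in both constructions is what the protocol mandates, not a design choice, and the User-Password hiding is keyed only by the shared secret, so neither method protects the password from anyone who holds that secret. Storing cleartext to make CHAP work means a compromise of the backend gives up every password, which is the trade-off the "use PAP exclusively" advice above is making.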



Re: CHAP and Crypt

2002-09-23 Thread Shawn O'Shea

>
> I want to use crypted passwords in LDAP and CHAP authentication. It works
> without CHAP.
> CHAP seems like only working with clear passwords. Can anybody help me with
> this?

Read the FAQ:
http://www.freeradius.org/faq/#4.4  (PAP authentication works but CHAP
fails)
and
http://www.freeradius.org/faq/#5.11 (How do I make CHAP work with LDAP?)

-Shawn

Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: CHAP/PAP Authentication

2002-09-17 Thread Shawn O'Shea


Auth-Type can be an arbitrary value. I use something like this to make
chap or pap available to the same set of users:

in users:
DEFAULT Auth-Type := CHAPPAP
   

in authenticate block radiusd.conf:
authtype CHAPPAP {
chap
pap
}

-Shawn


On Tue, 17 Sep 2002, ho k wrote:

> Hi
>
> Hi
> How can the user profile be set such that the PAP or
> CHAP call may be verified.
> If I used:
>
>
> DEFAULT  Auth-Type := PAP
> Fall-Through = 1
>
> the debug output is:
>
> modcall: group authorize returns ok
> rad_check_password:  Found Auth-Type PAP
> auth: type "PAP"
> modcall: entering group authtype
> rlm_pap: Attribute "Password" is required for
> authentication. Cannot use "CHAP-Password".
> modcall[authenticate]: module "pap" returns invalid
> modcall: group authtype returns invalid
> auth: Failed to validate the user.
>
> for CHAP user.
>
> Regards
> K
>
>
> ___
> Do You Yahoo!?
> Get your free @yahoo.com.hk address at http://mail.english.yahoo.com.hk
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: libtool libs conflicts.

2002-09-09 Thread Shawn O'Shea


You can use your systems libtool instead of the one that ships with the
FreeRADIUS source. Add --with-system-libtool to your configure.

I seemed to need that on Mandrake when I built it with my RPM
(http://volcano.boulderhill.net/freeradius-rpm/)

-Shawn

On Mon, 9 Sep 2002, Yang-Hwee TAN wrote:

>
> Hi,
>
> I've just managed to build the freeradius rpm from an old v0.6 redhat spec file,
> and now I've got a problem with the libtool libs conflicting with the ones built into
> FreeRadius' rpm.
>
> here are the options i used to build the rpm for freeradius:
>
> %configure --prefix=%{_prefix} \
> --localstatedir=%{_localstatedir} \
> --sysconfdir=%{_sysconfdir} \
> --mandir=%{_mandir} \
> --with-threads \
> --with-thread-pool \
> --with-gnu-ld \
> --with-rlm-krb5-include-dir=/usr/include/krb5 \
> --with-rlm-krb5-lib-dir=/usr/lib
>
> I did try to use the switch "--disable-ltdl-install", but the compilation complains
> and it seems like it's not a valid option for compiling. Any help on this would be
> great!
>
> Does anyone know if I can rebuild the binary without the conflict with my system's
> libtool libs happening? (see the rpm conflict below). Or is this a normal thing?
> Meaning that I can go ahead and replace the libraries for my libtool in order to
> use FreeRadius?
>
>
>  [root@lnx00 root]# rpm --test -Uvh /usr/src/RPM/RPMS/i586/freeradius-0.7-1mdk.i586.rpm
>  Preparing...### [100%]
>  file /usr/lib/libltdl.so.3.1.0 from install of freeradius-0.7-1mdk conflicts with file from package libltdl3-1.4.2-3mdk
>  file /usr/lib/libltdl.a from install of freeradius-0.7-1mdk conflicts with file from package libltdl3-devel-1.4.2-3mdk
>  file /usr/lib/libltdl.la from install of freeradius-0.7-1mdk conflicts with file from package libltdl3-devel-1.4.2-3mdk
>
>
> --
> Cheers!
>  Yanghwee TAN <[EMAIL PROTECTED]>
>  http://krypton.bii.a-star.edu.sg/~tanyh/
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: Question about rejecting users

2002-08-21 Thread Shawn O'Shea

On Wed, 21 Aug 2002, Mark Hennessy wrote:

> Is there a way to reject any users not explicitly listed in the flat users
> file or the sql database?  My defaults are able to match up to any user in
> my passwd file and allow access at this moment, and give them an
> incomplete reply.

If you mean /etc/passwd, and you don't want users from there ever to
authenticate against radius, then just make sure the "unix" module is not
in your "authenticate {}" block of radiusd.conf

This may not be what you're trying to do though 8-)

Hope it helps!
-Shawn

>
> --
>  Mark P. Hennessy   [EMAIL PROTECTED]
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: Query before I choose freeradius

2002-08-15 Thread Shawn O'Shea


> The way we do this is kind of new in postfix. You can specify that postfix
> looks at a mysql database and tables for the users and passwords. The only
> catch is that users must have unique usernames and they needs to have the
> same user/pass combo for dialup and email. I think the catch is actually a
> benefit, but it could be taken otherwise.

This can also be done with an LDAP backend, as that is exactly what we do
at my company (POP/IMAP users and RADIUS dialups authenticate against the
same LDAP backend).

-Shawn


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





RE: FreeRADIUS RPMs

2002-08-12 Thread Shawn O'Shea


Yes, if they're compiled, you should be able to add the rlm_* files to
/usr/lib by hand

-Shawn

On Mon, 12 Aug 2002, Sheldon Fougere wrote:

> Hi Shawn,
>
> Would I be able to add the additional rlm_sql* files after I've install 0.7
> with these RPM's?
>
> Thanks,
> Sheldon
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Shawn
> O'Shea
> Sent: Monday, August 12, 2002 2:42 PM
> To: FreeRadius Users List
> Subject: FreeRADIUS RPMs
>
>
>
> I've created some hopefully useful FreeRADIUS RPMs. They still need some
> work, but should serve well for some people. I'd like to continue to make
> it more robust. If not replying to this post, please use the eth0.net
> e-mail address located in the README.rpm to contact me about
> problems/suggestions/issues/etc.
>
> Please see the README.rpm for information about what this RPM supports.
> http://volcano.boulderhill.net/freeradius-rpm/
>
> Thanks,
> -Shawn
>
> Shawn K. O'Shea
> Sr. Unix Administrator
> DSL.net, Inc.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





FreeRADIUS RPMs

2002-08-12 Thread Shawn O'Shea


I've created some hopefully useful FreeRADIUS RPMs. They still need some
work, but should serve well for some people. I'd like to continue to make
it more robust. If not replying to this post, please use the eth0.net
e-mail address located in the README.rpm to contact me about
problems/suggestions/issues/etc.

Please see the README.rpm for information about what this RPM supports.
http://volcano.boulderhill.net/freeradius-rpm/

Thanks,
-Shawn

Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: Freeradius and RPM Spec File

2002-08-01 Thread Shawn O'Shea


I'm working on a FreeRADIUS rpm that I've built from scratch. I was
waiting for 0.7 (and returning from vacation, which I have) before letting
people at it. I just tried building it, but there seems to be enough
differences that I need to sit down and see what has changed (looks mainly
like a libradius was added for my old SPEC file to work out of the box).

I'll probably have something for the general public early next week.

-Shawn

On Thu, 1 Aug 2002, Sheldon Fougere wrote:

> Hi,
>
> I'm new to radius and I've been experimenting with Freeradius.  I started at
> version 0.6.  In that version in the redhat directory there was a
> freeradius.spec file that I used to build an RPM of freeradius.  This worked
> fine.  When 0.7 came out I tried the same thing.  I did notice the spec file
> was still for version 0.6 so I changed the spec file version to 0.7 but this
> failed.  The RPM didn't build.  During the build process I noticed errors
> stating that files weren't found.
>
> Is there a freeradius.spec file available for version 0.7?
>
> Thanks,
> Sheldon
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: specify shadow passwd file

2002-07-18 Thread Shawn O'Shea


Please read the comments in radiusd.conf:
 #  'shadow' is commented out by default, because not all
 #  systems have shadow passwords.

Uncomment:
 #  shadow = /etc/shadow

-Shawn

On Thu, 18 Jul 2002, Augustine Tsai wrote:

> Hi,
>
> I have downloaded freeradius-0.6.
> I tried to run >radiusd -X -A
>
> and get the following message.
> >unix: cache=yes
> >unix: passwd = "/etc/passed"
> >unix: shadow = "(null)"
> .
> .
> HASH: Reinitializing hash structures and lists for caching...
> rlm_unix: you MUST specify a shadow password file!
> HASH: unable to create uses hash table. disable caching and run debugs
> radiusd.conf[426]: unix: Module instantiation failed.
> 
>
> Do you have to configure the Radius server before you run the daemon?
> How to specify the shadow password file.
>
> Thanks in advance.
>
> Augustine
>
>
> Augustine Tsai, Ph.D
> Multimedia Communication Research
> Room 2D-443
> Lucent Technologies
> 600-700 Mountain Ave.
> Murray Hill, NJ 07974-0636
> tel: 908-582-6519
> fax: 908-582-3306
> [EMAIL PROTECTED]
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: Solaris 8 and rlm_sql_mysql library link problem

2002-03-28 Thread Shawn O'Shea


> this time the file is present but the system doesn't see it.
> I think it may be a problem of the LD_LIBRARY_PATH that on Solaris (I read)
> is not supported and there is not an ldconfig tool.

LD_LIBRARY_PATH is indeed supported under Solaris. You can also try
compiling freeradius with -R/usr/local/lib added to your LDFLAGS so that the
binary and such get this baked into their library path.

There is an ldconfig-style library mechanism added to the newer Solaris
releases, but I haven't had time to get my friend who uses it to point me to
all the details yet.

-Shawn

>
> So have you any idea to let Solaris see that libraries?
> Thank you in advance.
> MArcello
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





RE: CHAP-Password & LDAP Auth?

2002-03-27 Thread Shawn O'Shea


The passwords you are adding with this ldapadd are stored clear text.
Whenever ldapsearch prints 2 colons, it's letting you know it's base64
encoding its output. If you base64 decode the hash that your search
output shows, you get your password:
$ echo cGFzc3dvcmQ= | base64 -d
password

-Shawn

On Wed, 27 Mar 2002, Michael S. McCollough wrote:

> I am using:
> ldapadd -h localhost -D "cn=manager,dc=uchub,dc=com" -W -f adduser.ldif -x
>
> This is what the file contains
> [root@radius migration]# cat /adduser.ldif
> dn: uid=me,ou=People,dc=uchub,dc=com
> uid: me
> cn: Test Account
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword: password
> shadowLastChange: 11764
> shadowMax: 9
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 508
> gidNumber: 509
> homeDirectory: /home/testme2
> gecos: Test Account,Test Inc.,xxx-xxx-,
>
>
> This is what is imported.
> Output of ldapsearch is:
> # me,People,dc=uchub,dc=com
> dn: uid=me,ou=People,dc=uchub,dc=com
> uid: me
> cn: Test Account
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword:: cGFzc3dvcmQ=
> shadowLastChange: 11764
> shadowMax: 9
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 508
> gidNumber: 509
> homeDirectory: /home/testme2
> gecos: Test Account,Test Inc.,xxx-xxx-,
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 176
> # numEntries: 175
> [root@radius migration]#
>
> -Original Message-
> From: pavesi [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 27, 2002 12:15 AM
> To: [EMAIL PROTECTED]
> Subject: RE: CHAP-Password & LDAP Auth?
>
>
>
> >Can some tell me how to override the storing of encrypted passwords?
>
> This is a function of how you are, or the routine that enters the user data
> into your ldap database is defined.  Define as crypt, it goes in encrypted.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.


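As an added example (not from the post, and not OpenLDAP or FreeRADIUS code), here is a small parser for the LDIF that ldapsearch prints: it unfolds wrapped lines, decodes the "::" base64 values Shawn describes, and then reports which entries carry a cleartext userPassword that rlm_chap could use and which carry an RFC 2307 {SCHEME} hash, which leaves PAP as the only option. The two entries in the sample are constructed; the first reuses the cGFzc3dvcmQ= value from the thread, the second holds a {CRYPT} value of the form a crypt-style import stores.

```python
"""Added example, not from the list post or from OpenLDAP/FreeRADIUS: read
ldapsearch's LDIF output, decode the '::' (base64) values and unfold
wrapped lines, then report which entries hold a cleartext userPassword
(usable for CHAP) and which hold an RFC 2307 {SCHEME} hash (PAP only).
Both entries below are constructed; the second carries a {CRYPT} value."""
import base64

# Constructed sample in ldapsearch's LDIF form: '::' marks a base64 value,
# a leading space continues the previous (folded) line.
SAMPLE_LDIF = """\
# me, People, uchub.com
dn: uid=me,ou=People,dc=uchub,dc=com
uid: me
objectClass: posixAccount
userPassword:: cGFzc3dvcmQ=
gecos: Test Account,Test Inc.

dn: uid=hashed,ou=People,dc=uchub,dc=com
uid: hashed
objectClass: posixAccount
userPassword:: e0NSWVBUfWFi
 Sm5nZ3hoQi95V0k=
"""


def parse_ldif(text: str) -> list:
    """Return one dict per entry: attribute name -> list of decoded values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # RFC 2849 folding: a leading space continues the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], None
    for line in lines:
        if not line.strip():  # a blank line ends an entry
            if entry:
                entries.append(entry)
            entry = None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # 'attr:: <base64>'; ldapsearch always prints userPassword this way
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:  # 'attr: <value>' or 'attr:< <url>' (left as written)
            value = rest.strip()
        entry = entry if entry is not None else {}
        entry.setdefault(name, []).append(value)
    if entry:
        entries.append(entry)
    return entries


def password_scheme(value: str) -> str:
    """'cleartext', or the scheme named by an RFC 2307 {SCHEME} prefix."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "cleartext"


def chap_capable(entries: list) -> dict:
    """uid -> True when a CHAP-Password could be verified against that entry."""
    return {e["uid"][0]: password_scheme(e["userPassword"][0]) == "cleartext"
            for e in entries if "uid" in e and "userPassword" in e}


if __name__ == "__main__":
    for uid, ok in chap_capable(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{uid}: {'CHAP and PAP' if ok else 'PAP only (hashed)'}")
```

The "::" is purely a transport encoding, so the first entry is as readable to anyone with search access on userPassword as it would be in plain text; the ACL on that attribute is what stands between a directory reader and every dial-up password once CHAP forces cleartext storage.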



RE: CHAP-Password & LDAP Auth?

2002-03-26 Thread Shawn O'Shea

On Tue, 26 Mar 2002, Michael S. McCollough wrote:

> Are you using LDAP? This did not work for me. I did get the realms working
> though.

Yes, but you _do not_ authenticate off of LDAP. You authorize off of LDAP
(where the password needs to be stored in the clear). Essentially when
LDAP is in the authorize{} section, this is the only action it takes.

Then you authenticate{} with CHAP, which takes the CHAP-Password from the
inbound packet, and constructs a CHAP-ized version of the cleartext from
LDAP to compare it with.

-Shawn

>
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication. Cannot
> use "CHAP-Password".
>   modcall[authenticate]: module "ldap" returns invalid
> modcall: group authenticate returns invalid
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: User not found):
> [[EMAIL PROTECTED]/] (from client MR-Firewall port 0)
>
>
>
> -Original Message-
> From: Shawn O'Shea [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 26, 2002 10:48 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: CHAP-Password & LDAP Auth?
>
>
>
> I got the better part of this working on Friday...here's most of the
> pertinent parts:
>
> radiusd.conf:
>
> -add a blank section for chap options (something complained when I didnt do
> this)
>
> chap {
> }
>
> -make sure that your ldap section is configured for your setup
>
> -make sure authorize{} has chap and ldap. Mine looks like: authorize {
>   preprocess
> chap
>   ldap
>   suffix
>   files
> }
>
> -make sure authenticate{} has chap. I have:
> authenticate {
>   unix
>   chap
> }
>
> I only have one type of user...I'm not sure how to setup realms properly,
> so I'm being lame and matching the realm in their username attribute and
> giving them some ascend vendor attributes:
> users:
>
> DEFAULT Suffix == "@realm.mycompany.com"
>   Service-Type = Framed-User,
>   Framed-Protocol = PPP,
>   Ascend-Data-Filter = "IP IN FORWARD TCP",
>   Ascend-Data-Filter += "IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE",
>   Ascend-Data-Filter += "IP IN DROP TCP DSTPORT = 25",
>   Ascend-Data-Filter += "IP IN FORWARD 0",
>   Ascend-Assign-IP-Pool = 0
>
> -Shawn
>
> On Mon, 25 Mar 2002, Michael S. McCollough wrote:
>
> > I am probably just dense but either the faq is incomplete or I cannot
> > translate to suit my needs. I cannot even get chap to work with
> > Auth-Type :=system  I need it to work with ldap. One key point may be
> > CHAP vs MS-CHAP. The radiusd.conf file only has ms-chap in it. I
> > remember a long time ago when chap was proposed, ms did their own
> > version. Since the MS version became the defacto standard, I am not
> > sure if ms-chap and chap are used interchangeably.
> >
> > From radiusd -X
> > rlm_ldap: Attribute "Password" is required for authentication. Cannot
> > use "CHAP-Password".
> >
> > I need CHAP to work with LDAP but would be happy to see it work with
> > system auth just to know it works.
> >
> > --
> > Michael
> >
> >
> > -Original Message-
> > From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, March 21, 2002 2:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: CHAP-Password & LDAP Auth?
> >
> >
> > On Thu, 21 Mar 2002, Mike Cathey wrote:
> >
> > > Chris,
> > >
> > >
> > > Chris Parker wrote:
> > > > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> > > >
> > > >> Chris,
> > > >>
> > > >> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC it's
> > > >> the auth code) supports 2 methods of LDAP auth.  One method
> > > >> attempts to bind to the directory as the user, which is what it
> > > >> sounds like FreeRADIUS does.  The other method is to bind to the
> > > >> directory as a privileged user (one who has access to all user
> > > >> attributes), crypt what the client handed you and compare it to
> > > >> userPassword.
> > > >
> > > >
> > > > The client hands you an already ( and non-reversible ) encrypted
> > > > string. Encrypting it a second time will yield nothing useful.
> > > >
> > > >> It may be possible to implement the second method in FreeRADIUS
> > > >> and use it for LDAP/CHAP auth.  Comments

RE: CHAP-Password & LDAP Auth?

2002-03-26 Thread Shawn O'Shea


I got the better part of this working on Friday...here's most of the
pertinent parts:

radiusd.conf:

-add a blank section for chap options (something complained when I didnt
do this)

chap {
}

-make sure that your ldap section is configured for your setup

-make sure authorize{} has chap and ldap. Mine looks like:
authorize {
preprocess
chap
ldap
suffix
files
}

-make sure authenticate{} has chap. I have:
authenticate {
unix
chap
}

I only have one type of user...I'm not sure how to setup realms properly,
so I'm being lame and matching the realm in their username attribute and
giving them some ascend vendor attributes:
users:

DEFAULT Suffix == "@realm.mycompany.com"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Ascend-Data-Filter = "IP IN FORWARD TCP",
Ascend-Data-Filter += "IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE",
Ascend-Data-Filter += "IP IN DROP TCP DSTPORT = 25",
Ascend-Data-Filter += "IP IN FORWARD 0",
Ascend-Assign-IP-Pool = 0

-Shawn

On Mon, 25 Mar 2002, Michael S. McCollough wrote:

> I am probably just dense but either the faq is incomplete or I cannot
> translate to suit my needs. I cannot even get chap to work with Auth-Type
> :=system  I need it to work with ldap. One key point may be CHAP vs
> MS-CHAP. The radiusd.conf file only has ms-chap in it. I remember a long time
> ago when chap was proposed, ms did their own version. Since the MS version
> became the defacto standard, I am not sure if ms-chap and chap are used
> interchangeably.
>
> From radiusd -X
> rlm_ldap: Attribute "Password" is required for authentication. Cannot use
> "CHAP-Password".
>
> I need CHAP to work with LDAP but would be happy to see it work with system
> auth just to know it works.
>
> --
> Michael
>
>
> -Original Message-
> From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 21, 2002 2:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: CHAP-Password & LDAP Auth?
>
>
> On Thu, 21 Mar 2002, Mike Cathey wrote:
>
> > Chris,
> >
> >
> > Chris Parker wrote:
> > > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> > >
> > >> Chris,
> > >>
> > >> The qmail-ldap () code (actually IIRC it's
> > >> the auth code) supports 2 methods of LDAP auth.  One method
> > >> attempts to bind to the directory as the user, which is what it
> > >> sounds like FreeRADIUS does.  The other method is to bind to the
> > >> directory as a privileged user (one who has access to all user
> > >> attributes), crypt what the client handed you and compare it to
> > >> userPassword.
> > >
> > >
> > > The client hands you an already ( and non-reversible ) encrypted
> > > string. Encrypting it a second time will yield nothing useful.
> > >
> > >> It may be possible to implement the second method in FreeRADIUS and
> > >> use it for LDAP/CHAP auth.  Comments?
> > >
> > >
> > > The only way to perform CHAP authentication is for the server to
> > > have access to the unencrypted password locally.
> >
> > Sorry, I wasn't suggesting you use crypt with LDAP/CHAP.  I was just
> > pointing out the method of binding as a privileged user (a user who
> > has rights to access the userPassword attribute for the RADIUS users).
> > You can then get the value of userPassword and send the 'challenge'
> > back to the proxy.  I haven't read docs on CHAP in a while, but it
> > seems like this would work ok.  Of course, this assumes you store all
> > of your users passwords in plain text.
> >
> > Cheers,
> >
> > Mike
>
> It's already supported. Please read the FAQ at
> http://www.freeradius.org/faq/#5.11
>
> and doc/rlm_ldap
>
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED]National Technical University of Athens, Greece
> Work Phone:   +30 10 7721861
> 'Go back to the shadow'   Gandalf
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





RE: CHAP-Password & LDAP Auth?

2002-03-26 Thread Shawn O'Shea


Please forgive if a repost. Not sure my comments below got passed
along...also wanted to tack on a "sample test packet":

sample test:
/usr/local/bin/radclient -x radius-server.mycompany.com auth
mysharedsecret < radtest.txt

where radtest.txt resembles:
User-Name = "someradiususer"
CHAP-Password = "cleartextofpassword"
NAS-IP-Address = somenas.mycompany.com
NAS-Port-Id = 0
NAS-Port-Type = Async
Service-Type = Framed
Framed-Protocol = PPP
State = ""
Calling-Station-Id = "8475061520"
Called-Station-Id = "8476311672"
Acct-Session-Id = "379094840"
Ascend-Data-Rate = 26400
Ascend-Xmit-Rate = 44000
Proxy-State = blah

-Shawn

On Tue, 26 Mar 2002, Shawn O'Shea wrote:

>
> I got the better part of this working on Friday...here's most of the
> pertinent parts:
>
> radiusd.conf:
>
> -add a blank section for chap options (something complained when I didnt
> do this)
>
> chap {
> }
>
> -make sure that your ldap section is configured for your setup
>
> -make sure authorize{} has chap and ldap. Mine looks like:
> authorize {
>   preprocess
> chap
>   ldap
>   suffix
>   files
> }
>
> -make sure authenticate{} has chap. I have:
> authenticate {
>   unix
>   chap
> }
>
> I only have one type of user...I'm not sure how to setup realms properly,
> so I'm being lame and matching the realm in their username attribute and
> giving them some ascend vendor attributes:
> users:
>
> DEFAULT Suffix == "@realm.mycompany.com"
>   Service-Type = Framed-User,
>   Framed-Protocol = PPP,
>   Ascend-Data-Filter = "IP IN FORWARD TCP",
>   Ascend-Data-Filter += "IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE",
>   Ascend-Data-Filter += "IP IN DROP TCP DSTPORT = 25",
>   Ascend-Data-Filter += "IP IN FORWARD 0",
>   Ascend-Assign-IP-Pool = 0
>
> -Shawn
>
> On Mon, 25 Mar 2002, Michael S. McCollough wrote:
>
> > I am probably just dense but either the faq is incomplete or I cannot
> > translate to suit my needs. I cannot even get chap to work with Auth-Type
> > :=system  I need it to work with ldap. One key point may be CHAP vs
> > MS-CHAP. The radiusd.conf file only has ms-chap in it. I remember a long time
> > ago when chap was proposed, ms did their own version. Since the MS version
> > became the defacto standard, I am not sure if ms-chap and chap are used
> > interchangeably.
> >
> > From radiusd -X
> > rlm_ldap: Attribute "Password" is required for authentication. Cannot use
> > "CHAP-Password".
> >
> > I need CHAP to work with LDAP but would be happy to see it work with system
> > auth just to know it works.
> >
> > --
> > Michael
> >
> >
> > -Original Message-
> > From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, March 21, 2002 2:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: CHAP-Password & LDAP Auth?
> >
> >
> > On Thu, 21 Mar 2002, Mike Cathey wrote:
> >
> > > Chris,
> > >
> > >
> > > Chris Parker wrote:
> > > > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> > > >
> > > >> Chris,
> > > >>
> > > >> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC it's
> > > >> the auth code) supports 2 methods of LDAP auth.  One method
> > > >> attempts to bind to the directory as the user, which is what it
> > > >> sounds like FreeRADIUS does.  The other method is to bind to the
> > > >> directory as a privileged user (one who has access to all user
> > > >> attributes), crypt what the client handed you and compare it to
> > > >> userPassword.
> > > >
> > > >
> > > > The client hands you an already ( and non-reversible ) encrypted
> > > > string. Encrypting it a second time will yield nothing useful.
> > > >
> > > >> It may be possible to implement the second method in FreeRADIUS and
> > > >> use it for LDAP/CHAP auth.  Comments?
> > > >
> > > >
> > > > The only way to perform CHAP authentication is for the server to
> > > > have access to the unencrypted password locally.
> > >
> > > Sorry, I wasn't suggesting you use crypt with LDAP/CHAP.  I was just
> > > pointing out the method of binding as a privileged user (a user who
> > > has rights to access the userPassword attribute for the RADIUS users).

Re: Matching troubles in users file...

2002-03-22 Thread Shawn O'Shea


> > If you passed  then add a bunch of attributes to make you
> > work
> > If you failed  then send back only a Reply-Message attribute
>
>   To do this generally would require a post-authenticate stage.  The
> server doesn't have this right now.
>
>   If the authentication fails, the server *does* remove almost all of
> the attributes in the reply, before sending a reject.

Ok, this seems to be what's driving me nuts. I can live without adding a
Reply-Message, but when an auth fails, it removes everything but
Proxy-State (which I want) and a couple of Ascend attributes (that I don't
want in there).

Thanks,
-Shawn

>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Matching troubles in users file...

2002-03-21 Thread Shawn O'Shea


I'm having a hard time wrapping my head around how to do the matching that
I want in the users file and was hoping for some help.

I really only have one type of user, so what I would like to say is:

If you passed  then add a bunch of attributes to make you
work

If you failed  then send back only a Reply-Message attribute

Help? =)

Thanks,
-Shawn


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: CHAP-Password & LDAP Auth?

2002-03-21 Thread Shawn O'Shea

>
>  > Wed Mar 20 15:35:57 2002 : Auth: Login incorrect:
> > [{ed: whatever username -sko}/] (from nas
> > UNKNOWN-NAS port 0 cli 8475061520)
> >
> > If I use just User-Password, this works like a dream. Any suggestions?
>
>   Don't use CHAP.

Ok, well the UUNET docs state that I can use PAP or CHAP. Here's what
their doc says about it though:

Although the Reseller may not be using CHAP, they must configure their
RADIUS server to respond to a CHAP request by requesting PAP
authentication after declining CHAP. This is done during the LCP phase of
creating a PPP session.

Is this doable in freeradius?

>   From what I recall, the LDAP module tries to authenticate to the
> LDAP server, using the username/password supplied in the packet.
> Therefore, it needs access to the plain-text password, as it's telling
> you.

Running freeradius in debug mode, this is indeed what the LDAP module is
doing. After reading through the section of the FAQ you pointed out, and
the "Interoperation with PAP and CHAP" section of RFC2138 I'm starting to
understand what the deal is.

Thanks,
-Shawn

>
>   The alternative is to use a DB which stores the password in clear text.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





CHAP-Password & LDAP Auth?

2002-03-20 Thread Shawn O'Shea


I'm currently using Steel Belted Radius w/ UU.net and trying to replicate
the functionality of our Steel Belted server w/ freeradius. Basically we
take incoming proxied auth requests from UU, auth them, and reply back to
the proxy.

I grabbed some of the inbound packets off the wire so I could look at what
attributes we're receiving, so that I could build similar looking access
requests with radclient.

My problem is that the packets from them send the password as
CHAP-Password attribute. If I set this in my test data for radclient, my
freeradius 0.5 server says:
Wed Mar 20 15:35:57 2002 : Auth: rlm_ldap: Attribute "User-Password" is
required for authentication. Cannot use "CHAP-Password".
Wed Mar 20 15:35:57 2002 : Auth: Login incorrect:
[{ed: whatever username -sko}/] (from nas
UNKNOWN-NAS port 0 cli 8475061520)

If I use just User-Password, this works like a dream. Any suggestions?

-Shawn


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.

