Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-22 Thread Christophe Saillard

>> Here's what I've to put in the users file to make it work:
>> DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
>>    User-Name = `%{User-Name}`,
>>    Fall-Through = no
>> But now PEAP/MSCHAPv2 doesn't work...
>
>   If you had read the debug log, you would see WHY it doesn't work.
>   Repeat it like a mantra: If you're not sure, DO NOT SET AUTH-TYPE.

When I do not set Auth-Type, TTLS/PAP works with users stored in the users
file, PEAP/MS-CHAPv2 works with users from LDAP storage, but TTLS/PAP from
LDAP doesn't work.

>   The server will figure it out on its own.
>   Alan DeKok.


--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-22 Thread Alan DeKok
Christophe Saillard [EMAIL PROTECTED] wrote:
> When I do not set Auth-Type TTLS/PAP works with users stored in the
> users files, PEAP/Ms-chap-v2 works with users from LDAP storage,
> but TTLS/PAP from LDAP doesn't work

  And the debug log would tell you why.  The FAQ also mentions
something about statements like "it doesn't work".

  Without looking at your configuration, I can tell that you've
probably stored the passwords as NT-Passwords, so MS-CHAP works, but
PAP doesn't.  This isn't an issue for TTLS or PEAP, as it's
completely independent of them.

  The rlm_pap module could be updated to compare PAP passwords from
the packet with NT-Passwords retrieved from somewhere else.  This
could probably go into 1.0.0, as there are a few other issues with
building on certain platforms.

  Alan DeKok.



Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-21 Thread Rok Papez
Hello Christophe.
Christophe Saillard writes:
>>   And you set Auth-Type = EAP.  DON'T DO THAT.

I do that ;). I prefer to manually set EAP when a user tries to identify as
[EMAIL PROTECTED]. Users are *NOT* allowed to use any other authentication
method :).

> For the moment I've a running freeradius EAP-TTLS/PAP configuration
> which works fine.
>
> Now I'd like to get credentials from an existing LDAP user storage
> instead of the Freeradius users file (I store MD5 hashed password to
> have PAP compatibility).

1. It would be nice to see relevant parts of the config file
2. The `radiusd -Xxxx 2>&1 | tee logfile` output

> But there's some particular things I need to know :
> - how do I have to store password in the LDAP database (because I'd like
> to use TTLS/PAP) : crypt/MD5 hashed, clear text ?

That's an LDAP thingy.. Here is an example of an LDAP diff entry for userPassword:
userPassword: {crypt}$1$dK1Zl.Qp$khF3af1c7Te0cSf2w/tZO0
All you need is a type prefix in {...} and then a password hash. This is a Perl
code snippet that creates these hashes (the eight salt characters are drawn from
the crypt() alphabet "./0-9A-Za-z"):
my @itoa64 = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
my $salt = join('', @itoa64[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64]);
my $pass = '{crypt}' . crypt($plaintext_password, '$1$' . $salt . '$');
The hash is the same kind as used in a /etc/shadow file. Check the crypt() man page
for details.
=
And this is in my radiusd.conf file:
modules {
   pap {
   encryption_scheme = clear
   }
# this is for the files, passwords are plaintext there :)
   ldap {
   server = localhost
   basedn = ou=users,dc=org,dc=tld
   filter = (attribWithUserName=%{User-Name})
   start_tls = no
   }
...
authenticate {
   Auth-Type EAP {
   eap
   }
   Auth-Type PAP {
   pap
   }
   Auth-Type LDAP {
   ldap
   }
}

> - what do I have to put in the users file ? (I know that auth-type :=
> EAP is wrong) ?

Contrary to Alan's advice O;-), I have this:

# User anonymous and [EMAIL PROTECTED] should be allowed #
# activate eap for them                                  #
DEFAULT User-Name =~ ^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[EMAIL PROTECTED], Auth-Type := EAP

# Users with a NULL realm should be rejected   #
DEFAULT Realm == NULL, Auth-Type := Reject
   Fall-Through = No

# 1. Accounting fix for AP                     #
# 2. a static username files_test for testing  #
# 3. LDAP authentication for local users       #
DEFAULT Realm == org.tld, Freeradius-Proxied-To == 127.0.0.1
   User-Name = `%{User-Name}`,
   Fall-Through = yes
files_test  Realm == org.tld, User-Password == secret
DEFAULT Realm == org.tld, Auth-Type := LDAP, Ldap-UserDN := `attribWithUserName=%{User-Name},ou=users,dc=org,dc=tld`, Freeradius-Proxied-To == 127.0.0.1

Do notice that I use the user's username/password to bind to LDAP. This is done with the
Ldap-UserDN item.

> - if it's not possible to have TTLS/PAP authentication what can I do
> else (PEAP/Mschapv2 ...) ?

TTLS/PAP is working :). For MS-CHAP you won't be able to use SecureW2 and
you'll need to have plaintext passwords in LDAP.

> I hope my questions are not too stupid.

Radius configuration is not simple. The documentation is still lacking and
you simply have to learn as you go ;). So don't feel like you are asking
stupid questions.
--
Best regards,
Rok Papez.


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-21 Thread Christophe Saillard
Hi,
Now I've a working TTLS/PAP with LDAP storage configuration ;-)
Here's what I've to put in the users file to make it work:
DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
   User-Name = `%{User-Name}`,
   Fall-Through = no
But now PEAP/MSCHAPv2 doesn't work...I've tried a lot of combinations
(Auth-Type := MSCHAP Fall-Through = yes ...)
but none seem to work...if someone has a clue ;-)

Thanks for all !
Bye.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-21 Thread Michael Griego
Try something like this for your check line:

DEFAULT Freeradius-Proxied-To == 127.0.0.1, EAP-Message !* "",
Auth-Type := PAP

--Mike


On Mon, 2004-06-21 at 06:59, Christophe Saillard wrote:
> Hi,
>
> Now I've a working TTLS/PAP with LDAP storage configuration ;-)
>
> Here's what I've to put in the users file to make it work :
>
> DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
>    User-Name = `%{User-Name}`,
>    Fall-Through = no
>
> But now PEAP/MSCHAPv2 doesn't work...I've try a lot of combination
> (Auth-Type := MSCHAP Fall-Through = yes ...)
> but none seem to work...if someone has a clue ;-)
>
> Thanks for all !
>
> Bye.


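The difference between Christophe's check line and the one Mike suggests is easiest to see by running both through a small model of the users-file matching rules. The following is an added example, not code from the thread or from FreeRADIUS; it re-implements only what the discussion needs (DEFAULT entries, the operators ==, =~, !* and :=, reply items and Fall-Through) and assumes the value after `!*` is an empty string `""`. The two inner-tunnel requests are constructed: both carry Freeradius-Proxied-To = 127.0.0.1, but only the PEAP one still carries an EAP-Message, so Christophe's entry forces Auth-Type := PAP on the inner EAP-MSCHAPv2 request while Mike's entry leaves it alone.

```python
"""Simplified model of users-file matching (added example, not FreeRADIUS code)."""
import re

# attribute, operator, value ("..." / `...` / bare token); items are comma separated
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|=~|!\*|=)\s*("[^"]*"|`[^`]*`|[^,\s]+)')


def parse_items(text):
    return [(attr, op, val.strip('"`')) for attr, op, val in ITEM_RE.findall(text)]


def parse_users(text):
    """Return [(name, check_items, reply_items)]; indented lines hold reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            entries[-1][2].extend(parse_items(raw))
        else:
            name, _, checks = raw.partition(" ")
            entries.append((name, parse_items(checks), []))
    return entries


def matches(checks, request):
    for attr, op, value in checks:
        if op == ":=":                 # config override, applied on match, never compared
            continue
        if op == "!*":                 # attribute must be absent from the request
            if attr in request:
                return False
            continue
        if attr not in request:
            return False
        if op == "==" and request[attr] != value:
            return False
        if op == "=~" and not re.search(value, request[attr]):
            return False
    return True


def authorize(entries, request):
    """Walk the entries in order, as the files module does; return (config, reply)."""
    config, reply = {}, {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if not matches(checks, request):
            continue
        for attr, op, value in checks:
            if op == ":=":
                config[attr] = value
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:                      # expand %{Attr} from the request
                reply[attr] = re.sub(r"%\{([\w-]+)\}",
                                     lambda m: request.get(m.group(1), ""), value)
        if not fall_through:
            break
    return config, reply


# Christophe's entry from the thread, and Mike's suggested variant ("" assumed).
CHRISTOPHE_USERS = parse_users('''\
DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
        User-Name = `%{User-Name}`,
        Fall-Through = no
''')
MIKE_USERS = parse_users('''\
DEFAULT Freeradius-Proxied-To == 127.0.0.1, EAP-Message !* "", Auth-Type := PAP
        User-Name = `%{User-Name}`,
        Fall-Through = no
''')

# Constructed inner-tunnel requests after TTLS or PEAP decapsulation. The
# EAP-Message bytes and the password are made-up sample values.
INNER_TTLS_PAP = {"User-Name": "csaillard", "User-Password": "constructed-pw",
                  "Freeradius-Proxied-To": "127.0.0.1"}
INNER_PEAP = {"User-Name": "csaillard", "EAP-Message": "0x021a00061a01",
              "Freeradius-Proxied-To": "127.0.0.1"}

if __name__ == "__main__":
    for label, users in (("Christophe", CHRISTOPHE_USERS), ("Mike", MIKE_USERS)):
        for req_label, req in (("TTLS/PAP", INNER_TTLS_PAP), ("PEAP", INNER_PEAP)):
            config, _ = authorize(users, req)
            chosen = config.get("Auth-Type", "(left for the server to decide)")
            print(f"{label:10} {req_label:9} -> Auth-Type {chosen}")
```

Run as a script it prints one line per combination: Christophe's entry sets Auth-Type PAP for both inner requests, which is why the inner PEAP/MS-CHAPv2 request never reaches the eap module; Mike's entry sets PAP only for the TTLS/PAP request and leaves the PEAP one untouched, which is the "let the server figure it out" behaviour Alan keeps recommending.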


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-21 Thread Alan DeKok
Rok Papez [EMAIL PROTECTED] wrote:
>>   And you set Auth-Type = EAP.  DON'T DO THAT.
>
> I do that ;). I prefer to manually set EAP when a user tries to identify as
> [EMAIL PROTECTED]. Users are *NOT* allowed to use any other authentication
> method :).

  That's about the only time you should set it.

  Alan DeKok.



Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-21 Thread Alan DeKok
Christophe Saillard [EMAIL PROTECTED] wrote:
> Now I've a working TTLS/PAP with LDAP storage configuration ;-)
>
> Here's what I've to put in the users file to make it work :
>
> DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
>    User-Name = `%{User-Name}`,
>    Fall-Through = no
>
> But now PEAP/MSCHAPv2 doesn't work...

  If you had read the debug log, you would see WHY it doesn't work.

  Repeat it like a mantra: If you're not sure, DO NOT SET AUTH-TYPE.

  The server will figure it out on its own.

  Alan DeKok.



Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Rok Papez
Hi Christophe.
Christophe Saillard writes:
> For the moment I use Freeradius with EAP-TTLS and it works fine...now
> I'd like to get users credentials from an existing LDAP database.
>
> The LDAP server sends me a valid MD5 hashed password but I think
> something failed in my users file configuration.

You should run the server in debug mode and check the output. I use this
command:
radiusd -Xxxx 2>&1 | tee logfile

> Does someone have such a working configuration ? If so, can you send a
> copy ?
modules {
   ldap {
   server = localhost
   basedn = ou=employees,dc=org,dc=tld
   filter = (PrincipalName=%{User-Name})
   start_tls = no
   }
[...]
authorize {
   preprocess
   auth_log
   attr_rewrite
   suffix
   group {
   # the files also activates EAP for user anonymous
   files {
   notfound = 1
   ok = return
   }
   ldap
   }
}
authenticate {
   Auth-Type EAP {
   eap
   }
   Auth-Type PAP {
   pap
   }
   Auth-Type LDAP {
   ldap
   }
}

In the users file I have:

# User anonymous and [EMAIL PROTECTED] should be allowed #
# activate eap for them#

anonymous   Auth-Type := EAP

# Accounting fix for AP#
# LDAP authentication for local users  #

DEFAULT Realm == org.tld, Freeradius-Proxied-To == 127.0.0.1
   User-Name = `%{User-Name}`,
   Fall-Through = yes
DEFAULT Realm == org.tld, Auth-Type := LDAP, Ldap-UserDN := `PrincipalName=%{User-Name},ou=employees,dc=org,dc=tld`, Freeradius-Proxied-To == 127.0.0.1

--
Best regards,
Rok Papez.


Re: Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Christophe Saillard
Thanks for your help.
I think I'm not far from the end but I still have problems.
Here's the debug logs :
[...]
Fri Jun 18 14:11:17 2004 : Debug: rlm_ldap: performing search in dc=u-strasbg,dc=fr, with filter (uid=csaillard)
request 6 done
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: Added password $1$QEnpt.4f$nixixczJ/xu0CnyuvaTLV/ in check items
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for check items in directory...
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for reply items in directory...
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: user csaillard authorized to use remote access
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jun 18 14:11:31 2004 : Debug:   modsingle[authorize]: returned from ldap (rlm_ldap) for request 4
Fri Jun 18 14:11:31 2004 : Debug:   modcall[authorize]: module ldap returns ok for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall: group authorize returns updated for request 4
Fri Jun 18 14:11:31 2004 : Debug:   rad_check_password:  Found Auth-Type EAP
Fri Jun 18 14:11:31 2004 : Debug: auth: type EAP
Fri Jun 18 14:11:31 2004 : Debug:   Processing the authenticate section of radiusd.conf
Fri Jun 18 14:11:31 2004 : Debug: modcall: entering group Auth-Type for request 4
Fri Jun 18 14:11:31 2004 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for request 4
Fri Jun 18 14:11:31 2004 : Debug:   rlm_eap: Request not found in the list
Fri Jun 18 14:11:31 2004 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Fri Jun 18 14:11:31 2004 : Debug:   rlm_eap: Failed in handler
Fri Jun 18 14:11:31 2004 : Debug:   modsingle[authenticate]: returned from eap (rlm_eap) for request 4
Fri Jun 18 14:11:31 2004 : Debug:   modcall[authenticate]: module eap returns invalid for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall: group Auth-Type returns invalid for request 4
Fri Jun 18 14:11:31 2004 : Debug: auth: Failed to validate the user.
[...]

I use TTLS/PAP for authentication, so you can see that the LDAP server
sends an MD5 hashed password...but I'm not sure that's what I need.
Could you tell me what kind of EAP method you use, with what type of
password hash?

Thanks for help !
Bye.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Alan DeKok
Christophe Saillard [EMAIL PROTECTED] wrote:
> For the moment I use Freeradius with EAP-TTLS and it works fine...now
> I'd like to get users credentials from an existing LDAP database.
>
> The LDAP server sends me a valid MD5 hashed password but I think
> something failed in my users file configuration.

  Did you try running it in debugging mode, as suggested in the FAQ,
README, INSTALL, and daily on this list?

> Does someone have such a working configuration ? If so, can you send a
> copy ?

  Since no one knows what you're really trying to do, I doubt anyone
will send you a configuration.

  Follow the documented instructions for running the server and asking
questions on this list.

  Alan DeKok.



Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Alan DeKok
Christophe Saillard [EMAIL PROTECTED] wrote:
> Fri Jun 18 14:11:31 2004 : Debug:   rad_check_password:  Found Auth-Type EAP
...
> Fri Jun 18 14:11:31 2004 : Debug:   rlm_eap: Request not found in the list
> Fri Jun 18 14:11:31 2004 : Error: rlm_eap: Either EAP-request timed out
> OR EAP-response to an unknown EAP-request
...
> I use TTLS/PAP for authentication,

  And you set Auth-Type = EAP.  DON'T DO THAT.

  The eap.conf file has BIG HUGE COMMENTS saying DON'T DO THAT.  It
really means DON'T DO THAT.

  You're doing the exact opposite of what the documentation says, and
as a result, it's not working.  You might try following the
recommendations of the server, which WILL allow it to work.

  Alan DeKok.



Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Alan DeKok
Christophe Saillard [EMAIL PROTECTED] wrote:
> Now I'd like to get credentials from an existing LDAP user storage instead
> of the Freeradius users file

  That shouldn't be a problem.

> (I store MD5 hashed password to have PAP compatibility).

  That will make CHAP & MS-CHAP not work.

> The Ldap bind is ok and I got correct uid and password when I launch
> a 802.1X request from a laptop client.

  I'm not sure what you mean by that.

> But there's some particular things I need to know :
> - how do I have to store password in the LDAP database (because I'd like
> to use TTLS/PAP) : crypt/MD5 hashed, clear text ?

  MD5 is fine if you're only doing PAP authentication.

> - what do I have to put in the users file ? (I know that auth-type :=
>  EAP is wrong) ?

  Don't put anything in the users file.

> - if it's not possible to have TTLS/PAP authentication what can I do else
>  (PEAP/Mschapv2 ...) ?

  TTLS/PAP is possible.

  Alan DeKok.

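Rok's message shows the `{crypt}$1$salt$hash` form of userPassword and a Perl one-liner that produces it, and Alan's reply above explains the consequence: an MD5-crypt hash is fine when the server receives the cleartext (PAP inside TTLS), but CHAP and MS-CHAP cannot be verified against it because the server only ever sees a challenge response. The following is an added example, not code from the thread or from FreeRADIUS: a pure-Python MD5-crypt (the classic FreeBSD/glibc `$1$` algorithm, written out so it does not depend on the deprecated `crypt` module) that builds the LDAP attribute value the way Rok's snippet does and verifies a PAP cleartext against it the way the PAP check amounts to. The passwords used below are constructed sample values.

```python
"""MD5-crypt ($1$) for LDAP userPassword (added example, not FreeRADIUS code)."""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """crypt(3)'s 6-bit encoding, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<hash>' exactly as crypt(3) does for a '$1$' salt."""
    pw = password.encode()
    salt_b = salt.encode()[:8]                 # crypt(3) uses at most 8 salt chars
    ctx = hashlib.md5(pw + MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:                       # mix in the alternate sum, 16 bytes at a time
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                                   # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # fixed 1000-round stretching
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    f = final
    out = _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
    out += _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
    out += _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
    out += _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
    out += _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
    out += _to64(f[11], 2)
    return "$1$" + salt_b.decode() + "$" + out


def make_user_password(password: str) -> str:
    """LDAP userPassword value with the {crypt} scheme prefix, as in Rok's snippet."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return "{crypt}" + md5_crypt(password, salt)


def verify_pap(password: str, stored: str) -> bool:
    """The PAP check: re-hash the cleartext from the request with the stored salt.
    A CHAP or MS-CHAP response cannot be checked this way, since the server
    never receives the cleartext in those methods."""
    if not stored.startswith("{crypt}$1$"):
        return False
    crypted = stored[len("{crypt}"):]
    salt = crypted.split("$")[2]
    return secrets.compare_digest(md5_crypt(password, salt), crypted)


if __name__ == "__main__":
    stored = make_user_password("constructed-sample-password")
    print("userPassword:", stored)
    print("PAP with right password:", verify_pap("constructed-sample-password", stored))
    print("PAP with wrong password:", verify_pap("not-the-password", stored))
```

The attribute value printed by the script can be loaded with the same `userPassword: {crypt}...` line Rok shows; the `{crypt}` prefix is what tells the directory (and the RADIUS server reading it back) which comparison to apply.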