Re: migrate PAP to CHAP for LDAP
On Wed, Dec 17, 2003 at 06:21:12PM +0800, Rohaizam Abu Bakar wrote:
>
> # debug MODE
> [deleted]
> auth: type "LDAP"

Why are you setting your auth type to LDAP when you want CHAP authentication?

> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use
> "CHAP-Password".

The above line tells you all: ldap is not supposed to do the auth. Let it extract the password and let the mschap module set the Auth-Type to MSCHAP.

--
Andrej Brkic
Fakultet Prometnih Znanosti, Zagreb, Croatia
E-mail: [EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can MS-CHAP and LDAP work?
On Tue, Dec 02, 2003 at 01:22:21AM +, jiang chong wrote:
> Dear Andrej Brkic
> Thank you for your help again. You are an enthusiastic man. I think that
> openldap and PAP work well now. My NAS is a cisco pix525 that provides VPN
> tunnels for people who may be at home or on a tour. Cisco pix525 can provide
> several kinds of authentication: PAP, CHAP, MS-CHAP-V1. But most of the clients are
> windows 2K, and the default VPN authentication request of win2k is
> MS-CHAP. So I just want to use MS-CHAP with LDAP. I think that I misconfigured
> some relative files, maybe radiusd.conf, or users. In the users file, I do nothing
> except commenting out the line "DEFAULT Auth-Type = System
> Fall-Through = 1". In the radiusd.conf file, I configure some parameters of the
> "ldap" module in the modules section. And I think LDAP works. All passwords are
> cleartext in my ldap server. I read some documents of freeradius, but I can't
> find any hint. Can you give me any hint? Thank you very much.
>

MS-CHAP is not the default, it is REQUIRED if you want MPPE VPN connections from your Win2k/XP clients.

How to do it with LDAP? The trick here is to extract the password from LDAP, let the mschap module set the Auth-Type and do its job in the authenticate part.

In your case radiusd -X is your best friend, the debug output will tell you what is happening.

--
Andrej Brkic
Fakultet Prometnih Znanosti, Zagreb, Croatia
E-mail: [EMAIL PROTECTED]
Re: Can MS-CHAP and LDAP work?
On Mon, Dec 01, 2003 at 11:05:59AM +, jiang chong wrote:
> anybody can tell me?
> thanks in advance.
>

Yes it can.

--
Andrej Brkic
Fakultet Prometnih Znanosti, Zagreb, Croatia
E-mail: [EMAIL PROTECTED]
Re: why does not work LDAP with MS-CHAP in freeradius?
On Thu, Nov 27, 2003 at 10:14:41AM +, jiang chong wrote:
> Andrej Brkic,
> thanks for your response. I have a question yet. I use cleartext passwords
> in my LDAP Server. But it doesn't work. When I run "radtest test test
> localhost:1645 0 testing123", it says ok. The 'test,test' is my LDAP entry, so
> I think my LDAP Server is ok. But when I connect my cisco NAS, it said the
> list below:
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: No LM-Password or NT-Password attribute found. Cannot
> perform MS-CHAP authentication.
> modcall[authenticate]: module "mschap" returns fail for request 0.
> thank you for your help.
>

In that case you are not extracting the right ldap attribute that contains the password or your authorize block is misconfigured. Check the rlm_ldap docs on how to extract the password and pass it on to the mschap module for authentication.

--
Andrej Brkic
Fakultet Prometnih Znanosti, Zagreb, Croatia
E-mail: [EMAIL PROTECTED]
Re: why does not work LDAP with MS-CHAP in freeradius?
On Thu, Nov 27, 2003 at 08:53:51AM +, jiang chong wrote:
> why why why? My NAS is cisco PIX525, but cisco NAS only uses the MS-CHAP
> authentication method.
> i want to go to die.
>

MS-CHAP in fact does work with LDAP, the only issue is that you need either cleartext or md4 passwords in your LDAP directory. Now you can do this two ways: either put all the passwords in cleartext or add an additional attribute to your ldap schema containing md4 passwords. Anyway, not a reason to die.

--
Andrej Brkic
Fakultet Prometnih Znanosti, Zagreb, Croatia
E-mail: [EMAIL PROTECTED]
Re: MS-CHAPv2 + LDAP
On Wed, Nov 26, 2003 at 12:12:54PM +0100, Giosuè Pacifico wrote:
> Hi,
> you could include the samba schema in the ldap server using
> the ntPassword attribute for password.
> Use "smbencrypt [string]" to generate a NT Hash for testing.
> On samba site you should find more about automating this step in ldap-pdc
> docs.
> Better than nothing..
> Bye
> Giosuè
>

Thanks, I will try that, but that kind of defeats my original setup which was to use existing usernames and passwords. Generating new NT passwords for thousands of people is a bit too much. Thanks for the response.

--
Andrej Brkic
Fakultet Prometnih Znanosti, Zagreb, Croatia
E-mail: [EMAIL PROTECTED]
MS-CHAPv2 + LDAP
Greetings to all the list readers,

Running freeradius 0.9.3 and trying to make MS-CHAP work with LDAP, the setup is the following: I have clients connecting to a pptp server with MPPE. MS-CHAPv2 is required for MPPE to work. Now since I have a LDAP database with all the users which is also used for other purposes I thought it would be very nice to use it for VPN access also.

Now here is the problem: the userPassword in the LDAP database is SHA1 encrypted and MS-CHAP needs cleartext passwords, and of course this is not working. Is there any way of making this work without having cleartext passwords in LDAP?

Thanks in advance.

--
Andrej Brkic
Fakultet Prometnih Znanosti, Zagreb, Croatia
E-mail: [EMAIL PROTECTED]
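The constraint behind both the "cleartext or md4 passwords" answer and the original SHA1 question above is that rlm_mschap needs the NT hash, which is MD4 over the UTF-16LE password. The hash can be computed from a cleartext userPassword or read from a stored NT-hash attribute (the Samba schema route Giosuè mentioned), but it cannot be derived from a {SHA} digest, so a directory holding only SHA1 passwords leaves nothing for the mschap module to work with. The Python below is an added example, not code from the list posts or from FreeRADIUS: it implements MD4 in pure Python (so it does not depend on OpenSSL's often-disabled legacy MD4), derives the NT hash, and classifies constructed sample entries by whether mschap could use them. The attribute names ntPassword (from the thread) and sambaNTPassword (Samba 3 schema), the {CLEARTEXT} scheme handling, and the sample entries are assumptions made for illustration.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def _md4_block(state, block):
    """Process one 64-byte block: three rounds of 16 steps (RFC 1320)."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    # Round 1: F(x,y,z) = (x & y) | (~x & z), message words in order 0..15
    for i in range(16):
        f = (b & c) | (~b & d & MASK)
        a = _rotl((a + f + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 2: G = majority(x,y,z), words 0,4,8,12,1,5,9,13,..., constant sqrt(2)
    for i in range(16):
        g = (b & c) | (b & d) | (c & d)
        k = (i % 4) * 4 + i // 4
        a = _rotl((a + g + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 3: H = x ^ y ^ z, words 0,8,4,12,2,10,6,14,..., constant sqrt(3)
    for i in range(16):
        h = b ^ c ^ d
        k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
        a = _rotl((a + h + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 digest (RFC 1320): pad, then chain the blocks."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)  # length in bits, little-endian
    for off in range(0, len(data), 64):
        state = _md4_block(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as mschap needs it: MD4 over the UTF-16LE password, hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def mschap_usable(entry: dict):
    """Return the NT hash mschap could use for an LDAP entry, or None.

    entry is an attribute -> value dict (constructed here; e.g. from ldapsearch).
    A stored NT-hash attribute wins; otherwise only a cleartext userPassword
    can be turned into one. Any {SCHEME} digest such as {SHA} is one-way.
    """
    # Attribute names assumed: ntPassword (Samba 2) / sambaNTPassword (Samba 3)
    nt = entry.get("sambaNTPassword") or entry.get("ntPassword")
    if nt:
        return nt.upper()
    pw = entry.get("userPassword")
    if pw is None:
        return None
    if pw.startswith("{CLEARTEXT}"):  # assumed explicit cleartext scheme
        pw = pw.split("}", 1)[1]
    elif pw.startswith("{"):  # {SHA}, {SSHA}, {MD5}, {CRYPT}, ...: cannot derive NT hash
        return None
    return nt_hash(pw)  # no prefix: cleartext, as in the Dec 2 mail


# Constructed sample entries: the three situations discussed in the thread
SAMPLES = {
    "cleartext": {"userPassword": "password"},
    "sha1_only": {"userPassword": "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="},
    "samba_attr": {"userPassword": "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
                   "sambaNTPassword": "8846f7eaee8fb117ad06bdd830b7586c"},
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(f"{name:11s} -> {mschap_usable(entry) or 'unusable for MS-CHAP'}")
```

Only the `samba_attr` case keeps the SHA1 userPassword and still works, which is exactly the extra-attribute option from the thread; the cost is that the NT hash must be produced at password-change time, since nothing can derive it later from the {SHA} value.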