Re: PAP CHAP

2003-01-10 Thread Shawn O'Shea

I've been using this in my authenticate block for awhile and it seems to
work fine with UUNet for the dialup we resell from them:

authtype UUNET {
chap
pap
}

and just match it with Auth-Type := UUNET for an entry in the users file.

-Shawn


On Fri, 10 Jan 2003, Chris Knipe wrote:

 Hi,

 I tried this, and it still did not work :(  Maybe I am missing something...
 Below are the relevant snippets from my configuration...

 modules {
   pap {
 encryption_scheme = clear
   }

   chap {
 authtype = CHAP
   }
 }

 authorize {
   preprocess
   attr_filter
   suffix
   files
   chap
   sql
 }

 # Authentication.
 authenticate {
   authtype PAP {
 pap
   }

   authtype CHAP {
 chap
   }
 }

 --
 me


 - Original Message -
 From: 3APA3A [EMAIL PROTECTED]
 To: Chris Knipe [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Thursday, January 09, 2003 10:55 AM
 Subject: Re: PAP & CHAP


  Dear Chris Knipe,
 
  Set Auth-Type to PAP, add chap module to authorize section and make sure
  you have
 
  chap {
  authtype = CHAP
  }
 
  in  module  configuration.  In  this case default authentication will be
  PAP,  but  if CHAP-Password attribute will be found in request Auth-Type
  will be changed to CHAP during authorization. This behavior is explained
  in  doc/rlm_mschap  for  MS-CHAP authentication which is very similar to
  CHAP.
 
  --Thursday, January 9, 2003, 6:47:32 AM, you wrote to
 [EMAIL PROTECTED]:
 
  CK Lo everyone,
 
  CK I think I have a little bit of a problem (or maybe not)...
 
  CK I want to use PAP and CHAP authentication... Basically, a user should
 be
  CK able to authenticate using PAP or CHAP... I've created a group
 attribute
  CK request (Auth-Type := PAP as well as Auth-Type := CHAP).  However,
  CK Freeradius only takes the first one it gets from the database (PAP),
 and
  CK disregards the CHAP.
 
  CK I know this is stupid, but I am presuming that Auth-Type is sent from
 the
  CK NAS to the Radius server in any case?  How can do I get freeradius to
 accept
  CK both password types?  My PAP is stored cleartext to make it compatible
 with
  CK CHAP, and when I manually remove PAP for CHAP I can authenticate using
 both
  CK types... Right now though, I don't really see a way how I can use both
 at
  CK the same time on the same accounts?
 
  CK --
  CK me
 
 
 
 
  --
  ~/ZARAZA
  Firing a second time, he maimed a bystander. The bystander was me. (Twain)
 
 





Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Freeradius/*SQL question

2002-10-02 Thread Shawn O'Shea


 First off, is it necessary to fill the dictionary table as well, or can
 the text version be used directly for that? More to the point, how do I
 tell radiusd to ONLY look in its sql table for authentication?

This is controlled like any other authentication module, via the
authenticate {} block in your radiusd.conf. If all you want is sql, then
only put the sql module in there.

 Second, is there any way to use crypted passwords in the SQL database?
 I'm keeping a fairly tight lid on security in most matters but plaintext
 passwords always make me nervous.

Use PAP exclusively for dialup.  If you want to support CHAP for dialup,
passwords _must_ be cleartext. See the FAQ and list archives for more
details.

-Shawn


 Thanks for the software,
 -Shad
 --
 Rens Houben   |opinions are mine
 Resident linux guru and sysadmin  | if my employers have one
 Systemec Internet Services.   |they'll tell you themselves
 PGP public key at http://suzaku.systemec.nl/shadur.key.asc




Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: CHAP and Crypt

2002-09-23 Thread Shawn O'Shea


 I want to use crypted passwords in LDAP and CHAP authentication. It works
 without CHAP.
 CHAP seems like only working with clear passwords. Can anybody help me with
 this?

Read the FAQ:
http://www.freeradius.org/faq/#4.4  (PAP authentication works but CHAP
fails)
and
http://www.freeradius.org/faq/#5.11 (How do I make CHAP work with LDAP?)

-Shawn

Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: CHAP/PAP Authentication

2002-09-17 Thread Shawn O'Shea


Auth-Type can be an arbitrary value. I use something like this to make
chap or pap available to the same set of users:

in users:
DEFAULT Auth-Type := CHAPPAP
   values to assign

in authenticate block radiusd.conf:
authtype CHAPPAP {
chap
pap
}

-Shawn


On Tue, 17 Sep 2002, ho k wrote:

 Hi
 How can the user profile be set such that the PAP or
 CHAP call may be verified.
 If I used:


 DEFAULT  Auth-Type := PAP
 Fall-Through = 1

 the debug output is:

 modcall: group authorize returns ok
 rad_check_password:  Found Auth-Type PAP
 auth: type PAP
 modcall: entering group authtype
 rlm_pap: Attribute Password is required for
 authentication. Cannot use CHAP-Password.
 modcall[authenticate]: module pap returns invalid
 modcall: group authtype returns invalid
 auth: Failed to validate the user.

 for CHAP user.

 Regards
 K






Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: libtool libs conflicts.

2002-09-09 Thread Shawn O'Shea


You can use your systems libtool instead of the one that ships with the
FreeRADIUS source. Add --with-system-libtool to your configure.

I seemed to need that on Mandrake when I built it with my RPM
(http://volcano.boulderhill.net/freeradius-rpm/)

-Shawn

On Mon, 9 Sep 2002, Yang-Hwee TAN wrote:


 Hi,

 I've just managed to build the freeradius rpm from an old v0.6 redhat spec file,
 and now I've got a problem with the libtool libs conflicting with the ones built into
 FreeRadius' rpm.

 Here are the options I used to build the rpm for freeradius:

 %configure --prefix=%{_prefix} \
 --localstatedir=%{_localstatedir} \
 --sysconfdir=%{_sysconfdir} \
 --mandir=%{_mandir} \
 --with-threads \
 --with-thread-pool \
 --with-gnu-ld \
 --with-rlm-krb5-include-dir=/usr/include/krb5 \
 --with-rlm-krb5-lib-dir=/usr/lib

 I did try to use the switch --disable-ltdl-install, but the compilation complains
 and it seems like it's not a valid option for compiling. Any help on this would be
 great!

 Does anyone know if I can rebuild the binary without the conflict with my system's
 libtool libs (see the rpm conflict below)? Or is this a normal thing,
 meaning that I can go ahead and replace the libraries for my libtool in order to
 use FreeRadius?


  [root@lnx00 root]# rpm --test -Uvh 
/usr/src/RPM/RPMS/i586/freeradius-0.7-1mdk.i586.rpm
  Preparing...### [100%]
  file /usr/lib/libltdl.so.3.1.0 from install of freeradius-0.7-1mdk conflicts with 
file from package libltdl3-1.4.2-3mdk
  file /usr/lib/libltdl.a from install of freeradius-0.7-1mdk conflicts with file 
from package libltdl3-devel-1.4.2-3mdk
  file /usr/lib/libltdl.la from install of freeradius-0.7-1mdk conflicts with file 
from package libltdl3-devel-1.4.2-3mdk


 --
 Cheers!
  Yanghwee TAN [EMAIL PROTECTED]
  http://krypton.bii.a-star.edu.sg/~tanyh/




Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: Question about rejecting users

2002-08-21 Thread Shawn O'Shea

On Wed, 21 Aug 2002, Mark Hennessy wrote:

 Is there a way to reject any users not explicitly listed in the flat users
 file or the sql database?  My defaults are able to match up to any user in
 my passwd file and allow access at this moment, and give them an
 incomplete reply.

If you mean /etc/passwd, and you don't want users from there ever to
authenticate against radius, then just make sure the unix module is not
in your authenticate {} block of radiusd.conf.

This may not be what you're trying to do though 8-)

Hope it helps!
-Shawn


 --
  Mark P. Hennessy   [EMAIL PROTECTED]






Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: Query before I choose freeradius

2002-08-15 Thread Shawn O'Shea


 The way we do this is kind of new in postfix. You can specify that postfix
 looks at a mysql database and tables for the users and passwords. The only
 catch is that users must have unique usernames and they need to have the
 same user/pass combo for dialup and email. I think the catch is actually a
 benefit, but it could be taken otherwise.

This can also be done with an LDAP backend, as that is exactly what we do
at my company (POP/IMAP users and RADIUS dialups authenticate against the
same LDAP backend).

-Shawn


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





FreeRADIUS RPMs

2002-08-12 Thread Shawn O'Shea


I've created some hopefully useful FreeRADIUS RPMs. They still need some
work, but should serve well for some people. I'd like to continue to make
it more robust. If not replying to this post, please use the eth0.net
e-mail address located in the README.rpm to contact me about
problems/suggestions/issues/etc.

Please see the README.rpm for information about what this RPM supports.
http://volcano.boulderhill.net/freeradius-rpm/

Thanks,
-Shawn

Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





RE: FreeRADIUS RPMs

2002-08-12 Thread Shawn O'Shea


Yes, if they're compiled, you should be able to add the rlm_* files to
/usr/lib by hand

-Shawn

On Mon, 12 Aug 2002, Sheldon Fougere wrote:

 Hi Shawn,

 Would I be able to add the additional rlm_sql* files after I've installed 0.7
 with these RPMs?

 Thanks,
 Sheldon


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Shawn
 O'Shea
 Sent: Monday, August 12, 2002 2:42 PM
 To: FreeRadius Users List
 Subject: FreeRADIUS RPMs



 I've created some hopefully useful FreeRADIUS RPMs. They still need some
 work, but should serve well for some people. I'd like to continue to make
 it more robust. If not replying to this post, please use the eth0.net
 e-mail address located in the README.rpm to contact me about
 problems/suggestions/issues/etc.

 Please see the README.rpm for information about what this RPM supports.
 http://volcano.boulderhill.net/freeradius-rpm/

 Thanks,
 -Shawn

 Shawn K. O'Shea
 Sr. Unix Administrator
 DSL.net, Inc.







Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: Freeradius and RPM Spec File

2002-08-01 Thread Shawn O'Shea


I'm working on a FreeRADIUS rpm that I've built from scratch. I was
waiting for 0.7 (and returning from vacation, which I have) before letting
people at it. I just tried building it, but there seems to be enough
differences that I need to sit down and see what has changed (looks mainly
like a libradius was added for my old SPEC file to work out of the box).

I'll probably have something for the general public early next week.

-Shawn

On Thu, 1 Aug 2002, Sheldon Fougere wrote:

 Hi,

 I'm new to radius and I've been experimenting with Freeradius.  I started at
 version 0.6.  In that version in the redhat directory there was a
 freeradius.spec file that I used to build an RPM of freeradius.  This worked
 fine.  When 0.7 came out I tried the same thing.  I did notice the spec file
 was still for version 0.6 so I changed the spec file version to 0.7 but this
 failed.  The RPM didn't build.  During the build process I noticed errors
 stating that files weren't found.

 Is there a freeradius.spec file available for version 0.7?

 Thanks,
 Sheldon





Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: specify shadow passwd file

2002-07-18 Thread Shawn O'Shea


Please read the comments in radiusd.conf:
 #  'shadow' is commented out by default, because not all
 #  systems have shadow passwords.

Uncomment:
 #  shadow = /etc/shadow

-Shawn

On Thu, 18 Jul 2002, Augustine Tsai wrote:

 Hi,

 I have downloaded freeradius-0.6.
 I tried to run radiusd -X -A

 and get the following message.
 unix: cache=yes
 unix: passwd = /etc/passed
 unix: shadow = (null)
 .
 .
 HASH: Reinitializing hash structures and lists for caching...
 rlm_unix: you MUST specify a shadow password file!
 HASH: unable to create uses hash table. disable caching and run debugs
 radiusd.conf[426]: unix: Module instantiation failed.
 

 Do you have to configure the Radius server before you run the daemon?
 How do I specify the shadow password file?

 Thanks in advance.

 Augustine


 Augustine Tsai, Ph.D
 Multimedia Communication Research
 Room 2D-443
 Lucent Technologies
 600-700 Mountain Ave.
 Murray Hill, NJ 07974-0636
 tel: 908-582-6519
 fax: 908-582-3306
 [EMAIL PROTECTED]




Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





RE: CHAP-Password LDAP Auth?

2002-03-26 Thread Shawn O'Shea


Please forgive if a repost. Not sure my comments below got passed
along...also wanted to tack on a a sample test packet:

sample test:
/usr/local/bin/radclient -x radius-server.mycompany.com auth
mysharedsecret < radtest.txt

where radtest.txt resembles:
User-Name = someradiususer
CHAP-Password = cleartextofpassword
NAS-IP-Address = somenas.mycompany.com
NAS-Port-Id = 0
NAS-Port-Type = Async
Service-Type = Framed
Framed-Protocol = PPP
State = 
Calling-Station-Id = 8475061520
Called-Station-Id = 8476311672
Acct-Session-Id = 379094840
Ascend-Data-Rate = 26400
Ascend-Xmit-Rate = 44000
Proxy-State = blah

-Shawn

On Tue, 26 Mar 2002, Shawn O'Shea wrote:


 I got the better part of this working on Friday; here's most of the
 pertinent parts:

 radiusd.conf:

 -add a blank section for chap options (something complained when I didn't
 do this)

 chap {
 }

 -make sure that your ldap section is configured for your setup

 -make sure authorize{} has chap and ldap. Mine looks like:
 authorize {
   preprocess
 chap
   ldap
   suffix
   files
 }

 -make sure authenticate{} has chap. I have:
 authenticate {
   unix
   chap
 }

 I only have one type of user; I'm not sure how to setup realms properly,
 so I'm being lame and matching the realm in their username attribute and
 giving them some ascend vendor attributes:
 users:

 DEFAULT Suffix == @realm.mycompany.com
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Ascend-Data-Filter = IP IN FORWARD TCP,
   Ascend-Data-Filter += IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE,
   Ascend-Data-Filter += IP IN DROP TCP DSTPORT = 25,
   Ascend-Data-Filter += IP IN FORWARD 0,
   Ascend-Assign-IP-Pool = 0

 -Shawn

 On Mon, 25 Mar 2002, Michael S. McCollough wrote:

  I am probably just dense but either the faq is incomplete or I cannot
  translate to suit my needs. I cannot even get chap to work with Auth-Type
  :=system  I need it to work with ldap. One key point may be CHAP vs
  MS-CHAP. The radiusd.conf file only has ms-chap in it. I remember long time
  ago when chap was proposed, ms did their own version. Since the MS version
  became the defacto standard, I am not sure if ms-chap and chap are used
  interchangeably.
 
  From radiusd -X
  rlm_ldap: Attribute Password is required for authentication. Cannot use
  CHAP-Password.
 
  I need CHAP to work with LDAP but would be happy to see it work with system
  auth just to know it works.
 
  --
  Michael
 
 
  -Original Message-
  From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, March 21, 2002 2:09 PM
  To: [EMAIL PROTECTED]
  Subject: Re: CHAP-Password & LDAP Auth?
 
 
  On Thu, 21 Mar 2002, Mike Cathey wrote:
 
   Chris,
  
  
   Chris Parker wrote:
At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
   
Chris,
   
 The qmail-ldap (http://www.nrg4u.com) code (actually IIRC it's
 the auth code) supports 2 methods of LDAP auth.  One method
 attempts to bind to the directory as the user, which is what it
 sounds like FreeRADIUS does.  The other method is to bind to the
 directory as a privileged user (one who has access to all user
 attributes), crypt what the client handed you and compare it to
 userPassword.
   
   
 The client hands you an already ( and non-reversible ) encrypted
 string. Encrypting it a second time will yield nothing useful.
   
 It may be possible to implement the second method in FreeRADIUS and
 use it for LDAP/CHAP auth.  Comments?
   
   
 The only way to perform CHAP authentication is for the server to
 have access to the unencrypted password locally.
  
   Sorry, I wasn't suggesting you use crypt with LDAP/CHAP.  I was just
   pointing out the method of binding as a privileged user (a user who
   has rights to access the userPassword attribute for the RADIUS users).
   You can then get the value of userPassword and send the 'challenge'
   back to the proxy.  I haven't read docs on CHAP in a while, but it
   seems like this would work ok.  Of course, this assumes you store all
   of your users passwords in plain text.
  
   Cheers,
  
   Mike
 
  It's already supported. Please read the FAQ at
  http://www.freeradius.org/faq/#5.11
 
  and doc/rlm_ldap
 
  --
  Kostas Kalevras Network Operations Center
  [EMAIL PROTECTED]  National Technical University of Athens, Greece
  Work Phone: +30 10 7721861
  'Go back to the shadow' Gandalf
 
 
 
 
 


 Shawn K. O'Shea
 Sr. Unix Administrator
 DSL.net, Inc.



Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





RE: CHAP-Password LDAP Auth?

2002-03-26 Thread Shawn O'Shea


I got the better part of this working on Friday; here's most of the
pertinent parts:

radiusd.conf:

-add a blank section for chap options (something complained when I didn't
do this)

chap {
}

-make sure that your ldap section is configured for your setup

-make sure authorize{} has chap and ldap. Mine looks like:
authorize {
preprocess
chap
ldap
suffix
files
}

-make sure authenticate{} has chap. I have:
authenticate {
unix
chap
}

I only have one type of user; I'm not sure how to setup realms properly,
so I'm being lame and matching the realm in their username attribute and
giving them some ascend vendor attributes:
users:

DEFAULT Suffix == @realm.mycompany.com
Service-Type = Framed-User,
Framed-Protocol = PPP,
Ascend-Data-Filter = IP IN FORWARD TCP,
Ascend-Data-Filter += IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE,
Ascend-Data-Filter += IP IN DROP TCP DSTPORT = 25,
Ascend-Data-Filter += IP IN FORWARD 0,
Ascend-Assign-IP-Pool = 0

-Shawn

On Mon, 25 Mar 2002, Michael S. McCollough wrote:

 I am probably just dense but either the faq is incomplete or I cannot
 translate to suit my needs. I cannot even get chap to work with Auth-Type
 :=system  I need it to work with ldap. One key point may be CHAP vs
 MS-CHAP. The radiusd.conf file only has ms-chap in it. I remember long time
 ago when chap was proposed, ms did their own version. Since the MS version
 became the defacto standard, I am not sure if ms-chap and chap are used
 interchangeably.

 From radiusd -X
 rlm_ldap: Attribute Password is required for authentication. Cannot use
 CHAP-Password.

 I need CHAP to work with LDAP but would be happy to see it work with system
 auth just to know it works.

 --
 Michael


 -Original Message-
 From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, March 21, 2002 2:09 PM
 To: [EMAIL PROTECTED]
 Subject: Re: CHAP-Password & LDAP Auth?


 On Thu, 21 Mar 2002, Mike Cathey wrote:

  Chris,
 
 
  Chris Parker wrote:
   At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
  
   Chris,
  
   The qmail-ldap (http://www.nrg4u.com) code (actually IIRC it's
   the auth code) supports 2 methods of LDAP auth.  One method
   attempts to bind to the directory as the user, which is what it
   sounds like FreeRADIUS does.  The other method is to bind to the
   directory as a privileged user (one who has access to all user
   attributes), crypt what the client handed you and compare it to
   userPassword.
  
  
   The client hands you an already ( and non-reversible ) encrypted
   string. Encrypting it a second time will yield nothing useful.
  
   It may be possible to implement the second method in FreeRADIUS and
   use it for LDAP/CHAP auth.  Comments?
  
  
   The only way to perform CHAP authentication is for the server to
   have access to the unencrypted password locally.
 
  Sorry, I wasn't suggesting you use crypt with LDAP/CHAP.  I was just
  pointing out the method of binding as a privileged user (a user who
  has rights to access the userPassword attribute for the RADIUS users).
  You can then get the value of userPassword and send the 'challenge'
  back to the proxy.  I haven't read docs on CHAP in a while, but it
  seems like this would work ok.  Of course, this assumes you store all
  of your users passwords in plain text.
 
  Cheers,
 
  Mike

 It's already supported. Please read the FAQ at
 http://www.freeradius.org/faq/#5.11

 and doc/rlm_ldap

 --
 Kostas Kalevras   Network Operations Center
 [EMAIL PROTECTED]National Technical University of Athens, Greece
 Work Phone:   +30 10 7721861
 'Go back to the shadow'   Gandalf







Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





RE: CHAP-Password LDAP Auth?

2002-03-26 Thread Shawn O'Shea

On Tue, 26 Mar 2002, Michael S. McCollough wrote:

 Are you using LDAP? This did not work for me. I did get the realms working
 though.

Yes, but you _do not_ authenticate off of LDAP. You authorize off of LDAP
(where the password needs to be stored in the clear). Essentially when
LDAP is in the authorize{} section, this is the only action it takes.

Then you authenticate{} with CHAP, which takes the CHAP-Password from the
inbound packet, and constructs a CHAP-ized version of the cleartext from
LDAP to compare it with.

-Shawn


 rlm_ldap: - authenticate
 rlm_ldap: Attribute User-Password is required for authentication. Cannot
 use CHAP-Password.
   modcall[authenticate]: module ldap returns invalid
 modcall: group authenticate returns invalid
 auth: Failed to validate the user.
 Login incorrect (rlm_ldap: User not found):
 [[EMAIL PROTECTED]/CHAP-Password] (from client MR-Firewall port 0)



 -Original Message-
 From: Shawn O'Shea [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, March 26, 2002 10:48 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: CHAP-Password & LDAP Auth?



 I got the better part of this working on Friday; here's most of the
 pertinent parts:

 radiusd.conf:

 -add a blank section for chap options (something complained when I didn't do
 this)

 chap {
 }

 -make sure that your ldap section is configured for your setup

 -make sure authorize{} has chap and ldap. Mine looks like: authorize {
   preprocess
 chap
   ldap
   suffix
   files
 }

 -make sure authenticate{} has chap. I have:
 authenticate {
   unix
   chap
 }

 I only have one type of user; I'm not sure how to setup realms properly,
 so I'm being lame and matching the realm in their username attribute and
 giving them some ascend vendor attributes:
 users:

 DEFAULT Suffix == @realm.mycompany.com
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Ascend-Data-Filter = IP IN FORWARD TCP,
   Ascend-Data-Filter += IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE,
   Ascend-Data-Filter += IP IN DROP TCP DSTPORT = 25,
   Ascend-Data-Filter += IP IN FORWARD 0,
   Ascend-Assign-IP-Pool = 0

 -Shawn

 On Mon, 25 Mar 2002, Michael S. McCollough wrote:

  I am probably just dense but either the faq is incomplete or I cannot
  translate to suit my needs. I cannot even get chap to work with
  Auth-Type :=system  I need it to work with ldap. One key point may be
  CHAP vs MS-CHAP. The radiusd.conf file only has ms-chap in it. I
  remember long time ago when chap was proposed, ms did their own
  version. Since the MS version became the defacto standard, I am not
  sure if ms-chap and chap are used interchangeably.
 
  From radiusd -X
  rlm_ldap: Attribute Password is required for authentication. Cannot
  use CHAP-Password.
 
  I need CHAP to work with LDAP but would be happy to see it work with
  system auth just to know it works.
 
  --
  Michael
 
 
  -Original Message-
  From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, March 21, 2002 2:09 PM
  To: [EMAIL PROTECTED]
  Subject: Re: CHAP-Password & LDAP Auth?
 
 
  On Thu, 21 Mar 2002, Mike Cathey wrote:
 
   Chris,
  
  
   Chris Parker wrote:
At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
   
Chris,
   
 The qmail-ldap (http://www.nrg4u.com) code (actually IIRC it's
 the auth code) supports 2 methods of LDAP auth.  One method
 attempts to bind to the directory as the user, which is what it
 sounds like FreeRADIUS does.  The other method is to bind to the
 directory as a privileged user (one who has access to all user
 attributes), crypt what the client handed you and compare it to
 userPassword.
   
   
 The client hands you an already ( and non-reversible ) encrypted
 string. Encrypting it a second time will yield nothing useful.
   
 It may be possible to implement the second method in FreeRADIUS
 and use it for LDAP/CHAP auth.  Comments?
   
   
 The only way to perform CHAP authentication is for the server to
 have access to the unencrypted password locally.
  
   Sorry, I wasn't suggesting you use crypt with LDAP/CHAP.  I was just
   pointing out the method of binding as a privileged user (a user who
   has rights to access the userPassword attribute for the RADIUS
   users). You can then get the value of userPassword and send the
   'challenge' back to the proxy.  I haven't read docs on CHAP in a
   while, but it seems like this would work ok.  Of course, this
   assumes you store all of your users passwords in plain text.
  
   Cheers,
  
   Mike
 
  It's already supported. Please read the FAQ at
  http://www.freeradius.org/faq/#5.11
 
  and doc/rlm_ldap
 
  --
  Kostas Kalevras Network Operations Center
  [EMAIL PROTECTED]  National Technical University of Athens, Greece
  Work Phone: +30 10 7721861
  'Go back to the shadow' Gandalf
 
 
 

Re: Matching troubles in users file...

2002-03-22 Thread Shawn O'Shea


  If you passed authenticate then add a bunch of attributes to make you
  work
  If you failed authenticate then send back only a Reply-Message attribute

   To do this generally would require a post-authenticate stage.  The
 server doesn't have this right now.

   If the authentication fails, the server *does* remove almost all of
 the attributes in the reply, before sending a reject.

Ok, this seems to be what's driving me nuts. I can live without adding a
Reply-Message, but when an auth fails, it removes everything but
Proxy-State (which I want) and a couple of Ascend attributes (that I don't
want in there).

Thanks,
-Shawn


   Alan DeKok.




Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Re: CHAP-Password LDAP Auth?

2002-03-21 Thread Shawn O'Shea


   Wed Mar 20 15:35:57 2002 : Auth: Login incorrect:
  [{ed: whatever username -sko}/CHAP-Password] (from nas
  UNKNOWN-NAS port 0 cli 8475061520)
 
  If I use just User-Password, this works like a dream. Any suggestions?

   Don't use CHAP.

Ok, well the UUNET docs states that I can use PAP or CHAP. Here's what
their doc says about it though:

Although the Reseller may not be using CHAP, they must configure their
RADIUS server to respond to a CHAP request by requesting PAP
authentication after declining CHAP. This is done during the LCP phase of
creating a PPP session.

Is this doable in freeradius?

   From what I recall, the LDAP module tries to authenticate to the
 LDAP server, using the username/password supplied in the packet.
 Therefore, it needs access to the plain-text password, as it's telling
 you.

Running freeradius in debug mode, this is indeed what the LDAP module is
doing. After reading through the section of the FAQ you pointed out, and
the Interoperation with PAP and CHAP section of RFC2138, I'm starting to
understand what the deal is.

Thanks,
-Shawn


   The alternative is to use a DB which stores the password in clear text.

   Alan DeKok.




Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





Matching troubles in users file...

2002-03-21 Thread Shawn O'Shea


I'm having a hard time wrapping my head around how to do the matching that
I want in the users file and was hoping for some help.

I really only have one type of user, so what I would like to say is:

If you passed authenticate then add a bunch of attributes to make you
work

If you failed authenticate then send back only a Reply-Message attribute

Help? =)

Thanks,
-Shawn


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.





CHAP-Password LDAP Auth?

2002-03-20 Thread Shawn O'Shea


I'm currently using Steel Belted Radius w/ UU.net and trying to replicate
the functionality of our Steel Belted server w/ freeradius. Basically we
take incoming proxied auth requests from UU, auth them, and reply back to
the proxy.

I grabbed some of the inbound packets off the wire so I could look at what
attributes we're receiving, so that I could build similar looking access
requests with radclient.

My problem is that the packets from them send the password as
CHAP-Password attribute. If I set this in my test data for radclient, my
freeradius 0.5 server says:
Wed Mar 20 15:35:57 2002 : Auth: rlm_ldap: Attribute User-Password is
required for authentication. Cannot use CHAP-Password.
Wed Mar 20 15:35:57 2002 : Auth: Login incorrect:
[{ed: whatever username -sko}/CHAP-Password] (from nas
UNKNOWN-NAS port 0 cli 8475061520)

If I use just User-Password, this works like a dream. Any suggestions?

-Shawn


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.

