Re: PAP CHAP
I've been using this in my authenticate block for a while and it seems to work fine with UUNet for the dialup we resell from them:

    authtype UUNET {
        chap
        pap
    }

and just match it with Auth-Type := UUNET for an entry in the users file.

-Shawn

On Fri, 10 Jan 2003, Chris Knipe wrote:

> Hi,
>
> I tried this, and it still did not work :( Maybe I am missing something... Below's the relevant snippets from my configuration...
>
>     modules {
>         pap {
>             encryption_scheme = clear
>         }
>         chap {
>             authtype = CHAP
>         }
>     }
>
>     authorize {
>         preprocess
>         attr_filter
>         suffix
>         files
>         chap
>         sql
>     }
>
>     # Authentication.
>     authenticate {
>         authtype PAP {
>             pap
>         }
>         authtype CHAP {
>             chap
>         }
>     }
>
> --
> me
>
> ----- Original Message -----
> From: 3APA3A [EMAIL PROTECTED]
> To: Chris Knipe [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Thursday, January 09, 2003 10:55 AM
> Subject: Re: PAP CHAP
>
>> Dear Chris Knipe,
>>
>> Set Auth-Type to PAP, add chap module to authorize section and make sure you have chap { authtype = CHAP } in module configuration. In this case default authentication will be PAP, but if CHAP-Password attribute will be found in request Auth-Type will be changed to CHAP during authorization. This behavior is explained in doc/rlm_mschap for MS-CHAP authentication which is very similar to CHAP.
>>
>> --Thursday, January 9, 2003, 6:47:32 AM, you wrote to [EMAIL PROTECTED]:
>>
>> CK> Lo everyone,
>> CK> I think I have a little bit of a problem (or maybe not)...
>> CK> I want to use PAP and CHAP authentication... Basically, a user should be
>> CK> able to authenticate using PAP or CHAP... I've created a group attribute
>> CK> request (Auth-Type := PAP as well as Auth-Type := CHAP). However,
>> CK> Freeradius only takes the first one it gets from the database (PAP), and
>> CK> disregards the CHAP.
>> CK> I know this is stupid, but I am presuming that Auth-Type is sent from the
>> CK> NAS to the Radius server in any case? How do I get freeradius to accept
>> CK> both password types?
>> CK> My PAP is stored cleartext to make it compatible with
>> CK> CHAP, and when I manually remove PAP for CHAP I can authenticate using both
>> CK> types... Right now though, I don't really see a way how I can use both at
>> CK> the same time on the same accounts?
>> CK> --
>> CK> me
>> CK> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>> --
>> ~/ZARAZA
>> Firing the second time, he crippled a bystander. The bystander was me. (Twain)

Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.
Re: Freeradius/*SQL question
> First off, is it necessary to fill the dictionary table as well, or can the text version be used directly for that? More to the point, how do I tell radiusd to ONLY look in its sql table for authentication?

This is controlled like any other authentication module, via the authenticate {} block in your radiusd.conf. If all you want is sql, then only put the sql module in there.

> Second, is there any way to use crypted passwords in the SQL database? I'm keeping a fairly tight lid on security in most matters but plaintext passwords always make me nervous.

Use PAP exclusively for dialup. If you want to support CHAP for dialup, passwords _must_ be cleartext. See the FAQ and list archives for more details.

-Shawn

> Thanks for the software,
> -Shad
> --
> Rens Houben                       | opinions are mine
> Resident linux guru and sysadmin  | if my employers have one
> Systemec Internet Services.       | they'll tell you themselves
> PGP public key at http://suzaku.systemec.nl/shadur.key.asc
Re: CHAP and Crypt
> I want to use crypted passwords in LDAP and CHAP authentication. It works without CHAP. CHAP seems like only working with clear passwords. Can anybody help me with this?

Read the FAQ: http://www.freeradius.org/faq/#4.4 (PAP authentication works but CHAP fails) and http://www.freeradius.org/faq/#5.11 (How do I make CHAP work with LDAP?)

-Shawn
Re: CHAP/PAP Authentication
Auth-Type can be an arbitrary value. I use something like this to make chap or pap available to the same set of users:

in users:

    DEFAULT Auth-Type := CHAPPAP
        values to assign

in authenticate block radiusd.conf:

    authtype CHAPPAP {
        chap
        pap
    }

-Shawn

On Tue, 17 Sep 2002, ho k wrote:

> Hi
>
> How can the user profile be set such that the PAP or CHAP call may be verified. If I used:
>
>     DEFAULT Auth-Type := PAP
>         Fall-Through = 1
>
> the debug output is:
>
>     modcall: group authorize returns ok
>     rad_check_password: Found Auth-Type PAP
>     auth: type PAP
>     modcall: entering group authtype
>     rlm_pap: Attribute Password is required for authentication. Cannot use CHAP-Password.
>     modcall[authenticate]: module pap returns invalid
>     modcall: group authtype returns invalid
>     auth: Failed to validate the user.
>
> for CHAP user.
>
> Regards
> K
Re: libtool libs conflicts.
You can use your system's libtool instead of the one that ships with the FreeRADIUS source. Add --with-system-libtool to your configure. I seemed to need that on Mandrake when I built it with my RPM (http://volcano.boulderhill.net/freeradius-rpm/)

-Shawn

On Mon, 9 Sep 2002, Yang-Hwee TAN wrote:

> Hi,
>
> I've just managed to build the freeradius rpm from an old v0.6 redhat spec file, and now I've got a problem on the libtool libs conflict with the ones built onto FreeRadius' rpm. Here are the options I used to build the rpm for freeradius:
>
>     %configure --prefix=%{_prefix} \
>         --localstatedir=%{_localstatedir} \
>         --sysconfdir=%{_sysconfdir} \
>         --mandir=%{_mandir} \
>         --with-threads \
>         --with-thread-pool \
>         --with-gnu-ld \
>         --with-rlm-krb5-include-dir=/usr/include/krb5 \
>         --with-rlm-krb5-lib-dir=/usr/lib
>
> I did try to use the switch --disable-ltdl-install, but the compilation complains and it seems like it's not a valid option for compiling. Any help on this would be great!
>
> Does anyone know if I can rebuild the binary without the conflict on my system's libtool libs happening? (see the rpm conflict below). Or is this a normal thing? Meaning that I can go ahead to replace the libraries for my libtool in order to use FreeRadius?
>
>     [root@lnx00 root]# rpm --test -Uvh /usr/src/RPM/RPMS/i586/freeradius-0.7-1mdk.i586.rpm
>     Preparing...### [100%]
>         file /usr/lib/libltdl.so.3.1.0 from install of freeradius-0.7-1mdk conflicts with file from package libltdl3-1.4.2-3mdk
>         file /usr/lib/libltdl.a from install of freeradius-0.7-1mdk conflicts with file from package libltdl3-devel-1.4.2-3mdk
>         file /usr/lib/libltdl.la from install of freeradius-0.7-1mdk conflicts with file from package libltdl3-devel-1.4.2-3mdk
>
> --
> Cheers!
> Yanghwee TAN
> [EMAIL PROTECTED]
> http://krypton.bii.a-star.edu.sg/~tanyh/
Re: Question about rejecting users
On Wed, 21 Aug 2002, Mark Hennessy wrote:

> Is there a way to reject any users not explicitly listed in the flat users file or the sql database? My defaults are able to match up to any user in my passwd file and allow access at this moment, and give them an incomplete reply.

If you mean /etc/passwd, and you don't want users from there ever to authenticate against radius, then just make sure the unix module is not in your authenticate {} block of radiusd.conf. This may not be what you're trying to do though 8-)

Hope it helps!

-Shawn

> --
> Mark P. Hennessy
> [EMAIL PROTECTED]
Re: Query before I choose freeradius
> The way we do this is kind of new in postfix. You can specify that postfix looks at a mysql database and tables for the users and passwords. The only catch is that users must have unique usernames and they need to have the same user/pass combo for dialup and email. I think the catch is actually a benefit, but it could be taken otherwise.

This can also be done with an LDAP backend, as that is exactly what we do at my company (POP/IMAP users and RADIUS dialups authenticate against the same LDAP backend).

-Shawn
FreeRADIUS RPMs
I've created some hopefully useful FreeRADIUS RPMs. They still need some work, but should serve well for some people. I'd like to continue to make it more robust.

If not replying to this post, please use the eth0.net e-mail address located in the README.rpm to contact me about problems/suggestions/issues/etc.

Please see the README.rpm for information about what this RPM supports.

http://volcano.boulderhill.net/freeradius-rpm/

Thanks,
-Shawn
RE: FreeRADIUS RPMs
Yes, if they're compiled, you should be able to add the rlm_* files to /usr/lib by hand.

-Shawn

On Mon, 12 Aug 2002, Sheldon Fougere wrote:

> Hi Shawn,
>
> Would I be able to add the additional rlm_sql* files after I've installed 0.7 with these RPMs?
>
> Thanks,
> Sheldon
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Shawn O'Shea
> Sent: Monday, August 12, 2002 2:42 PM
> To: FreeRadius Users List
> Subject: FreeRADIUS RPMs
Re: Freeradius and RPM Spec File
I'm working on a FreeRADIUS rpm that I've built from scratch. I was waiting for 0.7 (and returning from vacation, which I have) before letting people at it. I just tried building it, but there seem to be enough differences that I need to sit down and see what has changed (looks mainly like a libradius was added for my old SPEC file to work out of the box). I'll probably have something for the general public early next week.

-Shawn

On Thu, 1 Aug 2002, Sheldon Fougere wrote:

> Hi,
>
> I'm new to radius and I've been experimenting with Freeradius. I started at version 0.6. In that version in the redhat directory there was a freeradius.spec file that I used to build an RPM of freeradius. This worked fine. When 0.7 came out I tried the same thing. I did notice the spec file was still for version 0.6 so I changed the spec file version to 0.7 but this failed. The RPM didn't build. During the build process I noticed errors stating that files weren't found. Is there a freeradius.spec file available for version 0.7?
>
> Thanks,
> Sheldon
Re: specify shadow passwd file
Please read the comments in radiusd.conf:

    # 'shadow' is commented out by default, because not all
    # systems have shadow passwords.

Uncomment:

    # shadow = /etc/shadow

-Shawn

On Thu, 18 Jul 2002, Augustine Tsai wrote:

> Hi,
>
> I have downloaded freeradius-0.6. I tried to run radiusd -X -A and get the following message.
>
>     unix: cache=yes
>     unix: passwd = /etc/passed
>     unix: shadow = (null)
>     .
>     .
>     HASH: Reinitializing hash structures and lists for caching...
>     rlm_unix: you MUST specify a shadow password file!
>     HASH: unable to create uses hash table. disable caching and run debugs
>     radiusd.conf[426]: unix: Module instantiation failed.
>
> Do you have to configure the Radius server before you run the daemon? How to specify the shadow password file.
>
> Thanks in advance.
> Augustine
>
> Augustine Tsai, Ph.D
> Multimedia Communication Research
> Room 2D-443 Lucent Technologies
> 600-700 Mountain Ave.
> Murray Hill, NJ 07974-0636
> tel: 908-582-6519
> fax: 908-582-3306
> [EMAIL PROTECTED]
RE: CHAP-Password LDAP Auth?
Please forgive if a repost. Not sure my comments below got passed along... also wanted to tack on a sample test packet:

sample test:

    /usr/local/bin/radclient -x radius-server.mycompany.com auth mysharedsecret radtest.txt

where radtest.txt resembles:

    User-Name = someradiususer
    CHAP-Password = cleartextofpassword
    NAS-IP-Address = somenas.mycompany.com
    NAS-Port-Id = 0
    NAS-Port-Type = Async
    Service-Type = Framed
    Framed-Protocol = PPP
    State =
    Calling-Station-Id = 8475061520
    Called-Station-Id = 8476311672
    Acct-Session-Id = 379094840
    Ascend-Data-Rate = 26400
    Ascend-Xmit-Rate = 44000
    Proxy-State = blah

-Shawn

On Tue, 26 Mar 2002, Shawn O'Shea wrote:

> I got the better part of this working on Friday... here's most of the pertinent parts:
>
> radiusd.conf:
>
> - add a blank section for chap options (something complained when I didn't do this)
>
>     chap {
>     }
>
> - make sure that your ldap section is configured for your setup
> - make sure authorize{} has chap and ldap. Mine looks like:
>
>     authorize {
>         preprocess
>         chap
>         ldap
>         suffix
>         files
>     }
>
> - make sure authenticate{} has chap. I have:
>
>     authenticate {
>         unix
>         chap
>     }
>
> I only have one type of user... I'm not sure how to setup realms properly, so I'm being lame and matching the realm in their username attribute and giving them some ascend vendor attributes:
>
> users:
>
>     DEFAULT Suffix == @realm.mycompany.com
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Ascend-Data-Filter = "IP IN FORWARD TCP",
>         Ascend-Data-Filter += "IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE",
>         Ascend-Data-Filter += "IP IN DROP TCP DSTPORT = 25",
>         Ascend-Data-Filter += "IP IN FORWARD 0",
>         Ascend-Assign-IP-Pool = 0
>
> -Shawn
>
> On Mon, 25 Mar 2002, Michael S. McCollough wrote:
>
>> I am probably just dense but either the faq is incomplete or I cannot translate to suit my needs. I cannot even get chap to work with Auth-Type := system. I need it to work with ldap. One key point may be CHAP vs MS-CHAP. The radiusd.conf file only has ms-chap in it. I remember long time ago when chap was proposed, ms did their own version. Since the MS version became the de facto standard, I am not sure if ms-chap and chap are used interchangeably.
>>
>> From radiusd -X
>>
>>     rlm_ldap: Attribute Password is required for authentication. Cannot use CHAP-Password.
>>
>> I need CHAP to work with LDAP but would be happy to see it work with system auth just to know it works.
>>
>> --
>> Michael
>>
>> -----Original Message-----
>> From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
>> Sent: Thursday, March 21, 2002 2:09 PM
>> To: [EMAIL PROTECTED]
>> Subject: Re: CHAP-Password LDAP Auth?
>>
>>> On Thu, 21 Mar 2002, Mike Cathey wrote:
>>>
>>>> Chris,
>>>>
>>>> Chris Parker wrote:
>>>>
>>>>> At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
>>>>>
>>>>>> Chris,
>>>>>>
>>>>>> The qmail-ldap (http://www.nrg4u.com) code (actually IIRC it's the auth code) supports 2 methods of LDAP auth. One method attempts to bind to the directory as the user, which is what it sounds like FreeRADIUS does. The other method is to bind to the directory as a privileged user (one who has access to all user attributes), crypt what the client handed you and compare it to userPassword.
>>>>>
>>>>> The client hands you an already ( and non-reversible ) encrypted string. Encrypting it a second time will yield nothing useful.
>>>>>
>>>>>> It may be possible to implement the second method in FreeRADIUS and use it for LDAP/CHAP auth. Comments?
>>>>>
>>>>> The only way to perform CHAP authentication is for the server to have access to the unencrypted password locally.
>>>>
>>>> Sorry, I wasn't suggesting you use crypt with LDAP/CHAP. I was just pointing out the method of binding as a privileged user (a user who has rights to access the userPassword attribute for the RADIUS users). You can then get the value of userPassword and send the 'challenge' back to the proxy. I haven't read docs on CHAP in a while, but it seems like this would work ok. Of course, this assumes you store all of your users passwords in plain text.
>>>>
>>>> Cheers,
>>>> Mike
>>>
>>> It's already supported. Please read the FAQ at http://www.freeradius.org/faq/#5.11 and doc/rlm_ldap
>>>
>>> --
>>> Kostas Kalevras
>>> Network Operations Center
>>> [EMAIL PROTECTED]
>>> National Technical University of Athens, Greece
>>> Work Phone: +30 10 7721861
>>> 'Go back to the shadow' Gandalf
RE: CHAP-Password LDAP Auth?
I got the better part of this working on Friday... here's most of the pertinent parts:

radiusd.conf:

- add a blank section for chap options (something complained when I didn't do this)

    chap {
    }

- make sure that your ldap section is configured for your setup
- make sure authorize{} has chap and ldap. Mine looks like:

    authorize {
        preprocess
        chap
        ldap
        suffix
        files
    }

- make sure authenticate{} has chap. I have:

    authenticate {
        unix
        chap
    }

I only have one type of user... I'm not sure how to setup realms properly, so I'm being lame and matching the realm in their username attribute and giving them some ascend vendor attributes:

users:

    DEFAULT Suffix == @realm.mycompany.com
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Ascend-Data-Filter = "IP IN FORWARD TCP",
        Ascend-Data-Filter += "IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE",
        Ascend-Data-Filter += "IP IN DROP TCP DSTPORT = 25",
        Ascend-Data-Filter += "IP IN FORWARD 0",
        Ascend-Assign-IP-Pool = 0

-Shawn

On Mon, 25 Mar 2002, Michael S. McCollough wrote:

> I am probably just dense but either the faq is incomplete or I cannot translate to suit my needs. I cannot even get chap to work with Auth-Type := system. I need it to work with ldap. One key point may be CHAP vs MS-CHAP. The radiusd.conf file only has ms-chap in it. I remember long time ago when chap was proposed, ms did their own version. Since the MS version became the de facto standard, I am not sure if ms-chap and chap are used interchangeably.
>
> From radiusd -X
>
>     rlm_ldap: Attribute Password is required for authentication. Cannot use CHAP-Password.
>
> I need CHAP to work with LDAP but would be happy to see it work with system auth just to know it works.
>
> --
> Michael
>
> -----Original Message-----
> From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 21, 2002 2:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: CHAP-Password LDAP Auth?
RE: CHAP-Password LDAP Auth?
On Tue, 26 Mar 2002, Michael S. McCollough wrote:

> Are you using LDAP? This did not work for me. I did get the realms working though.

Yes, but you _do not_ authenticate off of LDAP. You authorize off of LDAP (where the password needs to be stored in the clear). Essentially when LDAP is in the authorize{} section, this is the only action it takes. Then you authenticate{} with CHAP, which takes the CHAP-Password from the inbound packet, and constructs a CHAP-ized version of the cleartext from LDAP to compare it with.

-Shawn

>     rlm_ldap: - authenticate
>     rlm_ldap: Attribute User-Password is required for authentication. Cannot use CHAP-Password.
>     modcall[authenticate]: module ldap returns invalid
>     modcall: group authenticate returns invalid
>     auth: Failed to validate the user.
>     Login incorrect (rlm_ldap: User not found): [[EMAIL PROTECTED]/CHAP-Password] (from client MR-Firewall port 0)
>
> -----Original Message-----
> From: Shawn O'Shea [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 26, 2002 10:48 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: CHAP-Password LDAP Auth?
Re: Matching troubles in users file...
>> If you passed authenticate then add a bunch of attributes to make you work
>> If you failed authenticate then send back only a Reply-Message attribute
>
> To do this generally would require a post-authenticate stage. The server doesn't have this right now. If the authentication fails, the server *does* remove almost all of the attributes in the reply, before sending a reject.

Ok, this seems to be what's driving me nuts. I can live without adding a Reply-Message, but when an auth fails, it removes everything but Proxy-State (which I want) and a couple of Ascend attributes (that I don't want in there).

Thanks,
-Shawn

> Alan DeKok.
Re: CHAP-Password LDAP Auth?
>>     Wed Mar 20 15:35:57 2002 : Auth: Login incorrect: [{ed: whatever username -sko}/CHAP-Password] (from nas UNKNOWN-NAS port 0 cli 8475061520)
>>
>> If I use just User-Password, this works like a dream. Any suggestions?
>
> Don't use CHAP.

Ok, well the UUNET docs state that I can use PAP or CHAP. Here's what their doc says about it though:

    Although the Reseller may not be using CHAP, they must configure their RADIUS server to respond to a CHAP request by requesting PAP authentication after declining CHAP. This is done during the LCP phase of creating a PPP session.

Is this doable in freeradius?

> From what I recall, the LDAP module tries to authenticate to the LDAP server, using the username/password supplied in the packet. Therefore, it needs access to the plain-text password, as it's telling you.

Running freeradius in debug mode, this is indeed what the LDAP module is doing. After reading through the section of the FAQ you pointed out, and the "Interoperation with PAP and CHAP" section of RFC2138 I'm starting to understand what the deal is.

Thanks,
-Shawn

> The alternative is to use a DB which stores the password in clear text.
>
> Alan DeKok.
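The mechanics behind this thread and the earlier "CHAP/PAP Authentication", "Freeradius/*SQL question" and "PAP CHAP" threads (why a CHAP check needs the cleartext password on the server while a PAP check can verify a one-way hash, and how an authtype group such as CHAPPAP lets one user entry accept either) are shown below as an added Python model. It is example code written for this page, not FreeRADIUS code and not anything posted to the list. The user store, the request builders, the module return codes and the rule that a noop moves on to the next module while any other code ends the group are assumptions made for the illustration; all sample values are constructed, except that the shared secret reuses the placeholder from the radclient sample above.

```python
# Model of the PAP and CHAP checks a RADIUS server performs (RFC 2865 s5.2, s5.3).
# Constructed illustration: the user store, request builders and modcall handling
# are simplified stand-ins, not FreeRADIUS code.
import hashlib
import hmac
import secrets

# NAS/server shared secret; the value is the placeholder from the radclient sample on the list.
SHARED_SECRET = b"mysharedsecret"

def _hashed(password: bytes, salt: bytes) -> str:
    """Salted SHA-256, a stand-in for a crypt(3)-style one-way hash."""
    return hashlib.sha256(salt + password).hexdigest()

# Hypothetical user store: alice is kept in the clear (needed for CHAP),
# bob only as a one-way hash (PAP can verify it, CHAP cannot).
USERS = {
    "alice": {"Cleartext-Password": b"correct horse"},
    "bob": {"Hashed-Password": (b"NaCl", _hashed(b"battery staple", b"NaCl"))},
}

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: hide User-Password by XOR with chained MD5(secret + previous block)."""
    length = max(16, -(-len(password) // 16) * 16)  # pad to a multiple of 16 octets
    padded = password.ljust(length, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, length, 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the typed cleartext, so any stored hash can be checked against it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response = MD5(ident + cleartext password + challenge), computed by both sides."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def rlm_chap(request: dict, user: dict) -> str:
    """Model of the chap module: noop without CHAP-Password, invalid without a clear password."""
    if "CHAP-Password" not in request:
        return "noop"
    if "Cleartext-Password" not in user:
        return "invalid"  # the failure the thread hits with crypt/LDAP-hashed passwords
    ident, response = request["CHAP-Password"][0], request["CHAP-Password"][1:]
    # The challenge is CHAP-Challenge if sent, otherwise the Request Authenticator.
    challenge = request.get("CHAP-Challenge", request["Request-Authenticator"])
    expected = chap_response(ident, user["Cleartext-Password"], challenge)
    return "ok" if hmac.compare_digest(expected, response) else "reject"

def rlm_pap(request: dict, user: dict) -> str:
    """Model of the pap module: clear or hashed storage both work, but User-Password is required."""
    if "User-Password" not in request:
        return "invalid"  # "Attribute Password is required ... Cannot use CHAP-Password."
    clear = pap_decrypt(request["User-Password"], SHARED_SECRET, request["Request-Authenticator"])
    if "Cleartext-Password" in user:
        return "ok" if hmac.compare_digest(clear, user["Cleartext-Password"]) else "reject"
    salt, digest = user["Hashed-Password"]
    return "ok" if hmac.compare_digest(_hashed(clear, salt), digest) else "reject"

MODULES = {"chap": rlm_chap, "pap": rlm_pap}

def authenticate(group: list, request: dict) -> str:
    """Run an authtype group such as 'authtype CHAPPAP { chap pap }'.
    Assumed modcall behaviour: noop moves on to the next module, any other
    code ends the group; a group in which every module noops fails."""
    user = USERS.get(request["User-Name"])
    if user is None:
        return "reject"
    for name in group:
        result = MODULES[name](request, user)
        if result != "noop":
            return result
    return "reject"

def pap_request(username: str, password: bytes) -> dict:
    """Constructed Access-Request with a hidden User-Password (what radclient sends for PAP)."""
    auth = secrets.token_bytes(16)  # Request Authenticator
    return {"User-Name": username, "Request-Authenticator": auth,
            "User-Password": pap_encrypt(password, SHARED_SECRET, auth)}

def chap_request(username: str, password: bytes, ident: int = 0x2A) -> dict:
    """Constructed Access-Request with CHAP-Password; the Request Authenticator is the challenge."""
    auth = secrets.token_bytes(16)
    return {"User-Name": username, "Request-Authenticator": auth,
            "CHAP-Password": bytes([ident]) + chap_response(ident, password, auth)}

if __name__ == "__main__":
    print(authenticate(["chap", "pap"], chap_request("alice", b"correct horse")))  # ok
    print(authenticate(["chap", "pap"], pap_request("bob", b"battery staple")))    # ok
    print(authenticate(["chap", "pap"], chap_request("bob", b"battery staple")))   # invalid
    print(authenticate(["pap"], chap_request("alice", b"correct horse")))          # invalid
```

The last two calls reproduce the two failure modes discussed on the list: a hashed store can never answer a CHAP request, because the server has nothing to feed into the MD5 alongside the challenge, and a user pinned to Auth-Type := PAP fails on a CHAP packet because the pap module has no User-Password to decrypt. The PAP path shows the flip side: once User-Password is recovered with the shared secret, the server can compare it against a cleartext entry or against any one-way hash, which is why the advice above is to use PAP exclusively unless passwords are stored in the clear.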
Matching troubles in users file...
I'm having a hard time wrapping my head around how to do the matching that I want in the users file and was hoping for some help. I really only have one type of user, so what I would like to say is:

If you passed authenticate then add a bunch of attributes to make you work
If you failed authenticate then send back only a Reply-Message attribute

Help? =)

Thanks,
-Shawn
CHAP-Password LDAP Auth?
I'm currently using Steel Belted Radius w/ UU.net and trying to replicate the functionality of our steel belted server w/ freeradius. Basically we take incoming proxied auth requests from UU, auth them, and reply back to the proxy. I grabbed some of the inbound packets off the wire so I could look at what attributes we're receiving, so that I could build similar looking access requests with radclient. My problem is that the packets from them send the password as CHAP-Password attribute. If I set this in my test data for radclient, my freeradius 0.5 server says:

    Wed Mar 20 15:35:57 2002 : Auth: rlm_ldap: Attribute User-Password is required for authentication. Cannot use CHAP-Password.
    Wed Mar 20 15:35:57 2002 : Auth: Login incorrect: [{ed: whatever username -sko}/CHAP-Password] (from nas UNKNOWN-NAS port 0 cli 8475061520)

If I use just User-Password, this works like a dream. Any suggestions?

-Shawn