Re: LEAP,LDAP & required User-Password
Probably you need to extract your user password from the ldap entry and make it available to eap_leap. The password should be clear text for things to work, I think. Check out doc/rlm_eap (EAP-MD5 and ldap) and doc/rlm_ldap on how to configure password extraction in the ldap module.

To complete the mailing list entry I'll describe what I did wrong. Maybe someone someday will make the same dumb mistake :).

As listed in my first mailing list message I used the LDIF file where User-Password was set with:

userPassword:= testpwd

Exactly here is the problem. As long as I used "userPassword:= testpwd" the error "rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP" appeared. As soon as I deleted the "=" in the entry, no error message appeared and user1 could authenticate successfully.

There is another way to get this to work. When I configured the entry in the LDIF as follows:

userPassword: {clear}testpwd

and uncommented

password_header = "{clear}"

in the LDAP section of radiusd.conf, authentication for user1 was successful again.

best regards, cl

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
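The reason the ":=" spelling breaks LEAP is an LDIF parsing detail. The Python below is an added example (my own code, not from the thread and not rlm_ldap's implementation) that reads the userPassword variants discussed above the way an RFC 2849 LDIF reader does and then applies a password_header strip. RFC 2849 defines an attribute line as the name, a single colon, optional spaces, then the value; only a second colon (base64) or "<" (URL) changes that. So "userPassword:= testpwd" stores the literal value "= testpwd", and the server derives its expected NtChallengeResponse from the wrong password. A "{clear}" prefix is likewise part of the stored value until password_header removes it. The strip_password_header function is my model of what that option is documented to do (assumed to be a plain, case-sensitive prefix strip); the sample lines are constructed from the thread.

```python
import base64
from typing import Optional, Tuple


def parse_ldif_attr(line: str) -> Tuple[str, str]:
    """Parse one LDIF attribute line as RFC 2849 defines it.

    attr: value    -> plain value; spaces directly after the colon are dropped
    attr:: b64     -> base64-decoded value
    attr:< url     -> not handled in this example
    Any other character after the first colon, including '=', starts the value.
    """
    name, sep, rest = line.rstrip("\r\n").partition(":")
    if not sep or not name:
        raise ValueError(f"not an LDIF attribute line: {line!r}")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    if rest.startswith("<"):
        raise ValueError("URL-valued attributes are not handled in this example")
    return name, rest.lstrip(" ")


def strip_password_header(value: str, password_header: Optional[str]) -> str:
    """Model of rlm_ldap's password_header option (assumption: a plain,
    case-sensitive prefix strip; this is not rlm_ldap's own code)."""
    if password_header and value.startswith(password_header):
        return value[len(password_header):]
    return value


def effective_password(ldif_line: str, password_header: Optional[str] = None) -> str:
    """The cleartext the RADIUS server would use as the user's password,
    given the userPassword line as written in the LDIF and the configured
    password_header (None when the option is left commented out)."""
    name, value = parse_ldif_attr(ldif_line)
    if name.lower() != "userpassword":
        raise ValueError(f"expected a userPassword line, got {name!r}")
    return strip_password_header(value, password_header)


# Constructed sample lines reproducing the variants discussed in the thread.
SAMPLES = [
    ("userPassword:= testpwd", None),             # original broken entry
    ("userPassword: testpwd", None),              # '=' removed
    ("userPassword: {clear}testpwd", None),       # header present but not configured
    ("userPassword: {clear}testpwd", "{clear}"),  # header configured and stripped
    ("userPassword:: dGVzdHB3ZA==", None),        # base64 form of "testpwd"
]

if __name__ == "__main__":
    for line, header in SAMPLES:
        print(f"{line:32} password_header={header!r:10} -> {effective_password(line, header)!r}")
```

Running it shows the first sample yielding "= testpwd" and the third yielding "{clear}testpwd": both are passwords no supplicant will ever type, which is exactly the symptom of an "incorrect NtChallengeResponse" while the debug log still reports a password being added to the check items.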
Re: LEAP,LDAP & required User-Password
I didn't say that.

Ok, I'm sorry, then I've misunderstood something.

This means that my UserPassword entry in LDAP is unnecessary?

No.

Ok. I was setting up a DEFAULT password for all my LDAP users in the users file.

I don't see why.

Just to see if authentication with the password in the users file can be successful instead of having the password in LDAP, where the authentication always fails with the error: rlm_eap_leap: "FAILED incorrect NtChallengeResponse from AP"

Put the user's password into the ldap database?

Alan DeKok.

hmm, Ok. That's what I already did before: setting the "userPassword" entry in LDAP. Sadly I always get this error message above. But if I understood you properly I'm on the right path to get this to work when setting the var "userPassword:=" in ldif files. I don't know where else I'm doing something wrong in configs, but if anyone has some ideas I would be really grateful!

best regards, cl
Re: LEAP,LDAP & required User-Password
thanks for the response Alan.

That's for doing PAP authentication against the LDAP server. EAP isn't PAP, so you can't do EAP authentication against the LDAP server.

hmm I'm confused now :/, so I can't use LEAP with freeradius while having the whole user attributes (password entry included) in LDAP for authentication?

Or am I wrong and there is an invisible User-Password delivered with the EAP Message?

There is no User-Password in EAP.

Alan DeKok.

This means that my UserPassword entry in LDAP is unnecessary? How else can I set a password for the users in LDAP? Or is there no opportunity? I was setting up a DEFAULT password for all my LDAP users in the users file. After that the authentication of the users was successful. Instead of the error "rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP" the message "rlm_eap_leap: NtChallengeResponse from AP is valid" appeared. But my main goal is to have the password entry in the LDAP database. What am I doing wrong? And how can I set the password for the users in LDAP in such a way that users can successfully authenticate without having the error message rlm_eap_leap: "FAILED incorrect NtChallengeResponse from AP"?

thanks in advance for any good suggestions!

regards, cl
Re: LEAP,LDAP & required User-Password
Alan, thanks for your response. Ok, I understand. I was reading some postings on the list about LDAP and they were always putting Auth-Type to LDAP manually in the users file. That's why I thought it must be done manually. So theoretically there is no need at all for the users file if I have my whole user attributes in LDAP? Please correct me if I'm wrong, I'm just trying to understand.

Now I deleted the last entry "Auth-Type LDAP" in my users file and I got the message below from debug. Could this error "rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP" have to do with the fact that there is no User-Password delivered from the AP? Or am I wrong and there is an invisible User-Password delivered with the EAP Message?

Thanks for help!

regards, cl

rad_recv: Access-Request packet from host 10.0.0.3:1070, id=46, length=138
        User-Name = "user1"
        Cisco-AVPair = "ssid=uni"
        NAS-IP-Address = 10.0.0.3
        Called-Station-Id = "00409656234c"
        Calling-Station-Id = "000a417d326d"
        NAS-Identifier = "ap350"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x0202000a017573657231
        Message-Authenticator = 0xe9df05aa9b0d91d27f636d695b9d8a43
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "attr_filter" returns noop
rlm_eap: EAP packet type notification id 2 length 10
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
modcall[authorize]: module "files" returns notfound
modcall[authorize]: module "mschap" returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat: '(&(sn=user1)(ObjectClass=radiusprofile))'
radius_xlat: 'ou=mainz,dc=mydomain.net'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=mainz,dc=mydomain.net, with filter (&(sn=user1)(ObjectClass=radiusprofile))
rlm_ldap: checking if remote access for user1 is allowed by dialupAccess
rlm_ldap: Added password = testpwd in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 10.0.0.23 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: user user1 authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 2 length 10
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type leap
rlm_eap_leap: Stage 2
rlm_eap_leap: Issuing AP Challenge
rlm_eap_leap: Successfully initiated
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 46 to 10.0.0.3:1070
        Framed-IP-Address = 10.0.0.23
        Framed-Protocol = PPP
        Service-Type = Framed-User
        EAP-Message = 0x0103001511010008cef93415f588ff937573657231
        Message-Authenticator = 0x
        State = 0x089db0ee801263209bdf3e68e65862ab3f7bcb6fa873f1eecea7605510940377cae495da
Finished request 14
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

rad_recv: Access-Request packet from host 10.0.0.3:1071, id=47, length=203
        User-Name = "user1"
        Cisco-AVPair = "ssid=uni"
        NAS-IP-Address = 10.0.0.3
        Called-Station-Id = "00409656234c"
        Calling-Station-Id = "000a417d326d"
        NAS-Identifier = "ap350"
        NAS-Port = 37
        Framed-MTU = 1400
        State = 0x089db0ee801263209bdf3e68e65862ab3f7bcb6fa873f1eecea7605510940377cae495da
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x0203002511010018e62e21897199cc3bbc5b407aa427e1cf83145261c044e59d7573657231
        Message-Authenticator = 0x994e5c07ef90adce4cd1c14cbd0d9194
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "attr_filter" returns noop
rlm_eap: EAP packet type notification id 3 length 37
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
modcall[authorize]: module "files" returns notfound
modcall[authorize]: module "mschap" returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat: '(&(sn=user1)(ObjectClass=radiusprofile))'
radius_xlat: 'ou=mainz,dc=mydomain.net'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=main
LEAP,LDAP & required User-Password
Hello there, I try to run the latest freeradius version with LDAP while I'm facing the following problem:

radiusd.conf:

eap {
        default_eap_type = leap
}

ldap {
        server = "localhost"
        basedn = "ou=mainz,dc=mydomain.net"
        filter = "(&(sn=%{Stripped-User-Name:-%{User-Name}})(ObjectClass=radiusprofile))"
        start_tls = no
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

authorize {
        preprocess
        chap
        eap
        suffix
        files
        mschap
        ldap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
                ldap
                eap
        }
}

LDIF user file:

dn: cn=user1,ou=mainz,dc=mydomain.net
objectclass: top
objectclass: person
objectclass: radiusprofile
objectclass: inetOrgPerson
cn: user1
userPassword:= testpwd
dialupAccess: yes
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPAddress: 10.0.0.23
sn: user1

debug message:

# /usr/sbin/radiusd -A -X
rad_recv: Access-Request packet from host 141.26.244.225:1052, id=28, length=138
        User-Name = "user1"
        Cisco-AVPair = "ssid=uni"
        NAS-IP-Address = 10.0.0.3
        Called-Station-Id = "00409656234c"
        Calling-Station-Id = "000a417d326d"
        NAS-Identifier = "ap350"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x0202000a017573657231
        Message-Authenticator = 0x391930aa92b6d67152b89a39368fbbd7
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "attr_filter" returns noop
rlm_eap: EAP packet type notification id 2 length 10
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
    users: Matched DEFAULT at 158
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat: '(&(sn=user1)(ObjectClass=radiusprofile))'
radius_xlat: 'ou=mainz,dc=mydomain.net'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=mainz,dc=mydomain.net, with filter (&(sn=user1)(ObjectClass=radiusprofile))
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=mainz,dc=mydomain.net, with filter (&(sn=user1)(ObjectClass=radiusprofile))
rlm_ldap: checking if remote access for user1 is allowed by dialupAccess
rlm_ldap: Added password = testpwd in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 10.0.0.23 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: user user1 authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "ldap" returns invalid
modcall: group Auth-Type returns invalid
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 28 to 141.26.244.225:1052
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 28 with timestamp 3f7aff57
Nothing to do. Sleeping until we see a request.

It sounds to me like the User-Password value from the supplicant isn't carried correctly:

---> "rlm_ldap: Attribute "User-Password" is required for authentication." <---

rad_recv: Access-Request packet from host 141.26.244.225:1052, id=28, length=138
        User-Name = "user1"

Hmm, usually after the User-Name entry there is a User-Password entry, right? And I think the password stored in LDAP is delivered correctly because: "rlm_ldap: Added password = testpwd in check items". I have no idea why the User-Password isn't delivered within the Access-Request packet. Would be nice if anyone has an idea or could point me in the right direction?

Regards, cl
Re: how to send EAP-Message [Re: LEAP authentication fails]
Hey Dave, thanks a lot! nice thing... worked fine for me so far :). There's a tool called ntradpad (winnt); you can change the request type to send EAP messages with, but I haven't tried it out yet. I couldn't really follow suit when it came to the point that RADIUS changes the state attribute, because I don't know exactly what the RADIUS state attributes are and what they do, I can only imagine... but anyways thanks a lot! I'll try to get some more information about these state attributes.

regards, cl

Dave Mason schrieb:

Hi, here's how I do it. I don't know of a test client that can easily build a RADIUS Access-Request with an EAP-Message - if anybody does please let us know. The radclient program supplied with Freeradius can add an EAP-Message attribute but you have to code it yourself in hex. Here's how I send an EAP/Response/Identity:

$ radclient -f eapRspId.txt -r 1 localhost auth testing

The eapRspId.txt file looks like this:

---
[EMAIL PROTECTED], Message-Authenticator=xxx, EAP-Message="0x020100210131393230353332323830303230333130407472616e7361742e636f6d"
# EAP-Resp/id=1/type=Identity/[EMAIL PROTECTED]
--

I put the comment last because radclient stops as soon as it sees a comment.

Another thing to keep in mind. Freeradius will set the RADIUS State attribute in all challenge messages to some random value, but you'll need to use the same value in the State attribute of the response. If you're using hard coded message files like this, adding a different State value every time would be a pain, so I use a test patch in rlm_eap/state.c that sets State to some known value like "state1", "state2", etc., throughout the challenge sequence, and another in my rlm_eap_ to restart back to "state1" when EAP-Success or Failure is sent. You can keep the state number in a global variable. This lets you hard code the State value in the eapRspXxx.txt message file. I now turn the patch on at compile time with a flag, but someday I'd like to make it configurable in radiusd.conf.

Dave
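Added example (my own Python, not Dave's code and not part of FreeRADIUS): a small EAP-Message encoder and decoder that produces the Response/Identity hex Dave hand-codes for radclient, and decodes the LEAP Request and Response captured in the rlm_eap_leap debug output earlier in this thread. The EAP header layout (code, id, length, type) is that of RFC 3748; EAP type 17 and the LEAP body layout (version, unused, count, data, name) are those implemented by rlm_eap_leap. The identity "user1" and the sample packets in the usage section are the ones visible in the thread; pair_leap_exchange is my own helper name. It stops at extracting the challenge and the 24-byte NtChallengeResponse; it does not compute the response itself.

```python
import struct
from typing import Any, Dict, Tuple

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_LEAP = 17        # EAP method type registered for Cisco LEAP
LEAP_CHALLENGE_LEN = 8    # challenge the server sends to the peer
LEAP_RESPONSE_LEN = 24    # NtChallengeResponse the peer sends back


def build_eap_response_identity(identity: str, eap_id: int) -> str:
    """Encode EAP-Response/Identity as the "0x..." hex radclient expects
    in an EAP-Message attribute (code=2, id, length, type=1, identity)."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode("utf-8")
    header = struct.pack("!BBH", EAP_RESPONSE, eap_id & 0xFF, 4 + len(body))
    return "0x" + (header + body).hex()


def parse_eap_message(hexstr: str) -> Dict[str, Any]:
    """Decode one EAP packet given as hex (optional 0x prefix).
    Identity and LEAP bodies are decoded; other types are returned raw."""
    raw = bytes.fromhex(hexstr[2:] if hexstr[:2].lower() == "0x" else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 octets")
    code, eap_id, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length {length} does not match packet size {len(raw)}")
    out: Dict[str, Any] = {"code": code, "id": eap_id, "length": length}
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return out
    if length < 5:
        raise ValueError("Request/Response needs a Type octet")
    eap_type, data = raw[4], raw[5:]
    out["type"] = eap_type
    if eap_type == EAP_TYPE_IDENTITY:
        out["identity"] = data.decode("utf-8", errors="replace")
    elif eap_type == EAP_TYPE_LEAP:
        # LEAP body: version(1) unused(1) count(1) data(count) name(rest)
        if len(data) < 3 or len(data) < 3 + data[2]:
            raise ValueError("LEAP body truncated")
        count = data[2]
        out["leap"] = {
            "version": data[0],
            "count": count,
            "data": data[3:3 + count].hex(),
            "name": data[3 + count:].decode("utf-8", errors="replace"),
        }
    else:
        out["data"] = data.hex()
    return out


def pair_leap_exchange(challenge_hex: str, response_hex: str) -> Tuple[bytes, bytes, str]:
    """Check that a LEAP Request and the following Response belong together
    (same EAP id, same name, expected data lengths) and return
    (challenge, nt_challenge_response, name) ready for a password check."""
    req, rsp = parse_eap_message(challenge_hex), parse_eap_message(response_hex)
    if req["code"] != EAP_REQUEST or rsp["code"] != EAP_RESPONSE:
        raise ValueError("expected an EAP Request followed by an EAP Response")
    if req.get("type") != EAP_TYPE_LEAP or rsp.get("type") != EAP_TYPE_LEAP:
        raise ValueError("both packets must be EAP type 17 (LEAP)")
    if req["id"] != rsp["id"]:
        raise ValueError(f"EAP id mismatch: request {req['id']}, response {rsp['id']}")
    if req["leap"]["name"] != rsp["leap"]["name"]:
        raise ValueError("LEAP name differs between request and response")
    if req["leap"]["count"] != LEAP_CHALLENGE_LEN or rsp["leap"]["count"] != LEAP_RESPONSE_LEN:
        raise ValueError("unexpected LEAP challenge/response length")
    return (bytes.fromhex(req["leap"]["data"]),
            bytes.fromhex(rsp["leap"]["data"]),
            req["leap"]["name"])


if __name__ == "__main__":
    # Packets taken from the debug output posted earlier in this thread.
    print(build_eap_response_identity("user1", 2))   # 0x0202000a017573657231
    print(parse_eap_message("0x0202000a017573657231"))
    chal, resp, name = pair_leap_exchange(
        "0x0103001511010008cef93415f588ff937573657231",
        "0x0203002511010018e62e21897199cc3bbc5b407aa427e1cf83145261c044e59d7573657231",
    )
    print(name, chal.hex(), resp.hex())
```

The length check against the EAP header is the one worth keeping in any tool that feeds hand-built hex to radclient: a miscounted length field is the usual reason a crafted EAP-Message is silently ignored by rlm_eap.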
Re: LEAP authentication fails
Hello, thanks for the quick response Alan! I'm sorry! You're right, maybe sometimes I need someone else to open my blind eyes :). I guess there is no testing tool I can send an EAP message with, or is there?

regards, cl

Alan DeKok schrieb:

claufer <[EMAIL PROTECTED]> wrote:

Below here I'll just describe what I did so far: I added two users in the /raddb/users file:

test1   Auth-Type := eap, User-Password == "test1pwd"

Do NOT do that. The EAP module will decide whether or not to do EAP.

After configuring I did:

# radtest test1 test1pwd localhost 0 localpwd
Sending Access-Request of id 172 to 127.0.0.1:1812
        User-Name = "test1"
        User-Password = "test1pwd"
        NAS-IP-Address = wlan
        NAS-Port = 0

There's no EAP-Message in that packet.

rlm_eap: EAP-Message not found

So the EAP module doesn't do anything with it.

Why isn't the first user working with Auth-Type := eap ?

Because you didn't give it a request containing EAP. The error messages you posted to the list said exactly what went wrong, and you should have read them.

Alan DeKok.
LEAP authentication fails
Hello there, I got a problem with the LEAP authentication. I run Freeradius Version 0.9.0 (21 July, 2003) on Solaris 9. The authenticator will be a CISCO AP 350 and the supplicant Win2k with the Aironet Client Utility. Below here I'll just describe what I did so far:

I added two users in the /raddb/users file:

test1   Auth-Type := eap, User-Password == "test1pwd"
        Service-Type = Login-User

and:

test2   Auth-Type := Local, User-Password == "test2pwd"
        Service-Type = Login-User

// radiusd.conf

I changed:

default_eap_type = md5

to:

default_eap_type = leap

I turned on the following variables so later I could see if my typed-in password was correct.

log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes

// clients.conf

client 127.0.0.1 {
        secret = localpwd
        shortname = localhost
        nastype = other
}

client 10.0.0.2 {
        secret = appwd
        shortname = ap350
        nastype = cisco
}

After configuring I did:

# radtest test1 test1pwd localhost 0 localpwd
Sending Access-Request of id 172 to 127.0.0.1:1812
        User-Name = "test1"
        User-Password = "test1pwd"
        NAS-IP-Address = wlan
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=172, length=20

And I got the following message from radiusd -X:

rad_recv: Access-Request packet from host 127.0.0.1:32860, id=172, length=57
        User-Name = "test1"
        User-Password = "test1pwd"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP-Message not found
modcall[authorize]: module "eap" returns noop
rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
    users: Matched test1 at 97
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
rad_check_password: Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP-Message not found
modcall[authenticate]: module "eap" returns noop
modcall: group authenticate returns noop
auth: Failed to validate the user.
Login incorrect: [test1/test1pwd] (from client localhost port 0)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 172 to 127.0.0.1:32860
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 172 with timestamp 3f574020
Nothing to do. Sleeping until we see a request.

But when I tried out the second user with:

# radtest test2 test2pwd localhost 0 localpwd
Sending Access-Request of id 177 to 127.0.0.1:1812
        User-Name = "test2"
        User-Password = "test2pwd"
        NAS-IP-Address = wlan
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=177, length=26
        Service-Type = Login-User

I get this answer from radiusd -X:

rad_recv: Access-Request packet from host 127.0.0.1:32861, id=177, length=57
        User-Name = "test2"
        User-Password = "test2pwd"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP-Message not found
modcall[authorize]: module "eap" returns noop
rlm_realm: No '@' in User-Name = "test2", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
    users: Matched test2 at 100
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [test2/test2pwd] (from client localhost port 0)
Sending Access-Accept of id 177 to 127.0.0.1:32861
        Service-Type = Login-User
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 177 with timestamp 3f57405d
Nothing to do. Sleeping until we see a request.

Why isn't the first user working with Auth-Type := eap ? As you might have seen, the given username and password are equal to the /raddb/users file. I first thought that it might have had to do with the problem that CISCO LEAP can't read my stored password, but I do use a plain-text User-Password as described in radiusd.conf. After testing locally I tried out the same thing from a different machine on the network, but unfortunately with the same results :(.

Thanks in advance for any good ideas!

best regards, cl