Re: LEAP,LDAP & required User-Password

2003-10-08 Thread claufer

Probably you need to extract your user password from the LDAP entry and make it
available to eap_leap. The password should be clear text for things to work, I
think. Check out doc/rlm_eap (EAP-MD5 and ldap) and doc/rlm_ldap on how to
configure password extraction in the ldap module.

To complete the mailing list entry I'll describe what I did wrong. Maybe
someone someday will make the same dumb mistake :).
As listed in my first mailing list message I used the LDIF file where
User-Password was set with: "userPassword:= testpwd". Exactly here is
the problem. As long as I used "userPassword:= testpwd" the error
"rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP" appeared.
As soon as I deleted the "=" in the entry no error message appeared and
user1 could authenticate successfully. There is another way to get this
to work. When I configured the entry in LDIF as follows:
"userPassword: {clear}testpwd" and uncommented password_header =
"{clear}" in the LDAP section of radiusd.conf, authentication for user1 was
successful again.

best regards,
cl
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LEAP,LDAP & required User-Password

2003-10-07 Thread claufer

 I didn't say that.
 

Ok, I'm sorry, then I've misunderstood something.

This means that my UserPassword entry in LDAP is unnecessary?
   

 No.
 

Ok.

I was setting up a DEFAULT password for all my LDAP users in users file.
   

 I don't see why.
 

Just to see if authentication with the password in the users file can be
successful instead of having the password in LDAP, where the
authentication always fails with the error: rlm_eap_leap: "FAILED
incorrect NtChallengeResponse from AP".

Put the user's password into the ldap database?

 Alan DeKok.

Hmm, Ok. That's what I already did before: setting the "userPassword"
entry in LDAP. Sadly I always get this error message above.
But if I understood you properly I'm on the right path to get this to work
when setting the var "userPassword:=" in ldif files.
I don't know where else I'm doing something wrong in configs, but if
anyone has some ideas I would be really grateful!

best regards,
cl




Re: LEAP,LDAP & required User-Password

2003-10-06 Thread claufer
Thanks for the response, Alan.

 That's for doing PAP authentication against the LDAP server.  EAP
isn't PAP, so you can't do EAP authentication against the LDAP server.
 

Hmm, I'm confused now :/, so I can't use LEAP with freeradius while
having the whole user attributes (password entry included) in LDAP for
authentication?

Or am I wrong and there is an invisible User-Password delivered with the
EAP Message?
   

 There is no User-Password in EAP.

 Alan DeKok.

This means that my UserPassword entry in LDAP is unnecessary?
How else can I set a password for the users in LDAP? Or is there no
opportunity?

I was setting up a DEFAULT password for all my LDAP users in the users file.
After that the authentication of the users was successful. Instead of
the error "rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP"
the message "rlm_eap_leap: NtChallengeResponse from AP is valid"
appeared. But my main goal is to have the password entry in the LDAP
database.

What am I doing wrong, and how can I set the password for the users in
LDAP in such a way that users can successfully authenticate without getting
the error message rlm_eap_leap: "FAILED incorrect NtChallengeResponse
from AP"?

thanks in advance for any good suggestions!

regards,
cl




Re: LEAP,LDAP & required User-Password

2003-10-02 Thread claufer
Alan,
thanks for your response. Ok, I understand. I was reading some postings
on the list about LDAP and they were always putting Auth-Type to LDAP
manually in the users file. That's why I thought it must be done manually. So
theoretically there is no need at all for the users file if I have my
whole user attributes in LDAP? Please correct me if I'm wrong, I'm just
trying to understand.

Now I deleted the last entry "Auth-Type LDAP" in my users file and I got
the message below from debug. Could this error "rlm_eap_leap: FAILED
incorrect NtChallengeResponse from AP" have to do with the fact that
there is no User-Password delivered from the AP? Or am I wrong and there is
an invisible User-Password delivered with the EAP Message?

Thanks for help!

regards,
cl

rad_recv: Access-Request packet from host 10.0.0.3:1070, id=46, length=138
   User-Name = "user1"
   Cisco-AVPair = "ssid=uni"
   NAS-IP-Address = 10.0.0.3
   Called-Station-Id = "00409656234c"
   Calling-Station-Id = "000a417d326d"
   NAS-Identifier = "ap350"
   NAS-Port = 37
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Service-Type = Login-User
   EAP-Message = 0x0202000a017573657231
   Message-Authenticator = 0xe9df05aa9b0d91d27f636d695b9d8a43
modcall: entering group authorize
 modcall[authorize]: module "preprocess" returns ok
 modcall[authorize]: module "chap" returns noop
 modcall[authorize]: module "attr_filter" returns noop
rlm_eap: EAP packet type notification id 2 length 10
rlm_eap: EAP Start not found
 modcall[authorize]: module "eap" returns updated
   rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop
 modcall[authorize]: module "files" returns notfound
 modcall[authorize]: module "mschap" returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat: '(&(sn=user1)(ObjectClass=radiusprofile))'
radius_xlat: 'ou=mainz,dc=mydomain.net'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=mainz,dc=mydomain.net, with filter (&(sn=user1)(ObjectClass=radiusprofile))
rlm_ldap: checking if remote access for user1 is allowed by dialupAccess
rlm_ldap: Added password = testpwd in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 10.0.0.23 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: user user1 authorized to use remote access
ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns updated
 rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 2 length 10
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type leap
rlm_eap_leap: Stage 2
rlm_eap_leap: Issuing AP Challenge
rlm_eap_leap: Successfully initiated
 modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 46 to 10.0.0.3:1070
   Framed-IP-Address = 10.0.0.23
   Framed-Protocol = PPP
   Service-Type = Framed-User
   EAP-Message = 0x0103001511010008cef93415f588ff937573657231
   Message-Authenticator = 0x
   State = 0x089db0ee801263209bdf3e68e65862ab3f7bcb6fa873f1eecea7605510940377cae495da
Finished request 14
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.0.3:1071, id=47, length=203
   User-Name = "user1"
   Cisco-AVPair = "ssid=uni"
   NAS-IP-Address = 10.0.0.3
   Called-Station-Id = "00409656234c"
   Calling-Station-Id = "000a417d326d"
   NAS-Identifier = "ap350"
   NAS-Port = 37
   Framed-MTU = 1400
   State = 0x089db0ee801263209bdf3e68e65862ab3f7bcb6fa873f1eecea7605510940377cae495da
   NAS-Port-Type = Wireless-802.11
   Service-Type = Login-User
   EAP-Message = 0x0203002511010018e62e21897199cc3bbc5b407aa427e1cf83145261c044e59d7573657231
   Message-Authenticator = 0x994e5c07ef90adce4cd1c14cbd0d9194
modcall: entering group authorize
 modcall[authorize]: module "preprocess" returns ok
 modcall[authorize]: module "chap" returns noop
 modcall[authorize]: module "attr_filter" returns noop
rlm_eap: EAP packet type notification id 3 length 37
rlm_eap: EAP Start not found
 modcall[authorize]: module "eap" returns updated
   rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop
 modcall[authorize]: module "files" returns notfound
 modcall[authorize]: module "mschap" returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat: '(&(sn=user1)(ObjectClass=radiusprofile))'
radius_xlat: 'ou=mainz,dc=mydomain.net'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=main

LEAP,LDAP & required User-Password

2003-10-01 Thread claufer
Hello there,

I try to run the latest freeradius version with LDAP while I'm facing
the following problem:

Radiusd.conf:

eap {
    default_eap_type = leap
}

ldap {
    server = "localhost"
    basedn = "ou=mainz,dc=mydomain.net"
    filter = "(&(sn=%{Stripped-User-Name:-%{User-Name}})(ObjectClass=radiusprofile))"
    start_tls = no
    access_attr = "dialupAccess"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

authorize {
    preprocess
    chap
    eap
    suffix
    files
    mschap
    ldap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    Auth-Type LDAP {
        ldap
        eap
    }
}

LDIF user file:

dn: cn=user1,ou=mainz,dc=mydomain.net
objectclass: top
objectclass: person
objectclass: radiusprofile
objectclass: inetOrgPerson
cn: user1
userPassword:= testpwd
dialupAccess: yes
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPAddress: 10.0.0.23
sn: user1

debug message:

# /usr/sbin/radiusd -A -X
rad_recv: Access-Request packet from host 141.26.244.225:1052, id=28, length=138
   User-Name = "user1"
   Cisco-AVPair = "ssid=uni"
   NAS-IP-Address = 10.0.0.3
   Called-Station-Id = "00409656234c"
   Calling-Station-Id = "000a417d326d"
   NAS-Identifier = "ap350"
   NAS-Port = 37
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Service-Type = Login-User
   EAP-Message = 0x0202000a017573657231
   Message-Authenticator = 0x391930aa92b6d67152b89a39368fbbd7
modcall: entering group authorize
 modcall[authorize]: module "preprocess" returns ok
 modcall[authorize]: module "chap" returns noop
 modcall[authorize]: module "attr_filter" returns noop
rlm_eap: EAP packet type notification id 2 length 10
rlm_eap: EAP Start not found
 modcall[authorize]: module "eap" returns updated
   rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop
   users: Matched DEFAULT at 158
 modcall[authorize]: module "files" returns ok
 modcall[authorize]: module "mschap" returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat: '(&(sn=user1)(ObjectClass=radiusprofile))'
radius_xlat: 'ou=mainz,dc=mydomain.net'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=mainz,dc=mydomain.net, with filter (&(sn=user1)(ObjectClass=radiusprofile))
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=mainz,dc=mydomain.net, with filter (&(sn=user1)(ObjectClass=radiusprofile))
rlm_ldap: checking if remote access for user1 is allowed by dialupAccess
rlm_ldap: Added password = testpwd in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 10.0.0.23 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: user user1 authorized to use remote access
ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns updated
 rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
 modcall[authenticate]: module "ldap" returns invalid
modcall: group Auth-Type returns invalid
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 28 to 141.26.244.225:1052
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 28 with timestamp 3f7aff57
Nothing to do. Sleeping until we see a request.

It sounds to me like the User-Password value from the Supplicant isn't
carried correctly:

---> "rlm_ldap: Attribute "User-Password" is required for
authentication." <---

rad_recv: Access-Request packet from host 141.26.244.225:1052, id=28, length=138
   User-Name = "user1"

Hmm, usually after the User-Name entry is a User-Password entry, right?

And I think the password stored in LDAP is delivered correctly because:

"rlm_ldap: Added password = testpwd in check items"

I have no idea why the User-Password isn't delivered within the
Access-Request packet.

Would be nice if anyone has an idea or could point me in the right
direction?

Regards,

cl





Re: how to send EAP-Message [Re: LEAP authentication fails]

2003-09-05 Thread claufer
Hey Dave,
thanks a lot! Nice thing... worked fine for me so far :).
There's a tool called ntradpad (winnt); you can change the request type to
send EAP messages with, but I didn't try it out yet. I couldn't really
follow suit when it came to the point that RADIUS changes the state
attribute, because I don't know exactly what the RADIUS state attributes
are and what they do, I can only imagine... but anyway, thanks a lot!
I'll try to get some more information about these state attributes.

regards,
cl
Dave Mason wrote:
Hi,
Here's how I do it.  I don't know of a test client that can easily build 
a RADIUS Access-Request with an EAP-Message - if anybody does please let 
us know.  The radclient program supplied with Freeradius can add an 
EAP-Message attribute but you have to code it yourself in hex.  Here's 
how I send an EAP/Response/Identity:

$ radclient -f eapRspId.txt -r 1 localhost auth testing

The eapRspId.txt file looks like this:
---
[EMAIL PROTECTED], Message-Authenticator=xxx,
EAP-Message="0x020100210131393230353332323830303230333130407472616e7361742e636f6d"
# EAP-Resp/id=1/type=Identity/[EMAIL PROTECTED]
--
I put the comment last because radclient stops as soon as it sees a 
comment.  Another thing to keep in mind.  Freeradius will set the RADIUS 
State attribute in all challenge messages to some random value, but 
you'll need to use the same value in the State attribute of the 
response.  If you're using hard coded message files like this, adding a 
different State value every time would be a pain, so I use a test patch 
in rlm_eap/state.c that sets State to some known value like "state1", 
"state2", etc., throughout the challenge sequence, and another in my 
rlm_eap_ to restart back to "state1" when EAP-Success or Failure 
is sent.  You can keep the state number in a global variable.  This lets 
you hard code the State value in the eapRspXxx.txt message file.  I now 
turn the patch on at compile time with a flag, but someday I'd like to 
make it configurable in radiusd.conf.

Dave
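As an added example, not code from this thread or from FreeRADIUS: a small Python decoder for the EAP-Message hex values that radiusd -X printed in the LEAP exchange earlier on this page, plus a builder for the Response/Identity hex that Dave's radclient file needs. It shows what those packets actually carry: the Identity round holds only the user name, and the LEAP round only an 8-byte AP challenge and a 24-byte NtChallengeResponse, never a User-Password, which is why the server has to hold the cleartext password itself.

```python
import struct

# Constructed for this example; only the codes/types seen in the thread are named.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 17: "LEAP"}


def parse_eap_message(hexstr):
    """Decode one RADIUS EAP-Message attribute given as the '0x...' hex radiusd -X prints."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    # The length field is authoritative; a mismatch means a truncated or padded packet.
    if length != len(raw):
        raise ValueError(f"EAP length {length} != {len(raw)} bytes on the wire")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                      # Success/Failure carry no type or data
        return msg
    eap_type = raw[4]
    msg["type"] = EAP_TYPES.get(eap_type, eap_type)
    data = raw[5:]
    if eap_type == 1:                       # Identity: just the user name in clear
        msg["identity"] = data.decode("ascii", "replace")
    elif eap_type == 17:                    # LEAP: version, unused, count, payload, name
        if len(data) < 3 or len(data) < 3 + data[2]:
            raise ValueError("LEAP payload shorter than its count byte claims")
        count = data[2]
        msg.update(version=data[0], count=count,
                   payload=data[3:3 + count].hex(),   # 8-byte challenge or 24-byte response
                   name=data[3 + count:].decode("ascii", "replace"))
    else:
        msg["data"] = data.hex()
    return msg


def build_identity_response(ident, identity):
    """Hex for radclient's EAP-Message attribute: Code 2 (Response), Type 1 (Identity)."""
    body = bytes([1]) + identity.encode("ascii")
    return "0x" + (struct.pack("!BBH", 2, ident, 4 + len(body)) + body).hex()


# The three EAP-Messages copied from the radiusd -X output earlier in this thread.
IDENTITY_RESPONSE = "0x0202000a017573657231"
LEAP_CHALLENGE = "0x0103001511010008cef93415f588ff937573657231"
LEAP_RESPONSE = ("0x0203002511010018e62e21897199cc3bbc5b407aa427e1cf"
                 "83145261c044e59d7573657231")

if __name__ == "__main__":
    for label, hexstr in (("Identity", IDENTITY_RESPONSE),
                          ("AP challenge", LEAP_CHALLENGE),
                          ("NtChallengeResponse", LEAP_RESPONSE)):
        print(label, parse_eap_message(hexstr))
    # Same bytes the supplicant sent, rebuilt the way Dave's eapRspId.txt needs them.
    print(build_identity_response(2, "user1"))
```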




Re: LEAP authentication fails

2003-09-04 Thread claufer
Hello,
thanks for the quick response, Alan!
I'm sorry! You're right, maybe sometimes I need someone else to open my
blind eyes :).
I guess there is no testing tool I can send an EAP message with, or
is there?

regards,
cl


Alan DeKok wrote:
claufer <[EMAIL PROTECTED]> wrote:

Below here I'll just describe what I did so far:

I added two users in the /raddb/users file:
test1   Auth-Type := eap, User-Password == "test1pwd"
   

  Do NOT do that.  The EAP module will decide whether or not to do
EAP.

After configuring i did :
# radtest test1 test1pwd localhost 0 localpwd
Sending Access-Request of id 172 to 127.0.0.1:1812
   User-Name = "test1"
   User-Password = "test1pwd"
   NAS-IP-Address = wlan
   NAS-Port = 0


  There's no EAP-Message in that packet.


rlm_eap: EAP-Message not found


  So the EAP module doesn't do anything with it.


Why isn't the first user working with Auth-Type := eap ?


  Because you didn't give it a request containing EAP.  The error
messages you posted to the list said exactly what went wrong, and you
should have read them.
  Alan DeKok.



LEAP authentication fails

2003-09-04 Thread claufer
Hello there,
I got a problem with the LEAP authentication.
I run Freeradius version 0.9.0 (21 July, 2003) on Solaris 9.
The Authenticator will be a CISCO AP 350 and the Supplicant Win2k with the
Aironet Client Utility.

Below here I'll just describe what I did so far:

I added two users in the /raddb/users file:
test1   Auth-Type := eap, User-Password == "test1pwd"
        Service-Type = Login-User
and:
test2   Auth-Type := Local, User-Password == "test2pwd"
        Service-Type = Login-User

// Radiusd.conf
I changed: default_eap_type = md5
to:
default_eap_type = leap
I turned on the following variables so later I could see if my typed in
password was correct.
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes

// Clients.conf
client 127.0.0.1 {
    secret = localpwd
    shortname = localhost
    nastype = other
}
client 10.0.0.2 {
    secret = appwd
    shortname = ap350
    nastype = cisco
}
After configuring I did:
# radtest test1 test1pwd localhost 0 localpwd
Sending Access-Request of id 172 to 127.0.0.1:1812
   User-Name = "test1"
   User-Password = "test1pwd"
   NAS-IP-Address = wlan
   NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=172, length=20
And I got the following message from radiusd -X

rad_recv: Access-Request packet from host 127.0.0.1:32860, id=172, length=57
   User-Name = "test1"
   User-Password = "test1pwd"
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 0
modcall: entering group authorize
 modcall[authorize]: module "preprocess" returns ok
 modcall[authorize]: module "chap" returns noop
rlm_eap: EAP-Message not found
 modcall[authorize]: module "eap" returns noop
   rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop
   users: Matched test1 at 97
 modcall[authorize]: module "files" returns ok
 modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
 rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP-Message not found
 modcall[authenticate]: module "eap" returns noop
modcall: group authenticate returns noop
auth: Failed to validate the user.
Login incorrect: [test1/test1pwd] (from client localhost port 0)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 172 to 127.0.0.1:32860
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 172 with timestamp 3f574020
Nothing to do.  Sleeping until we see a request.
But when I tried out the second user with:

# radtest test2 test2pwd localhost 0 localpwd
Sending Access-Request of id 177 to 127.0.0.1:1812
   User-Name = "test2"
   User-Password = "test2pwd"
   NAS-IP-Address = wlan
   NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=177, length=26
   Service-Type = Login-User
I get this answer from radiusd -X

rad_recv: Access-Request packet from host 127.0.0.1:32861, id=177, length=57
   User-Name = "test2"
   User-Password = "test2pwd"
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 0
modcall: entering group authorize
 modcall[authorize]: module "preprocess" returns ok
 modcall[authorize]: module "chap" returns noop
rlm_eap: EAP-Message not found
 modcall[authorize]: module "eap" returns noop
   rlm_realm: No '@' in User-Name = "test2", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop
   users: Matched test2 at 100
 modcall[authorize]: module "files" returns ok
 modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
 rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [test2/test2pwd] (from client localhost port 0)
Sending Access-Accept of id 177 to 127.0.0.1:32861
   Service-Type = Login-User
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 177 with timestamp 3f57405d
Nothing to do.  Sleeping until we see a request.
Why isn't the first user working with Auth-Type := eap?
As you might have seen the given Username and Password are equal to the
/raddb/users file.
I first thought that it might have had to do with the problem that CISCO LEAP
can't read my stored Password, but I do use a plain-text User-Password
as described in radiusd.conf.
After testing locally I tried out the same thing from a different
machine on the network, but unfortunately with the same results :(.

Thanks in advance for any good Ideas!

best regards,
cl