Re: Chap-Password send encrypted?

2003-01-13 Thread Alan DeKok
"leaobicalho" <[EMAIL PROTECTED]> wrote:
> I did try it... I need to know only if,
> when I use Chap-Password in radclient,
> chap-password sends the password to the
> server encrypted or not, understand?

  Yes, I understand very well.

  Try using 'tcpdump'.

> if it will send plain-text or encrypted...

  It follows the RFCs.  Look at the source code to see how it works.


  What I don't understand is why you would care.  Either the server
works the way the RFCs say, in which case it doesn't matter HOW, or
the server doesn't work, in which case it's a bug.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Chap-Password send encrypted?

2003-01-13 Thread leaobicalho
I did try it... I need to know only if,
when I use Chap-Password in radclient,
chap-password sends the password to the
server encrypted or not, understand?
if it will send plain-text or encrypted...

> "leaobicalho" <[EMAIL PROTECTED]> wrote:
> > I'm using Chap-Password in the Radius
> > Client. I need to know if
> > Chap-Password sends the password encrypted
> > to the Radius Server or only plain-text?
>
>   Did you try it?  Or, did you look at the source code?
>
>   Either way would be quicker than sending a question to the list.
>
>   Alan DeKok.
>
>

___
Animation Design®
www.animationdesign.com.br








Re: Chap-Password send encrypted?

2003-01-13 Thread Alan DeKok
"leaobicalho" <[EMAIL PROTECTED]> wrote:
> I'm using Chap-Password in the Radius
> Client. I need to know if
> Chap-Password sends the password encrypted
> to the Radius Server or only plain-text?

  Did you try it?  Or, did you look at the source code?

  Either way would be quicker than sending a question to the list.

  Alan DeKok.




Re: CHAP-Password Authentication

2002-10-04 Thread Kostas Kalevras

On Fri, 4 Oct 2002, steve wrote:

> Re: CHAP Authentication
>
> I recently posted a request for help re: CHAP Authentication - thanks to
> everyone for your replies.  Here is my new dilemma:
>
> We need to authenticate using the unix shadow/system. Per everyone's
> suggestion, we're attempting to authenticate using PAP. We've removed all
> other authentication schemes from the radiusd.conf file... this is what we
> have left:
>
>   # Authentication.
>   authenticate {
>     authtype PAP {
>       pap
>     }
>   }
>
> When we receive an incoming request from the terminal server, this is what
> we get in the debug log:
>
>   
> Thread 1 handling request 0, (1 handled so far)
> User-Name = "magnus"
> CHAP-Password = 0x01a030df1ec26de22aa48fb6095472d67d
> NAS-Port-Type = Async
> Calling-Station-Id = "755270XXX"
> Called-Station-Id = "0198308066"
> X-Ascend-Data-Rate = 31200
> X-Ascend-Xmit-Rate = 50667
> NAS-IP-Address = 144.130.4.5
> Acct-Session-Id = "589[]388708091"
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

You should set the Auth-Type to PAP somewhere (like in the users file).
For example:

authorize{
files
[...]
}

users:

DEFAULT Auth-Type := "PAP"

> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
>   
>
> The user's workstation is a Windows 98 system.
>
> What am I doing wrong here?  If there is anyone out there who wants to make
> a few dollars helping me sort this out, I'm prepared to set aside my ego for
> my sanity!!! :)
>
> Thanks in advance.
>
> Steve
>
>
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf





Re: CHAP-Password Authentication

2002-10-04 Thread steve

Re: CHAP Authentication

I recently posted a request for help re: CHAP Authentication - thanks to
everyone for your replies.  Here is my new dilemma:

We need to authenticate using the unix shadow/system. Per everyone's
suggestion, we're attempting to authenticate using PAP. We've removed all
other authentication schemes from the radiusd.conf file... this is what we
have left:

# Authentication.
authenticate {
  authtype PAP {
    pap
  }
}

When we receive an incoming request from the terminal server, this is what
we get in the debug log:


Thread 1 handling request 0, (1 handled so far)
User-Name = "magnus"
CHAP-Password = 0x01a030df1ec26de22aa48fb6095472d67d
NAS-Port-Type = Async
Calling-Station-Id = "755270XXX"
Called-Station-Id = "0198308066"
X-Ascend-Data-Rate = 31200
X-Ascend-Xmit-Rate = 50667
NAS-IP-Address = 144.130.4.5
Acct-Session-Id = "589[]388708091"
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds


The user's workstation is a Windows 98 system.

What am I doing wrong here?  If there is anyone out there who wants to make
a few dollars helping me sort this out, I'm prepared to set aside my ego for
my sanity!!! :)

Thanks in advance.

Steve






Re: CHAP-Password & LDAP Auth?

2002-03-27 Thread Alan DeKok

Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> Do one of the following:
> 
> 1.
...

  Can you add this to the default 'radiusd.conf.in'?  There are enough
questions about CHAP and other modules that a template should be in
the default configuration file.

  Also, it may be useful to add an 'authorize' section to rlm_pap, and
to list it as the LAST module in the 'authorize' list.  That way, the
discovery of doing PAP authentication can be automagic.

  Hmm... src/main/files.c and src/main/auth.c do various magic to
discover Auth-Type = Local.  This should be fixed, too.

  Alan DeKok.




RE: CHAP-Password & LDAP Auth?

2002-03-27 Thread Kostas Kalevras

On Wed, 27 Mar 2002, Michael S. McCollough wrote:

> I am usually not a complete idiot, but I cannot get this to work. Using the
> settings for radiusd you recommended I cannot get PAP or CHAP to work. PAP
> will work if I put ldap back in the authenticate section. I am beyond the
> point of embarrassed now but must keep going.
>
> Below are my results:
>
> Radiusd.conf authorize and auth sections:
> authorize {
> preprocess
> chap
> ldap
> suffix
> files
> }
>
> authenticate {
> unix
> chap
> #   ldap
> }

The ldap module will set Auth-Type to Ldap if it has not already been set.
In the case of PAP requests the chap module will not set the Auth-Type.

Do one of the following:

1.
authenticate {
chap
authtype Ldap {
ldap
}
}

That is, let the ldap module handle the PAP request.

2.
authenticate {
chap
authtype PAP {
pap
}
}
authorize {
chap
files <-- files is before ldap so that it can set the Auth-Type first
ldap
}
files:

DEFAULT  Auth-Type = PAP

That is, let the pap module handle the PAP request.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf

>
> PAP Attempt:
> rad_recv: Access-Request packet from host 208.241.20.2:64305, id=17,
> length=42
> User-Name = "me"
> Password = "\207\246\031v}\\\237f\207_\307\202#\200\366Q"
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Could not find proper Chap-Password attribute in request
>   modcall[authorize]: module "chap" returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for me
> radius_xlat:  '(uid=me)'
> radius_xlat:  'dc=uchub,dc=com'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap:389:389, authentication 0
> rlm_ldap: bind as cn=manager,dc=uchub,dc=com/password
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in dc=uchub,dc=com, with filter (uid=me)
> rlm_ldap: Added password password in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user me authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok
>   modcall[authorize]: module "suffix" returns ok
> users: Matched DEFAULT at 2
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type ldap
> auth: type "Ldap"
> auth: Failed to validate the user.
> Login incorrect: [me/password] (from client MR-Firewall port 0)
> Sending Access-Reject of id 17 to 208.241.20.2:64305
> Finished request 0
>
>
>
> CHAP Attempt:
> rad_recv: Access-Request packet from host 208.241.20.2:64709, id=18,
> length=43
> User-Name = "me"
> CHAP-Password = "\302w\247\033\363\253S\376\346\t$.\016by=2"
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Adding Auth-Type = CHAP
>   modcall[authorize]: module "chap" returns ok
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for me
> radius_xlat:  '(uid=me)'
> radius_xlat:  'dc=uchub,dc=com'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=uchub,dc=com, with filter (uid=me)
> rlm_ldap: Added password password in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user me authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok
>   modcall[authorize]: module "suffix" returns ok
> users: Matched DEFAULT at 2
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type ldap
> auth: type "Ldap"
> auth: Failed to validate the user.
> Login incorrect: [me/] (from client MR-Firewall port 0)
> Sending Access-Reject of id 18 to 208.241.20.2:64709
> Finished request 1
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 1 ID 18 with timestamp 3ca1ebcd
>
>





Re: CHAP-Password & LDAP Auth?

2002-03-27 Thread pavesi


> > modcall: group authorize returns ok
> >   rad_check_password:  Found Auth-Type ldap
> > auth: type "Ldap"
>
>   Why did you tell it to use Auth-Type LDAP?  Don't do that!

This setting btw is in your 'users' file for those that are wondering..





Re: CHAP-Password & LDAP Auth?

2002-03-27 Thread Alan DeKok

"Michael S. McCollough" <[EMAIL PROTECTED]> wrote:
> I am usually not a complete idiot, but I cannot get this to work. Using the
> settings for radiusd you recommended I cannot get PAP or CHAP to work. PAP
> will work if I put ldap back in the authenticate section.

  That's probably because you're telling it to use 'Auth-Type := LDAP'

  See:

> CHAP Attempt:
> rad_recv: Access-Request packet from host 208.241.20.2:64709, id=18,
> length=43
...
> rlm_chap: Adding Auth-Type = CHAP
...
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type ldap
> auth: type "Ldap"

  Why did you tell it to use Auth-Type LDAP?  Don't do that!

  Alan DeKok.




RE: CHAP-Password & LDAP Auth?

2002-03-27 Thread Michael S. McCollough

I am usually not a complete idiot, but I cannot get this to work. Using the
settings for radiusd you recommended I cannot get PAP or CHAP to work. PAP
will work if I put ldap back in the authenticate section. I am beyond the
point of embarrassed now but must keep going.

Below are my results:

Radiusd.conf authorize and auth sections:
authorize {
preprocess
chap
ldap
suffix
files
}

authenticate {
unix
chap
#   ldap
}

PAP Attempt:
rad_recv: Access-Request packet from host 208.241.20.2:64305, id=17,
length=42
User-Name = "me"
Password = "\207\246\031v}\\\237f\207_\307\202#\200\366Q"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for me
radius_xlat:  '(uid=me)'
radius_xlat:  'dc=uchub,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap:389:389, authentication 0
rlm_ldap: bind as cn=manager,dc=uchub,dc=com/password
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=uchub,dc=com, with filter (uid=me)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user me authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
  modcall[authorize]: module "suffix" returns ok
users: Matched DEFAULT at 2
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type ldap
auth: type "Ldap"
auth: Failed to validate the user.
Login incorrect: [me/password] (from client MR-Firewall port 0)
Sending Access-Reject of id 17 to 208.241.20.2:64305
Finished request 0



CHAP Attempt:
rad_recv: Access-Request packet from host 208.241.20.2:64709, id=18,
length=43
User-Name = "me"
CHAP-Password = "\302w\247\033\363\253S\376\346\t$.\016by=2"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Adding Auth-Type = CHAP
  modcall[authorize]: module "chap" returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for me
radius_xlat:  '(uid=me)'
radius_xlat:  'dc=uchub,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=uchub,dc=com, with filter (uid=me)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user me authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
  modcall[authorize]: module "suffix" returns ok
users: Matched DEFAULT at 2
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type ldap
auth: type "Ldap"
auth: Failed to validate the user.
Login incorrect: [me/] (from client MR-Firewall port 0)
Sending Access-Reject of id 18 to 208.241.20.2:64709
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 18 with timestamp 3ca1ebcd




RE: CHAP-Password & LDAP Auth?

2002-03-27 Thread Shawn O'Shea


The passwords you are adding with this ldapadd are stored in clear text.
Whenever ldapsearch prints 2 colons, it's letting you know it's base64
encoding its output. If you base64 decode the hash that your search
output shows, you get your password:
$ echo cGFzc3dvcmQ= | base64 -d
password

-Shawn

On Wed, 27 Mar 2002, Michael S. McCollough wrote:

> I am using:
> ldapadd -h localhost -D "cn=manager,dc=uchub,dc=com" -W -f adduser.ldif -x
>
> This is what the file contains
> [root@radius migration]# cat /adduser.ldif
> dn: uid=me,ou=People,dc=uchub,dc=com
> uid: me
> cn: Test Account
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword: password
> shadowLastChange: 11764
> shadowMax: 9
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 508
> gidNumber: 509
> homeDirectory: /home/testme2
> gecos: Test Account,Test Inc.,xxx-xxx-,
>
>
> This is what is imported.
> Output of ldapsearch is:
> # me,People,dc=uchub,dc=com
> dn: uid=me,ou=People,dc=uchub,dc=com
> uid: me
> cn: Test Account
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword:: cGFzc3dvcmQ=
> shadowLastChange: 11764
> shadowMax: 9
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 508
> gidNumber: 509
> homeDirectory: /home/testme2
> gecos: Test Account,Test Inc.,xxx-xxx-,
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 176
> # numEntries: 175
> [root@radius migration]#
>
> -Original Message-
> From: pavesi [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 27, 2002 12:15 AM
> To: [EMAIL PROTECTED]
> Subject: RE: CHAP-Password & LDAP Auth?
>
>
>
> >Can some tell me how to override the storing of encrypted passwords?
>
> This is a function of how you are, or the routine that enters the user data
> into your ldap database is defined.  Define as crypt, it goes in encrypted.
>
>
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.


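The `::` convention Shawn explains above is the LDIF rule: one colon introduces a literal value, two colons a base64-encoded one. The following is an added example, not code from the thread or from FreeRADIUS or OpenLDAP: a small LDIF entry parser that decodes both forms, then reports whether `userPassword` is held in cleartext (which, as the thread states, rlm_ldap needs for CHAP) or under a `{crypt}`-style hash scheme. The sample entries are constructed and modelled on the `ldapsearch` output quoted in this message; the hash value in the second sample is a placeholder, not a real digest.

```python
import base64

# Constructed sample modelled on the ldapsearch output quoted in the thread
# (only the attributes relevant to the password question are kept).
SAMPLE_LDIF_CLEARTEXT = """\
# me,People,dc=uchub,dc=com
dn: uid=me,ou=People,dc=uchub,dc=com
uid: me
cn: Test Account
objectClass: posixAccount
userPassword:: cGFzc3dvcmQ=
"""

# Constructed: the same entry as it would look if the password had been
# stored under a hash scheme (the hash part is a placeholder, not a digest).
SAMPLE_LDIF_HASHED = """\
dn: uid=me,ou=People,dc=uchub,dc=com
uid: me
userPassword: {crypt}PLACEHOLDERHASH
"""

# Password schemes that are one-way hashes: rlm_ldap cannot use these for CHAP.
HASH_SCHEMES = {b"{crypt}", b"{md5}", b"{smd5}", b"{sha}", b"{ssha}"}


def parse_ldif_entry(text: str) -> dict:
    """Parse one LDIF entry into {attribute: [bytes, ...]}.

    'attr: value' is a literal value, 'attr:: value' is base64 (what
    ldapsearch prints for userPassword), 'attr:< url' is a file reference
    and is skipped. A line starting with a single space continues the
    previous line (RFC 2849); '#' lines are comments.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip():
            logical.append(raw)

    attrs = {}
    for line in logical:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        elif rest.startswith("<"):
            continue
        else:
            value = rest.strip().encode()
        attrs.setdefault(name, []).append(value)
    return attrs


def password_storage(attrs: dict) -> str:
    """Classify userPassword as 'cleartext', 'hashed' or 'missing'."""
    values = attrs.get("userPassword")
    if not values:
        return "missing"
    value = values[0]
    if value.startswith(b"{") and b"}" in value:
        scheme = value[: value.index(b"}") + 1].lower()
        if scheme in HASH_SCHEMES:
            return "hashed"
    return "cleartext"


def check_ldif(text: str) -> tuple:
    """Return (dn, decoded userPassword or None, storage classification)."""
    attrs = parse_ldif_entry(text)
    password = attrs.get("userPassword", [None])[0]
    dn = attrs.get("dn", [b""])[0].decode()
    return dn, password, password_storage(attrs)


if __name__ == "__main__":
    for sample in (SAMPLE_LDIF_CLEARTEXT, SAMPLE_LDIF_HASHED):
        dn, _, kind = check_ldif(sample)
        print(f"{dn}: userPassword is {kind}")
```

Run against a real `ldapsearch -LLL` dump, the classification tells you in advance whether a CHAP attempt can ever succeed for that entry; it also makes plain that "cleartext" here means exactly that, so the directory ACLs and the server's debug output (which echoes the check item) deserve the same protection as the password itself.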



RE: CHAP-Password & LDAP Auth?

2002-03-26 Thread Michael S. McCollough

I am using:
ldapadd -h localhost -D "cn=manager,dc=uchub,dc=com" -W -f adduser.ldif -x

This is what the file contains
[root@radius migration]# cat /adduser.ldif 
dn: uid=me,ou=People,dc=uchub,dc=com
uid: me
cn: Test Account
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: password
shadowLastChange: 11764
shadowMax: 9
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 508
gidNumber: 509
homeDirectory: /home/testme2
gecos: Test Account,Test Inc.,xxx-xxx-,


This is what is imported.
Output of ldapsearch is:
# me,People,dc=uchub,dc=com
dn: uid=me,ou=People,dc=uchub,dc=com
uid: me
cn: Test Account
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQ=
shadowLastChange: 11764
shadowMax: 9
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 508
gidNumber: 509
homeDirectory: /home/testme2
gecos: Test Account,Test Inc.,xxx-xxx-,

# search result
search: 2
result: 0 Success

# numResponses: 176
# numEntries: 175
[root@radius migration]#  

-Original Message-
From: pavesi [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, March 27, 2002 12:15 AM
To: [EMAIL PROTECTED]
Subject: RE: CHAP-Password & LDAP Auth? 



>Can someone tell me how to override the storing of encrypted passwords?

This is a function of how you are, or the routine that enters the user data
into your ldap database is defined.  Define as crypt, it goes in encrypted.





RE: CHAP-Password & LDAP Auth?

2002-03-26 Thread Michael S. McCollough

Thanks for the answer, but I believe your conclusion is my original question.
How do you store passwords in plain text in ldap? It is plain text in my
ldif file but not in the ldap directory.

-Original Message-
From: pavesi [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, March 27, 2002 12:06 AM
To: [EMAIL PROTECTED]
Subject: RE: CHAP-Password & LDAP Auth? 



>say I will never have questions again). I have identified my problem 
>with CHAP as my ldap directory is storing encrypted passwords. I 
>removed rootdn = {crypt}q2r124lojqslk and replaced it with rootdn = 
>mypassword to see if that would trigger storing passwords in clear text 
>but to no avail.

that will not work, as the LDAP module expects (NEEDS) the passwords stored
in LDAP to be plain text for CHAP to work.

If indeed your passwords are stored in LDAP as encrypted, you'll have to
figure out how you're going to convert those p/w's to plain text.





RE: CHAP-Password & LDAP Auth?

2002-03-26 Thread pavesi


>Can someone tell me how to override the storing of encrypted passwords?

This is a function of how you are, or the routine that enters the user data
into your ldap database is defined.  Define as crypt, it goes in encrypted.





RE: CHAP-Password & LDAP Auth?

2002-03-26 Thread pavesi


>say I will never have questions again). I have identified my problem with
>CHAP as my ldap directory is storing encrypted passwords. I removed rootdn =
>{crypt}q2r124lojqslk and replaced it with rootdn = mypassword to see if that
>would trigger storing passwords in clear text but to no avail.

that will not work, as the LDAP module expects (NEEDS) the passwords
stored in LDAP to be plain text for CHAP to work.

If indeed your passwords are stored in LDAP as encrypted, you'll have to
figure out how you're going to convert those p/w's to plain text.





RE: CHAP-Password & LDAP Auth?

2002-03-26 Thread Michael S. McCollough

I have only one more question and my critical elements will be done (not to
say I will never have questions again). I have identified my problem with
CHAP as my ldap directory is storing encrypted passwords. I removed rootdn =
{crypt}q2r124lojqslk and replaced it with rootdn = mypassword to see if that
would trigger storing passwords in clear text but to no avail.

Can someone tell me how to override the storing of encrypted passwords?

--
Michael




Re: CHAP-Password & LDAP Auth?

2002-03-26 Thread Alan DeKok

"Michael S. McCollough" <[EMAIL PROTECTED]> wrote:
> I just went through and tried the alphabet. I must be looking in the wrong
> place for documentation. If someone knows where this is documented, I would
> appreciate a pointer.

  doc/variables.txt

  Also, 'raddb/radiusd.conf' has text saying where to find this
information, right at the top.

  Of course, if you update the server, and never use the
'radiusd.conf' that comes with the new version, you won't ever see
this text.

  Alan DeKok.




RE: CHAP-Password & LDAP Auth?

2002-03-26 Thread Michael S. McCollough

I figured out my realm problem with ldap. Filter has to be set to %N rather
than %n
I just went through and tried the alphabet. I must be looking in the wrong
place for documentation. If someone knows where this is documented, I would
appreciate a pointer.

Now, I truly only have chap to get working before getting Wcom's approval (I
still have other things I want to do with LDAP like filter on group for
emailonly and dialonly accounts, etc).

Thanks for your help
Michael

-Original Message-
From: Shawn O'Shea [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, March 26, 2002 4:17 PM
To: Michael S. McCollough
Cc: '[EMAIL PROTECTED]'
Subject: RE: CHAP-Password & LDAP Auth?


On Tue, 26 Mar 2002, Michael S. McCollough wrote:

> Are you using LDAP? This did not work for me. I did get the realms 
> working though.

Yes, but you _do not_ authenticate off of LDAP. You authorize off of LDAP
(where the password needs to be stored in the clear). Essentially when LDAP
is in the authorize{} section, this is the only action it takes.

Then you authenticate{} with CHAP, which takes the CHAP-Password from the
inbound packet, and constructs a CHAP-ized version of the cleartext from
LDAP to compare it with.

-Shawn

>
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication. 
> Cannot use "CHAP-Password".
>   modcall[authenticate]: module "ldap" returns invalid
> modcall: group authenticate returns invalid
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: User not found): 
> [[EMAIL PROTECTED]/] (from client MR-Firewall port 
> 0)
>
>
>
> -Original Message-
> From: Shawn O'Shea [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 26, 2002 10:48 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: CHAP-Password & LDAP Auth?
>
>
>
> I got the better part of this working on Friday... here's most of the
> pertinent parts:
>
> radiusd.conf:
>
> -add a blank section for chap options (something complained when I
> didn't do this)
>
> chap {
> }
>
> -make sure that your ldap section is configured for your setup
>
> -make sure authorize{} has chap and ldap. Mine looks like:
> authorize {
>   preprocess
>   chap
>   ldap
>   suffix
>   files
> }
>
> -make sure authenticate{} has chap. I have:
> authenticate {
>   unix
>   chap
> }
>
> I only have one type of user... I'm not sure how to setup realms
> properly, so I'm being lame and matching the realm in their username
> attribute and giving them some ascend vendor attributes:
> users:
>
> DEFAULT Suffix == "@realm.mycompany.com"
>   Service-Type = Framed-User,
>   Framed-Protocol = PPP,
>   Ascend-Data-Filter = "IP IN FORWARD TCP",
>   Ascend-Data-Filter += "IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE",
>   Ascend-Data-Filter += "IP IN DROP TCP DSTPORT = 25",
>   Ascend-Data-Filter += "IP IN FORWARD 0",
>   Ascend-Assign-IP-Pool = 0
>
> -Shawn
>
> On Mon, 25 Mar 2002, Michael S. McCollough wrote:
>
> > I am probably just dense but either the faq is incomplete or I
> > cannot translate to suit my needs. I cannot even get chap to work
> > with Auth-Type := system.  I need it to work with ldap. One key point
> > may be CHAP vs MS-CHAP. The radiusd.conf file only has ms-chap in
> > it. I remember long time ago when chap was proposed, ms did their own
> > version. Since the MS version became the de facto standard, I am not
> > sure if ms-chap and chap are used interchangeably.
> >
> > From radiusd -X
> > rlm_ldap: Attribute "Password" is required for authentication. 
> > Cannot use "CHAP-Password".
> >
> > I need CHAP to work with LDAP but would be happy to see it work with 
> > system auth just to know it works.
> >
> > --
> > Michael
> >
> >
> > -Original Message-
> > From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, March 21, 2002 2:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: CHAP-Password & LDAP Auth?
> >
> >
> > On Thu, 21 Mar 2002, Mike Cathey wrote:
> >
> > > Chris,
> > >
> > >
> > > Chris Parker wrote:
> > > > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> > > >
> > > >> Chris,
> > > >>
> > > >> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC
> > > >> it's the auth code) supports 2 methods of LDAP auth.  One
> > > >> method attempts to bind to the direct

RE: CHAP-Password & LDAP Auth?

2002-03-26 Thread Shawn O'Shea

On Tue, 26 Mar 2002, Michael S. McCollough wrote:

> Are you using LDAP? This did not work for me. I did get the realms working
> though.

Yes, but you _do not_ authenticate off of LDAP. You authorize off of LDAP
(where the password needs to be stored in the clear). Essentially when
LDAP is in the authorize{} section, this is the only action it takes.

Then you authenticate{} with CHAP, which takes the CHAP-Password from the
inbound packet, and constructs a CHAP-ized version of the cleartext from
LDAP to compare it with.

-Shawn

>
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication. Cannot
> use "CHAP-Password".
>   modcall[authenticate]: module "ldap" returns invalid
> modcall: group authenticate returns invalid
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: User not found):
> [[EMAIL PROTECTED]/] (from client MR-Firewall port 0)
>
>
>
> -Original Message-
> From: Shawn O'Shea [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 26, 2002 10:48 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: CHAP-Password & LDAP Auth?
>
>
>
> I got the better part of this working on Friday... here's most of the
> pertinent parts:
>
> radiusd.conf:
>
> -add a blank section for chap options (something complained when I didn't do
> this)
>
> chap {
> }
>
> -make sure that your ldap section is configured for your setup
>
> -make sure authorize{} has chap and ldap. Mine looks like:
> authorize {
>   preprocess
>   chap
>   ldap
>   suffix
>   files
> }
>
> -make sure authenticate{} has chap. I have:
> authenticate {
>   unix
>   chap
> }
>
> I only have one type of user... I'm not sure how to setup realms properly,
> so I'm being lame and matching the realm in their username attribute and
> giving them some ascend vendor attributes:
> users:
>
> DEFAULT Suffix == "@realm.mycompany.com"
>   Service-Type = Framed-User,
>   Framed-Protocol = PPP,
>   Ascend-Data-Filter = "IP IN FORWARD TCP",
>   Ascend-Data-Filter += "IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE",
>   Ascend-Data-Filter += "IP IN DROP TCP DSTPORT = 25",
>   Ascend-Data-Filter += "IP IN FORWARD 0",
>   Ascend-Assign-IP-Pool = 0
>
> -Shawn
>
> On Mon, 25 Mar 2002, Michael S. McCollough wrote:
>
> > I am probably just dense but either the faq is incomplete or I cannot
> > translate to suit my needs. I cannot even get chap to work with
> > Auth-Type := system.  I need it to work with ldap. One key point may be
> > CHAP vs MS-CHAP. The radiusd.conf file only has ms-chap in it. I
> > remember long time ago when chap was proposed, ms did their own
> > version. Since the MS version became the de facto standard, I am not
> > sure if ms-chap and chap are used interchangeably.
> >
> > From radiusd -X
> > rlm_ldap: Attribute "Password" is required for authentication. Cannot
> > use "CHAP-Password".
> >
> > I need CHAP to work with LDAP but would be happy to see it work with
> > system auth just to know it works.
> >
> > --
> > Michael
> >
> >
> > -Original Message-
> > From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, March 21, 2002 2:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: CHAP-Password & LDAP Auth?
> >
> >
> > On Thu, 21 Mar 2002, Mike Cathey wrote:
> >
> > > Chris,
> > >
> > >
> > > Chris Parker wrote:
> > > > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> > > >
> > > >> Chris,
> > > >>
> > > >> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC it's
> > > >> the auth code) supports 2 methods of LDAP auth.  One method
> > > >> attempts to bind to the directory as the user, which is what it
> > > >> sounds like FreeRADIUS does.  The other method is to bind to the
> > > >> directory as a privileged user (one who has access to all user
> > > >> attributes), crypt what the client handed you and compare it to
> > > >> userPassword.
> > > >
> > > >
> > > > The client hands you an already ( and non-reversible ) encrypted
> > > > string. Encrypting it a second time will yield nothing useful.
> > > >
> > > >> It may be possible to implement the second method in FreeRADIUS
> > > >> and use it for LDAP/CHAP auth.  Comments
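The exchange Shawn describes above (the server rebuilding a "CHAP-ized" version of the cleartext from LDAP and comparing it with the inbound CHAP-Password), which is also what the "Chap-Password send encrypted?" question at the top of this page is asking about, is the RFC 1994 response carried in the RFC 2865 CHAP-Password attribute. The following is an added example, not code from the thread or from FreeRADIUS: it builds the attribute value the way a client such as radclient does, verifies it the way the server side must, and shows why a hash scheme such as {crypt} in LDAP cannot verify it. The identifier, password, challenge and the {crypt} stand-in are constructed sample values; the 17-octet CHAP-Password parsed at the end is the hex value from the radiusd -X output quoted elsewhere on this page.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): CHAP identifier, cleartext
# password and a 16-octet challenge. In RADIUS the challenge is the
# CHAP-Challenge attribute or, when that is absent, the Request Authenticator
# of the Access-Request (RFC 2865 section 5.3).
SAMPLE_IDENT = 0x01
SAMPLE_PASSWORD = b"password"
SAMPLE_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed stand-in for a {crypt}-style value as LDAP would store it;
# the digest part is a placeholder, not real crypt(3) output.
SAMPLE_HASHED_PASSWORD = b"{crypt}PLACEHOLDERHASH"

# Taken from the radiusd -X output quoted elsewhere on this page: one
# identifier octet followed by the 16-octet response, 17 octets in all.
THREAD_CHAP_PASSWORD_HEX = "0x01a030df1ec26de22aa48fb6095472d67d"


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: the CHAP-Password attribute value, Identifier || response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def parse_chap_password(value: bytes) -> tuple:
    """Split a CHAP-Password value into (identifier, 16-octet response)."""
    if len(value) != 17:
        raise ValueError("CHAP-Password must be exactly 17 octets")
    return value[0], value[1:]


def verify_chap(value: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side: recompute the response from the stored password and compare.

    Only a cleartext stored password reproduces the client's MD5 input, which
    is why a {crypt}/{ssha} hash in LDAP can never verify a CHAP response.
    """
    try:
        ident, response = parse_chap_password(value)
    except ValueError:
        return False
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def password_on_wire(value: bytes, password: bytes) -> bool:
    """True if the cleartext password appears verbatim inside the attribute value."""
    return password in value


if __name__ == "__main__":
    attr = build_chap_password(SAMPLE_IDENT, SAMPLE_PASSWORD, SAMPLE_CHALLENGE)
    print("CHAP-Password =", "0x" + attr.hex())
    print("cleartext visible on the wire:", password_on_wire(attr, SAMPLE_PASSWORD))
    print("verify with cleartext in LDAP:", verify_chap(attr, SAMPLE_CHALLENGE, SAMPLE_PASSWORD))
    print("verify with {crypt} hash in LDAP:", verify_chap(attr, SAMPLE_CHALLENGE, SAMPLE_HASHED_PASSWORD))
    ident, response = parse_chap_password(bytes.fromhex(THREAD_CHAP_PASSWORD_HEX[2:]))
    print("thread sample: identifier", ident, "response", response.hex())
```

The two results together are the trade-off the whole thread circles around: the attribute carries a digest, not the password, so a capture of the Access-Request does not disclose it directly, but the server can only check that digest if it holds the cleartext, which is why storing `userPassword` hashed breaks CHAP while PAP (whose User-Password is only obfuscated with the shared secret) keeps working. A captured challenge/response pair can still be tested offline against password guesses, so CHAP protects against passive disclosure, not against weak passwords.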

RE: CHAP-Password & LDAP Auth?

2002-03-26 Thread Michael S. McCollough

Are you using LDAP? This did not work for me. I did get the realms working
though.

rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication. Cannot
use "CHAP-Password".
  modcall[authenticate]: module "ldap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found):
[[EMAIL PROTECTED]/] (from client MR-Firewall port 0)



-Original Message-
From: Shawn O'Shea [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, March 26, 2002 10:48 AM
To: '[EMAIL PROTECTED]'
Subject: RE: CHAP-Password & LDAP Auth?



I got the better part of this working on Friday... here's most of the
pertinent parts:

radiusd.conf:

-add a blank section for chap options (something complained when I didn't do
this)

chap {
}

-make sure that your ldap section is configured for your setup

-make sure authorize{} has chap and ldap. Mine looks like: authorize {
preprocess
chap
ldap
suffix
files
}

-make sure authenticate{} has chap. I have:
authenticate {
unix
chap
}

I only have one type of user...I'm not sure how to setup realms properly,
so I'm being lame and matching the realm in their username attribute and
giving them some ascend vendor attributes:
users:

DEFAULT Suffix == "@realm.mycompany.com"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Ascend-Data-Filter = "IP IN FORWARD TCP",
Ascend-Data-Filter += "IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE",
Ascend-Data-Filter += "IP IN DROP TCP DSTPORT = 25",
Ascend-Data-Filter += "IP IN FORWARD 0",
Ascend-Assign-IP-Pool = 0

-Shawn

On Mon, 25 Mar 2002, Michael S. McCollough wrote:

> I am probably just dense but either the faq is incomplete or I cannot 
> translate to suit my needs. I cannot even get chap to work with 
> Auth-Type :=system  I need it to work with ldap. One key point may be 
> CHAP vs MS-CHAP. The radiusd.conf file only has ms-chap in it. I 
> remember long time ago when chap was proposed, ms did their own 
> version. Since the MS version became the de facto standard, I am not 
> sure if ms-chap and chap are used interchangeably.
>
> From radiusd -X
> rlm_ldap: Attribute "Password" is required for authentication. Cannot 
> use "CHAP-Password".
>
> I need CHAP to work with LDAP but would be happy to see it work with 
> system auth just to know it works.
>
> --
> Michael
>
>
> -Original Message-
> From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 21, 2002 2:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: CHAP-Password & LDAP Auth?
>
>
> On Thu, 21 Mar 2002, Mike Cathey wrote:
>
> > Chris,
> >
> >
> > Chris Parker wrote:
> > > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> > >
> > >> Chris,
> > >>
> > >> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC it's 
> > >> the auth code) supports 2 methods of LDAP auth.  One method 
> > >> attempts to bind to the directory as the user, which is what it 
> > >> sounds like FreeRADIUS does.  The other method is to bind to the 
> > >> directory as a privileged user (one who has access to all user 
> > >> attributes), crypt what the client handed you and compare it to 
> > >> userPassword.
> > >
> > >
> > > The client hands you an already ( and non-reversible ) encrypted 
> > > string. Encrypting it a second time will yield nothing useful.
> > >
> > >> It may be possible to implement the second method in FreeRADIUS 
> > >> and use it for LDAP/CHAP auth.  Comments?
> > >
> > >
> > > The only way to perform CHAP authentication is for the server to 
> > > have access to the unencrypted password locally.
> >
> > Sorry, I wasn't suggesting you use crypt with LDAP/CHAP.  I was just 
> > pointing out the method of binding as a privileged user (a user who 
> > has rights to access the userPassword attribute for the RADIUS 
> > users). You can then get the value of userPassword and send the 
> > 'challenge' back to the proxy.  I haven't read docs on CHAP in a 
> > while, but it seems like this would work ok.  Of course, this 
> > assumes you store all of your users passwords in plain text.
> >
> > Cheers,
> >
> > Mike
>
> It's already supported. Please read the FAQ at 
> http://www.freeradius.org/faq/#5.11
>
> and doc/rlm_ldap
>
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED]National Technical University of Athens, Greece
> Work Phone:   +30 10 7721861
> 'Go back to the shadow'   Gandalf
>
>
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.


- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: CHAP-Password & LDAP Auth?

2002-03-26 Thread Shawn O'Shea


I got the better part of this working on Friday...here's most of the
pertinent parts:

radiusd.conf:

-add a blank section for chap options (something complained when I didn't
do this)

chap {
}

-make sure that your ldap section is configured for your setup

-make sure authorize{} has chap and ldap. Mine looks like:
authorize {
preprocess
chap
ldap
suffix
files
}

-make sure authenticate{} has chap. I have:
authenticate {
unix
chap
}

I only have one type of user...I'm not sure how to setup realms properly,
so I'm being lame and matching the realm in their username attribute and
giving them some ascend vendor attributes:
users:

DEFAULT Suffix == "@realm.mycompany.com"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Ascend-Data-Filter = "IP IN FORWARD TCP",
Ascend-Data-Filter += "IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE",
Ascend-Data-Filter += "IP IN DROP TCP DSTPORT = 25",
Ascend-Data-Filter += "IP IN FORWARD 0",
Ascend-Assign-IP-Pool = 0

-Shawn

On Mon, 25 Mar 2002, Michael S. McCollough wrote:

> I am probably just dense but either the faq is incomplete or I cannot
> translate to suit my needs. I cannot even get chap to work with Auth-Type
> :=system  I need it to work with ldap. One key point may be CHAP vs
> MS-CHAP. The radiusd.conf file only has ms-chap in it. I remember long time
> ago when chap was proposed, ms did their own version. Since the MS version
> became the de facto standard, I am not sure if ms-chap and chap are used
> interchangeably.
>
> From radiusd -X
> rlm_ldap: Attribute "Password" is required for authentication. Cannot use
> "CHAP-Password".
>
> I need CHAP to work with LDAP but would be happy to see it work with system
> auth just to know it works.
>
> --
> Michael
>
>
> -Original Message-
> From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 21, 2002 2:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: CHAP-Password & LDAP Auth?
>
>
> On Thu, 21 Mar 2002, Mike Cathey wrote:
>
> > Chris,
> >
> >
> > Chris Parker wrote:
> > > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> > >
> > >> Chris,
> > >>
> > >> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC it's
> > >> the auth code) supports 2 methods of LDAP auth.  One method
> > >> attempts to bind to the directory as the user, which is what it
> > >> sounds like FreeRADIUS does.  The other method is to bind to the
> > >> directory as a privileged user (one who has access to all user
> > >> attributes), crypt what the client handed you and compare it to
> > >> userPassword.
> > >
> > >
> > > The client hands you an already ( and non-reversible ) encrypted
> > > string. Encrypting it a second time will yield nothing useful.
> > >
> > >> It may be possible to implement the second method in FreeRADIUS and
> > >> use it for LDAP/CHAP auth.  Comments?
> > >
> > >
> > > The only way to perform CHAP authentication is for the server to
> > > have access to the unencrypted password locally.
> >
> > Sorry, I wasn't suggesting you use crypt with LDAP/CHAP.  I was just
> > pointing out the method of binding as a privileged user (a user who
> > has rights to access the userPassword attribute for the RADIUS users).
> > You can then get the value of userPassword and send the 'challenge'
> > back to the proxy.  I haven't read docs on CHAP in a while, but it
> > seems like this would work ok.  Of course, this assumes you store all
> > of your users passwords in plain text.
> >
> > Cheers,
> >
> > Mike
>
> It's already supported. Please read the FAQ at
> http://www.freeradius.org/faq/#5.11
>
> and doc/rlm_ldap
>
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED]National Technical University of Athens, Greece
> Work Phone:   +30 10 7721861
> 'Go back to the shadow'   Gandalf
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: CHAP-Password & LDAP Auth?

2002-03-26 Thread Shawn O'Shea


Please forgive if a repost. Not sure my comments below got passed
along...also wanted to tack on a "sample test packet":

sample test:
/usr/local/bin/radclient -x radius-server.mycompany.com auth
mysharedsecret < radtest.txt

where radtest.txt resembles:
User-Name = "someradiususer"
CHAP-Password = "cleartextofpassword"
NAS-IP-Address = somenas.mycompany.com
NAS-Port-Id = 0
NAS-Port-Type = Async
Service-Type = Framed
Framed-Protocol = PPP
State = ""
Calling-Station-Id = "8475061520"
Called-Station-Id = "8476311672"
Acct-Session-Id = "379094840"
Ascend-Data-Rate = 26400
Ascend-Xmit-Rate = 44000
Proxy-State = blah

-Shawn

On Tue, 26 Mar 2002, Shawn O'Shea wrote:

>
> I got the better part of this working on Friday...here's most of the
> pertinent parts:
>
> radiusd.conf:
>
> -add a blank section for chap options (something complained when I didn't
> do this)
>
> chap {
> }
>
> -make sure that your ldap section is configured for your setup
>
> -make sure authorize{} has chap and ldap. Mine looks like:
> authorize {
>   preprocess
> chap
>   ldap
>   suffix
>   files
> }
>
> -make sure authenticate{} has chap. I have:
> authenticate {
>   unix
>   chap
> }
>
> I only have one type of user...I'm not sure how to setup realms properly,
> so I'm being lame and matching the realm in their username attribute and
> giving them some ascend vendor attributes:
> users:
>
> DEFAULT Suffix == "@realm.mycompany.com"
>   Service-Type = Framed-User,
>   Framed-Protocol = PPP,
>   Ascend-Data-Filter = "IP IN FORWARD TCP",
>   Ascend-Data-Filter += "IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE",
>   Ascend-Data-Filter += "IP IN DROP TCP DSTPORT = 25",
>   Ascend-Data-Filter += "IP IN FORWARD 0",
>   Ascend-Assign-IP-Pool = 0
>
> -Shawn
>
> On Mon, 25 Mar 2002, Michael S. McCollough wrote:
>
> > I am probably just dense but either the faq is incomplete or I cannot
> > translate to suit my needs. I cannot even get chap to work with Auth-Type
> > :=system  I need it to work with ldap. One key point may be CHAP vs
> > MS-CHAP. The radiusd.conf file only has ms-chap in it. I remember long time
> > ago when chap was proposed, ms did their own version. Since the MS version
> > became the de facto standard, I am not sure if ms-chap and chap are used
> > interchangeably.
> >
> > From radiusd -X
> > rlm_ldap: Attribute "Password" is required for authentication. Cannot use
> > "CHAP-Password".
> >
> > I need CHAP to work with LDAP but would be happy to see it work with system
> > auth just to know it works.
> >
> > --
> > Michael
> >
> >
> > -Original Message-
> > From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, March 21, 2002 2:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: CHAP-Password & LDAP Auth?
> >
> >
> > On Thu, 21 Mar 2002, Mike Cathey wrote:
> >
> > > Chris,
> > >
> > >
> > > Chris Parker wrote:
> > > > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> > > >
> > > >> Chris,
> > > >>
> > > >> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC it's
> > > >> the auth code) supports 2 methods of LDAP auth.  One method
> > > >> attempts to bind to the directory as the user, which is what it
> > > >> sounds like FreeRADIUS does.  The other method is to bind to the
> > > >> directory as a privileged user (one who has access to all user
> > > >> attributes), crypt what the client handed you and compare it to
> > > >> userPassword.
> > > >
> > > >
> > > > The client hands you an already ( and non-reversible ) encrypted
> > > > string. Encrypting it a second time will yield nothing useful.
> > > >
> > > >> It may be possible to implement the second method in FreeRADIUS and
> > > >> use it for LDAP/CHAP auth.  Comments?
> > > >
> > > >
> > > > The only way to perform CHAP authentication is for the server to
> > > > have access to the unencrypted password locally.
> > >
> > > Sorry, I wasn't suggesting you use crypt with LDAP/CHAP.  I was just
> > > pointing out the method of binding as a privileged user (a user who
> > > has rights to access the userPassword attribute for the RADIUS users).

RE: CHAP-Password & LDAP Auth?

2002-03-25 Thread Michael S. McCollough

I am probably just dense but either the faq is incomplete or I cannot
translate to suit my needs. I cannot even get chap to work with Auth-Type
:=system  I need it to work with ldap. One key point may be CHAP vs
MS-CHAP. The radiusd.conf file only has ms-chap in it. I remember long time
ago when chap was proposed, ms did their own version. Since the MS version
became the de facto standard, I am not sure if ms-chap and chap are used
interchangeably.

From radiusd -X
rlm_ldap: Attribute "Password" is required for authentication. Cannot use
"CHAP-Password".

I need CHAP to work with LDAP but would be happy to see it work with system
auth just to know it works.

--
Michael


-Original Message-
From: Kostas Kalevras [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 21, 2002 2:09 PM
To: [EMAIL PROTECTED]
Subject: Re: CHAP-Password & LDAP Auth?


On Thu, 21 Mar 2002, Mike Cathey wrote:

> Chris,
>
>
> Chris Parker wrote:
> > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> >
> >> Chris,
> >>
> >> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC it's 
> >> the auth code) supports 2 methods of LDAP auth.  One method 
> >> attempts to bind to the directory as the user, which is what it 
> >> sounds like FreeRADIUS does.  The other method is to bind to the 
> >> directory as a privileged user (one who has access to all user 
> >> attributes), crypt what the client handed you and compare it to 
> >> userPassword.
> >
> >
> > The client hands you an already ( and non-reversible ) encrypted 
> > string. Encrypting it a second time will yield nothing useful.
> >
> >> It may be possible to implement the second method in FreeRADIUS and 
> >> use it for LDAP/CHAP auth.  Comments?
> >
> >
> > The only way to perform CHAP authentication is for the server to 
> > have access to the unencrypted password locally.
>
> Sorry, I wasn't suggesting you use crypt with LDAP/CHAP.  I was just 
> pointing out the method of binding as a privileged user (a user who 
> has rights to access the userPassword attribute for the RADIUS users).  
> You can then get the value of userPassword and send the 'challenge' 
> back to the proxy.  I haven't read docs on CHAP in a while, but it 
> seems like this would work ok.  Of course, this assumes you store all 
> of your users passwords in plain text.
>
> Cheers,
>
> Mike

It's already supported. Please read the FAQ at
http://www.freeradius.org/faq/#5.11

and doc/rlm_ldap

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf



- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




Re: CHAP-Password & LDAP Auth?

2002-03-21 Thread Kostas Kalevras

On Thu, 21 Mar 2002, Mike Cathey wrote:

> Chris,
>
>
> Chris Parker wrote:
> > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> >
> >> Chris,
> >>
> >> The qmail-ldap () code (actually IIRC it's the
> >> auth code) supports 2 methods of LDAP auth.  One method attempts to
> >> bind to the directory as the user, which is what it sounds like
> >> FreeRADIUS does.  The other method is to bind to the directory as a
> >> privileged user (one who has access to all user attributes), crypt
> >> what the client handed you and compare it to userPassword.
> >
> >
> > The client hands you an already ( and non-reversible ) encrypted string.
> > Encrypting it a second time will yield nothing useful.
> >
> >> It may be possible to implement the second method in FreeRADIUS and use
> >> it for LDAP/CHAP auth.  Comments?
> >
> >
> > The only way to perform CHAP authentication is for the server to have
> > access to the unencrypted password locally.
>
> Sorry, I wasn't suggesting you use crypt with LDAP/CHAP.  I was just
> pointing out the method of binding as a privileged user (a user who has
> rights to access the userPassword attribute for the RADIUS users).  You
> can then get the value of userPassword and send the 'challenge' back to
> the proxy.  I haven't read docs on CHAP in a while, but it seems like
> this would work ok.  Of course, this assumes you store all of your users
> passwords in plain text.
>
> Cheers,
>
> Mike

It's already supported. Please read the FAQ at
http://www.freeradius.org/faq/#5.11

and doc/rlm_ldap

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: CHAP-Password & LDAP Auth?

2002-03-21 Thread Mike Cathey

Chris,


Chris Parker wrote:
> At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> 
>> Chris,
>>
>> The qmail-ldap () code (actually IIRC it's the 
>> auth code) supports 2 methods of LDAP auth.  One method attempts to 
>> bind to the directory as the user, which is what it sounds like 
>> FreeRADIUS does.  The other method is to bind to the directory as a 
>> privileged user (one who has access to all user attributes), crypt 
>> what the client handed you and compare it to userPassword.
> 
> 
> The client hands you an already ( and non-reversible ) encrypted string.
> Encrypting it a second time will yield nothing useful.
> 
>> It may be possible to implement the second method in FreeRADIUS and use 
>> it for LDAP/CHAP auth.  Comments?
> 
> 
> The only way to perform CHAP authentication is for the server to have
> access to the unencrypted password locally.

Sorry, I wasn't suggesting you use crypt with LDAP/CHAP.  I was just 
pointing out the method of binding as a privileged user (a user who has 
rights to access the userPassword attribute for the RADIUS users).  You 
can then get the value of userPassword and send the 'challenge' back to 
the proxy.  I haven't read docs on CHAP in a while, but it seems like 
this would work ok.  Of course, this assumes you store all of your users 
passwords in plain text.

Cheers,

Mike




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: CHAP-Password & LDAP Auth?

2002-03-21 Thread Chris Parker

At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
>Chris,
>
>The qmail-ldap () code (actually IIRC it's the auth 
>code) supports 2 methods of LDAP auth.  One method attempts to bind to 
>the directory as the user, which is what it sounds like FreeRADIUS 
>does.  The other method is to bind to the directory as a privileged user 
>(one who has access to all user attributes), crypt what the client handed 
>you and compare it to userPassword.

The client hands you an already ( and non-reversible ) encrypted string.
Encrypting it a second time will yield nothing useful.

>It may be possible to implement the second method in FreeRADIUS and use it 
>for LDAP/CHAP auth.  Comments?

The only way to perform CHAP authentication is for the server to have
access to the unencrypted password locally.

-Chris

--
\\\|||///  \  StarNet Inc.  \Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
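Chris's point above (the server must hold the cleartext password, so a crypt()ed userPassword cannot be checked) and Shawn's radclient test earlier on this page (the radtest.txt with CHAP-Password = "cleartextofpassword") are shown below as an added worked example. This is not code from the thread, FreeRADIUS or radclient: it builds an Access-Request the way a NAS or radclient does, with only the MD5 CHAP response on the wire, then verifies it the way a server must, per RFC 1994 and RFC 2865 (if no CHAP-Challenge attribute is present the 16-byte Request Authenticator is the challenge). The constructed authenticator, user name and the `{CLEAR}` prefix handling in `verify_against_directory_value` are assumptions made for the illustration.

```python
"""Added illustration of CHAP over RADIUS: client side (what radclient sends
when given a cleartext CHAP-Password) and server side (what rlm_ldap would
need to verify it).  Not FreeRADIUS or radclient code."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1          # RFC 2865 attribute types
ATTR_USER_PASSWORD = 2
ATTR_CHAP_PASSWORD = 3
ATTR_CHAP_CHALLENGE = 60


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(pkt_id: int, authenticator: bytes, username: bytes,
                         cleartext: bytes, chap_ident: int = 1,
                         chap_challenge: Optional[bytes] = None) -> bytes:
    """Client side.  The cleartext never leaves this function: CHAP-Password
    carries the CHAP identifier plus the 16-byte MD5 response.  Without an
    explicit CHAP-Challenge the Request Authenticator is the challenge."""
    challenge = authenticator if chap_challenge is None else chap_challenge
    chap_pw = bytes([chap_ident]) + chap_response(chap_ident, cleartext, challenge)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_CHAP_PASSWORD, chap_pw)
    if chap_challenge is not None:
        attrs += _attr(ATTR_CHAP_CHALLENGE, chap_challenge)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, pkt_id, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> Dict[int, List[bytes]]:
    """Walk the type/length/value list that follows the 20-byte header."""
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs


def verify_chap(packet: bytes, cleartext: bytes) -> bool:
    """Server side: recompute the response from the cleartext and compare.
    There is no way to do this from a one-way hash of the password."""
    if packet[0] != CODE_ACCESS_REQUEST:
        return False
    authenticator = packet[4:20]
    attrs = parse_attributes(packet)
    chap = attrs.get(ATTR_CHAP_PASSWORD)
    if not chap or len(chap[0]) != 17:
        return False
    ident, response = chap[0][0], chap[0][1:]
    challenge = attrs.get(ATTR_CHAP_CHALLENGE, [authenticator])[0]
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(expected, response)


def verify_against_directory_value(packet: bytes, stored: bytes) -> Optional[bool]:
    """What an LDAP-backed server can do with the userPassword it reads back.
    A value with a hash-scheme prefix ({CRYPT}, {SSHA}, {MD5}, ...) cannot be
    turned back into the cleartext, so CHAP cannot be checked at all: return
    None.  Treating a bare value or a {CLEAR} prefix as cleartext is an
    assumption made for this illustration."""
    if stored.startswith(b"{"):
        scheme, _, value = stored[1:].partition(b"}")
        if scheme.upper() != b"CLEAR":
            return None
        stored = value
    return verify_chap(packet, stored)


if __name__ == "__main__":
    auth = bytes(range(16))   # constructed Request Authenticator
    pkt = build_access_request(7, auth, b"someradiususer", b"cleartextofpassword")
    print("cleartext userPassword:", verify_chap(pkt, b"cleartextofpassword"))
    print("crypt hash in userPassword:",
          verify_against_directory_value(pkt, b"{CRYPT}$1$saltsalt$hashhashhash"))
```

Running the block prints True for the cleartext case and None for the {CRYPT} case, which is the same situation rlm_ldap reports when it says "User-Password" is required and "CHAP-Password" cannot be used: the module has nothing to recompute the MD5 response from. Dumping the packet with tcpdump shows the same thing from the other side: attribute 3 holds one identifier byte and 16 bytes of digest, never the password itself.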



Re: CHAP-Password & LDAP Auth?

2002-03-21 Thread Mike Cathey

Chris,

Chris Parker wrote:
> At 11:22 AM 3/21/2002 -0500, Shawn O'Shea wrote:
> 
>> >
>> >  > Wed Mar 20 15:35:57 2002 : Auth: Login incorrect:
>> > > [{ed: whatever username -sko}/] (from nas
>> > > UNKNOWN-NAS port 0 cli 8475061520)
>> > >
>> > > If I use just User-Password, this works like a dream. Any suggestions?
>> >
>> >   Don't use CHAP.
>>
>> Ok, well the UUNET docs states that I can use PAP or CHAP. Here's what
>> their doc says about it though:
>>
>> Although the Reseller may not be using CHAP, they must configure their
>> RADIUS server to respond to a CHAP request by requesting PAP
>> authentication after declining CHAP. This is done during the LCP phase of
>> creating a PPP session.
>>
>> Is this doable in freeradius?
> 

The qmail-ldap () code (actually IIRC it's the 
auth code) supports 2 methods of LDAP auth.  One method attempts to 
bind to the directory as the user, which is what it sounds like 
FreeRADIUS does.  The other method is to bind to the directory as a 
privileged user (one who has access to all user attributes), crypt what 
the client handed you and compare it to userPassword.

It may be possible to implement the second method in FreeRADIUS and use 
it for LDAP/CHAP auth.  Comments?

Cheers,

Mike

-- 

Mike Cathey - http://www.mikecathey.com/
Network Administrator
RTC Internet - http://www.catt.com/


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: CHAP-Password & LDAP Auth?

2002-03-21 Thread Chris Parker

At 11:22 AM 3/21/2002 -0500, Shawn O'Shea wrote:
> >
> >  > Wed Mar 20 15:35:57 2002 : Auth: Login incorrect:
> > > [{ed: whatever username -sko}/] (from nas
> > > UNKNOWN-NAS port 0 cli 8475061520)
> > >
> > > If I use just User-Password, this works like a dream. Any suggestions?
> >
> >   Don't use CHAP.
>
>Ok, well the UUNET docs states that I can use PAP or CHAP. Here's what
>their doc says about it though:
>
>Although the Reseller may not be using CHAP, they must configure their
>RADIUS server to respond to a CHAP request by requesting PAP
>authentication after declining CHAP. This is done during the LCP phase of
>creating a PPP session.
>
>Is this doable in freeradius?

Not really a function of RADIUS.  The LCP phase of the PPP session is
between the dialup-client ( end-user ) and the NAS.  Radius is not
involved until after the LCP negotiation is done.

UUNet wants you do this because they primarily run Ascend TNTs.  In
presenting the authentication types to the dialup-client the older
Ascend code offered CHAP first, and if that was refused, offered PAP.

The one problem with this is Windows DUN if offered CHAP will always
accept it ( so you'd never get to PAP ).  They changed this in about
TAOS 9.x, where there is an option called 'PAP preferred' to set the
auth method.  This reverses the order they are presented so that PAP is
given as the first option, and CHAP as the second option.

Windows DUN *can* be made to reject PAP and use CHAP ( via the 'Require
Encrypted Password' option ), but it *cannot* be made to reject CHAP
if it is offered.

> >   From what I recall, the LDAP module tries to authenticate to the
> > LDAP server, using the username/password supplied in the packet.
> > Therefore, it needs access to the plain-text password, as it's telling
> > you.
>
>Running freeradius in debug mode, this is indeed what the LDAP module is
>doing. After reading through the section of the FAQ you pointed out, and
>the "Interoperation with PAP and CHAP" section of RFC2138 I'm starting to
>understand what the deal is.

In effect, though UUNet "supports" PAP, you can only use that if the
clients reject CHAP, which DUN can't do.  So in effect, UUNet is CHAP
only ( unless you have a non Windows DUN client that can be made to
reject CHAP ).

Good luck trying to get UUNet to change.  You're going to have to figure
out how to get CHAP working with LDAP, because you won't be able to get
PAP requests sent.

> >   The alternative is to use a DB which stores the password in clear text.

Or to use a dialup wholesaler that offers PAP first and CHAP second, so
that you can actually receive PAP requests.  ;)

-Chris
--
\\\|||///  \  StarNet Inc.  \Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: CHAP-Password & LDAP Auth?

2002-03-21 Thread Shawn O'Shea

>
>  > Wed Mar 20 15:35:57 2002 : Auth: Login incorrect:
> > [{ed: whatever username -sko}/] (from nas
> > UNKNOWN-NAS port 0 cli 8475061520)
> >
> > If I use just User-Password, this works like a dream. Any suggestions?
>
>   Don't use CHAP.

Ok, well the UUNET docs states that I can use PAP or CHAP. Here's what
their doc says about it though:

Although the Reseller may not be using CHAP, they must configure their
RADIUS server to respond to a CHAP request by requesting PAP
authentication after declining CHAP. This is done during the LCP phase of
creating a PPP session.

Is this doable in freeradius?

>   From what I recall, the LDAP module tries to authenticate to the
> LDAP server, using the username/password supplied in the packet.
> Therefore, it needs access to the plain-text password, as it's telling
> you.

Running freeradius in debug mode, this is indeed what the LDAP module is
doing. After reading through the section of the FAQ you pointed out, and
the "Interoperation with PAP and CHAP" section of RFC2138 I'm starting to
understand what the deal is.

Thanks,
-Shawn

>
>   The alternative is to use a DB which stores the password in clear text.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: CHAP-Password & LDAP Auth?

2002-03-20 Thread Michael S. McCollough


We are in the process of setting up Radius to work with Wcom/UUNet resell as
well. If you could share your user config with me so I could see how the
setup looks (I assume yours is working), it would save me a lot of time
trying to understand their less than adequate documentation on how to set it
up to meet their needs.

I would owe you a big one and will even help research the Chap issue for
you. I will be testing with Wcom tomorrow and have a small window so any
guidance you have would be appreciated. If you send your users file, just
comment out your passwords and such.

Thanks
Michael


-Original Message-
From: Shawn O'Shea [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, March 20, 2002 3:43 PM
To: [EMAIL PROTECTED]
Subject: CHAP-Password & LDAP Auth?



I'm currently using Steel Belted Radius w/ UU.net and trying to replicate
the functionality of our Steel Belted server w/ freeradius. Basically we
take incoming proxied auth requests from UU, auth them, and reply back to
the proxy.

I grabbed some of the inbound packets off the wire so I could look at what
attributes we're receiving, so that I could build similar looking access
requests with radclient.

My problem is that the packets from them send the password as CHAP-Password
attribute. If I set this in my test data for radclient, my freeradius 0.5
server says:
Wed Mar 20 15:35:57 2002 : Auth: rlm_ldap: Attribute
"User-Password" is required for authentication. Cannot use "CHAP-Password".
Wed Mar 20 15:35:57 2002 : Auth: Login incorrect:
[{ed: whatever username -sko}/] (from nas UNKNOWN-NAS port 0
cli 8475061520)

If I use just User-Password, this works like a dream. Any suggestions?

-Shawn


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.


- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, March 20, 2002 4:13 PM
To: [EMAIL PROTECTED]
Subject: Re: CHAP-Password & LDAP Auth? 


Shawn O'Shea <[EMAIL PROTECTED]> wrote:
> My problem is that the packets from them send the password as 
> CHAP-Password attribute. If I set this in my test data for radclient, 
> my freeradius 0.5 server says: Wed Mar 20 15:35:57 2002 : Auth: 
> rlm_ldap: Attribute "User-Password" is required for authentication. 
> Cannot use "CHAP-Password".

  See the FAQ for further explanation.

 > Wed Mar 20 15:35:57 2002 : Auth: Login incorrect:
> [{ed: whatever username -sko}/] (from nas UNKNOWN-NAS 
> port 0 cli 8475061520)
> 
> If I use just User-Password, this works like a dream. Any suggestions?

  Don't use CHAP.

  From what I recall, the LDAP module tries to authenticate to the LDAP
server, using the username/password supplied in the packet. Therefore, it
needs access to the plain-text password, as it's telling you.

  The alternative is to use a DB which stores the password in clear text.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




RE: CHAP-Password & LDAP Auth?

2002-03-20 Thread Michael S. McCollough

Funny thing is Wcom gives you a choice in their configure sheet of using PAP
or CHAP but then tells you both must be supported when you go to schedule the
test time. :)

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, March 20, 2002 4:13 PM
To: [EMAIL PROTECTED]
Subject: Re: CHAP-Password & LDAP Auth? 


Shawn O'Shea <[EMAIL PROTECTED]> wrote:
> My problem is that the packets from them send the password as 
> CHAP-Password attribute. If I set this in my test data for radclient, 
> my freeradius 0.5 server says: Wed Mar 20 15:35:57 2002 : Auth: 
> rlm_ldap: Attribute "User-Password" is required for authentication. 
> Cannot use "CHAP-Password".

  See the FAQ for further explanation.

 > Wed Mar 20 15:35:57 2002 : Auth: Login incorrect:
> [{ed: whatever username -sko}/] (from nas UNKNOWN-NAS 
> port 0 cli 8475061520)
> 
> If I use just User-Password, this works like a dream. Any suggestions?

  Don't use CHAP.

  From what I recall, the LDAP module tries to authenticate to the LDAP
server, using the username/password supplied in the packet. Therefore, it
needs access to the plain-text password, as it's telling you.

  The alternative is to use a DB which stores the password in clear text.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




Re: CHAP-Password & LDAP Auth?

2002-03-20 Thread Alan DeKok

Shawn O'Shea <[EMAIL PROTECTED]> wrote:
> My problem is that the packets from them send the password as
> CHAP-Password attribute. If I set this in my test data for radclient, my
> freeradius 0.5 server says:
> Wed Mar 20 15:35:57 2002 : Auth: rlm_ldap: Attribute "User-Password" is
> required for authentication. Cannot use "CHAP-Password".

  See the FAQ for further explanation.

 > Wed Mar 20 15:35:57 2002 : Auth: Login incorrect:
> [{ed: whatever username -sko}/] (from nas
> UNKNOWN-NAS port 0 cli 8475061520)
> 
> If I use just User-Password, this works like a dream. Any suggestions?

  Don't use CHAP.

  From what I recall, the LDAP module tries to authenticate to the
LDAP server, using the username/password supplied in the packet.
Therefore, it needs access to the plain-text password, as it's telling
you.

  The alternative is to use a DB which stores the password in clear text.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: CHAP password problem!!

2002-01-15 Thread aland

"Vijay Rana" <[EMAIL PROTECTED]> wrote:
> But everytime i'm sending i'm receiving an Access Reject message from
> the server .Can anyone tell me what can be the reasons for this?

  Not without access to your machine.

  But if you run the server in debugging mode as described in the FAQ
and README, then *it* will tell you the reason for the authentication
reject.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html