Re: FreeRadius/LDAP conf : little problem
Selon Paul Bender <[EMAIL PROTECTED]>:

> When you say that you manually add the hashed NT password to LDAP, how
> did you create it?
>
> I do not know what the warning in the radiusd.conf file about needed
> "0x" in front of the hashed NT password means. It has never impacted me.
>
> I am running Samba 3.0.3 (the one that ships with Fedora Core 2) with its
> password backend configured to be LDAP. I use smbpasswd to set the
> passwords. When I look at the passwords in the LDAP database, I do not
> see a "0x" in front of the hashed NT password. However, my users are
> able to authenticate using PEAP / EAP-MS-CHAPV2.

I currently use the smbldap-tools to add/modify/remove users and workstations in the LDAP. It works fine, but this comment in radiusd.conf and a post from Alan DeKok in reply to one of my problems with radius+ldap made me think something was wrong ... I still can't authenticate against the LDAP using radiusd.

I switched to another project right now, because this gave me so much headache that I gave up, and I'm still using classical TKIP/WPA on the access points. I'll have to retry in a few days ...

--
Arnauld Dravet

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius/LDAP conf : little problem
Selon Paul Bender <[EMAIL PROTECTED]>:

> Yes, the passwords are stored. Only the NT-Password is used for the
> PEAP/EAP-MSCHAP-V2 authentication. If you use the LDAP schema provided
> with Samba version 3, then the LM-Password is sambaLMPassword and the
> NT-Password is sambaNTPassword. If you use this schema, then you will
> need to adjust the mapping in FreeRADIUS's ldap.attrmap file, because
> the file is configured to map the attributes from the Samba version 2
> LDAP schema.

Hi,

I got a Samba v2 schema, everything working fine with that, but I don't have any "0x" in front of the hashed ntPassword. In radiusd.conf it's said it won't work without the 0x ... but when I try to manually add it to the password so I have a real length of 32, of course I can't log in anymore ... Would you have any idea of where the problem resides?

Thanks

--
Arnauld Dravet
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Update of the previous mail: when I choose on the client not to validate the server certificate chain, radius crashes when opening the TTLS tunnel:

rlm_ldap: user arnauld.dravet authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 20
modcall: group authorize returns updated for request 20
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 20
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
Segmentation fault
[EMAIL PROTECTED]:/usr/local/freeradius-cvs#

--
Arnauld Dravet
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1046:SSL alert number 48
9539:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 4
modcall: group authenticate returns reject for request 4
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 77 with timestamp 40d97726
Cleaning up request 1 ID 78 with timestamp 40d97726
Cleaning up request 2 ID 79 with timestamp 40d97726
Cleaning up request 3 ID 80 with timestamp 40d97726
Sending Access-Reject of id 81 to 192.168.6.3:1796
        EAP-Message = 0x04050004
        Message-Authenticator = 0x
Cleaning up request 4 ID 81 with timestamp 40d97726
Nothing to do. Sleeping until we see a request.

--
Arnauld Dravet
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
I really can't get CVS to work. It compiles fine, but I tried several CVS versions and I got this at startup:

Module: Instantiated unix (unix)
radiusd.conf[9] Failed to link to module 'rlm_eap': file not found
[EMAIL PROTECTED]:/usr/local/freeradius-cvs#

Don't know if I can use the rlm_eap module from the non-CVS version.

--
Arnauld Dravet
Re: error in configure radius
Do you have the libssl*.so* and libcrypto*.so*? Try to make symlinks of them to /usr/local/lib or /usr/lib or whatever is the standard lib path in Solaris :)

Selon Victor A Belous <[EMAIL PROTECTED]>:

> Hello,
>
> I run sparc 64 solaris9 with gcc
>
> I can't configure radius freeradius-1.0.0-pre3 (also pre2 and pre1)
>
> I start with the command
>
> ./configure --with-openssl-includes=/usr/local/ssl/include
> --with-openssl-libraries=/usr/local/ssl/lib
>
> and get the error
>
> checking for openssl/err.h... (cached) yes
> checking for openssl/engine.h... (cached) yes
> configure: warning: silently not building rlm_eap_sim.
> configure: warning: FAILURE: rlm_eap_sim requires: libssl.
>
> but I have the libssl in
>
> bash-2.05# ls -l /usr/local/ssl/lib
> total 4466
> -rw-r--r--   1 root     other    1949856 Jun 16 10:12 libcrypto.a
> -rw-r--r--   1 root     other     304440 Jun 16 10:12 libssl.a
> drw-r--r--   2 root     other        512 Oct  9  2003 pkgconfig
> bash-2.05#
>
> I just compiled the last version of the openssl, but this doesn't help me.
>
> What do I do wrong?
>
> Thanks
>
> Victor Belous

--
Arnauld Dravet
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
I'm also a total newbie in the wifi world =) Spent 4 days on this auth thing and can't get it to work yet ..

I'm not using Novell LDAP, it's an OpenLDAP with all our users' info in it: Windows passwords without the 0x in front of the passwords (tried to add it manually, result is that I can't log in on a workstation after that), and Unix encrypted passwords.

I'll test the Aegis supplicant tomorrow, will post the results ..

> This is my first attempt at anything wireless (as you may have noticed by my
> previous posts), so I haven't had much experience with the various supplicants
> out there. I think you can get a fully working demo of Odyssey (double check
> that) from Funk Software... it's supposed to do TTLS, plus some other cool
> stuff with Novell Client signons. We'll see.
>
> I'll let you know how my TTLS efforts go with the CVS version. BTW... are you
> also attempting Novell LDAP with TTLS?
>
> later,
> mack

--
Arnauld Dravet
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
> It looks like maybe the 0.9.3 version of freeradius does not support TTLS.
> Is this correct? If so, does the CVS version include support? Sorry if this,
> too, is documented somewhere, but I just thought I'd ask while I was here.

I grabbed & compiled the CVS a few hours ago with the goal of making TTLS+mschapv2 work, and it crashes when I launch radiusd, saying that it can't find the rlm_eap module ...

Anyway, just for my information (still trying to get my auth working ..), are you using a supplicant like Aegis, or just the one provided with your wifi card? In my case, I used the Dell drivers, freeradius 0.9.3, and got strange things during SSL initialisation. Can't get the logs right now though ..

--
Arnauld Dravet
Re: FreeRadius/LDAP conf : little problem
> That shouldn't be necessary.

Well, I'll double check tomorrow, I've done so many tests so far that maybe it's not useful anymore .. I know for sure that in debug logs, it shows the password grabbed as {CRYPT}xxx.

> > rlm_ldap: Adding userPassword as Crypt-Password, value { & op=21
>
> That value doesn't look like a password.

Yes I know, and I think that's the problem. When I just use password_attribute it grabs the whole password (displayed in debug logs), and not anymore when I use the mapping for Crypt-Password, of course on the same LDAP attribute for both. I thought the '{' displayed was from the first character it met (from {CRYPT}), so I tried to re-enable the password_header field in the ldap section of radiusd.conf, without any good result.

> That value should have a "0x" in front of it.

That's what is told in radiusd.conf, yup .. Could that change something to the rest of the problem? I'll check the smbldap-adduser.pl script I use to add Windows users in the LDAP tree. Anyway Windows workstations work perfectly without the 0x.

> LDAP doesn't do crypt'd passwords. The server does. And the server
> doesn't care where that crypted password came from.

Yup, but I was trying to find the moment where the radius Crypt-Password attribute was used in the LDAP mapping file and from the LDAP directory, to check why it doesn't grab the password from the user entry.

--
Arnauld Dravet
Re: FreeRadius/LDAP conf : little problem
Hi again Alan,

> Configure the "password_header" entry in the ldap{} section, in
> radiusd.conf.

Already done, but in the doc it's said it just strips away the {CRYPT} substring of the crypted passwd. Still have to put the encrypted password in the popup box to make it work...

> You can also map that LDAP entry to the Crypt-Password
> attribute, and the server will figure it out from there.

Also tried it:

checkItem       LM-Password             lmPassword
checkItem       NT-Password             ntPassword
checkItem       Crypt-Password          userPassword
checkItem       SMB-Account-CTRL-TEXT   acctFlags

But it doesn't seem to change a lot of things:

rlm_ldap: Adding userPassword as Crypt-Password, value { & op=21
rlm_ldap: Adding ntPassword as NT-Password, value EFAC11B52777F8D7A34BDC1A0F89228D & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 136BE46417241D68AAD3B435B51404EE & op=21
rlm_ldap: looking for reply items in directory...

I tried it with and without setting the password_attribute and password_header in radiusd.conf. Result is the same. Anyway, in the freeradius sources I can't find any reference to Crypt-Password in the rlm_ldap module, and in main.c it seems to be a reference to a user-provided password, not to the backend db. I'm using 0.9.3; do I need a CVS version?

Thanks again

Arnauld
--
Arnauld Dravet
Re: FreeRadius/LDAP conf : little problem
Ok, please forget my previous message, I've just re-read aaa.txt and it's said that the AP sends a hash of the password it receives from the supplicant. No way to make freeradius crypt it, it would not make any sense ... Now that I'm lost in all those auth protocols, I don't know what to do ... Is there a way to make the auth against the ntPassword field stored in the LDAP instead of the userPassword which uses the {CRYPT} salt? I am currently generating certificates to use TTLS/PEAP ...

--
Arnauld Dravet
Re: FreeRadius/LDAP conf : little problem
Hello again,

Thanks for your help, it works great now ... Just did what you told: an LDAP user who got read access on all fields/users of the directory.

Problem now is that I have to enter the encrypted version of the password in the username/password popup window. The userPassword field in the LDAP entries is encoded with the {CRYPT} salt. Is there a way to configure/hack FreeRadius to tell it to crypt the password before the comparison against the password the LDAP authorize section returns from its query? If not possible, I have no idea how I could use the 802.1x auth in the real world :-( I just can't decrypt all passwords in the directory and put them back in cleartext ...

Thanks for your great job, and your support.

--
Arnauld Dravet
Re: FreeRadius/LDAP conf : little problem
I'll try it on Monday, don't want to go to work during the weekend =) I thought radiusd would connect as the user on the LDAP server because in the logs it shows that the user is allowed to access some sort of information ...

Thanks a lot for your help, I'll keep you up to date on Monday if the problem is resolved, or not.

Thanks,
Arnauld

Selon Dustin Doris <[EMAIL PROTECTED]>:

> > Okay, I'm not really into Win stuff .. ntPassword fields seem encrypted since I
> > can't "read" them with my eyes, but I think it's just a hash or something. Isn't
> > it the regular way to store NT passwords?
> >
> > Anyway, here is my ldap section in radiusd.conf:
> >
> > ldap {
> >         server = "192.168.1.6"
> >         basedn = "ou=Users,dc=mtp,dc=epsi,dc=fr"
> >         filter = "(&(objectclass=posixAccount)(uid=%u))"
> >         start_tls = no
> >         dictionary_mapping = ${raddbdir}/ldap.attrmap
> >         ldap_connections_number = 5
> >         password_attribute = ntPassword   #<--- I changed this one just to try it
> >                                           #     out, it was originally userPassword
> >         timeout = 4
> >         timelimit = 3
> >         net_timeout = 1
> > }
> >
> > And here are my slapd access rules:
> >
> > access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=userPassword
> >         by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
> >         by self write
> >         by * auth
> >
> > access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=ntPassword
> >         by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
> >         by self write
> >         by * auth
> >
> > access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=lmPassword
> >         by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
> >         by self write
> >         by * auth
> >
> > If I remember well (long time since I've reconfigured OpenLDAP) the write perm
> > also allows read? Since I didn't configure any user in the ldap section of
> > radiusd, isn't it supposed to log in to the LDAP server with the username/passwd
> > received by radiusd, and grab the user password, which should be possible since
> > it has write (read?) perm?
> >
> > Thanks for your help
> >
> > --
> > Arnauld Dravet
>
> No, you need to add a user to do the search for the user logging in.
> Since you don't allow anonymous reads, you'll need to create a user with
> read access.
>
> So, first change the ldap section to include something like
>
> identity = "cn=freeradius,dc=mtp,dc=epsi,dc=fr"
> password = password
>
> Then in slapd.conf add something like
>
> access to dn.subtree="ou=Users,dc=mtp,dc=epsi,dc=fr"
>         by "cn=freeradius,dc=mtp,dc=epsi,dc=fr" read
>         by self write
>         by * auth
>
> Then add the freeradius user to ldap
>
> $ ldapadd -D "cn=root,dc=mtp,dc=epsi,dc=fr" -W
> dn: cn=freeradius,dc=mtp,dc=epsi,dc=fr
> objectclass: person
> cn: freeradius
> sn: freeradius
> userpassword: password
> objectclass: person
>
> Hope that helps
>
> Dusty Doris

--
Arnauld Dravet
Network Administrator & Algorithmics Lecturer
EPSI Montpellier
499, Rue de la croix verte
34196 Montpellier Cedex 5
Tel. reception/direct: 04.67.04.2001 / 04.67.04.0008
Fax: 04.67.63.90.83
Re: FreeRadius/LDAP conf : little problem
Selon Alan DeKok <[EMAIL PROTECTED]>:

> Something other than EAP-MD5.
>
> LEAP should work.
>
> As an alternative, you could try storing NT passwords. That will
> allow LEAP & MS-CHAP to work.

Okay, I'm not really into Win stuff .. ntPassword fields seem encrypted since I can't "read" them with my eyes, but I think it's just a hash or something. Isn't it the regular way to store NT passwords?

Anyway, here is my ldap section in radiusd.conf:

ldap {
        server = "192.168.1.6"
        basedn = "ou=Users,dc=mtp,dc=epsi,dc=fr"
        filter = "(&(objectclass=posixAccount)(uid=%u))"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = ntPassword   #<--- I changed this one just to try it
                                          #     out, it was originally userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

And here are my slapd access rules:

access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=userPassword
        by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
        by self write
        by * auth

access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=ntPassword
        by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
        by self write
        by * auth

access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=lmPassword
        by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
        by self write
        by * auth

If I remember well (long time since I've reconfigured OpenLDAP) the write perm also allows read? Since I didn't configure any user in the ldap section of radiusd, isn't it supposed to log in to the LDAP server with the username/passwd received by radiusd, and grab the user password, which should be possible since it has write (read?) perm?

Thanks for your help

--
Arnauld Dravet
Re: FreeRadius/LDAP conf : little problem
> > Then you can't do CHAP or EAP-MD5, which is basically CHAP.
>
> Yup. EAP-MD5 doesn't work.

Hmm .. I think I've read docs where I understood people were using the Samba schema without problems ... What am I supposed to use to make it possible? LEAP returns the same error with the missing User-Password attribute .. And I can't store clear passwords in the directory.

I'll paste the ldap section in one hour, I can't have access to it at the moment ..

--
Arnauld Dravet
FreeRadius/LDAP conf : little problem
Hello,

I'm facing some kind of configuration troubles with freeradius and OpenLDAP. I got a new Access Point which I'm trying to use with 802.1x auth. I'm using a classical samba/qmail LDAP schema so that users in the company can authenticate against LDAP with Windows/Linux workstations. Basically, I got 3 password fields, lmPassword, ntPassword, and userPassword. All of them are encrypted, and there is no "0x" in front of the ntPassword.

The ldap section in radiusd.conf seems to be ok, the connection is done, and I've set the password_attribute to "userPassword" and later to "ntPassword" to check if it changed anything to the problem (no).

Other sections I'm using:

authorize {
        preprocess
        auth_log
        ldap
        eap
}

authenticate {
        eap
}

Now, when I set up a 802.1x client, the AP connects to the radius server and here is the debug output:

Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.6.3:1134, id=71, length=172
        NAS-IP-Address = 192.168.6.3
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Framed-MTU = 1400
        User-Name = "arnauld.dravet"
        Calling-Station-Id = "00904b625711"
        Called-Station-Id = "000d54fc1807"
        NAS-Identifier = "EPSI AP1"
        State = 0xa63191155f9268efbcad3167d4e42e90
        EAP-Message = 0x0202002404105f6aa1f2ca8bfe0b6efc3da31527335861726e61756c642e647261766574
        Message-Authenticator = 0xb917bedaab691dda63cd4364b2d93ae8
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
radius_xlat: '/var/log/radius/radacct/192.168.6.3/auth-detail-20040618'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.6.3/auth-detail-20040618
modcall[authorize]: module "auth_log" returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for arnauld.dravet
radius_xlat: '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
radius_xlat: 'ou=Users,dc=mtp,dc=epsi,dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter (&(objectclass=posixAccount)(uid=arnauld.dravet))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user arnauld.dravet authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 3
rlm_eap: EAP packet type response id 2 length 36
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type LDAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'arnauld.dravet'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/md5
rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 3
modcall: group authenticate returns invalid for request 3
auth: Failed to validate the user.
Login incorrect: [arnauld.dravet/] (from client ap1 port 1 cli 00904b625711)
Delaying request 3 for 2 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 71 to 192.168.6.3:1134
        EAP-Message = 0x04020004
        Message-Authenticator = 0x
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 70 with timestamp 40d298d0
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 71 with timestamp 40d298d1
Nothing to do. Sleeping until we see a request.

It's been two days I'm stuck on this problem, I think I've read all the documentation and mailing list archives .. I've tried different things, but it still finishes with a message saying it misses the User-Password attribute ... I've of course also tried to use ldap in the authenticate section. I tested the initial config with radtest and it worked fine when I used ldap in the authenticate section, because radtest won't use EAP ...

Thanks for any help you can give :)

--
Arnauld Dravet
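The two recurring questions in this thread are whether ntPassword needs the "0x" prefix that radiusd.conf mentions, and why EAP-MD5 keeps failing with "User-Password is required for EAP-MD5 authentication" even though the directory holds {CRYPT}, LM and NT hashes. The following Python block is an added illustration written for this page; it is not code from the thread, from FreeRADIUS or from Samba. It implements MD4 itself (hashlib's md4 depends on the OpenSSL build), derives the NT hash the way smbpasswd stores it (MD4 over the UTF-16LE password), normalises the stored attribute with or without the "0x" prefix, and then contrasts what a server can verify from that hash (a cleartext PAP password, and by extension MS-CHAP, which only ever uses the NT hash) against a CHAP/EAP-MD5 response, which is MD5(id || cleartext || challenge) and cannot be recomputed from any stored hash. The LDAP entry, the password "password", the EAP identifier and the challenge are constructed sample values; `verify_eap_md5` mirrors the refusal seen in the log but is not rlm_eap_md5's code.

```python
# Added example for this thread (not FreeRADIUS or Samba code): what a RADIUS
# server can and cannot verify from ntPassword / userPassword style attributes.
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest, pure Python."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers for the next step
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash as smbpasswd writes it into ntPassword / sambaNTPassword."""
    return md4(password.encode("utf-16-le"))


def normalize_nt_password(value: str) -> bytes:
    """Accept the attribute as smbldap-tools store it (32 hex chars) or with the
    optional "0x" prefix from radiusd.conf; return the 16 raw hash bytes."""
    v = value.strip()
    if v[:2].lower() == "0x":
        v = v[2:]
    if len(v) != 32:
        raise ValueError("NT-Password must be 32 hex characters, got %d" % len(v))
    return bytes.fromhex(v)


def pap_matches_nt_password(stored_value: str, cleartext: str) -> bool:
    """With a PAP (cleartext) User-Password on the wire, the server can hash the
    candidate and compare it to the stored NT hash; no cleartext in LDAP needed."""
    return hmac.compare_digest(normalize_nt_password(stored_value), nt_hash(cleartext))


def chap_response(ident: int, cleartext: str, challenge: bytes) -> bytes:
    """Supplicant side of CHAP / EAP-MD5 (RFC 1994): MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + cleartext.encode("utf-8") + challenge).digest()


def verify_eap_md5(entry: dict, ident: int, challenge: bytes, response: bytes):
    """Server side of EAP-MD5 against a directory entry; returns (ok, reason).
    Only a cleartext value mapped to User-Password lets the server recompute the
    response. A {CRYPT} or NT hash cannot be turned back into the secret, so the
    check is refused, which is what the thread's log line reports."""
    cleartext = entry.get("User-Password")
    if cleartext is None:
        return False, "User-Password is required for EAP-MD5 authentication"
    return hmac.compare_digest(chap_response(ident, cleartext, challenge), response), "ok"


# Constructed entry in the shape the thread's ldap.attrmap produces. The crypt
# value is a labelled placeholder, not real crypt(3) output; the NT hash is
# computed from the constructed password below.
CONSTRUCTED_PASSWORD = "password"
CONSTRUCTED_ENTRY = {
    "Crypt-Password": "{CRYPT}PLACEHOLDER-NOT-A-REAL-HASH",
    "NT-Password": "0x" + nt_hash(CONSTRUCTED_PASSWORD).hex().upper(),
}


def demo() -> dict:
    """Outcome of each verification path for the constructed entry."""
    ident, challenge = 7, bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    response = chap_response(ident, CONSTRUCTED_PASSWORD, challenge)  # what the supplicant sends
    return {
        "pap_vs_nt_hash": pap_matches_nt_password(CONSTRUCTED_ENTRY["NT-Password"], CONSTRUCTED_PASSWORD),
        "pap_wrong_password": pap_matches_nt_password(CONSTRUCTED_ENTRY["NT-Password"], "wrong"),
        "eap_md5_from_hashes": verify_eap_md5(CONSTRUCTED_ENTRY, ident, challenge, response),
        "eap_md5_with_cleartext": verify_eap_md5({"User-Password": CONSTRUCTED_PASSWORD}, ident, challenge, response),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `pap_wrong_password` and `eap_md5_from_hashes` results are the point: the NT hash lets the server answer yes or no to a cleartext password without the directory ever holding cleartext, whereas EAP-MD5 is refused before any comparison because the server has nothing to feed into MD5. That is the same reason Alan DeKok's reply steers the thread away from EAP-MD5 and towards NT-Password based methods (LEAP, MS-CHAP, and later PEAP/TTLS with MS-CHAPv2 inside).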