PAP authentication and multiple LDAP userpassword attributes
Hi,
I'm working on upgrading from FR 1.1.7 to FR 2.1.3.
I use FR for EAP-TTLS/PAP authentication with LDAP.
FR 1.1.7 successfully authenticates users with multiple LDAPuserpassword
attributes which are stored with crypt and/or MD5 hash, the passwords
are not the same (even it's better if the are) :
###
[...]
rlm_ldap: performing user authorization for mylogin
radius_xlat: '((uid=mylogin)(udsradiusProfileWifi=*))'
radius_xlat: 'ou=people,o=annuaire'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=annuaire, with filter
((uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire,
with filter (objectclass=radiusprofile)
rlm_ldap: Added password {MD5}x in check items
rlm_ldap: Added password {crypt}x in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module LDAP_OSIRIS returns ok for request 29
modcall: leaving group LDAP_OSIRIS (returns ok) for request 29
rad_check_password: Found Auth-Type LDAP_OSIRIS
auth: type LDAP_OSIRIS
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP_OSIRIS for request 29
rlm_ldap: - authenticate
rlm_ldap: login attempt by saillard with password mycleartextpassword
rlm_ldap: user DN: uid=mylogin,ou=uds,ou=people,o=annuaire
rlm_ldap: (re)connect to ldaps://ldapuds.u-strasbg.fr, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as uid=mylogin,ou=uds,ou=people,o=annuaire/polopackvih+
to ldaps://ldapuds.u-strasbg.fr
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user mylogin authenticated succesfully
[...]
###
Now with FR 2.1.3, it looks like only the first password attribute is used :
###
[...]
[ldap] expand:
((uid=%{Stripped-User-Name:-%{User-Name}})(udsradiusProfileWifi=*)) -
((uid=mylogin)(udsradiusProfileWifi=*))
[ldap] expand: ou=people,o=annuaire - ou=people,o=annuaire
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=annuaire, with filter
((uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire,
with filter (objectclass=radiusprofile)
[ldap] Added User-Password = {crypt}x in check items
[ldap] Added User-Password = {MD5}x in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[pap] returns updated
Found Auth-Type = PAP
+- entering group authenticate {...}
[pap] login attempt with password mycleartextpassword
[pap] Using CRYPT encryption.
[pap] Passwords don't match
[...]
###
Is there a way to tell FR to try with others attributes ?
My configuration is quite simple, here's my
sites-enabled/proxy-inner-tunnel :
server proxy-inner-tunnel {
authorize {
eap
ldap
pap
}
authenticate {
eap
pap
}
post-proxy {
eap
}
}
And the pap modules :
pap {
auto_header = yes
}
Any clue ?
Thanks
--
---
Christophe Saillard
Université de Strasbourg
Direction Informatique
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Unresponsive child and accounting
Hi,
I use freeradius (1.1.7) to authenticate wireless users (EAP-TTLS/PAP)
with an OpenLDAP backend.
Our first experience with Freeradius on a FreeBSD server was a nightmare
(it seemed to be a thread related problem, the server stopped working
with a lot of unresponsive child error logs).
So, we tried on a Linux server (kernel 2.6.22-14-server ubuntu feisty
fawn) and it worked fine since last week :
Wed Nov 21 15:33:21 2007 : Auth: Login OK: [] (from client localhost
port 576353 cli 001c.bf09.480c)
Wed Nov 21 15:33:21 2007 : Auth: Login OK: [EMAIL PROTECTED] (from
client wds3 port 576353 cli 001c.bf09.480c)
Wed Nov 21 15:33:22 2007 : Error: WARNING: Unresponsive child (id
3046112160) for request 2419782 (in component accounting module rlm_radutmp)
Wed Nov 21 15:33:22 2007 : Error: WARNING: Unresponsive child (id
2841623456) for request 2419798 (in component accounting module rlm_radutmp)
The CPU went up to 100%.
There was about 300 802.1X clients connected (with a 2 minutes reauth
period).
At this time we had no other choice than upgrading the hardware, it runs
now on a 8 processor server but even with more CPU power we noticed a
20% system load.
Here's the threading part of the radiusd.conf :
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1000
thread pool {
start_servers = 10
max_servers = 1000
min_spare_servers = 15
max_spare_servers = 30
max_requests_per_server = 300
}
I don't know if it's relevant but there were about 80 Eduroam users
connected when the problem happens.
Thanks.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Unresponsive child problem
Oct 16 14:38:23 2006 : Error: WARNING: Unresponsive child (id
138504704) for request 193266
Mon Oct 16 14:38:23 2006 : Error: WARNING: Unresponsive child (id
137850880) for request 193274
Mon Oct 16 14:38:23 2006 : Error: Discarding duplicate request from
client wds3:1645 - ID: 74 due to unfinished request 193334
Mon Oct 16 14:38:24 2006 : Error: TLS Alert write:fatal:bad record mac
Mon Oct 16 14:38:24 2006 : Error: TLS_accept:error in SSLv3 read
certificate verify A
Mon Oct 16 14:38:24 2006 : Error: rlm_eap: SSL error error:1408F455:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Mon Oct 16 14:38:24 2006 : Error: rlm_radutmp: Login entry for NAS
atrium-ap4 port 2330 wrong order
Mon Oct 16 14:38:24 2006 : Error: rlm_eap_tls: SSL_read failed in a
system call (-1), TLS session fails.
Mon Oct 16 14:38:25 2006 : Error: rlm_radutmp: Login entry for NAS
sceco-ap10 port 5125 wrong order
Mon Oct 16 14:38:25 2006 : Auth: Login OK: [cwang] (from client
localhost port 385201 cli 0013.0212.0e66)
Mon Oct 16 14:38:25 2006 : Error: rlm_eap: Either EAP-request timed out
OR EAP-response to an unknown EAP-request
Mon Oct 16 14:38:25 2006 : Auth: Login incorrect: [anonymous] (from
client wds6 port 38777 cli 0013.cedc.d1b9)
Mon Oct 16 14:38:25 2006 : Error: rlm_radutmp: Logout for NAS sceco-ap10
port 5125, but no Login record
Mon Oct 16 14:38:26 2006 : Info: rlm_radutmp: Login entry for NAS
dpt-info-ap5 port 618 duplicate
Mon Oct 16 14:38:26 2006 : Error: rlm_eap: Either EAP-request timed out
OR EAP-response to an unknown EAP-request
Mon Oct 16 14:38:26 2006 : Auth: Login incorrect: [anonymous] (from
client wds3 port 385204 cli 0015.0046.7656)
Mon Oct 16 14:38:26 2006 : Error: rlm_eap: Either EAP-request timed out
OR EAP-response to an unknown EAP-request
Mon Oct 16 14:38:26 2006 : Auth: Login incorrect: [anonymous] (from
client wds4 port 226564 cli 0009.5b95.74a3)
Mon Oct 16 14:38:27 2006 : Error: rlm_eap: Either EAP-request timed out
OR EAP-response to an unknown EAP-request
Mon Oct 16 14:38:27 2006 : Auth: Login incorrect: [anonymous] (from
client wds4 port 226578 cli 0013.02be.2994)
Mon Oct 16 14:38:27 2006 : Error: TLS_accept:error in SSLv3 read
client certificate A
--
The only way to get authentication working is to kill and restart
Freeradius.
Here's the ldap configuration for freeradius :
ldap LDAP_OSIRIS {
server = ldap://bton.u-strasbg.fr;
basedn = ou=personnes,o=osiris
filter =
((uid=%{Stripped-User-Name:-%{User-Name}})(radiusProfileWifi=*))
start_tls = no
profile_attribute = radiusProfileWifi
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 20
password_attribute = userPassword
groupname_attribute = radiusGroupNameWifi
groupmembership_filter =
(uid=%{Stripped-User-Name:-%{User-Name}})
timeout = 7
timelimit = 3
net_timeout = 1
}
When we get the Unresponsive child messages the server doesn't seem to
be very busy ... strange.
The ldap server is only used by Freeradius ...
Any ideas ?
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Accounting Problem with Cisco WDS
Hello,
When WDS is activated, all EAP requests coming from APs are proxied by
the WDS master, there's no authentication
problem (it works fine with TTLS/PAP and PEAP/MS-CHAPv2) but the
username in the accounting detail files is replaced
by the MAC address of the supplicant (the same as calling-station-id).
Is their a way to have the real username in accounting in this case
(with WDS) ?
Here is the users files :
anonymous Auth-type := EAP
DEFAULT Freeradius-Proxied-To == 127.0.0.1
User-Name = `%{User-Name}`,
Fall-Through = Yes
$INCLUDE /usr/local/etc/raddb/ULP_USERS/crc.users
$INCLUDE /usr/local/etc/raddb/ULP_USERS/crc.invites.users
$INCLUDE /usr/local/etc/raddb/ULP_USERS/dpt-info.etudiant.users
$INCLUDE /usr/local/etc/raddb/ULP_USERS/dpt-info.prof.users
DEFAULT Auth-Type := Reject
Fall-Through = No
I use this configuration to rewrite the tunneled identity in
accounting otherwise I get anonymous
for all usernames, it works without WDS
Thanks.
Bye.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Here's what I've to put in the users file to make it work :
DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
User-Name = `%{User-Name}`,
Fall-Through = no
But now PEAP/MSCHAPv2 doesn't work...
If you had read the debug log, you would see WHY it doesn't work.
Repeat it like a mantra: If you're not sure, DO NOT SET AUTH-TYPE.
When I do not set Auth-Type TTLS/PAP works with users stored in the users files,
PEAP/Ms-chap-v2 works with users from LDAP storage, but TTLS/PAP from LDAP doesn't
work
The server will figure it out on it's own.
Alan DeKok.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Hi,
Now I've a working TTLS/PAP with LDAP storage configuration ;-)
Here's what I've to put in the users file to make it work :
DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
User-Name = `%{User-Name}`,
Fall-Through = no
But now PEAP/MSCHAPv2 doesn't work...I've try a lot of combination
(Auth-Type := MSCHAP Fall-Through = yes ...)
but none seem to work...if someone has a clue ;-)
Thanks for all !
Bye.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LDAP and Dynamic VLAN
Hello, I've a TTLS/PAP working configuration with dynamic VLAN allocation. Here's a sample of the users file : userX Crypt-Password == $1$ Tunnel-Type:1 = 13, Tunnel-Medium-Type:1 = 6, Tunnel-Private-Group-ID:1 = 4 At the authentication's end the NAS put the userX in the vlan 4. Now I'd like to do the same with user coming from LDAP storagebut I don't know where to begin : How can I get a group attribute from LDAP and match this with a VLAN id which will be send to the NAS ? Thanks. -- --- Christophe Saillard Centre Réseau Communication Université Louis Pasteur --- Tél : 03 90 24 03 17 Fax : 03 90 24 03 12 --- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Using Freeradius with LDAP storage and EAP-TTLS authentication
Hello, For the moment I use Freeradius with EAP-TTLS and it works fine...now I'd like to get users credentials form an existing LDAP database. The LDAP server sends me a valable MD5 hashed password but I think something failed in my users file configuration. Does someone have such a working configuration ? If so, can you send a copy ? Thanks. Bye. -- --- Christophe Saillard Centre Réseau Communication Université Louis Pasteur --- Tél : 03 90 24 03 17 Fax : 03 90 24 03 12 --- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Thanks for your help. I think I'm not far from the end but I still have problems. Here's the debug logs : [...] Fri Jun 18 14:11:17 2004 : Debug: rlm_ldap: performing search in dc=u-strasbg,dc=fr, with filter (uid=csaillard) request 6 done Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: Added password $1$QEnpt.4f$nixixczJ/xu0CnyuvaTLV/ in check items Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for check items in directory... Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for reply items in directory... Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: user csaillard authorized to use remote access Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Fri Jun 18 14:11:31 2004 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 4 Fri Jun 18 14:11:31 2004 : Debug: modcall[authorize]: module ldap returns ok for request 4 Fri Jun 18 14:11:31 2004 : Debug: modcall: group authorize returns updated for request 4 Fri Jun 18 14:11:31 2004 : Debug: rad_check_password: Found Auth-Type EAP Fri Jun 18 14:11:31 2004 : Debug: auth: type EAP Fri Jun 18 14:11:31 2004 : Debug: Processing the authenticate section of radiusd.conf Fri Jun 18 14:11:31 2004 : Debug: modcall: entering group Auth-Type for request 4 Fri Jun 18 14:11:31 2004 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 4 Fri Jun 18 14:11:31 2004 : Debug: rlm_eap: Request not found in the list Fri Jun 18 14:11:31 2004 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request Fri Jun 18 14:11:31 2004 : Debug: rlm_eap: Failed in handler Fri Jun 18 14:11:31 2004 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 4 Fri Jun 18 14:11:31 2004 : Debug: modcall[authenticate]: module eap returns invalid for request 4 Fri Jun 18 14:11:31 2004 : Debug: modcall: group Auth-Type returns invalid for request 4 Fri Jun 18 14:11:31 2004 : Debug: auth: Failed to validate the user. [...] I use TTLS/PAP for authentication, so you can see that the LDAP server sends MD5 hased password...but I'm not sure that's what I need Could you tell me what kind of EAP method you use, with what type of password's hash ? Thanks for help ! Bye. -- --- Christophe Saillard Centre Réseau Communication Université Louis Pasteur --- Tél : 03 90 24 03 17 Fax : 03 90 24 03 12 --- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Using Freeradius with LDAP storage and EAP-TTLS authentication
And you set Auth-Type = EAP. DON'T DO THAT. The eap.conf file has BIG HUGE COMMENTS saying DON'T DO THAT. It really means DON'T DO THAT. You're doing the exact opposite of what the documentation says, and as a result, it's not working. You might try following the recommendations of the server, which WILL allow it to work. Alan DeKok. Ok. Sorry for being such a fool... Here's what I want to do : For the moment I've a running freeradius EAP-TTLS/PAP configuration which works fine. Now I'd like to get credentials from an existing LDAP user storage instead of the Freeradius users file (I store MD5 hashed password to have PAP compatibility). The Ldap bind is ok and I got correct uid and password when I launch a 802.1X request from a laptop client. But there's some particular things I need to know : - how do I have to store password in the LDAP database (because I'd like to use TTLS/PAP) : crypt/MD5 hashed, clear text ? - what do I have to put in the users file ? (I know that auth-type := EAP is wrong) ? - if it's not possible to have TTLS/PAP authentication what can I do else (PEAP/Mschapv2 ...) ? I hope my questions are not to stupid. Thanks. -- --- Christophe Saillard Centre Réseau Communication Université Louis Pasteur --- Tél : 03 90 24 03 17 Fax : 03 90 24 03 12 --- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Using MD5 hashed passwords
Hi, Here's what I want to do : - EAP-TTLS or PEAP authentication with login/password in the second phase (no EAP-TLS) - Users are stored in the local Freeradius Database with Crypt-password attributes (MD5 hashed, because logins and passwords come from a Unix User Database) - Authentication leads to assign users in a correct VLAN (Tunnel-Type ... attributes) I've succeed with PEAP/MSCHAPv2 authentication but my password was in clear-text (with Meetinghouse Aegis Client)... If you have any clue (configuration examples ...) I'll be very happy !! -- Christophe. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
