PAP authentication and multiple LDAP userpassword attributes
Hi,

I'm working on upgrading from FR 1.1.7 to FR 2.1.3. I use FR for EAP-TTLS/PAP authentication with LDAP. FR 1.1.7 successfully authenticates users with multiple LDAP userPassword attributes, which are stored with crypt and/or MD5 hashes; the passwords are not the same (even if it's better if they are):

###
[...]
rlm_ldap: performing user authorization for mylogin
radius_xlat: '((uid=mylogin)(udsradiusProfileWifi=*))'
radius_xlat: 'ou=people,o=annuaire'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=annuaire, with filter ((uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire, with filter (objectclass=radiusprofile)
rlm_ldap: Added password {MD5}x in check items
rlm_ldap: Added password {crypt}x in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module LDAP_OSIRIS returns ok for request 29
modcall: leaving group LDAP_OSIRIS (returns ok) for request 29
rad_check_password: Found Auth-Type LDAP_OSIRIS
auth: type LDAP_OSIRIS
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP_OSIRIS for request 29
rlm_ldap: - authenticate
rlm_ldap: login attempt by saillard with password mycleartextpassword
rlm_ldap: user DN: uid=mylogin,ou=uds,ou=people,o=annuaire
rlm_ldap: (re)connect to ldaps://ldapuds.u-strasbg.fr, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as uid=mylogin,ou=uds,ou=people,o=annuaire/polopackvih+ to ldaps://ldapuds.u-strasbg.fr
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user mylogin authenticated succesfully
[...]
###

Now with FR 2.1.3, it looks like only the first password attribute is used:

###
[...]
[ldap] expand: ((uid=%{Stripped-User-Name:-%{User-Name}})(udsradiusProfileWifi=*)) - ((uid=mylogin)(udsradiusProfileWifi=*))
[ldap] expand: ou=people,o=annuaire - ou=people,o=annuaire
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=annuaire, with filter ((uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire, with filter (objectclass=radiusprofile)
[ldap] Added User-Password = {crypt}x in check items
[ldap] Added User-Password = {MD5}x in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[pap] returns updated
Found Auth-Type = PAP
+- entering group authenticate {...}
[pap] login attempt with password mycleartextpassword
[pap] Using CRYPT encryption.
[pap] Passwords don't match
[...]
###

Is there a way to tell FR to try the other attributes?

My configuration is quite simple; here's my sites-enabled/proxy-inner-tunnel:

server proxy-inner-tunnel {
	authorize {
		eap
		ldap
		pap
	}
	authenticate {
		eap
		pap
	}
	post-proxy {
		eap
	}
}

And the pap module:

pap {
	auto_header = yes
}

Any clue?

Thanks

-- 
---
Christophe Saillard
Université de Strasbourg
Direction Informatique
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
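The verification that the post wants pap to repeat for every userPassword value, written out in Python as an added example (it is not FreeRADIUS code and not the poster's): it selects the hash algorithm from the LDAP {scheme} header the way auto_header does, and then tries each check item in turn instead of stopping at the first one. The hash values are constructed for the example; the {crypt} branch relies on Python's crypt module, which recent Python releases no longer ship.

```python
import base64
import hashlib
import hmac
import re

# Shape of the check items rlm_ldap adds from userPassword: "{scheme}value".
HEADER_RE = re.compile(r"^\{(\w+)\}(.*)$", re.DOTALL)


def ldap_md5(password: str) -> str:
    """Encode a password the LDAP {MD5} way: base64 of the raw digest, not hex."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def ldap_ssha(password: str, salt: bytes) -> str:
    """Encode a password the LDAP {SSHA} way: base64(sha1(password + salt) + salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()


def check_item_matches(check_item: str, cleartext: str) -> bool:
    """Verify one check item against the PAP cleartext, choosing the algorithm from
    the {scheme} header. Unknown schemes and undecodable values are rejected."""
    m = HEADER_RE.match(check_item)
    pw = cleartext.encode()
    if not m:  # no header: behaves like a Cleartext-Password check item
        return hmac.compare_digest(check_item.encode(), pw)
    scheme, body = m.group(1).upper(), m.group(2)
    try:
        if scheme == "CLEAR":
            return hmac.compare_digest(body.encode(), pw)
        if scheme == "CRYPT":
            import crypt  # crypt(3) wrapper; missing on Python 3.13+, then we reject
            res = crypt.crypt(cleartext, body)  # None/garbage on an invalid salt
            return bool(res) and hmac.compare_digest(res.encode(), body.encode())
        raw = base64.b64decode(body, validate=True)  # "{MD5}x" fails here
        if scheme == "MD5":
            return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
        if scheme == "SSHA":  # 20-byte SHA-1 digest followed by the salt
            return hmac.compare_digest(hashlib.sha1(pw + raw[20:]).digest(), raw[:20])
    except (ImportError, ValueError):
        return False
    return False  # default deny for schemes we do not know


def first_matching_item(check_items, cleartext: str):
    """Try every User-Password check item in order; return the index of the first
    one that verifies, or None. This is the "try the other attributes" behaviour."""
    for i, item in enumerate(check_items):
        if check_item_matches(item, cleartext):
            return i
    return None
```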
Unresponsive child and accounting
Hi,

I use freeradius (1.1.7) to authenticate wireless users (EAP-TTLS/PAP) with an OpenLDAP backend. Our first experience with Freeradius on a FreeBSD server was a nightmare (it seemed to be a thread-related problem; the server stopped working with a lot of unresponsive child error logs). So, we tried on a Linux server (kernel 2.6.22-14-server, Ubuntu Feisty Fawn) and it worked fine since last week:

Wed Nov 21 15:33:21 2007 : Auth: Login OK: [] (from client localhost port 576353 cli 001c.bf09.480c)
Wed Nov 21 15:33:21 2007 : Auth: Login OK: [EMAIL PROTECTED] (from client wds3 port 576353 cli 001c.bf09.480c)
Wed Nov 21 15:33:22 2007 : Error: WARNING: Unresponsive child (id 3046112160) for request 2419782 (in component accounting module rlm_radutmp)
Wed Nov 21 15:33:22 2007 : Error: WARNING: Unresponsive child (id 2841623456) for request 2419798 (in component accounting module rlm_radutmp)

The CPU went up to 100%. There were about 300 802.1X clients connected (with a 2 minute reauth period). At this time we had no other choice than upgrading the hardware; it now runs on an 8-processor server, but even with more CPU power we noticed a 20% system load.

Here's the threading part of the radiusd.conf:

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1000
thread pool {
	start_servers = 10
	max_servers = 1000
	min_spare_servers = 15
	max_spare_servers = 30
	max_requests_per_server = 300
}

I don't know if it's relevant, but there were about 80 Eduroam users connected when the problem happened.

Thanks.

-- 
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
Unresponsive child problem
Oct 16 14:38:23 2006 : Error: WARNING: Unresponsive child (id 138504704) for request 193266
Mon Oct 16 14:38:23 2006 : Error: WARNING: Unresponsive child (id 137850880) for request 193274
Mon Oct 16 14:38:23 2006 : Error: Discarding duplicate request from client wds3:1645 - ID: 74 due to unfinished request 193334
Mon Oct 16 14:38:24 2006 : Error: TLS Alert write:fatal:bad record mac
Mon Oct 16 14:38:24 2006 : Error: TLS_accept:error in SSLv3 read certificate verify A
Mon Oct 16 14:38:24 2006 : Error: rlm_eap: SSL error error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Mon Oct 16 14:38:24 2006 : Error: rlm_radutmp: Login entry for NAS atrium-ap4 port 2330 wrong order
Mon Oct 16 14:38:24 2006 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Mon Oct 16 14:38:25 2006 : Error: rlm_radutmp: Login entry for NAS sceco-ap10 port 5125 wrong order
Mon Oct 16 14:38:25 2006 : Auth: Login OK: [cwang] (from client localhost port 385201 cli 0013.0212.0e66)
Mon Oct 16 14:38:25 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Oct 16 14:38:25 2006 : Auth: Login incorrect: [anonymous] (from client wds6 port 38777 cli 0013.cedc.d1b9)
Mon Oct 16 14:38:25 2006 : Error: rlm_radutmp: Logout for NAS sceco-ap10 port 5125, but no Login record
Mon Oct 16 14:38:26 2006 : Info: rlm_radutmp: Login entry for NAS dpt-info-ap5 port 618 duplicate
Mon Oct 16 14:38:26 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Oct 16 14:38:26 2006 : Auth: Login incorrect: [anonymous] (from client wds3 port 385204 cli 0015.0046.7656)
Mon Oct 16 14:38:26 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Oct 16 14:38:26 2006 : Auth: Login incorrect: [anonymous] (from client wds4 port 226564 cli 0009.5b95.74a3)
Mon Oct 16 14:38:27 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Oct 16 14:38:27 2006 : Auth: Login incorrect: [anonymous] (from client wds4 port 226578 cli 0013.02be.2994)
Mon Oct 16 14:38:27 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
--

The only way to get authentication working is to kill and restart Freeradius.

Here's the ldap configuration for freeradius:

ldap LDAP_OSIRIS {
	server = ldap://bton.u-strasbg.fr;
	basedn = ou=personnes,o=osiris
	filter = ((uid=%{Stripped-User-Name:-%{User-Name}})(radiusProfileWifi=*))
	start_tls = no
	profile_attribute = radiusProfileWifi
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	ldap_connections_number = 20
	password_attribute = userPassword
	groupname_attribute = radiusGroupNameWifi
	groupmembership_filter = (uid=%{Stripped-User-Name:-%{User-Name}})
	timeout = 7
	timelimit = 3
	net_timeout = 1
}

When we get the Unresponsive child messages the server doesn't seem to be very busy... strange. The ldap server is only used by Freeradius...

Any ideas?

-- 
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
Accounting Problem with Cisco WDS
Hello,

When WDS is activated, all EAP requests coming from APs are proxied by the WDS master. There's no authentication problem (it works fine with TTLS/PAP and PEAP/MS-CHAPv2), but the username in the accounting detail files is replaced by the MAC address of the supplicant (the same as Calling-Station-Id). Is there a way to have the real username in accounting in this case (with WDS)?

Here is the users file:

anonymous	Auth-type := EAP

DEFAULT	Freeradius-Proxied-To == 127.0.0.1
	User-Name = `%{User-Name}`,
	Fall-Through = Yes

$INCLUDE /usr/local/etc/raddb/ULP_USERS/crc.users
$INCLUDE /usr/local/etc/raddb/ULP_USERS/crc.invites.users
$INCLUDE /usr/local/etc/raddb/ULP_USERS/dpt-info.etudiant.users
$INCLUDE /usr/local/etc/raddb/ULP_USERS/dpt-info.prof.users

DEFAULT	Auth-Type := Reject
	Fall-Through = No

I use this configuration to rewrite the tunneled identity in accounting; otherwise I get anonymous for all usernames. It works without WDS.

Thanks. Bye.

-- 
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
> > Here's what I have to put in the users file to make it work:
> >
> > DEFAULT	Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
> > 	User-Name = `%{User-Name}`,
> > 	Fall-Through = no
> >
> > But now PEAP/MSCHAPv2 doesn't work...
>
> If you had read the debug log, you would see WHY it doesn't work.
>
> Repeat it like a mantra: If you're not sure, DO NOT SET AUTH-TYPE.

When I do not set Auth-Type, TTLS/PAP works with users stored in the users file and PEAP/MS-CHAPv2 works with users from LDAP storage, but TTLS/PAP from LDAP doesn't work.

> The server will figure it out on its own.
>
> Alan DeKok.

-- 
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Hi,

Now I have a working TTLS/PAP with LDAP storage configuration ;-)

Here's what I have to put in the users file to make it work:

DEFAULT	Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
	User-Name = `%{User-Name}`,
	Fall-Through = no

But now PEAP/MSCHAPv2 doesn't work... I've tried a lot of combinations (Auth-Type := MSCHAP, Fall-Through = yes ...) but none seem to work... if someone has a clue ;-)

Thanks for all!

Bye.

-- 
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
LDAP and Dynamic VLAN
Hello,

I have a working TTLS/PAP configuration with dynamic VLAN allocation. Here's a sample of the users file:

userX	Crypt-Password == $1$
	Tunnel-Type:1 = 13,
	Tunnel-Medium-Type:1 = 6,
	Tunnel-Private-Group-ID:1 = 4

At the end of authentication the NAS puts userX in VLAN 4.

Now I'd like to do the same with users coming from LDAP storage, but I don't know where to begin: how can I get a group attribute from LDAP and match it with a VLAN id which will be sent to the NAS?

Thanks.

-- 
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
Using Freeradius with LDAP storage and EAP-TTLS authentication
Hello,

For the moment I use Freeradius with EAP-TTLS and it works fine... Now I'd like to get user credentials from an existing LDAP database. The LDAP server sends me a valid MD5 hashed password, but I think something failed in my users file configuration. Does someone have such a working configuration? If so, can you send a copy?

Thanks. Bye.

-- 
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
Re: Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Thanks for your help. I think I'm not far from the end, but I still have problems. Here's the debug log:

[...]
Fri Jun 18 14:11:17 2004 : Debug: rlm_ldap: performing search in dc=u-strasbg,dc=fr, with filter (uid=csaillard)
request 6 done
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: Added password $1$QEnpt.4f$nixixczJ/xu0CnyuvaTLV/ in check items
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for check items in directory...
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for reply items in directory...
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: user csaillard authorized to use remote access
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jun 18 14:11:31 2004 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall[authorize]: module ldap returns ok for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall: group authorize returns updated for request 4
Fri Jun 18 14:11:31 2004 : Debug: rad_check_password: Found Auth-Type EAP
Fri Jun 18 14:11:31 2004 : Debug: auth: type EAP
Fri Jun 18 14:11:31 2004 : Debug: Processing the authenticate section of radiusd.conf
Fri Jun 18 14:11:31 2004 : Debug: modcall: entering group Auth-Type for request 4
Fri Jun 18 14:11:31 2004 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 4
Fri Jun 18 14:11:31 2004 : Debug: rlm_eap: Request not found in the list
Fri Jun 18 14:11:31 2004 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Fri Jun 18 14:11:31 2004 : Debug: rlm_eap: Failed in handler
Fri Jun 18 14:11:31 2004 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall[authenticate]: module eap returns invalid for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall: group Auth-Type returns invalid for request 4
Fri Jun 18 14:11:31 2004 : Debug: auth: Failed to validate the user.
[...]

I use TTLS/PAP for authentication, so you can see that the LDAP server sends an MD5 hashed password... but I'm not sure that's what I need. Could you tell me what kind of EAP method you use, and with what type of password hash?

Thanks for help! Bye.

-- 
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
Using Freeradius with LDAP storage and EAP-TTLS authentication
> And you set Auth-Type = EAP. DON'T DO THAT.
>
> The eap.conf file has BIG HUGE COMMENTS saying DON'T DO THAT. It really means DON'T DO THAT.
>
> You're doing the exact opposite of what the documentation says, and as a result, it's not working. You might try following the recommendations of the server, which WILL allow it to work.
>
> Alan DeKok.

Ok. Sorry for being such a fool...

Here's what I want to do: for the moment I have a running freeradius EAP-TTLS/PAP configuration which works fine. Now I'd like to get credentials from an existing LDAP user storage instead of the Freeradius users file (I store MD5 hashed passwords to have PAP compatibility). The LDAP bind is ok and I get the correct uid and password when I launch an 802.1X request from a laptop client. But there are some particular things I need to know:

- how do I have to store passwords in the LDAP database (because I'd like to use TTLS/PAP): crypt/MD5 hashed, clear text?
- what do I have to put in the users file? (I know that auth-type := EAP is wrong)
- if it's not possible to have TTLS/PAP authentication, what else can I do (PEAP/MSCHAPv2 ...)?

I hope my questions are not too stupid.

Thanks.

-- 
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
Using MD5 hashed passwords
Hi,

Here's what I want to do:

- EAP-TTLS or PEAP authentication with login/password in the second phase (no EAP-TLS)
- Users are stored in the local Freeradius database with Crypt-Password attributes (MD5 hashed, because logins and passwords come from a Unix user database)
- Authentication leads to assigning users to the correct VLAN (Tunnel-Type ... attributes)

I've succeeded with PEAP/MSCHAPv2 authentication, but my password was in clear text (with the Meetinghouse Aegis client)...

If you have any clue (configuration examples ...) I'll be very happy!!

-- 
Christophe.