PAP authentication and multiple LDAP userpassword attributes

2009-02-06 Thread Christophe Saillard

Hi,

I'm working on upgrading from FR 1.1.7 to FR 2.1.3.

I use FR for EAP-TTLS/PAP authentication with LDAP.

FR 1.1.7 successfully authenticates users with multiple LDAP userPassword 
attributes, which are stored as crypt and/or MD5 hashes; the passwords 
are not the same (even if it's better when they are):


###
[...]
rlm_ldap: performing user authorization for mylogin
radius_xlat:  '((uid=mylogin)(udsradiusProfileWifi=*))'
radius_xlat:  'ou=people,o=annuaire'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=annuaire, with filter 
((uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire, 
with filter (objectclass=radiusprofile)

rlm_ldap: Added password {MD5}x in check items
rlm_ldap: Added password {crypt}x in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module LDAP_OSIRIS returns ok for request 29
modcall: leaving group LDAP_OSIRIS (returns ok) for request 29
  rad_check_password:  Found Auth-Type LDAP_OSIRIS
auth: type LDAP_OSIRIS
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP_OSIRIS for request 29
rlm_ldap: - authenticate
rlm_ldap: login attempt by saillard with password mycleartextpassword
rlm_ldap: user DN: uid=mylogin,ou=uds,ou=people,o=annuaire
rlm_ldap: (re)connect to ldaps://ldapuds.u-strasbg.fr, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as uid=mylogin,ou=uds,ou=people,o=annuaire/polopackvih+ 
to ldaps://ldapuds.u-strasbg.fr

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user mylogin authenticated succesfully
[...]
###

Now with FR 2.1.3, it looks like only the first password attribute is used :

###
[...]
[ldap]  expand: ((uid=%{Stripped-User-Name:-%{User-Name}})(udsradiusProfileWifi=*)) - ((uid=mylogin)(udsradiusProfileWifi=*))
[ldap]  expand: ou=people,o=annuaire - ou=people,o=annuaire
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=annuaire, with filter ((uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire, with filter (objectclass=radiusprofile)
[ldap] Added User-Password = {crypt}x in check items
[ldap] Added User-Password = {MD5}x in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[pap] returns updated
Found Auth-Type = PAP
+- entering group authenticate {...}
[pap] login attempt with password mycleartextpassword
[pap] Using CRYPT encryption.
[pap] Passwords don't match
[...]
###

Is there a way to tell FR to try the other attributes as well?

My configuration is quite simple, here's my 
sites-enabled/proxy-inner-tunnel :


server proxy-inner-tunnel {

   authorize {
      eap
      ldap
      pap
   }

   authenticate {
      eap
      pap
   }

   post-proxy {
      eap
   }
}

And the pap module:

pap {
   auto_header = yes
}

Any clue ?

Thanks

--
---
Christophe Saillard
Université de Strasbourg
Direction Informatique
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
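Added illustration, not code from the original post or from the FreeRADIUS project: a small Python verifier that does what the post asks of rlm_pap, namely parse RFC 2307 '{scheme}' userPassword values and try every value of the attribute instead of stopping at the first one. It handles {MD5} and {SSHA} with hashlib and {crypt} only where the platform crypt module exists; all function names are assumptions, and make_ldap_hash exists only to construct sample entries.

```python
import base64
import hashlib
import hmac
import os

# {crypt} needs the platform crypt(3); Python 3.13 dropped the module, so
# values with that header are reported as unsupported when it is missing.
try:
    import crypt  # type: ignore
except ImportError:
    crypt = None


def make_ldap_hash(scheme, password, salt=b""):
    """Build a userPassword value in RFC 2307 '{SCHEME}base64' form."""
    pw, scheme = password.encode(), scheme.upper()
    if scheme == "MD5":
        raw = hashlib.md5(pw).digest()
    elif scheme == "SSHA":                     # SHA-1(pw + salt) || salt
        salt = salt or os.urandom(4)
        raw = hashlib.sha1(pw + salt).digest() + salt
    else:
        raise ValueError("unsupported scheme: " + scheme)
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode())


def check_one(stored, password):
    """Verify one value: True/False, or None if the scheme is unsupported."""
    pw = password.encode()
    if not stored.startswith("{") or "}" not in stored:   # clear text
        return hmac.compare_digest(stored.encode(), pw)
    scheme, body = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme == "CRYPT":
        out = crypt.crypt(password, body) if crypt else None
        return None if out is None else hmac.compare_digest(out, body)
    raw = base64.b64decode(body) if scheme in ("MD5", "SSHA") else b""
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if scheme == "SSHA":                       # 20-byte digest, then salt
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    return None


def check_all(values, password):
    """Try every userPassword value in order, not only the first one;
    return the index of the first match, or -1 when none matches."""
    for i, stored in enumerate(values):
        if check_one(stored, password):
            return i
    return -1
```

Two values of the attribute with different schemes and passwords, as in the post, can be built with make_ldap_hash and then checked with check_all(values, password), which returns the index of the matching value or -1.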


Unresponsive child and accounting

2007-11-26 Thread Christophe Saillard

Hi,

I use freeradius (1.1.7) to authenticate wireless users (EAP-TTLS/PAP) 
with an OpenLDAP backend.


Our first experience with Freeradius on a FreeBSD server was a nightmare 
(it seemed to be a thread related problem, the server stopped working 
with a lot of unresponsive child error logs).


So, we tried on a Linux server (kernel 2.6.22-14-server, Ubuntu Feisty 
Fawn) and it worked fine since last week:


Wed Nov 21 15:33:21 2007 : Auth: Login OK: [] (from client localhost 
port 576353 cli 001c.bf09.480c)
Wed Nov 21 15:33:21 2007 : Auth: Login OK: [EMAIL PROTECTED] (from 
client wds3 port 576353 cli 001c.bf09.480c)
Wed Nov 21 15:33:22 2007 : Error: WARNING: Unresponsive child (id 
3046112160) for request 2419782 (in component accounting module rlm_radutmp)
Wed Nov 21 15:33:22 2007 : Error: WARNING: Unresponsive child (id 
2841623456) for request 2419798 (in component accounting module rlm_radutmp)


The CPU went up to 100%.

There were about 300 802.1X clients connected (with a 2 minute reauth 
period).


At that time we had no other choice than to upgrade the hardware; it now 
runs on an 8-processor server, but even with more CPU power we noticed a 
20% system load.


Here's the threading part of the radiusd.conf :

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1000

thread pool {
   start_servers = 10
   max_servers = 1000
   min_spare_servers = 15
   max_spare_servers = 30
   max_requests_per_server = 300
}


I don't know if it's relevant, but there were about 80 Eduroam users 
connected when the problem happened.


Thanks.

--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Unresponsive child problem

2006-10-17 Thread Christophe Saillard
 Oct 16 14:38:23 2006 : Error: WARNING: Unresponsive child (id 
138504704) for request 193266
Mon Oct 16 14:38:23 2006 : Error: WARNING: Unresponsive child (id 
137850880) for request 193274
Mon Oct 16 14:38:23 2006 : Error: Discarding duplicate request from 
client wds3:1645 - ID: 74 due to unfinished request 193334

Mon Oct 16 14:38:24 2006 : Error: TLS Alert write:fatal:bad record mac
Mon Oct 16 14:38:24 2006 : Error: TLS_accept:error in SSLv3 read 
certificate verify A
Mon Oct 16 14:38:24 2006 : Error: rlm_eap: SSL error error:1408F455:SSL 
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Mon Oct 16 14:38:24 2006 : Error: rlm_radutmp: Login entry for NAS 
atrium-ap4 port 2330 wrong order
Mon Oct 16 14:38:24 2006 : Error: rlm_eap_tls: SSL_read failed in a 
system call (-1), TLS session fails.
Mon Oct 16 14:38:25 2006 : Error: rlm_radutmp: Login entry for NAS 
sceco-ap10 port 5125 wrong order
Mon Oct 16 14:38:25 2006 : Auth: Login OK: [cwang] (from client 
localhost port 385201 cli 0013.0212.0e66)
Mon Oct 16 14:38:25 2006 : Error: rlm_eap: Either EAP-request timed out 
OR EAP-response to an unknown EAP-request
Mon Oct 16 14:38:25 2006 : Auth: Login incorrect: [anonymous] (from 
client wds6 port 38777 cli 0013.cedc.d1b9)
Mon Oct 16 14:38:25 2006 : Error: rlm_radutmp: Logout for NAS sceco-ap10 
port 5125, but no Login record
Mon Oct 16 14:38:26 2006 : Info: rlm_radutmp: Login entry for NAS 
dpt-info-ap5 port 618 duplicate
Mon Oct 16 14:38:26 2006 : Error: rlm_eap: Either EAP-request timed out 
OR EAP-response to an unknown EAP-request
Mon Oct 16 14:38:26 2006 : Auth: Login incorrect: [anonymous] (from 
client wds3 port 385204 cli 0015.0046.7656)
Mon Oct 16 14:38:26 2006 : Error: rlm_eap: Either EAP-request timed out 
OR EAP-response to an unknown EAP-request
Mon Oct 16 14:38:26 2006 : Auth: Login incorrect: [anonymous] (from 
client wds4 port 226564 cli 0009.5b95.74a3)
Mon Oct 16 14:38:27 2006 : Error: rlm_eap: Either EAP-request timed out 
OR EAP-response to an unknown EAP-request
Mon Oct 16 14:38:27 2006 : Auth: Login incorrect: [anonymous] (from 
client wds4 port 226578 cli 0013.02be.2994)
Mon Oct 16 14:38:27 2006 : Error: TLS_accept:error in SSLv3 read 
client certificate A

--

The only way to get authentication working is to kill and restart 
Freeradius.


Here's the ldap configuration for freeradius :

ldap LDAP_OSIRIS {
   server = ldap://bton.u-strasbg.fr;
   basedn = ou=personnes,o=osiris
   filter = ((uid=%{Stripped-User-Name:-%{User-Name}})(radiusProfileWifi=*))
   start_tls = no
   profile_attribute = radiusProfileWifi
   dictionary_mapping = ${raddbdir}/ldap.attrmap
   ldap_connections_number = 20
   password_attribute = userPassword
   groupname_attribute = radiusGroupNameWifi
   groupmembership_filter = (uid=%{Stripped-User-Name:-%{User-Name}})
   timeout = 7
   timelimit = 3
   net_timeout = 1
}

When we get the Unresponsive child messages the server doesn't seem to 
be very busy ... strange.


The ldap server is only used by Freeradius ...

Any ideas ?

--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Accounting Problem with Cisco WDS

2004-07-01 Thread Christophe Saillard
Hello,
When WDS is activated, all EAP requests coming from APs are proxied by 
the WDS master. There's no authentication problem (it works fine with 
TTLS/PAP and PEAP/MS-CHAPv2), but the username in the accounting detail 
files is replaced by the MAC address of the supplicant (the same as 
Calling-Station-Id).

Is there a way to have the real username in accounting in this case 
(with WDS)?

Here is the users file:

anonymous   Auth-type := EAP
DEFAULT Freeradius-Proxied-To == 127.0.0.1
   User-Name = `%{User-Name}`,
   Fall-Through = Yes
$INCLUDE /usr/local/etc/raddb/ULP_USERS/crc.users
$INCLUDE /usr/local/etc/raddb/ULP_USERS/crc.invites.users
$INCLUDE /usr/local/etc/raddb/ULP_USERS/dpt-info.etudiant.users
$INCLUDE /usr/local/etc/raddb/ULP_USERS/dpt-info.prof.users
DEFAULT Auth-Type := Reject
   Fall-Through = No

I use this configuration to rewrite the tunneled identity in 
accounting, otherwise I get anonymous for all usernames; it works 
without WDS.

Thanks.
Bye.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-22 Thread Christophe Saillard

Here's what I have to put in the users file to make it work:
DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
User-Name = `%{User-Name}`,
Fall-Through = no
But now PEAP/MSCHAPv2 doesn't work...
 


  If you had read the debug log, you would see WHY it doesn't work.
  Repeat it like a mantra: If you're not sure, DO NOT SET AUTH-TYPE.
When I do not set Auth-Type, TTLS/PAP works with users stored in the users file 
and PEAP/MS-CHAPv2 works with users from LDAP storage, but TTLS/PAP from LDAP 
doesn't work.
  The server will figure it out on its own.
  Alan DeKok.


--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-21 Thread Christophe Saillard
Hi,
Now I've a working TTLS/PAP with LDAP storage configuration ;-)
Here's what I have to put in the users file to make it work:
DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
   User-Name = `%{User-Name}`,
   Fall-Through = no
But now PEAP/MSCHAPv2 doesn't work... I've tried a lot of combinations 
(Auth-Type := MSCHAP, Fall-Through = yes ...)
but none seem to work... if someone has a clue ;-)

Thanks for all !
Bye.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


LDAP and Dynamic VLAN

2004-06-21 Thread Christophe Saillard
Hello,
I've a TTLS/PAP working configuration with dynamic VLAN allocation.
Here's a sample of the users file :
userX Crypt-Password == $1$
 Tunnel-Type:1 = 13,
 Tunnel-Medium-Type:1 = 6,
 Tunnel-Private-Group-ID:1 = 4
At the end of authentication the NAS puts userX in VLAN 4.
Now I'd like to do the same with users coming from LDAP storage, but I 
don't know where to begin:

How can I get a group attribute from LDAP and match it with a VLAN id 
which will be sent to the NAS?

Thanks.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Christophe Saillard
Hello,
For the moment I use Freeradius with EAP-TTLS and it works fine... now 
I'd like to get user credentials from an existing LDAP database.

The LDAP server sends me a valid MD5 hashed password, but I think 
something is wrong in my users file configuration.

Does someone have such a working configuration ? If so, can you send a 
copy ?

Thanks.
Bye.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Re: Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Christophe Saillard
Thanks for your help.
I think I'm not far from the end but I still have problems.
Here's the debug logs :
[...]
Fri Jun 18 14:11:17 2004 : Debug: rlm_ldap: performing search in 
dc=u-strasbg,dc=fr, with filter (uid=csaillard)
request 6 done
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: Added password 
$1$QEnpt.4f$nixixczJ/xu0CnyuvaTLV/ in check items
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for check items in 
directory...
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for reply items in 
directory...
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: user csaillard authorized to 
use remote access
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jun 18 14:11:31 2004 : Debug:   modsingle[authorize]: returned from 
ldap (rlm_ldap) for request 4
Fri Jun 18 14:11:31 2004 : Debug:   modcall[authorize]: module ldap 
returns ok for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall: group authorize returns 
updated for request 4
Fri Jun 18 14:11:31 2004 : Debug:   rad_check_password:  Found Auth-Type EAP
Fri Jun 18 14:11:31 2004 : Debug: auth: type EAP
Fri Jun 18 14:11:31 2004 : Debug:   Processing the authenticate section 
of radiusd.conf
Fri Jun 18 14:11:31 2004 : Debug: modcall: entering group Auth-Type for 
request 4
Fri Jun 18 14:11:31 2004 : Debug:   modsingle[authenticate]: calling eap 
(rlm_eap) for request 4
Fri Jun 18 14:11:31 2004 : Debug:   rlm_eap: Request not found in the list
Fri Jun 18 14:11:31 2004 : Error: rlm_eap: Either EAP-request timed out 
OR EAP-response to an unknown EAP-request
Fri Jun 18 14:11:31 2004 : Debug:   rlm_eap: Failed in handler
Fri Jun 18 14:11:31 2004 : Debug:   modsingle[authenticate]: returned 
from eap (rlm_eap) for request 4
Fri Jun 18 14:11:31 2004 : Debug:   modcall[authenticate]: module eap 
returns invalid for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall: group Auth-Type returns 
invalid for request 4
Fri Jun 18 14:11:31 2004 : Debug: auth: Failed to validate the user.
[...]

I use TTLS/PAP for authentication, so you can see that the LDAP server 
sends an MD5 hashed password... but I'm not sure that's what I need.
Could you tell me what kind of EAP method you use, and with what type of 
password hash?

Thanks for help !
Bye.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Christophe Saillard
And you set Auth-Type = EAP.  DON'T DO THAT.
 The eap.conf file has BIG HUGE COMMENTS saying DON'T DO THAT.  It
really means DON'T DO THAT.
 You're doing the exact opposite of what the documentation says, and
as a result, it's not working.  You might try following the
recommendations of the server, which WILL allow it to work.
 Alan DeKok.
Ok. Sorry for being such a fool...
Here's what I want to do :
For the moment I've a running freeradius EAP-TTLS/PAP configuration which works fine.
Now I'd like to get credentials from an existing LDAP user storage instead of the Freeradius users file 
(I store MD5 hashed password to have PAP compatibility).

The LDAP bind is ok and I got the correct uid and password when I launch an 802.1X request 
from a laptop client.
But there are some particular things I need to know:
- how do I have to store passwords in the LDAP database (because I'd like to use 
TTLS/PAP): crypt/MD5 hashed, clear text?
- what do I have to put in the users file? (I know that Auth-Type := EAP is wrong)
- if it's not possible to have TTLS/PAP authentication, what else can I do 
(PEAP/MSCHAPv2 ...)?
I hope my questions are not too stupid.
Thanks.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Using MD5 hashed passwords

2004-01-22 Thread Christophe Saillard
Hi,

Here's what I want to do :

- EAP-TTLS or PEAP authentication with login/password in the second phase (no 
EAP-TLS)
- Users are stored in the local Freeradius Database with Crypt-password 
attributes (MD5 hashed, because logins and passwords come from a Unix User 
Database)
- Authentication leads to assign users in a correct VLAN (Tunnel-Type ... 
attributes)

I've succeeded with PEAP/MSCHAPv2 authentication, but my password was in 
clear text (with Meetinghouse Aegis Client)...

If you have any clue (configuration examples ...) I'll be very happy !!


-- 
Christophe.

