unsubscribe

2006-01-17 Thread Cian Phillips

unsubscribe
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


TTLS-PAP only option for LDAP backend?

2005-08-30 Thread Cian Phillips

Thanks to Alan, Thor and Vladmir for getting me this far. (grin)

I have TTLS-PAP working and authenticating against our OSX LDAP  
server. I was wondering if anyone has had any success getting  
Microsoft clients to use TTLS-PAP without installing additional  
software as suggested in this tutorial.


http://vuksan.com/linux/dot1x/wpa-client-config.html#Windows_XP

Is there a simpler way to accomplish the same thing?

Cian Phillips
Director Network & Systems
California College of the Arts
Phone: (510) 594-3745
Cell: (510) 719-0091
Fax: (510) 594-3758
email: [EMAIL PROTECTED]




802.1x and LDAP

2005-08-19 Thread Cian Phillips

Greetings.

I am extremely green to both 802.1X and RADIUS and am trying to set
this system up quickly as students arrive on campus in a couple of
weeks, so please forgive me if I ask questions that have been answered
or exist in the documentation.


I need to authenticate Windows and OS X wireless users using Cisco
APs to the FreeRADIUS server, using our OS X LDAP directory as the
backend.


I can use radtest from another host and authenticate an LDAP user via  
the freeradius server and get an Access-Accept packet from the server.


When I attempt to connect via a Windows or OS X client to the AP I get
error messages about User-Password being required, and the
Access-Request packet does not have the User-Password attribute.


Many of the settings are the default. The settings I have changed  
have been from several online tutorials none of which talked about  
both 802.1x and LDAP.


I'm embarrassed not to have read all the documentation but I'm really  
in a time pinch here. Again I beg your indulgence.



Cian Phillips
Director Network & Systems
California College of the Arts
Phone: (510) 594-3745
Cell: (510) 719-0091
Fax: (510) 594-3758
email: [EMAIL PROTECTED]


OUTPUT of freeradius -X:

radius:/etc# freeradius -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/freeradius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/freeradius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/freeradius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /var/run/freeradius/freeradius.pid
main: user = freerad
main: group = freerad
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/freeradius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = ldap-sf.cca.edu
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = 
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = (null)
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = allow
ldap: password = 
ldap: basedn = cn=users,dc=cca,dc=edu
ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = (null)
ldap: access_attr = uidNumber
ldap: groupname_attribute = cn
ldap: groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /etc/freeradius/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap

Re: 802.1x and LDAP

2005-08-19 Thread Cian Phillips

Sorry,

I should have mentioned the pages I have already tried to follow.

http://www.bughost.org/ipw/docs/freeRadius_configuration_HOWTO.TXT
http://www.kevan.net/cisco_freeradius_tls_peap_auth.php
http://mattzz.dyndns.org/twiki/bin/view/Projects/FreeRadiusAuthentication

http://www.missl.cs.umd.edu/wireless/eaptls/
http://lists.freeradius.org/mailman/htdig/freeradius-users/2004-June/033143.html

http://vuksan.com/linux/dot1x/802-1x-LDAP.html#Set_up_OpenLDAP
http://www.sas.upenn.edu/~omar/wireless/work_freeradius.html#freeradius
http://tldp.org/HOWTO/html_single/8021X-HOWTO/

With each of these I still have the problem where the Access-Request
packet doesn't contain a User-Password attribute. I am guessing that
there is something very fundamental that I am not understanding,
like there isn't supposed to be a User-Password attribute coming
from the AP, but if that's the case then I really don't understand
how we authenticate against the LDAP directory without a password.


I have tried a bunch of different how-tos and haven't had any
success; if someone could say they were certain that one of them
worked, that in itself would be a great deal of help.


I guess I should also mention that I have searched the list for
'rlm_ldap: Attribute "User-Password" is required for authentication.'
and some other permutations of that string but didn't find anything
that seemed especially conclusive or applicable. The problem is that
I'm not sure I would know if I saw it.


Again my apologies for trying to get up to speed in a couple of
hours, and many thanks for attempting to help me find a solution.


Cian Phillips
Director Network & Systems
California College of the Arts
Phone: (510) 594-3745
Cell: (510) 719-0091
Fax: (510) 594-3758
email: [EMAIL PROTECTED]


On Aug 19, 2005, at 10:30 AM, Thor Spruyt wrote:



Cian Phillips wrote:



Many of the settings are the default. The settings I have changed
have been from several online tutorials none of which talked about
both 802.1x and LDAP.




Seems to me you didn't search well enough...
http://www.google.com/search?hl=nl&q=freeradius+802.1x+ldap+howto

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be

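The two packets this thread keeps circling are easiest to see on the wire. The block below is an added example, not code from the thread or from FreeRADIUS: it builds roughly what radtest sends (a PAP Access-Request whose User-Password is hidden with the RFC 2865 MD5/XOR scheme and recoverable by the server) and the first Access-Request an AP relays for an 802.1X supplicant (an EAP-Response/Identity inside EAP-Message, protected by a Message-Authenticator per RFC 3579, with no User-Password at all). The shared secret, user name, password and NAS addresses are constructed values. The password-recovery step is exactly what rlm_ldap needs for an LDAP bind, which is why radtest succeeds and the 802.1X exchange cannot until an EAP method such as TTLS-PAP carries a PAP exchange inside the TLS tunnel.

```python
"""RADIUS Access-Requests as the server sees them (RFC 2865 / RFC 3579).

Added example: not code from the mailing-list thread or from FreeRADIUS.
Shared secret, user, password and NAS addresses are constructed values.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
        61: "NAS-Port-Type", 79: "EAP-Message", 80: "Message-Authenticator"}
SECRET = b"testing123"            # constructed shared secret
AUTHENTICATOR = bytes(range(16))  # fixed Request Authenticator so output is reproducible


def encrypt_user_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_user_password(cipher, secret, authenticator):
    """Inverse of the above: the server gets the cleartext back (what an LDAP bind needs)."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, ident, authenticator, attrs, secret=None):
    """Header + AVPs; with a secret, append Message-Authenticator (HMAC-MD5, RFC 3579 s3.2)."""
    body = b"".join(avp(t, v) for t, v in attrs)
    if secret is not None:
        zeroed = body + avp(80, b"\x00" * 16)   # HMAC is computed with the attribute zeroed
        header = struct.pack("!BBH", code, ident, 20 + len(zeroed)) + authenticator
        body += avp(80, hmac.new(secret, header + zeroed, hashlib.md5).digest())
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(pkt):
    """Walk the AVPs of a RADIUS packet; returns [(name, value), ...] in wire order."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed AVP at offset %d" % pos)
        attrs.append((ATTR.get(attr_type, "Attr-%d" % attr_type), pkt[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def radtest_style_request():
    """Roughly what 'radtest cian s3cret 127.0.0.1 0 testing123' puts on the wire (PAP)."""
    attrs = [(1, b"cian"),
             (2, encrypt_user_password(b"s3cret", SECRET, AUTHENTICATOR)),
             (4, bytes([127, 0, 0, 1])),
             (5, struct.pack("!I", 0))]
    return build_packet(ACCESS_REQUEST, 1, AUTHENTICATOR, attrs)


def dot1x_style_request():
    """What an AP relays for a supplicant: EAP-Response/Identity and no User-Password."""
    identity = b"cian"
    # EAP header: Code=2 (Response), Id=1, Length, Type=1 (Identity), then the identity string
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    attrs = [(1, identity),
             (4, bytes([10, 0, 0, 5])),          # constructed AP address
             (61, struct.pack("!I", 19)),        # NAS-Port-Type 19 = Wireless-802.11
             (79, eap)]
    return build_packet(ACCESS_REQUEST, 2, AUTHENTICATOR, attrs, secret=SECRET)


def attribute_names(pkt):
    return [name for name, _ in parse_attrs(pkt)]


def password_for_ldap_bind(pkt, secret):
    """What rlm_ldap needs: a cleartext User-Password. None is the 'is required' error."""
    attrs = dict(parse_attrs(pkt))
    if "User-Password" not in attrs:
        return None
    return decrypt_user_password(attrs["User-Password"], secret, pkt[4:20])


def verify_message_authenticator(pkt, secret):
    """Recompute the HMAC-MD5 with the attribute zeroed; EAP requests must carry a valid one."""
    pos = 20
    while pos < len(pkt):
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2:
            return False
        if attr_type == 80:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += attr_len
    return False


if __name__ == "__main__":
    for label, pkt in (("radtest (PAP)", radtest_style_request()),
                       ("802.1X client via AP", dot1x_style_request())):
        print(label, attribute_names(pkt), password_for_ldap_bind(pkt, SECRET))
```

Running it prints the attribute list of each packet and the password the server could recover: b'cian' plus b's3cret' for the PAP request, and None for the EAP request, which is the situation the "Attribute User-Password is required for authentication" message describes. The same check explains the fix: with EAP-TTLS the supplicant performs a PAP exchange inside the TLS tunnel, so the inner request that FreeRADIUS hands to the authorize/authenticate sections does carry User-Password and rlm_ldap can bind with it, while the outer Access-Request from the AP never will.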


Re: Debian 802.1x LDAP

2005-08-16 Thread Cian Phillips

On Aug 16, 2005, at 12:51 PM, Kris Benson wrote:

FreeRadius users mailing list freeradius-[EMAIL PROTECTED] on August 15, 2005 at 23:40 -0800 wrote:


rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open
shared object file: No such file or directory

I have googled this and found some messages that suggest compiling
from source and using the --shared-disabled flag at compile time, but
I've tried building from source and can't even get LDAP working;
each time I un-comment the ldap line from the radiusd.conf file and
try to start using radiusd -x I get a segfault.



Hi Cian,

Make sure you have done this:
apt-get install libssl-dev
apt-get install libldap2
apt-get install libldap2-dev
apt-get install libmysqlclient14
apt-get install libmysqlclient14-dev
apt-get install slapd
apt-get install ldap-utils
apt-get install db4.2-util

after those packages are all installed, try compiling again.  If that
doesn't work, let me know and I can help you further -- this is where I
solved my problem. :-)



Thanks Kris!

Everything appeared to compile, install and run without any errors.

If you have any tips or good links for up to date information on how
to set freeradius up to talk to a Cisco WAP I could use the help. (grin)


Thanks again.

Cian
