TTLS-PAP only option for LDAP backend?
Thanks to Alan, Thor and Vladmir for getting me this far. (grin) I have TTLS-PAP working and authenticating against our OSX LDAP server. I was wondering if anyone has had any success getting Microsoft clients to use TTLS-PAP without installing additional software as suggested in this tutorial:

http://vuksan.com/linux/dot1x/wpa-client-config.html#Windows_XP

Is there a simpler way to accomplish the same thing?

Cian Phillips
Director Network Systems
California College of the Arts
Phone: (510) 594-3745
Cell: (510) 719-0091
Fax: (510) 594-3758
email: [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
802.1x and LDAP
Greetings. I am extremely green to both 802.1x and radius and am trying to set this system up quickly as students arrive on campus in a couple of weeks, so please forgive me if I ask questions that have been answered or exist in the documentation.

I need to authenticate windows and osx wireless users using Cisco AP's to the freeradius server using our OSX ldap directory as the backend. I can use radtest from another host and authenticate an LDAP user via the freeradius server and get an Access-Accept packet from the server. When I attempt to connect via a windows or osx client to the AP I get error messages about User-Password being required, and the Access-Request packet does not have the User-Password attribute.

Many of the settings are the default. The settings I have changed have been from several online tutorials, none of which talked about both 802.1x and LDAP. I'm embarrassed not to have read all the documentation but I'm really in a time pinch here. Again I beg your indulgence.

Cian Phillips
Director Network Systems
California College of the Arts
Phone: (510) 594-3745
Cell: (510) 719-0091
Fax: (510) 594-3758
email: [EMAIL PROTECTED]

OUTPUT of freeradius -X

radius:/etc# freeradius -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/freeradius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/freeradius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/freeradius/freeradius.pid
 main: user = freerad
 main: group = freerad
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/freeradius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = ldap-sf.cca.edu
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity =
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = (null)
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = allow
 ldap: password =
 ldap: basedn = cn=users,dc=cca,dc=edu
 ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 ldap: base_filter = (objectclass=radiusprofile)
 ldap: default_profile = (null)
 ldap: profile_attribute = (null)
 ldap: password_header = (null)
 ldap: password_attribute = (null)
 ldap: access_attr = uidNumber
 ldap: groupname_attribute = cn
 ldap: groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 ldap: groupmembership_attribute = (null)
 ldap: dictionary_mapping = /etc/freeradius/ldap.attrmap
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap
Re: 802.1x and LDAP
Sorry, I should have mentioned the pages I have already tried to follow.

http://www.bughost.org/ipw/docs/freeRadius_configuration_HOWTO.TXT
http://www.kevan.net/cisco_freeradius_tls_peap_auth.php
http://mattzz.dyndns.org/twiki/bin/view/Projects/FreeRadiusAuthentication
http://www.missl.cs.umd.edu/wireless/eaptls/
http://lists.freeradius.org/mailman/htdig/freeradius-users/2004-June/033143.html
http://vuksan.com/linux/dot1x/802-1x-LDAP.html#Set_up_OpenLDAP
http://www.sas.upenn.edu/~omar/wireless/work_freeradius.html#freeradius
http://tldp.org/HOWTO/html_single/8021X-HOWTO/

With each of these I still have the problem where the Access-Request packet doesn't contain a User-Password attribute. I am guessing that there is something very fundamental that I am not understanding, like there isn't supposed to be a User-Password attribute coming from the AP; but if that's the case then I really don't understand how we authenticate against the LDAP directory without a password.

I have tried a bunch of different how-tos and haven't had any success. If someone could say they were certain that one of them worked, that in itself would be a great deal of help.

I guess I should also mention that I have searched the list for

rlm_ldap: Attribute User-Password is required for authentication.

and some other permutations of that string, but didn't find anything that seemed especially conclusive or applicable. The problem is that I'm not sure I would know if I saw it.

Again my apologies for trying to get up to speed in a couple of hours, and many thanks for attempting to help me find a solution.

Cian Phillips
Director Network Systems
California College of the Arts
Phone: (510) 594-3745
Cell: (510) 719-0091
Fax: (510) 594-3758
email: [EMAIL PROTECTED]

On Aug 19, 2005, at 10:30 AM, Thor Spruyt wrote:

> Cian Phillips wrote:
>> Many of the settings are the default. The settings I have changed have been from several online tutorials, none of which talked about both 802.1x and LDAP.
>
> Seems to me you didn't search well enough...
> http://www.google.com/search?hl=nl&q=freeradius+802.1x+ldap+howto
>
> --
> Groeten, Regards, Salutations,
> Thor Spruyt
> M: +32 (0)475 67 22 65
> E: [EMAIL PROTECTED]
> W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
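The point Cian is circling in the message above, shown on the wire. This is an added example written for this thread; it is not code from the thread, from FreeRADIUS, or from any of the linked how-tos. It builds two constructed Access-Requests, one the way radtest sends it (User-Password present, reversibly hidden with the shared secret per RFC 2865 section 5.2) and one the way a NAS relays the first packet of an 802.1X supplicant (EAP-Message plus Message-Authenticator per RFC 2869, no User-Password anywhere), then inspects each for the one thing rlm_ldap needs to bind: a cleartext password. The shared secret, username, password, addresses and fixed Request Authenticator are all assumptions made for the example.

```python
"""Why an 802.1X Access-Request carries no User-Password (constructed packets, not captures)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

SECRET = b"testing123"            # hypothetical shared secret between NAS and server
AUTHENTICATOR = bytes(range(16))  # fixed so the example is reproducible; a real NAS uses random bytes


def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RFC 2865 type/length/value stream."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        t, l = blob[i], blob[i + 1]
        if l < 2 or i + l > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((t, blob[i + 2:i + l]))
        i += l
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret + c_(i-1)); c_0 is seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; anyone holding the shared secret can do this, it is not encryption."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, attrs, secret, authenticator, sign):
    """sign=True appends Message-Authenticator (RFC 2869 5.14), mandatory alongside EAP-Message."""
    body = encode_attrs(attrs)
    if sign:
        body += encode_attrs([(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    if sign:  # HMAC-MD5 over the whole packet with the MA value zeroed, keyed by the secret
        body = body[:-16] + hmac.new(secret, hdr + body, hashlib.md5).digest()
    return hdr + body


def verify_message_authenticator(pkt, secret):
    """Recompute the HMAC with the Message-Authenticator value zeroed; False if absent or wrong."""
    i = 20
    while i < len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = pkt[:i + 2] + b"\x00" * 16 + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + 18])
        i += l
    return False


def password_for_ldap_bind(pkt, secret):
    """What rlm_ldap needs for a bind: cleartext User-Password. Returns (kind, password or None)."""
    authenticator = pkt[4:20]
    attrs = parse_attrs(pkt[20:])
    for t, v in attrs:
        if t == USER_PASSWORD:
            return "pap", reveal_password(v, secret, authenticator)
    if any(t == EAP_MESSAGE for t, _ in attrs):
        # The password, if any, lives inside the EAP conversation. The outer request only
        # carries EAP-Message, so nothing here can be handed to an LDAP bind; an inner method
        # such as TTLS-PAP has to deliver User-Password to the tunnelled request first.
        return "eap", None
    return "none", None


# (a) what `radtest cian s3cret <server> 0 testing123` puts on the wire (constructed)
RADTEST_REQUEST = build_access_request(
    1,
    [(USER_NAME, b"cian"),
     (USER_PASSWORD, hide_password(b"s3cret", SECRET, AUTHENTICATOR)),
     (NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))],
    SECRET, AUTHENTICATOR, sign=False)

# (b) first request a NAS relays for an 802.1X client: EAP-Response/Identity
#     (EAP code 2 = Response, id 1, length 9, type 1 = Identity, "cian"); no password anywhere
EAP_IDENTITY = b"\x02\x01\x00\x09\x01cian"
DOT1X_REQUEST = build_access_request(
    2,
    [(USER_NAME, b"cian"),
     (EAP_MESSAGE, EAP_IDENTITY),
     (NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))],
    SECRET, AUTHENTICATOR, sign=True)

if __name__ == "__main__":
    for name, pkt in (("radtest", RADTEST_REQUEST), ("802.1X", DOT1X_REQUEST)):
        kind, pw = password_for_ldap_bind(pkt, SECRET)
        print(name, kind, pw, "Message-Authenticator ok:", verify_message_authenticator(pkt, SECRET))
```

Run stand-alone it reports "pap" with the recovered password for the radtest packet and "eap" with none for the 802.1X packet, which is the situation behind "rlm_ldap: Attribute User-Password is required for authentication": radtest works because it ships a password the LDAP module can bind with, while the AP ships only an EAP conversation. One caveat worth carrying over from the debug output earlier in the thread, where the ldap module shows start_tls = no and tls_mode = no: once TTLS-PAP does deliver the cleartext password to the inner request, the bind to ldap-sf.cca.edu on port 389 would send it across the network unprotected, so the LDAP leg wants TLS as much as the wireless leg does.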
Re: Debian 802.1x LDAP
On Aug 16, 2005, at 12:51 PM, Kris Benson wrote:

> FreeRadius users mailing list freeradius-[EMAIL PROTECTED] on August 15, 2005 at 23:40 -0800 wrote:
>
>> rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
>>
>> I have googled this and found some messages that suggest compiling from source and using the --shared-disabled flag at compile time, but I've tried building from source and can't even get LDAP working. Each time I un-comment the ldap line from the radiusd.conf file and try to start using radiusd -x I get a segfault.
>
> Hi Cian,
>
> Make sure you have done this:
>
> apt-get install libssl-dev
> apt-get install libldap2
> apt-get install libldap2-dev
> apt-get install libmysqlclient14
> apt-get install libmysqlclient14-dev
> apt-get install slapd
> apt-get install ldap-utils
> apt-get install db4.2-util
>
> After those packages are all installed, try compiling again. If that doesn't work, let me know and I can help you further -- this is where I solved my problem. :-)

Thanks Kris! Everything appeared to compile, install and run without any errors. If you have any tips or good links for up-to-date information on how to set freeradius up to talk to a Cisco WAP I could use the help. (grin) Thanks again.

Cian