Re: PAP not working with ldap
Quoting kevin J [EMAIL PROTECTED]:

Thanks Alastair,

But, I just want to do ldap-authorize and pap-authenticate. So, I uncommented only ldap in authorize and uncommented only pap in authenticate. I am using clear-text so I put {clear} in module def.

What I do for authentication is have LDAP do a bind to the directory with the user-name and password. I guess what you want though is to have the authorize get the password from the directory and then have PAP authenticate this password against the user's credentials. This could be done by adding the user-password as a check item. That way, the item will be retrieved from the directory and checked against the value passed from the supplicant. To do this, uncomment passwordAttribute in the ldap section and set its value to the name of the user password attribute (typically User-Password) in the directory.

I am not too sure of what settings you will need in authorize and authenticate since I never had a chance to test this method (we use encrypted passwords) but I would guess you would need ldap in authorize and nothing in authenticate (if you can leave that block empty). Just play around with it.

Hopefully this is a bit more of what you want. Let me know how it works out for you.

-Al

It looks like pap is not found for auth-type.

    : rad_check_password: Found Auth-Type LDAP
    auth: type LDAP
    ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
    auth: Failed to validate the user.

I guess this is an authorize issue and chap or eap can work because they have an authorize function. I guess radius does not run a module in authenticate if it is not identified in authorize. Give me advice if I am wrong.

Thanks,
Kevin

Alastair Grant wrote:

Kevin,

I have it working. Well I use EAP-TTLS to create a secure tunnel between RADIUS and my supplicant first but then I send the data from supplicant to Radius via PAP and do LDAP authentication. In this case it is alfa-ariss on Windows 2000.

I am at home and won't be back at the office until Monday but I'll do my best to explain my set up.

RADIUS:
my default_eap_type in the eap module is TTLS
in my authorize section I have preprocess, eap and ldap uncommented. Everything else is commented out.
in my authenticate section I have the LDAP block and eap uncommented. Everything else is commented out even the PAP stuff.

Supplicant:
I use an anonymous outer identity
My inner authentication method is PAP.

Basically this allows the client to send a clear text password to the server (even though it is encrypted in the tunnel) and the server can then use this clear text password to do an LDAP bind for authentication.

This might not seem very clear but I am doing it all from memory. If this is at all what you are trying to do, send me an email Monday and I'll send you some documentation I have on the actual setup.

Good luck.

-Al

- Original Message -
From: kevin J [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 19, 2004 5:50 PM
Subject: Re: PAP not working with ldap

kevin J wrote:
Alan DeKok wrote:
kevin J [EMAIL PROTECTED] wrote:

Is it true? So, PAP and some other module can't work with ldap-authorize???

No.

CHAP worked but PAP did not work. What configuration should I check? RADIUS did not bring PAP but tried LDAP for authentication.

Kevin

I am still having this problem. Anybody who had worked for PAP with LDAP?

Kevin

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
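The debug lines Kevin pasted ("Found Auth-Type LDAP" followed by "Unknown value specified for Auth-Type") describe a server whose ldap module set Auth-Type = LDAP during authorize while the authenticate section contained only pap and no matching Auth-Type LDAP block. The fragment below is an added example, not configuration from either poster or from the FreeRADIUS project: it shows the two consistent ways of arranging a 1.0-era radiusd.conf for PAP against LDAP. Directive names follow the radiusd.conf of that release; server, base DN and bind identity are placeholders (assumptions), and the ldap module's `set_auth_type` directive, if your build has it, is the switch that controls the behaviour described in the comments.

```text
# Added example: two radiusd.conf arrangements for PAP + LDAP (1.0-era
# directive names).  Hostnames, DNs and attribute names are assumptions;
# replace them with your own.

modules {
	ldap {
		server   = "ldap.example.org"                 # assumption
		identity = "cn=radius,dc=example,dc=org"      # assumption: dedicated bind DN
		password = "change-me"                        # assumption
		basedn   = "ou=people,dc=example,dc=org"      # assumption
		filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"

		# Arrangement A only: pull the stored password out of the
		# directory as a check item.  Because a password was retrieved,
		# the module does NOT set Auth-Type = LDAP, and the comparison is
		# done by rlm_pap.  The bind DN above must be allowed to read the
		# attribute, which is why this is only acceptable when the value
		# is a hash rlm_pap understands; "{clear}" means the directory
		# holds clear-text passwords, which is the weakest option.
		password_header    = "{clear}"
		password_attribute = userPassword
	}
	pap {
		encryption_scheme = clear       # matches the "{clear}" header above
	}
}

authorize {
	preprocess
	ldap
}

# Arrangement A: ldap fetched the password in authorize, so the request
# is authenticated by pap against that check item.
authenticate {
	Auth-Type PAP {
		pap
	}
}

# Arrangement B (the "I have it working" setup): leave password_attribute
# commented out.  ldap then sets Auth-Type = LDAP in authorize, and this
# block must exist or the server logs exactly
#   ERROR: Unknown value specified for Auth-Type
# The module binds to the directory as the user, so the RADIUS bind DN
# never needs read access to password material.  It only works when the
# request carries a clear-text User-Password: plain PAP, or PAP carried
# inside an EAP-TTLS tunnel.  CHAP, MS-CHAP and EAP-MD5 cannot use it.
authenticate {
	Auth-Type LDAP {
		ldap
	}
}
```

Only one of the two authenticate blocks applies to a given request; they are shown side by side so the difference is visible. If you pick arrangement A, prefer a hashed directory password over "{clear}" and restrict who may read the attribute; if you pick B, nothing sensitive leaves the directory, but every client has to be able to send the password in the clear inside a protected tunnel.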
Problems with Calling-Station-Id and Using the exec module
Hello,

We are using freeradius to do authentication on username/password as well as MAC Address. Users are stored in an LDAP directory and authenticating using an LDAP bind (with EAP-TTLS/PAP) and using the checkItem to check the Calling-Station-Id (MAC). I had everything working well without the MAC Address verification and then tested that part with radclient.

The problem I am having is that when our NAS (a Nortel Business Policy Switch 2000) sends the MAC address it cuts out the leading zero in each byte of the MAC Address (for example, 00-03-D2-C7-03-21 becomes 0- 3-D2-C7- 3-21).

I don't manage the LDAP directory, that is part of another project, but I had the schema extended to include radiusCallingStationId and had the value set to the MAC address with the missing zeros. When this is read by freeRadius it only reads 0- and excludes the rest (I assume because of the space). Is this because the schema includes the SINGLE-VALUE for the radiusCallingStationId? When I do an ldapsearch, the full value is returned.

As a workaround I was thinking of using the exec module to run a sed substitution to replace the blanks with zeros and then the normal MAC could be stored in the directory. Is this possible? If so, where would I put the exec statement? I would assume it would look like

    Calling-Station-Id = `%{exec:sed s/ /0/g [someway to get input Calling-Station-Id]}`

I am confused where exec works. Are there any other options to resolve my problem?

-Al
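The post's own idea (a `sed s/ /0/g` over the value the switch sends) fixes the one mangling it observed. The script below is an added example, not code from the poster or from FreeRADIUS: a POSIX sh function that goes a little further and canonicalises any dash- or colon-separated MAC into the `00-03-D2-C7-03-21` form, so the value stored in radiusCallingStationId can stay correct and only the NAS side is repaired. It uses `tr` and `awk` instead of `sed` because the padding has to be done per octet. The sample value in the comments is the one quoted in the post; how the script is attached to the server (the `%{exec:...}` expansion the post guesses at, or a check item) is not settled by this thread and is left out.

```sh
#!/bin/sh
# Added example, not from the mailing-list post or the FreeRADIUS project.
# Canonicalise a MAC address as sent by a NAS that drops leading zeros,
# e.g. "0- 3-D2-C7- 3-21" (observed in the post) -> "00-03-D2-C7-03-21".
#
# Accepts '-' or ':' separators and any letter case; prints nothing and
# returns non-zero for anything that is not six hex octets, so a malformed
# Calling-Station-Id can never be coerced into a matching value.

normalize_mac() {
    printf '%s\n' "$1" \
    | tr -d ' ' \
    | tr 'abcdef' 'ABCDEF' \
    | awk -F'[-:]' '
        NF != 6 { exit 1 }                  # must be exactly six octets
        {
            for (i = 1; i <= NF; i++) {
                # one or two hex digits only; anything else is a failure
                if ($i !~ /^[0-9A-F][0-9A-F]?$/) exit 1
                if (length($i) == 1) $i = "0" $i   # re-add the dropped zero
            }
            print $1 "-" $2 "-" $3 "-" $4 "-" $5 "-" $6
        }'
}

# Stand-alone use: pass the raw value as the single argument.  Inside
# FreeRADIUS the request attribute is referenced as %{Calling-Station-Id}.
if [ "$#" -gt 0 ]; then
    normalize_mac "$1"
fi
```

Two caveats worth keeping in mind. Normalise the NAS value rather than storing the broken form in the directory: a firmware update or a second switch model will format the address differently, and the directory then holds data that is only right for one device. And a MAC address is a weak second factor at best; it is visible on the wire and trivially spoofed, so it should gate nothing that the LDAP bind does not already gate.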
Re: FreeRadius/LDAP conf : little problem
And the userPassword is used for the LDAP bind by PAP right?

Yes.

Do you know of a windows client that can do PAP/EAP-TTLS?

Yes, there are some Windows clients. There is even one that is free (as in gratis) for personal use: http://www.securew2.com/uk/downloadbuy/. However, I have not used any of them. Some of my users do not have the privileges on their computers needed to install software. Therefore, a third party client was not an option for me.

Paul,

How is your radiusd.conf configured for authorization and authentication? Which modules have to be enabled where? Also, how are your eap settings configured? If you don't mind sending snippets from the files, that would probably be easiest.

Thanks!

-Al
LDAP Bind authentication and Other Attributes
Hello,

If the type of authentication being done is an LDAP bind, is it possible to retrieve other attributes from the LDAP directory, such as the Calling-Station-ID, and authenticate against them as well? I have an LDAP bind authentication working (with username and password) but I would like to authenticate based on a MAC Address as well (3 things in total).

Thanks in advance!

-Al
Re: FreeRadius/LDAP conf : little problem
Quoting Paul Bender [EMAIL PROTECTED]:

Grant, Alastair Ian wrote:
Quoting Alan DeKok [EMAIL PROTECTED]:
Grant, Alastair Ian [EMAIL PROTECTED] wrote:

We are using PEAP with MS-CHAPv2 and LDAP and a Win2000 supplicant for testing. Do I need to use the NT-Password attribute?

Yes.

I guess my big question is do the encrypted passwords in the LDAP directory make authenticating impossible?

For PEAP, yes.

Do they need to be clear-text with the setup we have?

Or, NT-Passwords.

What are people out there with encrypted LDAP passwords (say SSHA) doing for radius authentication then?

What type of authentication is being done and what supplicant is being used?

I'd like to know what my options are. Thanks!

For Windows XP, I use PEAP with EAP-MSCHAP-V2. For everyone else, I use EAP-TTLS with PAP. EAP-MSCHAP-V2 authenticates using MS-CHAPv2 and the NT-Password. PAP authenticates using LDAP bind.

For Windows XP users, I store userPassword (SSHA), sambaLMPassword and sambaNTPassword in LDAP. With the right Samba and nss_ldap/pam_ldap configuration, smbpasswd keeps the three passwords in sync.

So the LMPassword and NTPassword are stored for the PEAP/MS-CHAPv2 authentication? And the userPassword is used for the LDAP bind by PAP right? Do you know of a windows client that can do PAP/EAP-TTLS? Are the LMPassword and NTPasswords strongly encrypted?

Thanks!

-Al
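Paul Bender's description (PEAP/MS-CHAPv2 against a stored NT hash for Windows XP, EAP-TTLS/PAP with an LDAP bind for everyone else) and the earlier question about checking Calling-Station-Id alongside an LDAP bind both come down to what the ldap module is told to fetch. The fragment below is an added example, not Paul's or the project's own files: it shows the ldap.attrmap entries and the 1.0-era radiusd.conf sections that make both paths work in one server. The LDAP attribute names (sambaNTPassword, radiusCallingStationId) are the ones named in this thread; the server name, DNs and bind password are placeholders (assumptions), and the EAP-TLS certificate settings are left to your own eap configuration.

On Al's closing question: the NT hash is an unsalted MD4 of the UTF-16 password, and for MS-CHAPv2 it is password-equivalent, since whoever can read sambaNTPassword can answer the challenge without knowing the password. Treat read access to that attribute as you would clear-text. The LM hash is weaker still (DES over two 7-character upper-cased halves) and MS-CHAPv2 never uses it, so it is deliberately not mapped below.

```text
# Added example, not configuration from the thread or the FreeRADIUS project.
# 1.0-era directive names; DNs, hostnames and passwords are assumptions.

# ---- raddb/ldap.attrmap -------------------------------------------------
# item type   RADIUS attribute       LDAP attribute
checkItem     NT-Password            sambaNTPassword          # MS-CHAPv2 path
checkItem     Calling-Station-Id     radiusCallingStationId   # MAC check, both paths
# sambaLMPassword is intentionally not mapped (not needed, far weaker).

# ---- raddb/radiusd.conf -------------------------------------------------
modules {
	ldap {
		server             = "ldap.example.org"               # assumption
		identity           = "cn=radius,dc=example,dc=org"    # assumption: the ONLY
		password           = "change-me"                      # DN allowed to read
		basedn             = "ou=people,dc=example,dc=org"    # sambaNTPassword
		filter             = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		# Compare the check items fetched from LDAP (here Calling-Station-Id)
		# against the request in authorize; off by default in this release.
		compare_check_items = yes
		# No password_attribute: userPassword stays an SSHA hash and is only
		# exercised through the bind in "Auth-Type LDAP" below.
	}
	mschap {
		authtype = MS-CHAP
	}
	eap {
		default_eap_type = peap            # Windows XP built-in supplicant
		# tls { ... certificate and key paths from your existing eap config }
		peap {
			default_eap_type = mschapv2    # inner method uses NT-Password
		}
		mschapv2 {
		}
		ttls {
			default_eap_type = md5         # ignored when the inner method is PAP
		}
	}
}

authorize {
	preprocess
	mschap
	eap
	ldap          # adds NT-Password / Calling-Station-Id check items
}

authenticate {
	Auth-Type MS-CHAP {
		mschap    # PEAP's inner MS-CHAPv2 lands here, NT-Password from LDAP
	}
	Auth-Type LDAP {
		ldap      # EAP-TTLS/PAP: bind to the directory as the user
	}
	eap
}
```

Two directory-side conditions make or break this: the RADIUS bind DN needs an ACL that lets it read sambaNTPassword (and normal users must not be able to read each other's), and radiusCallingStationId must hold the value in exactly the form the NAS sends it, or the comparison enabled by compare_check_items will reject every request.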
Re: FreeRadius/LDAP conf : little problem
Quoting Alan DeKok [EMAIL PROTECTED]:

Grant, Alastair Ian [EMAIL PROTECTED] wrote:

We are using PEAP with MS-CHAPv2 and LDAP and a Win2000 supplicant for testing. Do I need to use the NT-Password attribute?

Yes.

I guess my big question is do the encrypted passwords in the LDAP directory make authenticating impossible?

For PEAP, yes.

Do they need to be clear-text with the setup we have?

Or, NT-Passwords.

What are people out there with encrypted LDAP passwords (say SSHA) doing for radius authentication then?

What type of authentication is being done and what supplicant is being used?

I'd like to know what my options are. Thanks!

Alan DeKok.
Re: Porting issue.
Quoting Mark Coccimiglio [EMAIL PROTECTED]:

I had a problem building freeradius-1.0.0-pre2 on RH Fedora Core2 and was able to figure out a workaround. Basically the build stopped because my system lacked the file com_err.h. So I installed the current RPM for krb5 and still ran into the problem. It appears that the file is located at /usr/include/et when freeradius is looking for the file at /usr/include.

As a quick and dirty fix I soft linked the file in the et directory into /usr/include (ln -s /usr/include/et/com_err.h /usr/include/com_err.h) and the build completed successfully.

The other solution is to configure as:

    CFLAGS=-I/usr/include/et ./configure [other options]

Just thought I'd let everyone know.

Mark C.

I guess creating a symbolic link would allow other applications to use the header file as well. That's probably a better choice.

-Al
RE: eap tls configuration problem
Quoting Heath Partington [EMAIL PROTECTED]:

Apparently must have had the wrong combination of openssl and/or permissions levels. Anyway it seems that if you use the eaptls howto with the latest released openssl and pre2 everything is fine. Thanks for your help.

When I installed openSSL, I configured with:

    ./configure --prefix=/usr/local/openssl

I'm not sure if this matters, it might be setting the path to the place the freeRadius will look for the SSL libraries. When I configured freeRadius 0.9.3 I had to:

    CFLAGS=-I/usr/include/et ./configure

to include a library.

Hopefully this helps...

-Al

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 18, 2004 12:34 PM
To: [EMAIL PROTECTED]
Subject: Re: eap tls configuration problem

Heath Partington [EMAIL PROTECTED] wrote:

Sounds like you need a vacation. Sniping at the people helping you won't help.

    configure: warning: FAILURE: rlm_eap_sim requires: libssl.
    configure: warning: silently not building rlm_eap_tls.

You don't have SSL installed. Install it. OR, you have an older version of SSL installed, and the server doesn't like it. READ the output of configure. It will tell you what's going wrong, and why.

Alan DeKok.