Re: Freeradius + OpenLDAP - user password problem
Still doesn't work. I tried yesterday on a new machine; I set up everything and configured eap.conf to use PEAP. I set up server certificates and a CA. When I try to log in from an XP client via a Linksys wireless router, I get an "error reading client certificate" message from freeRadius. Since I don't need a client certificate for PEAP, I'm pretty confused (again :D).
--
View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014904.html#a5921516
Sent from the FreeRadius - User forum at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Thanks to you too. I noticed some people feel offended by my attitude, so let me apologize - I don't mean to be a smartass, and I definitely don't have any doubts in your knowledge, but I'm a young computer engineer (first months of work) and when things get hard for me I can get a little pushy while trying to solve them.

Now I configured radius to use EAP-PEAP and I thought I have only 1 step left to take - make OpenLDAP use NT hash passwords (already know how to do that), but damn, that no dialup access attribute error strikes again with radtest :( If even radtest doesn't get through (though it doesn't use EAP) there is no chance a real client would, eh?

And I ask again - is it normal that I don't get access-accept with radtest without setting auth-type to ldap and can I simply ignore that (I get that dialup access attribute error), or should I get access-accept with radtest without setting auth-type to ldap? That's what I wanted to know in one of my previous posts.
Re: Freeradius + OpenLDAP - user password problem
Okay, I tried some things out and noticed that what John pasted definitely isn't an .ldif file. And if I set Auth-Type to LDAP in the users file or if I uncomment it in the authorize section of radiusd.conf -- it isn't the same! If I set ldap in radiusd.conf I get

rlm_ldap: no dialupAccess attribute - access denied by default

with radtest.
Re: Freeradius + OpenLDAP - user password problem
Phil Mayers wrote:
> Wrong. You're very confused about how this works. Your original mail states you want to do EAP-PEAP+MS-CHAP for wireless auth. Unless your LDAP directory contains the plaintext password or the NT hash, what you want to do is impossible. If it does contain the plaintext or NT hashes, correct configuration will make it work. Does it?
>
> Also, you've failed to register this several times, but I'll repeat it. DO NOT SET Auth-Type. At all. To anything. In common use, there's no need to set it, and in fact it can actively break things.

Thank you, your reply was very useful, and yes, I am confused about how these things work and I am not ashamed to admit it, but it's getting clearer pretty rapidly :)

Now I have one last question (or at least I hope so) - which choice is more viable: using EAP-PEAP+MS-CHAP for wireless auth (but with clear text passwords this time), like I originally planned to, or can you recommend using something else? I really don't care, as long as it works with most wireless hardware :)
Re: Freeradius + OpenLDAP - user password problem
Thank you again, you were very helpful, but I still have issues. This is what's bugging me. Only under these circumstances:

1.) I have ldap in the authenticate section,
2.) AUTH-TYPE set to LDAP in the users file, and
3.) MUST NOT have ldap under the authorize section of radiusd.conf.

Only with this config do I get access-accept with radtest (I tried all possible combinations of those 3). I get this message otherwise:

rlm_ldap: no dialupAccess attribute - access denied by default

And with my working config I get the already mentioned userPassword attribute error. So, I'm afraid I don't even get far enough to have problems with password encryption.
Re: Freeradius + OpenLDAP - user password problem
OK, I guess I should paste that anyway, so here it is, hope it helps:

rad_recv: Access-Request packet from host 192.168.1.1:2051, id=0, length=121
    User-Name = root
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = 0016b6016815
    Calling-Station-Id = 00130237d9db
    NAS-Identifier = 0016b6016815
    NAS-Port = 53
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020901726f6f74
    Message-Authenticator = 0x4ec4b4b08fe410e47f6c233f47b4dbb0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module preprocess returns ok for request 3
modcall[authorize]: module mschap returns noop for request 3
rlm_realm: No '@' in User-Name = root, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 3
users: Matched entry DEFAULT at line 1
users: Matched entry DEFAULT at line 156
modcall[authorize]: module files returns ok for request 3
modcall: group authorize returns ok for request 3
rad_check_password: Found Auth-Type LDAP
auth: type LDAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 3
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
modcall[authenticate]: module ldap returns invalid for request 3
modcall: group Auth-Type returns invalid for request 3
auth: Failed to validate the user.
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.1.1:2051
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 0 with timestamp 44c9f898
Nothing to do. Sleeping until we see a request.
Re: Freeradius + OpenLDAP - user password problem
And here is the example of a successful logon with radtest:

radtest bbb badblueboy 192.168.1.129 1 testing123

rad_recv: Access-Request packet from host 192.168.1.129:35640, id=191, length=55
    User-Name = bbb
    User-Password = badblueboy
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module preprocess returns ok for request 5
modcall[authorize]: module mschap returns noop for request 5
rlm_realm: No '@' in User-Name = bbb, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 5
users: Matched entry DEFAULT at line 1
users: Matched entry DEFAULT at line 156
modcall[authorize]: module files returns ok for request 5
modcall: group authorize returns ok for request 5
rad_check_password: Found Auth-Type LDAP
auth: type LDAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 5
rlm_ldap: - authenticate
rlm_ldap: login attempt by bbb with password badblueboy
radius_xlat: '(uid=bbb)'
radius_xlat: 'ou=People,dc=BLah,dc=si'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=BLah,dc=si, with filter (uid=bbb)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: uid=bbb,ou=People,dc=BLah,dc=si
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=bbb,ou=People,dc=kapion,dc=si/badblueboy to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user bbb authenticated succesfully
modcall[authenticate]: module ldap returns ok for request 5
modcall: group Auth-Type returns ok for request 5
Sending Access-Accept of id 191 to 192.168.1.129:35640
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 191 with timestamp 44c9f995
Nothing to do. Sleeping until we see a request.
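Added example, not part of the original posts and not FreeRADIUS code: a small Python parser for debug output shaped like the two traces above. It flags a request where a forced Auth-Type LDAP meets an EAP request that carries no User-Password, and tells it apart from the radtest (PAP) case. The sample trace, user name, addresses and the function names parse_requests and diagnose are constructed for illustration.

```python
import re

# Constructed sample in the format of the traces above (user, addresses, password made up).
SAMPLE = """\
rad_recv: Access-Request packet from host 192.0.2.1:2051, id=7, length=121
    User-Name = alice
    EAP-Message = 0x0201000a01616c696365
rad_check_password: Found Auth-Type LDAP
rad_recv: Access-Request packet from host 192.0.2.9:35640, id=8, length=55
    User-Password = example-secret
rad_check_password: Found Auth-Type LDAP
Sending Access-Accept of id 8 to 192.0.2.9:35640
Sending Access-Reject of id 7 to 192.0.2.1:2051
"""

RECV = re.compile(r"^rad_recv: Access-Request packet from host \S+ id=(\d+)")
ATTR = re.compile(r"^\s*([A-Za-z][\w-]*) = ")
AUTH = re.compile(r"^rad_check_password:\s+Found Auth-Type (\S+)")
SEND = re.compile(r"^Sending (Access-\w+) of id (\d+) ")

def parse_requests(text):
    """Return one dict per Access-Request: attribute names, Auth-Type found, reply sent."""
    requests, cur, in_attrs = [], None, False
    for line in text.splitlines():
        if m := RECV.match(line):
            cur = {"id": int(m.group(1)), "attrs": set(), "auth_type": None, "reply": None}
            requests.append(cur)
        elif in_attrs and (m := ATTR.match(line)):
            cur["attrs"].add(m.group(1))
        elif cur and (m := AUTH.match(line)):
            cur["auth_type"] = m.group(1)
        elif m := SEND.match(line):
            for req in reversed(requests):  # pair by RADIUS id: rejects are sent late
                if req["id"] == int(m.group(2)) and req["reply"] is None:
                    req["reply"] = m.group(1)
                    break
        in_attrs = m is not None and m.re in (RECV, ATTR)  # attrs directly follow rad_recv
    return requests

def diagnose(req):
    """Say whether a forced Auth-Type LDAP fits what the request actually carries."""
    eap, pap = "EAP-Message" in req["attrs"], "User-Password" in req["attrs"]
    if req["auth_type"] == "LDAP" and eap and not pap:
        return "EAP request forced to Auth-Type LDAP: no User-Password to bind with"
    if req["auth_type"] == "LDAP" and pap:
        return "PAP request: LDAP bind can check User-Password"
    return "no forced-LDAP mismatch"

if __name__ == "__main__":
    print([(r["id"], r["reply"], diagnose(r)) for r in parse_requests(SAMPLE)])
```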
Freeradius + OpenLDAP - user password problem
Hello, as you can see, I must be pretty desperate to register somewhere so I can ask for help. Anyway, the situation is: I recently set up a freeradius server with openldap for auth, and everything seemed to work great (radtest returns access-accept), until I tried to log in via notebook and Linksys router (with dd-wrt firmware). The Linksys is properly configured, I believe. On the laptop I have chosen WPA 2 security using ms-chap, and when I try to connect, the access-request packet doesn't contain the attribute user-password! I am really stuck here and have no idea what to do, so any help would be really appreciated. If you need additional info I will be glad to assist (e.g. post debug output or something).