802.1x and LDAP
Greetings. I am extremely green to both 802.1x and RADIUS and am trying to set this system up quickly as students arrive on campus in a couple of weeks, so please forgive me if I ask questions that have been answered or exist in the documentation.

I need to authenticate Windows and OS X wireless users using Cisco APs to the FreeRADIUS server, using our OS X LDAP directory as the backend. I can use radtest from another host and authenticate an LDAP user via the FreeRADIUS server and get an Access-Accept packet from the server. When I attempt to connect via a Windows or OS X client to the AP I get error messages about User-Password being required, and the Access-Request packet does not have the User-Password attribute.

Many of the settings are the default. The settings I have changed have been from several online tutorials, none of which talked about both 802.1x and LDAP. I'm embarrassed not to have read all the documentation but I'm really in a time pinch here. Again I beg your indulgence.

Cian Phillips
Director Network & Systems
California College of the Arts
Phone: (510) 594-3745
Cell: (510) 719-0091
Fax: (510) 594-3758
email: [EMAIL PROTECTED]

<<<<<<<<<<<< OUTPUT of freeradius -X >>>>>>>>>>>>>>>>
radius:/etc# freeradius -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/freeradius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/freeradius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/var/run/freeradius/freeradius.pid"
main: user = "freerad"
main: group = "freerad"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = "ldap-sf.cca.edu"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = ""
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = ""
ldap: basedn = "cn=users,dc=cca,dc=edu"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
lda
Re: 802.1x and LDAP
Cian Phillips wrote:
> Many of the settings are the default. The settings I have changed
> have been from several online tutorials none of which talked about
> both 802.1x and LDAP.

Seems to me you didn't search well enough...
http://www.google.com/search?hl=nl&q=freeradius+802.1x+ldap+howto

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 802.1x and LDAP
Sorry, I should have mentioned the pages I have already tried to follow.

http://www.bughost.org/ipw/docs/freeRadius_configuration_HOWTO.TXT
http://www.kevan.net/cisco_freeradius_tls_peap_auth.php
http://mattzz.dyndns.org/twiki/bin/view/Projects/FreeRadiusAuthentication
http://www.missl.cs.umd.edu/wireless/eaptls/
http://lists.freeradius.org/mailman/htdig/freeradius-users/2004-June/033143.html
http://vuksan.com/linux/dot1x/802-1x-LDAP.html#Set_up_OpenLDAP
http://www.sas.upenn.edu/~omar/wireless/work_freeradius.html#freeradius
http://tldp.org/HOWTO/html_single/8021X-HOWTO/

With each of these I still have the problem where the Access-Request packet doesn't contain a User-Password attribute. I am guessing that there is something very fundamental that I am not understanding... like "there isn't supposed to be a User-Password attribute coming from the AP", but if that's the case then I really don't understand how we authenticate against the LDAP directory without a password.

I have tried a bunch of different "how-to's" and haven't had any success... if someone could say they were certain that one of them worked, that in itself would be a great deal of help.

I guess I should also mention that I have searched the list for "rlm_ldap: Attribute "User-Password" is required for authentication." and some other permutations of that string but didn't find anything that seemed especially conclusive or applicable... The problem is that I'm not sure I would know if I saw it.

Again my apologies for trying to get up to speed in a couple of hours... and many thanks for attempting to help me find a solution.

Cian Phillips
Director Network & Systems
California College of the Arts
Phone: (510) 594-3745
Cell: (510) 719-0091
Fax: (510) 594-3758
email: [EMAIL PROTECTED]

On Aug 19, 2005, at 10:30 AM, Thor Spruyt wrote:

> Cian Phillips wrote:
>> Many of the settings are the default. The settings I have changed
>> have been from several online tutorials none of which talked about
>> both 802.1x and LDAP.
>
> Seems to me you didn't search well enough...
> http://www.google.com/search?hl=nl&q=freeradius+802.1x+ldap+howto
>
> --
> Groeten, Regards, Salutations,
> Thor Spruyt
> M: +32 (0)475 67 22 65
> E: [EMAIL PROTECTED]
> W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: 802.1x and LDAP
Cian Phillips <[EMAIL PROTECTED]> wrote:
> With each of these I still have the problem where the Access-Request
> packet doesn't contain a User-Password attribute. I am guessing that
> there is something very fundamental that I am not understanding..
> like "there isn't supposed to be a User-Password attribute coming
> from the AP" but if that's the case then I really don't understand
> how we authenticate against the LDAP directory without a password.

You don't. LDAP is a database, not an authentication server. FreeRADIUS is an authentication server. It pulls the password from LDAP, and uses that to authenticate the user.

> I have tried a bunch of different "how-to's" and haven't had any
> success.. if someone could say they were certain that one of them
> worked that in itself would be a great deal of help.

If you're looking for details of how the authentication protocols work, the HOWTOs won't help you. They tell you how to get it to work, and they assume that you don't care about the internal design details of the system.

If you DO really care about the design details of the authentication protocols, read the RFCs. They're in doc/rfc/*.

Otherwise, configure the system as per the HOWTOs, and it *will* work.

Alan DeKok.
Re: 802.1x and LDAP
FreeRadius users mailing list on August 19, 2005 at 10:54 -0800 wrote:
> With each of these I still have the problem where the Access-Request
> packet doesn't contain a User-Password attribute. I am guessing that
> there is something very fundamental that I am not understanding..
> like "there isn't supposed to be a User-Password attribute coming
> from the AP" but if that's the case then I really don't understand
> how we authenticate against the LDAP directory without a password.

Hi there,

Do some research on configuring TTLS with FreeRADIUS -- there's a howto around somewhere. Once you get TTLS/PAP working (with the auth info in the users file), you can easily make LDAP work.

An understanding of the tunnelling system used with most 802.1x auth protocols would be helpful for you -- the trouble is that the password is inside the tunnel, and your FreeRADIUS config isn't understanding your tunnel.

-kb

--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
Re: 802.1x and LDAP
Cian Phillips wrote:
> rlm_ldap: performing search in cn=users,dc=cca,dc=edu, with filter (uid=cian)
> rlm_ldap: checking if remote access for cian is allowed by uidNumber
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user cian authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns updated for request 0
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
> modcall[authenticate]: module "ldap" returns invalid for request 0
> modcall: group Auth-Type returns invalid for request 0

It appears in your users file you are setting Auth-Type to LDAP. It should be EAP or just leave it blank. FreeRADIUS will set it to EAP.

What you also need to do is set the client to use PAP authentication in the inner tunnel.

http://vuksan.com/linux/dot1x/wpa-client-config.html

Vladimir
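The point made in the two replies above (Kris Benson's, that the password travels inside the EAP/TLS tunnel, and Vladimir's, that the outer request from the AP therefore carries nothing for an Auth-Type of LDAP to compare), shown as an added example that is not from the thread or from FreeRADIUS itself: it builds two constructed Access-Request packets, one shaped like what radtest sends (User-Password present, obfuscated with the shared secret as RFC 2865 specifies) and one shaped like what an 802.1x AP sends (an EAP-Message and no User-Password), and reports what an outer-stage password compare could see in each. The shared secret, authenticator, user name and password are constructed values.

```python
import hashlib
import struct
USER_NAME, USER_PASSWORD, EAP_MESSAGE = 1, 2, 79  # RFC 2865 / RFC 2869 attribute types used below

def encode_user_password(secret, authenticator, password):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous cipher block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def decode_user_password(secret, authenticator, encoded):
    # Inverse of the above: same keystream, chained on the cipher blocks; NUL padding stripped.
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, authenticator, attrs):
    # Header: code 1 (Access-Request), id, total length, 16-byte authenticator; then TLV attributes.
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_attrs(packet):
    attrs, i = {}, 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        attrs.setdefault(t, []).append(packet[i + 2:i + length])
        i += length
    return attrs

def password_available_to_ldap(packet, secret):
    # What a module such as rlm_ldap can see at the OUTER authenticate step for this packet.
    attrs = parse_attrs(packet)
    if USER_PASSWORD in attrs:
        return "PAP", decode_user_password(secret, packet[4:20], attrs[USER_PASSWORD][0])
    # With EAP the password (if any) travels inside the EAP/TLS tunnel, not in this packet.
    return ("EAP", None) if EAP_MESSAGE in attrs else ("NONE", None)

SECRET, AUTH = b"testing123", bytes(range(16))  # constructed shared secret and request authenticator
# radtest-style request: User-Password present, so an LDAP compare has something to work with.
RADTEST_REQUEST = build_access_request(1, AUTH, [
    (USER_NAME, b"cian"), (USER_PASSWORD, encode_user_password(SECRET, AUTH, b"hunter2"))])
# AP-style 802.1x request: only an EAP Response/Identity (code 2, id 1, length 9, type 1), no password.
AP_REQUEST = build_access_request(2, AUTH, [
    (USER_NAME, b"cian"), (EAP_MESSAGE, struct.pack("!BBHB", 2, 1, 9, 1) + b"cian")])
```

Only after the EAP module has unwrapped the TTLS tunnel does an inner request carrying User-Password exist for the LDAP compare to run against, which is why the outer request must be left to Auth-Type EAP and the client set to PAP inside the tunnel.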