Re: EAP-MD5 with LDAP

2006-06-26 Thread Stefan Winter
 Can I set Autz-Type in users, but leave EAP to set Auth-Type?

Sure.

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Research & Development Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-MD5 with LDAP

2006-06-25 Thread Rohaizam Abu Bakar


After searching for a solution, I found one comment from Alan advising not 
to set Auth-Type := LDAP, because LDAP does not do authentication; EAP does. 
Let the server figure it out itself. In the case of EAP, LDAP just extracts 
the password for EAP to do the authentication.


But the problem is, my radius needs to serve a few services, such as 
ADSL, Wifi, Dial up, etc. Each service has its own LDAP tree for 
better management. So in radiusd.conf there will be a few ldap modules. 
See below:



How do I set up the users file so that a WIFI user performs EAP but gets 
LDAP info from a certain LDAP tree, without having to set Auth-Type?




i) users
=

DEFAULT   (not to set Auth-Type, but need to direct to a certain LDAP tree)




ii) radiusd.conf
==

ldap adsl {
   basedn=ou=ADSL, ou=People...
}
ldap wifi {
   basedn=ou=wifi, ou=People...
}

Then, in the authenticate and authorize sections:

authorize {
   eap
   Autz-Type ADSL {
      adsl
   }
   Autz-Type WIFI {
      wifi
   }
}
authenticate {
   Auth-Type ADSL {
      adsl
   }
   Auth-Type WIFI {
      wifi
   }
   eap
}

iii) eap.conf

... some config...




Re: EAP-MD5 with LDAP

2006-06-25 Thread Alan DeKok
Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
 How do i set in users file in order for WIFI user to perform EAP but get 
 LDAP info from certain LDAP tree  without having to set Auth-Type 

  The EAP module will take care of setting Auth-Type.  You don't have to.

  Alan DeKok.


Re: EAP-MD5 with LDAP

2006-06-25 Thread Rohaizam Abu Bakar

Can I set Autz-Type in users, but leave EAP to set Auth-Type?

--haizam



Re: EAP-MD5 with LDAP

2006-06-24 Thread Phil Mayers

Rohaizam Abu Bakar wrote:

Hi..

Using FB 6.0
FR 1.0.5

trying to configure EAP-MD5  with LDAP backend...

But it keep reporting:

rlm_ldap: Attribute User-Password is required for authentication.




EAP-MD5 requires you have the plaintext password (in the LDAP server, in 
this case). If you do not, you cannot do EAP-MD5. If you do, configure 
the LDAP server to give the plaintext password to the radius server 
(usually in userPassword) and the radius server to map that into 
User-Password (done by default) and it will work.


EAP-MD5 with LDAP

2006-06-23 Thread Rohaizam Abu Bakar

Hi..

Using FB 6.0
FR 1.0.5

trying to configure EAP-MD5 with LDAP backend...

But it keeps reporting:

rlm_ldap: Attribute User-Password is required for authentication.

No EAP has been processed...

Please see the full debug log below.


Below is my config with multiple DEFAULT entries, for wireless services and 
normal dial-up authentication.




i) users
  =

  DEFAULT NAS-Identifier == Wireless-802.11, Autz-Type := Y5, 
Auth-Type :=Y5

  DEFAULT Autz-Type := LDAP, Auth-Type := LDAP

ii) eap.conf
   
   eap {
      default_eap_type = md5
      md5 {
      }
   }


iii) radiusd.conf


$INCLUDE ${confdir}/eap.conf

authorize {
   eap

   Autz-Type LDAP {
      ldap1
   }
   Autz-Type Y5 {
      ldapy51
   }
}


authenticate {

   Auth-Type LDAP {
      ldap1
   }
   Auth-Type Y5 {
      ldapy51
   }
   eap
}


ldap ldap1 {
   server = localhost
   identity = cn=root,dc=jaring,dc=my
   password = xx
   basedn = ou=RADIUS,ou=People,dc=jaring,dc=my
   filter = (uid=%{Stripped-User-Name:-%{User-Name}})
   start_tls = no
   access_attr = dialupAccess
   dictionary_mapping = ${raddbdir}/ldap.attrmap
   ldap_connections_number = 10
   password_attribute = userPassword
   timeout = 4
   timelimit = 3
   net_timeout = 1
}

ldap ldapy51 {
   server = localhost
   identity = cn=root,dc=jaring,dc=my
   password = xx
   basedn = ou=Y5,ou=People,dc=jaring,dc=my
   filter = (uid=%{Stripped-User-Name:-%{User-Name}})
   start_tls = no
   access_attr = dialupAccess
   dictionary_mapping = ${raddbdir}/ldap.attrmap
   ldap_connections_number = 10
   password_attribute = userPassword
   timeout = 4
   timelimit = 3
   net_timeout = 1
}



rad_recv: Access-Request packet from host 202.73.10.12:1814, id=133, length=197
   Framed-MTU = 1466
   NAS-IP-Address = 10.220.0.2
   NAS-Identifier = OCEPOP
   User-Name = jaroce
   Service-Type = Framed-User
   NAS-Port = 129
   NAS-Port-Type = Ethernet
   NAS-Port-Id = ether9_129
   Called-Station-Id = 00-11-95-e1-ce-8a
   Calling-Station-Id = 00-13-46-86-c3-93
   Connect-Info = CONNECT Ethernet 2Mbps Full duplex
   EAP-Message = 0x02020015016a61726f6365406d793031352e636f6d
   Message-Authenticator = 0x6d5b3fff40ff4c920b88d100ed80a209
   Proxy-State = 0x3433
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 modcall[authorize]: module mschap returns noop for request 1
   rlm_realm: No '/' in User-Name = jaroce, skipping NULL due to config.
 modcall[authorize]: module IPASS returns noop for request 1
   rlm_realm: No '@' in User-Name = jaroce, looking up realm NULL
   rlm_realm: Found realm NULL
   rlm_realm: Adding Stripped-User-Name = jaroce
   rlm_realm: Proxying request from user jaroce to realm NULL
   rlm_realm: Adding Realm = NULL
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module suffix returns noop for request 1
 rlm_eap: EAP packet type response id 2 length 21
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 1
   users: Matched entry DEFAULT at line 68
 modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
 Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 1
modcall: entering group redundant for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jaroce
radius_xlat:  '(uid=jaroce)'
radius_xlat:  'ou=RADIUS,ou=People,dc=jaring,dc=my'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with
filter (uid=jaroce)
rlm_ldap: checking if remote access for jaroce is allowed by dialupAccess
rlm_ldap: Added password j4r1ng in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP  op=11
rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500  op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP  op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User  op=11
rlm_ldap: user jaroce authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap1 returns ok

Re: EAP-MD5 with LDAP

2006-06-23 Thread Stefan Winter
Hi,

 trying to configure EAP-MD5  with LDAP backend...

 rlm_ldap: Attribute User-Password is required for authentication.

oh, a classic. You are trying to use a backend that requires having the clear-text 
password, but are instead feeding it with a one-way hashed password. 
This won't work out of the box. What you *might* be able to do is retrieve 
the user's password during authorize with an administrator account, and then 
during authenticate let the server compare things itself, without calling 
ldap during authenticate. Never done that, but it seems possible to me. Good 
luck.

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Research Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg


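
Phil Mayers' and Stefan Winter's replies above make the same point: an EAP-MD5 response can only be verified from the clear-text password, whereas a one-way hash in userPassword is enough for PAP, where the server itself receives the clear text. The code below is an added example, not FreeRADIUS or OpenLDAP code, that puts the two checks side by side: the MD5-Challenge response is MD5(Identifier || password || Challenge) as in RFC 3748 section 5.4 (CHAP, RFC 1994), the {SSHA} layout follows OpenLDAP's userPassword convention, and the password, salt and challenge values are constructed for the example.

```python
"""Why EAP-MD5 needs the clear-text password while a hashed userPassword
still works for PAP.

Added example, not FreeRADIUS or OpenLDAP code. The {SSHA} layout follows
OpenLDAP's userPassword convention; the MD5-Challenge computation follows
RFC 3748 section 5.4.
"""
import base64
import hashlib
import hmac
from typing import Optional


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def ssha_encode(password: bytes, salt: bytes) -> str:
    """{SSHA} userPassword value: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def pap_check(stored: str, candidate: bytes) -> bool:
    """PAP: the server holds the clear-text candidate, so a one-way hash in
    the directory is enough to verify it. Clear-text storage also works."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    return hmac.compare_digest(stored.encode(), candidate)


def eap_md5_check(stored: str, identifier: int, challenge: bytes,
                  response: bytes) -> Optional[bool]:
    """EAP-MD5: the server receives only MD5(...) and must recompute it from
    the clear-text secret. With a {SSHA}/{CRYPT}/... value there is nothing
    to feed into MD5, so return None ("cannot verify"); that is the situation
    behind the 'Attribute User-Password is required' message in this thread."""
    if stored.startswith("{"):
        return None
    expected = eap_md5_response(identifier, stored.encode(), challenge)
    return hmac.compare_digest(expected, response)


# Constructed values for the example (not from any real deployment).
EXAMPLE_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")


def run_exchange(stored: str, peer_password: bytes, identifier: int = 2,
                 challenge: bytes = EXAMPLE_CHALLENGE) -> Optional[bool]:
    """Simulate the authenticator issuing a challenge and the peer answering
    it with its own copy of the password, then verify against `stored`."""
    response = eap_md5_response(identifier, peer_password, challenge)
    return eap_md5_check(stored, identifier, challenge, response)


if __name__ == "__main__":
    pw = b"example-password"                       # constructed
    hashed = ssha_encode(pw, bytes.fromhex("0badcafe"))
    print("PAP against {SSHA}:   ", pap_check(hashed, pw))
    print("EAP-MD5 against clear:", run_exchange("example-password", pw))
    print("EAP-MD5 against {SSHA}:", run_exchange(hashed, pw))
```

eap_md5_check deliberately returns None rather than False when the directory only holds a hash: the request cannot be authenticated as configured, which is a configuration condition to alert on rather than a wrong password. The remedy is a credential stored in a form the method can use, or a different EAP method, not a weaker comparison.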


Re: eap-md5 with ldap backend

2005-01-25 Thread Kostas Kalevras
On Mon, 24 Jan 2005, Matt Moore wrote:
Hey, Thanks for the help...
Still having difficulty, although I think you are
right on target.
LDAP appear to respond correctly then Radius states
that the User-Password attribute is missing.  Isn't
this what I set with the ldap.attrmap and
dictionary_mapping in the radiusd.conf?
Here are snippets from configs and the radiusd -X
output for the failed eap request...
Please let me know if more is needed.
Thanks,
Matt
DEFAULT Auth-Type := LDAP
Fall-Through = 1
You are setting Auth-Type to LDAP. The ldap module does not perform 
authentication; the eap module does. The ldap module will just extract the user 
password (in the authorize phase). FreeRADIUS should be able to figure things out 
on its own without you having to worry about setting Auth-Type to anything.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: eap-md5 with ldap backend

2005-01-25 Thread Matt Moore
Kostas - Thank you.  I had misunderstood this section
(obviously) in what I had read.  The explanation below
helps a lot...

All is working now.

Thanks,
Matt

--- Kostas Kalevras [EMAIL PROTECTED] wrote:
...
 You are setting Auth-Type to LDAP. The ldap module
 does not perform 
 authentication, the eap module does. The ldap module
 will just extract the user 
 password (in the authorize face). Freeradius should
 be able to figure out things 
 on it's own without you having to worry about
 setting Auth-Type to anything.


eap-md5 with ldap backend

2005-01-24 Thread Matt Moore
Hello all,

I am trying to set up a RADIUS service for EAP with an
LDAP backend.  I have gotten the LDAP backend working
and I have gotten EAP to work with a user defined in
the users file.  Next two lines from my users file.

testuser  Auth-Type := EAP, User-Password == testpass
DEFAULT Auth-Type := LDAP

But, how do I get EAP to work with ldap backend in
this situation?  Or am I missing something more
fundamental?  I have looked through the archives, but
turned up only help on ldap or eap, not combining the
two...  any pointers?

Thanks,
Matt Moore






Re: eap-md5 with ldap backend

2005-01-24 Thread NextGen$'s ShaDow
I solved this problem using another attribute:
in /etc/freeradius/ldap.attrmap:

checkItem   User-Password   radiusTunnelPassword

and set up passwords in it ;-)

I think it's only an access-rights problem on the LDAP 'userPassword' 
attribute...

If that doesn't solve your problem, please send a copy of your config 
files and give more information: it'll be easier to help.

Regards


-- 
NextGen$. 
--- In a world without fences nor walls - who needs windows and gates ? 

One can obey the laws while wishing that they change, just as one serves in 
war while wishing for peace. 
Merleau-Ponty, L'éloge de la philosophie (In Praise of Philosophy)





Re: eap-md5 with ldap backend

2005-01-24 Thread Matt Moore
Hey, Thanks for the help...

Still having difficulty, although I think you are
right on target.

LDAP appears to respond correctly, then RADIUS states
that the User-Password attribute is missing.  Isn't
this what I set with the ldap.attrmap and
dictionary_mapping in the radiusd.conf?

Here are snippets from configs and the radiusd -X
output for the failed eap request...
Please let me know if more is needed.

Thanks,
Matt



ldap.attrmap:

checkItem   User-Password   userPassword


radiusd.conf:

modules {
   eap {
      default_eap_type = md5
      timer_expire = 60
      md5 {
      }
   }
   mschap {
      authtype = MS-CHAP
   }
   ldap {
      server = localhost
      identity = cn=Manager,dc=yoyo,dc=com
      password = secret
      basedn = dc=yoyo,dc=com
      filter = (uid=%{Stripped-User-Name:-%{User-Name}})
      start_tls = no
      dictionary_mapping = ${raddbdir}/ldap.attrmap
      ldap_connections_number = 5
      password_attribute = userPassword
      timeout = 4
      timelimit = 3
      net_timeout = 1
   }
}

authorize {
preprocess
eap
files
mschap
ldap
}

authenticate {
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap
}
eap
}



*Users File:

testuser  Auth-Type := EAP, User-Password == testpass
raduser   Auth-Type := Local, User-Password == testpass


DEFAULT Auth-Type := LDAP
        Fall-Through = 1




*radiusd -X output to failed eap request for ldap user

rad_recv: Access-Request packet from host 143.116.5.238:2048, id=98, length=117
NAS-IP-Address = 192.168.1.238
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Message-Authenticator = 0xf884d8f729a9e770bd73e8e33f6e22e7
NAS-Port = 20
Framed-MTU = 1490
User-Name = matt_moore
Calling-Station-Id = 00-B0-D0-74-C3-5A
EAP-Message = 0x0201000f016d6174745f6d6f6f7265
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  rlm_eap: EAP packet type notification id 1 length 15
  rlm_eap: EAP Start not found
  modcall[authorize]: module eap returns updated
users: Matched DEFAULT at 154
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for matt_moore
radius_xlat:  '(uid=matt_moore)'
radius_xlat:  'dc=yoyo,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=yoyo,dc=com, with filter (uid=matt_moore)
rlm_ldap: Added password test123 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value test123  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user matt_moore authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
modcall: entering group Auth-Type
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for
authentication.
  modcall[authenticate]: module ldap returns invalid
modcall: group Auth-Type returns invalid
auth: Failed to validate the user.
Login incorrect: [matt_moore/no User-Password attribute] (from client plant1 port 20 cli 00-B0-D0-74-C3-5A)
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.238:2048, id=98, length=117
Sending Access-Reject of id 98 to 192.168.1.238:2048
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 98 with timestamp 41f56ee2
Nothing to do.  Sleeping until we see a request.



Re: eap-md5 with ldap backend

2005-01-24 Thread Alan DeKok
Matt Moore [EMAIL PROTECTED] wrote:
 DEFAULT   Auth-Type := LDAP
   Fall-Through = 1
...
 rad_recv: Access-Request packet from host
 143.116.5.238:2048, id=98, length=117
...
 User-Name = matt_moore
 EAP-Message = 0x0201000f016d6174745f6d6f6f7265

  LDAP doesn't do EAP, as you may have discovered.

  The solution is to not set Auth-Type.  Please READ radiusd.conf.
The text before the authenticate section explains this.

  Alan DeKok.




EAP/MD5 and LDAP

2004-05-24 Thread Michael Schwartzkopff

Hi,

I did set up 802.1x EAP/MD5 with authentication via configuration files and it 
works. Now I want to connect the RADIUS to an LDAP database. Authentication 
fails and in the RADIUS log I see:

Login incorrect: [example/CHAP-Password]

Is there any way to get the CHAP password authenticated by the LDAP, or do I 
have to use EAP/TLS?

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP-ID: 15F925D9CEF94F2C
Fingerprint: AF27 2674 4631 E230 B431  F68D 15F9 25D9 CEF9 4F2C





Re: EAP/MD5 and LDAP

2004-05-24 Thread Alan DeKok
Michael Schwartzkopff [EMAIL PROTECTED] wrote:
 I did set up 802.1x EAP/MD5 with authentication via configuration
 files and it works. Now I want to connect the RADIUS to a LDAP
 database. Authentication fails and in the RADIUS log I see:

 Login incorrect: [example/CHAP-Password]

  That message has nothing to do with EAP.  If you want to see why the
authentication really failed, run the server in debugging mode.

  Alan DeKok.

