Re: EAP-MD5 with LDAP
> Can I set Autz-Type in users, but leave EAP to set Auth-Type?

Sure.

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Engineer, Research & Development
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
Fax: +352 422473
http://www.restena.lu

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-MD5 with LDAP
After searching for a solution, I found one comment from Alan that advises not to set Auth-Type := LDAP, because LDAP does not do authentication; EAP does. Let the server figure it out itself. In the case of EAP, LDAP just extracts the password for EAP to do the authentication.

But the problem is, my RADIUS needs to serve a few services, such as ADSL, Wifi, dial-up, etc. Each service has its own LDAP tree for better management. So in radiusd.conf there will be a few ldap modules. See below.

How do I set the users file so that a WIFI user performs EAP but gets LDAP info from a certain LDAP tree, without having to set Auth-Type?

i) users

    DEFAULT    (not to set Auth-Type but need to direct to certain LDAP tree)

ii) radiusd.conf

    ldap adsl {
        basedn = ou=ADSL, ou=People...
    }

    ldap wifi {
        basedn = ou=wifi, ou=People...
    }

Then, in the authorize and authenticate sections:

    authorize {
        eap
        Autz-Type ADSL {
            adsl
        }
        Autz-Type WIFI {
            wifi
        }
    }

    authenticate {
        Auth-Type ADSL {
            adsl
        }
        Auth-Type WIFI {
            wifi
        }
        eap
    }

iii) eap.conf

    ... some config ...

----- Original Message -----
From: Phil Mayers [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Saturday, June 24, 2006 5:37 PM
Subject: Re: EAP-MD5 with LDAP

> Rohaizam Abu Bakar wrote:
> > Hi.. Using FB 6.0 FR 1.0.5, trying to configure EAP-MD5 with LDAP backend... But it keeps reporting:
> > rlm_ldap: Attribute User-Password is required for authentication.
>
> EAP-MD5 requires you have the plaintext password (in the LDAP server, in this case). If you do not, you cannot do EAP-MD5. If you do, configure the LDAP server to give the plaintext password to the radius server (usually in userPassword) and the radius server to map that into User-Password (done by default) and it will work.
Re: EAP-MD5 with LDAP
Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
> How do I set the users file so that a WIFI user performs EAP but gets LDAP info from a certain LDAP tree, without having to set Auth-Type?

The EAP module will take care of setting Auth-Type. You don't have to.

Alan DeKok.
Re: EAP-MD5 with LDAP
Can I set Autz-Type in users, but leave EAP to set Auth-Type?

--haizam

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Sunday, June 25, 2006 10:48 PM
Subject: Re: EAP-MD5 with LDAP

> Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
> > How do I set the users file so that a WIFI user performs EAP but gets LDAP info from a certain LDAP tree, without having to set Auth-Type?
>
> The EAP module will take care of setting Auth-Type. You don't have to.
>
> Alan DeKok.
Re: EAP-MD5 with LDAP
Rohaizam Abu Bakar wrote:
> Hi.. Using FB 6.0 FR 1.0.5, trying to configure EAP-MD5 with LDAP backend... But it keeps reporting:
> rlm_ldap: Attribute User-Password is required for authentication.

EAP-MD5 requires you have the plaintext password (in the LDAP server, in this case). If you do not, you cannot do EAP-MD5. If you do, configure the LDAP server to give the plaintext password to the radius server (usually in userPassword) and the radius server to map that into User-Password (done by default) and it will work.
EAP-MD5 with LDAP
Hi.. Using FB 6.0 FR 1.0.5, trying to configure EAP-MD5 with LDAP backend... But it keeps reporting:

    rlm_ldap: Attribute User-Password is required for authentication.

No EAP has been processed... please see the full debug log below.

Below is my config with multiple DEFAULT entries, for wireless services and normal dial-up authentication.

i) users

    DEFAULT    NAS-Identifier == Wireless-802.11, Autz-Type := Y5, Auth-Type := Y5

    DEFAULT    Autz-Type := LDAP, Auth-Type := LDAP

ii) eap.conf

    eap {
        default_eap_type = md5
        md5 {
        }
    }

iii) radiusd.conf

    $INCLUDE ${confdir}/eap.conf

    authorize {
        eap
        Autz-Type LDAP {
            ldap1
        }
        Autz-Type Y5 {
            ldapy51
        }
    }

    authenticate {
        Auth-Type LDAP {
            ldap1
        }
        Auth-Type Y5 {
            ldapy51
        }
        eap
    }

    ldap ldap1 {
        server = localhost
        identity = cn=root,dc=jaring,dc=my
        password = xx
        basedn = ou=RADIUS,ou=People,dc=jaring,dc=my
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        start_tls = no
        access_attr = dialupAccess
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 10
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

    ldap ldapy51 {
        server = localhost
        identity = cn=root,dc=jaring,dc=my
        password = xx
        basedn = ou=Y5,ou=People,dc=jaring,dc=my
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        start_tls = no
        access_attr = dialupAccess
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 10
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

Debug log:

    rad_recv: Access-Request packet from host 202.73.10.12:1814, id=133, length=197
        Framed-MTU = 1466
        NAS-IP-Address = 10.220.0.2
        NAS-Identifier = OCEPOP
        User-Name = jaroce
        Service-Type = Framed-User
        NAS-Port = 129
        NAS-Port-Type = Ethernet
        NAS-Port-Id = ether9_129
        Called-Station-Id = 00-11-95-e1-ce-8a
        Calling-Station-Id = 00-13-46-86-c3-93
        Connect-Info = CONNECT Ethernet 2Mbps Full duplex
        EAP-Message = 0x02020015016a61726f6365406d793031352e636f6d
        Message-Authenticator = 0x6d5b3fff40ff4c920b88d100ed80a209
        Proxy-State = 0x3433
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 1
    modcall[authorize]: module preprocess returns ok for request 1
    modcall[authorize]: module chap returns noop for request 1
    modcall[authorize]: module mschap returns noop for request 1
    rlm_realm: No '/' in User-Name = jaroce, skipping NULL due to config.
    modcall[authorize]: module IPASS returns noop for request 1
    rlm_realm: No '@' in User-Name = jaroce, looking up realm NULL
    rlm_realm: Found realm NULL
    rlm_realm: Adding Stripped-User-Name = jaroce
    rlm_realm: Proxying request from user jaroce to realm NULL
    rlm_realm: Adding Realm = NULL
    rlm_realm: Authentication realm is LOCAL.
    modcall[authorize]: module suffix returns noop for request 1
    rlm_eap: EAP packet type response id 2 length 21
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 1
    users: Matched entry DEFAULT at line 68
    modcall[authorize]: module files returns ok for request 1
    modcall: group authorize returns updated for request 1
    Processing the authorize section of radiusd.conf
    modcall: entering group Autz-Type for request 1
    modcall: entering group redundant for request 1
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for jaroce
    radius_xlat: '(uid=jaroce)'
    radius_xlat: 'ou=RADIUS,ou=People,dc=jaring,dc=my'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with filter (uid=jaroce)
    rlm_ldap: checking if remote access for jaroce is allowed by dialupAccess
    rlm_ldap: Added password j4r1ng in check items
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP op=11
    rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 op=11
    rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP op=11
    rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User op=11
    rlm_ldap: user jaroce authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap1 returns ok
Re: EAP-MD5 with LDAP
Hi,

> trying to configure EAP-MD5 with LDAP backend...
> rlm_ldap: Attribute User-Password is required for authentication.

oh, a classic. You are trying to use a backend that requires having the clear-text password, but are instead feeding it with a one-way encrypted password. This won't work out-of-the-box. What you *might* be able to do is retrieve the user's password during authorize with an administrator account, and then during authenticate let the server compare things itself, without calling ldap during authenticate. Never done that, but it seems possible to me.

Good luck.

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Research Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Re: eap-md5 with ldap backend
On Mon, 24 Jan 2005, Matt Moore wrote:

> Hey, Thanks for the help... Still having difficulty, although I think you are right on target. LDAP appears to respond correctly, then Radius states that the User-Password attribute is missing. Isn't this what I set with the ldap.attrmap and dictionary_mapping in the radiusd.conf? Here are snippets from configs and the radiusd -X output for the failed eap request... Please let me know if more is needed. Thanks, Matt
>
>     DEFAULT    Auth-Type := LDAP
>                Fall-Through = 1

You are setting Auth-Type to LDAP. The ldap module does not perform authentication, the eap module does. The ldap module will just extract the user password (in the authorize phase). Freeradius should be able to figure out things on its own without you having to worry about setting Auth-Type to anything.

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
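To make concrete the point Phil, Stefan and Kostas make (rlm_ldap only fetches User-Password during authorize; the EAP-MD5 check itself happens in authenticate and can only be done from the cleartext password), here is an added example that is not from the thread and not FreeRADIUS code. It parses the EAP Identity response quoted in the debug log above and then verifies a constructed MD5-Challenge exchange; the challenge bytes, the password and the names are constructed test values.

```python
import hashlib
import hmac
import struct

# EAP packet layout (RFC 3748 section 4): Code(1) Identifier(1) Length(2) Type(1) Type-Data
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4

# EAP-Message from the debug log quoted in the thread: an EAP-Response/Identity.
IDENTITY_RESPONSE_HEX = "02020015016a61726f6365406d793031352e636f6d"


def parse_eap(raw: bytes) -> dict:
    """Split an EAP packet into its fields, checking Length against the buffer size."""
    if len(raw) < 5:
        raise ValueError("EAP packet too short")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP Length field does not match packet size")
    return {"code": code, "id": ident, "type": raw[4], "data": raw[5:]}


def is_cleartext_password(stored: bytes) -> bool:
    """False for LDAP hash schemes such as {SSHA} or {CRYPT}; those cannot feed EAP-MD5."""
    return not (stored.startswith(b"{") and b"}" in stored)


def md5_challenge_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """The 16-byte Value: MD5(Identifier || password || challenge), as in CHAP (RFC 1994)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_md5_request(ident: int, challenge: bytes, name: bytes = b"") -> bytes:
    """Server -> peer: EAP-Request/MD5-Challenge with Value-Size, Value (the challenge), Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + name
    return struct.pack("!BBH", EAP_REQUEST, ident, 4 + len(body)) + body


def build_md5_response(ident: int, password: bytes, challenge: bytes, name: bytes = b"") -> bytes:
    """Peer -> server: EAP-Response/MD5-Challenge; only a peer knowing the password can build it."""
    value = md5_challenge_value(ident, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body


def verify_md5_response(response: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """The authenticate-side check, using the User-Password that authorize fetched from LDAP.

    Recomputing Value needs the cleartext password; a one-way hashed userPassword cannot
    be run through MD5 again, which is why EAP-MD5 fails without cleartext in the directory.
    """
    if not is_cleartext_password(stored_password):
        raise ValueError("EAP-MD5 needs the cleartext password; userPassword is hashed")
    pkt = parse_eap(response)
    if pkt["code"] != EAP_RESPONSE or pkt["type"] != EAP_TYPE_MD5_CHALLENGE:
        return False
    value_size = pkt["data"][0]
    if value_size != 16 or len(pkt["data"]) < 1 + value_size:
        return False
    received = pkt["data"][1:1 + value_size]
    expected = md5_challenge_value(pkt["id"], stored_password, challenge)
    return hmac.compare_digest(received, expected)
```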
Re: eap-md5 with ldap backend
Kostas - Thank you. I had misunderstood this section (obviously) in what I had read. The explanation below helps a lot... All is working now.

Thanks,
Matt

--- Kostas Kalevras [EMAIL PROTECTED] wrote:
> ...
> You are setting Auth-Type to LDAP. The ldap module does not perform authentication, the eap module does. The ldap module will just extract the user password (in the authorize phase). Freeradius should be able to figure out things on its own without you having to worry about setting Auth-Type to anything.
>
> --
> Kostas Kalevras
> Network Operations Center [EMAIL PROTECTED]
> National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
eap-md5 with ldap backend
Hello all,

I am trying to set up a radius service for eap with an ldap backend. I have gotten the ldap backend working and I have gotten eap to work with a user defined in the users file. Next 2 lines from my users file:

    testuser    Auth-Type := EAP, User-Password == testpass
    DEFAULT     Auth-Type := LDAP

But, how do I get EAP to work with the ldap backend in this situation? Or am I missing something more fundamental? I have looked through the archives, but turned up only help on ldap or eap, not combining the two... any pointers?

Thanks,
Matt Moore
Re: eap-md5 with ldap backend
I solved this problem using another attribute: in /etc/freeradius/ldap.attrmap:

    checkItem    User-Password    radiusTunnelPassword

and set up passwords in it ;-)

I think it's only an access-rights problem on the LDAP 'userPassword' attribute... If that doesn't solve your problem, please send a copy of your config files and give more information: it'll be easier to help.

Regards

Matt Moore wrote:
> Hello all,
>
> I am trying to set up a radius service for eap with an ldap backend. I have gotten the ldap backend working and I have gotten eap to work with a user defined in the users file. Next 2 lines from my users file:
>
>     testuser    Auth-Type := EAP, User-Password == testpass
>     DEFAULT     Auth-Type := LDAP
>
> But, how do I get EAP to work with the ldap backend in this situation? Or am I missing something more fundamental? I have looked through the archives, but turned up only help on ldap or eap, not combining the two... any pointers?
>
> Thanks,
> Matt Moore

--
NextGen$.
---
In a world without fences nor walls - who needs windows and gates ?
One can obey the laws while wishing they would change, just as one serves in war while wishing for peace.
Merleau-Ponty, L'éloge de la philosophie
Re: eap-md5 with ldap backend
Hey,

Thanks for the help... Still having difficulty, although I think you are right on target. LDAP appears to respond correctly, then Radius states that the User-Password attribute is missing. Isn't this what I set with the ldap.attrmap and dictionary_mapping in the radiusd.conf? Here are snippets from configs and the radiusd -X output for the failed eap request... Please let me know if more is needed.

Thanks,
Matt

ldap.attrmap:

    checkItem    User-Password    userPassword

radiusd.conf:

    modules {
        eap {
            default_eap_type = md5
            timer_expire = 60
            md5 {
            }
        }
        mschap {
            authtype = MS-CHAP
        }
        ldap {
            server = localhost
            identity = cn=Manager,dc=yoyo,dc=com
            password = secret
            basedn = dc=yoyo,dc=com
            filter = (uid=%{Stripped-User-Name:-%{User-Name}})
            start_tls = no
            dictionary_mapping = ${raddbdir}/ldap.attrmap
            ldap_connections_number = 5
            password_attribute = userPassword
            timeout = 4
            timelimit = 3
            net_timeout = 1
        }
    }

    authorize {
        preprocess
        eap
        files
        mschap
        ldap
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        Auth-Type LDAP {
            ldap
        }
        eap
    }

*Users file:

    testuser    Auth-Type := EAP, User-Password == testpass
    raduser     Auth-Type := Local, User-Password == testpass
    DEFAULT     Auth-Type := LDAP
                Fall-Through = 1

*radiusd -X output for the failed eap request for an ldap user:

    rad_recv: Access-Request packet from host 143.116.5.238:2048, id=98, length=117
        NAS-IP-Address = 192.168.1.238
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0xf884d8f729a9e770bd73e8e33f6e22e7
        NAS-Port = 20
        Framed-MTU = 1490
        User-Name = matt_moore
        Calling-Station-Id = 00-B0-D0-74-C3-5A
        EAP-Message = 0x0201000f016d6174745f6d6f6f7265
    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    rlm_eap: EAP packet type notification id 1 length 15
    rlm_eap: EAP Start not found
    modcall[authorize]: module eap returns updated
    users: Matched DEFAULT at 154
    modcall[authorize]: module files returns ok
    modcall[authorize]: module mschap returns noop
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for matt_moore
    radius_xlat: '(uid=matt_moore)'
    radius_xlat: 'dc=yoyo,dc=com'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in dc=yoyo,dc=com, with filter (uid=matt_moore)
    rlm_ldap: Added password test123 in check items
    rlm_ldap: looking for check items in directory...
    rlm_ldap: Adding userPassword as User-Password, value test123 op=21
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user matt_moore authorized to use remote access
    ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns ok
    modcall: group authorize returns updated
    rad_check_password: Found Auth-Type LDAP
    auth: type LDAP
    modcall: entering group Auth-Type
    rlm_ldap: - authenticate
    rlm_ldap: Attribute User-Password is required for authentication.
    modcall[authenticate]: module ldap returns invalid
    modcall: group Auth-Type returns invalid
    auth: Failed to validate the user.
    Login incorrect: [matt_moore/no User-Password attribute] (from client plant1 port 20 cli 00-B0-D0-74-C3-5A)
    Delaying request 4 for 1 seconds
    Finished request 4
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    rad_recv: Access-Request packet from host 192.168.1.238:2048, id=98, length=117
    Sending Access-Reject of id 98 to 192.168.1.238:2048
    --- Walking the entire request list ---
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 4 ID 98 with timestamp 41f56ee2
    Nothing to do. Sleeping until we see a request.

--- NextGen$'s ShaDow [EMAIL PROTECTED] wrote:
> I solved this problem using another attribute: in /etc/freeradius/ldap.attrmap:
>
>     checkItem    User-Password    radiusTunnelPassword
>
> and set up passwords in it ;-)
>
> I think it's only an access-rights problem on the LDAP 'userPassword' attribute... If that doesn't solve your problem, please send a copy of your config files and give more information: it'll be easier to help.
>
> Regards
>
> Matt Moore wrote:
> > Hello all,
> >
> > I am trying to set up a radius service for eap with an ldap backend. I have gotten the ldap backend working and I have gotten eap to work with a user defined in the users file. Next 2 lines from my users file:
> >
> >     testuser    Auth-Type := EAP, User-Password == testpass
> >     DEFAULT     Auth-Type := LDAP
> >
> > But, how do
Re: eap-md5 with ldap backend
Matt Moore [EMAIL PROTECTED] wrote:
>     DEFAULT    Auth-Type := LDAP
>                Fall-Through = 1
> ...
>     rad_recv: Access-Request packet from host 143.116.5.238:2048, id=98, length=117
> ...
>         User-Name = matt_moore
>         EAP-Message = 0x0201000f016d6174745f6d6f6f7265

LDAP doesn't do EAP, as you may have discovered.

The solution is to not set Auth-Type. Please READ radiusd.conf. The text before the authenticate section explains this.

Alan DeKok.
EAP/MD5 and LDAP
Hi,

I did set up 802.1x EAP/MD5 with authentication via configuration files and it works. Now I want to connect the RADIUS to an LDAP database. Authentication fails and in the RADIUS log I see:

    Login incorrect: [example/CHAP-Password]

Is there any way to get the CHAP password authenticated by the LDAP, or do I have to use EAP/TLS?

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP-ID: 15F925D9CEF94F2C
Fingerprint: AF27 2674 4631 E230 B431 F68D 15F9 25D9 CEF9 4F2C
Re: EAP/MD5 and LDAP
Michael Schwartzkopff [EMAIL PROTECTED] wrote:
> I did set up 802.1x EAP/MD5 with authentication via configuration files and it works. Now I want to connect the RADIUS to an LDAP database. Authentication fails and in the RADIUS log I see:
>
>     Login incorrect: [example/CHAP-Password]

That message has nothing to do with EAP. If you want to see why the authentication really failed, run the server in debugging mode.

Alan DeKok.