Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-18 Thread Tim Gustafson
Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports are 
more up-to-date than the CentOS Yum repositories apparently).

However, upon reading the documentation in modules/ldap, I see this:

#  However, LDAP can be used for authentication ONLY when the
#  Access-Request packet contains a clear-text User-Password
#  attribute.  LDAP authentication will NOT work for any other
#  authentication method.
#
#  This means that LDAP servers don't understand EAP.  If you
#  force Auth-Type = LDAP, and then send the server a
#  request containing EAP authentication, then authentication
#  WILL NOT WORK.

So, does this mean that you can't do MSCHAPv2 against an LDAP server, or am I 
missing something again?

Tim Gustafson
SOE Webmaster
UC Santa Cruz
[EMAIL PROTECTED]
831-459-5354
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-18 Thread Kenneth Marshall
See:

http://deployingradius.com/documents/protocols/oracles.html

Ken

On Tue, Nov 18, 2008 at 01:29:48PM -0800, Tim Gustafson wrote:
 Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports are 
 more up-to-date than the CentOS Yum repositories apparently).
 
 However, upon reading the documentation in modules/ldap, I see this:
 
 #  However, LDAP can be used for authentication ONLY when the
 #  Access-Request packet contains a clear-text User-Password
 #  attribute.  LDAP authentication will NOT work for any other
 #  authentication method.
 #
 #  This means that LDAP servers don't understand EAP.  If you
 #  force Auth-Type = LDAP, and then send the server a
 #  request containing EAP authentication, then authentication
 #  WILL NOT WORK.
 
 So, does this mean that you can't do MSCHAPv2 against an LDAP server, or am I 
 missing something again?
 


Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-18 Thread Alan DeKok
Tim Gustafson wrote:
 Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports are 
 more up-to-date than the CentOS Yum repositories apparently).
 
 However, upon reading the documentation in modules/ldap, I see this:
...
 So, does this mean that you can't do MSCHAPv2 against an LDAP server, or am I 
 missing something again?

  A lot of the confusion here is terminology.  People talk about pulling
a password from a database and doing authentication in RADIUS as
authenticating against LDAP.  This is technically *not* correct.

  In short, LDAP doesn't do MS-CHAPv2.  You can't do MS-CHAPv2 against
an LDAP server.  You CAN have FreeRADIUS read the clear-text password
from LDAP, and then have FreeRADIUS do the MS-CHAPv2 authentication.

  Thinking of it in this way is the *correct* way.  It also has impacts
on attitudes towards network design, requirements, etc.  If you think of
it as doing MS-CHAPv2 against LDAP, it will be difficult to design a
system based on how things really work... because the conceptual model
underlying the design is wrong.

  Alan DeKok.


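Alan's point above (and Ivan's "clear text or NT hashed password" answer further down the thread) is easiest to see in the arithmetic of RFC 2759. The Go program below is an added example written for this page, not code from the list or from FreeRADIUS: it implements NtPasswordHash, ChallengeHash and ChallengeResponse from RFC 2759 (with a small MD4, since Go's standard library has none) and checks an NT-Response against the RFC's own section 9.2 test vectors. The function names are mine. The server-side verifyNTResponse takes the 16-byte NT hash as its only secret, which is exactly the value sambaNtPassword holds; the password itself never reaches the RADIUS server, and the directory's only job is to hand the hash over.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 implements RFC 1320; NT hashes need it and Go's standard library does not ship it.
func md4(data []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	msg := append(append([]byte{}, data...), 0x80) // pad: 0x80, zeros to 56 mod 64, 64-bit LE bit length
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	var l [8]byte
	binary.LittleEndian.PutUint64(l[:], uint64(len(data))*8)
	msg = append(msg, l[:]...)
	s1, s2, s3 := []int{3, 7, 11, 19}, []int{3, 5, 9, 13}, []int{3, 9, 11, 15}
	k2 := []int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	k3 := []int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1, F(b,c,d) = (b AND c) OR (NOT b AND d)
			a = bits.RotateLeft32(a+((b&c)|(^b&d))+x[i], s1[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 2, G(b,c,d) = majority(b,c,d)
			a = bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+x[k2[i]]+0x5a827999, s2[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 3, H(b,c,d) = b XOR c XOR d
			a = bits.RotateLeft32(a+(b^c^d)+x[k3[i]]+0x6ed9eba1, s3[i%4])
			a, b, c, d = d, a, b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntPasswordHash is the value samba stores in sambaNtPassword: MD4 over the UTF-16LE password.
func ntPasswordHash(password string) [16]byte {
	var buf []byte
	for _, u := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(u), byte(u>>8))
	}
	return md4(buf)
}

// challengeHash (RFC 2759 s.8.2): first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
func challengeHash(peer, auth [16]byte, userName string) (out [8]byte) {
	sum := sha1.Sum(append(append(peer[:], auth[:]...), userName...))
	copy(out[:], sum[:])
	return out
}

// challengeResponse (RFC 2759 s.8.5): zero-pad the hash to 21 bytes, make three 56-bit DES keys, encrypt the challenge under each.
func challengeResponse(challenge [8]byte, passwordHash [16]byte) (resp [24]byte) {
	var zHash [21]byte
	copy(zHash[:], passwordHash[:])
	for i := 0; i < 3; i++ {
		k7, key := zHash[7*i:7*i+7], [8]byte{} // 7 key bits per byte; the parity bit (LSB) is ignored by crypto/des
		for j := 0; j < 8; j++ {
			for bit := 7 * j; bit < 7*j+7; bit++ {
				key[j] = key[j]<<1 | (k7[bit/8]>>(7-bit%8))&1
			}
			key[j] <<= 1
		}
		block, _ := des.NewCipher(key[:]) // cannot fail: key is exactly 8 bytes
		block.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return resp
}

// verifyNTResponse is the server side: its only secret is the NT hash read from the directory, never the password.
func verifyNTResponse(auth, peer [16]byte, userName string, ntHashFromLDAP [16]byte, ntResponse [24]byte) bool {
	expected := challengeResponse(challengeHash(peer, auth, userName), ntHashFromLDAP)
	return subtle.ConstantTimeCompare(expected[:], ntResponse[:]) == 1
}

func main() {
	var auth, peer [16]byte // RFC 2759 section 9.2 test vectors
	hex.Decode(auth[:], []byte("5B5D7C7D7B3F2F3E3C2C602132262628"))
	hex.Decode(peer[:], []byte("21402324255E262A28295F2B3A337C7E"))
	resp := challengeResponse(challengeHash(peer, auth, "User"), ntPasswordHash("clientPass")) // client side: has the password
	stored := ntPasswordHash("clientPass")                                                      // what sambaNtPassword holds
	fmt.Printf("NT-Response %X\nserver accepts: %v\n", resp, verifyNTResponse(auth, peer, "User", stored, resp))
}
```

Two consequences follow. The directory does no cryptography at all, so there is nothing for rlm_ldap to "authenticate" against: rlm_mschap does the check above with whatever NT-Password the authorize section put into the request. And whoever can read sambaNtPassword can produce valid MS-CHAPv2 responses for that user, so the hash is password-equivalent and the RADIUS bind DN's read access to that attribute should be the only one granted. A clear-text userPassword works the same way, with the server running ntPasswordHash on it first.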


Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-16 Thread Matt Bernstein
On Nov 14 Tim Gustafson wrote:

 I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine.

The easiest way to install the latest FreeRADIUS on CentOS I know of is to 
visit http://koji.fedoraproject.org/koji/packageinfo?packageID=298, find 
the latest source RPM and rebuild it. It's a small amount of work, but 
will stop people saying "upgrade" a lot.

 I'm trying to figure out how to configure FreeRADIUS to authenticate 
 against an OpenLDAP server using MSCHAPv2.  I Googled a lot of different 
 phrases, and came up with some things that were mildly helpful.  Right 
 now, I have FreeRADIUS authenticating against the LDAP server without 
 using MSCHAPv2, but I'm not understanding how to now activate the 
 MSCHAPv2 part.

I have it working. You need to check your ldap.attrmap (or whatever you've 
set dictionary_mapping to) points at the right LDAP field. I use the 
samba schema, so:

checkItem   NT-Password sambaNtPassword

Then your debug log should include entries like:

rlm_ldap: sambaNtPassword -> NT-Password == 0x
WARNING: No known good password was found in LDAP.  Are you sure that 
the user is configured correctly?

...but this is OK, since with mschap before ldap in your authorize{} 
block, FreeRADIUS will handle the challenge-response stuff correctly for 
MSCHAPv2 using the NT hash from OpenLDAP. Make sure you bind to OpenLDAP 
with sufficient privilege to read the NT hash!


HTH

Matt
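To make Matt's recipe above (and Ivan's "by listing ldap in authorize" further down) concrete, here are the FreeRADIUS 2.x fragments it implies, written for this page as an added example rather than configuration taken from the list or shipped by the project. The server name, bind DN, base DN and password are placeholders; the PEAP tls { } section with the server certificate is omitted, and the shipped eap.conf and inner-tunnel files contain more than is shown here. The slapd ACL at the end is the OpenLDAP side of "bind with sufficient privilege".

```text
# raddb/ldap.attrmap: map the samba NT hash onto the NT-Password check item
checkItem       NT-Password             sambaNtPassword

# raddb/modules/ldap (names and DNs are placeholders)
ldap {
        server = "ldap.example.edu"
        identity = "cn=radius,ou=services,dc=example,dc=edu"
        password = "bind-password-here"
        basedn = "ou=people,dc=example,dc=edu"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        dictionary_mapping = ${confdir}/ldap.attrmap
        tls {
                start_tls = yes         # the NT hash is password-equivalent; never fetch it in clear
                require_cert = "demand"
        }
}

# raddb/eap.conf: PEAP carries MS-CHAPv2 inside the TLS tunnel and hands the
# inner request to the inner-tunnel virtual server (tls { } section omitted)
eap {
        default_eap_type = peap
        peap {
                default_eap_type = mschapv2
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
}

# raddb/sites-enabled/inner-tunnel: the inner request is where mschap and ldap run
authorize {
        mschap          # sets Auth-Type := MS-CHAP; keep it before ldap, as the thread recommends
        suffix
        eap {
                ok = return
        }
        ldap            # adds control:NT-Password from sambaNtPassword
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type MS-CHAP {
                mschap  # computes the expected response from NT-Password
        }
        eap
}

# slapd.conf on the OpenLDAP side: only the RADIUS bind DN may read the hash
access to attrs=sambaNtPassword,sambaLmPassword
        by dn.exact="cn=radius,ou=services,dc=example,dc=edu" read
        by * none
```

Check the ACL with the bind DN before touching FreeRADIUS: `ldapsearch -ZZ -x -H ldap://ldap.example.edu -D "cn=radius,ou=services,dc=example,dc=edu" -W -b "ou=people,dc=example,dc=edu" "(uid=someuser)" sambaNtPassword` must return the attribute; if it comes back without it, rlm_ldap has no NT-Password to add and mschap has nothing to check the response against. Then run `radiusd -X` and look for the `NT-Password ==` line Matt quotes.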


FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread Tim Gustafson
Hello,

I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine.

I'm trying to figure out how to configure FreeRADIUS to authenticate against an 
OpenLDAP server using MSCHAPv2.  I Googled a lot of different phrases, and came 
up with some things that were mildly helpful.  Right now, I have FreeRADIUS 
authenticating against the LDAP server without using MSCHAPv2, but I'm not 
understanding how to now activate the MSCHAPv2 part.

Can anyone point me towards some information about activating MSCHAPv2 in this 
kind of setup?

Tim Gustafson
SOE Webmaster
UC Santa Cruz
[EMAIL PROTECTED]
831-459-5354



Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread tnt
 I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine.

 I'm trying to figure out how to configure FreeRADIUS to authenticate against 
 an OpenLDAP server using MSCHAPv2.  I Googled a lot of different phrases, and 
 came up with some things that were mildly helpful.  Right now, I have 
 FreeRADIUS authenticating against the LDAP server without using MSCHAPv2, but 
 I'm not understanding how to now activate the MSCHAPv2 part.

 Can anyone point me towards some information about activating MSCHAPv2 in this 
 kind of setup?

There is nothing to do. It's already active in the default configuration.

Ivan Kalik
Kalik Informatika ISP



Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread Tim Gustafson
 There is nothing to do. It's already active
 in default configuration.

Really?  Because the default config seems to want to use ntlm_auth to 
authenticate mschapv2 users, which is a samba helper designed to authenticate a 
user against a samba server, not an OpenLDAP server.

I'm thinking what I need is a replacement for ntlm_auth that goes against an 
OpenLDAP server rather than using the samba libraries, no?

Tim Gustafson
SOE Webmaster
UC Santa Cruz
[EMAIL PROTECTED]
831-459-5354




Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread tnt
  There is nothing to do. It's already active
  in the default configuration.

 Really?  Because the default config seems to want to use ntlm_auth to 
 authenticate mschapv2 users, which is a samba helper designed to authenticate 
 a user against a samba server, not an OpenLDAP server.

The ntlm_auth line is commented out by default.

Ivan Kalik
Kalik Informatika ISP



Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread Tim Gustafson
 The ntlm_auth line is commented out by default.

Ok, I see that.

From what I understand, MSCHAPv2 needs access to the unencrypted user 
password, and OpenLDAP doesn't offer that.  I'm guessing I'll have to add an 
unencrypted password field to the LDAP server to make this work, but that's 
not been made clear in any documentation.

And, how do you tell the FreeRADIUS eap/peap/MSCHAPv2 client to use the LDAP 
server as opposed to text files or PAM?

I'm attaching my radiusd.conf to this e-mail, any comments would be greatly 
appreciated.  I stripped out all the comments and removed the modules I wasn't 
using (like SQL stuff and unix/PAM/etc).

Tim Gustafson
SOE Webmaster
UC Santa Cruz
[EMAIL PROTECTED]
831-459-5354




radiusd.conf
Description: Binary data

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread tnt
  The ntlm_auth line is commented out by default.

 Ok, I see that.

 From what I understand, MSCHAPv2 needs access to the unencrypted user 
 password, and OpenLDAP doesn't offer that.  I'm guessing I'll have to add an 
 unencrypted password field to the LDAP server to make this work, but that's 
 not been made clear in any documentation.

Yes, it needs a clear-text or NT-hashed password. You can store plain text
in userPassword.

http://deployingradius.com/documents/protocols/compatibility.html

 And, how do you tell the FreeRADIUS eap/peap/MSCHAPv2 client to use the LDAP 
 server as opposed to text files or PAM?

By listing ldap in authorize.

 I'm attaching my radiusd.conf to this e-mail, any comments would be greatly 
 appreciated.  I stripped out all the comments and removed the modules I wasn't 
 using (like SQL stuff and unix/PAM/etc).

And so much more (peap is misconfigured, as is ldap, the mschap auth type is
gone, there is nothing to get the password from ...). That will not work.

Get the server working with the default configuration. Remove one thing
at a time, testing that the server can start and authenticate users
(and reject when needed). You have also removed all the logging and
accounting, so you will have no idea what the server is doing.

And use the current version. This is something old.

Ivan Kalik
Kalik Informatika ISP



Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread Tim Gustafson
 And so much more (peap is misconfigured, as is ldap,
 mschap auth type is gone, there is nothing to get
 the password from ...). That will not work.

I have fixed that; the copy that I sent you was indeed broken.  I can now 
authenticate using standard (non-MSCHAP) authentication against the LDAP 
server.  I haven't been able to get the radeapclient program working yet - it 
keeps crashing with an error that apparently was fixed in 1.1.5, but I don't 
have that version.

 And use the current version. This is something old.

radiusd: FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu, built on May 
10 2007 at 12:30:17

This is what was provided when I did a yum install freeradius on a new CentOS 
5.2 box.  Because of the nature of the network here, I'm strongly discouraged 
from using anything other than Yum and the base CentOS repositories to install 
packages, since there are a dozen or so people here that all have to be able 
to administer these machines over the long-term.  I'll try to e-mail the 
package maintainers for CentOS, but I'm not holding my breath.

Tim Gustafson
SOE Webmaster
UC Santa Cruz
[EMAIL PROTECTED]
831-459-5354



Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread Alan DeKok
Tim Gustafson wrote:
 I have fixed that; the copy that I sent you was indeed broken.  I can now 
 authenticate using standard (non-MSCHAP) authentication against the LDAP 
 server.  I haven't been able to get the radeapclient program working yet - it 
 keeps crashing with an error that apparently was fixed in 1.1.5, but I don't 
 have that version.

  Run eapol_test from wpa_supplicant instead of radeapclient.  It's better.

  See my web site for instructions on doing this.

 And use the current version. This is something old.
 
 radiusd: FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu, built on 
 May 10 2007 at 12:30:17
 
 This is what was provided when I did a yum install freeradius on a new 
 CentOS 5.2 box.  Because of the nature of the network here, I'm strongly 
 discouraged from using anything other than Yum and the base CentOS 
 repositories to install packages, since there are a dozen or so people here 
 that all have to be able to administer these machines over the long-term.  
 I'll try to e-mail the package maintainers for CentOS, but I'm not holding my 
 breath.

  If you're not paying someone for CentOS support, install FreeRADIUS
2.1.1.  That's really the only version *we* can support.

  Alan DeKok.