Re: FreeRadius/LDAP conf : little problem

2004-06-30 Thread Paul Bender
Grant, Alastair Ian wrote:
Paul,
  How is your radiusd.conf configured for authorization and authentication?  Which
modules have to be enabled where?  Also, how is your eap settings configured?  If you
don't mind sending snippets from the files, that would probably be easiest.  Thanks!
-Al
I have attached the important snippets from my radiusd.conf file and my 
eap.conf file. The only difference from my actual files are the LDAP 
bind password with  and the comments have been removed.

The only methods that I have configured are eap, mschap and ldap. 
Within eap, the only methods I have configured are tls, ttls, peap and 
mschapv2.

I bind to the LDAP server using an identity+password since one of the 
attributes I read (triggered by the ldap.attrmap file) is the 
sambaNTPassword (mapped to NT-Password by the ldap.attrmap file). This 
attribute is used for mschap authentication.

- begin radiusd.conf snippets -
modules {
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
}
ldap {
server = "ldap.private"
start_tls = yes
tls_cacertfile = /etc/certs/ca-bender.crt
tls_randfile = /var/urandom
tls_require_cert = "demand"
identity = "uid=_radiusd_,ou=users,dc=private"
password = ""
basedn = "dc=private"
filter = 
"(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
groupname_attribute = cn
groupmembership_filter = 
"(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
}
}
authorize {
preprocess
mschap
suffix
ntdomain
eap
files
ldap
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap
}
eap
}

- end radiusd.conf snippets -
- begin eap.conf -
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
tls {
private_key_file = 
${sysconfdir}/certs/radius.private.pem
certificate_file = 
${sysconfdir}/certs/radius.private.crt
CA_file = ${sysconfdir}/certs/ca-bender.crt
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
}
ttls {
default_eap_type = md5
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}

- end eap.conf -
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius/LDAP conf : little problem

2004-06-30 Thread Grant, Alastair Ian
> 
> > And the userPassword is used for the LDAP bind by PAP right?
> 
> Yes.
> 
> > Do you know of a windows client that can do PAP/EAP-TTLS?
> 
> Yes, there are some Windows clients. There is even one that is free (as 
> in gratis) for personal use: . 
> However, I have not used any of them. Some of my users do not have the 
> privileges on their computers needed to install software. Therefore, a 
> third party client was not an option for me.
> 

Paul,
  How is your radiusd.conf configured for authorization and authentication?  Which
modules have to be enabled where?  Also, how is your eap settings configured?  If you
don't mind sending snippets from the files, that would probably be easiest.  Thanks!

-Al



Re: FreeRadius/LDAP conf : little problem

2004-06-29 Thread Arnauld Dravet
Quoting Paul Bender <[EMAIL PROTECTED]>:

> When you say that you manually add the hashed NT password to LDAP, how 
> did you create it?
> 
> I do not know what the warning in the radiusd.conf file about needed 
> "0x" in front of the hashed NT password means. It has never impacted me.
> 
> I am running Samba 3.0.3 (the one the ships with Fedora Core 2) with its 
> password backend configured to be LDAP. I use smbpasswd to set the 
> passwords. When I look at the passwords in the LDAP database, I do not 
> see a "0x" in front of the hashed NT password. However, my users are 
> able to authenticate using PEAP / EAP-MS-CHAPV2.

I currently use the smbldap-tools to add/mod/remove users and workstations in the 
ldap. It works fine, but this comment in the radiusd.conf and a post from Alan 
DeKok in reply to one of my problems with radius+ldap made me think something 
was wrong ... I still can't auth against the ldap using radiusd. I switched to 
another project right now, because this gave me so much headache that I gave up, 
and I'm still using classical tiki/wpa on the access points. I'll have to retry 
in a few days ...



-- 
Arnauld Dravet





Re: FreeRadius/LDAP conf : little problem

2004-06-29 Thread Paul Bender
Arnauld Dravet wrote:
Quoting Paul Bender <[EMAIL PROTECTED]>:

Yes, the passwords are stored. Only the NT-Password is used for the 
PEAP/EAP-MSCHAP-V2 authentication. If you use the LDAP schema provided 
with Samba version 3, then the LM-Password is sambaLMPassword and the 
NT-Password is sambaNTPassword. If you use this schema, then you will 
need to adjust the mapping in FreeRADIUS's ldap.attrmap file, because 
the file is configured to map the attributes from the Samba version 2 
LDAP schema.


Hi,
I got a Samba v2 schema, everything working fine with that, but I don't have any 
"0x" in front of the hashed ntPassword. In the radiusd.conf it's said it won't 
work without the 0x ... but when I try to manually add it to the password so I 
have a real length of 32, of course I can't log in anymore ... would you have 
any idea of where the problem resides?
When you say that you manually add the hashed NT password to LDAP, how 
did you create it?

I do not know what the warning in the radiusd.conf file about needed 
"0x" in front of the hashed NT password means. It has never impacted me.

I am running Samba 3.0.3 (the one that ships with Fedora Core 2) with its 
password backend configured to be LDAP. I use smbpasswd to set the 
passwords. When I look at the passwords in the LDAP database, I do not 
see a "0x" in front of the hashed NT password. However, my users are 
able to authenticate using PEAP / EAP-MS-CHAPV2.



Re: FreeRadius/LDAP conf : little problem

2004-06-29 Thread Arnauld Dravet
Quoting Paul Bender <[EMAIL PROTECTED]>:

> Yes, the passwords are stored. Only the NT-Password is used for the 
> PEAP/EAP-MSCHAP-V2 authentication. If you use the LDAP schema provided 
> with Samba version 3, then the LM-Password is sambaLMPassword and the 
> NT-Password is sambaNTPassword. If you use this schema, then you will 
> need to adjust the mapping in FreeRADIUS's ldap.attrmap file, because 
> the file is configured to map the attributes from the Samba version 2 
> LDAP schema.
> 

Hi,

I got a Samba v2 schema, everything working fine with that, but I don't have any 
"0x" in front of the hashed ntPassword. In the radiusd.conf it's said it won't 
work without the 0x ... but when I try to manually add it to the password so I 
have a real length of 32, of course I can't log in anymore ... would you have 
any idea of where the problem resides?

Thanks

-- 
Arnauld Dravet





Re: FreeRadius/LDAP conf : little problem

2004-06-29 Thread Paul Bender
Grant, Alastair Ian wrote:
Quoting Paul Bender <[EMAIL PROTECTED]>:
For Windows XP, I use PEAP with EAP-MSCHAP-V2. For everyone else, I use 
EAP-TTLS with PAP. EAP-MSCHAP-V2 authenticates using MS-CHAPv2 and the 
NT-Password. PAP authenticates using LDAP bind.

For Windows XP users, I store userPassword (SSHA), sambaLMPassword and 
sambaNTPassword in LDAP. With the right Samba and nss_ldap/pam_ldap 
configuration, smbpasswd keeps the three passwords in sync.

So the LMPassword and NTPassword are stored for the PEAP/MS-CHAPv2 authentication?
Yes, the passwords are stored. Only the NT-Password is used for the 
PEAP/EAP-MSCHAP-V2 authentication. If you use the LDAP schema provided 
with Samba version 3, then the LM-Password is sambaLMPassword and the 
NT-Password is sambaNTPassword. If you use this schema, then you will 
need to adjust the mapping in FreeRADIUS's ldap.attrmap file, because 
the file is configured to map the attributes from the Samba version 2 
LDAP schema.

And the userPassword is used for the LDAP bind by PAP right?
Yes.
Do you know of a windows client that can do PAP/EAP-TTLS?
Yes, there are some Windows clients. There is even one that is free (as 
in gratis) for personal use: . 
However, I have not used any of them. Some of my users do not have the 
privileges on their computers needed to install software. Therefore, a 
third party client was not an option for me.

Are the LMPassword and NTPasswords strongly encrypted?
They are hashed, similar to the non-cleartext userPassword. As with any 
hashed password, they are subject to dictionary attacks. Therefore, you 
should restrict access to them. For example, before FreeRADIUS can read 
the sambaNTPassword, I require FreeRADIUS to connect to the LDAP server 
using STARTTLS and to bind to the LDAP server using a strong password. 
In fact, for each user, only Samba, FreeRADIUS and the user have access 
to the user's sambaNTPassword.




Re: FreeRadius/LDAP conf : little problem

2004-06-29 Thread Grant, Alastair Ian
Quoting Paul Bender <[EMAIL PROTECTED]>:

> Grant, Alastair Ian wrote:
> > Quoting Alan DeKok <[EMAIL PROTECTED]>:
> > 
> > 
> >>"Grant, Alastair Ian" <[EMAIL PROTECTED]> wrote:
> >>
> >>>We are using PEAP with MS-CHAPv2 and LDAP and a Win2000 supplicant
> >>>for testing.  Do I need to use the NT-Password attribute?
> >>
> >>  Yes.
> >>
> >>
> >>>I guess my big question is do the encrypted passwords in the LDAP
> >>>directory make authenticating impossible?
> >>
> >>  For PEAP, yes.
> >>
> >>
> >>>Do they need to be clear-text with the setup we have?
> >>
> >>  Or, NT-Passwords.
> > 
> > 
> > What are people out there with encrypted LDAP passwords (say SSHA) doing for
> radius
> > authentication then?  What type of authentication is being done and what supplicant
> is
> > being used?  I'd like to know what my options are.  Thanks!
> 
> For Windows XP, I use PEAP with EAP-MSCHAP-V2. For everyone else, I use 
> EAP-TTLS with PAP. EAP-MSCHAP-V2 authenticates using MS-CHAPv2 and the 
> NT-Password. PAP authenticates using LDAP bind.
> 
> For Windows XP users, I store userPassword (SSHA), sambaLMPassword and 
> sambaNTPassword in LDAP. With the right Samba and nss_ldap/pam_ldap 
> configuration, smbpasswd keeps the three passwords in sync.
> 

So the LMPassword and NTPassword are stored for the PEAP/MS-CHAPv2 authentication?  And
the userPassword is used for the LDAP bind by PAP right?  Do you know of a windows
client that can do PAP/EAP-TTLS?  Are the LMPassword and NTPasswords strongly
encrypted?  Thanks!

-Al



Re: FreeRadius/LDAP conf : little problem

2004-06-28 Thread Paul Bender
Grant, Alastair Ian wrote:
Quoting Alan DeKok <[EMAIL PROTECTED]>:

"Grant, Alastair Ian" <[EMAIL PROTECTED]> wrote:
We are using PEAP with MS-CHAPv2 and LDAP and a Win2000 supplicant
for testing.  Do I need to use the NT-Password attribute?
 Yes.

I guess my big question is do the encrypted passwords in the LDAP
directory make authenticating impossible?
 For PEAP, yes.

Do they need to be clear-text with the setup we have?
 Or, NT-Passwords.

What are people out there with encrypted LDAP passwords (say SSHA) doing for radius
authentication then?  What type of authentication is being done and what supplicant is
being used?  I'd like to know what my options are.  Thanks!
For Windows XP, I use PEAP with EAP-MSCHAP-V2. For everyone else, I use 
EAP-TTLS with PAP. EAP-MSCHAP-V2 authenticates using MS-CHAPv2 and the 
NT-Password. PAP authenticates using LDAP bind.

For Windows XP users, I store userPassword (SSHA), sambaLMPassword and 
sambaNTPassword in LDAP. With the right Samba and nss_ldap/pam_ldap 
configuration, smbpasswd keeps the three passwords in sync.



Re: FreeRadius/LDAP conf : little problem

2004-06-28 Thread Grant, Alastair Ian
Quoting Alan DeKok <[EMAIL PROTECTED]>:

> "Grant, Alastair Ian" <[EMAIL PROTECTED]> wrote:
> > We are using PEAP with MS-CHAPv2 and LDAP and a Win2000 supplicant
> > for testing.  Do I need to use the NT-Password attribute?
> 
>   Yes.
> 
> > I guess my big question is do the encrypted passwords in the LDAP
> > directory make authenticating impossible?
> 
>   For PEAP, yes.
> 
> > Do they need to be clear-text with the setup we have?
> 
>   Or, NT-Passwords.

What are people out there with encrypted LDAP passwords (say SSHA) doing for radius
authentication then?  What type of authentication is being done and what supplicant is
being used?  I'd like to know what my options are.  Thanks!

>   Alan DeKok.
> 





Re: FreeRadius/LDAP conf : little problem

2004-06-28 Thread Alan DeKok
"Grant, Alastair Ian" <[EMAIL PROTECTED]> wrote:
> We are using PEAP with MS-CHAPv2 and LDAP and a Win2000 supplicant
> for testing.  Do I need to use the NT-Password attribute?

  Yes.

> I guess my big question is do the encrypted passwords in the LDAP
> directory make authenticating impossible?

  For PEAP, yes.

> Do they need to be clear-text with the setup we have?

  Or, NT-Passwords.

  Alan DeKok.



Re: FreeRadius/LDAP conf : little problem

2004-06-28 Thread Grant, Alastair Ian
Quoting Arnauld Dravet <[EMAIL PROTECTED]>:

> >   That shouldn't be necessary.
> 
> Well, I'll double check tomorrow; I've done so many tests so far that maybe it's 
> not useful anymore .. I know for sure that in debug logs, it shows the password 
> grabbed as {CRYPT}xxx.
> 
> > > rlm_ldap: Adding userPassword as Crypt-Password, value { & op=21
> > 
> >   That value doesn't look like a password.
> 

I am having this same problem when I use the Crypt-Password attribute.  Has anyone else
had this problem and overcome it?


> Yes, I know, and I think that's the problem. When I just use password_attribute 
> it grabs the whole password (displayed in debug logs), and not anymore when I 
> use the mapping for Crypt-Password, of course on the same ldap attribute for 
> both. I thought the '{' displayed was from the first character it met (from 
> {CRYPT}), so I tried to re-enable the password_header field in the ldap 
> section of radiusd.conf, without any good result.
> 
> >   That value should have a "0x" in front of it.
> 

We are using PEAP with MS-CHAPv2 and LDAP and a Win2000 supplicant for testing.  Do I
need to use the NT-Password attribute?  Right now our directory only stores a
userPassword attribute which is encrypted.


I guess my big question is do the encrypted passwords in the LDAP directory make
authenticating impossible?  Do they need to be clear-text with the setup we have?  We
are running FreeRadius 1.0.0pre3 on Fedora with LDAP to store attributes (userPassword
is the only password (encrypted) attribute) and using PEAP with MS-CHAPv2 to
authenticate my win2000 client.

-Al



Re: FreeRadius/LDAP conf : little problem

2004-06-21 Thread Arnauld Dravet
>   That shouldn't be necessary.

Well, I'll double check tomorrow; I've done so many tests so far that maybe it's 
not useful anymore .. I know for sure that in debug logs, it shows the password 
grabbed as {CRYPT}xxx.

> > rlm_ldap: Adding userPassword as Crypt-Password, value { & op=21
> 
>   That value doesn't look like a password.

Yes, I know, and I think that's the problem. When I just use password_attribute 
it grabs the whole password (displayed in debug logs), and not anymore when I 
use the mapping for Crypt-Password, of course on the same ldap attribute for 
both. I thought the '{' displayed was from the first character it met (from 
{CRYPT}), so I tried to re-enable the password_header field in the ldap 
section of radiusd.conf, without any good result.

>   That value should have a "0x" in front of it.

That's what the radiusd.conf says, yup .. could that change anything about 
the rest of the problem? I'll check the smbldap-adduser.pl script I use to add 
windows users to the ldap tree. Anyway, windows workstations work perfectly 
without the 0x.

>   LDAP doesn't do crypt'd passwords.  The server does.  And the server
> doesn't care where that crypted password came from.

Yup, but I was trying to find the moment where the radius Crypt-Password 
attribute was used in the ldap mapping file and from the ldap directory, to 
check why it doesn't grab the password from the user entry.


-- 
Arnauld Dravet





Re: FreeRadius/LDAP conf : little problem

2004-06-21 Thread Alan DeKok
Arnauld Dravet <[EMAIL PROTECTED]> wrote:
> Already done, but the doc says it just strips away the
> {CRYPT} substring of the crypted passwd. I still have to put the
> encrypted password in the popup box to make it work...

  That shouldn't be necessary.

> Also tried it:
> 
> checkItem   LM-Password lmPassword
> checkItem   NT-Password ntPassword
> checkItem   Crypt-Password  userPassword

  That should work.

> But it doesn't seem to change a lot of things:
> 
> rlm_ldap: Adding userPassword as Crypt-Password, value { & op=21

  That value doesn't look like a password.


> rlm_ldap: Adding ntPassword as NT-Password, value 
> EFAC11B52777F8D7A34BDC1A0F89228D & op=21

  That value should have a "0x" in front of it.

> Anyway in the freeradius sources i can't find any reference to
> Crypt-Password in the rlm_ldap module, and in main.c it seems to be
> a reference to a user-provided password, not to the backend db.

  LDAP doesn't do crypt'd passwords.  The server does.  And the server
doesn't care where that crypted password came from.

> I'm using 0.9.3; do I need a CVS version?

  No.

  Alan DeKok.




Re: FreeRadius/LDAP conf : little problem

2004-06-21 Thread Arnauld Dravet
Hi again Alan,

>   Configure the "password_header" entry in the ldap{} section, in
> radiusd.conf.  

Already done, but the doc says it just strips away the {CRYPT} substring 
of the crypted passwd. I still have to put the encrypted password in the popup box 
to make it work...

>You can also map that LDAP entry to the Crypt-Password
> attribute, and the server will figure it out from there.

Also tried it:

checkItem   LM-Password lmPassword
checkItem   NT-Password ntPassword
checkItem   Crypt-Password  userPassword
checkItem   SMB-Account-CTRL-TEXT   acctFlags


But it doesn't seem to change a lot of things:

rlm_ldap: Adding userPassword as Crypt-Password, value { & op=21
rlm_ldap: Adding ntPassword as NT-Password, value 
EFAC11B52777F8D7A34BDC1A0F89228D & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 
136BE46417241D68AAD3B435B51404EE & op=21
rlm_ldap: looking for reply items in directory...

I tried it with and without setting the password_attribute and password_header 
in the radiusd.conf. The result is the same. Anyway, in the freeradius sources I 
can't find any reference to Crypt-Password in the rlm_ldap module, and in main.c 
it seems to be a reference to a user-provided password, not to the backend db.
I'm using 0.9.3; do I need a CVS version?

Thanks again 

Arnauld


-- 
Arnauld Dravet





Re: FreeRadius/LDAP conf : little problem

2004-06-21 Thread Alan DeKok
Arnauld Dravet <[EMAIL PROTECTED]> wrote:
> Problem now is that i have to enter the encrypted version of the
> password in the username/password popup window. The userPassword
> field in the LDAP entries are encoded with the {CRYPT} salt. Is
> there a way to configure/hack FreeRadius to tell it to crypt the
> password before the comparison against the password the LDAP
> authorize section returns from its query ?

  Configure the "password_header" entry in the ldap{} section, in
radiusd.conf.  You can also map that LDAP entry to the Crypt-Password
attribute, and the server will figure it out from there.

  Search the list archives for more details.

  Alan DeKok.



Re: FreeRadius/LDAP conf : little problem

2004-06-21 Thread Arnauld Dravet
Ok, please forget my previous message; I've just re-read aaa.txt and it says 
that the AP sends a hash of the password it receives from the supplicant. No 
way to make freeradius crypt it; it would not make any sense ... now that I'm 
lost in all those auth protocols, I don't know what to do ...

Is there a way to make the auth against the ntPassword field stored in the LDAP 
instead of the userPassword, which uses the {CRYPT} salt? I am currently 
generating certificates to use TTLS/PEAP ...


-- 
Arnauld Dravet






Re: FreeRadius/LDAP conf : little problem

2004-06-21 Thread Arnauld Dravet
Hello again,

Thanks for your help, it works great now ... I just did what you said: an ldap 
user who has read access on all fields/users of the directory.

The problem now is that I have to enter the encrypted version of the password in the 
username/password popup window. The userPassword field in the LDAP entries is 
encoded with the {CRYPT} salt. Is there a way to configure/hack FreeRadius to 
tell it to crypt the password before the comparison against the password the 
LDAP authorize section returns from its query?

If it's not possible, I have no idea how I could use 802.1x auth in the real 
world :-( I just can't decrypt all passwords in the directory and put them back in 
cleartext ...

Thanks for your great job, and your support.

-- 
Arnauld Dravet






Re: FreeRadius/LDAP conf : little problem

2004-06-18 Thread Arnauld Dravet
I'll try it on Monday; I don't want to go to work during the weekend =)

I thought radiusd would connect as the user on the ldap server, because in the 
logs it shows that the user is allowed to access some sort of information ...

Thanks a lot for your help, I'll keep you up to date on Monday on whether the problem is 
resolved or not.

Thanks,

Arnauld


Quoting Dustin Doris <[EMAIL PROTECTED]>:

> > Okay, I'm not really into Win stuff .. ntPassword fields seem crypted since I
> > can't "read" them with my eyes, but I think it's just a hash or something. Isn't
> > it the regular way to store NT passwords?
> >
> > anyway, here is my ldap section in radiusd.conf:
> >
> > ldap {
> >   server = "192.168.1.6"
> >   basedn = "ou=Users,dc=mtp,dc=epsi,dc=fr"
> >   filter = "(&(objectclass=posixAccount)(uid=%u))"
> >   start_tls = no
> >   dictionary_mapping = ${raddbdir}/ldap.attrmap
> >   ldap_connections_number = 5
> >   password_attribute = ntPassword  #<--- I changed this one just to try it out,
> > it was originally userPassword
> >   timeout = 4
> >   timelimit = 3
> >   net_timeout = 1
> > }
> >
> >
> > and here are my slapd access rules:
> >
> > access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=userPassword
> > by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
> > by self write
> > by * auth
> >
> > access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=ntPassword
> > by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
> > by self write
> > by * auth
> >
> > access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=lmPassword
> > by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
> > by self write
> > by * auth
> >
> > If I remember correctly (it's been a long time since I reconfigured openldap), does the write
> > perm also allow read?
> > Since I didn't configure any user in the ldap section of radiusd, isn't it
> > supposed to log in to the ldap server with the username/passwd received by radiusd,
> > and grab the user password, which should be possible since it has write (read?)
> > perm?
> >
> > thanks for your help
> >
> > --
> > Arnauld Dravet
> >
> 
> No, you need to add a user to do the search for the user logging in.
> Since you don't allow anonymous reads, you'll need to create a user with
> read access.
> 
> So, first change the ldap section to include something like
> identity = "cn=freeradius,dc=mtp,dc=epsi,dc=fr"
> password = password
> 
> Then in slapd.conf add something like
> 
> access to dn.subtree="ou=Users,dc=mtp,dc=epsi,dc=fr"
>   by "cn=freeradius,dc=mtp,dc=epsi,dc=fr" read
>   by self write
>   by * auth
> 
> 
> Then add the freeradius user to ldap
> 
> $ ldapadd -D "cn=root,dc=mtp,dc=epsi,dc=fr" -W
> dn: cn=freeradius,dc=mtp,dc=epsi,dc=fr
> objectclass: person
> cn: freeradius
> sn: freeradius
> userpassword: password
> objectclass: person
> 
> Hope that helps
> 
> Dusty Doris
> 
> 
> 
> 


-- 
Arnauld Dravet

Network Administrator & Algorithmics Professor
EPSI Montpellier
499, Rue de la croix verte
34196 Montpellier Cedex 5
Tel Reception/Direct: 04.67.04.2001 / 04.67.04.0008
Fax: 04.67.63.90.83




Re: FreeRadius/LDAP conf : little problem

2004-06-18 Thread Dustin Doris
> Okay, I'm not really into Win stuff .. ntPassword fields seem crypted since I
> can't "read" them with my eyes, but I think it's just a hash or something. Isn't
> it the regular way to store NT passwords?
>
> anyway, here is my ldap section in radiusd.conf:
>
> ldap {
>   server = "192.168.1.6"
>   basedn = "ou=Users,dc=mtp,dc=epsi,dc=fr"
>   filter = "(&(objectclass=posixAccount)(uid=%u))"
>   start_tls = no
>   dictionary_mapping = ${raddbdir}/ldap.attrmap
>   ldap_connections_number = 5
>   password_attribute = ntPassword  #<--- I changed this one just to try it out,
> it was originally userPassword
>   timeout = 4
>   timelimit = 3
>   net_timeout = 1
> }
>
>
> and here are my slapd access rules:
>
> access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=userPassword
> by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
> by self write
> by * auth
>
> access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=ntPassword
> by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
> by self write
> by * auth
>
> access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=lmPassword
> by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
> by self write
> by * auth
>
> If I remember correctly (it's been a long time since I reconfigured openldap), does the write perm
> also allow read?
> Since I didn't configure any user in the ldap section of radiusd, isn't it
> supposed to log in to the ldap server with the username/passwd received by radiusd,
> and grab the user password, which should be possible since it has write (read?)
> perm?
>
> thanks for your help
>
> --
> Arnauld Dravet
>

No, you need to add a user to do the search for the user logging in.
Since you don't allow anonymous reads, you'll need to create a user with
read access.

So, first change the ldap section to include something like
identity = "cn=freeradius,dc=mtp,dc=epsi,dc=fr"
password = password

Then in slapd.conf add something like

access to dn.subtree="ou=Users,dc=mtp,dc=epsi,dc=fr"
  by "cn=freeradius,dc=mtp,dc=epsi,dc=fr" read
  by self write
  by * auth


Then add the freeradius user to ldap

$ ldapadd -D "cn=root,dc=mtp,dc=epsi,dc=fr" -W
dn: cn=freeradius,dc=mtp,dc=epsi,dc=fr
objectclass: person
cn: freeradius
sn: freeradius
userpassword: password
objectclass: person

Hope that helps

Dusty Doris





Re: FreeRadius/LDAP conf : little problem

2004-06-18 Thread Arnauld Dravet
Quoting Alan DeKok <[EMAIL PROTECTED]>:

>   Something other than EAP-MD5.
> 
>   LEAP should work.
> 
>   As an alternative, you could try storing NT passwords.  That will
> allow LEAP & MS-CHAP to work.
> 

Okay, I'm not really into Win stuff .. ntPassword fields seem crypted since I 
can't "read" them with my eyes, but I think it's just a hash or something. Isn't 
it the regular way to store NT passwords?

anyway, here is my ldap section in radiusd.conf:

ldap {
  server = "192.168.1.6"
  basedn = "ou=Users,dc=mtp,dc=epsi,dc=fr"
  filter = "(&(objectclass=posixAccount)(uid=%u))"
  start_tls = no
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  ldap_connections_number = 5
  password_attribute = ntPassword  #<--- I changed this one just to try it out, 
it was originally userPassword
  timeout = 4
  timelimit = 3
  net_timeout = 1
}


and here are my slapd access rules:

access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=userPassword
by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
by self write
by * auth

access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=ntPassword
by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
by self write
by * auth

access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=lmPassword
by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
by self write
by * auth

If I remember correctly (it's been a long time since I reconfigured openldap), does the write perm 
also allow read?
Since I didn't configure any user in the ldap section of radiusd, isn't it 
supposed to log in to the ldap server with the username/passwd received by radiusd, 
and grab the user password, which should be possible since it has write (read?) 
perm?

thanks for your help

-- 
Arnauld Dravet






Re: FreeRadius/LDAP conf : little problem

2004-06-18 Thread Alan DeKok
"Grant, Alastair Ian" <[EMAIL PROTECTED]> wrote:
> rlm_ldap: performing search in ou=people,dc=domain,dc=com, with filter (uid=mda)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...

  And it doesn't say anything about adding passwords (or any other
attributes).  Make LDAP return the passwords, and it should work.

  Alan DeKok.




Re: FreeRadius/LDAP conf : little problem

2004-06-18 Thread Alan DeKok
Arnauld Dravet <[EMAIL PROTECTED]> wrote:
> Hmm .. I think I've read docs where I understood people were using the samba schema 
> without problems ... what am I supposed to use to make it possible?

  Something other than EAP-MD5.

  LEAP should work.

>  LEAP returns the same error with the missing User-Password
> attribute .. And I can't store clear passwords in the directory.

  Why not?

  As an alternative, you could try storing NT passwords.  That will
allow LEAP & MS-CHAP to work.

  Alan DeKok.




Re: FreeRadius/LDAP conf : little problem

2004-06-18 Thread Arnauld Dravet
> 
>   Then you can't do CHAP or EAP-MD5, which is basically CHAP.
> 
>   Yup.  EAP-MD5 doesn't work.
> 

Hmm .. I think I've read docs where I understood people were using the samba schema 
without problems ... what am I supposed to use to make it possible? LEAP 
returns the same error with the missing User-Password attribute .. And I can't 
store clear passwords in the directory.

I'll paste the ldap section in one hour; I can't have access to it at the moment 
..


-- 
Arnauld Dravet
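The constraint quoted above (no CHAP or EAP-MD5 without a cleartext password) and Alan's earlier advice in this thread to set password_header, or map userPassword to Crypt-Password, so that a crypted value can still be checked, come down to one question: can the server recompute what the client sent? The Python below is an added example, not code from the thread, from FreeRADIUS or from OpenLDAP. It verifies a PAP cleartext against RFC 2307-style {SHA}, {SSHA}, {CRYPT} or bare userPassword values, and shows that the CHAP/EAP-MD5 response can only be checked when the stored secret is the cleartext itself. All salts, challenges and passwords are constructed; the {CRYPT} branch relies on Python's crypt module, which recent Python versions no longer ship, and reports itself unsupported where that module is missing.

```python
"""Which stored password forms a RADIUS server can check for PAP versus
CHAP/EAP-MD5.

Added example; not code from the thread, from FreeRADIUS or from OpenLDAP.
All salts, challenges and passwords below are constructed test data.
"""
import base64
import hashlib
import hmac
import os

try:
    import crypt  # deprecated since Python 3.11, removed in 3.13
except ImportError:
    crypt = None


def split_scheme(value: str):
    """'{SSHA}abc' -> ('SSHA', 'abc'); a value with no '{scheme}' prefix is
    taken as cleartext. A bare '{' (the truncated value in the rlm_ldap debug
    line quoted earlier in the thread) is rejected rather than compared."""
    if value.startswith("{"):
        end = value.find("}")
        if end < 0:
            raise ValueError("unterminated scheme prefix: %r" % value)
        return value[1:end].upper(), value[end + 1:]
    return "CLEARTEXT", value


def make_sha(password: str) -> str:
    """Unsalted {SHA} form: base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: bytes) -> str:
    """Salted {SSHA} form: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap(stored: str, cleartext: str) -> bool:
    """PAP: the supplicant sent the cleartext, so the server re-hashes it the
    way the scheme prefix says and compares. This is why, once the header is
    understood, the user types the password and not the crypted string."""
    scheme, data = split_scheme(stored)
    pw = cleartext.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(data.encode("utf-8"), pw)
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(data), hashlib.sha1(pw).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    if scheme == "CRYPT":
        if crypt is None:
            raise NotImplementedError("{CRYPT} verification needs the crypt module")
        return hmac.compare_digest(crypt.crypt(cleartext, data).encode(), data.encode())
    raise ValueError("unsupported password scheme: %s" % scheme)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) and EAP-MD5 (RFC 3748) response computed by the client:
    MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode("utf-8") + challenge).digest()


def verify_chap(stored: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """Server side of CHAP/EAP-MD5. The MD5 takes the secret itself as input,
    so only a cleartext store works; an {SSHA}/{CRYPT} value cannot be used."""
    scheme, secret = split_scheme(stored)
    if scheme != "CLEARTEXT":
        raise ValueError("CHAP/EAP-MD5 cannot verify against a %s-hashed password" % scheme)
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


if __name__ == "__main__":
    stored = make_ssha("s3cret", os.urandom(8))        # what the directory holds
    print(verify_pap(stored, "s3cret"))                 # True: PAP works with a hash
    challenge = os.urandom(16)
    resp = chap_response(1, "s3cret", challenge)       # what a CHAP client would send
    try:
        verify_chap(stored, 1, challenge, resp)
    except ValueError as e:
        print(e)                                        # hashed store is unusable for CHAP
    print(verify_chap("s3cret", 1, challenge, resp))   # True only with cleartext stored
```

The same dispatch on the scheme prefix is what a RADIUS server performs once the header is recognised, whether through password_header or a Crypt-Password mapping; MS-CHAP sits in between the two cases, needing neither cleartext nor a {SSHA} value but the NT hash, which is why the thread converges on storing ntPassword/sambaNTPassword for the Windows supplicants.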






Re: FreeRadius/LDAP conf : little problem

2004-06-18 Thread Grant, Alastair Ian
I am also struggling with this same problem as Arnauld so hopefully the solution to my
problem will be the same as the solution to his.  It seems that the password is not
being extracted from ldap.  I know there has been lots of conversation going on about
this in the past, but I'm still not sure whether my configuration is correct.  I'll
post some relevant info:

radiusd.conf
eap {
default_eap_type = md5
timer_expire = 60
md5 {
}
}
..
ldap {
server = "ldap.domain.com"
basedn = "ou=people,dc=domain,dc=com"
filter = "(uid=%{User-Name})"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = userPassword
timeout = 4
timelimit = 3
net_timeout = 1
}
The other attributes are commented out.

authorize{
preprocess
eap
ldap
}

authenticate{
eap
}

Finally, here is what happens when I try to authenticate:

Ready to process requests.
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1024, id=39, length=103
NAS-IP-Address = XXX.XXX.XXX.XXX
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Message-Authenticator = 0x1212fff00a4b01a5b7a71915ca70554a
NAS-Port = 11
Framed-MTU = 1490
User-Name = "mda"
Calling-Station-Id = " 0- 2-B3- 4-DC-C7"
EAP-Message = 0x02060008016d6461
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched DEFAULT at 181
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mda
radius_xlat:  '(uid=mda)'
radius_xlat:  'ou=people,dc=domain,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.domian.com:389, authentication 0
rlm_ldap: bind as / to ldap.domain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=people,dc=domain,dc=com, with filter (uid=mda)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mda authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  rlm_eap: EAP packet type notification id 6 length 8
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 0
  rlm_eap: EAP packet type notification id 6 length 8
  rlm_eap: EAP Start not found
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [mda] (from client matt port 11 cli  0- 2-B3- 4-DC-C7)
Sending Access-Challenge of id 39 to XXX.XXX.XXX.XXX:1024
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x0107001604100ef750947c7048fdaa84ff26a493
Message-Authenticator = 0x
State =
0xc2ad44327337a497591079562232c5ffcdf3d24047b349ea0e91e83f44f9bb31a8798196
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1024, id=40, length=158
NAS-IP-Address = XXX.XXX.XXX.XXX
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Message-Authenticator = 0x91075ac82afb21f4fd3b327f7a1b1bc4
NAS-Port = 11
Framed-MTU = 1490
User-Name = "mda"
Calling-Station-Id = " 0- 2-B3- 4-DC-C7"
State =
0xc2ad44327337a497591079562232c5ffcdf3d24047b349ea0e91e83f44f9bb31a8798196
EAP-Message = 0x020700190410dd6eb09c6c721bd91d603e18ef781ff46d6461
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
users: Matched DEFAULT at 181
  modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mda
radius_xlat:  '(uid=mda)'
radius_xlat:  'ou=people,dc=domain,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=com, with filter (uid=mda)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mda authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
  rlm_eap: EAP 

Re: FreeRadius/LDAP conf : little problem

2004-06-18 Thread Alan DeKok
Arnauld Dravet <[EMAIL PROTECTED]> wrote:
> I'm using a classical samba/qmail LDAP schema so that users in the
> company can authenticate against ldap with win/linux
> workstations. Basically, i got 3 password fields, lmPassword,
> ntPassword, and userPassword . All of them are encrypted ...

  Then you can't do CHAP or EAP-MD5, which is basically CHAP.

> rlm_eap_md5: User-Password is required for EAP-MD5 authentication

  Yup.  EAP-MD5 doesn't work.

  Alan DeKok.

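To make the "EAP-MD5 is basically CHAP" point concrete, here is an added Python example (my own code, not part of the thread or of FreeRADIUS). It decodes the EAP-Message values quoted in the debug output in this thread and recomputes the MD5-Challenge digest the way rlm_eap_md5 has to: MD5 over the EAP identifier, the user's secret and the challenge. Because the secret itself goes into the hash, a stored digest such as an OpenLDAP {SHA} userPassword cannot stand in for it. The 16-byte challenge, the cleartext password and the {SHA} value in the demo are constructed, and the function names are my own.

```python
import base64
import hashlib
import hmac

# EAP-Message values copied from the radiusd debug output quoted in this
# thread (the MD5-Challenge *request* line in the archive is cut short, so
# it is not decoded here).
EAP_IDENTITY_RESPONSE = "0x02060008016d6461"
EAP_MD5_RESPONSE_MDA = "0x020700190410dd6eb09c6c721bd91d603e18ef781ff46d6461"
EAP_MD5_RESPONSE_ARNAULD = (
    "0x0202002404105f6aa1f2ca8bfe0b6efc3da31527335861726e61756c642e647261766574"
)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 17: "LEAP",
             25: "PEAP", 26: "MSCHAPv2"}


def parse_eap_message(hexstr):
    """Decode one EAP packet (RFC 3748 layout) from its RADIUS hex form."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes present")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                       # Request/Response carry a Type byte
        eap_type = data[4]
        body = data[5:]
        msg["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:                    # Identity: the bare user name
            msg["identity"] = body.decode("ascii", "replace")
        elif eap_type == 4:                  # MD5-Challenge: Value-Size, Value, Name
            vsize = body[0]
            msg["value"] = body[1:1 + vsize]
            msg["name"] = body[1 + vsize:].decode("ascii", "replace")
    return msg


def eap_md5_value(ident, secret, challenge):
    """CHAP/EAP-MD5 digest: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_eap_md5_response(ident, secret, challenge, name):
    """Build the Response a supplicant sends, to exercise the verifier."""
    value = eap_md5_value(ident, secret, challenge)
    body = bytes([4, len(value)]) + value + name.encode("ascii")
    length = 4 + len(body)
    return "0x" + (bytes([2, ident]) + length.to_bytes(2, "big") + body).hex()


def verify_eap_md5(response_hex, challenge, secret):
    """The check rlm_eap_md5 performs: recompute the digest from the secret."""
    msg = parse_eap_message(response_hex)
    if msg["code"] != "Response" or msg.get("type") != "MD5-Challenge":
        return False
    return hmac.compare_digest(msg["value"], eap_md5_value(msg["id"], secret, challenge))


def ldap_sha_hash(cleartext):
    """The {SHA} form an OpenLDAP userPassword typically holds (constructed here)."""
    return b"{SHA}" + base64.b64encode(hashlib.sha1(cleartext).digest())


if __name__ == "__main__":
    for hexstr in (EAP_IDENTITY_RESPONSE, EAP_MD5_RESPONSE_MDA, EAP_MD5_RESPONSE_ARNAULD):
        print(parse_eap_message(hexstr))
    # Constructed demo values (not from the thread).
    challenge = bytes(range(16))
    cleartext = b"secret"
    resp = build_eap_md5_response(7, cleartext, challenge, "mda")
    print(verify_eap_md5(resp, challenge, cleartext))                 # True
    print(verify_eap_md5(resp, challenge, ldap_sha_hash(cleartext)))  # False
```

Running it shows the two Response packets in the thread carry id 7 / name "mda" and id 2 / name "arnauld.dravet" with a 16-byte digest each; the server can only validate such a digest if it holds the same bytes the supplicant hashed, which is why rlm_ldap has to hand rlm_eap_md5 a cleartext User-Password, and why an NT hash is only usable by methods (MS-CHAP, LEAP) whose maths start from that hash.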


Re: FreeRadius/LDAP conf : little problem

2004-06-18 Thread Kostas Kalevras
On Fri, 18 Jun 2004, Arnauld Dravet wrote:

> Hello
>
> I'm facing some kind of configuration trouble with freeradius and openldap. I
> got a new Access Point which I'm trying to use with 802.1x auth.
>
>
> I'm using a classical samba/qmail LDAP schema so that users in the company can
> authenticate against ldap with win/linux workstations. Basically, I've got 3
> password fields, lmPassword, ntPassword, and userPassword. All of them are
> encrypted and there is no "0x" in front of the ntPassword.
>
> The ldap section in radiusd.conf seems to be ok, the connection is done, and I've
> set the password_attribute to "userPassword" and later to "ntPassword" to check
> if it changed anything to the problem (no).
>
> Other sections i'm using:
>
> authorize {
>   preprocess
>   auth_log
>   ldap
>   eap
> }
>
> authenticate {
>   eap
> }
>
> Now, when I set up an 802.1x client, the AP connects to the radius server and here
> is the debug output:
>
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.6.3:1134, id=71, length=172
> NAS-IP-Address = 192.168.6.3
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 1
> Framed-MTU = 1400
> User-Name = "arnauld.dravet"
> Calling-Station-Id = "00904b625711"
> Called-Station-Id = "000d54fc1807"
> NAS-Identifier = "EPSI AP1"
> State = 0xa63191155f9268efbcad3167d4e42e90
> EAP-Message =
> 0x0202002404105f6aa1f2ca8bfe0b6efc3da31527335861726e61756c642e647261766574
> Message-Authenticator = 0xb917bedaab691dda63cd4364b2d93ae8
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 3
>   modcall[authorize]: module "preprocess" returns ok for request 3
> radius_xlat:  '/var/log/radius/radacct/192.168.6.3/auth-detail-20040618'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.6.3/auth-detail-20040618
>   modcall[authorize]: module "auth_log" returns ok for request 3
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for arnauld.dravet
> radius_xlat:  '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
> radius_xlat:  'ou=Users,dc=mtp,dc=epsi,dc=fr'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter
> (&(objectclass=posixAccount)(uid=arnauld.dravet))
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user arnauld.dravet authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0

Either you haven't configured password extraction in the ldap module or it isn't
working. Make sure the user rlm_ldap uses to connect to the ldap server is
allowed to read the userpassword entry. Posting your rlm_ldap configuration
might help.

>   modcall[authorize]: module "ldap" returns ok for request 3
>   rlm_eap: EAP packet type response id 2 length 36
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 3
> modcall: group authorize returns updated for request 3
>   rad_check_password:  Found Auth-Type LDAP
>   rad_check_password:  Found Auth-Type EAP
> Warning:  Found 2 auth-types on request for user 'arnauld.dravet'
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 3
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/md5
>   rlm_eap: processing type md5
> rlm_eap_md5: User-Password is required for EAP-MD5 authentication
>  rlm_eap: Handler failed in EAP/md5
>   rlm_eap: Failed in EAP select
>   modcall[authenticate]: module "eap" returns invalid for request 3
> modcall: group authenticate returns invalid for request 3
> auth: Failed to validate the user.
> Login incorrect: [arnauld.dravet/] (from client ap1
> port 1 cli 00904b625711)
> Delaying request 3 for 2 seconds
> Finished request 3
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 71 to 192.168.6.3:1134
> EAP-Message = 0x04020004
> Message-Authenticator = 0x
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 2 ID 70 with timestamp 40d298d0
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 3 ID 71 with timestamp 40d298d1
> Nothing to do.  Sleeping until we see a request.
>
>
> It's been two days I'm stuck on this problem, I think I've read all the
> documentation and mailing list archives .. I've tried different things, but it
> still finishes with a message saying it mis
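Kostas's two checks (is password extraction configured in the ldap module, and may the bind user read the password entry) can be turned into a quick triage script over the `radiusd -X` output. This is an added Python example, not code from the thread or from FreeRADIUS. The sample log is assembled from the transcripts quoted in the thread; the `Adding userPassword as User-Password` line in the healthy sample is an assumption about how a successful extraction would be logged, modelled on the `Adding acctFlags as SMB-Account-CTRL-TEXT` line that does appear. Finding codes and the advice table are my own.

```python
import re

# Debug lines assembled from the radiusd -X transcripts quoted in this
# thread (a constructed, trimmed sample).
SAMPLE_LOG = """\
rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter (&(objectclass=posixAccount)(uid=arnauld.dravet))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user arnauld.dravet authorized to use remote access
  modcall[authorize]: module "ldap" returns ok for request 3
  rad_check_password:  Found Auth-Type LDAP
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'arnauld.dravet'
auth: type "EAP"
  rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
  modcall[authenticate]: module "eap" returns invalid for request 3
"""

# ASSUMED, not shown in the thread: a working password extraction logs the
# mapped attribute with the same "Adding X as Y, value ... & op=" line that
# rlm_ldap prints for acctFlags above.
HEALTHY_LOG = """\
rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter (&(objectclass=posixAccount)(uid=arnauld.dravet))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value ******** & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user arnauld.dravet authorized to use remote access
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
"""

PASSWORD_ATTRS = ("User-Password", "NT-Password", "LM-Password")
ADDING_RE = re.compile(r"rlm_ldap: Adding (\S+) as (\S+),")
AUTHTYPES_RE = re.compile(r"Warning:\s+Found (\d+) auth-types")

ADVICE = {
    "ldap_no_password_attr":
        "rlm_ldap searched the user but added no password attribute: check "
        "password_attribute / ldap.attrmap and that the bind identity is allowed "
        "to read the password entry in the directory ACLs.",
    "eap_md5_needs_cleartext":
        "EAP-MD5 is CHAP: it needs the cleartext User-Password, so a hashed "
        "userPassword cannot satisfy it. Use a method matching what is stored, "
        "e.g. NT-Password (ntPassword) for MS-CHAP or LEAP.",
    "multiple_auth_types":
        "Both the ldap and eap modules set an Auth-Type; the server used EAP. "
        "Make sure that is the one you intended.",
}


def diagnose(log_text):
    """Return finding codes (keys of ADVICE) for a radiusd debug transcript."""
    lines = log_text.splitlines()
    findings = []
    searched = any("rlm_ldap: performing search" in line for line in lines)
    added = {}                                   # RADIUS attr -> LDAP attr
    for line in lines:
        m = ADDING_RE.search(line)
        if m:
            added[m.group(2)] = m.group(1)
    if searched and not any(attr in added for attr in PASSWORD_ATTRS):
        findings.append("ldap_no_password_attr")
    if any("User-Password is required for EAP-MD5" in line for line in lines):
        findings.append("eap_md5_needs_cleartext")
    for line in lines:
        m = AUTHTYPES_RE.search(line)
        if m and int(m.group(1)) > 1:
            findings.append("multiple_auth_types")
            break
    return findings


if __name__ == "__main__":
    for code in diagnose(SAMPLE_LOG):
        print(f"{code}: {ADVICE[code]}")
    print("healthy:", diagnose(HEALTHY_LOG))   # healthy: []
```

On the thread's transcript the script reports all three findings; the first one is the one to chase, since an LDAP search that returns acctFlags but no password attribute points at either a missing mapping or a read ACL on the password attribute for the bind identity.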

FreeRadius/LDAP conf : little problem

2004-06-18 Thread Arnauld Dravet
Hello

I'm facing some kind of configuration trouble with freeradius and openldap. I 
got a new Access Point which I'm trying to use with 802.1x auth.


I'm using a classical samba/qmail LDAP schema so that users in the company can 
authenticate against ldap with win/linux workstations. Basically, I've got 3 
password fields, lmPassword, ntPassword, and userPassword. All of them are 
encrypted and there is no "0x" in front of the ntPassword.

The ldap section in radiusd.conf seems to be ok, the connection is done, and I've 
set the password_attribute to "userPassword" and later to "ntPassword" to check 
if it changed anything to the problem (no).

Other sections i'm using:

authorize {
  preprocess
  auth_log
  ldap
  eap
}

authenticate {
  eap
}

Now, when I set up an 802.1x client, the AP connects to the radius server and here 
is the debug output:

Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.6.3:1134, id=71, length=172
NAS-IP-Address = 192.168.6.3
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Framed-MTU = 1400
User-Name = "arnauld.dravet"
Calling-Station-Id = "00904b625711"
Called-Station-Id = "000d54fc1807"
NAS-Identifier = "EPSI AP1"
State = 0xa63191155f9268efbcad3167d4e42e90
EAP-Message = 
0x0202002404105f6aa1f2ca8bfe0b6efc3da31527335861726e61756c642e647261766574
Message-Authenticator = 0xb917bedaab691dda63cd4364b2d93ae8
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
radius_xlat:  '/var/log/radius/radacct/192.168.6.3/auth-detail-20040618'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/192.168.6.3/auth-detail-20040618
  modcall[authorize]: module "auth_log" returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for arnauld.dravet
radius_xlat:  '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
radius_xlat:  'ou=Users,dc=mtp,dc=epsi,dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter 
(&(objectclass=posixAccount)(uid=arnauld.dravet))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user arnauld.dravet authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 3
  rlm_eap: EAP packet type response id 2 length 36
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type LDAP
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'arnauld.dravet'
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/md5
  rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
 rlm_eap: Handler failed in EAP/md5
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 3
modcall: group authenticate returns invalid for request 3
auth: Failed to validate the user.
Login incorrect: [arnauld.dravet/] (from client ap1 
port 1 cli 00904b625711)
Delaying request 3 for 2 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 71 to 192.168.6.3:1134
EAP-Message = 0x04020004
Message-Authenticator = 0x
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 70 with timestamp 40d298d0
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 71 with timestamp 40d298d1
Nothing to do.  Sleeping until we see a request.


It's been two days I'm stuck on this problem, I think I've read all the 
documentation and mailing list archives .. I've tried different things, but it 
still finishes with a message saying it misses the User-Password attribute ... I've 
of course also tried to use ldap in the authenticate section. I tested the initial 
config with radtest and it worked fine when I used ldap in the authenticate 
section, because radtest won't use eap ...

Thanks for any help you can give :)

-- 
Arnauld Dravet



