freeradius ldap auth sort of working ?

2013-07-01 Thread Horatiu Nimigean

Greetings.
I have a problem with freeradius using ldap to auth, here are my system 
specs:


Centos 6 64bit
freeradius installed from repo

rpm -qa | grep -i freeradius
freeradius-ldap-2.1.12-4.el6_3.x86_64
freeradius-2.1.12-4.el6_3.x86_64
freeradius-utils-2.1.12-4.el6_3.x86_64
ldap already up and running, on localhost. everything is local btw, 
there are no remote services and ldap is (test environment) accepting 
unsecured connections.

rpm -qa | grep -i openld
openldap-devel-2.4.23-32.el6_4.1.x86_64
openldap-clients-2.4.23-32.el6_4.1.x86_64
openldap-servers-2.4.23-32.el6_4.1.x86_64
openldap-2.4.23-32.el6_4.1.x86_64


radtest fails

radtest testuser_1 letmein_1 localhost 2 testing123
Sending Access-Request of id 214 to 127.0.0.1 port 1812
User-Name = testuser_1
User-Password = letmein_1
NAS-IP-Address = 127.0.0.1
NAS-Port = 2
Message-Authenticator = 0x
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=214, 
length=20

and this is the output from radius (ran as radiusd -X)
http://pastebin.com/MT0txW2c

i don't understand. it auths but then it doesn't.. the final result is 
not successful

Thanks in advance,

Horatiu


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius ldap auth sort of working ?

2013-07-01 Thread Arran Cudbard-Bell

On 1 Jul 2013, at 12:27, Horatiu Nimigean horatiu.nimig...@ddnet.ro wrote:

 Greetings.
 I have a problem with freeradius using ldap to auth, here are my system specs:
 
 Centos 6 64bit
 freeradius installed from repo
 rpm -qa | grep -i freeradius
 freeradius-ldap-2.1.12-4.el6_3.x86_64
 freeradius-2.1.12-4.el6_3.x86_64
 freeradius-utils-2.1.12-4.el6_3.x86_64
 ldap already up and running, on localhost. everything is local btw, there are 
 no remote services and ldap is (test environment) accepting unsecured 
 connections.
 rpm -qa | grep -i openld
 openldap-devel-2.4.23-32.el6_4.1.x86_64
 openldap-clients-2.4.23-32.el6_4.1.x86_64
 openldap-servers-2.4.23-32.el6_4.1.x86_64
 openldap-2.4.23-32.el6_4.1.x86_64
 
 radtest fails
 radtest testuser_1 letmein_1 localhost 2 testing123
 Sending Access-Request of id 214 to 127.0.0.1 port 1812
User-Name = testuser_1
User-Password = letmein_1
NAS-IP-Address = 127.0.0.1
NAS-Port = 2
Message-Authenticator = 0x
 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=214, 
 length=20
 and this is the output from radius (ran as radiusd -X)
 http://pastebin.com/MT0txW2c
 
 i don't understand. it auths but then it doesn't.. the final result is not 
 successful
 Thanks in advance,

No.

Your admin user managed to bind and retrieve credentials for your user, your 
user bind never succeeded.

Seeing as you have access to the crypt hash of the user's password you should 
use PAP to do authentication.

Set set_auth_type = no in modules/ldap.

and make sure 'pap' is listed in authorize.

If the password you're using in radtest is correct, this will work. If it isn't 
then authentication will continue to fail.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: freeradius ldap auth sort of working ?

2013-07-01 Thread A . L . M . Buxey
Hi,

 and this is the output from radius (ran as radiusd -X)
 http://pastebin.com/MT0txW2c

please post to the list - avoids more work at this end.

the output shows this:

Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by testuser_1 with password letmein_1
[ldap] user DN: uid=testuser_1,ou=People,dc=vps03,dc=local
  [ldap] (re)connect to 127.0.0.1:389, authentication 1
  [ldap] bind as uid=testuser_1,ou=People,dc=vps03,dc=local/letmein_1 to 
127.0.0.1:389
  [ldap] waiting for bind result ...
  [ldap] Bind failed with invalid credentials
++[ldap] returns reject

 i don't understand. it auths but then it doesn't.. the final result
 is not successful

it does a SEARCH for authorization. finds some details...then it checks
authentication...and doesn't work.  verify that you can connect/verify
with this user/password combo. LDAP is not an authentication method..it's
just an oracle of data really

alan


pptpd+freeradius+ldap: which password encryption can I use?

2013-04-30 Thread Alberto Aldrigo

Hi Everybody,

I'm trying to set up a PPTPD server which would authenticate users using
my openLDAP user database; in doing so I need freeradius.
By now the only setup that actually works is: users in LDAP with clear
text password.
Obviously I want to use some kind of encryption for passwords, and I
don't like the solution of using cleartext passwords and the use of a
specific user allowed to access the password attribute, so my
question is: which other possibilities do I have?
Looking at this table
http://deployingradius.com/documents/protocols/compatibility.html I
understand that I can use pap + sha1, but I can't understand how. Can
anyone help me understand what is possible and what is not?

Many thanks

Alberto


Re: pptpd+freeradius+ldap: which password encryption can I use?

2013-04-30 Thread Alan DeKok
Alberto Aldrigo wrote:
 I'm trying to setup a PPTPD server which would authenticate users using
 my openLDAP user database, in doing so I need freeradius.
 By now the only setup that actually works is: users in LDAP with clear
 text password.

  What kind of authentication method is PPTPD using?  You can tell by
looking at the FreeRADIUS debug log... which is suggested daily on this
list.

 Obviously I want to use some kind of encryption for passwords, and I
 don't like the solution of using cleartext passwords and the use of a
 specific user allowed to access the password attribute, so my
 question is: which other possibilities do I have?
 Looking at this table
 http://deployingradius.com/documents/protocols/compatibility.html I
 understand that I can use pap + sha1, but I can't understand how. Can
 anyone help me understand what is possible and what is not?

  You're really asking the wrong question.  If the only thing that works
is LDAP with clear-text passwords, then the authentication method
doesn't support encrypted passwords.

  That's why the web page says it's *IMPOSSIBLE*.  Because, well, it's
impossible.  What other conclusion did you reach after reading that page?

  Alan DeKok.


Re: pptpd+freeradius+ldap: which password encryption can I use?

2013-04-30 Thread John Dennis

On 04/30/2013 06:11 AM, Alberto Aldrigo wrote:

Hi Everybody,

I'm trying to setup a PPTPD server which would authenticate users using
my openLDAP user database, in doing so I need freeradius.
By now the only setup that actually works is: users in LDAP with clear
text password.
Obviously I want to use some kind of encryption for passwords, and I
don't like the solution of using cleartext passwords and the use of a
specific user allowed to access the password attribute, so my
question is: which other possibilities do I have?
Looking at this table
http://deployingradius.com/documents/protocols/compatibility.html I
understand that I can use pap + sha1, but I can't understand how. Can
anyone help me understand what is possible and what is not?
Many thanks


Cleartext passwords should work for most everything, as shown in the
compatibility table; if they don't, you've broken something.


Your other option is to hash your passwords; refer to the table for what
will work. You'll probably need to prefix your password values with a
scheme prefix.


However, hashing is *not* encryption, nor is hashing secure. Do not depend
on hashing to provide protection! Most hashes can be broken easily. This
is especially true if they can be retrieved for offline cracking, which
is the gift you're giving your attacker if you don't lock down your
password attributes.


Bottom line: there is no short-cut or excuse not to lock down password
attributes with ACLs such that only a select subset of users can see
them (e.g. radiusd, root).



--
John Dennis jden...@redhat.com

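What Arran's advice (let rlm_pap compare the PAP password against the hash rlm_ldap retrieved) and John's scheme-prefix remark come down to, as an added example that is not code from the thread or from FreeRADIUS: a verifier for RFC 2307-style userPassword values in the MD5/SMD5/SHA/SSHA schemes, plus a lookup of which RADIUS methods can still work once the directory holds only a hash. The method table is my summary of the linked deployingradius.com compatibility page, and treating an unprefixed value as cleartext is an assumption of this example.

```python
import base64
import hashlib
import hmac

# Which RADIUS authentication methods can be checked against each stored form.
# Summary of the deployingradius.com compatibility table linked in the thread:
# cleartext works with everything, an NT hash with the MS-CHAP family, and any
# other hash only with methods that deliver the user's cleartext password to
# the server (PAP, and PAP inside an EAP-TTLS tunnel).
_METHODS_BY_FORM = {
    "cleartext": {"PAP", "CHAP", "MS-CHAP", "EAP-MD5", "PEAP-MSCHAPv2", "TTLS-PAP"},
    "nt":        {"PAP", "MS-CHAP", "PEAP-MSCHAPv2", "TTLS-PAP"},
    "hash":      {"PAP", "TTLS-PAP"},
}

# Digest behind each RFC 2307 scheme this example understands.
_DIGESTS = {"MD5": hashlib.md5, "SMD5": hashlib.md5,
            "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
_SALTED = {"SMD5", "SSHA"}


def parse_userpassword(stored):
    """Split "{SCHEME}payload" into (scheme, payload).

    A value without a {...} prefix is treated as cleartext; that is an
    assumption of this example, not a statement about rlm_ldap.
    """
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        scheme = stored[1:end].upper()
        return ("CLEARTEXT" if scheme == "CLEAR" else scheme), stored[end + 1:]
    return "CLEARTEXT", stored


def verify_userpassword(stored, candidate):
    """True if candidate matches the stored userPassword value.

    Handles cleartext and MD5/SMD5/SHA/SSHA. Salted schemes store
    base64(digest(password + salt) + salt), so the salt is whatever follows
    the fixed-length digest. Unknown schemes ({CRYPT}, {NT}, ...) return
    False instead of guessing. Comparisons are constant-time.
    """
    scheme, payload = parse_userpassword(stored)
    pw = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    digest = _DIGESTS.get(scheme)
    if digest is None:
        return False
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    dlen = digest().digest_size
    if scheme in _SALTED:
        if len(raw) <= dlen:    # a salted value must carry at least one salt byte
            return False
        expected, salt = raw[:dlen], raw[dlen:]
    else:
        if len(raw) != dlen:
            return False
        expected, salt = raw, b""
    return hmac.compare_digest(digest(pw + salt).digest(), expected)


def make_userpassword(scheme, password, salt=b""):
    """Encode a password the way it would be stored in LDAP (e.g. for an LDIF)."""
    scheme = scheme.upper()
    if scheme in ("CLEAR", "CLEARTEXT"):
        return password
    digest = _DIGESTS[scheme]           # KeyError for schemes not handled here
    if scheme in _SALTED:
        if not salt:
            raise ValueError("%s needs a salt" % scheme)
    else:
        salt = b""
    raw = digest(password.encode("utf-8") + salt).digest() + salt
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def auth_methods_for(stored):
    """RADIUS methods that can still verify a user against this stored value."""
    scheme, _ = parse_userpassword(stored)
    if scheme == "CLEARTEXT":
        form = "cleartext"
    elif scheme == "NT":
        form = "nt"
    else:
        form = "hash"
    return set(_METHODS_BY_FORM[form])


if __name__ == "__main__":
    # Constructed fixture: the thread's test user with an SSHA-hashed password.
    stored = make_userpassword("SSHA", "letmein_1", b"saltsalt")
    print(stored, verify_userpassword(stored, "letmein_1"),
          sorted(auth_methods_for(stored)))
```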


pptpd+freeradius+ldap ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2013-04-18 Thread Alberto Aldrigo

Hi everybody,

I'm having some problems with freeradius and ldap authentication.
I need to authenticate a user connecting via VPN to my pptpd daemon,
which will ask permission from freeradius.
I installed freeradius and configured it to use ldap in this way (I
stripped comments to shorten the config files):


sites-available/default:


authorize {
ldap
preprocess
chap
mschap
digest
suffix
eap {
ok = return
}
expiration
logintime
pap
}

authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap
}
}


preacct {
preprocess
acct_unique
suffix
files
}

accounting {
detail
unix
radutmp
exec
}

session {
radutmp
}

post-auth {
ldap
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}

pre-proxy {
}

post-proxy {
eap
}

modules/ldap:

ldap {
server = 10.1.98.50
identity = cn=admin,dc=domain,dc=private
password = password
basedn = dc=domain,dc=private
filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
ldap_connections_number = 5
timeout = 4
timelimit = 3

net_timeout = 1

tls {
start_tls = no

}

dictionary_mapping = ${confdir}/ldap.attrmap
password_attribute = userPassword
edir_account_policy_check = no
}


radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

name = freeradius

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

db_dir = ${raddbdir}

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/${name}.pid

user = freerad
group = freerad
max_request_time = 30

cleanup_delay = 5
max_requests = 1024

listen {
type = auth

ipaddr = *
port = 0
}

listen {
ipaddr = *
port = 0
type = acct
}

hostname_lookups = no

allow_core_dumps = no
regular_expressions= yes
extended_expressions= yes

log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no

}

checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}

proxy_requests  = yes
$INCLUDE proxy.conf

$INCLUDE clients.conf

thread pool {
start_servers = 5
max_servers = 32

min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}

modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
}

instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/


When I run freeradius -X this is what I get:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 
2012 at 17:58:57

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/passwd
including configuration file 
/etc/freeradius/modules/sqlcounter_expire_on_login

including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/otp
including configuration file 

Re: pptpd+freeradius+ldap ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2013-04-18 Thread Adam Bishop
On 18 Apr 2013, at 11:43, Alberto Aldrigo aaldr...@ca-tron.com wrote:

 rad_recv: Access-Request packet from host 10.1.98.52 port 45105, id=139, 
 length=77
 Service-Type = Framed-User
 Framed-Protocol = PPP
 User-Name = user
 Calling-Station-Id = 10.1.0.136
 NAS-IP-Address = 127.0.1.1
 NAS-Port = 0

PPPD isn't sending a password. 

The hash is being found by LDAP fine, but there is no password in the radius 
request for it to validate.

You need to fix PPPD, then it should work.

Thanks,

Adam Bishop

   gpg: 0x6609D460

Janet, the UK's research and education network.





Re: Freeradius +LDAP + Samba integrates to Active Derectory

2013-04-15 Thread John

Thanks. Alan 

--- On Fri, 12 Apr 2013, Alan DeKok al...@deployingradius.com wrote:

From: Alan DeKok al...@deployingradius.com
Subject: Re: Freeradius +LDAP + Samba integrates to Active Derectory
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Fri, 12 Apr 2013, 9:48 PM

John wrote:
 We deploy freeradius integrated to Active Directory, but the AD enabled
 Require signing option (see the attachment).

  That's really an AD question.

 net join is OK after we set LDAP SASL wrapping to 'sign'. But LDAP
 search failed.  Is there a way to let LDAP search work? Can someone show
 me some reference or guide?

  Look in Microsoft support forums.  Once you get LDAP search working,
FreeRADIUS will work, too.

  Alan DeKok.

Freeradius +LDAP + Samba integrates to Active Derectory

2013-04-12 Thread John
Hi all,
 
We deploy freeradius integrated to Active Directory, but the AD enabled
Require signing option (see the attachment).
 
net join is OK after we set LDAP SASL wrapping to 'sign'. But LDAP search 
failed.  Is there a way to let LDAP search work? Can someone show me some 
reference or guide?
 
Thanks,
John

[attachment: LDAP SASL wrapping.JPG]

Re: Freeradius +LDAP + Samba integrates to Active Derectory

2013-04-12 Thread Alan DeKok
John wrote:
 We deploy freeradius integrated to Active Directory, but the AD enabled
 Require signing option (see the attachment).

  That's really an AD question.

 net join is OK after we set LDAP SASL wrapping to 'sign'. But LDAP
 search failed.  Is there a way to let LDAP search work? Can someone show
 me some reference or guide?

  Look in Microsoft support forums.  Once you get LDAP search working,
FreeRADIUS will work, too.

  Alan DeKok.


AW: Freeradius + LDAP

2012-12-10 Thread Matthias Nagel
Hello,
what exactly is your problem?
a) Do you want to know how to configure a web administration GUI (phpldapadmin)
for your LDAP server? Then your problem is purely related to the LDAP server, PHP
and a web server. Hence, this is the wrong mailing list to ask for
advice.

b) Or do you want to know how to use a LDAP directory as a password backend? 
But then this question has nothing to do with phpldapadmin. You said, that 
RADIUS is already configured and running. Where are the user credentials stored 
at the moment?

Matthias

Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
ICQ: 499797758
Skype: nagmat84

Brekler Custodio brekle...@hotmail.com wrote:

Hello guys, I was wondering, does anyone know how to configure an LDAP (phpldapadmin) to
work with freeradius?
I searched all over the web and couldn't find a tutorial that teaches how to
configure a simple DB to work with FR.
The FR is configured already, it's very simple, but the LDAP I can't handle.


Freeradius + LDAP

2012-12-10 Thread Brekler Custodio

Hello guys, I was wondering, does anyone know how to configure an LDAP
(phpldapadmin) to work with freeradius?
I searched all over the web and couldn't find a tutorial that teaches how to
configure a simple DB to work with FR.
The FR is configured already, it's very simple, but the LDAP I can't handle.

Re: FreeRadius LDAP OID Numbering

2012-04-27 Thread Alan DeKok
Peter Lambrechtsen wrote:
 There is the FR LDAP Schema LDIF file to import FreeRadius related
 schema into your LDAP directory.
 
 Searching around it seems that OID 1.3.6.1.4.1.3317.4.3.1 up to 68 is
 allocated.
 
 http://permalink.gmane.org/gmane.comp.freeradius.devel/6134

  Why search the list?  The LDIF file is included with the server.

 Who owns the OID and I could ask to get 69 registered formally?

  The OID is a private enterprise code.  3317 is some other open source
project (I forget which, and don't care to look).  It was used because
one of the people there contributed the LDIF file.

 I would like to add the LDAP Attribute radiusFramedPool for
 Framed-Pool VSA
 
 Should I just build a DIFF and submit it to the list, or is there an
 owner of the OID numbering who I would need to contact?

  Just add it.  We effectively own that space.  They're not using it.

  Alan DeKok.


FreeRadius LDAP OID Numbering

2012-04-26 Thread Peter Lambrechtsen
A question for Alan, or others on the list.

There is the FR LDAP Schema LDIF file to import FreeRadius related schema
into your LDAP directory.

Searching around it seems that OID 1.3.6.1.4.1.3317.4.3.1 up to 68 is
allocated.

http://permalink.gmane.org/gmane.comp.freeradius.devel/6134

Who owns the OID and I could ask to get 69 registered formally?

I would like to add the LDAP Attribute radiusFramedPool for Framed-Pool
VSA

Should I just build a DIFF and submit it to the list, or is there an owner
of the OID numbering who I would need to contact?

Cheers

Peter

Re: Wired 802.1X + FreeRADIUS + LDAP issue

2011-12-12 Thread Ryan Garland
On Mon, Dec 12, 2011 at 6:30 PM, Ryan Garland she...@gmail.com wrote:

 Thanks for the response, Alan.

 It turns out part of my issue was certificate related.  This has been
 resolved, but eapol_test continues to fail for a different reason.
 However, I am having trouble determining a fix.

 Attached is the eapol_test configuration, debug output, FreeRADIUS
 configuration and debug output.

 It appears that the relevant portion of the FreeRADIUS debug output is:

 Found Auth-Type = EAP
 # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
 +- entering group authenticate {...}
 [eap] Request found, released from the list
 [eap] EAP/md5
 [eap] processing type md5
 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
 [eap] Handler failed in EAP/md5
 [eap] Failed in EAP select
 ++[eap] returns invalid
 Failed to authenticate the user.
 } # server inner-tunnel
 [ttls] Got tunneled reply code 3
        EAP-Message = 0x04010004
        Message-Authenticator = 0x
 [ttls] Got tunneled Access-Reject
 [eap] Handler failed in EAP/ttls
 rlm_eap_ttls: Freeing handler for user ryan
 [eap] Failed in EAP select
 ++[eap] returns invalid
 Failed to authenticate the user.

 I am having an even more difficult time deciphering the eapol_test
 debug output - I just see the EAP failure from the radius server.

 I have also tried commenting out 'virtual_server = inner-tunnel' in
 the ttls section of eap.conf to force it to use default (as the
 documentation inside the default virtual server would seem to imply
 I should do) and I get the same result.  I may be mis-reading it,
 however.

 Do you see something glaringly wrong?  I appreciate any insight you can 
 provide.

Sorry, I should have been more clear.

I'm not sure what my options are with regards to Cleartext-Password
and using EAP-MD5, if that is indeed what is causing the failure.

I am attempting to get eapol_test to work since it sounds like this
should be my first priority.  The OS X supplicant continues not to
respond to the Access-Challenge even though its profile is set up with
the corrected ca.der - but, one step at a time.

-RG



Re: Wired 802.1X + FreeRADIUS + LDAP issue

2011-12-12 Thread Fajar A. Nugraha
On Tue, Dec 13, 2011 at 9:37 AM, Ryan Garland she...@gmail.com wrote:
 [eap] EAP/md5
 [eap] processing type md5
 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
 [eap] Handler failed in EAP/md5
 [eap] Failed in EAP select
 ++[eap] returns invalid
 Failed to authenticate the user.

 Sorry, I should have been more clear.

 I'm not sure what my options are with regards to Cleartext-Password
 and using EAP-MD5, if that is indeed what is causing the failure.

Then don't use EAP-MD5. If TTLS-PAP works for wireless, use the same
one for wired.
There should be an option to select which authentication method to use
for wired 802.1x.

-- 
Fajar


Re: Wired 802.1X + FreeRADIUS + LDAP issue

2011-12-12 Thread Ryan Garland
On Mon, Dec 12, 2011 at 7:12 PM, Fajar A. Nugraha l...@fajar.net wrote:
 On Tue, Dec 13, 2011 at 9:37 AM, Ryan Garland she...@gmail.com wrote:

 Sorry, I should have been more clear.

 I'm not sure what my options are with regards to Cleartext-Password
 and using EAP-MD5, if that is indeed what is causing the failure.

 Then don't use EAP-MD5. If TTLS-PAP works for wireless, use the same
 one for wired.
 There should be an option to select which authentication method to use
 for wired 802.1x.

Ok, I changed auth type to PAP in the eapol_test configuration and it
worked.  Thanks, I didn't realize it was as simple as changing the
phase2 auth type.

However, my original problem persists.  My supplicant continues not to
respond to the FreeRADIUS Access-Challenge.

Keep in mind I am using the same .mobileconfig on my OS X Lion machine
and my iPhone 4S (IOS 5) and TTLS+PAP works fine for Wireless.  I am
not sure how to tell which authentication method the supplicant is
using for Wired as I can only see authentication protocols listed
under the Wi-Fi section of the profile generated using the iPhone
Configuration Utility (I was led to believe that the same profile can
work with both Wired and Wireless 802.1X, hence me being stumped).

If there is not an issue with FreeRADIUS as far as the experts on this
list can tell from the debug output in my original post (the Wired
failure attachment), then I may have to look elsewhere for input
(Apple support forums perhaps?  Ugh :P)

Thanks again for your assistance thus far.

-RG


Re: Wired 802.1X + FreeRADIUS + LDAP issue

2011-12-12 Thread Fajar A. Nugraha
On Tue, Dec 13, 2011 at 11:34 AM, Ryan Garland she...@gmail.com wrote:
 However, my original problem persists.  My supplicant continues not to
 respond to the FreeRADIUS Access-Challenge.

 Keep in mind I am using the same .mobileconfig on my OS X Lion machine
 and my iPhone 4S (IOS 5) and TTLS+PAP works fine for Wireless.  I am
 not sure how to tell which authentication method the supplicant is
 using for Wired as I can only see authentication protocols listed
 under the Wi-Fi section of the profile generated using the iPhone
 Configuration Utility (I was led to believe that the same profile can
 work with both Wired and Wireless 802.1X, hence me being stumped).

Try using something that you know you can configure to use TTLS-PAP.
Like Ubuntu. Just to be extra sure. Even using live CD should be
enough.


 If there is not an issue with FreeRADIUS as far as the experts on this
 list can tell from the debug output in my original post (the Wired
 failure attachment),

Pretty much so. You don't have cleartext password in your LDAP schema,
so EAP-MD5 (as well as EAP-PEAP-MSCHAPv2) won't work.

 then I may have to look elsewhere for input
 (Apple support forums perhaps?  Ugh :P)

If Ubuntu works, then it's 100% Apple issue :)

-- 
Fajar



Re: Wired 802.1X + FreeRADIUS + LDAP issue

2011-12-10 Thread Alan DeKok
Ryan Garland wrote:
 I get a Warning message from FreeRADIUS indicating that EAP did not
 complete.  The message directs me to a Certificate Compatibility page on
 the FR wiki, but unfortunately that points a lot of fingers at Windows,
 which my laptop is not running.

  Whether it's windows or not, the supplicant is *always* the one who
chooses to stop doing EAP.

 We have also tried creating the certs with the bootstrap program and
 modifying eap.conf accordingly, to no avail.
 
 For reference, eapol_test also fails in the same manner when running
 locally on the FreeRADIUS box.

  Uh... then all bets are off.  If eapol_test doesn't work, then you
broke the FR configuration.  FR and eapol_test work together.  I do this
pretty much every day.

  Post the output from eapol_test.  It should produce *many* messages
describing exactly what is going wrong, and why.

 I am sure I am missing something - probably something simple - but I
 just have not been able to figure it out, and I am clearly not very good
 at reading the debug output. :-(

  You read it fine.  Something *else* is going on.

 I have been researching this for quite some time and have found a lot of
 helpful information from people on this list, so I hope somebody can
 help me pinpoint the issue.
 
 My apologies if I was too wordy.  Any help is greatly appreciated.

  Wordy is better than "I tried stuff and it didn't work."

  Alan DeKok.


Troubleshooting FreeRadius +LDAP

2011-09-12 Thread Ricardo Sousa
Greetings list users,

I'm trying setup FreeRadius to work with LDAP in a deployment of ClearOS and 
have followed this How-To 
http://www.clearfoundation.com/docs/howtos/setting_up_freeradius2_to_use_ldap 
and this How-To http://deployingradius.com/documents/configuration/pap.html 
with success, up to the part of the initial radtest with credentials inserted in
the users file. But when trying to use credentials from the LDAP directory, the 
Radius server returns an Access-Reject packet. 
Below is the output from the debug mode. 

***
login as: root
root@192.168.3.5's password:
Last login: Mon Sep 12 13:31:45 2011 from 192.168.3.2
[root@system ~]# service radiusd stop
Stopping RADIUS server:[  OK  ]
[root@system ~]# radiusd -X
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on May 19 2010 
at 13:10:59
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clearos-clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/clearos-eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/clearos-inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms 

Re: Freeradius Ldap module is authenticating with wrong password also

2011-07-26 Thread vijaysingh
Thanks, Issue has been resolved.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius Ldap module is authenticating with wrong password also

2011-07-24 Thread Alan Buxey
Hi,

 DEFAULT LDAP-Group == "CiscoRWL2Lr", Auth-Type := Accept
 Reply-Message = "Welcome! You have administrative access.",
 Service-Type = NAS-Prompt-User,
 cisco-avpair = "shell:priv-lvl=15"

as already said, you've configured your RADIUS server to accept
ANYONE who is in the CiscoRWL2Lr group - even if their password
is 100% wrong.  Auth-Type := Accept opens your box to basically not
caring about authentication, only authorization.

remove the auth-type and ensure your authentication is working - 
which will need some work for AD

alan


Re: Freeradius Ldap module is authenticating with wrong password also

2011-07-23 Thread vijaysingh
=Networking,DC=kochar,DC=com, with filter
(&(cn=CiscoRWL2Lr)(|(&(objectClass=group)(member=))(&(objectClass=top)(uniquemember=
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in CN=Vijay
Singh,OU=ASR,OU=Networking,DC=kochar,DC=com, with filter (objectclass=*)
  [ldap] performing search in
CN=CiscoRWL2Lr,OU=UsersAdminSystem,DC=kochar,DC=com, with filter
(cn=CiscoRWL2Lr)
rlm_ldap::ldap_groupcmp: User found in group CiscoRWL2Lr
  [ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
[ldap] performing user authorization for vijay.singh
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for
details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> vijay.singh
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) ->
(&(sAMAccountName=vijay.singh))
[ldap] expand: OU=Networking,DC=kochar,DC=com ->
OU=Networking,DC=kochar,DC=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in OU=Networking,DC=kochar,DC=com, with filter
((sAMAccountName=vijay.singh))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user vijay.singh authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [vijay.singh] (from client KiplAsrNetwork port 1 cli 172.17.27.9)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 26 to 172.17.3.182 port 1645
Reply-Message = Welcome! You have administrative access.
Service-Type = NAS-Prompt-User
Cisco-AVPair = shell:priv-lvl=15
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 26 with timestamp +22
Ready to process requests.

[root@radiusasr ~]# 
#



Re: Freeradius Ldap module is authenticating with wrong password also

2011-07-23 Thread Fajar A. Nugraha
On Sat, Jul 23, 2011 at 1:25 PM, vijaysingh <vijay.si...@kochar.com> wrote:
 Please find below the configuration and logs :-

 ##
 /etc/raddb/users
 ##
 DEFAULT LDAP-Group == CiscoRWL2Lr, Auth-Type := Accept

There you go. That line effectively means "if the user is a member of the
CiscoRWL2Lr LDAP group, then accept it". Period. No password check
whatsoever.

I'd recommend you just remove all the Auth-Type := Accept parts ...

         Reply-Message = "Welcome! You have administrative access.",
        Service-Type = NAS-Prompt-User,
        cisco-avpair = shell:priv-lvl=15

 DEFAULT LDAP-Group == CiscoROL2Lr, Auth-Type := Accept
         Reply-Message = "Welcome! You have limited access.",
        Service-Type = NAS-Prompt-User,
        cisco-avpair = shell:priv-lvl=1

 DEFAULT Auth-Type := Reject

... and simply use that Auth-Type := Reject to reject users not in the
two LDAP groups.

But that's only half of the problem.

 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that the
 user is configured correctly?

the other half is that you're using AD, which does not store plain text
passwords or hand out NT hashes. For this part try reading the Active
Directory guide on the FR wiki or deployingradius.com

-- 
Fajar

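Both replies above make the same point: an entry whose check items include Auth-Type := Accept matches on group membership alone and the password is never verified. The script below is an added example (not code from the thread, not part of FreeRADIUS) that parses a FreeRADIUS 2.x users file using the format from users(5) (name plus comma-separated check items on the first line, indented reply items on the following lines) and flags every entry that forces an accept. The two sample files are constructed: one mirrors the posted configuration, the other is the same file with the forced accept removed, so that authentication falls through to whatever Auth-Type the authorize section selects.

```python
"""Lint a FreeRADIUS 2.x users file for entries that force Auth-Type := Accept.

Such an entry matches on its check items alone (here: LDAP group membership)
and the server never verifies the password.  Added example; not code from the
thread or from FreeRADIUS.  The users-file grammar is the one in users(5);
the two sample files are constructed for the demonstration.
"""
import re
from typing import Dict, List, Tuple

Item = Tuple[str, str, str]                      # (attribute, operator, value)

# One "Attribute op value" item.  Longer operators come first so that ":="
# is not read as "=", and an unquoted value stops at the next comma.
ITEM_RE = re.compile(
    r'([\w-]+)\s*(:=|==|!=|\+=|=~|!~|<=|>=|=|<|>)\s*("[^"]*"|[^\s,]+)')


def parse_items(s: str) -> List[Item]:
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(s)]


def parse_users(text: str) -> List[Dict]:
    """One dict per entry: name, check items, reply items.

    First line of an entry: name followed by comma-separated check items.
    Indented continuation lines: reply items, each but the last ending in ','.
    '#' starts a comment; blank lines separate entries.
    """
    entries: List[Dict] = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] in ' \t':                      # continuation line: reply items
            if not entries:
                raise ValueError('reply items before any entry')
            entries[-1]['reply'] += parse_items(line.rstrip(','))
        else:                                     # new entry: name + check items
            name, rest = (re.split(r'\s+', line, 1) + [''])[:2]
            entries.append({'name': name, 'check': parse_items(rest), 'reply': []})
    return entries


def find_bypasses(entries: List[Dict]) -> List[str]:
    """Name and check items of every entry that accepts without a password check."""
    found = []
    for e in entries:
        if any(a == 'Auth-Type' and op in (':=', '=') and v.lower() == 'accept'
               for a, op, v in e['check']):
            found.append(e['name'] + ': ' +
                         ', '.join(f'{a} {op} {v}' for a, op, v in e['check']))
    return found


# Constructed sample: the posted users file ...
WEAK = """
DEFAULT LDAP-Group == "CiscoRWL2Lr", Auth-Type := Accept
        Reply-Message = "Welcome! You have administrative access.",
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

DEFAULT LDAP-Group == "CiscoROL2Lr", Auth-Type := Accept
        Reply-Message = "Welcome! You have limited access.",
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=1"

DEFAULT Auth-Type := Reject
"""

# ... and the same file with the forced accept removed.  Group membership
# still selects the reply items; the password is checked by the real
# Auth-Type (LDAP bind, PAP, ...) chosen in the authorize section.
FIXED = WEAK.replace(', Auth-Type := Accept', '')

if __name__ == '__main__':
    for label, text in (('weak', WEAK), ('fixed', FIXED)):
        print(label, 'bypasses:', find_bypasses(parse_users(text)) or 'none')
```

Run it against the real /etc/raddb/users before deploying: the closing DEFAULT Auth-Type := Reject entry is kept in the fixed file so that users outside both groups are still refused.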


Freeradius Ldap module is authenticating with wrong password also

2011-07-22 Thread vijaysingh
Hi,

I have configured freeradius with LDAP authentication against my Windows 2008
Active Directory. Two conditions should be met to authenticate the user: 1.) the user's
password should match, 2.) the user should be a member of the Cisco group.
Freeradius is checking the second condition only, and if the user enters a wrong or blank
password it is authenticating the user. Kindly help, what can the issue be? I
am getting the following two errors in the logs :-

[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for
details
[ldap] ... expanding second conditional

[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?

If required I can post full logs and configuration file here.

Vijay.



Re: Freeradius Ldap module is authenticating with wrong password also

2011-07-22 Thread Alan Buxey
Hi,

 If required I can post full logs and configuration file here.

err, yes. 

alan


Re: FreeRadius - LDAP

2011-07-20 Thread m4xmr
 password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by ldapuser with password MTIxMjEyIA==
[ldap] user DN: uid=ldapuser,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/MTIxMjEyIA==
to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
++[ldap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> ldapuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.5 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 207 to 127.0.0.1 port 36725
Waking up in 4.9 seconds.
Cleaning up request 0 ID 207 with timestamp +1224
Ready to process requests.

Do you have any idea?
Am I missing something?


Regards,
Max


 

Re: FreeRadius - LDAP

2011-07-20 Thread up


Re: FreeRadius - LDAP

2011-07-20 Thread Massimiliano Tommasi
 {...} for more modules to load
  Module: Checking post-auth {...} for more modules to load
  } # modules
 } # server
 radiusd:  Opening IP addresses and Ports 
 listen {
  type = auth
  ipaddr = *
  port = 0
 }
 listen {
  type = acct
  ipaddr = *
  port = 0
 }
 listen {
  type = control
  listen {
  socket = /var/run/radiusd/radiusd.sock
  }
 }
 Listening on authentication address * port 1812
 Listening on accounting address * port 1813
 Listening on command file /var/run/radiusd/radiusd.sock
 Listening on proxy address * port 1814
 Ready to process requests.

 ---

 NOW, when I try the auth:
 radtest ldapuser 121212 localhost 2 testing123

 I get this output on the client side

 Sending Access-Request of id 207 to 127.0.0.1 port 1812
  User-Name = ldapuser
  User-Password = MTIxMjEyIA==
  NAS-IP-Address = 127.0.0.1
  NAS-Port = 2
 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=207,
 length=20

 AND this one on the radius server side:

 rad_recv: Access-Request packet from host 127.0.0.1 port 36725, id=207,
 length=60
  User-Name = ldapuser
  User-Password = MTIxMjEyIA==
  NAS-IP-Address = 127.0.0.1
  NAS-Port = 2
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 [suffix] No '@' in User-Name = ldapuser, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[unix] returns notfound
 ++[files] returns noop
 [ldap] performing user authorization for ldapuser
 [ldap]   expand: %{Stripped-User-Name} -> 
 [ldap]   expand: %{User-Name} -> ldapuser
 [ldap]   expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
 (uid=ldapuser)
 [ldap]   expand: dc=example,dc=com -> dc=example,dc=com
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to localhost:389, authentication 0
 rlm_ldap: bind as / to localhost:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in dc=example,dc=com, with filter (uid=ldapuser)
 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that
 the user is configured correctly?
 [ldap] Setting Auth-Type = LDAP
 [ldap] user ldapuser authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
 ++[ldap] returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
 [pap] WARNING! No known good password found for the user.
 Authentication may fail because of this.
 ++[pap] returns noop
 Found Auth-Type = LDAP
 +- entering group LDAP {...}
 [ldap] login attempt by ldapuser with password MTIxMjEyIA==
 [ldap] user DN: uid=ldapuser,ou=People,dc=example,dc=com
 rlm_ldap: (re)connect to localhost:389, authentication 1
 rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/MTIxMjEyIA==
 to localhost:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind failed with invalid credentials
 ++[ldap] returns reject
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
 [attr_filter.access_reject]  expand: %{User-Name} -> ldapuser
  attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request
 Waking up in 0.5 seconds.
 Sending delayed reject for request 0
 Sending Access-Reject of id 207 to 127.0.0.1 port 36725
 Waking up in 4.9 seconds.
 Cleaning up request 0 ID 207 with timestamp +1224
 Ready to process requests.

 Do you have any idea?
 Am I missing something?


 Regards,
 Max



-- 
:: P u r p l e   s r l
:: security and network
:: via Vittorio Veneto 8/B :: i-20091 Bresso - Milano
:: web: www.purplesrl.com

:: Massimiliano Tommasi
:: email: m.tomm...@purplesrl.com
:: phone: +39 02 36687280 :: fax: +39 02 700511249


Re: FreeRadius - LDAP

2011-07-20 Thread Massimiliano Tommasi


Freeradius + Ldap + SSL/TLS

2011-06-28 Thread RATSIMIVEH Remi
Hi,

I installed freeradius on a Debian machine. I have my users in LDAP
and I use that directory for authentication. But when I want
to use SSL or TLS for the connections between radius and ldap, I get this error

in the radius log (freeradius -X).
-
 [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap.corporate.com:1793, authentication 0
  [ldap] setting TLS CACert File to /etc/freradius/certs/RootCA.pem
  [ldap] setting TLS CACert Directory to /etc/freeradius/certs/
  [ldap] setting TLS Cert File to /etc/freeradius/certs/RootCA.crt
  [ldap] setting TLS Key File to /etc/freeradius/certs/SSLSubCA.pem
  [ldap] setting TLS Key File to /etc/freeradius/certs/
  [ldap] bind as uid=...,dc=...,dc=...,dc=.../pssword to
ldap.corporate.com:1793
  [ldap] waiting for bind result ...
  [ldap] ldap_result()
  [ldap] uid=...,dc=...,dc=...,dc=.../pssword to
ldap.corporate.com:1793failed: timeout
  [ldap] (re)connection attempt failed
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
-

i have in ldap.conf :

ldap {

server = ldap.corporate.com
port= 1793
...
tls {
# cacertfile= /path/to/cacert.pem
# cacertdir = /path/to/certs/
# certfile= /path/to/radius.crt
# keyfile= /path/to/radius.key
# randfile= /path/to/rnd
# require_cert= demand

 cacertfile= /etc/freradius/certs/RootCA.pem
 cacertdir= /etc/freeradius/certs/
 certfile= /etc/freeradius/certs/RootCA.crt
 keyfile= /etc/freeradius/certs/SSLSubCA.pem
 randfile= /etc/freeradius/certs/
 require_cert= allow

It's another team that manages this corporate LDAP.
This team asked me to import the Corporate.Root.CA and Corporate.SSL.CA to
be able to make SSL connections.
Until now my radius server did not use SSL connections. I don't know where
to put them...
Sorry for my English; replies in French are welcome.
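
The posted tls {} block is worth checking file by file before pointing radiusd at it: cacertfile is where the CA bundle the LDAP team handed over belongs (and the posted path spells the directory "freradius"), certfile and keyfile are the RADIUS server's own client certificate and key, which are only needed when the LDAP server demands client authentication (the block points them at CA certificates instead), and randfile names a directory where a file of random data is expected. The script below is an added example, not code from the thread or from FreeRADIUS: it parses the tls {} settings the way radiusd reads them (key = value, '#' comments) and checks that each path exists and contains the kind of PEM object the setting is for, and it flags require_cert = allow, under which a bad or unverifiable server certificate is still accepted. The filesystem is a dict so that it runs offline; the certificate contents are constructed stand-ins. It cannot tell a CA certificate from an end-entity certificate; that needs an X.509 parser.

```python
"""Preflight check for the files named in an rlm_ldap tls {} block.

Added example, not code from the thread or from FreeRADIUS.  The config
text mirrors the posted block with its paths as posted; the filesystem is a
dict (path -> contents, None for a directory) holding stand-in PEM data.
"""
import re
from typing import Dict, List, Optional

# setting -> PEM label it must contain, 'FILE' for any file, None for a directory
EXPECTS = {
    'cacertfile': 'CERTIFICATE',
    'certfile': 'CERTIFICATE',
    'keyfile': 'PRIVATE KEY',
    'randfile': 'FILE',
    'cacertdir': None,
}
SETTING_RE = re.compile(r'^(\w+)\s*=\s*(\S+)')
PEM_RE = re.compile(r'-----BEGIN ([A-Z ]+)-----')


def parse_tls_block(config: str) -> Dict[str, str]:
    """Settings inside the first tls { ... } block; '#' comments stripped."""
    settings: Dict[str, str] = {}
    depth, in_tls = 0, False
    for raw in config.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if not in_tls:
            if re.match(r'^tls\s*{', line):
                in_tls, depth = True, 1
            continue
        depth += line.count('{') - line.count('}')
        if depth <= 0:
            break
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_tls(settings: Dict[str, str], fs: Dict[str, Optional[str]]) -> List[str]:
    """Return the problems found; an empty list means the block passes."""
    problems = []
    for key, want in EXPECTS.items():
        if key not in settings:
            continue
        path = settings[key]
        if path not in fs:
            problems.append(f'{key}: {path} does not exist')
        elif want is None and fs[path] is not None:
            problems.append(f'{key}: {path} is not a directory')
        elif want is not None and fs[path] is None:
            problems.append(f'{key}: {path} is a directory, expected a file')
        elif want not in (None, 'FILE'):
            kinds = PEM_RE.findall(fs[path])
            if not any(want in k for k in kinds):
                problems.append(f'{key}: {path} holds {kinds or "no PEM object"}, '
                                f'expected {want}')
    # require_cert other than demand/hard lets a bad server certificate through
    if settings.get('require_cert', 'demand') not in ('demand', 'hard'):
        problems.append(f"require_cert = {settings['require_cert']}: a bad or "
                        'unverifiable server certificate would be accepted; use demand')
    return problems


# The posted block (paths as posted, including the misspelt directory).
CONFIG = """\
ldap {
        server = ldap.corporate.com
        port = 1793
        tls {
                # cacertfile = /path/to/cacert.pem
                cacertfile = /etc/freradius/certs/RootCA.pem
                cacertdir = /etc/freeradius/certs/
                certfile = /etc/freeradius/certs/RootCA.crt
                keyfile = /etc/freeradius/certs/SSLSubCA.pem
                randfile = /etc/freeradius/certs/
                require_cert = allow
        }
}
"""

CERT = '-----BEGIN CERTIFICATE-----\nMIIB...stand-in...\n-----END CERTIFICATE-----\n'
FS: Dict[str, Optional[str]] = {            # constructed view of /etc/freeradius/certs
    '/etc/freeradius/certs/': None,
    '/etc/freeradius/certs/RootCA.pem': CERT,
    '/etc/freeradius/certs/RootCA.crt': CERT,
    '/etc/freeradius/certs/SSLSubCA.pem': CERT,
}

if __name__ == '__main__':
    for problem in check_tls(parse_tls_block(CONFIG), FS):
        print('-', problem)
```

Against a live host, build the dict from os.path.isdir() and open().read() for each path the block names. Once the CA bundle is in place under cacertfile and the handshake works, set require_cert = demand so that the LDAP server's certificate is actually verified.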

freeradius+ldap: Invalid DN syntax

2011-04-02 Thread ziko
Hello. 
I am using Freeradius 2 with openldap 2.3.43 on my CentOS 5.

My OpenLDAP works great without freeradius, and freeradius works without ldap.

But I can't connect ldap and freeradius.

my ldapsearch output:

ldapsearch -x
# extended LDIF
#
# LDAPv3
# base dc=my-domain,dc=com (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# my-domain.com
dn: dc=my-domain,dc=com
objectClass: organization
objectClass: dcObject
dc: my-domain
o: my-domain

# People, my-domain.com
dn: ou=People,dc=my-domain,dc=com
objectClass: organizationalUnit
ou: People

# group, my-domain.com
dn: ou=group,dc=my-domain,dc=com
objectClass: organizationalUnit
ou: group

# machines, my-domain.com
dn: ou=machines,dc=my-domain,dc=com
objectClass: organizationalUnit
ou: machines

# office, group, my-domain.com
dn: cn=office,ou=group,dc=my-domain,dc=com
objectClass: posixGroup
description: office group
gidNumber: 1
cn: office

# gchkhetiani, People, my-domain.com
dn: uid=gchkhetiani,ou=People,dc=my-domain,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/gchkhetiani
loginShell: /bin/bash
uid: gchkhetiani
cn:: 4YOS4YOY4YOd4YOg4YOS4YOYIOGDqeGDruGDlOGDouGDmOGDkOGDnOGDmA==
uidNumber: 1
gidNumber: 1
sn:: 4YOp4YOu4YOU4YOi4YOY4YOQ4YOc4YOY
givenName:: 4YOS4YOY4YOd4YOg4YOS4YOY

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6







my /etc/raddb/modules/ldap:

ldap {
#
#  Note that this needs to match the name in the LDAP
#  server certificate, if you're using ldaps.
server = server2.**.ge
identity = cn=Manager,dc=my-domain,dc=com
password = **
basedn = dn=my-domain,dn=com
filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})



radtest command:
radtest gchkhetiani   localhost 2 testing123


radiusd -X output:

[ldap] performing user authorization for gchkhetiani
[ldap] expand: %{Stripped-User-Name} -> 
[ldap] expand: %{User-Name} -> gchkhetiani
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(uid=gchkhetiani)
[ldap] expand: dn=my-domain,dn=com -> dn=my-domain,dn=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to server2.**.ge:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=my-domain,dc=com/** to server2.**.ge:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dn=my-domain,dn=com, with filter 
(uid=gchkhetiani)
rlm_ldap: ldap_search() failed: Invalid DN syntax
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail
Invalid user: [gchkhetiani/svani] (from client localhost port 2)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> gchkhetiani
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 218 to 127.0.0.1 port 35291


There is rlm_ldap: ldap_search() failed: Invalid DN syntax error. How can I fix 
it?

Re: freeradius+ldap: Invalid DN syntax

2011-04-02 Thread James J J Hooper

On 02/04/2011 18:29, ziko wrote:

Hello.
I am using Freeradius 2 with openldap 2.3.43 on my CentOS 5.

My OpenLDAP works great without freeradius, and freeradius works without ldap.

But I can't connect ldap and freeradius.

my ldapsearch output:

ldapsearch -x
# extended LDIF
#
# LDAPv3
# base dc=my-domain,dc=com (default) with scope subtree

..^^...^^


my /etc/raddb/modules/ldap:

ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = server2.**.ge
identity = cn=Manager,dc=my-domain,dc=com
password = **
basedn = dn=my-domain,dn=com

^^...^^

radiusd -X output:


.

rlm_ldap: performing search in dn=my-domain,dn=com, with filter
(uid=gchkhetiani)
rlm_ldap: ldap_search() failed: Invalid DN syntax




There is rlm_ldap: ldap_search() failed: Invalid DN syntax error. How can
I fix it?



...configure the basedn correctly!!
wrong:   basedn = dn=my-domain,dn=com
correct: basedn = dc=my-domain,dc=com

-James
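
The mistake is easy to make because "dn" is a syntactically valid attribute-type name; what OpenLDAP objects to is that no such attribute type exists in its schema, which is why the bind succeeds and only the search fails. The script below is an added example, not code from the thread or from FreeRADIUS: it parses DNs in RFC 4514 string form (escaped commas, multi-valued RDNs), normalizes them, and checks a configured basedn against the dn: lines of an LDIF dump of the directory, pointing at the attribute-type mismatch when the values line up with an existing entry. The LDIF is constructed from the tree shown in the question.

```python
"""Parse and normalize LDAP DNs, and check an rlm_ldap basedn against the
DNs a directory really holds.

Added example, not code from the thread or from FreeRADIUS.  The LDIF below
is constructed from the ldapsearch output in the question; only its dn:
lines are used.
"""
import re
from typing import List, Tuple

RDN = List[Tuple[str, str]]       # one RDN may carry several type=value pairs joined by '+'
TYPE_RE = re.compile(r'[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*')   # descriptor or OID


def split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep, keeping backslash-escaped separators inside a value."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append(''.join(cur))
    return parts


def parse_dn(dn: str) -> List[RDN]:
    """Normalize: attribute types lower-cased, values trimmed and case-folded
    (fine for caseIgnore types such as dc, ou and cn), RDN components sorted."""
    rdns = []
    for rdn in split_unescaped(dn, ','):
        pairs = []
        for ava in split_unescaped(rdn, '+'):
            if '=' not in ava:
                raise ValueError(f'RDN component without "=": {ava!r}')
            t, v = ava.split('=', 1)
            t = t.strip()
            if not TYPE_RE.fullmatch(t):
                raise ValueError(f'bad attribute type {t!r} in {dn!r}')
            pairs.append((t.lower(), v.strip().lower()))
        rdns.append(sorted(pairs))
    return rdns


def ldif_dns(ldif: str) -> List[List[RDN]]:
    """DNs of all entries in an LDIF dump (base64 'dn::' lines are skipped)."""
    return [parse_dn(line[3:]) for line in ldif.splitlines()
            if line.startswith('dn:') and not line.startswith('dn::')]


def check_basedn(basedn: str, ldif: str) -> str:
    """'ok' if basedn names an existing entry, otherwise a diagnostic.  When an
    entry has the same values under different attribute types, name it."""
    want, have = parse_dn(basedn), ldif_dns(ldif)
    if want in have:
        return 'ok'
    for cand in have:
        if len(cand) == len(want) and all(
                [v for _, v in a] == [v for _, v in b] for a, b in zip(want, cand)):
            fixed = ','.join('+'.join(f'{t}={v}' for t, v in r) for r in cand)
            return f'attribute types wrong: {basedn!r} should be {fixed!r}'
    return f'{basedn!r} does not match any entry in the directory'


# Constructed LDIF, reduced from the ldapsearch output in the question.
LDIF = """\
dn: dc=my-domain,dc=com
objectClass: dcObject

dn: ou=People,dc=my-domain,dc=com
objectClass: organizationalUnit

dn: uid=gchkhetiani,ou=People,dc=my-domain,dc=com
objectClass: inetOrgPerson
"""

if __name__ == '__main__':
    for basedn in ('dn=my-domain,dn=com', 'dc=my-domain,dc=com',
                   'OU=People, DC=my-domain, DC=com'):
        print(f'{basedn:35} -> {check_basedn(basedn, LDIF)}')
```

Feed it the output of ldapsearch -x (as the question shows) and the basedn from the module file; it is a cheap check to run whenever rlm_ldap reports "Invalid DN syntax" or "No such object" on the search right after a successful bind.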


Re: freeradius+ldap: Invalid DN syntax

2011-04-02 Thread ziko
Thank you very much! 
I am new to ldap :(
thank you it works now!


Re: Freeradius Ldap

2011-03-22 Thread Usuário do Sistema
Hello everyone,


after a long time my freeradius is working with LDAP.

The problem was that I hadn't installed Samba.

My aim is to use freeradius to authenticate my wireless users with
EAP-TLS. As I'm using MSCHAP, the attributes
SambaNTPassword and SambaLMPassword are necessary, so Samba and LDAP need to be installed.

I'm using freeradius version 2.1.7 on Red Hat Enterprise 5.6


Thanks Joaocdc!!


Freeradius Ldap

2011-03-21 Thread Usuário do Sistema
Hello everyone, I'm having difficulty with freeradius and LDAP.

User authentication only works when I put the User-Password in clear text
in the users file, as follows.

maicon.pereira	Cleartext-Password := "meleca"
	Reply-Message = "Hello, %{User-Name}"
however, my integration between Freeradius and Ldap isn't working.

My question is: is it possible to make the integration? because I've
read that freeradius needs LDAP to supply the User-Password in clear text.

is it true ??

I wish to use LDAP as the authentication database.


thanks!

Re: Freeradius Ldap

2011-03-21 Thread joao...@gmail.com
Maicon,

since I saw "Pereira" in your name, I assume you are from Brazil, so I will
answer your question in Portuguese.

1. Yes, freeradius integrates perfectly with LDAP.

2. Which LDAP directory are you using? OpenLDAP, Active Directory?

3. How is your ldap module file configured? That is where you define the
LDAP search tree.

4. From where are you trying to authenticate? Windows, Linux, Mac
(or are you testing with the radtest and eapol_test utilities)?

5. To help, post the debug output of your freeradius here (just run
freeradius with the command freeradius -X).

With that information I believe I can help you.


Cheers.

Regards,

-- 
João Paulo de Lima Barbosa
Phone: (45) 9938-8399
Blog: http://joao.us
Twitter: @joaocdc

The mistake of those who have power is to put up barriers so that nobody reaches them,
which encourages us to look for every way we can find to reach them.

Re: Freeradius Ldap

2011-03-21 Thread Sven Hartge
Usuário do Sistema <maico...@ig.com.br> wrote:

 Hello everyone, I'm dificult with freeradius and LDAP.

 the user autheticate only it's work when I put in the user file
 User-Password clear text as follow.

 maicon.pereira	Cleartext-Password := "meleca"
 	Reply-Message = "Hello, %{User-Name}"
 however, my integration between Freeradius and Ldap it isn't working.

 My question is: there is possible to make the intragation?? because
 I've read that freeradius needs supply to ldap User-Password clear
 text.

 it's true ??

That depends. If you want to use _any_ Challenge-Handshake auth method
like MSCHAPv2 for wireless LAN you need to supply a cleartext password.

If you only want to use PAP, you can keep using ldap_bind() and an
encrypted/hashed password.

[-- text/html, encoding quoted-printable, charset: ISO-8859-1, 30 lines --]

Ugh.

Grüße,
Sven.

-- 
Sig lost. Core dumped.


Re: freeRadius/LDAP per NAS access

2011-03-08 Thread Guy

On 7 Mar 2011, at 22:14, Alexander Clouter wrote:

 Guy g...@britewhite.net wrote:
 
 I now have FreeRadius granting access and using LDAP for username and 
 password information.
 
 My next challenge, using the same Radius and LDAP server I would like 
 to grant different users access via different NAS clients.
 
 eg in LDAP I would have:
 
 uid=guy
 services: VPN
 services: WiFi
 
 If I have the services: VPN then I would be allowed to connect to 
 the VPN server and if I don't have that entry in my LDIF then it would 
 not be allowed to access.
 
 Any ideas on how to do this, simply?
 
 ...Dear Lazyweb eh?  You should really *attempt* to try, or show you 
 have attempted something, 

Dear Teacher, just like back at school Please show your working.. :)

I did spend quite some time searching for the answer, however documentation 
end-to-end seems to be a little lacking.

 
 http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59481.html
 http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.html
 
 Now use %{client:keyword} in your LDAP xlat search query...
 

Thanks for the hints.. I've now got this to work...

In modules/ldap

I changed filter to:

filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(authorizedService=%{client:service}))"

Then in clients.conf.. just added an entry to each client:

client VPN_Server {
secret  = ssshhh!
shortname   = vpn
nastype  = other
service = VPN
}


And finally for each user in the LDAP database I add the entry:

authorizedService: VPN


That's it I can now control access to each client via VPN data.


 To be honest though, your approach *abuses* LDAP, you should be adding 
 them to a *group*, not bloating-up and overloading the user object; 
 otherwise you might as well use something horrible like SQL...
 

I would argue that point most strongly but this is not the place..

Thanks again for the help

--Guy
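As an added example (not from the thread or from the FreeRADIUS project), the following Python model shows what the filter and clients.conf entries above do on each request, plus the check a practitioner would want here: the User-Name is interpolated into the LDAP filter and must be escaped per RFC 4515 before that happens (FreeRADIUS escapes ldap xlats itself; escape=False shows what the raw name would do). The directory entries, client table and user names are constructed sample data.

```python
"""Added example, not from the list thread or the FreeRADIUS project.

Model of per-NAS authorisation through the ldap module filter
  (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(authorizedService=%{client:service}))
where `service` is a custom keyword on the clients.conf entry the request came in on.
DIRECTORY, CLIENTS and the user names in the demo are constructed sample data.
"""
import re

# LDAP filter metacharacters (RFC 4515 section 3) that must be written as \xx.
_SPECIAL = "*()\\\x00"


def ldap_escape(value: str) -> str:
    """Escape an assertion value so it is matched literally inside a filter."""
    return "".join("\\%02x" % ord(c) if c in _SPECIAL else c for c in value)


def build_conjuncts(user_name: str, service: str, stripped_user_name: str = None,
                    escape: bool = True):
    """The filter as (attribute, assertion-value) pairs.

    `stripped_user_name or user_name` mirrors %{%{Stripped-User-Name}:-%{User-Name}}.
    escape=False mimics naive concatenation of the raw User-Name into the filter.
    """
    uid = stripped_user_name or user_name
    esc = ldap_escape if escape else (lambda s: s)
    return [("uid", esc(uid)), ("authorizedService", esc(service))]


def render_filter(conjuncts) -> str:
    """Render the pairs in RFC 4515 syntax, e.g. (&(uid=guy)(authorizedService=VPN))."""
    return "(&" + "".join("(%s=%s)" % (a, v) for a, v in conjuncts) + ")"


def _assertion_regex(pattern: str):
    """Compile an assertion value the way a directory would read it:
    a bare '*' is a wildcard, a '\\xx' sequence is one literal character."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 2 < len(pattern):
            parts.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif pattern[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


def entry_matches(entry: dict, conjuncts) -> bool:
    """True when every (attribute, value) assertion matches some value of the entry."""
    for attr, pattern in conjuncts:
        rx = _assertion_regex(pattern)
        if not any(rx.fullmatch(v) for v in entry.get(attr, [])):
            return False
    return True


# Constructed sample directory: one dict per entry, attribute -> list of values.
DIRECTORY = [
    {"uid": ["guy"], "authorizedService": ["VPN", "WiFi"]},
    {"uid": ["alice"], "authorizedService": ["WiFi"]},
    {"uid": ["svc-backup"], "authorizedService": []},
]

# Constructed clients.conf equivalents: shortname -> the custom `service` keyword.
CLIENTS = {"vpn": "VPN", "ap-lobby": "WiFi"}


def authorize(user_name: str, client_shortname: str, escape: bool = True) -> bool:
    """Would the ldap module find an entry for this User-Name on this NAS?"""
    service = CLIENTS[client_shortname]
    conj = build_conjuncts(user_name, service, escape=escape)
    return any(entry_matches(e, conj) for e in DIRECTORY)


if __name__ == "__main__":
    for user, client in (("guy", "vpn"), ("alice", "vpn"), ("alice", "ap-lobby")):
        print(render_filter(build_conjuncts(user, CLIENTS[client])), "->", authorize(user, client))
    # Why escaping matters: a User-Name of "*" must not act as a wildcard.
    print("escaped   :", authorize("*", "vpn"))
    print("unescaped :", authorize("*", "vpn", escape=False))
```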


freeRadius/LDAP per NAS access

2011-03-07 Thread Guy
Hi all,

I now have FreeRadius granting access and using LDAP for username and password 
information.

My next challenge, using the same Radius and LDAP server I would like to grant 
different users access via different NAS clients.

eg in LDAP I would have:

uid=guy
services: VPN
services: WiFi

If I have the services: VPN then I would be allowed to connect to the VPN 
server and if I don't have that entry in my LDIF then it would not be allowed 
to access.

Any ideas on how to do this, simply?

Thanks
---Guy




Re: freeRadius/LDAP per NAS access

2011-03-07 Thread Alexander Clouter
...Dear Lazyweb eh?  You should really *attempt* to try, or show you 
have attempted something, 
 
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59481.html
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.html

Now use %{client:keyword} in your LDAP xlat search query...

To be honest though, your approach *abuses* LDAP, you should be adding 
them to a *group*, not bloating-up and overloading the user object; 
otherwise you might as well use something horrible like SQL...

Cheers

-- 
Alexander Clouter
.sigmonster says: A woman can never be too rich or too thin.



Freeradius + LDAP for WPA-Enterprise

2011-02-11 Thread Max Schröder

Hello to all,

I would like to use Freeradius to authenticate my wireless network using 
OpenWRT and Freeradius + LDAP. What I've done:


First I authenticated users in the WLAN using EAP-TTLS and files in 
Freeradius. WORKED! Then I configured the ldap module + added ldap in 
the authorize section and Auth-Type LDAP { ldap } in the 
authenticate section. The test via radtest succeeded.


But now the authentication using OpenWRT (EAP-TTLS) like the first try 
with files - now with ldap - did not work. I did notice the following comment


# Note that this means check plain-text password against
# the ldap database, which means that EAP won't work,
# as it does not supply a plain-text password.
Auth-Type LDAP { ldap }

but I don't know what to change so that it works like my first try, with 
the difference that the users are in LDAP instead of a file.


Hope to get any hints

Best regards.
MS


RE: Freeradius + LDAP for WPA-Enterprise

2011-02-11 Thread Gary Gatten
I'm barely a novice with FR, so take this with a grain of salt:

You forced ALL Authentication requests to use LDAP.  EAP / LDAP don't play well 
together.  Remove the Auth Type LDAP - for now.

You almost never want to set the Auth-Type directly, FR figures it out from 
the request.  For testing and troubleshooting it's OK, and if you really know 
what the consequences are it's OK, but generally speaking don't set the auth 
type.

As for accomplishing your goal, unfortunately others will have to help you with 
that - I don't know FR/LDAP/EAP well enough.  But, I don't THINK you can 
authenticate EAP requests against LDAP directly because of the no clear text 
password issue.

Gary


Re: Freeradius + LDAP for WPA-Enterprise

2011-02-11 Thread Vinicius Teixeira Coelho
Hello, I'm trying to do the same thing. I know I have to use winbind and
samba to get it, but in reading the news I found this for freeradius 2.1: "Added
Password-With-Header == userPassword to raddb/ldap.attrmap. This will
automatically convert more passwords."

[]'s
--
Vinicius Teixeira Coelho

Registered Linux User #469313
The Ubuntu Counter Project - user number # 21463
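As an added example (not from the thread or the FreeRADIUS project), here is a Python model of the point Sven makes above and of the Password-With-Header mapping Vinicius quotes: when userPassword is mapped to Password-With-Header, FreeRADIUS splits the {SCHEME} prefix off the stored value, and that scheme decides which authentication methods can be verified. The model checks a PAP attempt against cleartext, {SHA} and {SSHA} values and reports that a hashed value can never satisfy CHAP or MSCHAPv2; all userPassword values and the NT-hash string are constructed samples.

```python
"""Added example, not from the list thread or the FreeRADIUS project.

Model of what an LDAP userPassword value lets a RADIUS server verify once
Password-With-Header is mapped to userPassword: the {SCHEME} prefix is split
off and decides which authentication methods can be checked against it.
All stored values used here are constructed samples.
"""
import base64
import hashlib
import hmac
import os

CLEAR_HEADERS = {"", "{CLEAR}", "{CLEARTEXT}"}  # no header means cleartext
HASH_HEADERS = {"{SHA}", "{SSHA}", "{MD5}", "{SMD5}", "{CRYPT}"}
NT_HEADERS = {"{NT}"}  # MD4 of the UTF-16LE password, the value MSCHAPv2 works from


def split_header(value: str):
    """Return (HEADER, payload); HEADER is '' for a bare cleartext value."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[: end + 1].upper(), value[end + 1:]
    return "", value


def supported_methods(value: str) -> set:
    """RADIUS authentication methods that can be verified against this stored value."""
    header, _ = split_header(value)
    if header in CLEAR_HEADERS:
        return {"PAP", "CHAP", "MSCHAPv2"}  # anything, incl. PEAP / EAP-TTLS inner methods
    if header in NT_HEADERS:
        return {"PAP", "MSCHAPv2"}  # the NT hash is all MSCHAPv2 needs; CHAP needs cleartext
    if header in HASH_HEADERS:
        return {"PAP"}  # only a cleartext attempt can be re-hashed and compared
    return set()  # unknown scheme: nothing can be verified


def verify_pap(value: str, attempt: str) -> bool:
    """Check a cleartext (PAP) attempt against a cleartext, {SHA} or {SSHA} value."""
    header, payload = split_header(value)
    if header in CLEAR_HEADERS:
        return hmac.compare_digest(payload.encode(), attempt.encode())
    if header == "{SHA}":
        return hmac.compare_digest(base64.b64decode(payload),
                                   hashlib.sha1(attempt.encode()).digest())
    if header == "{SSHA}":
        raw = base64.b64decode(payload)  # SHA1(password + salt) followed by the salt
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(attempt.encode() + salt).digest())
    return False  # schemes this model does not re-hash ({NT} needs MD4, {CRYPT} needs crypt)


def make_ssha(password: str, salt: bytes = None) -> str:
    """Build an OpenLDAP-style {SSHA} value for the sample directory."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def make_sha(password: str) -> str:
    """Build an unsalted {SHA} value (still found in older directories)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


if __name__ == "__main__":
    samples = ("letmein", "{clear}letmein", make_sha("letmein"), make_ssha("letmein"),
               "{NT}0123456789abcdef0123456789abcdef")  # constructed placeholder NT hash
    for stored in samples:
        print("%-48s PAP ok=%-5s methods=%s" % (
            stored, verify_pap(stored, "letmein"), sorted(supported_methods(stored))))
```

EAP-TTLS with PAP as the inner method carries the cleartext password inside the TLS tunnel, so it stays in the PAP column of this model; PEAP/MSCHAPv2 and EAP-TTLS/MSCHAPv2 are the ones that need a cleartext or NT-hash value in the directory.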

RE: Freeradius + LDAP for WPA-Enterprise

2011-02-11 Thread Sallee, Stephen (Jake)
 As for accomplishing your goal, unfortunately others will have to help you 
 with that - I don't know FR/LDAP/EAP well enough.  But, I don't THINK you 
 can authenticate EAP requests against LDAP directly because of the no clear 
 text password issue.

I think he is right ... I know that we had to use the ntlm_auth exec module ... 
is there a reason you are doing EAP instead of PEAP?

PEAP/MSCHAPv2 or PEAP/TTLS work great with Linux hosts ... even Macs (which are 
nothing more than bastardized Linux boxes). Windows hosts require a bit of 
configuring on the client to make it work, but then they work too.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


RE: Freeradius + LDAP for WPA-Enterprise

2011-02-11 Thread Gary Gatten
Yeah, but that's SAMBA - not LDAP.  ("Added Password-With-Header == 
userPassword to raddb/ldap.attrmap") sounds interesting!

Re: Freeradius + LDAP for WPA-Enterprise

2011-02-11 Thread Vinicius Teixeira Coelho
Yes, but your samba is using the ldap

[]'s
--
Vinicius Teixeira Coelho

Registered Linux User #469313
The Ubuntu Counter Project - user number # 21463

Re: Freeradius + LDAP for WPA-Enterprise

2011-02-11 Thread Gary Gatten
I don't think ntlm_auth makes any ldap calls.

Re: Freeradius + LDAP for WPA-Enterprise

2011-02-11 Thread Max Schröder

Gary Gatten wrote:

 You forced ALL Authentication requests to use LDAP.  EAP / LDAP don't play well together. 
 Remove the Auth Type LDAP - for now.

If I remove that, radtest fails for an LDAP user. It returns a 
Reject message.

 As for accomplishing your goal, unfortunately others will have to help you with that - I 
 don't know FR/LDAP/EAP well enough.  But, I don't THINK you can authenticate EAP requests 
 against LDAP directly because of the no clear text password issue.

How else would you authenticate WPA(2)-Enterprise with Radius using 
LDAP accounts?


RE: Freeradius + LDAP for WPA-Enterprise

2011-02-11 Thread Gary Gatten
We just started using WPA2-Enterprise.  We use SAMBA / ntlm_auth / AD.  I 
honestly don't know if / how you can do it using pure LDAP.  Someone else 
posted something about new LDAP attributes that may work, but that's way over 
my head.  Maybe if you use certs instead of uname/passwords it will work with 
pure LDAP?  Sorry I can't help much

G


RE: Freeradius + LDAP for WPA-Enterprise

2011-02-11 Thread Gary Gatten
PS: We also use ntlm_auth for 802.1x.  All the docs I read and the comments 
within the various FR files say EAP and LDAP won't work - for Authentication.  
Authorization should be fine.

G


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Max Schröder
Sent: Friday, February 11, 2011 2:31 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius + LDAP for WPA-Enterprise

Gary Gatten wrote:
 You forced ALL Authentication requests to use LDAP.  EAP / LDAP don't play 
 well together.  Remove the Auth Type LDAP - for now.
   
If I remove that, the radtest fails for an LDAP user. It returns a
rejected message.
 As for accomplishing your goal, unfortunately others will have to help you 
 with that - I don't know FR/LDAP/EAP well enough.  But, I don't THINK you can 
 authenticate EAP requests against LDAP directly because of the no clear text 
 password issue.
   
How else would you authenticate WPA(2)-Enterprise with RADIUS using
LDAP accounts?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + LDAP for WPA-Enterprise

2011-02-11 Thread schilling
If you want to use LDAP as the authentication source, you either have the
plaintext password in LDAP or the ntPassword hash stored in LDAP.  You can
search the list for my name; I recently got both EAP/PEAP against Active
Directory w/ ntlm_auth and against LDAP w/ ntPassword. I
posted my configuration on the list.  I am using PEAP because we
don't want to install a third-party supplicant.


Schilling

On Fri, Feb 11, 2011 at 3:44 PM, Gary Gatten ggat...@waddell.com wrote:
 PS: We also use ntlm_auth for 802.1x.  All the docs I read and the comments 
 within the various FR files say EAP and LDAP won't work - for Authentication. 
  Authorization should be fine.

 G


 -Original Message-
 From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
 [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
 Behalf Of Max Schröder
 Sent: Friday, February 11, 2011 2:31 PM
 To: FreeRadius users mailing list
 Subject: Re: Freeradius + LDAP for WPA-Enterprise

 Gary Gatten wrote:
 You forced ALL Authentication requests to use LDAP.  EAP / LDAP don't play 
 well together.  Remove the Auth Type LDAP - for now.

 If I remove that, the radtest fails for an LDAP user. It returns a
 rejected message.
 As for accomplishing your goal, unfortunately others will have to help you 
 with that - I don't know FR/LDAP/EAP well enough.  But, I don't THINK you 
 can authenticate EAP requests against LDAP directly because of the no clear 
 text password issue.

 How else would you authenticate WPA(2)-Enterprise with RADIUS using
 LDAP accounts?
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html







 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + LDAP for WPA-Enterprise

2011-02-11 Thread Vinicius Teixeira Coelho
This is great, I will search.

Sent via iPhone

On 11/02/2011, at 19:04, schilling schilling2...@gmail.com wrote:

 If you want to use LDAP as the authentication source, you either have the
 plaintext password in LDAP or the ntPassword hash stored in LDAP.  You can
 search the list for my name; I recently got both EAP/PEAP against Active
 Directory w/ ntlm_auth and against LDAP w/ ntPassword. I
 posted my configuration on the list.  I am using PEAP because we
 don't want to install a third-party supplicant.
 
 
 Schilling
 
 On Fri, Feb 11, 2011 at 3:44 PM, Gary Gatten ggat...@waddell.com wrote:
 PS: We also use ntlm_auth for 802.1x.  All the docs I read and the comments 
 within the various FR files say EAP and LDAP won't work - for 
 Authentication.  Authorization should be fine.
 
 G
 
 
 -Original Message-
 From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
 [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] 
 On Behalf Of Max Schröder
 Sent: Friday, February 11, 2011 2:31 PM
 To: FreeRadius users mailing list
 Subject: Re: Freeradius + LDAP for WPA-Enterprise
 
 Gary Gatten wrote:
 You forced ALL Authentication requests to use LDAP.  EAP / LDAP don't play 
 well together.  Remove the Auth Type LDAP - for now.
 
 If I remove that, the radtest fails for an LDAP user. It returns a
 rejected message.
 As for accomplishing your goal, unfortunately others will have to help you 
 with that - I don't know FR/LDAP/EAP well enough.  But, I don't THINK you 
 can authenticate EAP requests against LDAP directly because of the no 
 clear text password issue.
 
 How else would you authenticate WPA(2)-Enterprise with RADIUS using
 LDAP accounts?
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 
 
 
 
 
 
 
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius + ldap

2010-12-03 Thread Josip Rodin
On Thu, Dec 02, 2010 at 03:48:34PM +0100, Josip Rodin wrote:
  The configuration that work:
  
  ldap ldapPerson{
 set_auth_type = yes
  }
 
 I think this is the catch. I don't have this particular option in my config,
 but I see now that it looks like they're all 2.1.8.

I re-checked the documentation and I see now that it had nothing to do
with versions, but a simple fact that the LDAP module defers to
any other Auth-Type - and you had a PAP handler there.

-- 
 2. That which causes joy or happiness.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius + ldap

2010-12-02 Thread Ana Gallardo
Josip, thanks for your response.


Add LDAP into the authenticate section, so that it simply tries to re-bind
 with the provided credentials? Like this:

Auth-Type LDAP {
ldapPerson
}


I tried this configuration too, but it doesn't work for me. FreeRADIUS doesn't
set the value of the Auth-Type attribute. I think that this is because the
userPassword attribute is only visible to each particular user when they bind.

rad_recv: Access-Request packet from host X.X.X.X port 49621, id=130,
length=58
User-Name = aigalla...@unex.es
User-Password = 
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm unex.es for User-Name = aigalla...@unex.es
[suffix] Found realm unex.es
[suffix] Adding Stripped-User-Name = aigallardo
[suffix] Adding Realm = unex.es
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] expand: %{Stripped-User-Name} - aigallardo
[ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=aigallardo)
[ldapPerson] expand: ou=people,dc=unex,dc=es - ou=people,dc=unex,dc=es
  [ldapPerson] ldap_get_conn: Checking Id: 0
  [ldapPerson] ldap_get_conn: Got Id: 0
  [ldapPerson] attempting LDAP reconnection
  [ldapPerson] (re)connect to ldap.unex.es:389, authentication 0
  [ldapPerson] bind as / to ldap.unex.es:389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
  [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter
(uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
  [ldapPerson] gecos - Nombre-Completo = Ana-Isabel Gallardo Gomez,Dpto.
Tecno. Computadores y Comuni.,,
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
  [ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
} # server test


Thank you very much and sorry for my English.



++ Ana Gallardo Gómez ++
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius + ldap

2010-12-02 Thread Josip Rodin
On Thu, Dec 02, 2010 at 09:09:51AM +0100, Ana Gallardo wrote:
  Add LDAP into the authenticate section, so that it simply tries to re-bind
  with the provided credentials? Like this:
 
 Auth-Type LDAP {
 ldapPerson
 }
 
 
 I tried this configuration too, but it doesn't work for me. FreeRADIUS doesn't
 set the value of the Auth-Type attribute. I think that this is because the
 userPassword attribute is only visible to each particular user when they bind.

This is an orthogonal issue; you don't have to allow anyone to read the
value of the userPassword attribute, you just have to get the FR ldap
module to *bind* to the LDAP server with the username and password from
the request. Then the LDAP server verifies it against whatever it needs
in the background, and you don't care.

 # Executing section authorize from file /etc/freeradius/sites-enabled/test
 +- entering group authorize {...}
   [ldapPerson] bind as / to ldap.unex.es:389
   [ldapPerson] waiting for bind result ...
   [ldapPerson] Bind was successful

This is log output for an anonymous bind in authorize section (bind as /
to means bind as no user/no password). What is the output for the
authenticated bind, that happens in the authenticate section?

-- 
 2. That which causes joy or happiness.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius + ldap

2010-12-02 Thread Ana Gallardo
Hello again. Ok, now I can authenticate a user using LDAP.

I'm using FreeRADIUS 2.1.10 and I want to use LDAP as a backend in the
 authorize section to take the userPassword attribute (unix crypt) to
 authenticate the user.

My problem is: the LDAP server doesn't have a public key that an admin user (who
 binds) can take. So I have to bind in the authorize section with the user and
 password (clear text) from the request.

Is this possible?


I have read that this is not ok

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html


 What are my possibilities?


I think that what I can do is:
- in the authorize section, bind as an anonymous user and take the public
attributes that I need to authorize the user.
- in the authenticate section, bind as the user who wants access.

The configuration that works:


LDAP MODULE

ldap ldapPerson{
   server = xxx
   basedn = ou=people,dc=unex,dc=es
   filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   tls {
  start_tls = no
   }
   dictionary_mapping = ${confdir}/ldapPerson.attrmap
   edir_account_policy_check = no
   set_auth_type = yes
}

SERVER

server test{

authorize {
  suffix
  files
  ldapPerson
  expiration
  update control {
 Auth-Type := LDAP
  }
}

authenticate {
  Auth-Type LDAP {
ldapPerson
  }
}

}

DEBUG


rad_recv: Access-Request packet from host x.x.x.x port 48259, id=145,
length=58
User-Name = aigalla...@unex.es
User-Password = 
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm unex.es for User-Name = aigalla...@unex.es
[suffix] Found realm unex.es
[suffix] Adding Stripped-User-Name = aigallardo
[suffix] Adding Realm = unex.es
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] expand: %{Stripped-User-Name} - aigallardo
[ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=aigallardo)
[ldapPerson] expand: ou=people,dc=unex,dc=es - ou=people,dc=unex,dc=es
  [ldapPerson] ldap_get_conn: Checking Id: 0
  [ldapPerson] ldap_get_conn: Got Id: 0
  [ldapPerson] attempting LDAP reconnection
  [ldapPerson] (re)connect to x.x.x.x:389, authentication 0
  [ldapPerson] bind as / to x.x.x.x:389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
  [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter
(uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
  [ldapPerson] gecos - Nombre-Completo = Ana-Isabel Gallardo Gomez...
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
  [ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
++[control] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/test
+- entering group LDAP {...}
[ldapPerson] login attempt by aigallardo with password 
[ldapPerson] user DN: uid=aigallardo,ou=People,dc=unex,dc=es
  [ldapPerson] (re)connect to x.x.x.x:389, authentication 1
  [ldapPerson] bind as uid=aigallardo,ou=People,dc=unex,dc=es/x to
x.x.x.x:389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
[ldapPerson] user aigallardo authenticated succesfully
++[ldapPerson] returns ok
} # server test
Sending Access-Accept of id 145 to x.x.x.x port 48259
Nombre-Completo = Ana-Isabel Gallardo Gomez...


I don't know if this is the best way to solve my problem; if someone has
something better, I would like to know.

Thank you very much and sorry for my English.



++ Ana Gallardo Gómez ++
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
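The two debug runs in Ana's posts show the whole diagnosis in the log itself: in the failing run the only bind is the anonymous one from the authorize section ("bind as / to ..."), rlm_ldap warns that no known-good password was found, rlm_pap returns noop, and the request dies with "No authenticate method (Auth-Type) found"; in the working run "Found Auth-Type = LDAP" is followed by a second bind as the user's DN with the password from the request, and the directory does the verification. The Python below is an added example, not code from this thread or from FreeRADIUS: a small triage of `radiusd -X` output that pulls out those markers and states the reason for a reject. The three sample runs are constructed from the message shapes on this page, with hostnames, users and ids replaced by placeholders; the third mirrors the "Unprintable characters in the password" warning Alan DeKok points at further down the page.

```python
"""Triage of radiusd -X debug output for the LDAP authorize/authenticate flow (added example)."""
import re

# Constructed sample: anonymous authorize bind, no readable password, no Auth-Type set.
REJECT_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 38152, id=201, length=58
        User-Name = "user@example.org"
        User-Password = "***"
+- entering group authorize {...}
[suffix] Adding Stripped-User-Name = "user"
[ldapPerson] performing user authorization for user
  [ldapPerson] bind as / to ldap.example.org:389
  [ldapPerson] Bind was successful
WARNING: No known good password was found in LDAP.  Are you sure that the user is configured correctly?
++[ldapPerson] returns ok
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
"""

# Constructed sample: rlm_ldap set Auth-Type, then bound as the user in authenticate.
ACCEPT_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 48259, id=145, length=58
+- entering group authorize {...}
[ldapPerson] performing user authorization for user
  [ldapPerson] bind as / to ldap.example.org:389
  [ldapPerson] Bind was successful
WARNING: No known good password was found in LDAP.  Are you sure that the user is configured correctly?
++[ldapPerson] returns ok
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldapPerson] user DN: uid=user,ou=People,dc=example,dc=org
  [ldapPerson] bind as uid=user,ou=People,dc=example,dc=org/*** to ldap.example.org:389
  [ldapPerson] Bind was successful
++[ldapPerson] returns ok
Sending Access-Accept of id 145 to 192.0.2.10 port 48259
"""

# Constructed sample: shared-secret mismatch between the NAS and clients.conf.
SECRET_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 1812, id=7, length=58
WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
Sending Access-Reject of id 7 to 192.0.2.10 port 1812
"""

_RE_USER = re.compile(r"performing user authorization for (\S+)")
_RE_BIND_DN = re.compile(r"bind as ([^/\s]+)/\S* to ")   # never matches the anonymous "bind as / to"
_RE_AUTH_TYPE = re.compile(r"Found Auth-Type = (\S+)")


def triage(debug_output: str) -> dict:
    """Summarise one request's debug run and, for a reject, say what the log shows went wrong."""
    r = {"user": None, "anonymous_bind": False, "bound_dn": None, "known_good_password": True,
         "auth_type": None, "secret_mismatch": False, "outcome": "unknown", "hints": []}
    for raw in debug_output.splitlines():
        s = raw.strip()
        m = _RE_USER.search(s)
        if m:
            r["user"] = m.group(1)
        if "bind as / to " in s:                     # search bind from the authorize section
            r["anonymous_bind"] = True
        m = _RE_BIND_DN.search(s)
        if m:                                        # bind with the request's credentials
            r["bound_dn"] = m.group(1)
        if "No known good password" in s:
            r["known_good_password"] = False
        m = _RE_AUTH_TYPE.search(s)
        if m:
            r["auth_type"] = m.group(1)
        if "Unprintable characters in the password" in s:
            r["secret_mismatch"] = True
        if s.startswith("Sending Access-Accept"):
            r["outcome"] = "accept"
        elif s.startswith(("Sending Access-Reject", "Failed to authenticate")) or "Rejecting the user" in s:
            r["outcome"] = "reject"
    if r["outcome"] == "reject":
        if r["secret_mismatch"]:
            r["hints"].append("NAS and clients.conf disagree on the shared secret; the decrypted "
                              "User-Password is garbage, so no backend can match it.")
        if r["auth_type"] is None and not r["known_good_password"]:
            r["hints"].append("authorize found no readable password attribute and no module set "
                              "Auth-Type: either let rlm_ldap set it (set_auth_type = yes plus an "
                              "'Auth-Type LDAP { ldap }' block in authenticate, so the server binds "
                              "as the user) or let the bind DN read a password attribute for rlm_pap.")
        if r["anonymous_bind"] and r["bound_dn"] is None:
            r["hints"].append("only the anonymous authorize-phase bind ran; the request's "
                              "credentials were never presented to the directory.")
    elif r["outcome"] == "accept" and r["bound_dn"]:
        r["hints"].append(f"authenticated by binding as {r['bound_dn']}; the directory verified "
                          "the password and FreeRADIUS never had to read it.")
    return r


if __name__ == "__main__":
    for name, sample in (("reject", REJECT_DEBUG), ("accept", ACCEPT_DEBUG), ("secret", SECRET_DEBUG)):
        result = triage(sample)
        print(name, result["outcome"], result["auth_type"], result["bound_dn"])
        for hint in result["hints"]:
            print("   ", hint)
```

Run it over a real `radiusd -X` capture of a single request and the hints are the same things Josip asks for in the thread: whether an authenticated bind happened at all, and which module (if any) set Auth-Type. The "bound_dn" field is also a cheap sanity check that the DN resolved from the authorize search is the one you expect to be authenticated, since a mis-scoped basedn or filter will show up there before it shows up as an Accept for the wrong entry.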

Re: freeradius + ldap

2010-12-02 Thread Ana Gallardo
Hello Josip and thank you again for your response.

This is an orthogonal issue; you don't have to allow anyone to read the
 value of the userPassword attribute, you just have to get the FR ldap
 module to *bind* to the LDAP server with the username and password from
 the request.


Ok, now I know.

This is log output for an anonymous bind in authorize section (bind as /
 to means bind as no user/no password). What is the output for the
 authenticated bind, that happens in the authenticate section?


There is no authenticated bind because Freeradius doesn't set Auth-Type
and...

ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user

Thanks

++ Ana Gallardo Gómez ++
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius + ldap

2010-12-02 Thread Josip Rodin
On Thu, Dec 02, 2010 at 02:37:43PM +0100, Ana Gallardo wrote:
 I have read that this is not ok
 
 http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html

OK, and you're not doing that which is described above, so you're fine.

 The configuration that works:
 
 ldap ldapPerson{
set_auth_type = yes
 }

I think this is the catch. I don't have this particular option in my config,
but I see now that it looks like they're all 2.1.8.

 authorize {
   ldapPerson
   update control {
  Auth-Type := LDAP
   }
 }

This seems redundant. If ldapPerson already ran, with the set_auth_type
option, ...

-- 
 2. That which causes joy or happiness.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius + ldap

2010-12-01 Thread Ana Gallardo
Hello,

I'm using FreeRADIUS 2.1.10 and I want to use LDAP as a backend in the
authorize section to take the userPassword attribute (unix crypt) to
authenticate the user.

My problem is: the LDAP server doesn't have a public key that an admin user (who
binds) can take. So I have to bind in the authorize section with the user and
password (clear text) from the request.

Is this possible?

What are my possibilities?

Here is my actual configuration in my test:

LDAP MODULE

ldap ldapPerson{
   server = ldap.
   basedn = ou=people,dc=unex,dc=es
   filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   tls {
  start_tls = no
   }
   dictionary_mapping = ${confdir}/ldapPerson.attrmap
   edir_account_policy_check = no
   set_auth_type = yes
}

SERVER

server test{

authorize {
  suffix
  files
  ldapPerson
  expiration
  pap
}

authenticate {
  Auth-Type PAP {
pap
  }
}

}


DEBUG

rad_recv: Access-Request packet from host X.X.X.X port 38152, id=201,
length=58
User-Name = aigalla...@unex.es
User-Password = pass
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm unex.es for User-Name = aigalla...@unex.es
[suffix] Found realm unex.es
[suffix] Adding Stripped-User-Name = aigallardo
[suffix] Adding Realm = unex.es
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] expand: %{Stripped-User-Name} - aigallardo
[ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=aigallardo)
[ldapPerson] expand: ou=people,dc=unex,dc=es - ou=people,dc=unex,dc=es
  [ldapPerson] ldap_get_conn: Checking Id: 0
  [ldapPerson] ldap_get_conn: Got Id: 0
  [ldapPerson] attempting LDAP reconnection
  [ldapPerson] (re)connect to X :389, authentication 0
  [ldapPerson] bind as / to  :389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
  [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter
(uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
  [ldapPerson] gecos - Nombre-Completo = Ana-Isabel Gallardo Gomez
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
  [ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
} # server test



Thank you very much and sorry for my English.


++ Ana Gallardo Gómez ++
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius + ldap

2010-12-01 Thread Josip Rodin
On Wed, Dec 01, 2010 at 12:48:14PM +0100, Ana Gallardo wrote:
 My problem is: the LDAP server doesn't have a public key that an admin user
 (who binds) can take. So I have to bind in the authorize section with the
 user and password (clear text) from the request.

 authenticate {
   Auth-Type PAP {
 pap
   }
 }

Add LDAP into the authenticate section, so that it simply tries to re-bind
with the provided credentials? Like this:

Auth-Type LDAP {
ldapPerson
}

-- 
 2. That which causes joy or happiness.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + LDAP auth

2010-11-24 Thread Old Eduardo
Hi Paulo,

Thanks for your reply; see below my authenticate and authorize sections.

authorize {
preprocess
mschap
ldap
}

authenticate {
Auth-Type LDAP {
ldap
}
   Auth-Type MS-CHAP {
   mschap
   }
}



2010/11/23 Paulo Maia phc.m...@gmail.com

 Show us your authorize and authenticate session . I had a problem like that
 once

 Regards ,


 On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.com wrote:

 Sorry Alan, I understand I need to read the debug.

 But I see the secret in clients and my test radtest user pass ip 0 secret is
 correct.

 And my other doubt is in auth type = Local: why local if I put auth type
 LDAP in the configuration? I only get local ...

 Really sorry for this, but I need your help.

 Regards,


 2010/11/23 Alan DeKok al...@deployingradius.com

 Old Eduardo wrote:
  but I have tried to configure this for a few weeks and got no success.

  Ask questions earlier.

  Or, read the debug output.

  Tue Nov 23 07:37:24 2010 : Debug:   WARNING: Unprintable characters in
  the password.Double-check the shared secret on the server and the
 NAS!

  That message seems pretty clear.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 --
 Old Eduardo ...

 make a difference ...

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
Old Eduardo ...

make a difference ...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + LDAP auth

2010-11-24 Thread Paulo Maia
What auth method are you trying to use?
EAP/PEAP?

Regards ,


On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.com wrote:

 Hi Paulo,

 Thanks for your reply; see below my authenticate and authorize sections.

 authorize {
 preprocess
 mschap
 ldap
 }

 authenticate {
 Auth-Type LDAP {
 ldap
 }
Auth-Type MS-CHAP {
mschap
}
 }



 2010/11/23 Paulo Maia phc.m...@gmail.com

 Show us your authorize and authenticate session . I had a problem like that
 once

 Regards ,


 On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.comwrote:

 Sorry Alan, I understand I need to read the debug.

 But I see the secret in clients and my test radtest user pass ip 0 secret is
 correct.

 And my other doubt is in auth type = Local: why local if I put auth type
 LDAP in the configuration? I only get local ...

 Really sorry for this, but I need your help.

 Regards,


 2010/11/23 Alan DeKok al...@deployingradius.com

 Old Eduardo wrote:
  but I have tried to configure this for a few weeks and got no success.

  Ask questions earlier.

  Or, read the debug output.

  Tue Nov 23 07:37:24 2010 : Debug:   WARNING: Unprintable characters in
  the password.Double-check the shared secret on the server and the
 NAS!

  That message seems pretty clear.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 --
 Old Eduardo ...

 make a difference ...

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 --
 Old Eduardo ...

 make a difference ...

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + LDAP auth

2010-11-24 Thread Old Eduardo
Where do I define this? eap.conf?

Sorry, newbie with FreeRADIUS.

2010/11/24 Paulo Maia phc.m...@gmail.com

 What auth method are you trying to use?
 EAP/PEAP?

 Regards ,



 On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.com wrote:

 Hi Paulo,

 Thanks for your reply; see below my authenticate and authorize sections.

 authorize {
 preprocess
 mschap
 ldap
 }

 authenticate {
 Auth-Type LDAP {
 ldap
 }
Auth-Type MS-CHAP {
mschap
}
 }



 2010/11/23 Paulo Maia phc.m...@gmail.com

 Show us your authorize and authenticate session . I had a problem like
 that once

 Regards ,


 On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.comwrote:

 Sorry Alan, I understand I need to read the debug.

 But I see the secret in clients and my test radtest user pass ip 0 secret
 is correct.

 And my other doubt is in auth type = Local: why local if I put auth type
 LDAP in the configuration? I only get local ...

 Really sorry for this, but I need your help.

 Regards,


 2010/11/23 Alan DeKok al...@deployingradius.com

 Old Eduardo wrote:
  but I have tried to configure this for a few weeks and got no success.

  Ask questions earlier.

  Or, read the debug output.

  Tue Nov 23 07:37:24 2010 : Debug:   WARNING: Unprintable characters
 in
  the password.Double-check the shared secret on the server and the
 NAS!

  That message seems pretty clear.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 --
 Old Eduardo ...

 make a difference ...

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 --
 Old Eduardo ...

 make a difference ...

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
Old Eduardo ...

make a difference ...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + LDAP auth

2010-11-24 Thread Old Eduardo
OK, I found this.

sites-enabled/default

eap auth mode.

2010/11/24 Paulo Maia phc.m...@gmail.com

 What auth method are you trying to use?
 EAP/PEAP?

 Regards ,



 On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.com wrote:

 Hi Paulo,

 Thanks for your reply; see below my authenticate and authorize sections.

 authorize {
 preprocess
 mschap
 ldap
 }

 authenticate {
 Auth-Type LDAP {
 ldap
 }
Auth-Type MS-CHAP {
mschap
}
 }



 2010/11/23 Paulo Maia phc.m...@gmail.com

 Show us your authorize and authenticate session . I had a problem like
 that once

 Regards ,


 On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.comwrote:

 Sorry Alan, I understand I need to read the debug.

 But I see the secret in clients and my test radtest user pass ip 0 secret
 is correct.

 And my other doubt is in auth type = Local: why local if I put auth type
 LDAP in the configuration? I only get local ...

 Really sorry for this, but I need your help.

 Regards,


 2010/11/23 Alan DeKok al...@deployingradius.com

 Old Eduardo wrote:
  but I have tried to configure this for a few weeks and got no success.

  Ask questions earlier.

  Or, read the debug output.

  Tue Nov 23 07:37:24 2010 : Debug:   WARNING: Unprintable characters
 in
  the password.Double-check the shared secret on the server and the
 NAS!

  That message seems pretty clear.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 --
 Old Eduardo ...

 make a difference ...

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 --
 Old Eduardo ...

 make a difference ...

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
Old Eduardo ...

make a difference ...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + LDAP auth

2010-11-24 Thread Paulo Maia
Yes, but I have to include it in your authorize and authenticate sections.
What kind of auth are you trying to get?
Regards ,


On Wed, Nov 24, 2010 at 8:43 AM, Old Eduardo oldedua...@gmail.com wrote:

 Where do I define this? eap.conf?

 Sorry, newbie with FreeRADIUS.

 2010/11/24 Paulo Maia phc.m...@gmail.com

 What auth method are you trying to use?
 EAP/PEAP?

 Regards ,



 On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.comwrote:

 Hi Paulo,

 Thanks for your reply; see below my authenticate and authorize sections.

 authorize {
 preprocess
 mschap
 ldap
 }

 authenticate {
 Auth-Type LDAP {
 ldap
 }
Auth-Type MS-CHAP {
mschap
}
 }



 2010/11/23 Paulo Maia phc.m...@gmail.com

 Show us your authorize and authenticate session . I had a problem like
 that once

 Regards ,


 On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.comwrote:

 Sorry Alan, I understand I need to read the debug.

 But I see the secret in clients and my test radtest user pass ip 0 secret
 is correct.

 And my other doubt is in auth type = Local: why local if I put auth
 type LDAP in the configuration? I only get local ...

 Really sorry for this, but I need your help.

 Regards,


 2010/11/23 Alan DeKok al...@deployingradius.com

 Old Eduardo wrote:
  but I have tried to configure this for a few weeks and got no success.

  Ask questions earlier.

  Or, read the debug output.

  Tue Nov 23 07:37:24 2010 : Debug:   WARNING: Unprintable characters
 in
  the password.Double-check the shared secret on the server and
 the NAS!

  That message seems pretty clear.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 --
 Old Eduardo ...

 make a difference ...

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 --
 Old Eduardo ...

 make a difference ...

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 --
 Old Eduardo ...

 make a difference ...

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + LDAP auth

2010-11-24 Thread Paulo Maia
It works?


On Wed, Nov 24, 2010 at 8:47 AM, Old Eduardo oldedua...@gmail.com wrote:

 OK, I found this.

 sites-enabled/default

 eap auth mode.

 2010/11/24 Paulo Maia phc.m...@gmail.com

 What auth method u're trying to use ?
 EAP/PEAP ?

 Regards ,



 On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.comwrote:

 Hi Paulo,

 Thanks for your reply; see below my authenticate and authorize sections.

 authorize {
 preprocess
 mschap
 ldap
 }

 authenticate {
 Auth-Type LDAP {
 ldap
 }
Auth-Type MS-CHAP {
mschap
}
 }



 2010/11/23 Paulo Maia phc.m...@gmail.com

 Show us your authorize and authenticate session . I had a problem like
 that once

 Regards ,


 On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.comwrote:

 Sorry Alan, I understand I need to read the debug.

 But I see the secret in clients, and my test (radtest user pass ip 0 secret)
 is correct.

 And my other doubt is auth type = Local: why Local if I put auth type LDAP
 in the configuration? I only get Local ...

 Really sorry for this, but I need your help.

 Regards,


 2010/11/23 Alan DeKok al...@deployingradius.com

 Old Eduardo wrote:
  but I've been trying to configure this for a few weeks with no success.

  Ask questions earlier.

  Or, read the debug output.

  Tue Nov 23 07:37:24 2010 : Debug:   WARNING: Unprintable characters
 in
  the password.Double-check the shared secret on the server and
 the NAS!

  That message seems pretty clear.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + LDAP auth

2010-11-24 Thread Old Eduardo
I read on many sites that to get LDAP auth you need mschap, is it true?

I try mschap.

2010/11/24 Paulo Maia phc.m...@gmail.com

 yes . but i have to include in your authorize and authenticate sessions .
 What kind of auth ure trying to get ?
 Regards ,



 On Wed, Nov 24, 2010 at 8:43 AM, Old Eduardo oldedua...@gmail.com wrote:

 Where do I define this? eap.conf?

 Sorry, newbie with freeradius.

 2010/11/24 Paulo Maia phc.m...@gmail.com

 What auth method u're trying to use ?
 EAP/PEAP ?

 Regards ,



 On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.comwrote:

 Hi Paulo,

 Thanks for your reply; see below my authenticate and authorize sections.

 authorize {
 preprocess
 mschap
 ldap
 }

 authenticate {
 Auth-Type LDAP {
 ldap
 }
Auth-Type MS-CHAP {
mschap
}
 }



 2010/11/23 Paulo Maia phc.m...@gmail.com

 Show us your authorize and authenticate session . I had a problem like
 that once

 Regards ,


 On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.comwrote:

 Sorry Alan, I understand I need to read the debug.

 But I see the secret in clients, and my test (radtest user pass ip 0 secret)
 is correct.

 And my other doubt is auth type = Local: why Local if I put auth type LDAP
 in the configuration? I only get Local ...

 Really sorry for this, but I need your help.

 Regards,


 2010/11/23 Alan DeKok al...@deployingradius.com

 Old Eduardo wrote:
  but I've been trying to configure this for a few weeks with no success.

  Ask questions earlier.

  Or, read the debug output.

  Tue Nov 23 07:37:24 2010 : Debug:   WARNING: Unprintable characters
 in
  the password.Double-check the shared secret on the server and
 the NAS!

  That message seems pretty clear.

  Alan DeKok.
-- 
Old Eduardo ...

make a difference ...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + LDAP auth

2010-11-24 Thread Old Eduardo
No :(
In the debug only auth type Local appears.
See:
Wed Nov 24 08:30:54 2010 : Debug: +- entering group authorize
Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: calling preprocess
(rlm_preprocess) for request 0
Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 0
Wed Nov 24 08:30:54 2010 : Debug: ++[preprocess] returns ok
Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 0
Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 0
Wed Nov 24 08:30:54 2010 : Debug: ++[mschap] returns noop
Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: calling ldap
(rlm_ldap) for request 0
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: - authorize
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: performing user authorization
for ipe-dp
Wed Nov 24 08:30:54 2010 : Debug: WARNING: Deprecated conditional expansion
:-.  See man unlang for details
Wed Nov 24 08:30:54 2010 : Debug:  expand:
(uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=ipe-dp)
Wed Nov 24 08:30:54 2010 : Debug:  expand:
dc=policiacivil,dc=rs,dc=gov,dc=br - dc=policiacivil,dc=rs,dc=gov,dc=br
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: attempting LDAP reconnection
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: (re)connect to ldap.intra
proxy.intra localhost:389, authentication 0
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: bind as
uid=vpnpptp,ou=sistemas,dc=policiacivil,dc=rs,dc=gov,dc=br/dfjk129!@ to
ldap.intra proxy.intra localhost:389
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: waiting for bind result ...
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: Bind was successful
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: performing search in
dc=policiacivil,dc=rs,dc=gov,dc=br, with filter (uid=ipe-dp)
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: Added User-Password =
{SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl in check items
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: No default NMAS login sequence
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: looking for check items in
directory...
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute userpassword as
RADIUS attribute Cleartext-Password ==
{SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute sambaNtPassword
as RADIUS attribute NT-Password ==
0x3244413944423342333039463632333434374232384536393635374142333642
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute sambaLmPassword
as RADIUS attribute LM-Password ==
0x3845433036323546444141393630353041414433423433354235313430344545
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: looking for reply items in
directory...
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: user ipe-dp authorized to use
remote access
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: returned from ldap
(rlm_ldap) for request 0
Wed Nov 24 08:30:54 2010 : Debug: ++[ldap] returns ok
Wed Nov 24 08:30:54 2010 : Debug: auth: type Local
Wed Nov 24 08:30:54 2010 : Debug: auth: user supplied User-Password does NOT
match local User-Password
Wed Nov 24 08:30:54 2010 : Debug: auth: Failed to validate the user.
Wed Nov 24 08:30:54 2010 : Auth: Login incorrect:
[ipe-dp/\367ҿb5�?\327H6*c\244:\301\245] (from client localhost port 0)
Wed Nov 24 08:30:54 2010 : Debug:   WARNING: Unprintable characters in the
password.Double-check the shared secret on the server and the NAS!
Wed Nov 24 08:30:54 2010 : Debug: Delaying reject of request 0 for 1 seconds
Wed Nov 24 08:30:54 2010 : Debug: Going to the next request
Wed Nov 24 08:30:54 2010 : Debug: Waking up in 0.9 seconds.
Wed Nov 24 08:30:55 2010 : Debug: Sending delayed reject for request 0
Sending Access-Reject of id 78 to 127.0.0.1 port 58611
Wed Nov 24 08:30:55 2010 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=78,
length=20
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
with invalid signature (err=2)!  (Shared secret is incorrect.)
^Cdebian:/etc/freeradius/sites-enabled# Wed Nov 24 08:31:00 2010 : Debug:
Cleaning up request 0 ID 78 with timestamp +5
ty for u help.

2010/11/24 Paulo Maia phc.m...@gmail.com

 It works ?



 On Wed, Nov 24, 2010 at 8:47 AM, Old Eduardo oldedua...@gmail.com wrote:

 ok i found this.

 sites-enabled/default

 eap auth mode.

 2010/11/24 Paulo Maia phc.m...@gmail.com

 What auth method u're trying to use ?
 EAP/PEAP ?

 Regards ,



 On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.comwrote:

 Hi Paulo,

 Thanks for your reply; see below my authenticate and authorize sections.

 authorize {
 preprocess
 mschap
 ldap
 }

 authenticate {
 Auth-Type LDAP {
 ldap
 }
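Reading a radiusd debug like the one above line by line is the whole job. As an added example that is not part of this thread or of FreeRADIUS, here is a small Python triage script that rejoins mail-wrapped debug lines and flags the four things visible in Eduardo's output: the shared-secret symptoms, a hashed userPassword presented as Cleartext-Password, the fallback to "Local" authentication, and mschap returning noop. The sample lines are constructed to mirror the thread's output (the bind DN and its password are left out), and the explanations are my reading of the messages, not text the server prints.

```python
"""Triage a radiusd -X debug log for the misconfigurations seen in this
thread.  Added example; the sample lines are constructed to mirror the
thread's output (bind DN and password omitted) and the explanations are my
reading of the messages, not server output."""
import re

# Constructed sample, wrapped the way the mail archive wraps long lines.
SAMPLE_LOG = """\
Wed Nov 24 08:30:54 2010 : Debug: ++[preprocess] returns ok
Wed Nov 24 08:30:54 2010 : Debug: ++[mschap] returns noop
Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute userpassword as
RADIUS attribute Cleartext-Password ==
{SSHA}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Wed Nov 24 08:30:54 2010 : Debug: ++[ldap] returns ok
Wed Nov 24 08:30:54 2010 : Debug: auth: type Local
Wed Nov 24 08:30:54 2010 : Debug: auth: user supplied User-Password does NOT
match local User-Password
Wed Nov 24 08:30:54 2010 : Debug:   WARNING: Unprintable characters in the
password.Double-check the shared secret on the server and the NAS!
Sending Access-Reject of id 78 to 127.0.0.1 port 58611
rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
with invalid signature (err=2)!  (Shared secret is incorrect.)
"""

# A new record starts with a radiusd timestamp or a client-side radtest line;
# anything else is a wrapped continuation of the previous record.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4} : ")
CLIENT_LINE = re.compile(r"^(rad_recv:|rad_verify:|Sending )")


def unwrap(text):
    """Rejoin mail-wrapped log lines into one record per server message."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if TIMESTAMP.match(line) or CLIENT_LINE.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


# (pattern, finding key, explanation); {0} is filled from the first regex group
RULES = [
    (re.compile(r"Unprintable characters in the password|invalid signature"),
     "shared-secret",
     "the shared secret in clients.conf and the one used by the NAS or radtest "
     "differ; fix that before anything else"),
    (re.compile(r"as RADIUS attribute Cleartext-Password == \{(\w+)\}"),
     "hashed-as-cleartext",
     "userPassword holds a {0} hash but ldap.attrmap presents it as "
     "Cleartext-Password, which can never match"),
    (re.compile(r"auth: type Local"),
     "local-auth",
     "no module set Auth-Type, so the server fell back to its built-in "
     "comparison of User-Password against the check items"),
    (re.compile(r"\+\+\[mschap\] returns noop"),
     "mschap-noop",
     "the request carries no MS-CHAP attributes (radtest sends PAP by "
     "default), so mschap did nothing"),
]


def triage(text):
    """Return {finding key: explanation} for the first record matching each rule."""
    findings = {}
    for record in unwrap(text):
        for pattern, key, explanation in RULES:
            if key in findings:
                continue
            match = pattern.search(record)
            if match:
                findings[key] = explanation.format(*match.groups())
    return findings


if __name__ == "__main__":
    for key, why in triage(SAMPLE_LOG).items():
        print(f"{key:>20}: {why}")
```

Feed it the real `radiusd -X` output instead of `SAMPLE_LOG`; the unwrapping only matters for logs that went through a mail client.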

Re: Freeradius + LDAP auth

2010-11-24 Thread Paulo Maia
Do u have NT and LM password attributes in ur LDAP database? Coz if u do u
could try to use EAP/PEAP.
It's easier for Windows clients.
Regards ,


On Wed, Nov 24, 2010 at 9:26 AM, Old Eduardo oldedua...@gmail.com wrote:

 I read on many sites that to get LDAP auth you need mschap, is it true?

 I try mschap.

 2010/11/24 Paulo Maia phc.m...@gmail.com

 yes . but i have to include in your authorize and authenticate sessions .
 What kind of auth ure trying to get ?
 Regards ,



 On Wed, Nov 24, 2010 at 8:43 AM, Old Eduardo oldedua...@gmail.comwrote:

 Where do I define this? eap.conf?

 Sorry, newbie with freeradius.

 2010/11/24 Paulo Maia phc.m...@gmail.com

 What auth method u're trying to use ?
 EAP/PEAP ?

 Regards ,



 On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.comwrote:

 Hi Paulo,

 Thanks for your reply; see below my authenticate and authorize sections.

 authorize {
 preprocess
 mschap
 ldap
 }

 authenticate {
 Auth-Type LDAP {
 ldap
 }
Auth-Type MS-CHAP {
mschap
}
 }



 2010/11/23 Paulo Maia phc.m...@gmail.com

 Show us your authorize and authenticate session . I had a problem like
 that once

 Regards ,


 On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.comwrote:

 Sorry Alan, I understand I need to read the debug.

 But I see the secret in clients, and my test (radtest user pass ip 0 secret)
 is correct.

 And my other doubt is auth type = Local: why Local if I put auth type LDAP
 in the configuration? I only get Local ...

 Really sorry for this, but I need your help.

 Regards,


 2010/11/23 Alan DeKok al...@deployingradius.com

 Old Eduardo wrote:
  but I've been trying to configure this for a few weeks with no success.

  Ask questions earlier.

  Or, read the debug output.

  Tue Nov 23 07:37:24 2010 : Debug:   WARNING: Unprintable
 characters in
  the password.Double-check the shared secret on the server and
 the NAS!

  That message seems pretty clear.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + LDAP auth

2010-11-24 Thread Paulo Maia
Comment out everything in the users file.
Brazilian, bro?

On Wed, Nov 24, 2010 at 9:31 AM, Old Eduardo oldedua...@gmail.com wrote:

 No :(
 In the debug only auth type Local appears.
 See:
 Wed Nov 24 08:30:54 2010 : Debug: +- entering group authorize
 Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: calling
 preprocess (rlm_preprocess) for request 0
 Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: returned from
 preprocess (rlm_preprocess) for request 0
 Wed Nov 24 08:30:54 2010 : Debug: ++[preprocess] returns ok
 Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: calling mschap
 (rlm_mschap) for request 0
 Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: returned from
 mschap (rlm_mschap) for request 0
 Wed Nov 24 08:30:54 2010 : Debug: ++[mschap] returns noop
 Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: calling ldap
 (rlm_ldap) for request 0
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: - authorize
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: performing user authorization
 for ipe-dp
 Wed Nov 24 08:30:54 2010 : Debug: WARNING: Deprecated conditional expansion
 :-.  See man unlang for details
 Wed Nov 24 08:30:54 2010 : Debug:  expand:
 (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=ipe-dp)
 Wed Nov 24 08:30:54 2010 : Debug:  expand:
 dc=policiacivil,dc=rs,dc=gov,dc=br - dc=policiacivil,dc=rs,dc=gov,dc=br
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: attempting LDAP reconnection
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: (re)connect to ldap.intra
 proxy.intra localhost:389, authentication 0
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: bind as
 uid=vpnpptp,ou=sistemas,dc=policiacivil,dc=rs,dc=gov,dc=br/dfjk129!@ to
 ldap.intra proxy.intra localhost:389
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: waiting for bind result ...
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: Bind was successful
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: performing search in
 dc=policiacivil,dc=rs,dc=gov,dc=br, with filter (uid=ipe-dp)
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: Added User-Password =
 {SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl in check items
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: No default NMAS login sequence
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: looking for check items in
 directory...
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute userpassword as
 RADIUS attribute Cleartext-Password ==
 {SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute sambaNtPassword
 as RADIUS attribute NT-Password ==
 0x3244413944423342333039463632333434374232384536393635374142333642
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute sambaLmPassword
 as RADIUS attribute LM-Password ==
 0x3845433036323546444141393630353041414433423433354235313430344545
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: looking for reply items in
 directory...
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: user ipe-dp authorized to use
 remote access
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id:
 0
 Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: returned from
 ldap (rlm_ldap) for request 0
 Wed Nov 24 08:30:54 2010 : Debug: ++[ldap] returns ok
 Wed Nov 24 08:30:54 2010 : Debug: auth: type Local
 Wed Nov 24 08:30:54 2010 : Debug: auth: user supplied User-Password does
 NOT match local User-Password
 Wed Nov 24 08:30:54 2010 : Debug: auth: Failed to validate the user.
 Wed Nov 24 08:30:54 2010 : Auth: Login incorrect:
 [ipe-dp/\367ҿb5�?\327H6*c\244:\301\245] (from client localhost port 0)
 Wed Nov 24 08:30:54 2010 : Debug:   WARNING: Unprintable characters in the
 password.Double-check the shared secret on the server and the NAS!
 Wed Nov 24 08:30:54 2010 : Debug: Delaying reject of request 0 for 1
 seconds
 Wed Nov 24 08:30:54 2010 : Debug: Going to the next request
 Wed Nov 24 08:30:54 2010 : Debug: Waking up in 0.9 seconds.
 Wed Nov 24 08:30:55 2010 : Debug: Sending delayed reject for request 0
 Sending Access-Reject of id 78 to 127.0.0.1 port 58611
 Wed Nov 24 08:30:55 2010 : Debug: Waking up in 4.9 seconds.
 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=78,
 length=20
 rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
 with invalid signature (err=2)!  (Shared secret is incorrect.)
 ^Cdebian:/etc/freeradius/sites-enabled# Wed Nov 24 08:31:00 2010 : Debug:
 Cleaning up request 0 ID 78 with timestamp +5
 ty for u help.

 2010/11/24 Paulo Maia phc.m...@gmail.com

 It works ?



 On Wed, Nov 24, 2010 at 8:47 AM, Old Eduardo oldedua...@gmail.comwrote:

 ok i found this.

 sites-enabled/default

 eap auth mode.

 2010/11/24 Paulo Maia phc.m...@gmail.com

 What auth method u're trying to use ?
 EAP/PEAP ?

 Regards ,



 On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.comwrote:

 Hi Paulo,

 Thanks for u 

Re: Freeradius + LDAP auth

2010-11-24 Thread Alan DeKok
Old Eduardo wrote:
 No :(
 In the debug only auth type Local appears.

  Stop wasting your time.

  You have NOT configured the server correctly, and you have NOT
followed instructions on this list.

 see:
 Wed Nov 24 08:30:54 2010 : Debug: +- entering group authorize

  You've used radiusd -Xx.  The FAQ, INSTALL, man page, and messages
daily on this list say to use radiusd -X.  This should be easy to do.

 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute userpassword
 as RADIUS attribute Cleartext-Password ==
 {SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl

  This is wrong on many, many, levels.  The password is a SSHA password,
not a Cleartext-Password.  You've edited the ldap.attrmap file to add
the *wrong* information in it.

 Wed Nov 24 08:30:54 2010 : Debug: auth: type Local
 Wed Nov 24 08:30:54 2010 : Debug: auth: user supplied User-Password does
 NOT match local User-Password

  Given your broken configuration, this is to be expected.

 Wed Nov 24 08:30:54 2010 : Debug: auth: Failed to validate the user.
 Wed Nov 24 08:30:54 2010 : Auth: Login incorrect:
 [ipe-dp/\367ҿb5�?\327H6*c\244:\301\245] (from client localhost port 0)
 Wed Nov 24 08:30:54 2010 : Debug:   WARNING: Unprintable characters in
 the password.Double-check the shared secret on the server and the NAS!

  You were told to fix this problem.  Read the error message.  It's not
hard to understand.

  Until you fix your system, authentication will *always* fail.

  The cause of the problem is simple and obvious.  Even worse, you've
been told how to fix it.  So far, you've refused to follow instructions.

  If you're not going to follow the instructions given on this list,
there is *no* reason to ask questions here.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
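Alan's point that {SSHA} is a hash, not a cleartext password, can be shown concretely. The following is an added example, not FreeRADIUS code: it implements OpenLDAP-style {SSHA} hashing and verification, shows that a plain string comparison (what the "Local" check in the debug amounts to) can never match, and maps a password header to the rlm_pap check attribute it belongs to. The header-to-attribute table is my own summary of the FreeRADIUS 2.x attribute names, and the hash is computed from a constructed password and salt, not the value in the thread.

```python
"""Why a {SSHA} userPassword can never match as Cleartext-Password, and how
it is actually verified.  Added example, not FreeRADIUS code; the stored
value is built from a constructed password and salt."""
import base64
import hashlib
import hmac
import os

# Password header -> rlm_pap check attribute.  Assumption: this table is my
# summary of the FreeRADIUS 2.x attribute names, not read from the server.
HEADER_TO_ATTR = {
    "{SSHA}": "SSHA-Password",
    "{SHA}": "SHA-Password",
    "{SMD5}": "SMD5-Password",
    "{MD5}": "MD5-Password",
    "{CRYPT}": "Crypt-Password",
}


def check_attribute_for(stored: str) -> str:
    """Only a value without a hash header belongs in Cleartext-Password."""
    upper = stored.upper()
    for header, attr in HEADER_TO_ATTR.items():
        if upper.startswith(header):
            return attr
    return "Cleartext-Password"


def ssha_hash(password: bytes, salt=None) -> str:
    """OpenLDAP-style {SSHA}: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)          # OpenLDAP uses a short random salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: bytes) -> bool:
    """Recompute SHA1(candidate + salt) with the salt carried in the stored value."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


def cleartext_compare(stored: str, candidate: bytes) -> bool:
    """What comparing the user's password against a hash as if it were
    cleartext does: a byte comparison that can only succeed if the user typed
    the hash string itself."""
    return hmac.compare_digest(stored.encode("utf-8"), candidate)


if __name__ == "__main__":
    stored = ssha_hash(b"letmein_1")  # constructed password
    print(stored, check_attribute_for(stored))
    print("ssha_verify:", ssha_verify(stored, b"letmein_1"))
    print("cleartext_compare:", cleartext_compare(stored, b"letmein_1"))
```

The practical consequence for ldap.attrmap is the one Alan states: a hashed userPassword must not be mapped to Cleartext-Password; rlm_pap needs to know the value is a salted SHA-1 so it can hash the candidate with the stored salt.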

Re: Freeradius + LDAP auth

2010-11-24 Thread Old Eduardo
yes i have.


2010/11/24 Paulo Maia phc.m...@gmail.com

 Do u have NT and LM password attributes in ur LDAP database? Coz if u do u
 could try to use EAP/PEAP.
 It's easier for Windows clients.
 Regards ,



 On Wed, Nov 24, 2010 at 9:26 AM, Old Eduardo oldedua...@gmail.com wrote:

 I read on many sites that to get LDAP auth you need mschap, is it true?

 I try mschap.

   2010/11/24 Paulo Maia phc.m...@gmail.com

 yes . but i have to include in your authorize and authenticate sessions .
 What kind of auth ure trying to get ?
 Regards ,



 On Wed, Nov 24, 2010 at 8:43 AM, Old Eduardo oldedua...@gmail.comwrote:

 Where do I define this? eap.conf?

 Sorry, newbie with freeradius.

 2010/11/24 Paulo Maia phc.m...@gmail.com

 What auth method u're trying to use ?
 EAP/PEAP ?

 Regards ,



 On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.comwrote:

 Hi Paulo,

 Thanks for your reply; see below my authenticate and authorize sections.

 authorize {
 preprocess
 mschap
 ldap
 }

 authenticate {
 Auth-Type LDAP {
 ldap
 }
Auth-Type MS-CHAP {
mschap
}
 }



 2010/11/23 Paulo Maia phc.m...@gmail.com

 Show us your authorize and authenticate session . I had a problem like
 that once

 Regards ,


 On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo 
 oldedua...@gmail.comwrote:

 Sorry Alan, I understand I need to read the debug.

 But I see the secret in clients, and my test (radtest user pass ip 0 secret)
 is correct.

 And my other doubt is auth type = Local: why Local if I put auth type LDAP
 in the configuration? I only get Local ...

 Really sorry for this, but I need your help.

 Regards,


 2010/11/23 Alan DeKok al...@deployingradius.com

 Old Eduardo wrote:
  but I've been trying to configure this for a few weeks with no success.

  Ask questions earlier.

  Or, read the debug output.

  Tue Nov 23 07:37:24 2010 : Debug:   WARNING: Unprintable
 characters in
  the password.Double-check the shared secret on the server and
 the NAS!

  That message seems pretty clear.

  Alan DeKok.
-- 
Old Eduardo ...

make a difference ...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + LDAP auth

2010-11-24 Thread Alan DeKok
Paulo Maia wrote:
 Comment out everything in the users file.

  Wrong answers make life difficult for everyone.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + LDAP auth

2010-11-24 Thread Old Eduardo
Hey, how's it going, all good?

I'll do that tomorrow. I sent the whole freeradius directory to your email so
you can take a look at the confs; I've been trying to get this implementation
working for 3 weeks and I just can't, man.

Tomorrow morning I'll go and try again.

Thanks for the support.

2010/11/24 Paulo Maia phc.m...@gmail.com

 Comment out everything in the users file.
 Brazilian, bro?


 On Wed, Nov 24, 2010 at 9:31 AM, Old Eduardo oldedua...@gmail.com wrote:

 No :(
 In the debug only auth type Local appears.
 See:
 Wed Nov 24 08:30:54 2010 : Debug: +- entering group authorize
 Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: calling
 preprocess (rlm_preprocess) for request 0
 Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: returned from
 preprocess (rlm_preprocess) for request 0
 Wed Nov 24 08:30:54 2010 : Debug: ++[preprocess] returns ok
 Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: calling mschap
 (rlm_mschap) for request 0
 Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: returned from
 mschap (rlm_mschap) for request 0
 Wed Nov 24 08:30:54 2010 : Debug: ++[mschap] returns noop
 Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: calling ldap
 (rlm_ldap) for request 0
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: - authorize
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: performing user authorization
 for ipe-dp
 Wed Nov 24 08:30:54 2010 : Debug: WARNING: Deprecated conditional
 expansion :-.  See man unlang for details
 Wed Nov 24 08:30:54 2010 : Debug:  expand:
 (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=ipe-dp)
 Wed Nov 24 08:30:54 2010 : Debug:  expand:
 dc=policiacivil,dc=rs,dc=gov,dc=br - dc=policiacivil,dc=rs,dc=gov,dc=br
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: attempting LDAP reconnection
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: (re)connect to ldap.intra
 proxy.intra localhost:389, authentication 0
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: bind as
 uid=vpnpptp,ou=sistemas,dc=policiacivil,dc=rs,dc=gov,dc=br/dfjk129!@ to
 ldap.intra proxy.intra localhost:389
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: waiting for bind result ...
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: Bind was successful
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: performing search in
 dc=policiacivil,dc=rs,dc=gov,dc=br, with filter (uid=ipe-dp)
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: Added User-Password =
 {SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl in check items
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: No default NMAS login sequence
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: looking for check items in
 directory...
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute userpassword as
 RADIUS attribute Cleartext-Password ==
 {SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute sambaNtPassword
 as RADIUS attribute NT-Password ==
 0x3244413944423342333039463632333434374232384536393635374142333642
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute sambaLmPassword
 as RADIUS attribute LM-Password ==
 0x3845433036323546444141393630353041414433423433354235313430344545
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: looking for reply items in
 directory...
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: user ipe-dp authorized to use
 remote access
 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id:
 0
 Wed Nov 24 08:30:54 2010 : Debug:   modsingle[authorize]: returned from
 ldap (rlm_ldap) for request 0
 Wed Nov 24 08:30:54 2010 : Debug: ++[ldap] returns ok
 Wed Nov 24 08:30:54 2010 : Debug: auth: type Local
 Wed Nov 24 08:30:54 2010 : Debug: auth: user supplied User-Password does
 NOT match local User-Password
 Wed Nov 24 08:30:54 2010 : Debug: auth: Failed to validate the user.
 Wed Nov 24 08:30:54 2010 : Auth: Login incorrect:
 [ipe-dp/\367ҿb5�?\327H6*c\244:\301\245] (from client localhost port 0)
 Wed Nov 24 08:30:54 2010 : Debug:   WARNING: Unprintable characters in the
 password.Double-check the shared secret on the server and the NAS!
 Wed Nov 24 08:30:54 2010 : Debug: Delaying reject of request 0 for 1
 seconds
 Wed Nov 24 08:30:54 2010 : Debug: Going to the next request
 Wed Nov 24 08:30:54 2010 : Debug: Waking up in 0.9 seconds.
 Wed Nov 24 08:30:55 2010 : Debug: Sending delayed reject for request 0
 Sending Access-Reject of id 78 to 127.0.0.1 port 58611
 Wed Nov 24 08:30:55 2010 : Debug: Waking up in 4.9 seconds.
 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=78,
 length=20
 rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
 with invalid signature (err=2)!  (Shared secret is incorrect.)
 ^Cdebian:/etc/freeradius/sites-enabled# Wed Nov 24 08:31:00 2010 : Debug:
 Cleaning up request 0 ID 78 with timestamp +5
 ty for u help.

   2010/11/24 Paulo Maia phc.m...@gmail.com

 It works ?



 On Wed, Nov 24, 2010 at 8:47 

Freeradius + LDAP auth

2010-11-23 Thread Old Eduardo
Sorry list,

but I've been trying to configure this for a few weeks with no success.
I really need help from the list.

I tried all the sites on Google, but got no success.

i try this:
http://blog.yufeng.net/index.php/2010/07/debian-poptop-freeradius-openldap/
http://wiki.freeradius.org/Rlm_ldap
http://mhoran.wordpress.com/2007/11/25/freeradius-on-freebsd-and-openldap/

my debug only appears:

rad_recv: Access-Request packet from host 10.12.60.32 port 35717, id=31,
length=64
 User-Name = ipe-dp
 User-Password = 7\271D\250yhG'E\361\t{\237\366S\347
 NAS-IP-Address = 127.0.1.1
 NAS-Port = 1812
 Framed-Protocol = PPP
Tue Nov 23 07:37:24 2010 : Debug: +- entering group authorize
Tue Nov 23 07:37:24 2010 : Debug:   modsingle[authorize]: calling preprocess
(rlm_preprocess) for request 0
Tue Nov 23 07:37:24 2010 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 0
Tue Nov 23 07:37:24 2010 : Debug: ++[preprocess] returns ok
Tue Nov 23 07:37:24 2010 : Debug:   modsingle[authorize]: calling ldap
(rlm_ldap) for request 0
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: - authorize
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: performing user authorization
for ipe-dp
Tue Nov 23 07:37:24 2010 : Debug:  expand: (uid=%u) - (uid=ipe-dp)
Tue Nov 23 07:37:24 2010 : Debug:  expand:
dc=policiacivil,dc=rs,dc=gov,dc=br - dc=policiacivil,dc=rs,dc=gov,dc=br
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: attempting LDAP reconnection
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: (re)connect to ldap.intra
proxy.intra localhost:389, authentication 0
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: bind as
uid=vpnpptp,ou=sistemas,dc=policiacivil,dc=rs,dc=gov,dc=br/dfjk129!@ to
ldap.intra proxy.intra localhost:389
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: waiting for bind result ...
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: Bind was successful
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: performing search in
dc=policiacivil,dc=rs,dc=gov,dc=br, with filter (uid=ipe-dp)
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: Added User-Password =
{SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl in check items
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: No default NMAS login sequence
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: looking for check items in
directory...
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: LDAP attribute sambaNTPassword
as RADIUS attribute NT-Password ==
0x3244413944423342333039463632333434374232384536393635374142333642
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: LDAP attribute sambaLMPassword
as RADIUS attribute LM-Password ==
0x3845433036323546444141393630353041414433423433354235313430344545
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: LDAP attribute cn as RADIUS
attribute Group == ipe-dp
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: looking for reply items in
directory...
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: user ipe-dp authorized to use
remote access
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Nov 23 07:37:24 2010 : Debug:   modsingle[authorize]: returned from ldap
(rlm_ldap) for request 0
Tue Nov 23 07:37:24 2010 : Debug: ++[ldap] returns ok
Tue Nov 23 07:37:24 2010 : Debug:
!!!
Tue Nov 23 07:37:24 2010 : Debug: !!!Replacing User-Password in config
items with Cleartext-Password. !!!
Tue Nov 23 07:37:24 2010 : Debug:
!!!
Tue Nov 23 07:37:24 2010 : Debug: !!! Please update your configuration so
that the known good   !!!
Tue Nov 23 07:37:24 2010 : Debug: !!! clear text password is in
Cleartext-Password, and not in User-Password. !!!
Tue Nov 23 07:37:24 2010 : Debug:
!!!
Tue Nov 23 07:37:24 2010 : Debug: auth: type Local
Tue Nov 23 07:37:24 2010 : Debug: auth: user supplied User-Password does NOT
match local User-Password
Tue Nov 23 07:37:24 2010 : Debug: auth: Failed to validate the user.
Tue Nov 23 07:37:24 2010 : Auth: Login incorrect:
[ipe-dp/7\271D\250yhG'E\361\t{\237\366S\347] (from client BrasilTelecom port
1812)
Tue Nov 23 07:37:24 2010 : Debug:   WARNING: Unprintable characters in the
password.Double-check the shared secret on the server and the NAS!
Tue Nov 23 07:37:24 2010 : Debug: Delaying reject of request 0 for 1 seconds
Tue Nov 23 07:37:24 2010 : Debug: Going to the next request
Tue Nov 23 07:37:24 2010 : Debug: Waking up in 0.9 seconds.
Tue Nov 23 07:37:25 2010 : Debug: Sending delayed reject for request 0
Sending Access-Reject of id 31 to 10.12.60.32 port 35717
Tue Nov 23 07:37:25 2010 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 10.12.60.32 port 1812, id=31,
length=20
rad_verify: Received Access-Reject packet from client 10.12.60.32 port 1812
with invalid 

Re: Freeradius + LDAP auth

2010-11-23 Thread Alan DeKok
Old Eduardo wrote:
 but I try to configure this for a few weeks and get no success.

  Ask questions earlier.

  Or, read the debug output.

 Tue Nov 23 07:37:24 2010 : Debug:   WARNING: Unprintable characters in
 the password.Double-check the shared secret on the server and the NAS!

  That message seems pretty clear.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + LDAP auth

2010-11-23 Thread Old Eduardo
Sorry Alan, I understand I need to read the debug.

But I see the secret in clients and my test radtest user pass ip 0 secret is
correct.

And my other doubt is about auth type = Local: why Local if I put auth type
LDAP in the configuration? I only get Local ...

Really sorry for this, but I need your help.

Regards,


2010/11/23 Alan DeKok al...@deployingradius.com

 Old Eduardo wrote:
  but I try to configure this for a few weeks and get no success.

  Ask questions earlier.

  Or, read the debug output.

  Tue Nov 23 07:37:24 2010 : Debug:   WARNING: Unprintable characters in
  the password.Double-check the shared secret on the server and the
 NAS!

  That message seems pretty clear.

  Alan DeKok.




-- 
Old Eduardo ...

make a difference ...

Re: Freeradius + LDAP auth

2010-11-23 Thread Paulo Maia
Show us your authorize and authenticate sections. I had a problem like that
once.

Regards ,

On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.com wrote:

 Sorry Alan, I understand I need to read the debug.

 But I see the secret in clients and my test radtest user pass ip 0 secret is
 correct.

 And my other doubt is about auth type = Local: why Local if I put auth type
 LDAP in the configuration? I only get Local ...

 Really sorry for this, but I need your help.

 Regards,


 2010/11/23 Alan DeKok al...@deployingradius.com

 Old Eduardo wrote:
  but I try to configure this for a few weeks and get no success.

  Ask questions earlier.

  Or, read the debug output.

  Tue Nov 23 07:37:24 2010 : Debug:   WARNING: Unprintable characters in
  the password.Double-check the shared secret on the server and the
 NAS!

  That message seems pretty clear.

  Alan DeKok.




 --
 Old Eduardo ...

 make a difference ...



Re: Freeradius + LDAP auth

2010-11-23 Thread Alan DeKok
Old Eduardo wrote:
 Sorry Alan, I understand I need to read the debug.

 But I see the secret in clients and my test radtest user pass ip 0 secret
 is correct.

  That uses a *different* secret, as the packet is coming from a
different IP address.

  i.e. you can either fix the secret as suggested by the message and my
emails, or you can *not* fix the secret, and continue to have problems.

 And my other doubt is about auth type = Local: why Local if I put auth type
 LDAP in the configuration? I only get Local ...

  The debug log should make this clear.

  Alan DeKok.


Re: Doubt - Freeradius + Ldap

2010-11-05 Thread Eduardo Moreira

Sorry, but where do I check the shared secret? In clients.conf?

If yes, the secret is OK!

Thanks for any help.



On 11/04/2010 09:51 AM, eduardo moreira wrote:
Sorry about this mail Josip, but I checked my clients.conf again, and 
I put the conf here for you to see.


clients.conf
client 127.0.0.1 {
secret  = password
shortname   = localhost
nastype = other # localhost isn't usually a NAS...
}
client 10.12.60.19 {
secret  = password
shortname   = any
nastype = other
}

And I use this command to test the connection:
radtest username 123456 10.12.60.19 1812 0 password

And I see the debug log and receive this message:
Mon Nov  1 15:06:16 2010 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 10.12.60.19 port 50105, 
id=100, length=73

User-Name = username
User-Password = c\355W'\021tC\372\177R\232(\007\027n\263
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Framed-Protocol = PPP
Thu Nov  4 09:30:02 2010 : Debug: +- entering group authorize
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling 
preprocess (rlm_preprocess) for request 1
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned 
from preprocess (rlm_preprocess) for request 1

Thu Nov  4 09:30:02 2010 : Debug: ++[preprocess] returns ok
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling 
mschap (rlm_mschap) for request 1
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned 
from mschap (rlm_mschap) for request 1

Thu Nov  4 09:30:02 2010 : Debug: ++[mschap] returns noop
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling ldap 
(rlm_ldap) for request 1

Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: - authorize
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: performing user 
authorization for username

Thu Nov  4 09:30:02 2010 : Debug: expand: (uid=%u) - (uid=username)
Thu Nov  4 09:30:02 2010 : Debug: expand: dc=a,dc=a,dc=c,dc=b - 
dc=a,dc=a,dc=c,dc=b

Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: performing search in 
dc=a,dc=a,dc=c,dc=b,dc=a,dc=a,dc=c,dc=b, with filter (uid=username)
Thu Nov  4 09:30:02 2010 : Error: rlm_ldap: ldap_search() failed: LDAP 
connection lost.

Thu Nov  4 09:30:02 2010 : Info: rlm_ldap: Attempting reconnect
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: attempting LDAP reconnection
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: closing existing LDAP 
connection
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: (re)connect to ldap.intra 
proxy.intra localhost:389, authentication 0
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: bind as 
cn=Administrator,dc=a,dc=c,dc=a,dc=c,dc=b/password to ldap.intra 
proxy.intra localhost:389

Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: waiting for bind result ...
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: Bind was successful
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: performing search in 
dc=a,dc=c,dc=a,dc=a,dc=c,dc=a,dc=c, with filter (uid=username)
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: Added User-Password = 
{crypt}tg/iHj5yM2iXI in check items

Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: No default NMAS login sequence
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: looking for check items in 
directory...
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute 
userPassword as RADIUS attribute Password-With-Header == 
{crypt}tg/iHj5yM2iXI
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute 
sambantPassword as RADIUS attribute NT-Password == 
0x3738463934413643303931413730423936454135373046344341353438304531
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute 
sambalmPassword as RADIUS attribute LM-Password == 
0x3743414142444638393134314430423841414433423433354235313430344545
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute cn as 
RADIUS attribute Group == username
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: looking for reply items in 
directory...
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: user username authorized 
to use remote access
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_release_conn: Release 
Id: 0
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned 
from ldap (rlm_ldap) for request 1

Thu Nov  4 09:30:02 2010 : Debug: ++[ldap] returns ok
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling eap 
(rlm_eap) for request 1

Thu Nov  4 09:30:02 2010 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned 
from eap (rlm_eap) for request 1

Thu Nov  4 09:30:02 2010 : Debug: ++[eap] returns noop
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling chap 
(rlm_chap) for request 1
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned 
from chap (rlm_chap) for request 1

Thu Nov  4 09:30:02 2010 : Debug: ++[chap] returns noop
Thu Nov  4 

Re: Doubt - Freeradius + Ldap

2010-11-05 Thread Phil Mayers

On 11/05/2010 06:47 PM, Eduardo Moreira wrote:

  Sorry, but where do I check the shared secret? In clients.conf?


Yes



If yes, the secret is OK!


No it isn't; look at the packet:


Mon Nov 1 15:06:16 2010 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 10.12.60.19 port 50105,
id=100, length=73
User-Name = username
User-Password = c\355W'\021tC\372\177R\232(\007\027n\263
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Framed-Protocol = PPP


The User-Password attribute has clearly been decrypted badly; this means 
you've got the shared secret wrong somewhere.

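The failure Phil and Alan describe, as an added Python example that is not code from the thread or from FreeRADIUS: the server picks the shared secret by the packet's source IP, unhides User-Password with it per RFC 2865, and a secret that differs from the NAS's turns the password into pseudo-random bytes, which is what triggers the "Unprintable characters in the password" warning. CLIENTS mirrors the thread's clients.conf; the NAS secret b"0" stands in for the mis-ordered radtest command Johan pointed out, and all other values are constructed.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

# Shared secrets keyed by client source IP, mirroring the clients.conf posted
# in the thread (secret "password" for 10.12.60.19). Constructed test data.
CLIENTS: Dict[str, bytes] = {
    "127.0.0.1": b"password",
    "10.12.60.19": b"password",
}


def lookup_secret(clients: Dict[str, bytes], src_ip: str) -> Optional[bytes]:
    """The server selects the secret by the packet's *source* IP, not by any
    address inside the packet; a packet from an unlisted IP is dropped."""
    return clients.get(src_ip)


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 (NAS side): pad to 16-byte blocks and XOR each block
    with MD5(secret + previous output block), seeded with the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret + prev)))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (server side). With a different secret the XOR
    stream is unrelated to the NAS's, so the output is pseudo-random bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret + prev)))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strip RFC 2865 NUL padding


def has_unprintable(password: bytes) -> bool:
    """The condition behind the 'Unprintable characters in the password'
    warning: any byte outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in password)


def decode_request(clients: Dict[str, bytes], src_ip: str,
                   authenticator: bytes, hidden: bytes) -> Tuple[Optional[bytes], str]:
    """Server-side view of an Access-Request: (decoded password or None, diagnosis)."""
    secret = lookup_secret(clients, src_ip)
    if secret is None:
        return None, "unknown client %s: packet ignored" % src_ip
    password = unhide_password(hidden, secret, authenticator)
    if has_unprintable(password):
        return password, "unprintable characters: shared secret differs from the NAS"
    return password, "ok"


if __name__ == "__main__":
    auth = os.urandom(16)  # a fresh Request Authenticator per packet
    # Same NAS, same password, once with the right secret and once with "0",
    # the value the mis-ordered radtest command actually sent as the secret.
    for nas_secret in (b"password", b"0"):
        hidden = hide_password(b"123456", nas_secret, auth)
        print(nas_secret, decode_request(CLIENTS, "10.12.60.19", auth, hidden))
```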


Re: Doubt - Freeradius + Ldap

2010-11-05 Thread Michael Lecuyer

There's many a slip 'twixt the cup and the lip

I promise you'll want to kick yourself when you find the simple 
difference after so many messages. Many of us have the grace to go 
through this necessarily humbling exercise in private.


On 2010-11-05 2:47 PM, Eduardo Moreira wrote:

Sorry, but where do I check the shared secret? In clients.conf?

If yes, the secret is OK!

Thanks for any help.




Re: Doubt - Freeradius + Ldap

2010-11-05 Thread John Dennis

On 11/05/2010 03:06 PM, Phil Mayers wrote:

On 11/05/2010 06:47 PM, Eduardo Moreira wrote:

   Sorry, but where do I check the shared secret? In clients.conf?


Yes



If yes, the secret is OK!


No it isn't; look at the packet:


Mon Nov 1 15:06:16 2010 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 10.12.60.19 port 50105,
id=100, length=73
User-Name = username
User-Password = c\355W'\021tC\372\177R\232(\007\027n\263
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Framed-Protocol = PPP


The User-Password attribute has clearly been decrypted badly; this means
you've got the shared secret wrong somewhere.


A common problem for folks who build their own versions of freeradius 
and mix it with a prebuilt version is the root prefix is different. If 
you build yourself the $prefix defaults to /usr/local, but (most?) all 
prebuilt packages use $prefix of /usr. That means you can end up with 
two copies of your config files (and loads of other files).


Carefully look at the debug output of your radiusd -X, it will give you 
the full path of the files it's reading. Make sure the clients.conf 
you're looking at is *exactly* the same one the server is *actually* 
reading. Do this even if you haven't built your own package, just for 
sanity's sake.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Doubt - Freeradius + Ldap

2010-11-05 Thread Eduardo Moreira
Thanks John, I installed on a Debian server, default config, apt-get 
install 


Directory is: /etc/freeradius ;

Sorry, I'm a newbie, but before I configured the ldap module freeradius worked; 
after configuring the ldap module, no way to connect. Certainly my problem stays 
with the ldap module, authentication ...


But I don't see where ...

Thanks for your reply.

On 11/05/2010 05:17 PM, John Dennis wrote:

On 11/05/2010 03:06 PM, Phil Mayers wrote:

On 11/05/2010 06:47 PM, Eduardo Moreira wrote:

   Sorry, but where do I check the shared secret? In clients.conf?


Yes



If yes, the secret is OK!


No it isn't; look at the packet:


Mon Nov 1 15:06:16 2010 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 10.12.60.19 port 50105,
id=100, length=73
User-Name = username
User-Password = c\355W'\021tC\372\177R\232(\007\027n\263
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Framed-Protocol = PPP


The User-Password attribute has clearly been decrypted badly; this means
you've got the shared secret wrong somewhere.


A common problem for folks who build their own versions of freeradius 
and mix it with a prebuilt version is the root prefix is different. 
If you build yourself the $prefix defaults to /usr/local, but 
(most?) all prebuilt packages use $prefix of /usr. That means you 
can end up with two copies of your config files (and loads of other 
files).


Carefully look at the debug output of your radiusd -X, it will give 
you the full path of the files it's reading. Make sure the 
clients.conf you're looking at is *exactly* the same one the server is 
*actually* reading. Do this even if you haven't built your own 
package, just for sanity's sake.






Re: Doubt - Freeradius + Ldap

2010-11-04 Thread eduardo moreira
Sorry about this mail Josip, but I checked my clients.conf again, and I put
the conf here for you to see.

clients.conf
client 127.0.0.1 {
secret  = password
shortname   = localhost
nastype = other # localhost isn't usually a NAS...
}
client 10.12.60.19 {
secret  = password
shortname   = any
nastype = other
}

And I use this command to test the connection:
radtest username 123456 10.12.60.19 1812 0 password

And I see the debug log and receive this message:
Mon Nov  1 15:06:16 2010 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 10.12.60.19 port 50105, id=100,
length=73
User-Name = username
User-Password = c\355W'\021tC\372\177R\232(\007\027n\263
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Framed-Protocol = PPP
Thu Nov  4 09:30:02 2010 : Debug: +- entering group authorize
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling preprocess
(rlm_preprocess) for request 1
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 1
Thu Nov  4 09:30:02 2010 : Debug: ++[preprocess] returns ok
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 1
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 1
Thu Nov  4 09:30:02 2010 : Debug: ++[mschap] returns noop
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling ldap
(rlm_ldap) for request 1
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: - authorize
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: performing user authorization
for username
Thu Nov  4 09:30:02 2010 : Debug: expand: (uid=%u) - (uid=username)
Thu Nov  4 09:30:02 2010 : Debug: expand: dc=a,dc=a,dc=c,dc=b -
dc=a,dc=a,dc=c,dc=b
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: performing search in
dc=a,dc=a,dc=c,dc=b,dc=a,dc=a,dc=c,dc=b, with filter (uid=username)
Thu Nov  4 09:30:02 2010 : Error: rlm_ldap: ldap_search() failed: LDAP
connection lost.
Thu Nov  4 09:30:02 2010 : Info: rlm_ldap: Attempting reconnect
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: attempting LDAP reconnection
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: closing existing LDAP connection
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: (re)connect to ldap.intra
proxy.intra localhost:389, authentication 0
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: bind as
cn=Administrator,dc=a,dc=c,dc=a,dc=c,dc=b/password to ldap.intra proxy.intra
localhost:389
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: waiting for bind result ...
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: Bind was successful
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: performing search in
dc=a,dc=c,dc=a,dc=a,dc=c,dc=a,dc=c, with filter (uid=username)
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: Added User-Password =
{crypt}tg/iHj5yM2iXI in check items
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: No default NMAS login sequence
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: looking for check items in
directory...
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute userPassword as
RADIUS attribute Password-With-Header == {crypt}tg/iHj5yM2iXI
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute sambantPassword
as RADIUS attribute NT-Password ==
0x3738463934413643303931413730423936454135373046344341353438304531
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute sambalmPassword
as RADIUS attribute LM-Password ==
0x3743414142444638393134314430423841414433423433354235313430344545
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute cn as RADIUS
attribute Group == username
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: looking for reply items in
directory...
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: user username authorized to use
remote access
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned from ldap
(rlm_ldap) for request 1
Thu Nov  4 09:30:02 2010 : Debug: ++[ldap] returns ok
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 1
Thu Nov  4 09:30:02 2010 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned from eap
(rlm_eap) for request 1
Thu Nov  4 09:30:02 2010 : Debug: ++[eap] returns noop
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 1
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned from chap
(rlm_chap) for request 1
Thu Nov  4 09:30:02 2010 : Debug: ++[chap] returns noop
Thu Nov  4 09:30:02 2010 : Debug:
!!!
Thu Nov  4 09:30:02 2010 : Debug: !!!Replacing User-Password in config
items with Cleartext-Password. 

Re: Doubt - Freeradius + Ldap

2010-11-04 Thread Johan Meiring

On 2010/11/04 01:51 PM, eduardo moreira wrote:


and i use this command to test connection:
radtest username 123456 10.12.60.19 1812 0 password



man radtest gives me this:
radtest  [-d raddb_directory] user password radius-server nas-port-number 
secret [ppphint] [nasname]


Looking at your command:
radtest username 123456 10.12.60.19 1812 0 password

This maps to:
user=username
password=123456
radius-server=10.12.60.19
nas-port-number=1812
secret=0
ppphint=password







--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: Doubt - Freeradius + Ldap

2010-11-04 Thread eduardo moreira
Hi Johan,

thanks for your reply.

I tried with your command,

raddtest -d /etc/freeradius username password ip-server port-server secret
but it doesn't work.

But thanks.

2010/11/4 Johan Meiring jmeir...@pcservices.co.za

 On 2010/11/04 01:51 PM, eduardo moreira wrote:


 and i use this command to test connection:
 radtest username 123456 10.12.60.19 1812 0 password


 man radtest gives me this:
 radtest  [-d raddb_directory] user password radius-server nas-port-number
 secret [ppphint] [nasname]

 Looking at your command:

 radtest username 123456 10.12.60.19 1812 0 password

 This maps to:
 user=username
 password=123456
 radius-server=10.12.60.19
 nas-port-number=1812
 secret=0
 ppphint=password







 --


 Johan Meiring
 Cape PC Services CC
 Tel: (021) 883-8271
 Fax: (021) 886-7782




Re: Doubt - Freeradius + Ldap

2010-11-04 Thread Johan Meiring

On 2010/11/04 02:16 PM, eduardo moreira wrote:


raddtest -d /etc/freeradius username password ip-server port-server
secret but it doesn't work.



Copy and paste your command.
Do not retype it.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: Doubt - Freeradius + Ldap

2010-11-04 Thread eduardo moreira
Sorry

radtest -d /etc/freeradius username 123456 10.12.60.19 1812 password any

2010/11/4 Johan Meiring jmeir...@pcservices.co.za

 On 2010/11/04 02:16 PM, eduardo moreira wrote:


 raddtest -d /etc/freeradius username password ip-server port-server
 secret but it doesn't work.


 Copy and paste your command.
 Do not retype it.


 --


 Johan Meiring
 Cape PC Services CC
 Tel: (021) 883-8271
 Fax: (021) 886-7782



Re: Doubt - Freeradius + Ldap

2010-11-04 Thread Alan DeKok
eduardo moreira wrote:
 SOrry about this mail Josip, but i checked again my clients.conf, and i
 put conf here for u see.

  The debug log you posted contains the solution to the problem.

  Read it.

  If it's too hard to understand, paste the debug output into this form:

http://networkradius.com/freeradius.html

  And then read the output.  It won't be hard.

  Alan DeKok.


Re: Doubt - Freeradius + Ldap

2010-11-04 Thread Johan Meiring

On 2010/11/04 02:37 PM, eduardo moreira wrote:

Sorry

radtest -d /etc/freeradius username 123456 10.12.60.19 1812 password any



That should work.
The any is probably unnecessary.

What does freeradius -X now say?



--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: Doubt - Freeradius + Ldap

2010-11-04 Thread eduardo moreira
Same message, but one message disappears:

Thu Nov  4 09:30:02 2010 : Debug:   WARNING: Unprintable characters in the
password.   Double-check the shared secret on the server and the NAS!

Before this message, this appears:
Thu Nov  4 10:58:52 2010 : Debug:
!!!
Thu Nov  4 10:58:52 2010 : Debug: !!!Replacing User-Password in config
items with Cleartext-Password. !!!
Thu Nov  4 10:58:52 2010 : Debug:
!!!
Thu Nov  4 10:58:52 2010 : Debug: !!! Please update your configuration so
that the known good   !!!
Thu Nov  4 10:58:52 2010 : Debug: !!! clear text password is in
Cleartext-Password, and not in User-Password. !!!
Thu Nov  4 10:58:52 2010 : Debug:
!!!
Thu Nov  4 10:58:52 2010 : Debug: auth: type Local
Thu Nov  4 10:58:52 2010 : Debug: auth: user supplied User-Password does NOT
match local User-Password
Thu Nov  4 10:58:52 2010 : Debug: auth: Failed to validate the user.
Thu Nov  4 10:58:52 2010 : Auth: Login incorrect: [username/123456] (from
clientany port 1812)
Sending Access-Reject of id 168 to 10.12.60.19 port 53629
Thu Nov  4 10:58:52 2010 : Debug: Finished request 2.
Thu Nov  4 10:58:52 2010 : Debug: Going to the next request
Thu Nov  4 10:58:52 2010 : Debug: Waking up in 4.9 seconds.
Thu Nov  4 10:58:57 2010 : Debug: Cleaning up request 2 ID 168 with
timestamp +98
Thu Nov  4 10:58:57 2010 : Debug: Ready to process requests.

In the debug this appears:

security {

reject_delay = 0

but it still doesn't work

Thanks for the help.



2010/11/4 Johan Meiring jmeir...@pcservices.co.za

 On 2010/11/04 02:37 PM, eduardo moreira wrote:

 Sorry

 radtest -d /etc/freeradius username 123456 10.12.60.19 1812 password any


 That should work.
 The any is probably unnecessary.

 What does freeradius -X now say?




 --


 Johan Meiring
 Cape PC Services CC
 Tel: (021) 883-8271
 Fax: (021) 886-7782



Doubt - Freeradius + Ldap

2010-11-01 Thread eduardo moreira
Hello list,

I'm new with freeradius, but I've read a lot about this and can't solve my problem.
I have this problem with my implementation.

Only this message appears with freeradius -X -x
Mon Nov  1 15:04:23 2010 : Debug: rlm_eap: Ignoring EAP-Type/tls because we
do not have OpenSSL support.
Mon Nov  1 15:04:23 2010 : Debug: rlm_eap: Ignoring EAP-Type/ttls because we
do not have OpenSSL support.
Mon Nov  1 15:04:23 2010 : Debug: rlm_eap: Ignoring EAP-Type/peap because we
do not have OpenSSL support.

Reminder: I'm using Debian 5.0

And when I try to connect, this message appears:

Mon Nov  1 15:06:10 2010 : Debug: rlm_ldap: LDAP attribute cn as RADIUS
attribute Group == eduardo
Mon Nov  1 15:06:10 2010 : Debug: rlm_ldap: looking for reply items in
directory...
Mon Nov  1 15:06:10 2010 : Debug: rlm_ldap: user eduardo authorized to use
remote access
Mon Nov  1 15:06:10 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Mon Nov  1 15:06:10 2010 : Debug:   modsingle[authorize]: returned from ldap
(rlm_ldap) for request 0
Mon Nov  1 15:06:10 2010 : Debug: ++[ldap] returns ok
Mon Nov  1 15:06:10 2010 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 0
Mon Nov  1 15:06:10 2010 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Mon Nov  1 15:06:10 2010 : Debug:   modsingle[authorize]: returned from eap
(rlm_eap) for request 0
Mon Nov  1 15:06:10 2010 : Debug: ++[eap] returns noop
Mon Nov  1 15:06:10 2010 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 0
Mon Nov  1 15:06:10 2010 : Debug:   modsingle[authorize]: returned from chap
(rlm_chap) for request 0
Mon Nov  1 15:06:10 2010 : Debug: ++[chap] returns noop
Mon Nov  1 15:06:10 2010 : Debug:
!!!
Mon Nov  1 15:06:10 2010 : Debug: !!!Replacing User-Password in config
items with Cleartext-Password. !!!
Mon Nov  1 15:06:10 2010 : Debug:
!!!
Mon Nov  1 15:06:10 2010 : Debug: !!! Please update your configuration so
that the known good   !!!
Mon Nov  1 15:06:10 2010 : Debug: !!! clear text password is in
Cleartext-Password, and not in User-Password. !!!
Mon Nov  1 15:06:10 2010 : Debug:
!!!
Mon Nov  1 15:06:10 2010 : Debug: auth: type Local
Mon Nov  1 15:06:10 2010 : Debug: auth: user supplied User-Password does NOT
match local User-Password
Mon Nov  1 15:06:10 2010 : Debug: auth: Failed to validate the user.
Mon Nov  1 15:06:10 2010 : Auth: Login incorrect:
[eduardo/1\320\026\305\020B)\323I\211�?\001\nx\204] (from client
BrasilTelecom port 1812)
Mon Nov  1 15:06:10 2010 : Debug:   WARNING: Unprintable characters in the
password.Double-check the shared secret on the server and the NAS!
Mon Nov  1 15:06:10 2010 : Debug: Delaying reject of request 0 for 1 seconds

I tried to reinstall but no success.

I need help; thanks in advance.

If anyone has this solution or whatever, please help me.

And sorry for my bad English.

Regards,
Eduardo

Re: Doubt - Freeradius + Ldap

2010-11-01 Thread Peter Lambrechtsen
It's probably since you didn't compile OpenLDAP and FreeRadius with OpenSSL
support.

So you will need to recompile OpenLDAP, Cyrus SASL, OpenLDAP and FreeRadius.

On Tue, Nov 2, 2010 at 6:14 AM, eduardo moreira
eduardomoreir...@gmail.comwrote:

 Hello list,

 I'm new with freeradius, but I've read a lot about this and can't solve my problem.
 I have this problem with my implementation.

 Only this message appears with freeradius -X -x
 Mon Nov  1 15:04:23 2010 : Debug: rlm_eap: Ignoring EAP-Type/tls because we
 do not have OpenSSL support.
 Mon Nov  1 15:04:23 2010 : Debug: rlm_eap: Ignoring EAP-Type/ttls because
 we do not have OpenSSL support.
 Mon Nov  1 15:04:23 2010 : Debug: rlm_eap: Ignoring EAP-Type/peap because
 we do not have OpenSSL support.

 Reminder: I'm using Debian 5.0

 And when I try to connect, this message appears:

 Mon Nov  1 15:06:10 2010 : Debug: rlm_ldap: LDAP attribute cn as RADIUS
 attribute Group == eduardo
 Mon Nov  1 15:06:10 2010 : Debug: rlm_ldap: looking for reply items in
 directory...
 Mon Nov  1 15:06:10 2010 : Debug: rlm_ldap: user eduardo authorized to use
 remote access
 Mon Nov  1 15:06:10 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id:
 0
 Mon Nov  1 15:06:10 2010 : Debug:   modsingle[authorize]: returned from
 ldap (rlm_ldap) for request 0
 Mon Nov  1 15:06:10 2010 : Debug: ++[ldap] returns ok
 Mon Nov  1 15:06:10 2010 : Debug:   modsingle[authorize]: calling eap
 (rlm_eap) for request 0
 Mon Nov  1 15:06:10 2010 : Debug:   rlm_eap: No EAP-Message, not doing EAP
 Mon Nov  1 15:06:10 2010 : Debug:   modsingle[authorize]: returned from eap
 (rlm_eap) for request 0
 Mon Nov  1 15:06:10 2010 : Debug: ++[eap] returns noop
 Mon Nov  1 15:06:10 2010 : Debug:   modsingle[authorize]: calling chap
 (rlm_chap) for request 0
 Mon Nov  1 15:06:10 2010 : Debug:   modsingle[authorize]: returned from
 chap (rlm_chap) for request 0
 Mon Nov  1 15:06:10 2010 : Debug: ++[chap] returns noop
 Mon Nov  1 15:06:10 2010 : Debug:
 !!!
 Mon Nov  1 15:06:10 2010 : Debug: !!!Replacing User-Password in config
 items with Cleartext-Password. !!!
 Mon Nov  1 15:06:10 2010 : Debug:
 !!!
 Mon Nov  1 15:06:10 2010 : Debug: !!! Please update your configuration so
 that the known good   !!!
 Mon Nov  1 15:06:10 2010 : Debug: !!! clear text password is in
 Cleartext-Password, and not in User-Password. !!!
 Mon Nov  1 15:06:10 2010 : Debug:
 !!!
 Mon Nov  1 15:06:10 2010 : Debug: auth: type Local
 Mon Nov  1 15:06:10 2010 : Debug: auth: user supplied User-Password does
 NOT match local User-Password
 Mon Nov  1 15:06:10 2010 : Debug: auth: Failed to validate the user.
 Mon Nov  1 15:06:10 2010 : Auth: Login incorrect:
 [eduardo/1\320\026\305\020B)\323I\211�?\001\nx\204] (from client
 BrasilTelecom port 1812)
 Mon Nov  1 15:06:10 2010 : Debug:   WARNING: Unprintable characters in the
 password.Double-check the shared secret on the server and the NAS!
 Mon Nov  1 15:06:10 2010 : Debug: Delaying reject of request 0 for 1
 seconds

 I tried to reinstall but no success.

 I need help; thanks in advance.

 If anyone has this solution or whatever, please help me.

 And sorry for my bad English.

 Regards,
 Eduardo





Re: Doubt - Freeradius + Ldap

2010-11-01 Thread Josip Rodin
On Tue, Nov 02, 2010 at 07:30:23AM +1300, Peter Lambrechtsen wrote:
 It's probably since you didn't compile OpenLDAP and FreeRadius with OpenSSL
 support.
 
 So you will need to recompile OpenLDAP, Cyrus SASL, OpenLDAP and FreeRadius.

No, no, no, and no. sigh

If you want to read random debug messages, don't pick just any.

Yes, he doesn't have SSL support, but the log also says pretty clearly:

  Mon Nov  1 15:06:10 2010 : Debug:   rlm_eap: No EAP-Message, not doing EAP

When the client does not use EAP, it's completely irrelevant that the server
doesn't have support for SSL-using EAP methods.

And there's clearly no reason to recompile even FR, let alone three other
different pieces of software. (For the former, just use lenny-backports.)

The final error state is:

  Mon Nov  1 15:06:10 2010 : Auth: Login incorrect:
  [eduardo/1\320\026\305\020B)\323I\211\001\nx\204] (from client
  BrasilTelecom port 1812)
  Mon Nov  1 15:06:10 2010 : Debug:   WARNING: Unprintable characters in the
  password.Double-check the shared secret on the server and the NAS!

So, have you double-checked the shared secret?

-- 
 2. That which causes joy or happiness.


Re: Doubt - Freeradius + Ldap

2010-11-01 Thread eduardo moreira
Yes, i checke shared secred in clients.

And I tried to reinstall with apt-get but it doesn't work.

Thanks for the help.

2010/11/1 Josip Rodin j...@entuzijast.net

 On Tue, Nov 02, 2010 at 07:30:23AM +1300, Peter Lambrechtsen wrote:
  It's probably since you didn't compile OpenLDAP and FreeRadius with
 OpenSSL
  support.
 
  So you will need to recompile OpenLDAP, Cyrus SASL, OpenLDAP and
 FreeRadius.

 No, no, no, and no. sigh

 If you want to read random debug messages, don't pick just any.

 Yes, he doesn't have SSL support, but the log also says pretty clearly:

   Mon Nov  1 15:06:10 2010 : Debug:   rlm_eap: No EAP-Message, not doing
 EAP

 When the client does not use EAP, it's completely irrelevant that the
 server
 doesn't have support for SSL-using EAP methods.

 And there's clearly no reason to recompile even FR, let alone three other
 different pieces of software. (For the former, just use lenny-backports.)

 The final error state is:

   Mon Nov  1 15:06:10 2010 : Auth: Login incorrect:
   [eduardo/1\320\026\305\020B)\323I\211\001\nx\204] (from client
   BrasilTelecom port 1812)
   Mon Nov  1 15:06:10 2010 : Debug:   WARNING: Unprintable characters in
 the
   password.Double-check the shared secret on the server and the NAS!

 So, have you double-checked the shared secret?

 --
 2. That which causes joy or happiness.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Freeradius + LDAP Group check

2010-08-18 Thread Douglas Caro

Hello!

I'm trying to modify a working configuration to add one more 
authentication service in FreeRadius.


I already have one configuration to authenticate users in ldap to use 
wireless network. See the radiusd.conf:



radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
pidfile = /var/run/freeradius/freeradius.pid
user = freerad
group = freerad

listen {
 ipaddr = *
 port = 0
 type = auth
}

listen {
 ipaddr = *
 port = 0
 type = acct
}

thread pool {
 start_servers = 1
 max_servers = 4
 min_spare_servers = 1
 max_spare_servers = 3
 max_requests_per_server = 0
}

$INCLUDE ${confdir}/clients.conf

modules {
 pap {
encryption_scheme = clear
 }
 chap {
authtype = CHAP
 }
 $INCLUDE ${confdir}/eap.conf
 mschap {
authtype = MS-CHAP
with_ntdomain_hack = yes
 }
 mschapv2 {
 }
 files {
usersfile = ${confdir}/users
compat = no
 }
  ldap ldap_1x {
  server = 127.0.0.1
  identity = cn=Manager,dc=company,dc=com,dc=br
  password = XX
  basedn = ou=Users,dc=company,dc=com,dc=br
  start_tls = no
  access_attr = uid
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  authtype = ldap
  ldap_connections_number = 5
  timeout = 4
  timelimit = 3
  net_timeout = 1
  }
}
authorize {
 pap
 files
 mschap
 ldap_1x
 eap
}
authenticate {
  Auth-Type PAP {
  pap
  }
  Auth-Type MS-CHAP {
  mschap
  }
  Auth-Type PPP {
  ldap_1x
  }

  eap
}
log {
  destination = files
  file = /var/log/freeradius/radius.log
  syslog_facility = daemon
  stripped_names = no
  auth = yes
  auth_badpass = no
  auth_goodpass = no
}


and, the users file:

users

DEFAULT Auth-Type := MS-CHAP

DEFAULT Hint == CSLIP
  Framed-Protocol = SLIP,
  Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == SLIP
  Framed-Protocol = SLIP


This is enough to provide access to users in wireless network.

I need to add a Radius Auth in Ldap to Switches devices with Group Check.
The users are in cn=TacAdm,ou=Groups,dc=company,dc=com,dc=br

I already tried to add a new module called

ldap ldap_switch {
...
}

and many settings like groupmembership_filter, groupname_attribute, 
filter, base_filter, access_attr, groupmembership_attribute, but nothing 
does the group check in ldap!


What do I need for this group check to work while keeping the wireless 
configuration working well?


Thanks!
Douglas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
