freeradius ldap auth sort of working ?
Greetings. I have a problem with freeradius using ldap to auth, here are my system specs: Centos 6 64bit freeradius installed from repo rpm -qa | grep -i freeradius freeradius-ldap-2.1.12-4.el6_3.x86_64 freeradius-2.1.12-4.el6_3.x86_64 freeradius-utils-2.1.12-4.el6_3.x86_64 ldap already up and running, on localhost. everything is local btw, there are no remote services and ldap is (test environment) accepting unsecured connections. rpm -qa | grep -i openld openldap-devel-2.4.23-32.el6_4.1.x86_64 openldap-clients-2.4.23-32.el6_4.1.x86_64 openldap-servers-2.4.23-32.el6_4.1.x86_64 openldap-2.4.23-32.el6_4.1.x86_64 radtest fails radtest testuser_1 letmein_1 localhost 2 testing123 Sending Access-Request of id 214 to 127.0.0.1 port 1812 User-Name = testuser_1 User-Password = letmein_1 NAS-IP-Address = 127.0.0.1 NAS-Port = 2 Message-Authenticator = 0x rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=214, length=20 and this is the output from radius (ran as radiusd -X) http://pastebin.com/MT0txW2c i don't understand. it auths but then it doesn't.. the final result is not successful Thanks in advance, Horatiu - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius ldap auth sort of working ?
On 1 Jul 2013, at 12:27, Horatiu Nimigean horatiu.nimig...@ddnet.ro wrote: Greetings. I have a problem with freeradius using ldap to auth, here are my system specs: Centos 6 64bit freeradius installed from repo rpm -qa | grep -i freeradius freeradius-ldap-2.1.12-4.el6_3.x86_64 freeradius-2.1.12-4.el6_3.x86_64 freeradius-utils-2.1.12-4.el6_3.x86_64 ldap already up and running, on localhost. everything is local btw, there are no remote services and ldap is (test environment) accepting unsecured connections. rpm -qa | grep -i openld openldap-devel-2.4.23-32.el6_4.1.x86_64 openldap-clients-2.4.23-32.el6_4.1.x86_64 openldap-servers-2.4.23-32.el6_4.1.x86_64 openldap-2.4.23-32.el6_4.1.x86_64 radtest fails radtest testuser_1 letmein_1 localhost 2 testing123 Sending Access-Request of id 214 to 127.0.0.1 port 1812 User-Name = testuser_1 User-Password = letmein_1 NAS-IP-Address = 127.0.0.1 NAS-Port = 2 Message-Authenticator = 0x rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=214, length=20 and this is the output from radius (ran as radiusd -X) http://pastebin.com/MT0txW2c i don't understand. it auths but then it doesn't.. the final result is not successful Thanks in advance, No. Your admin user managed to bind and retrieve credentials for your user, your user bind never succeeded. Seeing as you have access to the crypt hash of the user's password you should use PAP to do authentication. Set set_auth_type = no in modules/ldap. and make sure 'pap' is listed in authorize. If the password you're using in radtest is correct, this will work. If it isn't then authentication will continue to fail. -Arran Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius ldap auth sort of working ?
Hi, and this is the output from radius (ran as radiusd -X) http://pastebin.com/MT0txW2c please post to the list - avoids more work at this end. the output shows this: Found Auth-Type = LDAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by testuser_1 with password letmein_1 [ldap] user DN: uid=testuser_1,ou=People,dc=vps03,dc=local [ldap] (re)connect to 127.0.0.1:389, authentication 1 [ldap] bind as uid=testuser_1,ou=People,dc=vps03,dc=local/letmein_1 to 127.0.0.1:389 [ldap] waiting for bind result ... [ldap] Bind failed with invalid credentials ++[ldap] returns reject i don't understand. it auths but then it doesn't.. the final result is not successful it does a SEARCH for authorization. finds some details...then it checks authentication...and doesnt work. verify that you can connect/verify with this user/password combo. LDAP is not an authentication method..its just an oracle of data really alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
pptpd+freeradius+ldap: which password encryption can I use?
Hi Everybody, I'm trying to setup a PPTPD server which would authenticate users using my openLDAP user database, in doing so I need freeradius. By now the only setup that actually works is: users in LDAP with clear text password. Obviously I want to use some kind of encryption for passwords and I don't like the solution of using cleartext passwords and the use of a specific user allowed to access to the password attribute, so my question is: which other possibilities I have? Looking to this table http://deployingradius.com/documents/protocols/compatibility.html I understand that I can use pap + sha1 but I can't understand how. Can anyone help me understand what is possible and what not? Many thanks Alberto - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pptpd+freeradius+ldap: which password encryption can I use?
Alberto Aldrigo wrote: I'm trying to setup a PPTPD server which would authenticate users using my openLDAP user database, in doing so I need freeradius. By now the only setup that actually works is: users in LDAP with clear text password. What kind of authentication method is PPTPD using? You can tell by looking at the FreeRADIUS debug log... which is suggested daily on this list. Obviously I want to use some kind of encryption for passwords and I don't like the solution of using cleartext passwords and the use of a specific user allowed to access to the password attribute, so my question is: which other possibilities I have? Looking to this table http://deployingradius.com/documents/protocols/compatibility.html I understand that I can use pap + sha1 but I can't understand how. Can anyone help me understand what is possible and what not? You're really asking the wrong question. If the only thing that works is LDAP with clear-text passwords, then the authentication method doesn't support encrypted passwords. That's why the web page says it's *IMPOSSIBLE*. Because, well, it's impossible. What other conclusion did you reach after reading that page? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pptpd+freeradius+ldap: which password encryption can I use?
On 04/30/2013 06:11 AM, Alberto Aldrigo wrote: Hi Everybody, I'm trying to setup a PPTPD server which would authenticate users using my openLDAP user database, in doing so I need freeradius. By now the only setup that actually works is: users in LDAP with clear text password. Obviously I want to use some kind of encryption for passwords and I don't like the solution of using cleartext passwords and the use of a specific user allowed to access to the password attribute, so my question is: which other possibilities I have? Looking to this table http://deployingradius.com/documents/protocols/compatibility.html I understand that I can use pap + sha1 but I can't understand how. Can anyone help me understand what is possible and what not? Many thanks cleartext passwords should work for most everything as shown in the compatibility table, if it's not you've broken something. You other option is to hash your passwords, refer to the table for what will work, you'll probably need to prefix your password values with a scheme prefix. However hashing is *not* encryption nor is hashing secure. Do not depend on hashing to provide protection! Most hashes can be broken easily, This is especially true if they can be retrieved for offline cracking which is the gift you're giving your attacker if you don't lock down your password attributes. Bottom line, there is no short-cut or excuse not to lock down password attributes with ACL's such that only a select subset of users can see them (e.g. radiusd, root). -- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
pptpd+freeradius+ldap ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Hi everybody, I'm having some problems with freeradius and ldap authentication. I need to authenticate an user connecting in vpn to my pptpd daemon, which will ask permission to freeradius. I installed freeradius and configured it to use ldap in this way (i stripped comments to shorten the config files): sites-available/default: authorize { ldap preprocess chap mschap digest suffix eap { ok = return } expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp exec } session { radutmp } post-auth { ldap exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } modules/ldap: ldap { server = 10.1.98.50 identity = cn=admin,dc=domain,dc=private password = password basedn = dc=domain,dc=private filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap password_attribute = userPassword edir_account_policy_check = no } radiusd.conf prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct name = freeradius confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = /usr/lib/freeradius pidfile = ${run_dir}/${name}.pid user = freerad group = freerad max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 0 } listen { ipaddr = * port = 0 type = acct } hostname_lookups = no allow_core_dumps = no regular_expressions= yes extended_expressions= yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = no auth_badpass = no auth_goodpass = no } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes $INCLUDE proxy.conf $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf } instantiate { exec expr expiration logintime } $INCLUDE policy.conf $INCLUDE sites-enabled/ When I run freeradius -X this is what I get: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 2012 at 17:58:57 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/otp including configuration file
Re: pptpd+freeradius+ldap ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
On 18 Apr 2013, at 11:43, Alberto Aldrigo aaldr...@ca-tron.com wrote: rad_recv: Access-Request packet from host 10.1.98.52 port 45105, id=139, length=77 Service-Type = Framed-User Framed-Protocol = PPP User-Name = user Calling-Station-Id = 10.1.0.136 NAS-IP-Address = 127.0.1.1 NAS-Port = 0 PPPD isn't sending a password. The hash is being found by LDAP fine, but there is no password in the radius request for it to validate. You need to fix PPPD, then it should work. Thanks, Adam Bishop gpg: 0x6609D460 Janet, the UK's research and education network. Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius +LDAP + Samba integrates to Active Derectory
Thanks. Alan --- 13年4月12日,周五, Alan DeKok al...@deployingradius.com 写道: 发件人: Alan DeKok al...@deployingradius.com 主题: Re: Freeradius +LDAP + Samba integrates to Active Derectory 收件人: FreeRadius users mailing list freeradius-users@lists.freeradius.org 日期: 2013年4月12日,周五,下午9:48 John wrote: We deploy freeradius integrated to Active Directory, but the AD enabled Require signing option (see the attachement). That's really an AD question. net join is OK after we set LDAP SASL wrapping to 'sign'. But LDAP search failed. Is there a way to let LDAP search work? Can someone show me some reference or guide? Look in Microsoft support forums. Once you get LDAP search working, FreeRADIUS will work, too. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius +LDAP + Samba integrates to Active Derectory
Hi all, We deploy freeradius integrated to Active Directory, but the AD enabled Require signing option (see the attachement). net join is OK after we set LDAP SASL wrapping to 'sign'. But LDAP search failed. Is there a way to let LDAP search work? Can someone show me some reference or guide? Thanks, Johnattachment: LDAP SASL wrapping.JPG- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius +LDAP + Samba integrates to Active Derectory
John wrote: We deploy freeradius integrated to Active Directory, but the AD enabled Require signing option (see the attachement). That's really an AD question. net join is OK after we set LDAP SASL wrapping to 'sign'. But LDAP search failed. Is there a way to let LDAP search work? Can someone show me some reference or guide? Look in Microsoft support forums. Once you get LDAP search working, FreeRADIUS will work, too. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
AW: Freeradius + LDAP
Hello, what exactly ist your problem? a) Do you want to know how to configure a web administration GUI (phpldapadmin) for your LDAP server? Then your problem is purly related to LDAP server, PHP and a web server. Hence, this is Thermometer wrong mailing list to ask for advice. b) Or do you want to know how to use a LDAP directory as a password backend? But then this question has nothing to do with phpldapadmin. You said, that RADIUS is already configured and running. Where are the user credentials stored at the moment? Matthias Matthias Nagel Willy-Andreas-Allee 1, Zimmer 506 76131 Karlsruhe Telefon: +49-721-8695-1506 Mobil: +49-151-15998774 ICQ: 499797758 Skype: nagmat84Brekler Custodio brekle...@hotmail.com hat geschrieben:Hello guys, i was wondering, anyone knows how to configure an LDAP (phpldapadmin) to work with freeradius ? I search all over the web and couldnt find a tutorial that teachs how to configure a simple DB to work with FR. The FR is configured already, its very simple, but the LDAP i cant handle. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius + LDAP
Hello guys, i was wondering, anyone knows how to configure an LDAP (phpldapadmin) to work with freeradius ?I search all over the web and couldnt find a tutorial that teachs how to configure a simple DB to work with FR.The FR is configured already, its very simple, but the LDAP i cant handle. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius LDAP OID Numbering
Peter Lambrechtsen wrote: There is the FR LDAP Schema LDIF file to import FreeRadius related schema into your LDAP directory. Searching around it seems that OID 1.3.6.1.4.1.3317.4.3.1 up to 68 is allocated. http://permalink.gmane.org/gmane.comp.freeradius.devel/6134 Why search the list? The LDIF file is included with the server. Who owns the OID and I could ask to get 69 registered formally? The OID is a private enterprise code. 3317 is some other open source project (I forget which, and don't care to look). It was used because one of the people there contributed the LDIF file. I would like to add the LDAP Attribute radiusFramedPool for Framed-Pool VSA Should I just build a DIFF and submit it to the list, or is there an owner of the OID numbering who I would need to contact? Just add it. We effectively own that space. They're not using it. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius LDAP OID Numbering
A question for Alan, or others on the list. There is the FR LDAP Schema LDIF file to import FreeRadius related schema into your LDAP directory. Searching around it seems that OID 1.3.6.1.4.1.3317.4.3.1 up to 68 is allocated. http://permalink.gmane.org/gmane.comp.freeradius.devel/6134 Who owns the OID and I could ask to get 69 registered formally? I would like to add the LDAP Attribute radiusFramedPool for Framed-Pool VSA Should I just build a DIFF and submit it to the list, or is there an owner of the OID numbering who I would need to contact? Cheers Peter - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Wired 802.1X + FreeRADIUS + LDAP issue
On Mon, Dec 12, 2011 at 6:30 PM, Ryan Garland she...@gmail.com wrote: Thanks for the response, Alan. It turns out part of my issue was certificate related. This has been resolved, but eapol_test continues to fail for a different reason. However, I am having trouble determining a fix. Attached is the eapol_test configuration, debug output, FreeRADIUS configuration debug output. It appears that the relevant portion of the FreeRADIUS debug output is: Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication [eap] Handler failed in EAP/md5 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 EAP-Message = 0x04010004 Message-Authenticator = 0x [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls rlm_eap_ttls: Freeing handler for user ryan [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. I am having an even more difficult time deciphering the eapol_test debug output - I just see the EAP failure from the radius server. I have also tried commenting out 'virtual_server = inner-tunnel' in the ttls section of eap.conf to force it to use default (as the documentation inside the default virtual server would seem to imply I should do) and I get the same result. I may be mis-reading it, however. Do you see something glaringly wrong? I appreciate any insight you can provide. Sorry, I should have been more clear. I'm not sure what my options are with regards to Cleartext-Password and using EAP-MD5, if that is indeed what is causing the failure. I am attempting to get eapol_test to work since it sounds like this should be my first priority. The OS X supplicant continues not to respond to the Access-Challenge even though its profile is set up with the corrected ca.der - but, one step at a time. -RG - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Wired 802.1X + FreeRADIUS + LDAP issue
On Tue, Dec 13, 2011 at 9:37 AM, Ryan Garland she...@gmail.com wrote: [eap] EAP/md5 [eap] processing type md5 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication [eap] Handler failed in EAP/md5 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Sorry, I should have been more clear. I'm not sure what my options are with regards to Cleartext-Password and using EAP-MD5, if that is indeed what is causing the failure. Then don't use EAP-MD5. If TTLS-PAP works for wireless, use the same one for wired. There should be an option to select which authentication method to use for wired 802.1x. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Wired 802.1X + FreeRADIUS + LDAP issue
On Mon, Dec 12, 2011 at 7:12 PM, Fajar A. Nugraha l...@fajar.net wrote: On Tue, Dec 13, 2011 at 9:37 AM, Ryan Garland she...@gmail.com wrote: Sorry, I should have been more clear. I'm not sure what my options are with regards to Cleartext-Password and using EAP-MD5, if that is indeed what is causing the failure. Then don't use EAP-MD5. If TTLS-PAP works for wireless, use the same one for wired. There should be an option to select which authentication method to use for wired 802.1x. Ok, I changed auth type to PAP in the eapol_test configuration and it worked. Thanks, I didn't realize it was as simple as changing the phase2 auth type. However, my original problem persists. My supplicant continues not to respond to the FreeRADIUS Access-Challenge. Keep in mind I am using the same .mobileconfig on my OS X Lion machine and my iPhone 4S (IOS 5) and TTLS+PAP works fine for Wireless. I am not sure how to tell which authentication method the supplicant is using for Wired as I can only see authentication protocols listed under the Wi-Fi section of the profile generated using the iPhone Configuration Utility (I was led to believe that the same profile can work with both Wired and Wireless 802.1X, hence me being stumped). If there is not an issue with FreeRADIUS as far as the experts on this list can tell from the debug output in my original post (the Wired failure attachment), then I may have to look elsewhere for input (Apple support forums perhaps? Ugh :P) Thanks again for your assistance thus far. -RG - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Wired 802.1X + FreeRADIUS + LDAP issue
On Tue, Dec 13, 2011 at 11:34 AM, Ryan Garland she...@gmail.com wrote: However, my original problem persists. My supplicant continues not to respond to the FreeRADIUS Access-Challenge. Keep in mind I am using the same .mobileconfig on my OS X Lion machine and my iPhone 4S (IOS 5) and TTLS+PAP works fine for Wireless. I am not sure how to tell which authentication method the supplicant is using for Wired as I can only see authentication protocols listed under the Wi-Fi section of the profile generated using the iPhone Configuration Utility (I was led to believe that the same profile can work with both Wired and Wireless 802.1X, hence me being stumped). Try using something that you know you can configure to use TTLS-PAP. Like Ubuntu. Just to be extra sure. Even using live CD should be enough. If there is not an issue with FreeRADIUS as far as the experts on this list can tell from the debug output in my original post (the Wired failure attachment), Pretty much so. You don't have cleartext password in your LDAP schema, so EAP-MD5 (as well as EAP-PEAP-MSCHAPv2) won't work. then I may have to look elsewhere for input (Apple support forums perhaps? Ugh :P) If Ubuntu works, then it's 100% Apple issue :) -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Wired 802.1X + FreeRADIUS + LDAP issue
Ryan Garland wrote: I get a Warning message from FreeRADIUS indicating that EAP did not complete. The message directs me to a Certificate Compatibility page on the FR wiki, but unfortunately that points a lot of fingers at Windows, which my laptop is not running. Whether it's windows or not, the supplicant is *always* the one who chooses to stop doing EAP. We have also tried creating the certs with the bootstrap program and modifying eap.conf accordingly, to no avail. For reference, eapol_test also fails in the same manner when running locally on the FreeRADIUS box. Uh... then all bets are off. If eapol_test doesn't work, then you broke the FR configuration. FR eapol_test work together. I do this pretty much every day. Post the output from eapol_test. It should produce *many* messages describing exactly what is going wrong, and why. I am sure I am missing something - probably something simple - but I just have not been able to figure it out, and I am clearly not very good at reading the debug output. :-( You read it fine. Something *else* is going on. I have been researching this for quite some time and have found a lot of helpful information from people on this list, so I hope somebody can help me pinpoint the issue. My apologies if I was too wordy. Any help is greatly appreciated. Wordy is better than I tried stuff and it didn't work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Troubleshooting FreeRadius +LDAP
Greetings list users, I'm trying setup FreeRadius to work with LDAP in a deployment of ClearOS and have followed this How-To http://www.clearfoundation.com/docs/howtos/setting_up_freeradius2_to_use_ldap and this How-To http://deployingradius.com/documents/configuration/pap.html with success, up to the part of the inital radtest with credentials inserted in the users file. But when trying to use credentials from the LDAP directory, the Radius server returns an Access-Reject packet. Below is the output from the debug mode. *** login as: root root@192.168.3.5's password: Last login: Mon Sep 12 13:31:45 2011 from 192.168.3.2 [root@system ~]# service radiusd stop Stopping RADIUS server:[ OK ] [root@system ~]# radiusd -X FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on May 19 2010 at 13:10:59 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clearos-clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/clearos-eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/clearos-inner-tunnel group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = /usr localstatedir = /var logdir = /var/log/radius libdir = /usr/lib/freeradius radacctdir = /var/log/radius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = /var/run/radiusd/radiusd.pid checkrad = /usr/sbin/checkrad debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: Loading Realms
Re: Freeradius Ldap mosule is authenticating with wrong password also
Thanks, Issue has been resolved. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius-Ldap-mosule-is-authenticating-with-wrong-password-also-tp4623550p4634082.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius Ldap mosule is authenticating with wrong password also
Thanks, Issue has been resolved. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius-Ldap-mosule-is-authenticating-with-wrong-password-also-tp4623550p4634084.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius Ldap mosule is authenticating with wrong password also
Hi, DEFAULT LDAP-Group == CiscoRWL2Lr, Auth-Type := Accept Reply-Message = Welcome! You have administrative access., Service-Type = NAS-Prompt-User, cisco-avpair = shell:priv-lvl=15 as already said, you've configured your RADIUS server to accept ANYONE who is in the CiscoRW2Lr group - even if their password is 100% wrong. Auth-Type := Accept opens your box to basically not caring about authentication only authorization. remove the auth-type and ensure your authentication is working - which will need some work for AD alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius Ldap mosule is authenticating with wrong password also
=Networking,DC=kochar,DC=com, with filter ((cn=CiscoRWL2Lr)(|((objectClass=group)(member=))((objectClass=top)(uniquemember= [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=Vijay Singh,OU=ASR,OU=Networking,DC=kochar,DC=com, with filter (objectclass=*) [ldap] performing search in CN=CiscoRWL2Lr,OU=UsersAdminSystem,DC=kochar,DC=com, with filter (cn=CiscoRWL2Lr) rlm_ldap::ldap_groupcmp: User found in group CiscoRWL2Lr [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok [ldap] performing user authorization for vijay.singh [ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} - vijay.singh [ldap] expand: ((sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) - ((sAMAccountName=vijay.singh)) [ldap] expand: OU=Networking,DC=kochar,DC=com - OU=Networking,DC=kochar,DC=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in OU=Networking,DC=kochar,DC=com, with filter ((sAMAccountName=vijay.singh)) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user vijay.singh authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [vijay.singh] (from client KiplAsrNetwork port 1 cli 172.17.27.9) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 26 to 172.17.3.182 port 1645 Reply-Message = Welcome! You have administrative access. Service-Type = NAS-Prompt-User Cisco-AVPair = shell:priv-lvl=15 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 26 with timestamp +22 Ready to process requests. [root@radiusasr ~]# # -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius-Ldap-mosule-is-authenticating-with-wrong-password-also-tp4623550p4625455.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius Ldap mosule is authenticating with wrong password also
On Sat, Jul 23, 2011 at 1:25 PM, vijaysingh vijay.si...@kochar.com wrote: Please find below the configuration and logs :- ## /etc/raddb/users ## DEFAULT LDAP-Group == CiscoRWL2Lr, Auth-Type := Accept There you go. That line effectively means if the user is member of CiscoRWL2Lr LDAP group, then accept it. Period. No password check whatsoever. I'd recommend you just remove all Auth-Type := Accept part ... Reply-Message = Welcome! You have administrative access., Service-Type = NAS-Prompt-User, cisco-avpair = shell:priv-lvl=15 DEFAULT LDAP-Group == CiscoROL2Lr, Auth-Type := Accept Reply-Message = Welcome! You have limited access., Service-Type = NAS-Prompt-User, cisco-avpair = shell:priv-lvl=1 DEFAULT Auth-Type := Reject ... and simply use that Auth-Type := Reject to reject users not in the two LDAP groups. But that's only half of the problem. [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly? the other half is that you're AD, which does not store plain text password or hand out NT-hashes. For this part try reading active directory guide on FR wiki or deployingradius.com -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius Ldap mosule is authenticating with wrong password also
Hi, I have configured freeradius with LDAP authetication with my windows 2008 active directory. Two condition should met to authenticate the user 1.) User password should match 2.) user should be member of cisco group. Freeradius is cheking second condition only and if user enter wrong or blank password it is autheticating the user. Kindly help what can be the issue? I am getting following two errors in logs :- [ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details [ldap] ... expanding second conditional [ldap] looking for reply items in directory... WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly? If required I can post full logs and configuration file here. Vijay. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius-Ldap-mosule-is-authenticating-with-wrong-password-also-tp4623550p4623550.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius Ldap mosule is authenticating with wrong password also
Hi, If required I can post full logs and configuration file here. err, yes. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius - LDAP
password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] login attempt by ldapuser with password MTIxMjEyIA== [ldap] user DN: uid=ldapuser,ou=People,dc=example,dc=com rlm_ldap: (re)connect to localhost:389, authentication 1 rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/MTIxMjEyIA== to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials ++[ldap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} - ldapuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.5 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 207 to 127.0.0.1 port 36725 Waking up in 4.9 seconds. Cleaning up request 0 ID 207 with timestamp +1224 Ready to process requests. Do you have any idea? I'm not seeing something? Regards, Max -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/FreeRadius-LDAP-tp4615085p4615111.html To unsubscribe from FreeRadius - LDAP, click here http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_codenode=4615085code=bS50b21tYXNpQHB1cnBsZXNybC5jb218NDYxNTA4NXwxMTQ4Njc3MDIx. -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-LDAP-tp4615085p4615357.html Sent from the FreeRadius - User mailing list archive at Nabble.com.- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius - LDAP
was successful rlm_ldap: performing search in dc=example,dc=com, with filter (uid=ldapuser) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user ldapuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] login attempt by ldapuser with password MTIxMjEyIA== [ldap] user DN: uid=ldapuser,ou=People,dc=example,dc=com rlm_ldap: (re)connect to localhost:389, authentication 1 rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/MTIxMjEyIA== to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials ++[ldap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} - ldapuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.5 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 207 to 127.0.0.1 port 36725 Waking up in 4.9 seconds. Cleaning up request 0 ID 207 with timestamp +1224 Ready to process requests. Do you have any idea? I'm not seeing something? Regards, Max -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/FreeRadius-LDAP-tp4615085p4615111.html To unsubscribe from FreeRadius - LDAP, click here http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_codenode=4615085code=bS50b21tYXNpQHB1cnBsZXNybC5jb218NDYxNTA4NXwxMTQ4Njc3MDIx. -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-LDAP-tp4615085p4615357.html Sent from the FreeRadius - User mailing list archive at Nabble.com.- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius - LDAP
{...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: Opening IP addresses and Ports listen { type = auth ipaddr = * port = 0 } listen { type = acct ipaddr = * port = 0 } listen { type = control listen { socket = /var/run/radiusd/radiusd.sock } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. --- NOW, when I try the auth: radtest ldapuser 121212 localhost 2 testing123 I get this output on the client side Sending Access-Request of id 207 to 127.0.0.1 port 1812 User-Name = ldapuser User-Password = MTIxMjEyIA== NAS-IP-Address = 127.0.0.1 NAS-Port = 2 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=207, length=20 AND this one on the radius server side: rad_recv: Access-Request packet from host 127.0.0.1 port 36725, id=207, length=60 User-Name = ldapuser User-Password = MTIxMjEyIA== NAS-IP-Address = 127.0.0.1 NAS-Port = 2 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = ldapuser, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for ldapuser [ldap] expand: %{Stripped-User-Name} - [ldap] expand: %{User-Name} - ldapuser [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=ldapuser) [ldap] expand: dc=example,dc=com - dc=example,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=example,dc=com, with filter (uid=ldapuser) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user ldapuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] login attempt by ldapuser with password MTIxMjEyIA== [ldap] user DN: uid=ldapuser,ou=People,dc=example,dc=com rlm_ldap: (re)connect to localhost:389, authentication 1 rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/MTIxMjEyIA== to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials ++[ldap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} - ldapuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.5 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 207 to 127.0.0.1 port 36725 Waking up in 4.9 seconds. Cleaning up request 0 ID 207 with timestamp +1224 Ready to process requests. Do you have any idea? I'm not seeing something? Regards, Max -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/FreeRadius-LDAP-tp4615085p4615111.html To unsubscribe from FreeRadius - LDAP, click here http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_codenode=4615085code=bS50b21tYXNpQHB1cnBsZXNybC5jb218NDYxNTA4NXwxMTQ4Njc3MDIx. -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-LDAP-tp4615085p4615357.html Sent from the FreeRadius - User mailing list archive at Nabble.com.- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- :: P u r p l e s r l :: security and network :: via Vittorio Veneto 8/B :: i-20091 Bresso - Milano :: web: www.purplesrl.com :: Massimiliano Tommasi :: email: m.tomm...@purplesrl.com :: phone: +39 02 36687280 :: fax: +39 02 700511249 - List info/subscribe/unsubscribe? See http
Re: FreeRadius - LDAP
search in dc=example,dc=com, with filter (uid=ldapuser) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user ldapuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] login attempt by ldapuser with password MTIxMjEyIA== [ldap] user DN: uid=ldapuser,ou=People,dc=example,dc=com rlm_ldap: (re)connect to localhost:389, authentication 1 rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/MTIxMjEyIA== to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials ++[ldap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} - ldapuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.5 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 207 to 127.0.0.1 port 36725 Waking up in 4.9 seconds. Cleaning up request 0 ID 207 with timestamp +1224 Ready to process requests. Do you have any idea? I'm not seeing something? Regards, Max -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/FreeRadius-LDAP-tp4615085p4615111.html To unsubscribe from FreeRadius - LDAP, click here http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_codenode=4615085code=bS50b21tYXNpQHB1cnBsZXNybC5jb218NDYxNTA4NXwxMTQ4Njc3MDIx. -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-LDAP-tp4615085p4615357.html Sent from the FreeRadius - User mailing list archive at Nabble.com.- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius + Ldap + SSL/TLS
Hi, I install freeradius on Debian machine. I have my user in ldap and I use that directory to authentication.But when I want to use SSL or TLS in connections between radius and ldap, I have that error in radius log. (Freeradius -X) - [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to ldap.corporate.com:1793, authentication 0 [ldap] setting TLS CACert File to /etc/freradius/certs/RootCA.pem [ldap] setting TLS CACert Directory to /etc/freeradius/certs/ [ldap] setting TLS Cert File to /etc/freeradius/certs/RootCA.crt [ldap] setting TLS Key File to /etc/freeradius/certs/SSLSubCA.pem [ldap] setting TLS Key File to /etc/freeradius/certs/ [ldap] bind as uid=...,dc=...,dc=...,dc=.../pssword to ldap.corporate.com:1793 [ldap] waiting for bind result ... [ldap] ldap_result() [ldap] uid=...,dc=...,dc=...,dc=.../pssword to ldap.corporate.com:1793failed: timeout [ldap] (re)connection attempt failed [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail - i have in ldap.conf : ldap { server = ldap.corporate.com port= 1793 ... tls { # cacertfile= /path/to/cacert.pem # cacertdir = /path/to/certs/ # certfile= /path/to/radius.crt # keyfile= /path/to/radius.key # randfile= /path/to/rnd # require_cert= demand cacertfile= /etc/freradius/certs/RootCA.pem cacertdir= /etc/freeradius/certs/ certfile= /etc/freeradius/certs/RootCA.crt keyfile= /etc/freeradius/certs/SSLSubCA.pem randfile= /etc/freeradius/certs/ require_cert= allow it's an another team who manage this ldap corporate. This team request me to import the Corporate.Root.CA and Corporate.SSL.CA to be able to SSL connections. About them, my radius server don't used SSL connections. I don't know where put them... Sorry for my English, the french replies will be accepted. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius+ldap: Invalid DN syntax
Hello. I am using Freeradius 2 with openldap 2.3.43 on my CentOS 5. My OPenldap works grate without freeradius, and freeradius works without ldap. But i cant connect ldap and freeradius. my ldapsearch output: ldapsearch -x # extended LDIF # # LDAPv3 # base dc=my-domain,dc=com (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # my-domain.com dn: dc=my-domain,dc=com objectClass: organization objectClass: dcObject dc: my-domain o: my-domain # People, my-domain.com dn: ou=People,dc=my-domain,dc=com objectClass: organizationalUnit ou: People # group, my-domain.com dn: ou=group,dc=my-domain,dc=com objectClass: organizationalUnit ou: group # machines, my-domain.com dn: ou=machines,dc=my-domain,dc=com objectClass: organizationalUnit ou: machines # office, group, my-domain.com dn: cn=office,ou=group,dc=my-domain,dc=com objectClass: posixGroup description: office group gidNumber: 1 cn: office # gchkhetiani, People, my-domain.com dn: uid=gchkhetiani,ou=People,dc=my-domain,dc=com objectClass: posixAccount objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person homeDirectory: /home/gchkhetiani loginShell: /bin/bash uid: gchkhetiani cn:: 4YOS4YOY4YOd4YOg4YOS4YOYIOGDqeGDruGDlOGDouGDmOGDkOGDnOGDmA== uidNumber: 1 gidNumber: 1 sn:: 4YOp4YOu4YOU4YOi4YOY4YOQ4YOc4YOY givenName:: 4YOS4YOY4YOd4YOg4YOS4YOY # search result search: 2 result: 0 Success # numResponses: 7 # numEntries: 6 my /etc/raddb/modules/ldap: ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = server2.**.ge identity = cn=Manager,dc=my-domain,dc=com password = ** basedn = dn=my-domain,dn=com filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}}) radtest command: radtest gchkhetiani localhost 2 testing123 radiusd -X output: [ldap] performing user authorization for gchkhetiani [ldap] expand: %{Stripped-User-Name} - [ldap] expand: %{User-Name} - gchkhetiani [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=gchkhetiani) [ldap] expand: dn=my-domain,dn=com - dn=my-domain,dn=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to server2.**.ge:389, authentication 0 rlm_ldap: bind as cn=Manager,dc=my-domain,dc=com/** to server2.**.ge:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dn=my-domain,dn=com, with filter (uid=gchkhetiani) rlm_ldap: ldap_search() failed: Invalid DN syntax [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns fail Invalid user: [gchkhetiani/svani] (from client localhost port 2) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} - gchkhetiani attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 218 to 127.0.0.1 port 35291 There is rlm_ldap: ldap_search() failed: Invalid DN syntax error. How can I fix it? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius+ldap: Invalid DN syntax
On 02/04/2011 18:29, ziko wrote: Hello. I am using Freeradius 2 with openldap 2.3.43 on my CentOS 5. My OPenldap works grate without freeradius, and freeradius works without ldap. But i cant connect ldap and freeradius. my ldapsearch output: ldapsearch -x # extended LDIF # # LDAPv3 # base dc=my-domain,dc=com (default) with scope subtree ..^^...^^ my /etc/raddb/modules/ldap: ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = server2.**.ge identity = cn=Manager,dc=my-domain,dc=com password = ** basedn = dn=my-domain,dn=com ^^...^^ radiusd -X output: . rlm_ldap: performing search in dn=my-domain,dn=com, with filter (uid=gchkhetiani) rlm_ldap: ldap_search() failed: Invalid DN syntax There is rlm_ldap: ldap_search() failed: Invalid DN syntax error. How can I fix it? ...configure the basedn correctly!! wrong: basedn = dn=my-domain,dn=com correct:basedn = dc=my-domain,dc=com -James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius+ldap: Invalid DN syntax
Thank you very much! I am new to ldap :( thank you it works now! From: James J J Hooper jjj.hoo...@bristol.ac.uk To: freeradius-users@lists.freeradius.org Sent: Sat, April 2, 2011 9:54:26 PM Subject: Re: freeradius+ldap: Invalid DN syntax On 02/04/2011 18:29, ziko wrote: Hello. I am using Freeradius 2 with openldap 2.3.43 on my CentOS 5. My OPenldap works grate without freeradius, and freeradius works without ldap. But i cant connect ldap and freeradius. my ldapsearch output: ldapsearch -x # extended LDIF # # LDAPv3 # base dc=my-domain,dc=com (default) with scope subtree ..^^...^^ my /etc/raddb/modules/ldap: ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = server2.**.ge identity = cn=Manager,dc=my-domain,dc=com password = ** basedn = dn=my-domain,dn=com ^^...^^ radiusd -X output: . rlm_ldap: performing search in dn=my-domain,dn=com, with filter (uid=gchkhetiani) rlm_ldap: ldap_search() failed: Invalid DN syntax There is rlm_ldap: ldap_search() failed: Invalid DN syntax error. How can I fix it? ...configure the basedn correctly!! wrong: basedn = dn=my-domain,dn=com correct:basedn = dc=my-domain,dc=com -James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius Ldap
Hello everyone, after a long time my freeradius it's working with Ldap. The problem it was because I hasn't Installed the Samba. my aim is to use the freeradius to authencticate my wireless users with EAP-TLS. As I'm using the MSCHAP it's necessary the attributes SambaNTPassword and SambaLMPassword then it's need install Samba and Ldap. I'm using the freeradius version 2.1.7 on the Red-Hat Enterprise 5.6 Thank Joaocdc!! 2011/3/21 Sven Hartge s...@svenhartge.de Usuário do Sistema maico...@ig.com.br wrote: Hello everyone, I'm dificult with freeradius and LDAP. the user autheticate only it's work when I put in the user file User-Password clear text as follow. maicon.pereiraCleartext-Password := meleca Reply-Message = Hello, %{User-Name} however, my integration between Freeradius and Ldap it isn't working. My question is: there is possible to make the intragation?? because I've read that freeradius needs supply to ldap User-Password clear text. it's true ?? That depends. If you want to use _any_ Challenge-Handshake auth method like MSCHAPv2 for wireless LAN you need to supply a cleartext password. If you only want to use PAP, you can keep using ldap_bind() and an encrypted/hashed password. [-- text/html, encoding quoted-printable, charset: ISO-8859-1, 30 lines --] Ugh. Grüße, Sven. -- Sig lost. Core dumped. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius Ldap
Hello everyone, I'm dificult with freeradius and LDAP. the user autheticate only it's work when I put in the user file User-Password clear text as follow. maicon.pereiraCleartext-Password := meleca Reply-Message = Hello, %{User-Name} however, my integration between Freeradius and Ldap it isn't working. My question is: there is possible to make the intragation?? because I've read that freeradius needs supply to ldap User-Password clear text. it's true ?? I wish to use the ldap as database authetication. thank! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius Ldap
Maicon, como vi o Pereira no seu nome, deduzo que você seja do Brasil, portanto irei responder sua pergunta em português. 1º Sim o freeradius se integra perfeitamente com o LDAP 2º Que base LDAP vc esta utilizando? OpenLDAP, Active Directory??? 3° Como esta a configuração de seu arquivo ldap? isso é onde você define a árvore de pesquisa do LDAP. 4º A partir de onde você esta tentando se autenticar?? Windows, linux, mac, (ou esta testando com os utilitários radtest e epol_test). 5º para ajudar poste aqui a saída de debug do seu freeradius (basta executar o freeradius com o comando freeradius -X) Com essas informações acredito que posso te ajudar. Abraços. Att. Em 21 de março de 2011 18:04, Usuário do Sistema maico...@ig.com.brescreveu: Hello everyone, I'm dificult with freeradius and LDAP. the user autheticate only it's work when I put in the user file User-Password clear text as follow. maicon.pereiraCleartext-Password := meleca Reply-Message = Hello, %{User-Name} however, my integration between Freeradius and Ldap it isn't working. My question is: there is possible to make the intragation?? because I've read that freeradius needs supply to ldap User-Password clear text. it's true ?? I wish to use the ldap as database authetication. thank! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- João Paulo de Lima Barbosa Fone: (45) 9938-8399 Blog: http://joao.us Twitter: @joaocdc O erro dos que tem poder é colocar barreiras para que ninguém os alcance, incentivando-nos a buscar todas as formas que encontramos para alcança-los. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius Ldap
Usuário do Sistema maico...@ig.com.br wrote: Hello everyone, I'm dificult with freeradius and LDAP. the user autheticate only it's work when I put in the user file User-Password clear text as follow. maicon.pereiraCleartext-Password := meleca Reply-Message = Hello, %{User-Name} however, my integration between Freeradius and Ldap it isn't working. My question is: there is possible to make the intragation?? because I've read that freeradius needs supply to ldap User-Password clear text. it's true ?? That depends. If you want to use _any_ Challenge-Handshake auth method like MSCHAPv2 for wireless LAN you need to supply a cleartext password. If you only want to use PAP, you can keep using ldap_bind() and an encrypted/hashed password. [-- text/html, encoding quoted-printable, charset: ISO-8859-1, 30 lines --] Ugh. Grüße, Sven. -- Sig lost. Core dumped. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeRadius/LDAP per NAS access
On 7 Mar 2011, at 22:14, Alexander Clouter wrote: Guy g...@britewhite.net wrote: I now have FreeRadius granting access and using LDAP for username and password information. My next challenge, using the same Radius and LDAP server I would like to grant different users access via different NAS clients. eg in LDAP I would have: uid=guy services: VPN services: WiFi If I have the services: VPN then I would be allowed to connect to the VPN server and if I don't have that entry in my LDIF then it would not be allowed to access. Any ideas on how to do this, simply? ...Dear Lazyweb eh? You should really *attempt* to try, or show you have attempted something, Dear Teacher, just like back at school Please show your working.. :) I did spend quite some time searching for the answer, however documentation end-to-end seems to be a little lacking. http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59481.html http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.html Now use %{client:keyword} in your LDAP xlat search query... Thanks for the the hints.. I've now got this to work... In modules/ldap I changed filter to: filter = ((uid=%{%{Stripped-User-Name}:-%{User-Name}})(authorizedService=%{client:service})) Then in clients.conf.. just added a an entry to each client: client VPN_Server { secret = ssshhh! shortname = vpn nastype = other service = VPN } And finally for each user in the LDAP database I add the entry: authorsizedService: VPN That's it I can now control access to each client via VPN data. To be honest though, your approach *abuses* LDAP, you should be adding them to a *group*, not bloating-up and overloading the user object; otherwise you might as well use something horrible like SQL... I would argue that point most strongly but this is not the place.. Thanks again for the help --Guy Cheers -- Alexander Clouter .sigmonster says: A woman can never be too rich or too thin. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeRadius/LDAP per NAS access
Hi all, I now have FreeRadius granting access and using LDAP for username and password information. My next challenge, using the same Radius and LDAP server I would like to grant different users access via different NAS clients. eg in LDAP I would have: uid=guy services: VPN services: WiFi If I have the services: VPN then I would be allowed to connect to the VPN server and if I don't have that entry in my LDIF then it would not be allowed to access. Any ideas on how to do this, simply? Thanks ---Guy - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeRadius/LDAP per NAS access
Guy g...@britewhite.net wrote: I now have FreeRadius granting access and using LDAP for username and password information. My next challenge, using the same Radius and LDAP server I would like to grant different users access via different NAS clients. eg in LDAP I would have: uid=guy services: VPN services: WiFi If I have the services: VPN then I would be allowed to connect to the VPN server and if I don't have that entry in my LDIF then it would not be allowed to access. Any ideas on how to do this, simply? ...Dear Lazyweb eh? You should really *attempt* to try, or show you have attempted something, http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59481.html http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.html Now use %{client:keyword} in your LDAP xlat search query... To be honest though, your approach *abuses* LDAP, you should be adding them to a *group*, not bloating-up and overloading the user object; otherwise you might as well use something horrible like SQL... Cheers -- Alexander Clouter .sigmonster says: A woman can never be too rich or too thin. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius + LDAP for WPA-Enterprise
Hello to all, I would like to use Freeradius to authenticate my wireless network using OpenWRT and Freeradius + LDAP. What I've done: First Authenticated Users in WLan using EAP-TTLS and files in Freeradius. WORKED! Then I've configured ldap-Modul + added ldap in the authorize- and Auth-Type LDAP { ldap } in the authenticate-section. The test via radtest succeeded. But now the authentication using OpenWRT (EAP-TTLS) like the first try with files - now with ldap did not work. I do noticed the following comment # Note that this means check plain-text password against # the ldap database, which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } but I don't know what to change that it worked like my first try with the difference the users are in LDAP instead of a file. Hope to get any hints Best regards. MS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius + LDAP for WPA-Enterprise
I'm barely a novice with FR, so take this with a grain of salt: You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the Auth Type LDAP - for now. You almost never want to set the Auth-Type directly, FR figures it out from the request. For testing and troubleshooting it's OK, and if you really know what the consequences are its OK, but generally speaking don't set the auth type. As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the no clear text password issue. Gary -Original Message- From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 11:06 AM To: freeradius-users@lists.freeradius.org Subject: Freeradius + LDAP for WPA-Enterprise Hello to all, I would like to use Freeradius to authenticate my wireless network using OpenWRT and Freeradius + LDAP. What I've done: First Authenticated Users in WLan using EAP-TTLS and files in Freeradius. WORKED! Then I've configured ldap-Modul + added ldap in the authorize- and Auth-Type LDAP { ldap } in the authenticate-section. The test via radtest succeeded. But now the authentication using OpenWRT (EAP-TTLS) like the first try with files - now with ldap did not work. I do noticed the following comment # Note that this means check plain-text password against # the ldap database, which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } but I don't know what to change that it worked like my first try with the difference the users are in LDAP instead of a file. Hope to get any hints Best regards. MS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html font size=1 div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in' /div This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system. /font - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP for WPA-Enterprise
Hello, I'm trying to do the same thing, I know I have to use winbind and samba to get it, but in reading the news I found this freeradius 2.1 Added Password-With-Header == userPassword to raddb / ldap.attrmap This Will automaticallyconvert more passwords []'s -- Vinicius Teixeira Coelho Registered Linux User #469313 The Ubuntu Counter Project - user number # 21463 On Fri, Feb 11, 2011 at 3:37 PM, Gary Gatten ggat...@waddell.com wrote: I'm barely a novice with FR, so take this with a grain of salt: You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the Auth Type LDAP - for now. You almost never want to set the Auth-Type directly, FR figures it out from the request. For testing and troubleshooting it's OK, and if you really know what the consequences are its OK, but generally speaking don't set the auth type. As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the no clear text password issue. Gary -Original Message- From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org[mailto: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 11:06 AM To: freeradius-users@lists.freeradius.org Subject: Freeradius + LDAP for WPA-Enterprise Hello to all, I would like to use Freeradius to authenticate my wireless network using OpenWRT and Freeradius + LDAP. What I've done: First Authenticated Users in WLan using EAP-TTLS and files in Freeradius. WORKED! Then I've configured ldap-Modul + added ldap in the authorize- and Auth-Type LDAP { ldap } in the authenticate-section. The test via radtest succeeded. But now the authentication using OpenWRT (EAP-TTLS) like the first try with files - now with ldap did not work. I do noticed the following comment # Note that this means check plain-text password against # the ldap database, which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } but I don't know what to change that it worked like my first try with the difference the users are in LDAP instead of a file. Hope to get any hints Best regards. MS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html font size=1 div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in' /div This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system. /font - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius + LDAP for WPA-Enterprise
As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the no clear text password issue. I think he is right ... I know that we had to use the ntlm_auth exec module ... is there a reason you are doing EAP instead of PEAP? PEAP/MSCHAPv2 or PEAP/TTLS work great with Linux hosts ... even MACs (which are nothing more that bastardized Linux boxes) Windows hosts require a bit of configuring on the client to make it work but then they work too. Jake Sallee Godfather Of Bandwidth Network Engineer Fone: 254-295-4658 Phax: 254-295-4221 -Original Message- From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Gary Gatten Sent: Friday, February 11, 2011 11:37 AM To: 'FreeRadius users mailing list' Subject: RE: Freeradius + LDAP for WPA-Enterprise I'm barely a novice with FR, so take this with a grain of salt: You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the Auth Type LDAP - for now. You almost never want to set the Auth-Type directly, FR figures it out from the request. For testing and troubleshooting it's OK, and if you really know what the consequences are its OK, but generally speaking don't set the auth type. As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the no clear text password issue. Gary -Original Message- From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 11:06 AM To: freeradius-users@lists.freeradius.org Subject: Freeradius + LDAP for WPA-Enterprise Hello to all, I would like to use Freeradius to authenticate my wireless network using OpenWRT and Freeradius + LDAP. What I've done: First Authenticated Users in WLan using EAP-TTLS and files in Freeradius. WORKED! Then I've configured ldap-Modul + added ldap in the authorize- and Auth-Type LDAP { ldap } in the authenticate-section. The test via radtest succeeded. But now the authentication using OpenWRT (EAP-TTLS) like the first try with files - now with ldap did not work. I do noticed the following comment # Note that this means check plain-text password against # the ldap database, which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } but I don't know what to change that it worked like my first try with the difference the users are in LDAP instead of a file. Hope to get any hints Best regards. MS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html font size=1 div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in' /div This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system. /font - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius + LDAP for WPA-Enterprise
Yeah, but that's SAMBA - not LDAP. (Added Password-With-Header == userPassword to raddb / ldap.attrmap ) sounds interesting! From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Vinicius Teixeira Coelho Sent: Friday, February 11, 2011 12:09 PM To: FreeRadius users mailing list Subject: Re: Freeradius + LDAP for WPA-Enterprise Hello, I'm trying to do the same thing, I know I have to use winbind and samba to get it, but in reading the news I found this freeradius 2.1 Added Password-With-Header == userPassword to raddb / ldap.attrmap This Will automaticallyconvert more passwords []'s -- Vinicius Teixeira Coelho Registered Linux User #469313 The Ubuntu Counter Project - user number # 21463 On Fri, Feb 11, 2011 at 3:37 PM, Gary Gatten ggat...@waddell.commailto:ggat...@waddell.com wrote: I'm barely a novice with FR, so take this with a grain of salt: You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the Auth Type LDAP - for now. You almost never want to set the Auth-Type directly, FR figures it out from the request. For testing and troubleshooting it's OK, and if you really know what the consequences are its OK, but generally speaking don't set the auth type. As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the no clear text password issue. Gary -Original Message- From: freeradius-users-bounces+ggatten=waddell.comhttp://waddell.com@lists.freeradius.orghttp://lists.freeradius.org [mailto:freeradius-users-bounces+ggattenmailto:freeradius-users-bounces%2Bggatten=waddell.comhttp://waddell.com@lists.freeradius.orghttp://lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 11:06 AM To: freeradius-users@lists.freeradius.orgmailto:freeradius-users@lists.freeradius.org Subject: Freeradius + LDAP for WPA-Enterprise Hello to all, I would like to use Freeradius to authenticate my wireless network using OpenWRT and Freeradius + LDAP. What I've done: First Authenticated Users in WLan using EAP-TTLS and files in Freeradius. WORKED! Then I've configured ldap-Modul + added ldap in the authorize- and Auth-Type LDAP { ldap } in the authenticate-section. The test via radtest succeeded. But now the authentication using OpenWRT (EAP-TTLS) like the first try with files - now with ldap did not work. I do noticed the following comment # Note that this means check plain-text password against # the ldap database, which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } but I don't know what to change that it worked like my first try with the difference the users are in LDAP instead of a file. Hope to get any hints Best regards. MS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html font size=1 div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in' /div This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system. /font - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html font size=1 div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in' /div This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system. /font - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP for WPA-Enterprise
Yes, but your samba is using the ldap []'s -- Vinicius Teixeira Coelho Registered Linux User #469313 The Ubuntu Counter Project - user number # 21463 On Fri, Feb 11, 2011 at 4:35 PM, Gary Gatten ggat...@waddell.com wrote: Yeah, but that’s SAMBA – not LDAP. (Added Password-With-Header == userPassword to raddb / ldap.attrmap ) sounds interesting! -- *From:* freeradius-users-bounces+ggatten=waddell@lists.freeradius.org[mailto: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] *On Behalf Of *Vinicius Teixeira Coelho *Sent:* Friday, February 11, 2011 12:09 PM *To:* FreeRadius users mailing list *Subject:* Re: Freeradius + LDAP for WPA-Enterprise Hello, I'm trying to do the same thing, I know I have to use winbind and samba to get it, but in reading the news I found this freeradius 2.1 Added Password-With-Header == userPassword to raddb / ldap.attrmap This Will automaticallyconvert more passwords []'s -- Vinicius Teixeira Coelho Registered Linux User #469313 The Ubuntu Counter Project - user number # 21463 On Fri, Feb 11, 2011 at 3:37 PM, Gary Gatten ggat...@waddell.com wrote: I'm barely a novice with FR, so take this with a grain of salt: You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the Auth Type LDAP - for now. You almost never want to set the Auth-Type directly, FR figures it out from the request. For testing and troubleshooting it's OK, and if you really know what the consequences are its OK, but generally speaking don't set the auth type. As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the no clear text password issue. Gary -Original Message- From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org[mailto: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 11:06 AM To: freeradius-users@lists.freeradius.org Subject: Freeradius + LDAP for WPA-Enterprise Hello to all, I would like to use Freeradius to authenticate my wireless network using OpenWRT and Freeradius + LDAP. What I've done: First Authenticated Users in WLan using EAP-TTLS and files in Freeradius. WORKED! Then I've configured ldap-Modul + added ldap in the authorize- and Auth-Type LDAP { ldap } in the authenticate-section. The test via radtest succeeded. But now the authentication using OpenWRT (EAP-TTLS) like the first try with files - now with ldap did not work. I do noticed the following comment # Note that this means check plain-text password against # the ldap database, which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } but I don't know what to change that it worked like my first try with the difference the users are in LDAP instead of a file. Hope to get any hints Best regards. MS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html font size=1 div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in' /div This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system. /font - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP for WPA-Enterprise
I don't think ntlm_auth makes any ldap calls. From: Vinicius Teixeira Coelho [mailto:vinicius...@gmail.com] Sent: Friday, February 11, 2011 12:41 PM To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Subject: Re: Freeradius + LDAP for WPA-Enterprise Yes, but your samba is using the ldap []'s -- Vinicius Teixeira Coelho Registered Linux User #469313 The Ubuntu Counter Project - user number # 21463 On Fri, Feb 11, 2011 at 4:35 PM, Gary Gatten ggat...@waddell.commailto:ggat...@waddell.com wrote: Yeah, but that’s SAMBA – not LDAP. (Added Password-With-Header == userPassword to raddb / ldap.attrmap ) sounds interesting! From: freeradius-users-bounces+ggatten=waddell.comhttp://waddell.com@lists.freeradius.orghttp://lists.freeradius.org [mailto:freeradius-users-bounces+ggattenmailto:freeradius-users-bounces%2Bggatten=waddell.comhttp://waddell.com@lists.freeradius.orghttp://lists.freeradius.org] On Behalf Of Vinicius Teixeira Coelho Sent: Friday, February 11, 2011 12:09 PM To: FreeRadius users mailing list Subject: Re: Freeradius + LDAP for WPA-Enterprise Hello, I'm trying to do the same thing, I know I have to use winbind and samba to get it, but in reading the news I found this freeradius 2.1 Added Password-With-Header == userPassword to raddb / ldap.attrmap This Will automaticallyconvert more passwords []'s -- Vinicius Teixeira Coelho Registered Linux User #469313 The Ubuntu Counter Project - user number # 21463 On Fri, Feb 11, 2011 at 3:37 PM, Gary Gatten ggat...@waddell.commailto:ggat...@waddell.com wrote: I'm barely a novice with FR, so take this with a grain of salt: You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the Auth Type LDAP - for now. You almost never want to set the Auth-Type directly, FR figures it out from the request. For testing and troubleshooting it's OK, and if you really know what the consequences are its OK, but generally speaking don't set the auth type. As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the no clear text password issue. Gary -Original Message- From: freeradius-users-bounces+ggatten=waddell.comhttp://waddell.com@lists.freeradius.orghttp://lists.freeradius.org [mailto:freeradius-users-bounces+ggattenmailto:freeradius-users-bounces%2Bggatten=waddell.comhttp://waddell.com@lists.freeradius.orghttp://lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 11:06 AM To: freeradius-users@lists.freeradius.orgmailto:freeradius-users@lists.freeradius.org Subject: Freeradius + LDAP for WPA-Enterprise Hello to all, I would like to use Freeradius to authenticate my wireless network using OpenWRT and Freeradius + LDAP. What I've done: First Authenticated Users in WLan using EAP-TTLS and files in Freeradius. WORKED! Then I've configured ldap-Modul + added ldap in the authorize- and Auth-Type LDAP { ldap } in the authenticate-section. The test via radtest succeeded. But now the authentication using OpenWRT (EAP-TTLS) like the first try with files - now with ldap did not work. I do noticed the following comment # Note that this means check plain-text password against # the ldap database, which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } but I don't know what to change that it worked like my first try with the difference the users are in LDAP instead of a file. Hope to get any hints Best regards. MS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html font size=1 div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in' /div This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system. /font - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html font size=1 div
Re: Freeradius + LDAP for WPA-Enterprise
Gary Gatten wrote: You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the Auth Type LDAP - for now. If I remove that the radtest failed for a LDAP-User. It returns a rejected Message. As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the no clear text password issue. How else would you authenticate a WPA(2)-Enterprise with Radius using LDAP-Accounts? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius + LDAP for WPA-Enterprise
We just started using WPA2-Enterprise. We use SAMBA / ntlm_auth / AD. I honestly don't know if / how you can do it using pure LDAP. Someone else posted something about new LDAP attributes that may work, but that's way over my head. Maybe if you use certs instead of uname/passwords it will work with pure LDAP? Sorry I can't help much G -Original Message- From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 2:31 PM To: FreeRadius users mailing list Subject: Re: Freeradius + LDAP for WPA-Enterprise Gary Gatten wrote: You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the Auth Type LDAP - for now. If I remove that the radtest failed for a LDAP-User. It returns a rejected Message. As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the no clear text password issue. How else would you authenticate a WPA(2)-Enterprise with Radius using LDAP-Accounts? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html font size=1 div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in' /div This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system. /font - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius + LDAP for WPA-Enterprise
PS: We also use ntlm_auth for 802.1x. All the docs I read and the comments within the various FR files say EAP and LDAP won't work - for Authentication. Authorization should be fine. G -Original Message- From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 2:31 PM To: FreeRadius users mailing list Subject: Re: Freeradius + LDAP for WPA-Enterprise Gary Gatten wrote: You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the Auth Type LDAP - for now. If I remove that the radtest failed for a LDAP-User. It returns a rejected Message. As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the no clear text password issue. How else would you authenticate a WPA(2)-Enterprise with Radius using LDAP-Accounts? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html font size=1 div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in' /div This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system. /font - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP for WPA-Enterprise
If you want to use ldap as authentication source, either you have plaintext password in ldap or ntPassword hash stored in ldap. You can search the list of my name, I just got both eap/peap against Active Directory w/ ntlm_auth and against ldap w/ ntPassword recently. I posted my configuration on the list. I am using peap because of we don't want to install a third party supplicant. Schilling On Fri, Feb 11, 2011 at 3:44 PM, Gary Gatten ggat...@waddell.com wrote: PS: We also use ntlm_auth for 802.1x. All the docs I read and the comments within the various FR files say EAP and LDAP won't work - for Authentication. Authorization should be fine. G -Original Message- From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 2:31 PM To: FreeRadius users mailing list Subject: Re: Freeradius + LDAP for WPA-Enterprise Gary Gatten wrote: You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the Auth Type LDAP - for now. If I remove that the radtest failed for a LDAP-User. It returns a rejected Message. As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the no clear text password issue. How else would you authenticate a WPA(2)-Enterprise with Radius using LDAP-Accounts? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html font size=1 div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in' /div This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system. /font - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP for WPA-Enterprise
this is great, i will search. Enviado via iPhone Em 11/02/2011, às 19:04, schilling schilling2...@gmail.com escreveu: If you want to use ldap as authentication source, either you have plaintext password in ldap or ntPassword hash stored in ldap. You can search the list of my name, I just got both eap/peap against Active Directory w/ ntlm_auth and against ldap w/ ntPassword recently. I posted my configuration on the list. I am using peap because of we don't want to install a third party supplicant. Schilling On Fri, Feb 11, 2011 at 3:44 PM, Gary Gatten ggat...@waddell.com wrote: PS: We also use ntlm_auth for 802.1x. All the docs I read and the comments within the various FR files say EAP and LDAP won't work - for Authentication. Authorization should be fine. G -Original Message- From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 2:31 PM To: FreeRadius users mailing list Subject: Re: Freeradius + LDAP for WPA-Enterprise Gary Gatten wrote: You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the Auth Type LDAP - for now. If I remove that the radtest failed for a LDAP-User. It returns a rejected Message. As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the no clear text password issue. How else would you authenticate a WPA(2)-Enterprise with Radius using LDAP-Accounts? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html font size=1 div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in' /div This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system. /font - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius + ldap
On Thu, Dec 02, 2010 at 03:48:34PM +0100, Josip Rodin wrote: The configuration that work: ldap ldapPerson{ set_auth_type = yes } I think this is the catch. I don't have this particular option in my config, but I see now that it looks like they're all 2.1.8. I re-checked the documentation and I see now that it had nothing to do with versions, but a simple fact that the LDAP module defers to any other Auth-Type - and you had a PAP handler there. -- 2. That which causes joy or happiness. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius + ldap
Josip, thanks for your response. Add LDAP into the authenticate section, so that it simply tries to re-bind with the provided credentials? Like this: Auth-Type LDAP { ldapPerson } I try this configuration too, but it doesn't work for me. Freeradius doesn't set the value to Auth-Type attribute. I thik that this is because the userPassword attribute is only visible to each particular user when binds. rad_recv: Access-Request packet from host X.X.X.X port 49621, id=130, length=58 User-Name = aigalla...@unex.es User-Password = server test { # Executing section authorize from file /etc/freeradius/sites-enabled/test +- entering group authorize {...} [suffix] Looking up realm unex.es for User-Name = aigalla...@unex.es [suffix] Found realm unex.es [suffix] Adding Stripped-User-Name = aigallardo [suffix] Adding Realm = unex.es [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [files] users: Matched entry DEFAULT at line 33 ++[files] returns ok [ldapPerson] performing user authorization for aigallardo [ldapPerson] expand: %{Stripped-User-Name} - aigallardo [ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=aigallardo) [ldapPerson] expand: ou=people,dc=unex,dc=es - ou=people,dc=unex,dc=es [ldapPerson] ldap_get_conn: Checking Id: 0 [ldapPerson] ldap_get_conn: Got Id: 0 [ldapPerson] attempting LDAP reconnection [ldapPerson] (re)connect to ldap.unex.es:389, authentication 0 [ldapPerson] bind as / to ldap.unex.es:389 [ldapPerson] waiting for bind result ... [ldapPerson] Bind was successful [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo) [ldapPerson] No default NMAS login sequence [ldapPerson] looking for check items in directory... [ldapPerson] looking for reply items in directory... [ldapPerson] gecos - Nombre-Completo = Ana-Isabel Gallardo Gomez,Dpto. Tecno. Computadores y Comuni.,, WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly? [ldapPerson] user aigallardo authorized to use remote access [ldapPerson] ldap_release_conn: Release Id: 0 ++[ldapPerson] returns ok ++[expiration] returns noop [pap] WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. } # server test Thank you very much and sorry for my english. ++ Ana Gallardo Gómez ++ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius + ldap
On Thu, Dec 02, 2010 at 09:09:51AM +0100, Ana Gallardo wrote: Add LDAP into the authenticate section, so that it simply tries to re-bind with the provided credentials? Like this: Auth-Type LDAP { ldapPerson } I try this configuration too, but it doesn't work for me. Freeradius doesn't set the value to Auth-Type attribute. I thik that this is because the userPassword attribute is only visible to each particular user when binds. This is an orthogonal issue; you don't have to allow anyone to read the value of the userPassword attribute, you just have to get the FR ldap module to *bind* to the LDAP server with the username and password from the request. Then the LDAP server verifies it against whatever it needs in the background, and you don't care. # Executing section authorize from file /etc/freeradius/sites-enabled/test +- entering group authorize {...} [ldapPerson] bind as / to ldap.unex.es:389 [ldapPerson] waiting for bind result ... [ldapPerson] Bind was successful This is log output for an anonymous bind in authorize section (bind as / to means bind as no user/no password). What is the output for the authenticated bind, that happens in the authenticate section? -- 2. That which causes joy or happiness. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius + ldap
Hello again. Ok, now I can authenticate an user using LDAP. I'm using freeradius 2.1.10 and I want to use ldap like a backend in authorize section to take userPassword attribute (unix crypt) to authenticate the user. My problem is: the ldap server don't have public key that an admin user (who bind) can take. So I have to bind in the authorize section with the user and password (clear text) in the request. Is this posible? I have read that this is not ok http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html What are my posibilities? I think that what I can do is: - in authorize section bind like anonymous user and take the public attributes that I need to authorize the user. - in authenticate section bind like the user who want to access The configuration that work: LDAP MODULE ldap ldapPerson{ server = xxx basedn = ou=people,dc=unex,dc=es filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldapPerson.attrmap edir_account_policy_check = no set_auth_type = yes } SERVER server test{ authorize { suffix files ldapPerson expiration update control { Auth-Type := LDAP } } authenticate { Auth-Type LDAP { ldapPerson } } } DEBUG rad_recv: Access-Request packet from host x.x.x.x port 48259, id=145, length=58 User-Name = aigalla...@unex.es User-Password = server test { # Executing section authorize from file /etc/freeradius/sites-enabled/test +- entering group authorize {...} [suffix] Looking up realm unex.es for User-Name = aigalla...@unex.es [suffix] Found realm unex.es [suffix] Adding Stripped-User-Name = aigallardo [suffix] Adding Realm = unex.es [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [files] users: Matched entry DEFAULT at line 33 ++[files] returns ok [ldapPerson] performing user authorization for aigallardo [ldapPerson] expand: %{Stripped-User-Name} - aigallardo [ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=aigallardo) [ldapPerson] expand: ou=people,dc=unex,dc=es - ou=people,dc=unex,dc=es [ldapPerson] ldap_get_conn: Checking Id: 0 [ldapPerson] ldap_get_conn: Got Id: 0 [ldapPerson] attempting LDAP reconnection [ldapPerson] (re)connect to x.x.x.x:389, authentication 0 [ldapPerson] bind as / to x.x.x.x:389 [ldapPerson] waiting for bind result ... [ldapPerson] Bind was successful [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo) [ldapPerson] No default NMAS login sequence [ldapPerson] looking for check items in directory... [ldapPerson] looking for reply items in directory... [ldapPerson] gecos - Nombre-Completo = Ana-Isabel Gallardo Gomez... WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly? [ldapPerson] user aigallardo authorized to use remote access [ldapPerson] ldap_release_conn: Release Id: 0 ++[ldapPerson] returns ok ++[expiration] returns noop ++[control] returns noop Found Auth-Type = LDAP # Executing group from file /etc/freeradius/sites-enabled/test +- entering group LDAP {...} [ldapPerson] login attempt by aigallardo with password [ldapPerson] user DN: uid=aigallardo,ou=People,dc=unex,dc=es [ldapPerson] (re)connect to x.x.x.x:389, authentication 1 [ldapPerson] bind as uid=aigallardo,ou=People,dc=unex,dc=es/x to x.x.x.x:389 [ldapPerson] waiting for bind result ... [ldapPerson] Bind was successful [ldapPerson] user aigallardo authenticated succesfully ++[ldapPerson] returns ok } # server test Sending Access-Accept of id 145 to x.x.x.x port 48259 Nombre-Completo = Ana-Isabel Gallardo Gomez... I don't know if this is the best way to solve my problem, I someone have something better, I would like to know. Thank you very much and sorry for my english. ++ Ana Gallardo Gómez ++ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius + ldap
Hello Josip and thank you again for your response. This is an orthogonal issue; you don't have to allow anyone to read the value of the userPassword attribute, you just have to get the FR ldap module to *bind* to the LDAP server with the username and password from the request. Ok, now I know. This is log output for an anonymous bind in authorize section (bind as / to means bind as no user/no password). What is the output for the authenticated bind, that happens in the authenticate section? There is no authenticated bind because Freeradius doesn't set Auth-Type and... ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Thanks ++ Ana Gallardo Gómez ++ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius + ldap
On Thu, Dec 02, 2010 at 02:37:43PM +0100, Ana Gallardo wrote: I have read that this is not ok http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html OK, and you're not doing that which is described above, so you're fine. The configuration that work: ldap ldapPerson{ set_auth_type = yes } I think this is the catch. I don't have this particular option in my config, but I see now that it looks like they're all 2.1.8. authorize { ldapPerson update control { Auth-Type := LDAP } } This seems redundant. If ldapPerson already ran, with the set_auth_type option, ... -- 2. That which causes joy or happiness. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius + ldap
Hello, I'm using freeradius 2.1.10 and I want to use ldap like a backend in authorize section to take userPassword attribute (unix crypt) to authenticate the user. My problem is: the ldap server don't have public key that an admin user (who bind) can take. So I have to bind in the authorize section with the user and password (clear text) in the request. Is this posible? What are my posibilities? Here is my actual configuration in my test: LDAP MODULE ldap ldapPerson{ server = ldap. basedn = ou=people,dc=unex,dc=es filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldapPerson.attrmap edir_account_policy_check = no set_auth_type = yes } SERVER server test{ authorize { suffix files ldapPerson expiration pap } authenticate { Auth-Type PAP { pap } } } DEBUG rad_recv: Access-Request packet from host X.X.X.X port 38152, id=201, length=58 User-Name = aigalla...@unex.es User-Password = pass server test { # Executing section authorize from file /etc/freeradius/sites-enabled/test +- entering group authorize {...} [suffix] Looking up realm unex.es for User-Name = aigalla...@unex.es [suffix] Found realm unex.es [suffix] Adding Stripped-User-Name = aigallardo [suffix] Adding Realm = unex.es [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [files] users: Matched entry DEFAULT at line 33 ++[files] returns ok [ldapPerson] performing user authorization for aigallardo [ldapPerson] expand: %{Stripped-User-Name} - aigallardo [ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=aigallardo) [ldapPerson] expand: ou=people,dc=unex,dc=es - ou=people,dc=unex,dc=es [ldapPerson] ldap_get_conn: Checking Id: 0 [ldapPerson] ldap_get_conn: Got Id: 0 [ldapPerson] attempting LDAP reconnection [ldapPerson] (re)connect to X :389, authentication 0 [ldapPerson] bind as / to :389 [ldapPerson] waiting for bind result ... [ldapPerson] Bind was successful [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo) [ldapPerson] No default NMAS login sequence [ldapPerson] looking for check items in directory... [ldapPerson] looking for reply items in directory... [ldapPerson] gecos - Nombre-Completo = Ana-Isabel Gallardo Gomez WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly? [ldapPerson] user aigallardo authorized to use remote access [ldapPerson] ldap_release_conn: Release Id: 0 ++[ldapPerson] returns ok ++[expiration] returns noop [pap] WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. } # server test Thank you very much and sorry for my eglish. ++ Ana Gallardo Gómez ++ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius + ldap
On Wed, Dec 01, 2010 at 12:48:14PM +0100, Ana Gallardo wrote: My problem is: the ldap server don't have public key that an admin user (who bind) can take. So I have to bind in the authorize section with the user and password (clear text) in the request. authenticate { Auth-Type PAP { pap } } Add LDAP into the authenticate section, so that it simply tries to re-bind with the provided credentials? Like this: Auth-Type LDAP { ldapPerson } -- 2. That which causes joy or happiness. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP auth
HI Paulo, Thanks for u reply, see below my authenticate and authorize session. authorize { preprocess mschap ldap } authenticate { Auth-Type LDAP { ldap } Auth-Type MS-CHAP { mschap } } 2010/11/23 Paulo Maia phc.m...@gmail.com Show us your authorize and authenticate session . I had a problem like that once Regards , On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.com wrote: sorry alan, i understand need to read debug. But, i see secret in clients and my test radtest user pass ip 0 secret is corretly. And my other doubt is in auth type = Local, why local if i put auth type LDAP in configuration? Only get local ... Realy sorry for this, but need u help. Regards, 2010/11/23 Alan DeKok al...@deployingradius.com Old Eduardo wrote: but i try to configure this in few weeks and no get sucess. Ask questions earlier. Or, read the debug output. Tue Nov 23 07:37:24 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! That message seems pretty clear. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP auth
What auth method u're trying to use ? EAP/PEAP ? Regards , On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.com wrote: HI Paulo, Thanks for u reply, see below my authenticate and authorize session. authorize { preprocess mschap ldap } authenticate { Auth-Type LDAP { ldap } Auth-Type MS-CHAP { mschap } } 2010/11/23 Paulo Maia phc.m...@gmail.com Show us your authorize and authenticate session . I had a problem like that once Regards , On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.comwrote: sorry alan, i understand need to read debug. But, i see secret in clients and my test radtest user pass ip 0 secret is corretly. And my other doubt is in auth type = Local, why local if i put auth type LDAP in configuration? Only get local ... Realy sorry for this, but need u help. Regards, 2010/11/23 Alan DeKok al...@deployingradius.com Old Eduardo wrote: but i try to configure this in few weeks and no get sucess. Ask questions earlier. Or, read the debug output. Tue Nov 23 07:37:24 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! That message seems pretty clear. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP auth
where i define this? eap.conf? sorry, newbie with freeradius. 2010/11/24 Paulo Maia phc.m...@gmail.com What auth method u're trying to use ? EAP/PEAP ? Regards , On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.com wrote: HI Paulo, Thanks for u reply, see below my authenticate and authorize session. authorize { preprocess mschap ldap } authenticate { Auth-Type LDAP { ldap } Auth-Type MS-CHAP { mschap } } 2010/11/23 Paulo Maia phc.m...@gmail.com Show us your authorize and authenticate session . I had a problem like that once Regards , On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.comwrote: sorry alan, i understand need to read debug. But, i see secret in clients and my test radtest user pass ip 0 secret is corretly. And my other doubt is in auth type = Local, why local if i put auth type LDAP in configuration? Only get local ... Realy sorry for this, but need u help. Regards, 2010/11/23 Alan DeKok al...@deployingradius.com Old Eduardo wrote: but i try to configure this in few weeks and no get sucess. Ask questions earlier. Or, read the debug output. Tue Nov 23 07:37:24 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! That message seems pretty clear. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP auth
ok i found this. sites-enabled/default eap auth mode. 2010/11/24 Paulo Maia phc.m...@gmail.com What auth method u're trying to use ? EAP/PEAP ? Regards , On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.com wrote: HI Paulo, Thanks for u reply, see below my authenticate and authorize session. authorize { preprocess mschap ldap } authenticate { Auth-Type LDAP { ldap } Auth-Type MS-CHAP { mschap } } 2010/11/23 Paulo Maia phc.m...@gmail.com Show us your authorize and authenticate session . I had a problem like that once Regards , On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.comwrote: sorry alan, i understand need to read debug. But, i see secret in clients and my test radtest user pass ip 0 secret is corretly. And my other doubt is in auth type = Local, why local if i put auth type LDAP in configuration? Only get local ... Realy sorry for this, but need u help. Regards, 2010/11/23 Alan DeKok al...@deployingradius.com Old Eduardo wrote: but i try to configure this in few weeks and no get sucess. Ask questions earlier. Or, read the debug output. Tue Nov 23 07:37:24 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! That message seems pretty clear. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP auth
yes . but i have to include in your authorize and authenticate sessions . What kind of auth ure trying to get ? Regards , On Wed, Nov 24, 2010 at 8:43 AM, Old Eduardo oldedua...@gmail.com wrote: where i define this? eap.conf? sorry, newbie with freeradius. 2010/11/24 Paulo Maia phc.m...@gmail.com What auth method u're trying to use ? EAP/PEAP ? Regards , On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.comwrote: HI Paulo, Thanks for u reply, see below my authenticate and authorize session. authorize { preprocess mschap ldap } authenticate { Auth-Type LDAP { ldap } Auth-Type MS-CHAP { mschap } } 2010/11/23 Paulo Maia phc.m...@gmail.com Show us your authorize and authenticate session . I had a problem like that once Regards , On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.comwrote: sorry alan, i understand need to read debug. But, i see secret in clients and my test radtest user pass ip 0 secret is corretly. And my other doubt is in auth type = Local, why local if i put auth type LDAP in configuration? Only get local ... Realy sorry for this, but need u help. Regards, 2010/11/23 Alan DeKok al...@deployingradius.com Old Eduardo wrote: but i try to configure this in few weeks and no get sucess. Ask questions earlier. Or, read the debug output. Tue Nov 23 07:37:24 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! That message seems pretty clear. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP auth
It works ? On Wed, Nov 24, 2010 at 8:47 AM, Old Eduardo oldedua...@gmail.com wrote: ok i found this. sites-enabled/default eap auth mode. 2010/11/24 Paulo Maia phc.m...@gmail.com What auth method u're trying to use ? EAP/PEAP ? Regards , On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.comwrote: HI Paulo, Thanks for u reply, see below my authenticate and authorize session. authorize { preprocess mschap ldap } authenticate { Auth-Type LDAP { ldap } Auth-Type MS-CHAP { mschap } } 2010/11/23 Paulo Maia phc.m...@gmail.com Show us your authorize and authenticate session . I had a problem like that once Regards , On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.comwrote: sorry alan, i understand need to read debug. But, i see secret in clients and my test radtest user pass ip 0 secret is corretly. And my other doubt is in auth type = Local, why local if i put auth type LDAP in configuration? Only get local ... Realy sorry for this, but need u help. Regards, 2010/11/23 Alan DeKok al...@deployingradius.com Old Eduardo wrote: but i try to configure this in few weeks and no get sucess. Ask questions earlier. Or, read the debug output. Tue Nov 23 07:37:24 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! That message seems pretty clear. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP auth
I read in many sites, for get ldap auth need mschap, its true? i try mschap. 2010/11/24 Paulo Maia phc.m...@gmail.com yes . but i have to include in your authorize and authenticate sessions . What kind of auth ure trying to get ? Regards , On Wed, Nov 24, 2010 at 8:43 AM, Old Eduardo oldedua...@gmail.com wrote: where i define this? eap.conf? sorry, newbie with freeradius. 2010/11/24 Paulo Maia phc.m...@gmail.com What auth method u're trying to use ? EAP/PEAP ? Regards , On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.comwrote: HI Paulo, Thanks for u reply, see below my authenticate and authorize session. authorize { preprocess mschap ldap } authenticate { Auth-Type LDAP { ldap } Auth-Type MS-CHAP { mschap } } 2010/11/23 Paulo Maia phc.m...@gmail.com Show us your authorize and authenticate session . I had a problem like that once Regards , On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.comwrote: sorry alan, i understand need to read debug. But, i see secret in clients and my test radtest user pass ip 0 secret is corretly. And my other doubt is in auth type = Local, why local if i put auth type LDAP in configuration? Only get local ... Realy sorry for this, but need u help. Regards, 2010/11/23 Alan DeKok al...@deployingradius.com Old Eduardo wrote: but i try to configure this in few weeks and no get sucess. Ask questions earlier. Or, read the debug output. Tue Nov 23 07:37:24 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! That message seems pretty clear. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP auth
no :( in debug only appears auth type Local see: Wed Nov 24 08:30:54 2010 : Debug: +- entering group authorize Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0 Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0 Wed Nov 24 08:30:54 2010 : Debug: ++[preprocess] returns ok Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0 Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0 Wed Nov 24 08:30:54 2010 : Debug: ++[mschap] returns noop Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: - authorize Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: performing user authorization for ipe-dp Wed Nov 24 08:30:54 2010 : Debug: WARNING: Deprecated conditional expansion :-. See man unlang for details Wed Nov 24 08:30:54 2010 : Debug: expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=ipe-dp) Wed Nov 24 08:30:54 2010 : Debug: expand: dc=policiacivil,dc=rs,dc=gov,dc=br - dc=policiacivil,dc=rs,dc=gov,dc=br Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: attempting LDAP reconnection Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: (re)connect to ldap.intra proxy.intra localhost:389, authentication 0 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: bind as uid=vpnpptp,ou=sistemas,dc=policiacivil,dc=rs,dc=gov,dc=br/dfjk129!@ to ldap.intra proxy.intra localhost:389 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: waiting for bind result ... Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: Bind was successful Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: performing search in dc=policiacivil,dc=rs,dc=gov,dc=br, with filter (uid=ipe-dp) Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: Added User-Password = {SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl in check items Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: No default NMAS login sequence Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: looking for check items in directory... Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute userpassword as RADIUS attribute Cleartext-Password == {SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password == 0x3244413944423342333039463632333434374232384536393635374142333642 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password == 0x3845433036323546444141393630353041414433423433354235313430344545 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: looking for reply items in directory... Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: user ipe-dp authorized to use remote access Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0 Wed Nov 24 08:30:54 2010 : Debug: ++[ldap] returns ok Wed Nov 24 08:30:54 2010 : Debug: auth: type Local Wed Nov 24 08:30:54 2010 : Debug: auth: user supplied User-Password does NOT match local User-Password Wed Nov 24 08:30:54 2010 : Debug: auth: Failed to validate the user. Wed Nov 24 08:30:54 2010 : Auth: Login incorrect: [ipe-dp/\367ҿb5�?\327H6*c\244:\301\245] (from client localhost port 0) Wed Nov 24 08:30:54 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! Wed Nov 24 08:30:54 2010 : Debug: Delaying reject of request 0 for 1 seconds Wed Nov 24 08:30:54 2010 : Debug: Going to the next request Wed Nov 24 08:30:54 2010 : Debug: Waking up in 0.9 seconds. Wed Nov 24 08:30:55 2010 : Debug: Sending delayed reject for request 0 Sending Access-Reject of id 78 to 127.0.0.1 port 58611 Wed Nov 24 08:30:55 2010 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=78, length=20 rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) ^Cdebian:/etc/freeradius/sites-enabled# Wed Nov 24 08:31:00 2010 : Debug: Cleaning up request 0 ID 78 with timestamp +5 ty for u help. 2010/11/24 Paulo Maia phc.m...@gmail.com It works ? On Wed, Nov 24, 2010 at 8:47 AM, Old Eduardo oldedua...@gmail.com wrote: ok i found this. sites-enabled/default eap auth mode. 2010/11/24 Paulo Maia phc.m...@gmail.com What auth method u're trying to use ? EAP/PEAP ? Regards , On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.comwrote: HI Paulo, Thanks for u reply, see below my authenticate and authorize session. authorize { preprocess mschap ldap } authenticate { Auth-Type LDAP { ldap }
Re: Freeradius + LDAP auth
Do u have NT e LM passowrd attributes in ur LDAP database ? coz if u do u could try to use EAP/PEAP . Its easier for windows clients . Regards , On Wed, Nov 24, 2010 at 9:26 AM, Old Eduardo oldedua...@gmail.com wrote: I read in many sites, for get ldap auth need mschap, its true? i try mschap. 2010/11/24 Paulo Maia phc.m...@gmail.com yes . but i have to include in your authorize and authenticate sessions . What kind of auth ure trying to get ? Regards , On Wed, Nov 24, 2010 at 8:43 AM, Old Eduardo oldedua...@gmail.comwrote: where i define this? eap.conf? sorry, newbie with freeradius. 2010/11/24 Paulo Maia phc.m...@gmail.com What auth method u're trying to use ? EAP/PEAP ? Regards , On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.comwrote: HI Paulo, Thanks for u reply, see below my authenticate and authorize session. authorize { preprocess mschap ldap } authenticate { Auth-Type LDAP { ldap } Auth-Type MS-CHAP { mschap } } 2010/11/23 Paulo Maia phc.m...@gmail.com Show us your authorize and authenticate session . I had a problem like that once Regards , On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.comwrote: sorry alan, i understand need to read debug. But, i see secret in clients and my test radtest user pass ip 0 secret is corretly. And my other doubt is in auth type = Local, why local if i put auth type LDAP in configuration? Only get local ... Realy sorry for this, but need u help. Regards, 2010/11/23 Alan DeKok al...@deployingradius.com Old Eduardo wrote: but i try to configure this in few weeks and no get sucess. Ask questions earlier. Or, read the debug output. Tue Nov 23 07:37:24 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! That message seems pretty clear. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP auth
comment everything the users file . Brasileiro mano ? On Wed, Nov 24, 2010 at 9:31 AM, Old Eduardo oldedua...@gmail.com wrote: no :( in debug only appears auth type Local see: Wed Nov 24 08:30:54 2010 : Debug: +- entering group authorize Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0 Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0 Wed Nov 24 08:30:54 2010 : Debug: ++[preprocess] returns ok Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0 Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0 Wed Nov 24 08:30:54 2010 : Debug: ++[mschap] returns noop Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: - authorize Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: performing user authorization for ipe-dp Wed Nov 24 08:30:54 2010 : Debug: WARNING: Deprecated conditional expansion :-. See man unlang for details Wed Nov 24 08:30:54 2010 : Debug: expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=ipe-dp) Wed Nov 24 08:30:54 2010 : Debug: expand: dc=policiacivil,dc=rs,dc=gov,dc=br - dc=policiacivil,dc=rs,dc=gov,dc=br Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: attempting LDAP reconnection Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: (re)connect to ldap.intra proxy.intra localhost:389, authentication 0 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: bind as uid=vpnpptp,ou=sistemas,dc=policiacivil,dc=rs,dc=gov,dc=br/dfjk129!@ to ldap.intra proxy.intra localhost:389 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: waiting for bind result ... Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: Bind was successful Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: performing search in dc=policiacivil,dc=rs,dc=gov,dc=br, with filter (uid=ipe-dp) Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: Added User-Password = {SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl in check items Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: No default NMAS login sequence Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: looking for check items in directory... Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute userpassword as RADIUS attribute Cleartext-Password == {SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password == 0x3244413944423342333039463632333434374232384536393635374142333642 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password == 0x3845433036323546444141393630353041414433423433354235313430344545 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: looking for reply items in directory... Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: user ipe-dp authorized to use remote access Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0 Wed Nov 24 08:30:54 2010 : Debug: ++[ldap] returns ok Wed Nov 24 08:30:54 2010 : Debug: auth: type Local Wed Nov 24 08:30:54 2010 : Debug: auth: user supplied User-Password does NOT match local User-Password Wed Nov 24 08:30:54 2010 : Debug: auth: Failed to validate the user. Wed Nov 24 08:30:54 2010 : Auth: Login incorrect: [ipe-dp/\367ҿb5�?\327H6*c\244:\301\245] (from client localhost port 0) Wed Nov 24 08:30:54 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! Wed Nov 24 08:30:54 2010 : Debug: Delaying reject of request 0 for 1 seconds Wed Nov 24 08:30:54 2010 : Debug: Going to the next request Wed Nov 24 08:30:54 2010 : Debug: Waking up in 0.9 seconds. Wed Nov 24 08:30:55 2010 : Debug: Sending delayed reject for request 0 Sending Access-Reject of id 78 to 127.0.0.1 port 58611 Wed Nov 24 08:30:55 2010 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=78, length=20 rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) ^Cdebian:/etc/freeradius/sites-enabled# Wed Nov 24 08:31:00 2010 : Debug: Cleaning up request 0 ID 78 with timestamp +5 ty for u help. 2010/11/24 Paulo Maia phc.m...@gmail.com It works ? On Wed, Nov 24, 2010 at 8:47 AM, Old Eduardo oldedua...@gmail.comwrote: ok i found this. sites-enabled/default eap auth mode. 2010/11/24 Paulo Maia phc.m...@gmail.com What auth method u're trying to use ? EAP/PEAP ? Regards , On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.comwrote: HI Paulo, Thanks for u
Re: Freeradius + LDAP auth
Old Eduardo wrote: no :( in debug only appears auth type Local Stop wasting your time. You have NOT configured the server correctly, and you have NOT followed instructions on this list. see: Wed Nov 24 08:30:54 2010 : Debug: +- entering group authorize You've used radiusd -Xx. The FAQ, INSTALL, man page, and messages daily on this list say to use radiusd -X. This should be easy to do. Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute userpassword as RADIUS attribute Cleartext-Password == {SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl This is wrong on many, many, levels. The password is a SSHA password, not a Cleartext-Password. You've edited the ldap.attrmap file to add the *wrong* information in it. Wed Nov 24 08:30:54 2010 : Debug: auth: type Local Wed Nov 24 08:30:54 2010 : Debug: auth: user supplied User-Password does NOT match local User-Password Given your broken configuration, this is to be expected. Wed Nov 24 08:30:54 2010 : Debug: auth: Failed to validate the user. Wed Nov 24 08:30:54 2010 : Auth: Login incorrect: [ipe-dp/\367ҿb5�?\327H6*c\244:\301\245] (from client localhost port 0) Wed Nov 24 08:30:54 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! You were told to fix this problem. Read the error message. It's not hard to understand. Until you fix your system, authentication will *always* fail. The cause of the problem is simple and obvious. Even worse, you've been told how to fix it. So far, you've refused to follow instructions. If you're not going to follow the instructions given on this list, there is *no* reason to ask questions here. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP auth
yes i have. 2010/11/24 Paulo Maia phc.m...@gmail.com Do u have NT e LM passowrd attributes in ur LDAP database ? coz if u do u could try to use EAP/PEAP . Its easier for windows clients . Regards , On Wed, Nov 24, 2010 at 9:26 AM, Old Eduardo oldedua...@gmail.com wrote: I read in many sites, for get ldap auth need mschap, its true? i try mschap. 2010/11/24 Paulo Maia phc.m...@gmail.com yes . but i have to include in your authorize and authenticate sessions . What kind of auth ure trying to get ? Regards , On Wed, Nov 24, 2010 at 8:43 AM, Old Eduardo oldedua...@gmail.comwrote: where i define this? eap.conf? sorry, newbie with freeradius. 2010/11/24 Paulo Maia phc.m...@gmail.com What auth method u're trying to use ? EAP/PEAP ? Regards , On Wed, Nov 24, 2010 at 7:52 AM, Old Eduardo oldedua...@gmail.comwrote: HI Paulo, Thanks for u reply, see below my authenticate and authorize session. authorize { preprocess mschap ldap } authenticate { Auth-Type LDAP { ldap } Auth-Type MS-CHAP { mschap } } 2010/11/23 Paulo Maia phc.m...@gmail.com Show us your authorize and authenticate session . I had a problem like that once Regards , On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.comwrote: sorry alan, i understand need to read debug. But, i see secret in clients and my test radtest user pass ip 0 secret is corretly. And my other doubt is in auth type = Local, why local if i put auth type LDAP in configuration? Only get local ... Realy sorry for this, but need u help. Regards, 2010/11/23 Alan DeKok al...@deployingradius.com Old Eduardo wrote: but i try to configure this in few weeks and no get sucess. Ask questions earlier. Or, read the debug output. Tue Nov 23 07:37:24 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! That message seems pretty clear. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP auth
Paulo Maia wrote: comment everything the users file . Wrong answers make life difficult for everyone. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP auth
Opa e ae blz? Vou fazer isso amanha, te mandei para teu email todo o diretorio do freeradius para voce dar uma olhada nos confs, estou ha 3 semanas tentando fazer essa implementacao e nao consigo cara. amanha de manha vou la tentar denovo. obrigado pela forca. 2010/11/24 Paulo Maia phc.m...@gmail.com comment everything the users file . Brasileiro mano ? On Wed, Nov 24, 2010 at 9:31 AM, Old Eduardo oldedua...@gmail.com wrote: no :( in debug only appears auth type Local see: Wed Nov 24 08:30:54 2010 : Debug: +- entering group authorize Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0 Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0 Wed Nov 24 08:30:54 2010 : Debug: ++[preprocess] returns ok Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0 Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0 Wed Nov 24 08:30:54 2010 : Debug: ++[mschap] returns noop Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: - authorize Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: performing user authorization for ipe-dp Wed Nov 24 08:30:54 2010 : Debug: WARNING: Deprecated conditional expansion :-. See man unlang for details Wed Nov 24 08:30:54 2010 : Debug: expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=ipe-dp) Wed Nov 24 08:30:54 2010 : Debug: expand: dc=policiacivil,dc=rs,dc=gov,dc=br - dc=policiacivil,dc=rs,dc=gov,dc=br Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: attempting LDAP reconnection Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: (re)connect to ldap.intra proxy.intra localhost:389, authentication 0 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: bind as uid=vpnpptp,ou=sistemas,dc=policiacivil,dc=rs,dc=gov,dc=br/dfjk129!@ to ldap.intra proxy.intra localhost:389 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: waiting for bind result ... Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: Bind was successful Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: performing search in dc=policiacivil,dc=rs,dc=gov,dc=br, with filter (uid=ipe-dp) Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: Added User-Password = {SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl in check items Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: No default NMAS login sequence Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: looking for check items in directory... Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute userpassword as RADIUS attribute Cleartext-Password == {SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password == 0x3244413944423342333039463632333434374232384536393635374142333642 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password == 0x3845433036323546444141393630353041414433423433354235313430344545 Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: looking for reply items in directory... Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: user ipe-dp authorized to use remote access Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Wed Nov 24 08:30:54 2010 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0 Wed Nov 24 08:30:54 2010 : Debug: ++[ldap] returns ok Wed Nov 24 08:30:54 2010 : Debug: auth: type Local Wed Nov 24 08:30:54 2010 : Debug: auth: user supplied User-Password does NOT match local User-Password Wed Nov 24 08:30:54 2010 : Debug: auth: Failed to validate the user. Wed Nov 24 08:30:54 2010 : Auth: Login incorrect: [ipe-dp/\367ҿb5�?\327H6*c\244:\301\245] (from client localhost port 0) Wed Nov 24 08:30:54 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! Wed Nov 24 08:30:54 2010 : Debug: Delaying reject of request 0 for 1 seconds Wed Nov 24 08:30:54 2010 : Debug: Going to the next request Wed Nov 24 08:30:54 2010 : Debug: Waking up in 0.9 seconds. Wed Nov 24 08:30:55 2010 : Debug: Sending delayed reject for request 0 Sending Access-Reject of id 78 to 127.0.0.1 port 58611 Wed Nov 24 08:30:55 2010 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=78, length=20 rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) ^Cdebian:/etc/freeradius/sites-enabled# Wed Nov 24 08:31:00 2010 : Debug: Cleaning up request 0 ID 78 with timestamp +5 ty for u help. 2010/11/24 Paulo Maia phc.m...@gmail.com It works ? On Wed, Nov 24, 2010 at 8:47
Freeradius + LDAP auth
Sorry list, but i try to configure this in few weeks and no get sucess. Realy need help for list. im try to all sites in google, but no get sucess. i try this: http://blog.yufeng.net/index.php/2010/07/debian-poptop-freeradius-openldap/ http://wiki.freeradius.org/Rlm_ldap http://mhoran.wordpress.com/2007/11/25/freeradius-on-freebsd-and-openldap/ my debug only appears: rad_recv: Access-Request packet from host 10.12.60.32 port 35717, id=31, length=64 User-Name = ipe-dp User-Password = 7\271D\250yhG'E\361\t{\237\366S\347 NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Framed-Protocol = PPP Tue Nov 23 07:37:24 2010 : Debug: +- entering group authorize Tue Nov 23 07:37:24 2010 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0 Tue Nov 23 07:37:24 2010 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0 Tue Nov 23 07:37:24 2010 : Debug: ++[preprocess] returns ok Tue Nov 23 07:37:24 2010 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0 Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: - authorize Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: performing user authorization for ipe-dp Tue Nov 23 07:37:24 2010 : Debug: expand: (uid=%u) - (uid=ipe-dp) Tue Nov 23 07:37:24 2010 : Debug: expand: dc=policiacivil,dc=rs,dc=gov,dc=br - dc=policiacivil,dc=rs,dc=gov,dc=br Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: attempting LDAP reconnection Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: (re)connect to ldap.intra proxy.intra localhost:389, authentication 0 Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: bind as uid=vpnpptp,ou=sistemas,dc=policiacivil,dc=rs,dc=gov,dc=br/dfjk129!@ to ldap.intra proxy.intra localhost:389 Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: waiting for bind result ... Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: Bind was successful Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: performing search in dc=policiacivil,dc=rs,dc=gov,dc=br, with filter (uid=ipe-dp) Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: Added User-Password = {SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl in check items Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: No default NMAS login sequence Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: looking for check items in directory... Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: LDAP attribute sambaNTPassword as RADIUS attribute NT-Password == 0x3244413944423342333039463632333434374232384536393635374142333642 Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: LDAP attribute sambaLMPassword as RADIUS attribute LM-Password == 0x3845433036323546444141393630353041414433423433354235313430344545 Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: LDAP attribute cn as RADIUS attribute Group == ipe-dp Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: looking for reply items in directory... Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: user ipe-dp authorized to use remote access Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Tue Nov 23 07:37:24 2010 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0 Tue Nov 23 07:37:24 2010 : Debug: ++[ldap] returns ok Tue Nov 23 07:37:24 2010 : Debug: !!! Tue Nov 23 07:37:24 2010 : Debug: !!!Replacing User-Password in config items with Cleartext-Password. !!! Tue Nov 23 07:37:24 2010 : Debug: !!! Tue Nov 23 07:37:24 2010 : Debug: !!! Please update your configuration so that the known good !!! Tue Nov 23 07:37:24 2010 : Debug: !!! clear text password is in Cleartext-Password, and not in User-Password. !!! Tue Nov 23 07:37:24 2010 : Debug: !!! Tue Nov 23 07:37:24 2010 : Debug: auth: type Local Tue Nov 23 07:37:24 2010 : Debug: auth: user supplied User-Password does NOT match local User-Password Tue Nov 23 07:37:24 2010 : Debug: auth: Failed to validate the user. Tue Nov 23 07:37:24 2010 : Auth: Login incorrect: [ipe-dp/7\271D\250yhG'E\361\t{\237\366S\347] (from client BrasilTelecom port 1812) Tue Nov 23 07:37:24 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! Tue Nov 23 07:37:24 2010 : Debug: Delaying reject of request 0 for 1 seconds Tue Nov 23 07:37:24 2010 : Debug: Going to the next request Tue Nov 23 07:37:24 2010 : Debug: Waking up in 0.9 seconds. Tue Nov 23 07:37:25 2010 : Debug: Sending delayed reject for request 0 Sending Access-Reject of id 31 to 10.12.60.32 port 35717 Tue Nov 23 07:37:25 2010 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 10.12.60.32 port 1812, id=31, length=20 rad_verify: Received Access-Reject packet from client 10.12.60.32 port 1812 with invalid
Re: Freeradius + LDAP auth
Old Eduardo wrote: but i try to configure this in few weeks and no get sucess. Ask questions earlier. Or, read the debug output. Tue Nov 23 07:37:24 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! That message seems pretty clear. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP auth
sorry alan, i understand need to read debug. But, i see secret in clients and my test radtest user pass ip 0 secret is corretly. And my other doubt is in auth type = Local, why local if i put auth type LDAP in configuration? Only get local ... Realy sorry for this, but need u help. Regards, 2010/11/23 Alan DeKok al...@deployingradius.com Old Eduardo wrote: but i try to configure this in few weeks and no get sucess. Ask questions earlier. Or, read the debug output. Tue Nov 23 07:37:24 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! That message seems pretty clear. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP auth
Show us your authorize and authenticate session . I had a problem like that once Regards , On Tue, Nov 23, 2010 at 9:49 AM, Old Eduardo oldedua...@gmail.com wrote: sorry alan, i understand need to read debug. But, i see secret in clients and my test radtest user pass ip 0 secret is corretly. And my other doubt is in auth type = Local, why local if i put auth type LDAP in configuration? Only get local ... Realy sorry for this, but need u help. Regards, 2010/11/23 Alan DeKok al...@deployingradius.com Old Eduardo wrote: but i try to configure this in few weeks and no get sucess. Ask questions earlier. Or, read the debug output. Tue Nov 23 07:37:24 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! That message seems pretty clear. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Old Eduardo ... make a difference ... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + LDAP auth
Old Eduardo wrote: sorry alan, i understand need to read debug. But, i see secret in clients and my test radtest user pass ip 0 secret is corretly. That uses a *different* secret, as the packet is coming from a different IP address. i.e. you can either fix the secret as suggested by the message and my emails, or you can *not* fix the secret, and continue to have problems. And my other doubt is in auth type = Local, why local if i put auth type LDAP in configuration? Only get local ... The debug log should make this clear. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Doubt - Freeradius + Ldap
sorry, but where i checked the shared secret? in clients.conf? if yes, secret is ok! thanks for any help. On 11/04/2010 09:51 AM, eduardo moreira wrote: SOrry about this mail Josip, but i checked again my clients.conf, and i put conf here for u see. clients.conf client 127.0.0.1 { secret = password shortname = localhost nastype = other # localhost isn't usually a NAS... } client 10.12.60.19 { secret = password shortname = any nastype = other } and i use this command to test connection: radtest username 123456 10.12.60.19 1812 0 password And i see log of debug and receive this message: Mon Nov 1 15:06:16 2010 : Debug: Ready to process requests. rad_recv: Access-Request packet from host 10.12.60.19 port 50105, id=100, length=73 User-Name = username User-Password = c\355W'\021tC\372\177R\232(\007\027n\263 NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Framed-Protocol = PPP Thu Nov 4 09:30:02 2010 : Debug: +- entering group authorize Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1 Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1 Thu Nov 4 09:30:02 2010 : Debug: ++[preprocess] returns ok Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: ++[mschap] returns noop Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: - authorize Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: performing user authorization for username Thu Nov 4 09:30:02 2010 : Debug: expand: (uid=%u) - (uid=username) Thu Nov 4 09:30:02 2010 : Debug: expand: dc=a,dc=a,dc=c,dc=b - dc=a,dc=a,dc=c,dc=b Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: performing search in dc=a,dc=a,dc=c,dc=b,dc=a,dc=a,dc=c,dc=b, with filter (uid=username) Thu Nov 4 09:30:02 2010 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost. Thu Nov 4 09:30:02 2010 : Info: rlm_ldap: Attempting reconnect Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: attempting LDAP reconnection Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: closing existing LDAP connection Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: (re)connect to ldap.intra proxy.intra localhost:389, authentication 0 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: bind as cn=Administrator,dc=a,dc=c,dc=a,dc=c,dc=b/password to ldap.intra proxy.intra localhost:389 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: waiting for bind result ... Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: Bind was successful Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: performing search in dc=a,dc=c,dc=a,dc=a,dc=c,dc=a,dc=c, with filter (uid=username) Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: Added User-Password = {crypt}tg/iHj5yM2iXI in check items Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: No default NMAS login sequence Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: looking for check items in directory... Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute userPassword as RADIUS attribute Password-With-Header == {crypt}tg/iHj5yM2iXI Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute sambantPassword as RADIUS attribute NT-Password == 0x3738463934413643303931413730423936454135373046344341353438304531 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute sambalmPassword as RADIUS attribute LM-Password == 0x3743414142444638393134314430423841414433423433354235313430344545 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute cn as RADIUS attribute Group == username Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: looking for reply items in directory... Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: user username authorized to use remote access Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: ++[ldap] returns ok Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: rlm_eap: No EAP-Message, not doing EAP Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: ++[eap] returns noop Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: ++[chap] returns noop Thu Nov 4
Re: Doubt - Freeradius + Ldap
On 11/05/2010 06:47 PM, Eduardo Moreira wrote: sorry, but where i checked the shared secret? in clients.conf? Yes if yes, secret is ok! No it isn't; look at the packet: Mon Nov 1 15:06:16 2010 : Debug: Ready to process requests. rad_recv: Access-Request packet from host 10.12.60.19 port 50105, id=100, length=73 User-Name = username User-Password = c\355W'\021tC\372\177R\232(\007\027n\263 NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Framed-Protocol = PPP The User-Password attribute has clearly been decrypted badly; this means you've got the shared secret wrong somewhere. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Doubt - Freeradius + Ldap
There's many a slip 'twixt the cup and the lip I promise you'll want to kick yourself when you find the simple difference after so many messages. Many of us have the grace to go through this necessarily humbling exercise in private. On 2010-11-05 2:47 PM, Eduardo Moreira wrote: sorry, but where i checked the shared secret? in clients.conf? if yes, secret is ok! thanks for any help. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Doubt - Freeradius + Ldap
On 11/05/2010 03:06 PM, Phil Mayers wrote: On 11/05/2010 06:47 PM, Eduardo Moreira wrote: sorry, but where i checked the shared secret? in clients.conf? Yes if yes, secret is ok! No it isn't; look at the packet: Mon Nov 1 15:06:16 2010 : Debug: Ready to process requests. rad_recv: Access-Request packet from host 10.12.60.19 port 50105, id=100, length=73 User-Name = username User-Password = c\355W'\021tC\372\177R\232(\007\027n\263 NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Framed-Protocol = PPP The User-Password attribute has clearly been decrypted badly; this means you've got the shared secret wrong somewhere. A common problem for folks who build their own versions of freeradius and mix it with a prebuilt version is the root prefix is different. If you build yourself the $prefix defaults to /usr/local, but (most?) all prebuilt packages use $prefix of /usr. That means you can end up with two copies of your config files (and loads of other files). Carefully look at the debug output of your radiusd -X, it will give you the full path of the files it's reading. Make sure the clients.conf you're looking at is *exactly* the same one the server is *actually* reading. Do this even if you haven't built your own package, just for sanity sake. -- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Doubt - Freeradius + Ldap
Thanks john , i install in debian server, default config, apt-get install Directory is: /etc/freeradius ; Sorry, im newbie, but before i configure ldap module freeradius work, after configure ldap module, no way to connect, certain my problem stays with module ldap, authentication ... But dont see where ... Thanks for u reply. On 11/05/2010 05:17 PM, John Dennis wrote: On 11/05/2010 03:06 PM, Phil Mayers wrote: On 11/05/2010 06:47 PM, Eduardo Moreira wrote: sorry, but where i checked the shared secret? in clients.conf? Yes if yes, secret is ok! No it isn't; look at the packet: Mon Nov 1 15:06:16 2010 : Debug: Ready to process requests. rad_recv: Access-Request packet from host 10.12.60.19 port 50105, id=100, length=73 User-Name = username User-Password = c\355W'\021tC\372\177R\232(\007\027n\263 NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Framed-Protocol = PPP The User-Password attribute has clearly been decrypted badly; this means you've got the shared secret wrong somewhere. A common problem for folks who build their own versions of freeradius and mix it with a prebuilt version is the root prefix is different. If you build yourself the $prefix defaults to /usr/local, but (most?) all prebuilt packages use $prefix of /usr. That means you can end up with two copies of your config files (and loads of other files). Carefully look at the debug output of your radiusd -X, it will give you the full path of the files it's reading. Make sure the clients.conf you're looking at is *exactly* the same one the server is *actually* reading. Do this even if you haven't built your own package, just for sanity sake. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Doubt - Freeradius + Ldap
SOrry about this mail Josip, but i checked again my clients.conf, and i put conf here for u see. clients.conf client 127.0.0.1 { secret = password shortname = localhost nastype = other # localhost isn't usually a NAS... } client 10.12.60.19 { secret = password shortname = any nastype = other } and i use this command to test connection: radtest username 123456 10.12.60.19 1812 0 password And i see log of debug and receive this message: Mon Nov 1 15:06:16 2010 : Debug: Ready to process requests. rad_recv: Access-Request packet from host 10.12.60.19 port 50105, id=100, length=73 User-Name = username User-Password = c\355W'\021tC\372\177R\232(\007\027n\263 NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Framed-Protocol = PPP Thu Nov 4 09:30:02 2010 : Debug: +- entering group authorize Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1 Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1 Thu Nov 4 09:30:02 2010 : Debug: ++[preprocess] returns ok Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: ++[mschap] returns noop Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: - authorize Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: performing user authorization for username Thu Nov 4 09:30:02 2010 : Debug: expand: (uid=%u) - (uid=username) Thu Nov 4 09:30:02 2010 : Debug: expand: dc=a,dc=a,dc=c,dc=b - dc=a,dc=a,dc=c,dc=b Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: performing search in dc=a,dc=a,dc=c,dc=b,dc=a,dc=a,dc=c,dc=b, with filter (uid=username) Thu Nov 4 09:30:02 2010 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost. Thu Nov 4 09:30:02 2010 : Info: rlm_ldap: Attempting reconnect Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: attempting LDAP reconnection Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: closing existing LDAP connection Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: (re)connect to ldap.intra proxy.intra localhost:389, authentication 0 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: bind as cn=Administrator,dc=a,dc=c,dc=a,dc=c,dc=b/password to ldap.intra proxy.intra localhost:389 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: waiting for bind result ... Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: Bind was successful Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: performing search in dc=a,dc=c,dc=a,dc=a,dc=c,dc=a,dc=c, with filter (uid=username) Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: Added User-Password = {crypt}tg/iHj5yM2iXI in check items Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: No default NMAS login sequence Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: looking for check items in directory... Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute userPassword as RADIUS attribute Password-With-Header == {crypt}tg/iHj5yM2iXI Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute sambantPassword as RADIUS attribute NT-Password == 0x3738463934413643303931413730423936454135373046344341353438304531 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute sambalmPassword as RADIUS attribute LM-Password == 0x3743414142444638393134314430423841414433423433354235313430344545 Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute cn as RADIUS attribute Group == username Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: looking for reply items in directory... Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: user username authorized to use remote access Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: ++[ldap] returns ok Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: rlm_eap: No EAP-Message, not doing EAP Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: ++[eap] returns noop Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 1 Thu Nov 4 09:30:02 2010 : Debug: ++[chap] returns noop Thu Nov 4 09:30:02 2010 : Debug: !!! Thu Nov 4 09:30:02 2010 : Debug: !!!Replacing User-Password in config items with Cleartext-Password.
Re: Doubt - Freeradius + Ldap
On 2010/11/04 01:51 PM, eduardo moreira wrote: and i use this command to test connection: radtest username 123456 10.12.60.19 1812 0 password man radtest gives me this: radtest [-d raddb_directory] user password radius-server nas-port-number secret [ppphint] [nasname] Looking at your command: radtest username 123456 10.12.60.19 1812 0 password This maps to: user=username password=123456 radius-server=10.12.60.19 nas-port-number=1812 secret=0 ppphint=password -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Doubt - Freeradius + Ldap
hi johan, thanks for u reply. i try with your command, raddtest -d /etc/freeradius username password ip-server port-server secret but no works. but thanks. 2010/11/4 Johan Meiring jmeir...@pcservices.co.za On 2010/11/04 01:51 PM, eduardo moreira wrote: and i use this command to test connection: radtest username 123456 10.12.60.19 1812 0 password man radtest gives me this: radtest [-d raddb_directory] user password radius-server nas-port-number secret [ppphint] [nasname] Looking at your command: radtest username 123456 10.12.60.19 1812 0 password This maps to: user=username password=123456 radius-server=10.12.60.19 nas-port-number=1812 secret=0 ppphint=password -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Doubt - Freeradius + Ldap
On 2010/11/04 02:16 PM, eduardo moreira wrote: raddtest -d /etc/freeradius username password ip-server port-server secret but no works. Copy and paste your command. Do not retype it. -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Doubt - Freeradius + Ldap
sorry radtest -d /etc/freeradius username 123456 10.12.60.19 1812 password any 2010/11/4 Johan Meiring jmeir...@pcservices.co.za On 2010/11/04 02:16 PM, eduardo moreira wrote: raddtest -d /etc/freeradius username password ip-server port-server secret but no works. Copy and paste your command. Do not retype it. -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Doubt - Freeradius + Ldap
eduardo moreira wrote: SOrry about this mail Josip, but i checked again my clients.conf, and i put conf here for u see. The debug log you posted contains the solution to the problem. Read it. If it's too hard to understand, paste the debug output into this form: http://networkradius.com/freeradius.html And then read the output. It won't be hard. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Doubt - Freeradius + Ldap
On 2010/11/04 02:37 PM, eduardo moreira wrote: sorry radtest -d /etc/freeradius username 123456 10.12.60.19 1812 password any That should work. The any is probably unnecesary. What does freeradius -X now say? -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Doubt - Freeradius + Ldap
same message, but one message desappears: Thu Nov 4 09:30:02 2010 : Debug: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! before this message appears this: Thu Nov 4 10:58:52 2010 : Debug: !!! Thu Nov 4 10:58:52 2010 : Debug: !!!Replacing User-Password in config items with Cleartext-Password. !!! Thu Nov 4 10:58:52 2010 : Debug: !!! Thu Nov 4 10:58:52 2010 : Debug: !!! Please update your configuration so that the known good !!! Thu Nov 4 10:58:52 2010 : Debug: !!! clear text password is in Cleartext-Password, and not in User-Password. !!! Thu Nov 4 10:58:52 2010 : Debug: !!! Thu Nov 4 10:58:52 2010 : Debug: auth: type Local Thu Nov 4 10:58:52 2010 : Debug: auth: user supplied User-Password does NOT match local User-Password Thu Nov 4 10:58:52 2010 : Debug: auth: Failed to validate the user. Thu Nov 4 10:58:52 2010 : Auth: Login incorrect: [username/123456] (from clientany port 1812) Sending Access-Reject of id 168 to 10.12.60.19 port 53629 Thu Nov 4 10:58:52 2010 : Debug: Finished request 2. Thu Nov 4 10:58:52 2010 : Debug: Going to the next request Thu Nov 4 10:58:52 2010 : Debug: Waking up in 4.9 seconds. Thu Nov 4 10:58:57 2010 : Debug: Cleaning up request 2 ID 168 with timestamp +98 Thu Nov 4 10:58:57 2010 : Debug: Ready to process requests. in debug appears: security { reject_delay = 0 but still dont work thanks for help. 2010/11/4 Johan Meiring jmeir...@pcservices.co.za On 2010/11/04 02:37 PM, eduardo moreira wrote: sorry radtest -d /etc/freeradius username 123456 10.12.60.19 1812 password any That should work. The any is probably unnecesary. What does freeradius -X now say? -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Doubt - Freeradius + Ldap
Hello list, Im new with freeradius, but read many about this and dont solve my problem. I have this problem with my implemention. Only appears this message with freeradius -X -x Mon Nov 1 15:04:23 2010 : Debug: rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support. Mon Nov 1 15:04:23 2010 : Debug: rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support. Mon Nov 1 15:04:23 2010 : Debug: rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support. Remaind: i using debian 5.0 And when try to connect, appears this message: Mon Nov 1 15:06:10 2010 : Debug: rlm_ldap: LDAP attribute cn as RADIUS attribute Group == eduardo Mon Nov 1 15:06:10 2010 : Debug: rlm_ldap: looking for reply items in directory... Mon Nov 1 15:06:10 2010 : Debug: rlm_ldap: user eduardo authorized to use remote access Mon Nov 1 15:06:10 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Mon Nov 1 15:06:10 2010 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0 Mon Nov 1 15:06:10 2010 : Debug: ++[ldap] returns ok Mon Nov 1 15:06:10 2010 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0 Mon Nov 1 15:06:10 2010 : Debug: rlm_eap: No EAP-Message, not doing EAP Mon Nov 1 15:06:10 2010 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0 Mon Nov 1 15:06:10 2010 : Debug: ++[eap] returns noop Mon Nov 1 15:06:10 2010 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0 Mon Nov 1 15:06:10 2010 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0 Mon Nov 1 15:06:10 2010 : Debug: ++[chap] returns noop Mon Nov 1 15:06:10 2010 : Debug: !!! Mon Nov 1 15:06:10 2010 : Debug: !!!Replacing User-Password in config items with Cleartext-Password. !!! Mon Nov 1 15:06:10 2010 : Debug: !!! Mon Nov 1 15:06:10 2010 : Debug: !!! Please update your configuration so that the known good !!! Mon Nov 1 15:06:10 2010 : Debug: !!! clear text password is in Cleartext-Password, and not in User-Password. !!! Mon Nov 1 15:06:10 2010 : Debug: !!! Mon Nov 1 15:06:10 2010 : Debug: auth: type Local Mon Nov 1 15:06:10 2010 : Debug: auth: user supplied User-Password does NOT match local User-Password Mon Nov 1 15:06:10 2010 : Debug: auth: Failed to validate the user. Mon Nov 1 15:06:10 2010 : Auth: Login incorrect: [eduardo/1\320\026\305\020B)\323I\211�?\001\nx\204] (from client BrasilTelecom port 1812) Mon Nov 1 15:06:10 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! Mon Nov 1 15:06:10 2010 : Debug: Delaying reject of request 0 for 1 seconds I try to reinstall but no sucess. I need help for advanced. If anyone have this solution or whatever, please help me. And sorry for my bad english. Regards, Eduardo - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Doubt - Freeradius + Ldap
It's probably since you didn't compile OpenLDAP and FreeRadius with OpenSSL support. So you will need to recompile OpenLDAP, Cyrus SASL, OpenLDAP and FreeRadius. On Tue, Nov 2, 2010 at 6:14 AM, eduardo moreira eduardomoreir...@gmail.comwrote: Hello list, Im new with freeradius, but read many about this and dont solve my problem. I have this problem with my implemention. Only appears this message with freeradius -X -x Mon Nov 1 15:04:23 2010 : Debug: rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support. Mon Nov 1 15:04:23 2010 : Debug: rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support. Mon Nov 1 15:04:23 2010 : Debug: rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support. Remaind: i using debian 5.0 And when try to connect, appears this message: Mon Nov 1 15:06:10 2010 : Debug: rlm_ldap: LDAP attribute cn as RADIUS attribute Group == eduardo Mon Nov 1 15:06:10 2010 : Debug: rlm_ldap: looking for reply items in directory... Mon Nov 1 15:06:10 2010 : Debug: rlm_ldap: user eduardo authorized to use remote access Mon Nov 1 15:06:10 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Mon Nov 1 15:06:10 2010 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0 Mon Nov 1 15:06:10 2010 : Debug: ++[ldap] returns ok Mon Nov 1 15:06:10 2010 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0 Mon Nov 1 15:06:10 2010 : Debug: rlm_eap: No EAP-Message, not doing EAP Mon Nov 1 15:06:10 2010 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0 Mon Nov 1 15:06:10 2010 : Debug: ++[eap] returns noop Mon Nov 1 15:06:10 2010 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0 Mon Nov 1 15:06:10 2010 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0 Mon Nov 1 15:06:10 2010 : Debug: ++[chap] returns noop Mon Nov 1 15:06:10 2010 : Debug: !!! Mon Nov 1 15:06:10 2010 : Debug: !!!Replacing User-Password in config items with Cleartext-Password. !!! Mon Nov 1 15:06:10 2010 : Debug: !!! Mon Nov 1 15:06:10 2010 : Debug: !!! Please update your configuration so that the known good !!! Mon Nov 1 15:06:10 2010 : Debug: !!! clear text password is in Cleartext-Password, and not in User-Password. !!! Mon Nov 1 15:06:10 2010 : Debug: !!! Mon Nov 1 15:06:10 2010 : Debug: auth: type Local Mon Nov 1 15:06:10 2010 : Debug: auth: user supplied User-Password does NOT match local User-Password Mon Nov 1 15:06:10 2010 : Debug: auth: Failed to validate the user. Mon Nov 1 15:06:10 2010 : Auth: Login incorrect: [eduardo/1\320\026\305\020B)\323I\211�?\001\nx\204] (from client BrasilTelecom port 1812) Mon Nov 1 15:06:10 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! Mon Nov 1 15:06:10 2010 : Debug: Delaying reject of request 0 for 1 seconds I try to reinstall but no sucess. I need help for advanced. If anyone have this solution or whatever, please help me. And sorry for my bad english. Regards, Eduardo - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Doubt - Freeradius + Ldap
On Tue, Nov 02, 2010 at 07:30:23AM +1300, Peter Lambrechtsen wrote: It's probably since you didn't compile OpenLDAP and FreeRadius with OpenSSL support. So you will need to recompile OpenLDAP, Cyrus SASL, OpenLDAP and FreeRadius. No, no, no, and no. sigh If you want to read random debug messages, don't pick just any. Yes, he doesn't have SSL support, but the log also says pretty clearly: Mon Nov 1 15:06:10 2010 : Debug: rlm_eap: No EAP-Message, not doing EAP When the client does not use EAP, it's completely irrelevant that the server doesn't have support for SSL-using EAP methods. And there's clearly no reason to recompile even FR, let alone three other different pieces of software. (For the former, just use lenny-backports.) The final error state is: Mon Nov 1 15:06:10 2010 : Auth: Login incorrect: [eduardo/1\320\026\305\020B)\323I\211\001\nx\204] (from client BrasilTelecom port 1812) Mon Nov 1 15:06:10 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! So, have you double-checked the shared secret? -- 2. That which causes joy or happiness. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Doubt - Freeradius + Ldap
Yes, i checke shared secred in clients. And i try to reinstall with apt-get but dont works. ty for help. 2010/11/1 Josip Rodin j...@entuzijast.net On Tue, Nov 02, 2010 at 07:30:23AM +1300, Peter Lambrechtsen wrote: It's probably since you didn't compile OpenLDAP and FreeRadius with OpenSSL support. So you will need to recompile OpenLDAP, Cyrus SASL, OpenLDAP and FreeRadius. No, no, no, and no. sigh If you want to read random debug messages, don't pick just any. Yes, he doesn't have SSL support, but the log also says pretty clearly: Mon Nov 1 15:06:10 2010 : Debug: rlm_eap: No EAP-Message, not doing EAP When the client does not use EAP, it's completely irrelevant that the server doesn't have support for SSL-using EAP methods. And there's clearly no reason to recompile even FR, let alone three other different pieces of software. (For the former, just use lenny-backports.) The final error state is: Mon Nov 1 15:06:10 2010 : Auth: Login incorrect: [eduardo/1\320\026\305\020B)\323I\211\001\nx\204] (from client BrasilTelecom port 1812) Mon Nov 1 15:06:10 2010 : Debug: WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS! So, have you double-checked the shared secret? -- 2. That which causes joy or happiness. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius + LDAP Group check
Hello! I'm trying to modify a working configuration to add one more authentication service in FreeRadius. I already have one configuration to authenticate users in ldap to use wireless network. See the radiusd.conf: radiusd.conf prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run pidfile = /var/run/freeradius/freeradius.pid user = freerad group = freerad listen { ipaddr = * port = 0 type = auth } listen { ipaddr = * port = 0 type = acct } thread pool { start_servers = 1 max_servers = 4 min_spare_servers = 1 max_spare_servers = 3 max_requests_per_server = 0 } $INCLUDE ${confdir}/clients.conf modules { pap { encryption_scheme = clear } chap { authtype = CHAP } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP with_ntdomain_hack = yes } mschapv2 { } files { usersfile = ${confdir}/users compat = no } ldap ldap_1x { server = 127.0.0.1 identity = cn=Manager,dc=company,dc=com,dc=br password = XX basedn = ou=Users,dc=company,dc=com,dc=br start_tls = no access_attr = uid dictionary_mapping = ${raddbdir}/ldap.attrmap authtype = ldap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } } authorize { pap files mschap ldap_1x eap } authenticate { Auth-Type PAP { pap } Auth-Type MS-CHAP { mschap } Auth-Type PPP { ldap_1x } eap } log { destination = files file = /var/log/freeradius/radius.log syslog_facility = daemon stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } and, the users file: users DEFAULT Auth-Type := MS-CHAP DEFAULT Hint == CSLIP Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == SLIP Framed-Protocol = SLIP This is enough to provide access to users in wireless network. I need to add a Radius Auth in Ldap to Switches devices with Group Check. The users are in cn=TacAdm,ou=Groups,dc=company,dc=com,dc=br I already tryed to add a new module called ldap ldap_switch { ... } and many instances like groupmembership_filter, groupname_attribute, filter, base_filter, access_attr, groupmembership_attribute, but nothing do the group check in ldap! What do I need to this checking group works and maintain the wireless configuration working well? Thanks! Douglas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html