Re: Freeradius with ldap

2012-05-31 Thread g17jimmy
The FAQ gives a *very* basic and less than complete example of using groups.
I found an old maillist entry that might be of help here. -
http://lists.freeradius.org/pipermail/freeradius-users/2007-June/019764.html 

I'm trying to do something similar and I'm having trouble getting radius to
be able to successfully validate a user as part of a group.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius with ldap

2012-05-31 Thread Alan DeKok
Marlos Alex wrote:
> 
> I'm in trouble and I think that freeradius is, can anyone help me, I
> configured the ldap group and created a wireless and want only
> the users of this group to access my wifi network?

  Examples of LDAP group checking are in the FAQ.

  Alan DeKok.


Freeradius with ldap

2012-05-31 Thread Marlos Alex

I'm in trouble and I think that freeradius is, can anyone help me, I configured the ldap group and created a wireless and want only the users of this group to access my wifi network?


Re: Configuring Freeradius with LDAP

2012-04-19 Thread Wassim Zaarour
Hi,

Actually what was helpful is reading the comments in radiusd.conf.
Location of ldap config changed starting 2.0.0.

I successfully configured it

Thanks.

Wassim C. Zaarour
Systems & Network Engineer

On 4/18/12 11:12 PM, "Mark Holmes"  wrote:

>I think
>
>http://wiki.freeradius.org/Rlm_ldap
>
>Has what you are after.
>
>Mark
>
>
>
>On 18 Apr 2012, at 18:53, "Wassim Zaarour" wrote:
>
>Hi List,
>
>I have installed freeradius 2.1.12, and it's working well.
>
>Now I need to configure it to authenticate with LDAP (Sun Directory
>Server) but I can't seem to find which file to configure in raddb, I
>can't find it in radiusd.conf
>
>I appreciated any help on this.
>
>Wassim C. Zaarour
>Systems & Network Engineer




Re: Configuring Freeradius with LDAP

2012-04-18 Thread Mark Holmes
I think

http://wiki.freeradius.org/Rlm_ldap

Has what you are after.

Mark



On 18 Apr 2012, at 18:53, "Wassim Zaarour" wrote:

Hi List,

I have installed freeradius 2.1.12, and it's working well.

Now I need to configure it to authenticate with LDAP (Sun Directory Server) but 
I can't seem to find which file to configure in raddb, I can't find it in 
radiusd.conf

I appreciated any help on this.

Wassim C. Zaarour
Systems & Network Engineer



Re: Configuring Freeradius with LDAP

2012-04-18 Thread Tobias Hachmer

On 18.04.2012 19:47, Wassim Zaarour wrote:
> Now I need to configure it to authenticate with LDAP (Sun Directory
> Server) but I can't seem to find which file to configure in raddb, I
> can't find it in radiusd.conf

Did you try Google or just the search box on wiki.freeradius.org?

http://wiki.freeradius.org/search?q=ldap

Tobias Hachmer


Configuring Freeradius with LDAP

2012-04-18 Thread Wassim Zaarour
Hi List,

I have installed freeradius 2.1.12, and it's working well.

Now I need to configure it to authenticate with LDAP (Sun Directory Server)
but I can't seem to find which file to configure in raddb, I can't find it
in radiusd.conf

I appreciated any help on this.

Wassim C. Zaarour
Systems & Network Engineer

Re: FreeRADIUS with LDAP Support

2011-12-08 Thread John Dennis

On 12/08/2011 01:11 PM, Nick Khamis wrote:
> Hello Everyone,
>
> I do have libldap2-dev installed however, it seems like openldap in all its
> totality is needed?

What is needed will be listed in the output of configure. Also listed
will be where configure looked for the dependency. You should read this.
Usually you'll need the headers and libraries, but they may be located
in non-standard locations, if so you'll have to tell configure where to
find them.

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: FreeRADIUS with LDAP Support

2011-12-08 Thread Nick Khamis
Hello Everyone,

I do have libldap2-dev installed however, it seems like openldap in all its
totality is needed?

Thanks in Advance,

Nick.

On Thu, Dec 8, 2011 at 5:31 AM, Fajar A. Nugraha  wrote:
> On Thu, Dec 8, 2011 at 9:51 AM, Nick Khamis  wrote:
>> Hello Everyone,
>>
>> I tried to compile FreeRADIUS with LDAP support however, rlm_ldap has
>> not been compiled.
>> Are libldap-2.4-2 libldap-dev not sufficient? Do I need to install OpenLDAP?
>
> Try libldap2-dev. That's what's in the "Build-Depends" section of debian/control.
>
> --
> Fajar


Re: FreeRADIUS with LDAP Support

2011-12-08 Thread Fajar A. Nugraha
On Thu, Dec 8, 2011 at 9:51 AM, Nick Khamis  wrote:
> Hello Everyone,
>
> I tried to compile FreeRADIUS with LDAP support however, rlm_ldap has
> not been compiled.
> Are libldap-2.4-2 libldap-dev not sufficient? Do I need to install OpenLDAP?

Try libldap2-dev. That's what's in the "Build-Depends" section of debian/control.

-- 
Fajar


Re: FreeRADIUS with LDAP Support

2011-12-08 Thread Alan Buxey
Hi,

> I tried to compile FreeRADIUS with LDAP support however, rlm_ldap has
> not been compiled.
> Are libldap-2.4-2 libldap-dev not sufficient? Do I need to install OpenLDAP?

if you read the output of ./configure

eg

./configure | grep WARN

you will see what LDAP stuff is required - openldap


alan


FreeRADIUS with LDAP Support

2011-12-07 Thread Nick Khamis
Hello Everyone,

I tried to compile FreeRADIUS with LDAP support however, rlm_ldap has
not been compiled.
Are libldap-2.4-2 libldap-dev not sufficient? Do I need to install OpenLDAP?

Thanks in Advance,

Nick.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

On 09-07-2010 17:12, Alan DeKok wrote:

> Daniel Gomes wrote:
>>>> we are currently and successfully using it to
>>>> authenticate other services).
>>> Using PAP passwords.
>> Actually these applications are probably just binding with the user's
>> credentials, but that's not relevant here.
>
> That's what I meant.
>
>> Well, it doesn't help me much if you say you know the problem and its
>> solution, but then don't tell me how to fix it.
>
> OpenLDAP has documentation on how to make it return passwords when an
> LDAP client asks for them.  We don't tend to copy that documentation here.
>
>> And I know I'm not the
>> first one to have these issues, I started from the beginning by saying
>> that I read everything I could find about it on the Internet, tried to
>> fix the problem many times and only then I came here, asking for help.
>> Sorry for wasting your time!... And btw, your aggressive attitude
>> doesn't really help anyone.
>
> Sorry... but when you ask for help, you shouldn't argue with the
> answers.  Especially when it's clear that you're asking for help because
> you don't know what's going wrong.
>
> Education can be a painful process.

Mate, I wasn't arguing in the sense of "you're wrong", I was just trying
to understand why you were saying that LDAP wasn't working, when it
clearly looked like it was. After you explained the difference between
PAP and MS-CHAP in the previous email, I could finally understand just
that. So thanks once again for the explanation!

And yeah, I didn't know what was going on, but that was my reason to
come here in the first place!

>> Anyway, after getting it to work with PAP, I followed nf-vale's solution
>> (adding the ntPassword and lmPassword attributes to LDAP) and now it's
>> also working with MS-CHAP. Thanks for the great tip!!
>
> That's good to hear.
>
> Alan DeKok.

Thanks for the patience,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
>>> we are currently and successfully using it to
>>> authenticate other services).
>> Using PAP passwords.
>
> Actually these applications are probably just binding with the user's
> credentials, but that's not relevant here.

That's what I meant.

> Well, it doesn't help me much if you say you know the problem and its
> solution, but then don't tell me how to fix it.

  OpenLDAP has documentation on how to make it return passwords when an
LDAP client asks for them.  We don't tend to copy that documentation here.

> And I know I'm not the
> first one to have these issues, I started from the beginning by saying
> that I read everything I could find about it on the Internet, tried to
> fix the problem many times and only then I came here, asking for help.
> Sorry for wasting your time!... And btw, your aggressive attitude
> doesn't really help anyone.

  Sorry... but when you ask for help, you shouldn't argue with the
answers.  Especially when it's clear that you're asking for help because
you don't know what's going wrong.

  Education can be a painful process.

> Anyway, after getting it to work with PAP, I followed nf-vale's solution
> (adding the ntPassword and lmPassword attributes to LDAP) and now it's
> also working with MS-CHAP. Thanks for the great tip!!

  That's good to hear.

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

On 09-07-2010 13:59, Alan DeKok wrote:

> Daniel Gomes wrote:
>> Well, as I mentioned (a couple of times now), the LDAP server was indeed
>> returning a password to FreeRADIUS, since radtest was always working
>> fine.
>
> No, it wasn't returning a password to FreeRADIUS.  Go *read* the debug
> output.  It will prove this.
>
> When using PAP, the LDAP module looks for a password.  If it doesn't
> get one, it then tries to do "bind as user".  That is, it hands the
> username && password to the LDAP server, and asks "are these OK"?
>
> When this happens, you're making your LDAP server do user
> authentication.  This is wrong.  LDAP is a database.  RADIUS is an
> authentication server.

Ok, thanks, now I see the difference. I did read the debug output, and
again, I understood that FreeRADIUS was having problems getting the
userPassword, I just couldn't understand why. For a layman such as
myself, if it worked with radtest it followed that it should work with
MS-CHAP too. With this explanation, now I understand why it didn't.

>> So the problem wasn't in the LDAP server itself, because it does
>> "return a password when an LDAP client queries it for a password" (as I
>> also mentioned it, we are currently and successfully using it to
>> authenticate other services).
>
> Using PAP passwords.

Actually these applications are probably just binding with the user's
credentials, but that's not relevant here.

>> The problem was really related to MS-CHAP,
>> and now that I changed to PAP, it all seems to be working fine...
>
> Yes.  For the reasons outlined above.
>
> Your situation *isn't* the first time someone has had this issue.
> We're familiar with the problem && solution, where you are clearly not.
>
> Alan DeKok.

Well, it doesn't help me much if you say you know the problem and its 
solution, but then don't tell me how to fix it. And I know I'm not the 
first one to have these issues, I started from the beginning by saying 
that I read everything I could find about it on the Internet, tried to 
fix the problem many times and only then I came here, asking for help. 
Sorry for wasting your time!... And btw, your aggressive attitude 
doesn't really help anyone.


Anyway, after getting it to work with PAP, I followed nf-vale's solution 
(adding the ntPassword and lmPassword attributes to LDAP) and now it's 
also working with MS-CHAP. Thanks for the great tip!!


Cheers,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
> Well, as I mentioned (a couple of times now), the LDAP server was indeed
> returning a password to FreeRADIUS, since radtest was always working
> fine.

  No, it wasn't returning a password to FreeRADIUS.  Go *read* the debug
output.  It will prove this.

  When using PAP, the LDAP module looks for a password.  If it doesn't
get one, it then tries to do "bind as user".  That is, it hands the
username && password to the LDAP server, and asks "are these OK"?

  When this happens, you're making your LDAP server do user
authentication.  This is wrong.  LDAP is a database.  RADIUS is an
authentication server.

> So the problem wasn't in the LDAP server itself, because it does
> "return a password when an LDAP client queries it for a password" (as I
> also mentioned it, we are currently and successfully using it to
> authenticate other services).

  Using PAP passwords.

> The problem was really related to MS-CHAP,
> and now that I changed to PAP, it all seems to be working fine...

  Yes.  For the reasons outlined above.

  Your situation *isn't* the first time someone has had this issue.
We're familiar with the problem && solution, where you are clearly not.

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes
Well, as I mentioned (a couple of times now), the LDAP server was indeed 
returning a password to FreeRADIUS, since radtest was always working 
fine. So the problem wasn't in the LDAP server itself, because it does 
"return a password when an LDAP client queries it for a password" (as I 
also mentioned it, we are currently and successfully using it to 
authenticate other services). The problem was really related to MS-CHAP, 
and now that I changed to PAP, it all seems to be working fine...


On 09-07-2010 13:35, Alan DeKok wrote:

> Daniel Gomes wrote:
>> Wrong guess, it's OpenLDAP :)
>
> Then fix it so that it returns a password to FreeRADIUS.
>
> It's an LDAP server.  If it doesn't return a password when an LDAP
> client queries it for a password, it's broken.
>
> Alan DeKok.

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
> Wrong guess, it's OpenLDAP :)

  Then fix it so that it returns a password to FreeRADIUS.

  It's an LDAP server.  If it doesn't return a password when an LDAP
client queries it for a password, it's broken.

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

Wrong guess, it's OpenLDAP :)

On 09-07-2010 13:04, Alan DeKok wrote:

> Daniel Gomes wrote:
>> From the logs, and as I wrote on my initial cry for help, I could see
>> that the password wasn't being found, I just couldn't puzzle out why...
>> And yes, the users do have passwords on LDAP (we are using it to
>> authenticate many other applications), and as I wrote down, radtest was
>> working fine, so freeradius was able to authenticate users via LDAP.
>
> Let me guess: it's Active Directory.
>
> Active Directory is *not* a real LDAP server.  In order to
> authenticate users with MS-CHAP, you will need to install Samba.
>
> See the Active Directory howto on http://deployingradius.com/
>
> Alan DeKok.

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
> From the logs, and as I wrote on my initial cry for help, I could see
> that the password wasn't being found, I just couldn't puzzle out why...
> And yes, the users do have passwords on LDAP (we are using it to
> authenticate many other applications), and as I wrote down, radtest was
> working fine, so freeradius was able to authenticate users via LDAP.

  Let me guess: it's Active Directory.

  Active Directory is *not* a real LDAP server.  In order to
authenticate users with MS-CHAP, you will need to install Samba.

  See the Active Directory howto on http://deployingradius.com/

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

Hey there,

first of all, thanks for all the tips!

Commenting them, in the order in which they came:

@peter lambrechtsen:

 I actually had tried PAP before, but I gave up then because pptpd was 
refusing clients without even consulting the RADIUS server... But I 
noticed (a couple of minutes ago) that I had the client (ie. Windows) 
configured to try MS-CHAP and not PAP...


@ nf-vale:

nice detailed description on how to fix it, but I ended up using peter's 
solution, as it seemed easier.


@alan dekok (inline comments):

On 09-07-2010 11:23, Alan DeKok wrote:

> Daniel Gomes wrote:
>> I know this is a question which has been thoroughly asked and answered,
>> but after spending several days configuring, debugging, searching the
>> internet, re-configuring, etc, I still can't get my freeradius server
>> to properly authenticate users (for a pptpd server).
>
> Go read the debug log.  It's not finding the password for the user.
> Fix that.
>
>> So yeah, if you could help me out, I'd appreciate it! All I want is
>> pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
>> is not even a requirement for me here, since both services are on the
>> same machine, so there's not even the need for safe connections. So long
>> as it works, I really don't care about any particular configuration!
>
> A simple LDAP query for the user is *not* returning a password.
> That's the problem.
>
> Does the user even have a password in LDAP?

From the logs, and as I wrote on my initial cry for help, I could see
that the password wasn't being found, I just couldn't puzzle out why...
And yes, the users do have passwords on LDAP (we are using it to
authenticate many other applications), and as I wrote down, radtest was
working fine, so freeradius was able to authenticate users via LDAP.

> Alan DeKok.

Anyway, once again, thanks for all the tips! It seems to be working fine 
with PAP, so I guess I'll go with it!


Cheers,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
> I know this is a question which has been thoroughly asked and answered,
> but after spending several days configuring, debugging, searching the
> internet, re-configuring, etc, I still can't get my freeradius server
> to properly authenticate users (for a pptpd server).

  Go read the debug log.  It's not finding the password for the user.
Fix that.

> So yeah, if you could help me out, I'd appreciate it! All I want is
> pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
> is not even a requirement for me here, since both services are on the
> same machine, so there's not even the need for safe connections. So long
> as it works, I really don't care about any particular configuration!

  A simple LDAP query for the user is *not* returning a password.
That's the problem.

  Does the user even have a password in LDAP?

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread nf-vale
Hi,

You can add NT / LM pairs to each LDAP user object. You must include the 
samba.schema into the ldap server schemas.

Ex:

sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE

You can create these passwords using smbencrypt tool (deployed with samba).

This way pptp MSCHAP auth will work.


Nelson Vale


On Monday 05 July 2010 16:59:08 Daniel Gomes wrote:
> Dear list,
> 
> I know this is a question which has been thoroughly asked and answered,
> but after spending several days configuring, debugging, searching the
> internet, re-configuring, etc, I still can't get my freeradius server
> to properly authenticate users (for a pptpd server).
> 
> First of all, on the pptpd server's side (which I know it's not your
> "jurisdiction", so I'll be fast here), I have the require-mschap-v2 and
> require-mppe options enabled.
> 
> As for freeradius itself, a summarized sites-enabled/default reads:
> 
> authorize {
> preprocess
> 
> pap
> 
> mschap
> 
> ldap
> 
> auth_log
> 
> eap {
> ok = return
> }
> 
> expiration
> logintime
> }
> 
> authenticate {
> Auth-Type PAP {
> pap
> }
> 
> Auth-Type MS-CHAP {
> mschap
> }
> 
> Auth-Type LDAP {
> ldap
> }
> 
> eap
> }
> 
> My modules/ldap contains all the necessary information, and my
> modules/mschap has the options use_mppe, require_encryption and
> require_strong enabled, like most tutorials state.
> 
> As for the results, radtest works fine (querying LDAP etc), but through
> pptd it always fails with this error:
> 
> 
> 
> rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
> length=151
>   Service-Type = Framed-User
>   Framed-Protocol = PPP
>   User-Name = "dgomes"
>   MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
>   MS-CHAP2-Response =
> 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf6
> 8cb9686085635bd3b3083707eb3 Calling-Station-Id = "193.136.136.200"
>   NAS-IP-Address = 193.136.136.40
>   NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] returns ok
> [ldap] performing user authorization for dgomes
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> details
>   expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
>   expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt ->
> ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
> rlm_ldap: bind as
> cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
> gold.ipfn.ist.utl.pt:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
> with filter (cn=dgomes)
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
> [ldap] user dgomes authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
>   expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y
> %m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
> [auth_log]
> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
> expand: %t -> Thu Jul  8 14:08:34 2010
> ++[auth_log] returns ok
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
>   expand: %{User-Name} -> dgomes
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> 
> --
> 
> I know that the error should be enough for me to fix it (since it's
> quite explanatory), but after trying many dif

Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-08 Thread Peter Lambrechtsen
Why not setup your NAS to use PAP, instead of MS-CHAP.

If you use MS-CHAP you will need to have NT hashes in your LDAP directory.

It would be far easier to have PAP authentication enabled on your NAS, then
it should work fine.

On Tue, Jul 6, 2010 at 3:59 AM, Daniel Gomes  wrote:

> Dear list,
>
> I know this is a question which has been thoroughly asked and answered,
> but after spending several days configuring, debugging, searching the
> internet, re-configuring, etc, I still can't get my freeradius server
> to properly authenticate users (for a pptpd server).
>
> First of all, on the pptpd server's side (which I know it's not your
> "jurisdiction", so I'll be fast here), I have the require-mschap-v2 and
> require-mppe options enabled.
>
> As for freeradius itself, a summarized sites-enabled/default reads:
>
> authorize {
>preprocess
>
>pap
>
>mschap
>
>ldap
>
>auth_log
>
>eap {
>ok = return
>}
>
>expiration
>logintime
> }
>
> authenticate {
>Auth-Type PAP {
>pap
>}
>
>Auth-Type MS-CHAP {
>mschap
>}
>
>Auth-Type LDAP {
>ldap
>}
>
>eap
> }
>
> My modules/ldap contains all the necessary information, and my
> modules/mschap has the options use_mppe, require_encryption and
> require_strong enabled, like most tutorials state.
>
> As for the results, radtest works fine (querying LDAP etc), but through
> pptd it always fails with this error:
>
> 
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
> length=151
>Service-Type = Framed-User
>Framed-Protocol = PPP
>User-Name = "dgomes"
>MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
>MS-CHAP2-Response =
>
> 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
>Calling-Station-Id = "193.136.136.200"
>NAS-IP-Address = 193.136.136.40
>NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] returns ok
> [ldap] performing user authorization for dgomes
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> details
>expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
>expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt ->
> ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
> rlm_ldap: bind as
> cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
> gold.ipfn.ist.utl.pt:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
> with filter (cn=dgomes)
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
> [ldap] user dgomes authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
>expand:
> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y
> %m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
> [auth_log]
> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
> to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
>expand: %t -> Thu Jul  8 14:08:34 2010
> ++[auth_log] returns ok
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
>expand: %{User-Name} -> dgomes
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
>
> --
>
> I know that the error should be enough for me to fix it (since it's
> quite explanatory), but after trying many different configurations and
> searching through dozens of old mailing lists posts, I still haven't
> managed it...
>
> So yeah, if you could

Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-08 Thread Daniel Gomes
Dear list,

I know this is a question which has been thoroughly asked and answered,
but after spending several days configuring, debugging, searching the
internet, re-configuring, etc., I still can't get my freeradius server
to properly authenticate users (for a pptpd server).

First of all, on the pptpd server's side (which I know is not your
"jurisdiction", so I'll be quick here), I have the require-mschap-v2 and
require-mppe options enabled.

As for freeradius itself, a summarized sites-enabled/default reads:

authorize {
preprocess

pap

mschap

ldap

auth_log

eap {
ok = return
}

expiration
logintime
}

authenticate {
Auth-Type PAP {
pap
}

Auth-Type MS-CHAP {
mschap
}

Auth-Type LDAP {
ldap
}

eap
}

My modules/ldap contains all the necessary information, and my
modules/mschap has the options use_mppe, require_encryption and
require_strong enabled, like most tutorials state.

As for the results, radtest works fine (querying LDAP etc.), but through
pptpd it always fails with this error:



rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
length=151
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "dgomes"
MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
MS-CHAP2-Response =
0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
Calling-Station-Id = "193.136.136.200"
NAS-IP-Address = 193.136.136.40
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[ldap] performing user authorization for dgomes
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt ->
ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
rlm_ldap: bind as
cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
gold.ipfn.ist.utl.pt:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
with filter (cn=dgomes)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
[ldap] user dgomes authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y
%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
expand: %t -> Thu Jul  8 14:08:34 2010
++[auth_log] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} -> dgomes
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request

--

I know that the error should be enough for me to fix it (since it's
quite explanatory), but after trying many different configurations and
searching through dozens of old mailing list posts, I still haven't
managed it...

So yeah, if you could help me out, I'd appreciate it! All I want is
pptpd to authenticate the users with an LDAP backend, via RADIUS. MS-CHAP
is not even a requirement for me here, since both services are on the
same machine, so there's not even the need for secure connections. So long
as it works, I really don't care about any particular configuration!

Thanks in advance,
Daniel Gomes

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS with LDAP backend (PAP works but CHAP or any other modules does not work), help please

2009-10-04 Thread Ivan Kalik
> I am glad to say that I was able to setup FreeRADIUS ver. 2.1.7 with LDAP
> (slapd) authentication after a continuous research of a whole week. I can
> authenticate user via LDAP but it only works for PAP, radtest tool works,
> NTRadPing works but only when using PAP (un-checking CHAP).

If you had read the comments in the ldap module (raddb/modules/ldap) you
needn't have wasted your time. Ldap authentication works *only* for PAP.

http://deployingradius.com/documents/protocols/oracles.html

> I would appreciate if some of you can help me with that or can guide me to
> the right path

Use ldap as database and not authentication system. Pass the password from
it to freeradius and let freeradius authenticate the user.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS with LDAP backend (PAP works but CHAP or any other modules does not work), help please

2009-10-03 Thread Peter Lambrechtsen
Your password needs to be readable in cleartext by FR for anything other
than PAP to work.

That way FR can hash/encrypt the password out of LDAP on the server side and
compare against the hash it gets passed from the client.

On Sun, Oct 4, 2009 at 6:07 PM, Ryaz Khan  wrote:

>  Hi Guys,
>
>
>
> I am glad to say that I was able to setup *FreeRADIUS ver. 2.1.7* with *LDAP
> (slapd)* authentication after a continuous research of a whole week. I can
> authenticate user via LDAP but it only works for PAP, *radtest* tool
> works, *NTRadPing* works but only when using PAP (un-checking CHAP).
>
>
>
> I tried every possible option/combination I can think of, but unfortunately
> none of them worked.
>
>
>
> I would appreciate if some of you can help me with that or can guide me to
> the right path
>
>
>
> Thx guys
>
>
>
> Ryaz Khan
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
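The rule the replies above keep arriving at (Ivan: rlm_ldap's own bind-based authentication only works for PAP; Peter: anything else needs a password the server can read; and Daniel's debug output earlier on this page, where mschap gives up with "No NT/LM-Password"), worked through as an added Python example. This is not code from FreeRADIUS or from any poster on this list. The LDAP entries, user names, the ntPassword placeholder and every function name below are constructed for the demonstration. It parses an RFC 2307-style userPassword value (including the "{crypt}$1$..." md5-crypt form that comes up further down this page), verifies a PAP login against the hashed forms, shows that a CHAP response can only be checked from the cleartext, and reports which Auth-Types a given directory entry can support.

```python
"""What FreeRADIUS can do with a password read out of LDAP.

Added example, not FreeRADIUS code. All entries and values below are
constructed for the demonstration.
"""
import base64
import hashlib
import hmac

# crypt(3) prefixes; "{crypt}$1$..." is md5-crypt, which is what "it looks
# like MD5" refers to: a crypt(3) format, but not the classic DES one.
CRYPT_VARIANTS = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}


def parse_user_password(value):
    """Split an RFC 2307-style userPassword into (scheme, payload).

    A value without a {scheme} prefix is cleartext, which is the only form
    that can serve CHAP.
    """
    if value.startswith("{") and "}" in value:
        scheme, payload = value[1:].split("}", 1)
        scheme = scheme.lower()
        if scheme == "crypt":
            for prefix, name in CRYPT_VARIANTS.items():
                if payload.startswith(prefix):
                    return name, payload
            return "des-crypt", payload
        return scheme, payload
    return "cleartext", value


def make_ssha(password, salt):
    """Build a {SSHA} value the way slapd stores it: base64(sha1(pw+salt)+salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_pap(stored, candidate):
    """PAP: the NAS sends the cleartext, so any stored form can be checked.

    crypt(3) variants are reported as False here rather than verified, to keep
    the example dependency-free (the real server hands them to crypt(3)).
    """
    scheme, payload = parse_user_password(stored)
    pw = candidate.encode()
    if scheme == "cleartext":
        return hmac.compare_digest(payload.encode(), pw)
    if scheme in ("ssha", "smd5"):
        raw = base64.b64decode(payload)
        algo, size = (hashlib.sha1, 20) if scheme == "ssha" else (hashlib.md5, 16)
        digest, salt = raw[:size], raw[size:]
        return hmac.compare_digest(algo(pw + salt).digest(), digest)
    if scheme in ("sha", "md5"):
        algo = hashlib.sha1 if scheme == "sha" else hashlib.md5
        return hmac.compare_digest(algo(pw).digest(), base64.b64decode(payload))
    return False


def chap_response(cleartext, chap_id, challenge):
    """RFC 1994 CHAP: MD5(id || password || challenge), as the client computes it."""
    return hashlib.md5(bytes([chap_id]) + cleartext.encode() + challenge).digest()


def check_chap(cleartext, chap_id, challenge, response):
    """The server must recompute the same MD5, so it needs the cleartext too.

    A {SSHA} or {crypt} hash from the directory cannot be used here.
    """
    return hmac.compare_digest(chap_response(cleartext, chap_id, challenge), response)


def auth_types_available(entry):
    """Which Auth-Types the server can serve for one LDAP entry."""
    types = []
    stored = entry.get("userPassword")
    if stored is not None:
        types.append("PAP")                      # rlm_pap handles any stored form
        if parse_user_password(stored)[0] == "cleartext":
            types += ["CHAP", "MS-CHAP"]         # both need the cleartext to hash
    if "ntPassword" in entry:                    # ldap.attrmap maps it to NT-Password
        for t in ("PAP", "MS-CHAP"):             # the MD4 hash is enough for both
            if t not in types:
                types.append(t)
    return types


# Constructed entries; the ntPassword value is a placeholder, not a real NT hash
EXAMPLE_ENTRIES = {
    "hashed": {"uid": "try", "userPassword": make_ssha("trialanderror", b"salt")},
    "clear": {"uid": "dgomes", "userPassword": "s3cret"},
    "nthash": {"uid": "dgomes",
               "userPassword": "{crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK.",
               "ntPassword": "0123456789abcdef0123456789abcdef"},
}

if __name__ == "__main__":
    for name, entry in EXAMPLE_ENTRIES.items():
        print("%-7s %-12s -> %s" % (name, parse_user_password(entry["userPassword"])[0],
                                    ", ".join(auth_types_available(entry))))
```

auth_types_available() is the decision the thread circles around: a {SSHA} or {crypt} userPassword gives PAP only, a cleartext value gives PAP, CHAP and MS-CHAP, and an ntPassword attribute gives MS-CHAP without ever storing the cleartext in the directory.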

FreeRADIUS with LDAP backend (PAP works but CHAP or any other modules does not work), help please

2009-10-03 Thread Ryaz Khan
Hi Guys,

I am glad to say that I was able to set up FreeRADIUS ver. 2.1.7 with LDAP
(slapd) authentication after a continuous week of research. I can
authenticate users via LDAP but it only works for PAP: the radtest tool works,
and NTRadPing works but only when using PAP (un-checking CHAP).

I tried every possible option/combination I can think of, but unfortunately
none of them worked.

I would appreciate it if some of you could help me with that or guide me to
the right path.

Thx guys

Ryaz Khan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Configuring Freeradius with Ldap Windows Server 2003

2009-06-02 Thread Alan DeKok
Hari Novferdianto wrote:
> Hi,
> How do I configure freeradius with ldap on Windows Server 2003?
> When I installed my freeradius I did:
> ./configure --prefix=/usr/local/freeradius --with-modules="rlm-ldap"

  That isn't enough.  You need to have the local LDAP libraries &&
header files on your system.

  FreeRADIUS does *not* implement the LDAP protocol.

> After configuring it in radiusd.conf,
> it still says:
> radiusd.conf[744] Failed to link to module 'rlm_ldap': rlm_ldap.so:
> cannot open shared object file: No such file or directory
> radiusd.conf[1956] Unknown module "ldap".
> radiusd.conf[1956] Failed to parse "ldap" entry.

  The module doesn't exist because it wasn't built.  It wasn't built
because the things it needs (see above) don't exist.

  Install the LDAP libraries && development header files on your system,
and then re-build FreeRADIUS.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Configuring Freeradius with Ldap Windows Server 2003

2009-06-02 Thread Hari Novferdianto
Hi,
How do I configure freeradius with ldap on Windows Server 2003?
When I installed my freeradius I did:
./configure --prefix=/usr/local/freeradius --with-modules="rlm-ldap"
After configuring it in radiusd.conf,
it still says:
radiusd.conf[744] Failed to link to module 'rlm_ldap': rlm_ldap.so: cannot
open shared object file: No such file or directory
radiusd.conf[1956] Unknown module "ldap".
radiusd.conf[1956] Failed to parse "ldap" entry.

I'm confused now...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How To Install Freeradius with LDAP - Need Help

2008-09-11 Thread tnt
Freeradius builds with radius support by default. Look up build and
rlm_ldap on freeradius wiki.

Ivan Kalik
Kalik Informatika ISP


On 11/9/2008, "niel m" <[EMAIL PROTECTED]> wrote:

>Hello Sir/Madam,
>
>Good Evening
>
>I'm Niel. I was researching this topic: Freeradius with LDAP support for
>authentication.
>I am under a lot of pressure because I want to implement such a system using the AP
>in my office.
>If anyone can help me with this problem, either of the below would do:
>
>- the URL of a web page that states a step-by-step procedure on how to implement such a
>system
>- or some personal advice.
>
>I appreciate any help I can get to build this system.
>
>
>Thanks,
>Niel
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


How To Install Freeradius with LDAP - Need Help

2008-09-11 Thread niel m
Hello Sir/Madam,

Good Evening

I'm Niel. I was researching this topic: Freeradius with LDAP support for
authentication.
I am under a lot of pressure because I want to implement such a system using the AP
in my office.
If anyone can help me with this problem, either of the below would do:

- the URL of a web page that states a step-by-step procedure on how to implement such a
system
- or some personal advice.

I appreciate any help I can get to build this system.


Thanks,
Niel
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: get problem with freeradius with LDAP authenticate

2008-08-12 Thread Maurizio Cimaschi

chenweiting wrote:

rlm_ldap: (re)connect to ldap.icpdd.neca.nec.com.au:389, authentication 0
ld.so.1: radiusd: fatal: relocation error: file 
/usr/local/lib/rlm_ldap-1.1.7.so: symbol ldap_int_tls_config: referenced 
symbol not found

Killed



Any idea for this issue?


A couple.

Do you have more than one installation of freeradius ?

How did you build the server ?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


get problem with freeradius with LDAP authenticate

2008-08-12 Thread chenweiting

Dear all,

I am trying to configure freeradius 1.1.7 on Solaris10
to authenticate with an ldap server. After I configure it, radiusd -X -A runs
well, but once I run radtest I get the error as
below:

==

./radiusd -X -A
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded LDAP
 ldap: server = "ldap.icpdd.neca.nec.com.au"
 ldap: port = 389
 ldap: net_timeout = 10
 ldap: timeout = 30
 ldap: timelimit = 3
 ldap: identity = ""
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
 ldap: basedn = "ou=people,dc=icpdd,dc=neca,dc=nec,dc=com,dc=au"
 ldap: filter = "(uid=%u)"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "(null)"
 ldap: access_attr = "dialupAccess"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped t

Re: problem configuring freeradius with ldap user database

2008-06-14 Thread Sambuddho Chakravarty
Hello Ivan
 The solution previously suggested by Alan worked.
Thanks
Sambuddho
On Sat, 2008-06-14 at 18:15 +0100, Ivan Kalik wrote:
> >rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in
> >check items
> 
> Are you sure that's crypt? It looks like MD5 to me.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: problem configuring freeradius with ldap user database

2008-06-14 Thread Ivan Kalik
>rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in
>check items

Are you sure that's crypt? It looks like MD5 to me.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: problem configuring freeradius with ldap user database

2008-06-14 Thread Sambuddho Chakravarty
Hello Alan
 Thanks a lot! I'll check this out.
Sambuddho
On Sat, 2008-06-14 at 09:22 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> >  I am experiencing a problem while trying to authenticate the
> > username/password in LDAP through a freeradius server. While a regular
> > telnet/ssh to the edge running a openLdap client / PAM module works fine
> > (It is able to authenticate) but the problem arises when trying to
> > authenticate using the freeradius server . 
> > 
> > This is what the log message looks like :
> > 
> > User-Name = "try"
> > User-Password = "trialanderror"
> > NAS-IP-Address = 127.0.0.1
> ...
> > rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
> > (uid=try)
> > rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in
> > check items
> 
>   If you do NOTHING more than configure "ldap" in the default
> configuration, this should work.
> 
> >   modcall[authorize]: module "ldap" returns ok for request 0
> > modcall: group authorize returns ok for request 0
> 
>   You're not using 2.0, and you've edited the default configuration.  DO
> use a recent version.  DON'T edit the configuration to re-arrange the
> modules in the "authorize" section.
> 
> > Here you can see that the authorization of a user 'try' having password
> > 'trialanderror' works fine but authentication fails. The host running
> > the freeradius server is Fedora Core 5 running linux 2.6.25.
> 
>   The OS doesn't matter.  The version of FreeRADIUS does.
> 
>   It seems you're using 1.1.x.  You should at LEAST upgrade to 1.1.7.
> Then, un-comment the references to LDAP, and configure the LDAP module.
>  The test WILL work.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: problem configuring freeradius with ldap user database

2008-06-14 Thread Alan DeKok
Sambuddho Chakravarty wrote:
>  I am experiencing a problem while trying to authenticate the
> username/password in LDAP through a freeradius server. While a regular
> telnet/ssh to the edge running a openLdap client / PAM module works fine
> (It is able to authenticate) but the problem arises when trying to
> authenticate using the freeradius server . 
> 
> This is what the log message looks like :
> 
> User-Name = "try"
> User-Password = "trialanderror"
> NAS-IP-Address = 127.0.0.1
...
> rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
> (uid=try)
> rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in
> check items

  If you do NOTHING more than configure "ldap" in the default
configuration, this should work.

>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0

  You're not using 2.0, and you've edited the default configuration.  DO
use a recent version.  DON'T edit the configuration to re-arrange the
modules in the "authorize" section.

> Here you can see that the authorization of a user 'try' having password
> 'trialanderror' works fine but authentication fails. The host running
> the freeradius server is Fedora Core 5 running linux 2.6.25.

  The OS doesn't matter.  The version of FreeRADIUS does.

  It seems you're using 1.1.x.  You should at LEAST upgrade to 1.1.7.
Then, un-comment the references to LDAP, and configure the LDAP module.
 The test WILL work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


problem configuring freeradius with ldap user database

2008-06-13 Thread Sambuddho Chakravarty
Hello All

 I am experiencing a problem while trying to authenticate a
username/password in LDAP through a freeradius server. A regular
telnet/ssh to the edge running an OpenLDAP client / PAM module works fine
(it is able to authenticate), but the problem arises when trying to
authenticate using the freeradius server.

This is what the log message looks like :

User-Name = "try"
User-Password = "trialanderror"
NAS-IP-Address = 127.0.0.1
NAS-Port = 2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "try", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 155
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for try
radius_xlat:  '(uid=try)'
radius_xlat:  'ou=People,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
rlm_ldap: bind as / to 30.0.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
(uid=try)
rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in
check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user try authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "try" with password "trialanderror"
rlm_ldap: user DN: uid=try,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to 30.0.0.2:389, authentication 1
rlm_ldap: bind as uid=try,ou=People,dc=example,dc=com/trialanderror to
30.0.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
  modcall[authenticate]: module "ldap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...


Here you can see that the authorization of a user 'try' having password
'trialanderror' works fine but authentication fails. The host running
the freeradius server is Fedora Core 5 running linux 2.6.25. Could you
please suggest where we are going wrong. I am sending you a copy of
the /etc/raddb/users file as well.


DEFAULT Auth-Type = System
Fall-Through = 1

DEFAULT Auth-Type := LDAP
Fall-Through = 0



Any help would be gratefully appreciated.

Thanks
Sambuddho



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: howto freeradius with ldap

2008-02-20 Thread shrinivas alageri
A very nice article:

  http://www.ibm.com/developerworks/linux/library/l-radius/

"Nikolay G. Petrov" <[EMAIL PROTECTED]> wrote:
  I read the included document about freeradius with ldap, but I am a foreigner
and find the content difficult to understand. Can you suggest any content with
an example of how I can use groups with ldap?
Thanks!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

howto freeradius with ldap

2008-02-20 Thread Nikolay G. Petrov
I read the included document about freeradius with ldap, but I am a foreigner
and find the content difficult to understand. Can you suggest any content with
an example of how I can use groups with ldap?
Thanks!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems using freeradius with ldap

2007-09-05 Thread Sergio Belkin
On Monday 03 September 2007 18:12:40 [EMAIL PROTECTED] wrote:
> You are picking up Auth-Type System from the users file. Comment it out.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 3/9/2007, "Sergio Belkin" <[EMAIL PROTECTED]> wrote:
> >I have problem when in Fedora 4 (sadly in my job I cannot change this)
> > using radtest against LDAP
> >
> >Packages version:
> >openldap-servers-2.2.29-1.FC4
> >openldap-clients-2.2.29-1.FC4
> >openldap-2.2.29-1.FC4
> >freeradius-1.0.4-1.FC4.1
> >
> >This  is part of /etc/raddb/radiusd.conf:
> >
> >ldap {
> >server = "localhost"
> >basedn = "ou=people,dc=mydomain,dc=com"
> >filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> >dictionary_mapping = ${raddbdir}/ldap.attrmap
> >ldap_connections_number = 5
> >password_attribute = userPassword
> >(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)
> >(uniquemember=%{Ldap-UserDn})))"
> >timeout = 4
> >timelimit = 3
> >net_timeout = 1
> >}
> >
> >authorize {
> >chap
> >mschap
> >suffix
> >eap
> >files
> >ldap
> >checkval
> >}
> >
> >And this a portion of /etc/raddb/users:
> >DEFAULT  Auth-Type = System
> >   Fall-Through = 1
> >DEFAULT  Auth-Type = LDAP
> >   Fall-Through = 1

Thanks, finally I did so and it worked out (using the original version of FC4)!

-- 
Sergio Belkin
Comunicación e Internet

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
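Why Ivan's advice ("you are picking up Auth-Type System from the users file, comment it out") fixes Sergio's configuration, and why Sambuddho's otherwise similar users file in the thread above did reach Auth-Type LDAP, comes down to the check-item operators. This added Python example (not FreeRADIUS code, and not posted by anyone in either thread) models the operator rules from the users(5) man page, restricted to "=", ":=", "==", the DEFAULT entry and Fall-Through: "=" sets a configuration item only when it is still unset, ":=" always replaces it, "==" compares against the request. The two users-file texts are taken from the posts above; the third, corrected file and the user "bob" in it are made up for the demonstration.

```python
"""How rlm_files applies check-item operators from the users file.

Added example, not FreeRADIUS code: a small model of the operator rules
documented in users(5), limited to "=", ":=" and "==", the DEFAULT entry
and Fall-Through. Two users-file texts below come from the threads on this
page; the third is made up.
"""
import re

ITEM = re.compile(r'^\s*([\w-]+)\s*(:=|==|=)\s*"?([^"]*?)"?\s*$')


def parse_items(text):
    """Parse 'Attr op value, Attr op value' into (name, op, value) tuples."""
    items = []
    for part in text.split(","):
        if not part.strip():
            continue
        m = ITEM.match(part)
        if m is None:
            raise ValueError("cannot parse item: %r" % part)
        items.append(m.groups())
    return items


def parse_users(text):
    """Parse a users file: an unindented 'NAME check-items' line starts an
    entry, indented lines that follow are its reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            entries[-1]["reply"].extend(parse_items(raw))
        else:
            parts = raw.split(None, 1)
            entries.append({"user": parts[0],
                            "check": parse_items(parts[1]) if len(parts) > 1 else [],
                            "reply": []})
    return entries


def lookup(entries, username, request):
    """Walk the entries in file order, as rlm_files does; return (config, reply).

    "==" compares against the request, "=" sets a config item only if it is
    still unset, ":=" always replaces it. Without Fall-Through the first
    matching entry ends the walk.
    """
    config, reply = {}, []
    for entry in entries:
        if entry["user"] not in ("DEFAULT", username):
            continue
        if any(request.get(n) != v for n, op, v in entry["check"] if op == "=="):
            continue                      # a comparison failed: entry does not match
        for name, op, value in entry["check"]:
            if op == "=":
                config.setdefault(name, value)
            elif op == ":=":
                config[name] = value
        fall_through = False
        for name, op, value in entry["reply"]:
            if name == "Fall-Through":
                fall_through = value.lower() in ("1", "yes")
            else:
                reply.append((name, value))
        if not fall_through:
            break
    return config, reply


# Sergio's file: both DEFAULT entries use "=", so the second never overrides
SERGIO_USERS = """\
DEFAULT  Auth-Type = System
        Fall-Through = 1
DEFAULT  Auth-Type = LDAP
        Fall-Through = 1
"""

# Sambuddho's file: ":=" on the second entry does override
SAMBUDDHO_USERS = """\
DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Auth-Type := LDAP
        Fall-Through = 0
"""

# Made-up corrected file: the System entry is commented out, as Ivan suggests
FIXED_USERS = """\
#DEFAULT Auth-Type = System
bob     Auth-Type := PAP, NAS-IP-Address == 127.0.0.1
        Reply-Message = "local test client"
DEFAULT Auth-Type := LDAP
"""

if __name__ == "__main__":
    for label, text in (("sergio", SERGIO_USERS), ("sambuddho", SAMBUDDHO_USERS),
                        ("fixed", FIXED_USERS)):
        print(label, lookup(parse_users(text), "testuser", {}))
```

Running it shows Sergio's file ending with Auth-Type System whatever the second DEFAULT says, Sambuddho's reaching LDAP because of ":=", and the corrected file selecting PAP for "bob" only when the request really came from 127.0.0.1.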


Re: Problems using freeradius with ldap

2007-09-05 Thread A . L . M . Buxey
Hi,

> Well, I did a workaround running:
> ./configure --prefix=/usr --without-rlm_sql --without-rlm_sqlippool 
> --without-rlm_sqlcounter  --without-rlm_sql_log --without-rlm_sqlhpwippool

working around means not fixing the issue - do you also have the required LDAP
development libraries etc. installed?  if you don't check the output
of ./configure then you don't know what it is deciding to drop by itself.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems using freeradius with ldap

2007-09-04 Thread A . L . M . Buxey
Hi,

> OK, I am trying to compile the fresh version, but when I run make, it outputs 
> at the end:
> 
> In file included from rlm_sqlippool.c:37:
> /root/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such 
> file> or directory


ta-dah! that's your answer printed on the screen right there. you don't have
the required libtool development headers installed. depending on the
distro this will be something like:

libtool-ltdl-devel
libtool-ltdl

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems using freeradius with ldap

2007-09-04 Thread Sergio Belkin
On Tuesday 04 September 2007 11:09:33 [EMAIL PROTECTED] wrote:
> Hi,
>
> > OK, I am trying to compile the fresh version, but when I run make, it
> > outputs at the end:
> >
> > In file included from rlm_sqlippool.c:37:
> > /root/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such
> > file> or directory
>
> ta-dah! that's your answer printed on the screen right there. you don't have
> the required libtool development headers installed. depending on the
> distro this will be something like:
>
> libtool-ltdl-devel
> libtool-ltdl
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Well, I did a workaround running:
./configure --prefix=/usr --without-rlm_sql --without-rlm_sqlippool 
--without-rlm_sqlcounter  --without-rlm_sql_log --without-rlm_sqlhpwippool

But now, after configuring for using ldap and running radiusd -X it complains 
as follows:

Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
radiusd.conf[744] Failed to link to module 'rlm_ldap': rlm_ldap.so: cannot 
open shared object file: No such file or directory
radiusd.conf[1960] Unknown module "ldap".
radiusd.conf[1960] Failed to parse "ldap" entry.


Any ideas?
Thanks again!
-- 
Sergio Belkin
Comunicación e Internet

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems using freeradius with ldap

2007-09-04 Thread Sergio Belkin
On Tuesday 04 September 2007 02:24:16 Alan DeKok wrote:
> Sergio Belkin wrote:
> > I have problem when in Fedora 4 (sadly in my job I cannot change this)
> > using radtest against LDAP
>
> ...
>
> > freeradius-1.0.4-1.FC4.1
>
>   I am STRONGLY inclined to tell people using 3-year old versions of the
> server that they can get support from the FC project, not from us.
>
>   And that version has a number of problems.  See
> http://freeradius.org/security.html
>
>   Despite using FC4, you *can* upgrade FreeRADIUS to a sane version by
> installing the "tar" file by hand.

OK, I am trying to compile the fresh version, but when I run make, it outputs 
at the end:

In file included from rlm_sqlippool.c:37:
/root/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such file 
or directory
In file included from rlm_sqlippool.c:37:
/root/freeradius-1.1.7/src/include/modpriv.h:16: error: syntax error 
before 'lt_dlhandle'
/root/freeradius-1.1.7/src/include/modpriv.h:16: warning: no semicolon at end 
of struct or union
/root/freeradius-1.1.7/src/include/modpriv.h:17: warning: type defaults 
to 'int' in declaration of 'module_list_t'
/root/freeradius-1.1.7/src/include/modpriv.h:17: warning: data definition has 
no type or storage class
/root/freeradius-1.1.7/src/include/modpriv.h:27: error: syntax error 
before 'module_list_t'

And a lot of other errors about "rlm_sqlippool.c"; how can I fix it?

Thanks in advance

>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



-- 
Sergio Belkin
Comunicación e Internet

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems using freeradius with ldap

2007-09-03 Thread Alan DeKok
Sergio Belkin wrote:
> I have a problem when in Fedora 4 (sadly in my job I cannot change this) using 
> radtest against LDAP
...
> freeradius-1.0.4-1.FC4.1

  I am STRONGLY inclined to tell people using 3-year old versions of the
server that they can get support from the FC project, not from us.

  And that version has a number of problems.  See
http://freeradius.org/security.html

  Despite using FC4, you *can* upgrade FreeRADIUS to a sane version by
installing the "tar" file by hand.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems using freeradius with ldap

2007-09-03 Thread tnt
You are picking up Auth-Type System from the users file. Comment it out.

Ivan Kalik
Kalik Informatika ISP


On 3/9/2007, "Sergio Belkin" <[EMAIL PROTECTED]> wrote:

>I have a problem when in Fedora 4 (sadly in my job I cannot change this) using 
>radtest against LDAP
>
>Packages version: 
>openldap-servers-2.2.29-1.FC4
>openldap-clients-2.2.29-1.FC4
>openldap-2.2.29-1.FC4
>freeradius-1.0.4-1.FC4.1
>
>This  is part of /etc/raddb/radiusd.conf:
>
>ldap {
>server = "localhost"
>basedn = "ou=people,dc=mydomain,dc=com"
>filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>dictionary_mapping = ${raddbdir}/ldap.attrmap
>ldap_connections_number = 5
>password_attribute = userPassword
>(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)
>(uniquemember=%{Ldap-UserDn})))"
>timeout = 4
>timelimit = 3
>net_timeout = 1
>}
>
>authorize {
>chap
>mschap
>suffix
>eap
>files
>ldap
>checkval
>}
>
>And this is a portion of /etc/raddb/users:
>DEFAULT  Auth-Type = System
>   Fall-Through = 1
>DEFAULT  Auth-Type = LDAP
>   Fall-Through = 1
>
>
>I've appended the schemas in /etc/openldap/slapd.conf:
>/usr/share/doc/freeradius-1.0.4/RADIUS-LDAPv3.schema
>/usr/share/doc/freeradius-1.0.4/RADIUS-LDAP.schema
>
>Well, when I issue radtest in debug mode I get:
>radtest testuser sample  localhost  0  testing123
>Sending Access-Request of id 88 to 127.0.0.1:1812
>User-Name = "testuser"
>User-Password = "sample"
>NAS-IP-Address = host.mydomain.com
>NAS-Port = 0
>rad_recv: Access-Request packet from host 127.0.0.1:42077, id=88, length=58
>User-Name = "testuser"
>User-Password = "sample"
>NAS-IP-Address = 255.255.255.255
>NAS-Port = 0
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 2
>  modcall[authorize]: module "preprocess" returns ok for request 2
>  modcall[authorize]: module "chap" returns noop for request 2
>  modcall[authorize]: module "mschap" returns noop for request 2
>rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 2
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 2
>users: Matched entry DEFAULT at line 152
>users: Matched entry DEFAULT at line 155
>  modcall[authorize]: module "files" returns ok for request 2
>rlm_ldap: - authorize
>rlm_ldap: performing user authorization for testuser
>radius_xlat:  '(uid=testuser)'
>radius_xlat:  'ou=people,dc=mydomain,dc=com'
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: performing search in ou=people,dc=mydomain,dc=com, with filter 
>(uid=testuser)
>rlm_ldap: Added password sample in check items
>rlm_ldap: looking for check items in directory...
>rlm_ldap: looking for reply items in directory...
>rlm_ldap: user testuser authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>  modcall[authorize]: module "ldap" returns ok for request 2
>modcall: group authorize returns ok for request 2
>  rad_check_password:  Found Auth-Type System
>auth: type "System"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 2
>  modcall[authenticate]: module "unix" returns notfound for request 2
>modcall: group authenticate returns notfound for request 2
>auth: Failed to validate the user.
>Delaying request 2 for 1 seconds
>Finished request 2
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Sending Access-Reject of id 88 to 127.0.0.1:42077
>Waking up in 4 seconds...
>rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=88, length=20
>17:20:33 [EMAIL PROTECTED] /etc/raddb
>$ --- Walking the entire request list ---
>Cleaning up request 2 ID 88 with timestamp 46dc6c8f
>Nothing to do.  Sleeping until we see a request.
>
>
>Please could you lend me a hand to resolve this issue?
>Thanks in advance!
>-- 
>Sergio Belkin
>Comunicación e Internet
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
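
As an added example (not part of the thread), here is one way to apply the fix above on FreeRADIUS 1.x and to tighten the surrounding configuration. The debug output quoted above shows why the request fails: both DEFAULT entries match ("Matched entry DEFAULT" at lines 152 and 155), the first one wins, so Auth-Type ends up as System and the password is handed to rlm_unix, which knows nothing about the LDAP user and returns notfound. The same output shows "rlm_ldap: Added password sample in check items" while the ldap block configures no bind identity, i.e. an anonymous bind was able to read userPassword in clear text; the slapd ACL at the end addresses that. The service account DN, its password, the OU and the CA path are placeholders.

```text
# /etc/raddb/users  (added example)
#
# Remove the entry that forces Auth-Type = System. With it gone, the
# remaining "=" assignment only applies when no earlier module (chap,
# mschap, eap) has already chosen an Auth-Type.
#
# DEFAULT  Auth-Type = System
#          Fall-Through = 1

DEFAULT  Auth-Type = LDAP
         Fall-Through = 1

# /etc/raddb/radiusd.conf, relevant parts  (added example)
modules {
        ldap {
                server = "localhost"
                # Bind with a dedicated, least-privileged service account rather
                # than anonymously or as the directory manager. Note that -X debug
                # output prints the bind DN and password in clear text.
                identity = "cn=radius,ou=services,dc=mydomain,dc=com"   # placeholder
                password = "change-me"                                   # placeholder
                # Protect the bind password and any userPassword values on the wire.
                start_tls = yes
                tls_cacertfile = "/etc/raddb/certs/ca.pem"               # placeholder
                tls_require_cert = "demand"
                basedn = "ou=people,dc=mydomain,dc=com"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                password_attribute = userPassword
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
}

authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        files
        ldap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        # Auth-Type LDAP selects rlm_ldap's authenticate method: radiusd binds
        # to the directory as the user's DN with the password from the request.
        # That works whatever hash scheme userPassword uses, but only for PAP,
        # since CHAP and MS-CHAP never deliver a clear-text password.
        Auth-Type LDAP {
                ldap
        }
        unix
        eap
}

# /etc/openldap/slapd.conf  (added example)
# Only the radius service account may read userPassword; everyone else may
# only use it to bind (authenticate), and users may change their own.
access to attrs=userPassword
        by dn.exact="cn=radius,ou=services,dc=mydomain,dc=com" read
        by self write
        by anonymous auth
        by * none
```

After restarting radiusd -X and repeating the radtest, the authorize section should end with Auth-Type LDAP rather than System, and the authenticate section should call ldap instead of unix. If the directory stores userPassword in clear text, as the "Added password sample" line suggests it does here, switching it to a salted hash such as {SSHA} costs nothing for PAP but rules out CHAP, so decide on the storage format together with the authentication protocols the NAS devices need.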


Problems using freeradius with ldap

2007-09-03 Thread Sergio Belkin
I have a problem when in Fedora 4 (sadly in my job I cannot change this) using 
radtest against LDAP

Packages version: 
openldap-servers-2.2.29-1.FC4
openldap-clients-2.2.29-1.FC4
openldap-2.2.29-1.FC4
freeradius-1.0.4-1.FC4.1

This  is part of /etc/raddb/radiusd.conf:

ldap {
server = "localhost"
basedn = "ou=people,dc=mydomain,dc=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = userPassword
(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)
(uniquemember=%{Ldap-UserDn})))"
timeout = 4
timelimit = 3
net_timeout = 1
}

authorize {
chap
mschap
suffix
eap
files
ldap
checkval
}

And this is a portion of /etc/raddb/users:
DEFAULT  Auth-Type = System
   Fall-Through = 1
DEFAULT  Auth-Type = LDAP
   Fall-Through = 1


I've appended the schemas in /etc/openldap/slapd.conf:
/usr/share/doc/freeradius-1.0.4/RADIUS-LDAPv3.schema
/usr/share/doc/freeradius-1.0.4/RADIUS-LDAP.schema

Well, when I issue radtest in debug mode I get:
radtest testuser sample  localhost  0  testing123
Sending Access-Request of id 88 to 127.0.0.1:1812
        User-Name = "testuser"
        User-Password = "sample"
        NAS-IP-Address = host.mydomain.com
        NAS-Port = 0
rad_recv: Access-Request packet from host 127.0.0.1:42077, id=88, length=58
        User-Name = "testuser"
        User-Password = "sample"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 155
  modcall[authorize]: module "files" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(uid=testuser)'
radius_xlat:  'ou=people,dc=mydomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=mydomain,dc=com, with filter 
(uid=testuser)
rlm_ldap: Added password sample in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  modcall[authenticate]: module "unix" returns notfound for request 2
modcall: group authenticate returns notfound for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 88 to 127.0.0.1:42077
Waking up in 4 seconds...
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=88, length=20
17:20:33 [EMAIL PROTECTED] /etc/raddb
$ --- Walking the entire request list ---
Cleaning up request 2 ID 88 with timestamp 46dc6c8f
Nothing to do.  Sleeping until we see a request.


Please could you lend me a hand to resolve this issue?
Thanks in advance!
-- 
Sergio Belkin
Comunicación e Internet

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius with ldap

2007-03-26 Thread Martin Gadbois
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

satish patel wrote:

>   I am going to install freeradius with ldap, but my
> problem is that I'm confused about ldap and chap. I want to implement VPDN and
> have users authenticate through ldap, so will CHAP work or not? How can I
> configure the ldif file for users, where I will define attributes? Is there
> any site regarding ldap with freeradius?
> 

Does the LDAP database contain the clear-text password? Unless it does,
you can't use CHAP for authentication. Use PAP if you don't.

Active Directory allows you to do MS-CHAPv2 against the system.

- --
== +-+
Martin Gadbois | "Please answer by yes or no.|
Sr. SW Designer| Uncooperative user waste precious CPU time" |
Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969  |
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGB8Hh9Y3/iTTCEDkRArbyAJwMIzOdiGM1qHOooQdBXYL1ZriFdQCfXcc5
ozhgEpnACt1/C+zQf6cJ5NY=
=mmGa
-END PGP SIGNATURE-
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius with ldap

2007-03-24 Thread satish patel
Dear all

  I am going to install freeradius with ldap, but my problem is that I'm 
confused about ldap and chap. I want to implement VPDN and have users authenticate 
through ldap, so will CHAP work or not? How can I configure the ldif file for users, 
where I will define attributes? Is there any site regarding ldap with freeradius?


$ cat ~/satish/url.txt

System administrator ( Data Center )

please visit this site

http://linux.tulipit.com   

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Segmentation fault when using freeradius with LDAP and fedora core 3

2006-04-15 Thread sukhvinder kumar
Hi,

I'm using Fedora Core 3 , openldap-2.2.13-2 ,
freeradius-1.0.1-1.RHEL3.

When I'm running radius in debugging mode and
trying to authenticate the user using the "radtest"
command, it's giving a segmentation fault like:


rad_recv: Access-Request packet from host
xx.xx.xx.xx:41523, id=169, length=59
User-Name = "testuser"
User-Password =
"^'\005#\014\373]\305m\\\311\013\345\373\201\237"
NAS-IP-Address = 255.255.255.255
NAS-Port = 2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
rlm_realm: No '@' in User-Name = "testuser",
looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for
request 0
users: Matched DEFAULT at 214
  modcall[authorize]: module "files" returns ok for
request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(uid=testuser)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to xx.xx.xx.xx:389,
authentication 0
rlm_ldap: bind as cn=Manager,dc=example/secret to
xx.xx.xx.xx:389
Segmentation fault


Does anybody have an idea about this error?




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: WLAN 802.1x FreeRadius with LDAP

2005-12-01 Thread Zoltan Ori
On Thursday 01 December 2005 09:19, Christian Poessinger wrote:

> Fixed it myself. After removing
>
> checkItem  LM-Password userPassword
> checkItem  NT-Password userPassword
>
> from the ldap.attrmap file, and adding
>
> checkItem   userPasswordlmPassword
>
> instead, it worked. Now I can use RADIUS & LDAP to auth my WLAN clients.
>
>

Good!



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: WLAN 802.1x FreeRadius with LDAP

2005-12-01 Thread Christian Poessinger
Christian Poessinger wrote:
> Zoltan Ori wrote:
>>
>> That's the problem: everything is uncommented. Comment out ntlm_auth
>> and with_ntdomain_hack. If you have plain text passwords, you aren't
>> authenticating to a Windows domain controller, you don't have
>> winbindd and nmbd running, you don't need or want them in your mschap
>> configuration.
>
> Sorry, my fault :), there was a typo in my last message. I double- and
> triple-checked my configs but I can't find the error. Can you please
> have a look? I uploaded them to http://helix.mybll.de/raddb
>
> Thanks, Christian Poessinger

Fixed it myself. After removing

checkItem  LM-Password userPassword
checkItem  NT-Password userPassword

from the ldap.attrmap file, and adding

checkItem   userPasswordlmPassword

instead, it worked. Now I can use RADIUS & LDAP to auth my WLAN clients.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: WLAN 802.1x FreeRadius with LDAP

2005-11-30 Thread Christian Poessinger
Zoltan Ori wrote:
>
> That's the problem: everything is uncommented. Comment out ntlm_auth
> and with_ntdomain_hack. If you have plain text passwords, you aren't
> authenticating to a Windows domain controller, you don't have
> winbindd and nmbd running, you don't need or want them in your mschap
> configuration.

Sorry, my fault :), there was a typo in my last message. I double- and
triple-checked my configs but I can't find the error. Can you please
have a look? I uploaded them to http://helix.mybll.de/raddb

Thanks, Christian Poessinger


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: WLAN 802.1x FreeRadius with LDAP

2005-11-29 Thread Christian Poessinger
King, Michael wrote:
> Christian,  That is what he is saying your problem is, everything is
> uncommented

Sorry, by uncommented I meant that all is commented out. Sorry, my fault.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: WLAN 802.1x FreeRadius with LDAP

2005-11-29 Thread Zoltan Ori
On Tuesday 29 November 2005 13:56, Christian Poessinger wrote:

> Nope, everything there is uncommented. I also tried to add this to the
> ldap.attrmap file:
>

That's the problem: everything is uncommented. Comment out ntlm_auth and 
with_ntdomain_hack. If you have plain text passwords, you aren't 
authenticating to a Windows domain controller, you don't have winbindd and 
nmbd running, you don't need or want them in your mschap configuration.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: WLAN 802.1x FreeRadius with LDAP

2005-11-29 Thread King, Michael
 

-Original Message-
Zoltan Ori wrote:
> You have ntlm_auth in your mschap configuration. You don't want that 
> for LDAP.
> You don't need anything NT in that module. The default configuration 
> had everything commented out but authtype = MS-CHAP. Start with that 
> and then add what you need.

Nope, everything there is uncommented. I also tried to add this to the
ldap.attrmap file:



Christian,  That is what he is saying your problem is, everything is
uncommented

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: WLAN 802.1x FreeRadius with LDAP

2005-11-29 Thread Christian Poessinger
Zoltan Ori wrote:
> You have ntlm_auth in your mschap configuration. You don't want that
> for LDAP.
> You don't need anything NT in that module. The default configuration
> had everything commented out but authtype = MS-CHAP. Start with that
> and then add what you need.

Nope, everything there is uncommented. I also tried to add this to the
ldap.attrmap file:

checkItem   LM-Password userPassword
checkItem   NT-Password userPassword

But this didn't have any effect either.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: WLAN 802.1x FreeRadius with LDAP

2005-11-29 Thread Zoltan Ori
On Tuesday 29 November 2005 11:07, Christian Poessinger wrote:

> > You didn't configure a password for the user.
>
> Yes, I did. I have a userPassword attribute in my LDAP backend, and
> it contains a clear-text password. I can fully use this account in
> the backend for ftp/ssh/http but not with peap/mschapv2 over radius.
>

You have ntlm_auth in your mschap configuration. You don't want that for LDAP. 
You don't need anything NT in that module. The default configuration had 
everything commented out but authtype = MS-CHAP. Start with that and then add 
what you need.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: WLAN 802.1x FreeRadius with LDAP

2005-11-29 Thread Christian Poessinger
Michael Griego wrote:
> Your problem lies here:
>
> modcall: entering group Auth-Type for request 6
>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for USERNAME with NT-Password
>   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform
>   authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>   modcall[authenticate]: module "mschap" returns reject for request 6
> modcall: group Auth-Type returns reject for request 6
>
>
> You didn't configure a password for the user.

Yes, I did. I have a userPassword attribute in my LDAP backend, and
it contains a clear-text password. I can fully use this account in
the backend for ftp/ssh/http but not with peap/mschapv2 over radius.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: WLAN 802.1x FreeRadius with LDAP

2005-11-29 Thread King, Michael
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Christian Poessinger
> Sent: Tuesday, November 29, 2005 10:12 AM
> To: 'FreeRadius users mailing list'
> Subject: RE: WLAN 802.1x FreeRadius with LDAP
> 
> 
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/peap
>   rlm_eap: processing type peap
>   rlm_eap_peap: Authenticate
>   rlm_eap_tls: processing TLS
>



Does PEAP work with LDAP? I think the passwords have to be stored in
cleartext?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: WLAN 802.1x FreeRadius with LDAP

2005-11-29 Thread Michael Griego

Your problem lies here:

modcall: entering group Auth-Type for request 6
 rlm_mschap: No User-Password configured.  Cannot create LM-Password.
 rlm_mschap: No User-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for USERNAME with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
 modcall[authenticate]: module "mschap" returns reject for request 6
modcall: group Auth-Type returns reject for request 6


You didn't configure a password for the user.

--Mike
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: WLAN 802.1x FreeRadius with LDAP

2005-11-29 Thread Christian Poessinger
Zoltan Ori wrote:
>
> Are there any other errors in the log? The actual reason for
> rejection may come long before that.
>
Here is the complete log:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
 ldap: server = "localhost"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = ""
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
 ldap: basedn = "ou=people,dc=domain,dc=de"
 ldap: filter = "(uid=%u)"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "userPassword"
 ldap: access_attr = "uid"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO
fUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiu

Re: WLAN 802.1x FreeRadius with LDAP

2005-11-29 Thread Zoltan Ori
On Tuesday 29 November 2005 08:53, Christian Poessinger wrote:

> I requested and installed this fix, but I still get the same error message
> on the radius server.
>
>   rlm_eap_peap: EAPTLS_OK
>   rlm_eap_peap: Session established.  Decoding tunneled attributes.
>   rlm_eap_peap: Received EAP-TLV response.
>   rlm_eap_peap: Tunneled data is valid.
>   rlm_eap_peap:  Had sent TLV failure, rejecting.
>  rlm_eap: Handler failed in EAP/peap
>   rlm_eap: Failed in EAP select
>   modcall[authenticate]: module "eap" returns invalid for request 7
> modcall: group authenticate returns invalid for request 7
> auth: Failed to validate the user.
>
>

Are there any other errors in the log? The actual reason for rejection may 
come long before that. 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: WLAN 802.1x FreeRadius with LDAP

2005-11-29 Thread Christian Poessinger
Zoltan Ori wrote:
> On Monday 28 November 2005 12:32, Christian Poessinger wrote:
>> rlm_eap_peap:  Had sent TLV failure, rejecting.
>
> Use the latest available drivers for your wireless adaptor. I've
> encountered many strange connectivity issues that are fixed with new
> drivers.
>
> If the supplicant is XP SP2 you may need the Windows KB885453 hot fix.
>
> http://support.microsoft.com/?kbid=885453
>

I requested and installed this fix, but I still get the same error message
on the radius server.

  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: WLAN 802.1x FreeRadius with LDAP

2005-11-28 Thread Zoltan Ori
On Monday 28 November 2005 12:32, Christian Poessinger wrote:
> rlm_eap_peap:  Had sent TLV failure, rejecting.

Use the latest available drivers for your wireless adaptor. I've encountered 
many strange connectivity issues that are fixed with new drivers.

If the supplicant is XP SP2 you may need the Windows KB885453 hot fix.

http://support.microsoft.com/?kbid=885453

You would have to beg Microsoft for it, but fortunately, it is available from 
many other sources on the Web. KB890937 supposedly includes this fix as well, 
but I've not used it.

The KB893357 WPA2 roll up may also be applied. It doesn't address this problem 
but does seem to shorten the time taken to get the login prompt and connect. 

http://support.microsoft.com/?kbid=893357



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: WLAN 802.1x FreeRadius with LDAP

2005-11-28 Thread Christian Poessinger
Zoltan A. Ori wrote:
> On Sunday 27 November 2005 06:52, Christian Poessinger wrote:
>>
>> Yes, I'm trying to use PEAP, I have configured MS-CHAPv1 as
>> described in many Howtos.
>>
>
> MS-CHAP V2 is in the Howtos of PEAP that I have read. In any case,
> there is no mschap info in the tunnel which is indicated in the error
> message:
>
>   rlm_eap_peap: Session established.  Decoding tunneled attributes.
>   rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
> TLS Alert read:fatal:access denied
> rlm_eap_peap: No data inside of the tunnel.
>
> The error messages in FreeRADIUS are very informative and always
> right on the money in the cases I've experienced.
>
> At this point, I would check to see what my supplicant was configured
> to send and then check my eap.conf to make sure that RADIUS was
> configured to receive it.

OK, I redesigned my CA. I haven't done that xpextensions stuff; now I don't
receive the error above anymore. But now I get a new one :/ Any new ideas?

rlm_ldap: user XXX authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 35
modcall: group authorize returns updated for request 35
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 35
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 35
modcall: group authenticate returns invalid for request 35
auth: Failed to validate the user.
Delaying request 35 for 1 seconds
Finished request 35
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host xxx.xxx.xxx.109:6001, id=36,
length=166
Sending Access-Reject of id 36 to xxx.xxx.xxx.109:6001
EAP-Message = 0x04080004
Message-Authenticator = 0x
--- Walking the entire request list ---
Waking up in 2 seconds...


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: WLAN 802.1x FreeRadius with LDAP

2005-11-28 Thread Alan DeKok
Konne <[EMAIL PROTECTED]> wrote:
> Can somebody post a howto that describes the configuration:
> 
> - peap/mschapv2 with ldap and freeradius
> - client configuration (M$ Windows XP, SecureW2)

  http://www.freeradius.org/doc/  contains multiple howto's.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: WLAN 802.1x FreeRadius with LDAP

2005-11-28 Thread Zoltan Ori
On Monday 28 November 2005 04:31, Konne wrote:
> hi
>
> Can somebody post a howto that describes the configuration:
>
> - peap/mschapv2 with ldap and freeradius
> - client configuration (M$ Windows XP, SecureW2)
>
> thx

There are many howtos available that can be found searching the mail archives 
or googling. Before you spend a lot of time on them, read the documentation 
that comes with FreeRADIUS and study the .conf files so that you might 
understand what's really going on. Many want to do a quick configuration 
based on a howto that doesn't always fit their case. When things go wrong, 
they don't know what to do and the howto can't help.

See /doc in your FreeRADIUS sources for ldap documentation.

The comments in eap.conf tell you how to do peap/mschapv2. 

As far as I know, SecureW2 does not do PEAP.  You will have to use XP's 
native supplicant. The configuration is straightforward but depends on what 
you are trying to do. 

Zoltan Ori








Re: WLAN 802.1x FreeRadius with LDAP

2005-11-28 Thread Konne

hi

Can somebody post a howto that describes the configuration:

- peap/mschapv2 with ldap and freeradius
- client configuration (M$ Windows XP, SecureW2)

thx


Zoltan A. Ori wrote:
> On Sunday 27 November 2005 06:52, Christian Poessinger wrote:
> > Yes, I'm trying to use PEAP, I have configured MS-CHAPv1 as described
> > in many Howtos.
>
> MS-CHAP V2 is in the Howtos of PEAP that I have read. In any case, there is no
> mschap info in the tunnel which is indicated in the error message:
>
>  rlm_eap_peap: Session established.  Decoding tunneled attributes.
>  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
> TLS Alert read:fatal:access denied
> rlm_eap_peap: No data inside of the tunnel.
>
> The error messages in FreeRADIUS are very informative and always right on the
> money in the cases I've experienced.
>
> At this point, I would check to see what my supplicant was configured to send
> and then check my eap.conf to make sure that RADIUS was configured to receive
> it.


Re: WLAN 802.1x FreeRadius with LDAP

2005-11-27 Thread Zoltan A. Ori
On Sunday 27 November 2005 06:52, Christian Poessinger wrote:
>
> Yes, I'm trying to use PEAP, I have configured MS-CHAPv1 as described
> in many Howtos.
>

MS-CHAP V2 is in the Howtos of PEAP that I have read. In any case, there is no 
mschap info in the tunnel which is indicated in the error message:

  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.

The error messages in FreeRADIUS are very informative and always right on the 
money in the cases I've experienced.

At this point, I would check to see what my supplicant was configured to send 
and then check my eap.conf to make sure that RADIUS was configured to receive 
it.





RE: WLAN 802.1x FreeRadius with LDAP

2005-11-27 Thread Christian Poessinger
Zoltan A. Ori wrote:
>
> Are you trying to use PEAP/MSCHAP-V2? I don't see any mschapv2 in
> your logs.
>
Yes, I'm trying to use PEAP, I have configured MS-CHAPv1 as described
in many Howtos.




Re: WLAN 802.1x FreeRadius with LDAP

2005-11-26 Thread Alan DeKok
"Christian Poessinger" <[EMAIL PROTECTED]> wrote:
> I triple-checked the configs and found nothing. As I said, radtest works
> fine. It's this EAP thing.

  You haven't said what supplicant you're using.

  Also, it doesn't help that radtest works.  radtest doesn't do EAP,
so it's testing a completely different code path.

  Alan DeKok.



Re: WLAN 802.1x FreeRadius with LDAP

2005-11-26 Thread Zoltan A. Ori
On Saturday 26 November 2005 13:58, Christian Poessinger wrote:
> Zoltan A. Ori wrote:
> > I'm not an expert and am often wrong, but I don't think FreeRADIUS is
> > the problem here.  Everything is working up to that point. Does it
> > break at the same place every time? Double check the NAS and
> > supplicant configurations.
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> I triple-checked the configs and found nothing. As I said, radtest works
> fine. It's this EAP thing.
>

Are you trying to use PEAP/MSCHAP-V2? I don't see any mschapv2 in your logs.



RE: WLAN 802.1x FreeRadius with LDAP

2005-11-26 Thread Christian Poessinger
Zoltan A. Ori wrote:
> I'm not an expert and am often wrong, but I don't think FreeRADIUS is
> the problem here.  Everything is working up to that point. Does it
> break at the same place every time? Double check the NAS and
> supplicant configurations.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

I triple-checked the configs and found nothing. As I said, radtest works
fine. It's this EAP thing.




Re: WLAN 802.1x FreeRadius with LDAP

2005-11-26 Thread Zoltan A. Ori
On Saturday 26 November 2005 12:27, Christian Poessinger wrote:
> Zoltan A. Ori wrote:
> > On Saturday 26 November 2005 08:50, Christian Poessinger wrote:
> >>   rlm_eap_peap: Session established.  Decoding tunneled attributes.
> >>   rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
> >> TLS Alert read:fatal:access denied
> >> rlm_eap_peap: No data inside of the tunnel.
> >>  rlm_eap: Handler failed in EAP/peap
> >>   rlm_eap: Failed in EAP select
> >>   modcall[authenticate]: module "eap" returns invalid for request 5
> >> modcall: group authenticate returns invalid for request 5
> >> auth: Failed to validate the user.
> >
> > The lines just before the reject hold the clue.
> >
> > Zoltan Ori
>
> What to do? I'm running the latest version out of the FreeBSD portage tree.
> I can't find anything on google.
>

I'm not an expert and am often wrong, but I don't think FreeRADIUS is the 
problem here.  Everything is working up to that point. Does it break at the 
same place every time? Double check the NAS and supplicant configurations.



RE: WLAN 802.1x FreeRadius with LDAP

2005-11-26 Thread Christian Poessinger
Zoltan A. Ori wrote:
> On Saturday 26 November 2005 08:50, Christian Poessinger wrote:
>
>>   rlm_eap_peap: Session established.  Decoding tunneled attributes.
>>   rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
>> TLS Alert read:fatal:access denied
>> rlm_eap_peap: No data inside of the tunnel.
>>  rlm_eap: Handler failed in EAP/peap
>>   rlm_eap: Failed in EAP select
>>   modcall[authenticate]: module "eap" returns invalid for request 5
>> modcall: group authenticate returns invalid for request 5
>> auth: Failed to validate the user.
>
> The lines just before the reject hold the clue.
>
> Zoltan Ori

What to do? I'm running the latest version out of the FreeBSD portage tree.
I can't find anything on google.




Re: WLAN 802.1x FreeRadius with LDAP

2005-11-26 Thread Zoltan A. Ori
On Saturday 26 November 2005 08:50, Christian Poessinger wrote:

>   rlm_eap_peap: Session established.  Decoding tunneled attributes.
>   rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
> TLS Alert read:fatal:access denied
> rlm_eap_peap: No data inside of the tunnel.
>  rlm_eap: Handler failed in EAP/peap
>   rlm_eap: Failed in EAP select
>   modcall[authenticate]: module "eap" returns invalid for request 5
> modcall: group authenticate returns invalid for request 5
> auth: Failed to validate the user.

The lines just before the reject hold the clue.

Zoltan Ori




WLAN 802.1x FreeRadius with LDAP

2005-11-26 Thread Christian Poessinger
Hello folks, I want to do a setup with a HP Procurve 520wl
Access Point, OpenLDAP and FreeRadius with 802.1x and users
in my LDAP backend. LDAP and Radius work fine; when I do a

radtest user pass radius.domain.tld 0 secret

I get an Access-Accept packet back. Now I configured my AP to
use the Radius server for 802.1x auth; when I want to log on
to the WLAN I enter my user and pass that just worked with
radtest, but I receive an Access-Reject packet. This is really
strange because the Radius debug mode tells me the LDAP connection
was successful. I use clear passwords in the backend, so there
should be no problem.

Anyone has an idea for my problem?

Here is the Radius debug message with the access reject packet:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat:  '(uid=user)'
radius_xlat:  'ou=people,dc=domain,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter
(uid=user)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 11 to xxx.xxx.164.26:6001
EAP-Message =
0x0105040619407c917840ad1cf254e5ca549ca9b1053de4de1e704dc6eb9cec86a35eafabe5
2f60e8ee1a9697a755a713be14acd2db7f3402acb70864e3139ef470c900d024f2fd0f455b94
028c87d7a170ce86f302e35c4e658d09f17016227f0003cf308203cb30820334a00302010202
0900927540ab5d693004300d06092a864886f70d01010405003081a0310b3009060355040613
0244453110300e06035504081307426176617269613112301006035504071309577565727a62
75726731163014060355040a130d4765466f656b6f4d20652e562e31193017060355040b1310
4765466f656b6f4d20652e562e20434131193017060355040313
EAP-Message =
0x104765466f656b6f4d20652e562e204341311d301b06092a864886f70d010901160e636140
6765666f656b6f6d2e6465301e170d3035303531363137313832335a170d3036303531363137
313832335a3081a0310b30090603550406130244453110300e06035504081307426176617269
613112301006035504071309577565727a6275726731163014060355040a130d4765466f656b
6f4d20652e562e31193017060355040b13104765466f656b6f4d20652e562e20434131193017
060355040313104765466f656b6f4d20652e562e204341311d301b06092a864886f70d010901
160e6361406765666f656b6f6d2e646530819f300d06092a8648
EAP-Message =
0x86f70d010101050003818d0030818902818100c8124b32b761710b8c576a5b8f566a1dd8cc
97c423dfd8901cd58b9e90960328233879b3a09ebda855dbaa4376c00318ebc1767173051ae1
5995a1d41c9a6289707d5f7dd1e608ca5071e2aeb99092204f9386789c9ec8d5f754a26e9940
297ffbe547b5d0cf5ee16566abcc7578e25ac6a3b5e57befee43f2828174d27db19f02030100
01a382010930820105301d0603551d0e04160414ac6e4891d5a749d6548d7eda627ca2d64d12
d2693081d50603551d230481cd3081ca8014ac6e4891d5a749d6548d7eda627ca2d64d12d269
a181a6a481a33081a0310b30090603550406130244453110300e
EAP-Message =
0x06035504081307426176617269613112301006035504071309577565727a62757267311630
14060355040a130d4765466f656b6f4d20652e562e31193017060355040b13104765466f656b
6f4d20652e562e20434131193017060355040313104765466f656b6f4d20652e562e20434131
1d301b06092a864886f70d010901160e6361406765666f656b6f6d2e6465820900927540ab5d
693004300c0603551d13040530030101ff300d06092a864886f70d0101040500038181004a36
34f23e46d180ec87122ee39ba0c6757d22a23ec39a38e3f282e82efb7428b83d04f665e28b00
e99a88217803c1abb4a0bc90fe6a51a37eec1c1868853a5436d5
EAP-Message = 0x9035f217c35ab4d53d6f1e3d11cdeabc9f77
Message-Authenticator = 0x
State = 0xc479631c6d6d413371d8af0ebf14ac4f
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host xxx.xxx.164.26:6001, id=12,
length=155
User-Name = "user"
NAS-IP-Address = xxx.xxx.1.66
Called-Station-Id = "00-08-88-12-2e-3f"
Calling-Station-Id = "00-0d-37-ab-2f-c7"
NAS-Identifier = "ORiNOCO-AP-2000-00-02-00"
State = 0xc479631c6d6d413371d8af0ebf14ac4f
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500061900
Message-Authenticator = 0xb07e446b64197c49b0ebaca6e799dc53
  Processing the authorize section of 
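
An added example for reading logs like the one above (it is not code from the post, and not FreeRADIUS code). The EAP-Message values are raw EAP packets in hex; the server wraps long ones onto continuation lines and splits a packet longer than 253 bytes across several EAP-Message attributes. The Python script below reassembles them from a pasted debug log and decodes the header, the method type and the EAP-TLS flags, so that a bare PEAP ACK from the client, a fragmented Request with the "more fragments" bit set, and an EAP-Failure can be told apart at a glance. The hex values in SAMPLE_LOG are copied from the debug output quoted in this thread; the host addresses and the grouping into one short log are constructed.

```python
"""Decode the EAP-Message values FreeRADIUS prints in debug (-X) mode.

Added example, not code from the post or from FreeRADIUS. The hex values in
SAMPLE_LOG are copied from the debug output quoted in this thread; the host
addresses and the grouping into one short log are constructed.
"""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED = {13, 21, 25}             # methods with EAP-TLS flags after the type
ATTR_RE = re.compile(r"^EAP-Message\s*=\s*(?:0x([0-9A-Fa-f]*))?$")
HEX_RE = re.compile(r"^(?:0x)?([0-9A-Fa-f]+)$")
BOUNDARY = ("rad_recv:", "Sending ")  # lines that begin a new RADIUS packet


def eap_messages_from_log(text: str) -> list:
    """Reassemble the EAP packet carried by each RADIUS packet in a debug log.

    Long values wrap onto continuation lines, and one EAP packet over 253 bytes
    is split across several EAP-Message attributes, which are concatenated in
    order (RFC 3579 section 3.1).
    """
    packets, cur, collecting = [], "", False
    for raw in text.splitlines():
        line = raw.strip()
        m = ATTR_RE.match(line)
        if m:
            cur, collecting = cur + (m.group(1) or ""), True
            continue
        h = HEX_RE.match(line)
        if collecting and h:
            cur += h.group(1)
            continue
        collecting = False
        if line.startswith(BOUNDARY) and cur:
            packets.append(bytes.fromhex(cur))
            cur = ""
    if cur:
        packets.append(bytes.fromhex(cur))
    return packets


def decode_eap(packet) -> dict:
    """Parse the EAP header, the method type and, for TLS-based methods, the flags."""
    if isinstance(packet, str):
        packet = bytes.fromhex(packet[2:] if packet.lower().startswith("0x") else packet)
    if len(packet) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = packet[0], packet[1], int.from_bytes(packet[2:4], "big")
    info = {"code": EAP_CODES.get(code, "unknown(%d)" % code), "id": ident,
            "length": length, "truncated": length > len(packet)}
    if code in (3, 4) or len(packet) < 5:
        return info                                # Success/Failure carry no type
    eap_type = packet[4]
    info["type"] = EAP_TYPES.get(eap_type, "unknown(%d)" % eap_type)
    if eap_type in TLS_BASED and len(packet) >= 6:
        flags, body = packet[5], packet[6:]
        info["flags"] = {"length_included": bool(flags & 0x80),
                         "more_fragments": bool(flags & 0x40),
                         "start": bool(flags & 0x20),
                         "version": flags & 0x07}  # PEAP/TTLS version bits
        if flags & 0x80 and len(body) >= 4:
            info["tls_total_length"] = int.from_bytes(body[:4], "big")
            body = body[4:]
        # No flags and no payload: the peer acknowledges a fragment and asks for
        # the next one (the "Received EAP-TLS ACK message" line in the log).
        info["ack"] = (flags & 0xE0) == 0 and len(body) == 0
        info["payload_len"] = len(body)
    return info


def describe(info: dict) -> str:
    """One-line summary such as 'Response id=5 len=6 PEAP ACK'."""
    parts = ["%s id=%d len=%d" % (info["code"], info["id"], info["length"])]
    if "type" in info:
        parts.append(info["type"])
    if info.get("ack"):
        parts.append("ACK")
    elif "flags" in info:
        parts.append("payload=%d" % info["payload_len"])
        if info["flags"]["more_fragments"]:
            parts.append("more-fragments")
    if info["truncated"]:
        parts.append("(log shows only part of the packet)")
    return " ".join(parts)


SAMPLE_LOG = """\
Sending Access-Challenge of id 11 to 192.0.2.26:6001
EAP-Message =
0x0105040619407c917840ad1cf254e5ca549ca9b1053de4de1e704dc6eb9cec86a35eafabe5
2f60e8ee1a9697a755a713be14acd2db7f3402acb70864e3139ef470c900d024f2fd0f455b94
EAP-Message = 0x9035f217c35ab4d53d6f1e3d11cdeabc9f77
Message-Authenticator = 0x
State = 0xc479631c6d6d413371d8af0ebf14ac4f
rad_recv: Access-Request packet from host 192.0.2.26:6001, id=12, length=155
User-Name = "user"
EAP-Message = 0x020500061900
Message-Authenticator = 0xb07e446b64197c49b0ebaca6e799dc53
Sending Access-Reject of id 36 to 192.0.2.109:6001
EAP-Message = 0x04080004
Message-Authenticator = 0x
"""

if __name__ == "__main__":
    for pkt in eap_messages_from_log(SAMPLE_LOG):
        print(describe(decode_eap(pkt)))
```

Run it as a script, or feed it a whole radiusd -X capture with eap_messages_from_log(open(path).read()). It also makes Alan's point further up concrete: radtest sends a User-Password and no EAP-Message at all, so a passing radtest says nothing about the code path these packets exercise.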

freeRadius with LDAP for MSCHAP & mac auth

2005-09-23 Thread Seferovic Edvin
Hello everyone...

I've set up a freeradius server with LDAP backend for MSCHAP, but now I have
to set up a MAC-based auth on the same server, also with the same LDAP
backend (but the MAC info is found in another subtree). So I have made two
ldap instances under modules, including MSCHAP...

modules {

mschap {
 authtype = MS-CHAP
 use_mppe = yes
 require_encryption = yes
 require_strong = yes
}

ldap ldap_users 
{
server = "81.yyy.xxx.xxx"
basedn = "ou=People,dc=xxx,dc=xxx"
filter = "(&(objectClass=posixAccount)(uid=%u))"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 10
timeout = 4
timelimit = 3
net_timeout = 1
}

ldap ldap_mac 
{
server = "81.xxx.xxx.xxx"
  basedn = "ou=Hosts,dc=xxx,dc=xxx"
  filter = "(&(objectClass=ipHost)(ipHostNumber=%u))"
  start_tls = no
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  ldap_connections_number = 10
  timeout = 4
  timelimit = 3
  net_timeout = 1
}
... } // modules end

instantiate {
weekly_traffic // just a counter
}

authorize {
mschap
ldap_users
ldap_mac
weekly_traffic
}
 
authenticate {
#  MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
  
Auth-Type LDAP {
ldap_mac
ldap_users
}
}

So what I actually need is: when my VPN server sends Access-Request packets
with MS-CHAP attributes, I would like the mschap module to use the "ldap_users"
part. And when an Access-Request packet with the MAC address is received I
would like to use ldap_mac ONLY! Here is a part of my log file...

rad_recv: Access-Request packet from host 172.19.10.2:1024, id=22,
length=193
Framed-MTU = 1480
NAS-IP-Address = 172.19.10.2
NAS-Identifier = "HP2626-Verwaltung"
User-Name = "00:0a:e4:22:c5:9d"
Service-Type = Administrative-User
Framed-Protocol = PPP
NAS-Port = 10
NAS-Port-Type = Ethernet
NAS-Port-Id = "10"
Called-Station-Id = "00-14-38-2e-2c-76"
Calling-Station-Id = "00-0a-e4-22-c5-9d"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
CHAP-Password = 0x1525d56e4e21bbbc83d5e49fa3be8173a5
Debug:   Processing the authorize section of radiusd.conf
Debug: modcall: entering group authorize for request 0
Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request
0
Debug:   modcall[authorize]: module "mschap" returns noop for request 0
Debug:   modsingle[authorize]: calling ldap_users (rlm_ldap) for request 0
Debug: rlm_ldap: - authorize
Debug: rlm_ldap: performing user authorization for 00:0a:e4:22:c5:9d
Debug: radius_xlat:  '(&(objectClass=posixAccount)(uid=00:0a:e4:22:c5:9d))'
Debug: radius_xlat:  'ou=People,dc=kolp,dc=at'
Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Debug: rlm_ldap: attempting LDAP reconnection
Debug: rlm_ldap: (re)connect to 81.189.101.10:389, authentication 0
Debug: rlm_ldap: bind as / to 81.189.101.10:389
Debug: rlm_ldap: waiting for bind result ...
Debug: rlm_ldap: Bind was successful
Debug: rlm_ldap: performing search in ou=People,dc=kolp,dc=at, with filter
(&(objectClass=posixAccount)(uid=00:0a:e4:22:c5:9d))
Debug: rlm_ldap: object not found or got ambiguous search result
Debug: rlm_ldap: search failed
Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Debug:   modsingle[authorize]: returned from ldap_users (rlm_ldap) for
request 0
Debug:   modcall[authorize]: module "ldap_users" returns notfound for
request 0
Debug:   modsingle[authorize]: calling ldap_mac (rlm_ldap) for request 0
Debug: rlm_ldap: - authorize
Debug: rlm_ldap: performing user authorization for 00:0a:e4:22:c5:9d
Debug: radius_xlat:
'(&(objectClass=ipHost)(ipHostNumber=00:0a:e4:22:c5:9d))'
Debug: radius_xlat:  'ou=Hosts,dc=kolp,dc=at'
Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Debug: rlm_ldap: attempting LDAP reconnection
Debug: rlm_ldap: (re)connect to 81.189.101.10:389, authentication 0
Debug: rlm_ldap: bind as / to 81.189.101.10:389
Debug: rlm_ldap: waiting for bind result ...
Debug: rlm_ldap: Bind was successful
Debug: rlm_ldap: performing search in ou=Hosts,dc=kolp,dc=at, with filter
(&(objectClass=ipHost)(ipHostNumber=00:0a:e4:22:c5:9d))
Debug: rlm_ldap: looking for check items in directory...
Debug: rlm_ldap: looking for reply items in directory...
Debug: rlm_ldap: Adding description as vid, value 20 & op=11
Debug: rlm_ldap: user 00:0a:e4:22:c5:9d authorized to use remote access
Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Debug:   modsingle[authorize]: returned from ldap_mac (rlm_ldap) for request
0
Debug:   modcall[authorize]: module "ldap_mac" returns ok for request 0
Debug:   modsingle[
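
An added example, not code from the post or from FreeRADIUS, of the routing the post is after. The log above shows why both instances ran: every module listed in authorize is called for every request, so ldap_users searched ou=People for a MAC address, returned notfound, and only then did ldap_mac get its turn. The script below models the wanted decision in Python: requests carrying MS-CHAP attributes get the ou=People lookup, requests whose User-Name is the MAC address the switch itself reported in Calling-Station-Id get the ou=Hosts lookup, and anything else gets no LDAP lookup at all. It also normalizes the MAC spelling (the switch sends colons in User-Name and dashes in Calling-Station-Id) and escapes the value before it goes into the filter, because User-Name is chosen by the client. The two filters are the ones from the posted ldap_users and ldap_mac instances; the base DNs under dc=example,dc=com and the sample requests are constructed.

```python
"""Route a request to the right LDAP lookup, and build that lookup's filter safely.

Added example, not code from the post or from FreeRADIUS. The filters are the
ones from the posted ldap_users and ldap_mac instances; the base DNs and the
sample requests below are constructed.
"""
import re

PEOPLE_DN = "ou=People,dc=example,dc=com"                  # assumed base DNs
HOSTS_DN = "ou=Hosts,dc=example,dc=com"
USERS_FILTER = "(&(objectClass=posixAccount)(uid=%s))"    # ldap_users in the post
MAC_FILTER = "(&(objectClass=ipHost)(ipHostNumber=%s))"   # ldap_mac in the post
MSCHAP_ATTRS = ("MS-CHAP-Challenge", "MS-CHAP-Response", "MS-CHAP2-Response")


def normalize_mac(value: str):
    """Return 'aa:bb:cc:dd:ee:ff' for the usual NAS spellings, else None.

    The switch in the post sends 00:0a:e4:22:c5:9d as User-Name but
    00-0a-e4-22-c5-9d as Calling-Station-Id; Cisco gear writes 000a.e422.c59d.
    """
    digits = re.sub(r"[:\-. ]", "", value.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ldap_escape(value: str) -> str:
    """Escape filter metacharacters (RFC 4515 section 3) before interpolating.

    User-Name is chosen by the client; an unescaped '*' or ')' would let it
    rewrite the filter instead of merely filling in the uid value.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def classify(request: dict) -> str:
    """'mschap', 'mac' or 'other' for one Access-Request given as attr -> value."""
    if any(attr in request for attr in MSCHAP_ATTRS):
        return "mschap"
    user = normalize_mac(request.get("User-Name", ""))
    seen = normalize_mac(request.get("Calling-Station-Id", ""))
    # MAC auth only when the name is a MAC *and* it is the MAC the NAS itself
    # reported for the port. A typed-in username that merely looks like a MAC
    # must not reach the Hosts subtree. (MAC auth stays spoofable either way:
    # it identifies a device, it does not authenticate it.)
    if user is not None and user == seen:
        return "mac"
    return "other"


def ldap_lookup_for(request: dict):
    """(base DN, filter) the server should issue, or None for no LDAP lookup."""
    kind = classify(request)
    if kind == "mschap":
        return PEOPLE_DN, USERS_FILTER % ldap_escape(request["User-Name"])
    if kind == "mac":
        return HOSTS_DN, MAC_FILTER % normalize_mac(request["User-Name"])
    return None


# Constructed requests, modelled on the attributes shown in the post's log.
SWITCH_REQUEST = {"User-Name": "00:0a:e4:22:c5:9d",
                  "Calling-Station-Id": "00-0a-e4-22-c5-9d",
                  "NAS-Port-Type": "Ethernet",
                  "CHAP-Password": "0x1525d56e4e21bbbc83d5e49fa3be8173a5"}
VPN_REQUEST = {"User-Name": "edvin", "MS-CHAP-Challenge": "0x00",
               "MS-CHAP2-Response": "0x00"}
SPOOFED_REQUEST = {"User-Name": "00:0a:e4:22:c5:9d",        # typed in by hand
                   "Calling-Station-Id": "00-11-22-33-44-55",
                   "User-Password": "x"}
INJECTED_REQUEST = {"User-Name": "*)(uid=*", "MS-CHAP-Challenge": "0x00",
                    "MS-CHAP2-Response": "0x00"}

if __name__ == "__main__":
    for name, req in [("switch", SWITCH_REQUEST), ("vpn", VPN_REQUEST),
                      ("spoofed", SPOOFED_REQUEST), ("injected", INJECTED_REQUEST)]:
        print(name, classify(req), ldap_lookup_for(req))
```

In FreeRADIUS 2.0 and later the same decision is written as an unlang if/else in the authorize section, with ldap_mac in one branch and ldap_users in the other, so that each request triggers exactly one directory search.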

RE: FreeRadius with LDAP

2005-02-18 Thread Sébastien Cantos
Rlm_ldap needs some openldap libraries to compile well on solaris. One
solution is to install OpenLDAP even if you use Sun LDAP. This way the
module will compile.

Regards,
--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA 

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of Michael Mitchell
> Sent: Friday, 18 February 2005 13:30
> To: freeradius-users@lists.freeradius.org
> Subject: Re: FreeRadius with LDAP
> 
> dbx is your friend...
> 
> But check to see that the ldap module actually built... unless you've 
> got things installed in the default places, it can take a 
> little work to 
> get the ldap module to compile on Solaris...
> 
> 
> 
> 
> José Berenguer wrote:
> > Hello!
> > 
> >   We are trying to authenticate the last version of 
> freeradius (1.0.1) 
> > in Solaris 9 against LDAP and we are always getting the 
> same error when 
> > we try to start radius with the command:
> > 
> >/usr/local/sbin/radiusd -S -X
> > 
> >   You can view the "radiusd.conf" and "users" files, and 
> the error we 
> > get is this:
> > 
> > Module: Loaded exec
> > exec: wait = yes
> > exec: program = "(null)"
> > exec: input_pairs = "request"
> > exec: output_pairs = "(null)"
> > exec: packet_type = "(null)"
> > rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> > Module: Instantiated exec (exec)
> > Module: Loaded expr
> > Module: Instantiated expr (expr)
> > Module: Loaded PAP
> > pap: encryption_scheme = "crypt"
> > Module: Instantiated pap (pap)
> > Module: Loaded CHAP
> > Module: Instantiated chap (chap)
> > Segmentation Fault
> > 
> >   Anyone can help us?
> > 
> >   Thanks very much!
> > 


Re: FreeRadius with LDAP

2005-02-18 Thread Michael Mitchell
dbx is your friend...
But check to see that the ldap module actually built... unless you've 
got things installed in the default places, it can take a little work to 
get the ldap module to compile on Solaris...


José Berenguer wrote:
> Hello!
>   We are trying to authenticate the latest version of freeradius (1.0.1)
> in Solaris 9 against LDAP and we are always getting the same error when
> we try to start radius with the command:
>
>    /usr/local/sbin/radiusd -S -X
>
>   You can view the "radiusd.conf" and "users" files, and the error we
> get is this:
>
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Segmentation Fault
>
>   Can anyone help us?
>   Thanks very much!



FreeRadius with LDAP

2005-02-18 Thread José Berenguer
Hello!
  We are trying to authenticate the latest version of freeradius (1.0.1)
in Solaris 9 against LDAP and we are always getting the same error when
we try to start radius with the command:

   /usr/local/sbin/radiusd -S -X
  You can view the "radiusd.conf" and "users" files, and the error we 
get is this:

Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Segmentation Fault
  Can anyone help us?
  Thanks very much!
--
**
José Berenguer Giménez
Área de Comunicaciones-Servicio de Informática
UNIVERSIDAD DE ALMERÍA
  Crta. de Sacramento s/n, 04120 - Almería
  Tlf.: 950014014 E-mail: [EMAIL PROTECTED]
**
.
.
.

# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {
#
#  Each module has a configuration as follows:
#
#   name [ instance ] {
#   config_item = value
#   ...
#   }
#
#  The 'name' is used to load the 'rlm_name' library
#  which implements the functionality of the module.
#
#  The 'instance' is optional.  To have two different instances
#  of a module, it first must be referred to by 'name'.
#  The different copies of the module are then created by
#  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
#
#  The instance names can then be used in later configuration
#  INSTEAD of the original 'name'.  See the 'radutmp' configuration
#  below for an example.
#

# PAP module to authenticate users based on their stored password
#
#  Supports multiple encryption schemes
#    clear: Clear text
#    crypt: Unix crypt
#      md5: MD5 encryption
#     sha1: SHA1 encryption.
#  DEFAULT: crypt
pap {
encryption_scheme = crypt
}

# CHAP module
#
#  To authenticate requests containing a CHAP-Password attribute.
#
chap {
authtype = CHAP
}

# Pluggable Authentication Modules
#
#  For Linux, see:
#   http://www.kernel.org/pub/linux/libs/pam/index.html
#
#  WARNING: On many systems, the system PAM libraries have
#   memory leaks!  We STRONGLY SUGGEST that you do not
#   use PAM for authentication, due to those memory leaks.
#
pam {
#
#  The name to use for PAM authentication.
#  PAM looks in /etc/pam.d/${pam_auth_name}
#  for it's configuration.  See 'redhat/radiusd-pam'
#  for a sample PAM configuration file.
#
#  Note that any Pam-Auth attribute set in the 'authorize'
#  section will over-ride this one.
#
pam_auth = radiusd
}

# Unix /etc/passwd style authentication
#
unix {
#
#  Cache /etc/passwd, /etc/shadow, and /etc/group
#
#  The default is to NOT cache them.
#
#  For FreeBSD and NetBSD, you do NOT want to enable
#  the cache, as it's password lookups are done via a
#  database, so set this value to 'no'.
#
#  Some systems (e.g. RedHat Linux with pam_pwbd) can
#  take *seconds* to check a password, when the passwd
#  file containing 1000's of entries.  For those systems,
#  you should set the cache value to 'yes', and set
#  the locations of the 'passwd', 'shadow', and 'group'
#  files, below.
#
# allowed values: {no, yes}
cache = no

# Reload the cache every 600 seconds (10mins). 0 to disable.
cache_reload = 600

#
#  Define the locations of the normal passwd, shadow, and
#  group files.
#
#  'shadow' is commented out by default, because not all
#  systems have shadow passwords.
#
   

FreeRadius with LDAP

2005-01-04 Thread Anderson Alves de Albuquerque

 Now I am using Freeradius with LDAP.
 My system GNUGK authenticates against FreeRadius, and Freeradius then
looks in the LDAP server. My authentication is okay, but FreeRadius needs
to send GNUGK the ALIAS. This ALIAS is an E.164 telephone number.

 In debug mode in Freeradius with "-X" I see:
- FreeRadius --
rlm_ldap: bind as cn=root,dc=mydomain,dc=com/teste to 146.164.247.236:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with 
filter (&(uid=ufrj4)(objectclass=radiusprofile))
rlm_ldap: Added password teste in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value CHAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding CISCO-AVPair as Service-Type, value 
h323-ivr-in=terminal-alias:ufrj4,025980003; & op=11
rlm_ldap: Adding CISCO-AV-Pair as Service-Type, value 
h323-ivr-in=terminal-alias:ufrj4,025980003; & op=11
rlm_ldap: Adding h323-ivr-out as Service-Type, value 
terminal-alias:ufrj4,025980002; & op=11
rlm_ldap: Adding h323-ivr-in as Service-Type, value 
terminal-alias:ufrj4,025980001; & op=11
rlm_ldap: user ufrj4 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
modcall: entering group authtype for request 0
  rlm_chap: login attempt by "ufrj4" with CHAP password
  rlm_chap: Using clear text password teste for user ufrj4 authentication.
  rlm_chap: chap user ufrj4 authenticated succesfully
  modcall[authenticate]: module "chap" returns ok for request 0
modcall: group authtype returns ok for request 0
Sending Access-Accept of id 146 to 146.164.247.235:10061
Finished request 0
Going to the next request
--- end ---
 

 I have another Freeradius that authenticates against an SQL server; in this
Freeradius there is a line with "sending". After this line radius sends the
string "Cisco-AV-Pair".
- Cisco-AV-Pair ---
Sending Access-Accept of id 23 to 146.164.247.196:10201
Cisco-AVPair = "h323-ivr-in=terminal-alias:mauricio,02598"
---


I don't know how I can tell freeradius to send this string to GNUGK.







Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-22 Thread Alan DeKok
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> When I do not set Auth-Type TTLS/PAP works with users stored in the
> "users" files, PEAP/Ms-chap-v2 works with users from LDAP storage,
> but TTLS/PAP from LDAP doesn't work

  And the debug log would tell you why.  The FAQ also mentions
something about statements like "it doesn't work".

  Without looking at your configuration, I can tell that you've
probably stored the passwords as NT-Passwords, so MS-CHAP works, but
PAP doesn't.  This isn't an issue for TTLS or PEAP, as it's
completely independent of them.

  The rlm_pap module could be updated to compare PAP passwords from
the packet with NT-Passwords retrieved from somewhere else.  This
could probably go into 1.0.0, as there are a few other issues with
building on certain platforms.

  Alan DeKok.



Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-21 Thread Christophe Saillard

Alan DeKok wrote:
> > Here's what I've to put in the "users" file to make it work :
> > DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
> >     User-Name = `%{User-Name}`,
> >     Fall-Through = no
> > But now PEAP/MSCHAPv2 doesn't work...
>
>   If you had read the debug log, you would see WHY it doesn't work.
>
>   Repeat it like a mantra: If you're not sure, DO NOT SET AUTH-TYPE.

When I do not set Auth-Type, TTLS/PAP works with users stored in the "users" file,
PEAP/MS-CHAPv2 works with users from LDAP storage, but TTLS/PAP from LDAP doesn't
work.

>   The server will figure it out on it's own.
>
>   Alan DeKok.


--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-21 Thread Alan DeKok
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> Now I've a working TTLS/PAP with LDAP storage configuration ;-)
> 
> Here's what I've to put in the "users" file to make it work :
> 
> DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
> User-Name = `%{User-Name}`,
> Fall-Through = no
> 
> But now PEAP/MSCHAPv2 doesn't work...

  If you had read the debug log, you would see WHY it doesn't work.

  Repeat it like a mantra: If you're not sure, DO NOT SET AUTH-TYPE.

  The server will figure it out on it's own.

  Alan DeKok.



Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-21 Thread Alan DeKok
Rok Papez <[EMAIL PROTECTED]> wrote:
> > And you set "Auth-Type = EAP".  DON'T DO THAT.
> 
> I do that ;). I prefer to manually set EAP when the user tries to identify as
> "[EMAIL PROTECTED]". Users are *NOT* allowed to use any other authentication
> method :).

  That's about the only time you should set it.

  Alan DeKok.



Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-21 Thread Christophe Saillard
Michael Griego wrote:
> Try something like this for your check line:
>
> DEFAULT Freeradius-Proxied-To == 127.0.0.1, EAP-Message !* "",
>     Auth-Type := PAP
>
> --Mike

Now it works !
Thanks a lot !
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-21 Thread Michael Griego
Try something like this for your check line:

DEFAULT Freeradius-Proxied-To == 127.0.0.1, EAP-Message !* "",
Auth-Type := PAP

--Mike


On Mon, 2004-06-21 at 06:59, Christophe Saillard wrote:
> Hi,
> 
> Now I've a working TTLS/PAP with LDAP storage configuration ;-)
> 
> Here's what I've to put in the "users" file to make it work :
> 
> DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
> User-Name = `%{User-Name}`,
> Fall-Through = no
> 
> But now PEAP/MSCHAPv2 doesn't work...I've tried a lot of combinations
> (Auth-Type := MSCHAP Fall-Through = yes ...)
> but none seem to work...if someone has a clue ;-)
> 
> Thanks for all !
> 
> Bye.




Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-21 Thread Christophe Saillard
Hi,
Now I've a working TTLS/PAP with LDAP storage configuration ;-)
Here's what I've to put in the "users" file to make it work :
DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
   User-Name = `%{User-Name}`,
   Fall-Through = no
But now PEAP/MSCHAPv2 doesn't work...I've tried a lot of combinations
(Auth-Type := MSCHAP Fall-Through = yes ...)
but none seem to work...if someone has a clue ;-)

Thanks for all !
Bye.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-20 Thread Rok Papez
Hello Christophe.
Christophe Saillard writes:

> > And you set "Auth-Type = EAP".  DON'T DO THAT.

I do that ;). I prefer to manually set EAP when the user tries to identify as
"[EMAIL PROTECTED]". Users are *NOT* allowed to use any other authentication
method :).

> For the moment I've a running freeradius EAP-TTLS/PAP configuration
> which works fine.
>
> Now I'd like to get credentials from an existing LDAP user storage
> instead of the Freeradius "users" file (I store MD5 hashed passwords to
> have PAP compatibility).

1. It would be nice to see relevant parts of the config file
2. The `radiusd -Xxxx 2>&1 | tee logfile` output

> But there are some particular things I need to know:
> - how do I have to store passwords in the LDAP database (because I'd like
> to use TTLS/PAP): crypt/MD5 hashed, clear text?

That's an LDAP thingy.. Here is an example of an LDIF entry for userPassword:

userPassword: {crypt}$1$dK1Zl.Qp$khF3af1c7Te0cSf2w/tZO0

All you need is a type prefix in {...} and then a password hash. This is a perl
code snippet that creates these hashes:

    # the 64 characters crypt(3) accepts in a salt
    my @salt_chars = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
    # eight random salt characters (perl's rand() is not a cryptographic RNG)
    my $salt = join('', map { $salt_chars[rand @salt_chars] } 1..8);
    # MD5-crypt ($1$) hash of the password, prefixed with the LDAP scheme tag
    my $pass = '{crypt}' . crypt($plaintext_password, '$1$' . $salt . '$');

The hash is the same kind as used in a /etc/shadow file. Check the crypt() man page
for details.
=
And this is in my radiusd.conf file:

modules {
    pap {
        encryption_scheme = clear
    }
    # this is for the "files", passwords are plaintext there :)
    ldap {
        server = "localhost"
        basedn = "ou=users,dc=org,dc=tld"
        filter = "(attribWithUserName=%{User-Name})"
        start_tls = no
    }
...
authenticate {
    Auth-Type EAP {
        eap
    }
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
}

> - what do I have to put in the "users" file? (I know that auth-type :=
> EAP is wrong)

Contrary to Alan's advice O;-), I have this:

# User anonymous and [EMAIL PROTECTED] should be allowed
# activate eap for them
DEFAULT User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[EMAIL PROTECTED]", Auth-Type := EAP

# Users with a NULL realm should be rejected
DEFAULT Realm == NULL, Auth-Type := Reject
    Fall-Through = No

# 1. Accounting fix for AP
# 2. a static username files_test for testing
# 3. LDAP authentication for local users
DEFAULT Realm == org.tld, Freeradius-Proxied-To == 127.0.0.1
    User-Name = `%{User-Name}`,
    Fall-Through = yes
files_test  Realm == org.tld, User-Password == ""
DEFAULT Realm == org.tld, Auth-Type := LDAP, Ldap-UserDN := `attribWithUserName=%{User-Name},ou=users,dc=org,dc=tld`, Freeradius-Proxied-To == 127.0.0.1

Do notice that I use the user's username/password to bind to LDAP. This is done with the
"Ldap-UserDN" item.

> - if it's not possible to have TTLS/PAP authentication, what else can I do
> (PEAP/Mschapv2 ...)?

TTLS/PAP is working :). For MsCHAP you won't be able to use SecureW2 and
you'll need to have plaintext passwords in LDAP.

> I hope my questions are not too stupid.

Radius configuration is not simple. The documentation is still lacking and
you simply have to "learn as you go" ;). So don't feel like you are asking
stupid questions.
--
Best regards,
Rok Papez.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
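
The question running through this thread is which stored form of userPassword still lets PAP succeed while, as Alan points out, ruling out CHAP and MS-CHAP. As an added illustration (not code from any poster or from FreeRADIUS itself), the Python below verifies a PAP cleartext against the RFC 2307 style scheme prefixes and reports which RADIUS methods each form can serve; the {crypt} form from Rok's LDIF example would need crypt(3) and is only recognised, not verified, here.

```python
import base64
import hashlib
import hmac
import os

# A one-way hash is fine for PAP (the server hashes the cleartext it
# receives), but CHAP and MS-CHAP need the cleartext itself, so they break.
PAP_SCHEMES = {"", "{CLEAR}", "{MD5}", "{SMD5}", "{SHA}", "{SSHA}", "{CRYPT}"}
CHAP_SCHEMES = {"", "{CLEAR}"}

def split_scheme(stored):
    """Split a userPassword value into (SCHEME, payload); SCHEME is "" for bare cleartext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[:end + 1].upper(), stored[end + 1:]
    return "", stored

def make_ssha(password, salt=None):
    """Build an RFC 2307 style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_pap(stored, candidate):
    """Check a PAP cleartext candidate against one stored userPassword value."""
    scheme, payload = split_scheme(stored)
    pw = candidate.encode()
    if scheme in ("", "{CLEAR}"):
        return hmac.compare_digest(payload.encode(), pw)
    if scheme == "{CRYPT}":
        return False          # needs crypt(3); recognised but not verified here
    raw = base64.b64decode(payload)
    if scheme == "{MD5}":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if scheme == "{SHA}":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme in ("{SMD5}", "{SSHA}"):
        algo, size = ("md5", 16) if scheme == "{SMD5}" else ("sha1", 20)
        digest, salt = raw[:size], raw[size:]     # digest first, salt appended
        return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)
    return False              # unknown scheme: fail closed

def usable_methods(stored):
    """List the RADIUS auth methods this stored form can still support."""
    scheme, _ = split_scheme(stored)
    methods = ["PAP"] if scheme in PAP_SCHEMES else []
    if scheme in CHAP_SCHEMES:
        methods += ["CHAP", "MS-CHAP"]
    return methods
```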


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Alan DeKok
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> Now I'd like to get credentials from an existing LDAP user storage instead
> of the Freeradius "users" file

  That shouldn't be a problem.

> (I store MD5 hashed password to have PAP compatibility).

  That will make CHAP & MS-CHAP not work.

> The Ldap bind is ok and I got correct uid and password when I launch
> a 802.1X request from a laptop client.

  I'm not sure what you mean by that.

> But there's some particular things I need to know :
> - how do I have to store password in the LDAP database (because I'd like
> to use TTLS/PAP) : crypt/MD5 hashed, clear text ?

  MD5 is fine if you're only doing PAP authentication.

> - what do I have to put in the "users" file ? (I know that auth-type :=
>  EAP is wrong) ?

  Don't put anything in the "users" file.

> - if it's not possible to have TTLS/PAP authentication what can I do else
>  (PEAP/Mschapv2 ...) ?

  TTLS/PAP is possible.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Christophe Saillard
> And you set "Auth-Type = EAP".  DON'T DO THAT.
>
>  The "eap.conf" file has BIG HUGE COMMENTS saying DON'T DO THAT.  It
> really means DON'T DO THAT.
>
>  You're doing the exact opposite of what the documentation says, and
> as a result, it's not working.  You might try following the
> recommendations of the server, which WILL allow it to work.
>
>  Alan DeKok.

Ok. Sorry for being such a fool...

Here's what I want to do:

For the moment I've a running freeradius EAP-TTLS/PAP configuration which works fine.
Now I'd like to get credentials from an existing LDAP user storage instead of the Freeradius "users" file
(I store MD5 hashed passwords to have PAP compatibility).

The LDAP bind is OK and I got the correct uid and password when I launched an 802.1X request
from a laptop client.

But there are some particular things I need to know:
- how do I have to store passwords in the LDAP database (because I'd like to use
TTLS/PAP): crypt/MD5 hashed, clear text?
- what do I have to put in the "users" file? (I know that auth-type := EAP is wrong)
- if it's not possible to have TTLS/PAP authentication, what else can I do
(PEAP/Mschapv2 ...)?

I hope my questions are not too stupid.
Thanks.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Alan DeKok
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> Fri Jun 18 14:11:31 2004 : Debug:   rad_check_password:  Found Auth-Type EAP
...
> Fri Jun 18 14:11:31 2004 : Debug:   rlm_eap: Request not found in the list
> Fri Jun 18 14:11:31 2004 : Error: rlm_eap: Either EAP-request timed out
> OR EAP-response to an unknown EAP-request
...
> I use TTLS/PAP for authentication,

  And you set "Auth-Type = EAP".  DON'T DO THAT.

  The "eap.conf" file has BIG HUGE COMMENTS saying DON'T DO THAT.  It
really means DON'T DO THAT.

  You're doing the exact opposite of what the documentation says, and
as a result, it's not working.  You might try following the
recommendations of the server, which WILL allow it to work.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Alan DeKok
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> For the moment I use Freeradius with EAP-TTLS and it works fine...now
> I'd like to get users credentials form an existing LDAP database.
> 
> The LDAP server sends me a valable MD5 hashed password but I think
> something failed in my users file configuration.

  Did you try running it in debugging mode, as suggested in the FAQ,
README, INSTALL, and daily on this list?

> Does someone have such a working configuration ? If so, can you send a
> copy ?

  Since no one knows what you're really trying to do, I doubt anyone
will send you a configuration.

  Follow the documented instructions for running the server and asking
questions on this list.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Christophe Saillard
Thanks for your help.
I think I'm not far from the end but I still have problems.
Here's the debug logs :
[...]
Fri Jun 18 14:11:17 2004 : Debug: rlm_ldap: performing search in dc=u-strasbg,dc=fr, with filter (uid=csaillard)
request 6 done
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: Added password $1$QEnpt.4f$nixixczJ/xu0CnyuvaTLV/ in check items
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for check items in directory...
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for reply items in directory...
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: user csaillard authorized to use remote access
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jun 18 14:11:31 2004 : Debug:   modsingle[authorize]: returned from ldap (rlm_ldap) for request 4
Fri Jun 18 14:11:31 2004 : Debug:   modcall[authorize]: module "ldap" returns ok for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall: group authorize returns updated for request 4
Fri Jun 18 14:11:31 2004 : Debug:   rad_check_password:  Found Auth-Type EAP
Fri Jun 18 14:11:31 2004 : Debug: auth: type "EAP"
Fri Jun 18 14:11:31 2004 : Debug:   Processing the authenticate section of radiusd.conf
Fri Jun 18 14:11:31 2004 : Debug: modcall: entering group Auth-Type for request 4
Fri Jun 18 14:11:31 2004 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for request 4
Fri Jun 18 14:11:31 2004 : Debug:   rlm_eap: Request not found in the list
Fri Jun 18 14:11:31 2004 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Fri Jun 18 14:11:31 2004 : Debug:   rlm_eap: Failed in handler
Fri Jun 18 14:11:31 2004 : Debug:   modsingle[authenticate]: returned from eap (rlm_eap) for request 4
Fri Jun 18 14:11:31 2004 : Debug:   modcall[authenticate]: module "eap" returns invalid for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall: group Auth-Type returns invalid for request 4
Fri Jun 18 14:11:31 2004 : Debug: auth: Failed to validate the user.
[...]

I use TTLS/PAP for authentication, so you can see that the LDAP server
sends an MD5 hashed password... but I'm not sure that's what I need.
Could you tell me what kind of EAP method you use, with what type of
password hash?

Thanks for help !
Bye.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Rok Papez
Hi Christophe.
Christophe Saillard writes:

> For the moment I use Freeradius with EAP-TTLS and it works fine... now
> I'd like to get users' credentials from an existing LDAP database.
>
> The LDAP server sends me a valid MD5 hashed password but I think
> something failed in my users file configuration.

You should run the server in debug mode and check the output. I use this
command:

radiusd -Xxxx 2>&1 | tee logfile

> Does someone have such a working configuration? If so, can you send a
> copy?

modules {
    ldap {
        server = "localhost"
        basedn = "ou=employees,dc=org,dc=tld"
        filter = "(PrincipalName=%{User-Name})"
        start_tls = no
    }
[...]
authorize {
    preprocess
    auth_log
    attr_rewrite
    suffix
    group {
        # the files also activates EAP for user anonymous
        files {
            notfound = 1
            ok = return
        }
        ldap
    }
}
authenticate {
    Auth-Type EAP {
        eap
    }
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
}

In the users file I have:

# User anonymous and [EMAIL PROTECTED] should be allowed
# activate eap for them

anonymous   Auth-Type := EAP

# Accounting fix for AP
# LDAP authentication for local users

DEFAULT Realm == org.tld, Freeradius-Proxied-To == 127.0.0.1
    User-Name = `%{User-Name}`,
    Fall-Through = yes
DEFAULT Realm == org.tld, Auth-Type := LDAP, Ldap-UserDN := `PrincipalName=%{User-Name},ou=employees,dc=org,dc=tld`, Freeradius-Proxied-To == 127.0.0.1

--
Best regards,
Rok Papez.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Christophe Saillard
Hello,
For the moment I use Freeradius with EAP-TTLS and it works fine... now
I'd like to get users' credentials from an existing LDAP database.

The LDAP server sends me a valid MD5 hashed password but I think
something failed in my users file configuration.

Does someone have such a working configuration ? If so, can you send a 
copy ?

Thanks.
Bye.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

