Re: Freeradius with ldap
The FAQ gives a *very* basic and less than complete example of using groups. I found an old mailing list entry that might be of help here:

http://lists.freeradius.org/pipermail/freeradius-users/2007-June/019764.html

I'm trying to do something similar and I'm having trouble getting radius to be able to successfully validate a user as part of a group.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius with ldap
Marlos Alex wrote:
> I'm in trouble and I think that freeradius is, can anyone help me, I configured the ldap group and created a wireless and want only the users of this group to access my wifi network?

Examples of LDAP group checking are in the FAQ.

Alan DeKok.
Freeradius with ldap
I'm in trouble and I think that freeradius is, can anyone help me, I configured the ldap group and created a wireless and want only the users of this group to access my wifi network?
Re: Configuring Freeradius with LDAP
Hi,

Actually what was helpful is reading the comments in radiusd.conf. The location of the ldap config changed starting with 2.0.0. I successfully configured it.

Thanks.

Wassim C. Zaarour
Systems & Network Engineer

On 4/18/12 11:12 PM, "Mark Holmes" wrote:
> I think
>
> http://wiki.freeradius.org/Rlm_ldap
>
> Has what you are after.
>
> Mark
>
> On 18 Apr 2012, at 18:53, "Wassim Zaarour" wrote:
>
> Hi List,
>
> I have installed freeradius 2.1.12, and it's working well.
>
> Now I need to configure it to authenticate with LDAP (Sun Directory Server) but I can't seem to find which file to configure in raddb, I can't find it in radiusd.conf
>
> I'd appreciate any help on this.
>
> Wassim C. Zaarour
> Systems & Network Engineer
>
> Nuffield College is a Registered Charity No. 1137506. Registered Office: Nuffield College, New Road, Oxford, OX1 1NF
Re: Configuring Freeradius with LDAP
I think

http://wiki.freeradius.org/Rlm_ldap

Has what you are after.

Mark

On 18 Apr 2012, at 18:53, "Wassim Zaarour" wrote:
> Hi List,
>
> I have installed freeradius 2.1.12, and it's working well.
>
> Now I need to configure it to authenticate with LDAP (Sun Directory Server) but I can't seem to find which file to configure in raddb, I can't find it in radiusd.conf
>
> I'd appreciate any help on this.
>
> Wassim C. Zaarour
> Systems & Network Engineer
Re: Configuring Freeradius with LDAP
On 18.04.2012 19:47, Wassim Zaarour wrote:
> Now I need to configure it to authenticate with LDAP (Sun Directory Server) but I can't seem to find which file to configure in raddb, I can't find it in radiusd.conf

Did you try google or just the search box on wiki.freeradius.org?

http://wiki.freeradius.org/search?q=ldap

Tobias Hachmer
Configuring Freeradius with LDAP
Hi List,

I have installed freeradius 2.1.12, and it's working well.

Now I need to configure it to authenticate with LDAP (Sun Directory Server) but I can't seem to find which file to configure in raddb, I can't find it in radiusd.conf

I'd appreciate any help on this.

Wassim C. Zaarour
Systems & Network Engineer
Re: FreeRADIUS with LDAP Support
On 12/08/2011 01:11 PM, Nick Khamis wrote:
> Hello Everyone,
>
> I do have libldap2-dev installed however, it seems like openldap in all its totality is needed?

What is needed will be listed in the output of configure. Also listed will be where configure looked for the dependency. You should read this. Usually you'll need the headers and libraries, but they may be located in non-standard locations; if so you'll have to tell configure where to find them.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: FreeRADIUS with LDAP Support
Hello Everyone,

I do have libldap2-dev installed however, it seems like openldap in all its totality is needed?

Thanks in Advance,

Nick.

On Thu, Dec 8, 2011 at 5:31 AM, Fajar A. Nugraha wrote:
> On Thu, Dec 8, 2011 at 9:51 AM, Nick Khamis wrote:
>> Hello Everyone,
>>
>> I tried to compile FreeRADIUS with LDAP support however, rlm_ldap has not been compiled.
>> Are libldap-2.4-2 libldap-dev not sufficient? Do I need to install OpenLDAP?
>
> Try libldap2-dev. That's what's in the "Build-Depends" section of debian/control.
>
> --
> Fajar
Re: FreeRADIUS with LDAP Support
On Thu, Dec 8, 2011 at 9:51 AM, Nick Khamis wrote:
> Hello Everyone,
>
> I tried to compile FreeRADIUS with LDAP support however, rlm_ldap has not been compiled.
> Are libldap-2.4-2 libldap-dev not sufficient? Do I need to install OpenLDAP?

Try libldap2-dev. That's what's in the "Build-Depends" section of debian/control.

--
Fajar
Re: FreeRADIUS with LDAP Support
Hi,

> I tried to compile FreeRADIUS with LDAP support however, rlm_ldap has not been compiled.
> Are libldap-2.4-2 libldap-dev not sufficient? Do I need to install OpenLDAP?

if you read the output of ./configure, e.g.

./configure | grep WARN

you will see what LDAP stuff is required - openldap

alan
FreeRADIUS with LDAP Support
Hello Everyone,

I tried to compile FreeRADIUS with LDAP support however, rlm_ldap has not been compiled.
Are libldap-2.4-2 libldap-dev not sufficient? Do I need to install OpenLDAP?

Thanks in Advance,

Nick.
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
On 09-07-2010 17:12, Alan DeKok wrote:
> Daniel Gomes wrote:
>>>> we are currently and successfully using it to authenticate other services).
>>>
>>> Using PAP passwords.
>>
>> Actually these applications are probably just binding with the user's credentials, but that's not relevant here.
>
> That's what I meant.
>
>> Well, it doesn't help me much if you say you know the problem and its solution, but then don't tell me how to fix it.
>
> OpenLDAP has documentation on how to make it return passwords when an LDAP client asks for them. We don't tend to copy that documentation here.
>
>> And I know I'm not the first one to have these issues, I started from the beginning by saying that I read everything I could find about it on the Internet, tried to fix the problem many times and only then I came here, asking for help. Sorry for wasting your time!... And btw, your aggressive attitude doesn't really help anyone.
>
> Sorry... but when you ask for help, you shouldn't argue with the answers. Especially when it's clear that you're asking for help because you don't know what's going wrong. Education can be a painful process.

Mate, I wasn't arguing in the sense of "you're wrong", I was just trying to understand why you were saying that LDAP wasn't working, when it clearly looked like it was. After you explained the difference between PAP and MS-CHAP in the previous email, I could finally understand just that. So thanks once again for the explanation! And yeah, I didn't know what was going on, but that was my reason to come here in the first place!

>> Anyway, after getting it to work with PAP, I followed nf-vale's solution (adding the ntPassword and lmPassword attributes to LDAP) and now it's also working with MS-CHAP. Thanks for the great tip!!
>
> That's good to hear.
>
> Alan DeKok.

Thanks for the patience,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487
Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes wrote:
>>>> we are currently and successfully using it to authenticate other services).
>>>
>>> Using PAP passwords.
>>
>> Actually these applications are probably just binding with the user's credentials, but that's not relevant here.

That's what I meant.

>> Well, it doesn't help me much if you say you know the problem and its solution, but then don't tell me how to fix it.

OpenLDAP has documentation on how to make it return passwords when an LDAP client asks for them. We don't tend to copy that documentation here.

>> And I know I'm not the first one to have these issues, I started from the beginning by saying that I read everything I could find about it on the Internet, tried to fix the problem many times and only then I came here, asking for help. Sorry for wasting your time!... And btw, your aggressive attitude doesn't really help anyone.

Sorry... but when you ask for help, you shouldn't argue with the answers. Especially when it's clear that you're asking for help because you don't know what's going wrong. Education can be a painful process.

>> Anyway, after getting it to work with PAP, I followed nf-vale's solution (adding the ntPassword and lmPassword attributes to LDAP) and now it's also working with MS-CHAP. Thanks for the great tip!!

That's good to hear.

Alan DeKok.
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
On 09-07-2010 13:59, Alan DeKok wrote:
> Daniel Gomes wrote:
>> Well, as I mentioned (a couple of times now), the LDAP server was indeed returning a password to FreeRADIUS, since radtest was always working fine.
>
> No, it wasn't returning a password to FreeRADIUS. Go *read* the debug output. It will prove this.
>
> When using PAP, the LDAP module looks for a password. If it doesn't get one, it then tries to do "bind as user". That is, it hands the username && password to the LDAP server, and asks "are these OK"?
>
> When this happens, you're making your LDAP server do user authentication. This is wrong. LDAP is a database. RADIUS is an authentication server.

Ok, thanks, now I see the difference. I did read the debug output, and again, I understood that FreeRADIUS was having problems getting the userPassword, I just couldn't understand why. For a layman such as myself, if it worked with radtest it followed that it should work with MS-CHAP too. With this explanation, now I understand why it didn't.

>> So the problem wasn't in the LDAP server itself, because it does "return a password when an LDAP client queries it for a password" (as I also mentioned it, we are currently and successfully using it to authenticate other services).
>
> Using PAP passwords.

Actually these applications are probably just binding with the user's credentials, but that's not relevant here.

>> The problem was really related to MS-CHAP, and now that I changed to PAP, it all seems to be working fine...
>
> Yes. For the reasons outlined above.
>
> Your situation *isn't* the first time someone has had this issue. We're familiar with the problem && solution, where you are clearly not.
>
> Alan DeKok.

Well, it doesn't help me much if you say you know the problem and its solution, but then don't tell me how to fix it. And I know I'm not the first one to have these issues, I started from the beginning by saying that I read everything I could find about it on the Internet, tried to fix the problem many times and only then I came here, asking for help. Sorry for wasting your time!... And btw, your aggressive attitude doesn't really help anyone.

Anyway, after getting it to work with PAP, I followed nf-vale's solution (adding the ntPassword and lmPassword attributes to LDAP) and now it's also working with MS-CHAP. Thanks for the great tip!!

Cheers,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487
Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes wrote:
> Well, as I mentioned (a couple of times now), the LDAP server was indeed returning a password to FreeRADIUS, since radtest was always working fine.

No, it wasn't returning a password to FreeRADIUS. Go *read* the debug output. It will prove this.

When using PAP, the LDAP module looks for a password. If it doesn't get one, it then tries to do "bind as user". That is, it hands the username && password to the LDAP server, and asks "are these OK"?

When this happens, you're making your LDAP server do user authentication. This is wrong. LDAP is a database. RADIUS is an authentication server.

> So the problem wasn't in the LDAP server itself, because it does "return a password when an LDAP client queries it for a password" (as I also mentioned it, we are currently and successfully using it to authenticate other services).

Using PAP passwords.

> The problem was really related to MS-CHAP, and now that I changed to PAP, it all seems to be working fine...

Yes. For the reasons outlined above.

Your situation *isn't* the first time someone has had this issue. We're familiar with the problem && solution, where you are clearly not.

Alan DeKok.
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Well, as I mentioned (a couple of times now), the LDAP server was indeed returning a password to FreeRADIUS, since radtest was always working fine. So the problem wasn't in the LDAP server itself, because it does "return a password when an LDAP client queries it for a password" (as I also mentioned it, we are currently and successfully using it to authenticate other services). The problem was really related to MS-CHAP, and now that I changed to PAP, it all seems to be working fine...

On 09-07-2010 13:35, Alan DeKok wrote:
> Daniel Gomes wrote:
>> Wrong guess, it's OpenLDAP :)
>
> Then fix it so that it returns a password to FreeRADIUS. It's an LDAP server. If it doesn't return a password when an LDAP client queries it for a password, it's broken.
>
> Alan DeKok.

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487
Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes wrote:
> Wrong guess, it's OpenLDAP :)

Then fix it so that it returns a password to FreeRADIUS. It's an LDAP server. If it doesn't return a password when an LDAP client queries it for a password, it's broken.

Alan DeKok.
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Wrong guess, it's OpenLDAP :)

On 09-07-2010 13:04, Alan DeKok wrote:
> Daniel Gomes wrote:
>> From the logs, and as I wrote on my initial cry for help, I could see that the password wasn't being found, I just couldn't puzzle out why... And yes, the users do have passwords on LDAP (we are using it to authenticate many other applications), and as I wrote down, radtest was working fine, so freeradius was able to authenticate users via LDAP.
>
> Let me guess: it's Active Directory.
>
> Active Directory is *not* a real LDAP server. In order to authenticate users with MS-CHAP, you will need to install Samba. See the Active Directory howto on http://deployingradius.com/
>
> Alan DeKok.

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487
Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes wrote:
> From the logs, and as I wrote on my initial cry for help, I could see that the password wasn't being found, I just couldn't puzzle out why... And yes, the users do have passwords on LDAP (we are using it to authenticate many other applications), and as I wrote down, radtest was working fine, so freeradius was able to authenticate users via LDAP.

Let me guess: it's Active Directory.

Active Directory is *not* a real LDAP server. In order to authenticate users with MS-CHAP, you will need to install Samba. See the Active Directory howto on http://deployingradius.com/

Alan DeKok.
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Hey there,

first of all, thanks for all the tips! Commenting them, in the order in which they came:

@peter lambrechtsen: I actually had tried PAP before, but I gave up then because pptpd was refusing clients without even consulting the RADIUS server... But I noticed (a couple of minutes ago) that I had the client (i.e. Windows) configured to try MS-CHAP and not PAP...

@nf-vale: nice detailed description on how to fix it, but I ended up using peter's solution, as it seemed easier.

@alan dekok (inline comments):

On 09-07-2010 11:23, Alan DeKok wrote:
> Daniel Gomes wrote:
>> I know this is a question which has been thoroughly asked and answered, but after spending several days configuring, debugging, searching the internet, re-configuring, etc, I still can't get my freeradius server to properly authenticate users (for a pptpd server).
>
> Go read the debug log. It's not finding the password for the user. Fix that.
>
>> So yeah, if you could help me out, I'd appreciate it! All I want is pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP is not even a requirement for me here, since both services are on the same machine, so there's not even the need for safe connections. So long as it works, I really don't care about any particular configuration!
>
> A simple LDAP query for the user is *not* returning a password. That's the problem. Does the user even have a password in LDAP?

From the logs, and as I wrote on my initial cry for help, I could see that the password wasn't being found, I just couldn't puzzle out why... And yes, the users do have passwords on LDAP (we are using it to authenticate many other applications), and as I wrote down, radtest was working fine, so freeradius was able to authenticate users via LDAP.

> Alan DeKok.

Anyway, once again, thanks for all the tips! It seems to be working fine with PAP, so I guess I'll go with it!

Cheers,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487
Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes wrote:
> I know this is a question which has been thoroughly asked and answered, but after spending several days configuring, debugging, searching the internet, re-configuring, etc, I still can't get my freeradius server to properly authenticate users (for a pptpd server).

Go read the debug log. It's not finding the password for the user. Fix that.

> So yeah, if you could help me out, I'd appreciate it! All I want is pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP is not even a requirement for me here, since both services are on the same machine, so there's not even the need for safe connections. So long as it works, I really don't care about any particular configuration!

A simple LDAP query for the user is *not* returning a password. That's the problem. Does the user even have a password in LDAP?

Alan DeKok.
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Hi,

You can add NT / LM pairs to each LDAP user object. You must include the samba.schema into the ldap server schemas.

Ex:
    sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
    sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE

You can create these passwords using the smbencrypt tool (deployed with samba).

This way pptp MSCHAP auth will work.

Nelson Vale

On Monday 05 July 2010 16:59:08 Daniel Gomes wrote:
> Dear list,
>
> I know this is a question which has been thoroughly asked and answered, but after spending several days configuring, debugging, searching the internet, re-configuring, etc, I still can't get my freeradius server to properly authenticate users (for a pptpd server).
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Why not set up your NAS to use PAP, instead of MS-CHAP. If you use MS-CHAP you will need to have NT hashes in your LDAP directory. It would be far easier to have PAP authentication enabled on your NAS, then it should work fine.

On Tue, Jul 6, 2010 at 3:59 AM, Daniel Gomes wrote:
> Dear list,
>
> I know this is a question which has been thoroughly asked and answered, but after spending several days configuring, debugging, searching the internet, re-configuring, etc, I still can't get my freeradius server to properly authenticate users (for a pptpd server).
Freeradius with LDAP backend for pptpd (via MS-CHAP)
Dear list,

I know this is a question which has been thoroughly asked and answered, but after spending several days configuring, debugging, searching the internet, re-configuring, etc, I still can't get my freeradius server to properly authenticate users (for a pptpd server).

First of all, on the pptpd server's side (which I know is not your "jurisdiction", so I'll be fast here), I have the require-mschap-v2 and require-mppe options enabled.

As for freeradius itself, a summarized sites-enabled/default reads:

authorize {
    preprocess
    pap
    mschap
    ldap
    auth_log
    eap {
        ok = return
    }
    expiration
    logintime
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        ldap
    }
    eap
}

My modules/ldap contains all the necessary information, and my modules/mschap has the options use_mppe, require_encryption and require_strong enabled, like most tutorials state.

As for the results, radtest works fine (querying LDAP etc), but through pptpd it always fails with this error:

rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75, length=151
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "dgomes"
        MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
        MS-CHAP2-Response = 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
        Calling-Station-Id = "193.136.136.200"
        NAS-IP-Address = 193.136.136.40
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[ldap] performing user authorization for dgomes
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
        expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt -> ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
rlm_ldap: bind as cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to gold.ipfn.ist.utl.pt:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt, with filter (cn=dgomes)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user dgomes authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
        expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
        expand: %t -> Thu Jul 8 14:08:34 2010
++[auth_log] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
        expand: %{User-Name} -> dgomes
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request

--

I know that the error should be enough for me to fix it (since it's quite explanatory), but after trying many different configurations and searching through dozens of old mailing list posts, I still haven't managed it...

So yeah, if you could help me out, I'd appreciate it! All I want is pptpd to authenticate the users with an LDAP backend, via RADIUS. MS-CHAP is not even a requirement for me here, since both services are on the same machine, so there's not even the need for safe connections. So long as it works, I really don't care about any particular configuration!

Thanks in advance,
Daniel Gomes

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS with LDAP backend (PAP works but CHAP or any other modules does not work), help please
> I am glad to say that I was able to setup FreeRADIUS ver. 2.1.7 with LDAP
> (slapd) authentication after a continuous research of a whole week. I can
> authenticate user via LDAP but it only works for PAP, radtest tool works,
> NTRadPing works but only when using PAP (un-checking CHAP).

If you have read the comments in ldap module (raddb/modules/ldap) you needn't have wasted your time. Ldap authentication works *only* for PAP.

http://deployingradius.com/documents/protocols/oracles.html

> I would appreciate if some of you can help me with that or can guide me to
> the right path

Use ldap as database and not authentication system. Pass the password from it to freeradius and let freeradius authenticate the user.

Ivan Kalik
Kalik Informatika ISP
Re: FreeRADIUS with LDAP backend (PAP works but CHAP or any other modules does not work), help please
Your password needs to be readable in cleartext by FR for anything other than PAP to work. That way FR can hash/encrypt the password out of LDAP on the server side and compare against the hash it gets passed from the client.

On Sun, Oct 4, 2009 at 6:07 PM, Ryaz Khan wrote:
> Hi Guys,
>
> I am glad to say that I was able to setup *FreeRADIUS ver. 2.1.7* with *LDAP
> (slapd)* authentication after a continuous research of a whole week. I can
> authenticate user via LDAP but it only works for PAP, *radtest* tool
> works, *NTRadPing* works but only when using PAP (un-checking CHAP).
>
> I tried every possible option/combination I can think of, but unfortunately
> none of them worked.
>
> I would appreciate if some of you can help me with that or can guide me to
> the right path
>
> Thx guys
>
> Ryaz Khan
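The point the two replies above make, worked through as an added example (not code from the thread, from FreeRADIUS or from rlm_ldap): a PAP request carries the password itself, so the server can re-hash it under whatever scheme OpenLDAP stored in userPassword, whereas a CHAP request carries only MD5(ident || password || challenge), which the server can recompute only from a cleartext password. The password, salt, challenge and userPassword values are constructed; crypt_variant() is a hypothetical helper that names the crypt(3) flavour by its prefix, which is why a {crypt} entry starting with $1$ can look like MD5.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample password (not taken from the thread).
SAMPLE_PASSWORD = b"trialanderror"


def ssha_encode(password: bytes, salt: bytes) -> str:
    """Store a password the way OpenLDAP does for {SSHA}: base64(sha1(pw+salt)+salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def parse_user_password(value: str) -> Tuple[str, str]:
    """Split an LDAP userPassword value into (SCHEME, payload).
    A value without a {SCHEME} prefix is stored in cleartext."""
    if value.startswith("{") and "}" in value:
        scheme, payload = value[1:].split("}", 1)
        return scheme.upper(), payload
    return "CLEARTEXT", value

def crypt_variant(payload: str) -> str:
    """Name the crypt(3) flavour from its modular prefix; $1$ is MD5-crypt,
    which is why a {crypt} value can 'look like MD5'. (Hypothetical helper.)"""
    prefixes = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt",
                "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}
    for prefix, name in prefixes.items():
        if payload.startswith(prefix):
            return name
    return "des-crypt"

def check_pap(stored: str, candidate: bytes) -> Optional[bool]:
    """PAP: the request carries the password in the clear (RADIUS-obfuscated),
    so the server re-hashes it under the stored scheme and compares.
    Returns None for {CRYPT}, which needs the platform crypt(3) (left out here)."""
    scheme, payload = parse_user_password(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode(), candidate)
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(candidate).digest(),
                                   base64.b64decode(payload))
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(candidate).digest(),
                                   base64.b64decode(payload))
    if scheme == "CRYPT":
        return None
    raise ValueError("unknown userPassword scheme: " + scheme)

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def split_chap_password(attr: bytes) -> Tuple[int, bytes]:
    """RADIUS CHAP-Password attribute: one CHAP Ident byte + 16-byte MD5 response."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 17 bytes")
    return attr[0], attr[1:]

def check_chap(stored: str, ident: int, challenge: bytes,
               response: bytes) -> Optional[bool]:
    """CHAP: the request carries only MD5(ident||password||challenge), so the
    server must recompute it from the cleartext password. With any hashed
    scheme there is no 'known good' password; None mirrors rlm_chap/rlm_mschap
    giving up ("No Cleartext-Password configured")."""
    scheme, payload = parse_user_password(stored)
    if scheme != "CLEARTEXT":
        return None
    expected = chap_response(ident, payload.encode(), challenge)
    return hmac.compare_digest(expected, response)

def oracle_matrix(stored_values) -> Dict[str, Tuple[Optional[bool], Optional[bool]]]:
    """For each stored form of SAMPLE_PASSWORD, report (PAP result, CHAP result).
    The challenge and CHAP Ident are constructed stand-ins for a NAS."""
    challenge = bytes(range(16))
    attr = bytes([7]) + chap_response(7, SAMPLE_PASSWORD, challenge)
    ident, response = split_chap_password(attr)
    rows = {}
    for stored in stored_values:
        scheme, _ = parse_user_password(stored)
        rows[scheme] = (check_pap(stored, SAMPLE_PASSWORD),
                        check_chap(stored, ident, challenge, response))
    return rows

if __name__ == "__main__":
    samples = [
        SAMPLE_PASSWORD.decode(),                       # cleartext
        ssha_encode(SAMPLE_PASSWORD, b"s4ltv4lu"),      # {SSHA}, constructed salt
        "{MD5}" + base64.b64encode(hashlib.md5(SAMPLE_PASSWORD).digest()).decode(),
        "{CRYPT}$1$constructed$placeholder.hash",       # placeholder, not a real hash
    ]
    for scheme, (pap, chap) in oracle_matrix(samples).items():
        print(f"{scheme:10s} PAP={pap} CHAP={chap}")
```

Only the cleartext row can satisfy CHAP; every hashed row still verifies under PAP, which is the behaviour the thread reports.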
FreeRADIUS with LDAP backend (PAP works but CHAP or any other modules does not work), help please
Hi Guys,

I am glad to say that I was able to setup FreeRADIUS ver. 2.1.7 with LDAP (slapd) authentication after a continuous research of a whole week. I can authenticate user via LDAP but it only works for PAP, radtest tool works, NTRadPing works but only when using PAP (un-checking CHAP).

I tried every possible option/combination I can think of, but unfortunately none of them worked.

I would appreciate if some of you can help me with that or can guide me to the right path

Thx guys

Ryaz Khan
Re: Configuring Freeradius with Ldap Windows Server 2003
Hari Novferdianto wrote:
> Hi,
> How configuring freeradius with ldap windows server 2003 ?
> I do in my freeradius, when I installed it is
> ./configure --prefix=/usr/local/freeradius --with-modules="rlm-ldap"

That isn't enough. You need to have the local LDAP libraries && header files on your system. FreeRADIUS does *not* implement the LDAP protocol.

> Until I'm configured in radiusd.conf
> It's Still
> radiusd.conf[744] Failed to link to module 'rlm_ldap': rlm_ldap.so:
> cannot open shared object file: No such file or directory
> radiusd.conf[1956] Unknown module "ldap".
> radiusd.conf[1956] Failed to parse "ldap" entry.

The module doesn't exist because it wasn't built. It wasn't built because the things it needs (see above) don't exist.

Install the LDAP libraries && development header files on your system, and then re-build FreeRADIUS.

Alan DeKok.
Configuring Freeradius with Ldap Windows Server 2003
Hi,

How do I configure freeradius with ldap on Windows Server 2003?

What I did when I installed my freeradius was:

./configure --prefix=/usr/local/freeradius --with-modules="rlm-ldap"

After configuring radiusd.conf it still says:

radiusd.conf[744] Failed to link to module 'rlm_ldap': rlm_ldap.so: cannot open shared object file: No such file or directory
radiusd.conf[1956] Unknown module "ldap".
radiusd.conf[1956] Failed to parse "ldap" entry.

I'm confused now...
Re: How To Install Freeradius with LDAP - Need Help
Freeradius builds with radius support by default. Look up build and rlm_ldap on freeradius wiki.

Ivan Kalik
Kalik Informatika ISP

On 11/9/2008, "niel m" <[EMAIL PROTECTED]> writes:
>Hello Sir/Madam,
>
>Good Evening
>
>Im niel, I was researching about this topic Freeradius with LDAP support for
>authentication.
>I am very pressured because i want to implement such as this one using my AP
>in the office.
>If anyone can help me with this problem. Either some of below;
>
>- URL of a web that states step-by-step procedure on how to implement such
>system
>- or giving me some personal advice.
>
>I appreciate any help I can get to solve this system
>
>
>Thanks,
>Niel
How To Install Freeradius with LDAP - Need Help
Hello Sir/Madam,

Good Evening

I'm niel. I was researching this topic: Freeradius with LDAP support for authentication. I am very pressured because I want to implement such a system using my AP in the office. If anyone can help me with this problem, either of the below would do:

- URL of a web page that states a step-by-step procedure on how to implement such a system
- or giving me some personal advice.

I appreciate any help I can get to solve this system

Thanks,
Niel
Re: get problem with freeradius with LDAP authenticate
chenweiting wrote:
> rlm_ldap: (re)connect to ldap.icpdd.neca.nec.com.au:389, authentication 0
> ld.so.1: radiusd: fatal: relocation error: file /usr/local/lib/rlm_ldap-1.1.7.so: symbol ldap_int_tls_config: referenced symbol not found
> Killed
>
> Any idea for this issue?

A couple. Do you have more than one installation of freeradius? How did you build the server?
get problem with freeradius with LDAP authenticate
Dear all,

I am trying to configure freeradius 1.1.7 on Solaris10 to authenticate with an ldap server. After I configure it, radiusd -X -A runs well, but once I run radtest I get the error as below:

==
./radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded LDAP
 ldap: server = "ldap.icpdd.neca.nec.com.au"
 ldap: port = 389
 ldap: net_timeout = 10
 ldap: timeout = 30
 ldap: timelimit = 3
 ldap: identity = ""
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
 ldap: basedn = "ou=people,dc=icpdd,dc=neca,dc=nec,dc=com,dc=au"
 ldap: filter = "(uid=%u)"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "(null)"
 ldap: access_attr = "dialupAccess"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped t
Re: problem configuring freeradius with ldap user database
Hello Ivan

The solution previously suggested by Alan worked.

Thanks
Sambuddho

On Sat, 2008-06-14 at 18:15 +0100, Ivan Kalik wrote:
> >rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in
> >check items
>
> Are you sure that's crypt? It looks like MD5 to me.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: problem configuring freeradius with ldap user database
>rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in
>check items

Are you sure that's crypt? It looks like MD5 to me.

Ivan Kalik
Kalik Informatika ISP
Re: problem configuring freeradius with ldap user database
Hello Alan

Thanks a lot! I'll check this out.

Sambuddho

On Sat, 2008-06-14 at 09:22 +0200, Alan DeKok wrote:
> Sambuddho Chakravarty wrote:
> > I am experiencing a problem while trying to authenticate the
> > username/password in LDAP through a freeradius server. While a regular
> > telnet/ssh to the edge running a openLdap client / PAM module works fine
> > (It is able to authenticate) but the problem arises when trying to
> > authenticate using the freeradius server .
> >
> > This is what the log message looks like :
> >
> > User-Name = "try"
> > User-Password = "trialanderror"
> > NAS-IP-Address = 127.0.0.1
> ...
> > rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
> > (uid=try)
> > rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in
> > check items
>
> If you do NOTHING more than configure "ldap" in the default
> configuration, this should work.
>
> > modcall[authorize]: module "ldap" returns ok for request 0
> > modcall: group authorize returns ok for request 0
>
> You're not using 2.0, and you've edited the default configuration. DO
> use a recent version. DON'T edit the configuration to re-arrange the
> modules in the "authorize" section.
>
> > Here you can see that the authorization of a user 'try' having password
> > 'trialanderror' works fine but authentication fails. The host running
> > the freeradius server is Fedora Core 5 running linux 2.6.25.
>
> The OS doesn't matter. The version of FreeRADIUS does.
>
> It seems you're using 1.1.x. You should at LEAST upgrade to 1.1.7.
> Then, un-comment the references to LDAP, and configure the LDAP module.
> The test WILL work.
>
> Alan DeKok.
Re: problem configuring freeradius with ldap user database
Sambuddho Chakravarty wrote:
> I am experiencing a problem while trying to authenticate the
> username/password in LDAP through a freeradius server. While a regular
> telnet/ssh to the edge running a openLdap client / PAM module works fine
> (It is able to authenticate) but the problem arises when trying to
> authenticate using the freeradius server .
>
> This is what the log message looks like :
>
> User-Name = "try"
> User-Password = "trialanderror"
> NAS-IP-Address = 127.0.0.1
...
> rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
> (uid=try)
> rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in
> check items

If you do NOTHING more than configure "ldap" in the default configuration, this should work.

> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0

You're not using 2.0, and you've edited the default configuration. DO use a recent version. DON'T edit the configuration to re-arrange the modules in the "authorize" section.

> Here you can see that the authorization of a user 'try' having password
> 'trialanderror' works fine but authentication fails. The host running
> the freeradius server is Fedora Core 5 running linux 2.6.25.

The OS doesn't matter. The version of FreeRADIUS does.

It seems you're using 1.1.x. You should at LEAST upgrade to 1.1.7. Then, un-comment the references to LDAP, and configure the LDAP module. The test WILL work.

Alan DeKok.
problem configuring freeradius with ldap user database
Hello All

I am experiencing a problem while trying to authenticate the username/password in LDAP through a freeradius server. While a regular telnet/ssh to the edge running an openLdap client / PAM module works fine (it is able to authenticate), the problem arises when trying to authenticate using the freeradius server.

This is what the log message looks like:

        User-Name = "try"
        User-Password = "trialanderror"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "try", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 155
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for try
radius_xlat: '(uid=try)'
radius_xlat: 'ou=People,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
rlm_ldap: bind as / to 30.0.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=try)
rlm_ldap: Added password {crypt}$1$2Pl0Lm5O$ot8mrXYBaAg12RoBogNDK. in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user try authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "try" with password "trialanderror"
rlm_ldap: user DN: uid=try,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to 30.0.0.2:389, authentication 1
rlm_ldap: bind as uid=try,ou=People,dc=example,dc=com/trialanderror to 30.0.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
  modcall[authenticate]: module "ldap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...

Here you can see that the authorization of a user 'try' having password 'trialanderror' works fine but authentication fails. The host running the freeradius server is Fedora Core 5 running linux 2.6.25.

Could you please suggest where we are going wrong. I am sending you a copy of the /etc/raddb/users file as well.

DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Auth-Type := LDAP
        Fall-Through = 0

Any help would be gratefully appreciated.

Thanks
Sambuddho
Re: howto freeradius with ldap
A very nice article: http://www.ibm.com/developerworks/linux/library/l-radius/

"Nikolay G. Petrov" <[EMAIL PROTECTED]> wrote:
> I read the included document about freeradius with ldap, but I am a foreigner and the content is difficult to understand. Can you suggest any content with an example of how I can use groups with ldap?
> Thanks!
howto freeradius with ldap
I read the included document about freeradius with ldap, but I am a foreigner and the content is difficult to understand. Can you suggest any content with an example of how I can use groups with ldap?

Thanks!
Re: Problems using freeradius with ldap
On Monday 03 September 2007 18:12:40 [EMAIL PROTECTED] wrote:
> You are picking up Auth-Type System from the users file. Comment it out.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 3/9/2007, "Sergio Belkin" <[EMAIL PROTECTED]> writes:
> >I have problem when in Fedora 4 (sadly in my job I cannot change this)
> > using radtest against LDAP
> >
> >Packages version:
> >openldap-servers-2.2.29-1.FC4
> >openldap-clients-2.2.29-1.FC4
> >openldap-2.2.29-1.FC4
> >freeradius-1.0.4-1.FC4.1
> >
> >This is part of /etc/raddb/radiusd.conf:
> >
> >ldap {
> >server = "localhost"
> >basedn = "ou=people,dc=mydomain,dc=com"
> >filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> >dictionary_mapping = ${raddbdir}/ldap.attrmap
> >ldap_connections_number = 5
> >password_attribute = userPassword
> >(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)
> >(uniquemember=%{Ldap-UserDn})))"
> >timeout = 4
> >timelimit = 3
> >net_timeout = 1
> >}
> >
> >authorize {
> >chap
> >mschap
> >suffix
> >eap
> >files
> >ldap
> >checkval
> >}
> >
> >And this a portion of /etc/raddb/users:
> >DEFAULT Auth-Type = System
> > Fall-Through = 1
> >DEFAULT Auth-Type = LDAP
> > Fall-Through = 1

Thanks, finally I did so and it worked out (using the original version of FC4)!

--
Sergio Belkin
Comunicación e Internet
Re: Problems using freeradius with ldap
Hi,

> Well, I did a workaround running:
> ./configure --prefix=/usr --without-rlm_sql --without-rlm_sqlippool
> --without-rlm_sqlcounter --without-rlm_sql_log --without-rlm_sqlhpwippool

Working around means not fixing the issue. Do you also have the required LDAP development libraries etc installed? If you don't check the output of ./configure then you don't know what it is deciding to drop by itself.

alan
Re: Problems using freeradius with ldap
Hi,

> OK, I am trying to compile the fresh version, but when I run make, it outputs
> at the end:
>
> In file included from rlm_sqlippool.c:37:
> /root/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such
> file or directory

Ta-dah! That's your answer printed on the screen right there. You don't have the required libtool development headers installed. Depending on the distro this will be something like:

libtool-ltdl-devel
libtool-ltdl

alan
Re: Problems using freeradius with ldap
On Tuesday 04 September 2007 11:09:33 [EMAIL PROTECTED] wrote:
> Hi,
>
> > OK, I am trying to compile the fresh version, but when I run make, it
> > outputs at the end:
> >
> > In file included from rlm_sqlippool.c:37:
> > /root/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such
> > file or directory
>
> ta-dah! thats your answer printed on the screen right there. you dont have
> the required libtool development headers installed. depending on the
> distro this will be something like:
>
> libtool-ltdl-devel
> libtool-ltdl
>
> alan

Well, I did a workaround running:

./configure --prefix=/usr --without-rlm_sql --without-rlm_sqlippool --without-rlm_sqlcounter --without-rlm_sql_log --without-rlm_sqlhpwippool

But now, after configuring for using ldap and running radiusd -X it complains as follows:

Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
radiusd.conf[744] Failed to link to module 'rlm_ldap': rlm_ldap.so: cannot open shared object file: No such file or directory
radiusd.conf[1960] Unknown module "ldap".
radiusd.conf[1960] Failed to parse "ldap" entry.

Any ideas? Thanks again!

--
Sergio Belkin
Comunicación e Internet
Re: Problems using freeradius with ldap
On Tuesday 04 September 2007 02:24:16 Alan DeKok wrote:
> Sergio Belkin wrote:
> > I have problem when in Fedora 4 (sadly in my job I cannot change this)
> > using radtest against LDAP
> > ...
> > freeradius-1.0.4-1.FC4.1
>
> I am STRONGLY inclined to tell people using 3-year old versions of the
> server that they can get support from the FC project, not from us.
>
> And that version has a number of problems. See
> http://freeradius.org/security.html
>
> Despite using FC4, you *can* upgrade FreeRADIUS to a sane version by
> installing the "tar" file by hand.

OK, I am trying to compile the fresh version, but when I run make, it outputs at the end:

In file included from rlm_sqlippool.c:37:
/root/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such file or directory
In file included from rlm_sqlippool.c:37:
/root/freeradius-1.1.7/src/include/modpriv.h:16: error: syntax error before 'lt_dlhandle'
/root/freeradius-1.1.7/src/include/modpriv.h:16: warning: no semicolon at end of struct or union
/root/freeradius-1.1.7/src/include/modpriv.h:17: warning: type defaults to 'int' in declaration of 'module_list_t'
/root/freeradius-1.1.7/src/include/modpriv.h:17: warning: data definition has no type or storage class
/root/freeradius-1.1.7/src/include/modpriv.h:27: error: syntax error before 'module_list_t'

And a lot of other errors about "rlm_sqlippool.c". How can I fix it?

Thanks in advance

> Alan DeKok.

--
Sergio Belkin
Comunicación e Internet
Re: Problems using freeradius with ldap
Sergio Belkin wrote:
> I have problem when in Fedora 4 (sadly in my job I cannot change this) using
> radtest against LDAP
...
> freeradius-1.0.4-1.FC4.1

I am STRONGLY inclined to tell people using 3-year old versions of the server that they can get support from the FC project, not from us.

And that version has a number of problems. See http://freeradius.org/security.html

Despite using FC4, you *can* upgrade FreeRADIUS to a sane version by installing the "tar" file by hand.

Alan DeKok.
Re: Problems using freeradius with ldap
You are picking up Auth-Type System from the users file. Comment it out.

Ivan Kalik
Kalik Informatika ISP

On 3/9/2007, "Sergio Belkin" <[EMAIL PROTECTED]> writes:

>I have a problem in Fedora 4 (sadly, in my job I cannot change this) when
>using radtest against LDAP
>
>Package versions:
>openldap-servers-2.2.29-1.FC4
>openldap-clients-2.2.29-1.FC4
>openldap-2.2.29-1.FC4
>freeradius-1.0.4-1.FC4.1
>
>This is part of /etc/raddb/radiusd.conf:
>
>ldap {
>        server = "localhost"
>        basedn = "ou=people,dc=mydomain,dc=com"
>        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>        dictionary_mapping = ${raddbdir}/ldap.attrmap
>        ldap_connections_number = 5
>        password_attribute = userPassword
>(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)
>(uniquemember=%{Ldap-UserDn})))"
>        timeout = 4
>        timelimit = 3
>        net_timeout = 1
>}
>
>authorize {
>        chap
>        mschap
>        suffix
>        eap
>        files
>        ldap
>        checkval
>}
>
>And this is a portion of /etc/raddb/users:
>DEFAULT Auth-Type = System
>        Fall-Through = 1
>DEFAULT Auth-Type = LDAP
>        Fall-Through = 1
>
>
>I've appended the schemas in /etc/openldap/slapd.conf:
>/usr/share/doc/freeradius-1.0.4/RADIUS-LDAPv3.schema
>/usr/share/doc/freeradius-1.0.4/RADIUS-LDAP.schema
>
>Well, when I issue radtest in debug mode I get:
>radtest testuser sample localhost 0 testing123
>Sending Access-Request of id 88 to 127.0.0.1:1812
>        User-Name = "testuser"
>        User-Password = "sample"
>        NAS-IP-Address = host.mydomain.com
>        NAS-Port = 0
>rad_recv: Access-Request packet from host 127.0.0.1:42077, id=88, length=58
>        User-Name = "testuser"
>        User-Password = "sample"
>        NAS-IP-Address = 255.255.255.255
>        NAS-Port = 0
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 2
>  modcall[authorize]: module "preprocess" returns ok for request 2
>  modcall[authorize]: module "chap" returns noop for request 2
>  modcall[authorize]: module "mschap" returns noop for request 2
>    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 2
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 2
>    users: Matched entry DEFAULT at line 152
>    users: Matched entry DEFAULT at line 155
>  modcall[authorize]: module "files" returns ok for request 2
>rlm_ldap: - authorize
>rlm_ldap: performing user authorization for testuser
>radius_xlat:  '(uid=testuser)'
>radius_xlat:  'ou=people,dc=mydomain,dc=com'
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: performing search in ou=people,dc=mydomain,dc=com, with filter (uid=testuser)
>rlm_ldap: Added password sample in check items
>rlm_ldap: looking for check items in directory...
>rlm_ldap: looking for reply items in directory...
>rlm_ldap: user testuser authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>  modcall[authorize]: module "ldap" returns ok for request 2
>modcall: group authorize returns ok for request 2
>  rad_check_password:  Found Auth-Type System
>auth: type "System"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 2
>  modcall[authenticate]: module "unix" returns notfound for request 2
>modcall: group authenticate returns notfound for request 2
>auth: Failed to validate the user.
>Delaying request 2 for 1 seconds
>Finished request 2
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Sending Access-Reject of id 88 to 127.0.0.1:42077
>Waking up in 4 seconds...
>rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=88, length=20
>17:20:33 [EMAIL PROTECTED] /etc/raddb
>$ --- Walking the entire request list ---
>Cleaning up request 2 ID 88 with timestamp 46dc6c8f
>Nothing to do.  Sleeping until we see a request.
>
>
>Please could you lend me a hand to resolve this issue?
>Thanks in advance!
>--
>Sergio Belkin
>Communication and Internet
>

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
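How the two DEFAULT entries in the quoted users file interact, as an added illustration in Python (not FreeRADIUS code): a minimal model of rlm_files walking the file with Fall-Through, and of rad_check_password taking the first Auth-Type it finds, which is why the log says "Found Auth-Type System" even though the LDAP entry also matched. The users-file excerpts are constructed from the one posted in the thread; only the "=" operator is modelled.

```python
"""Model of how FreeRADIUS 1.x rlm_files walks the users file and which Auth-Type
rad_check_password then picks. Added illustration only; not FreeRADIUS source."""
from typing import Dict, List, Optional, Tuple

Pair = Tuple[str, str]
Entry = Tuple[str, List[Pair], List[Pair]]   # (name, check items, reply items)

# Constructed excerpt modelled on the users file posted in the thread.
USERS_BROKEN = """\
DEFAULT Auth-Type = System
        Fall-Through = 1
DEFAULT Auth-Type = LDAP
        Fall-Through = 1
"""

# The same excerpt with the first entry commented out, as the reply advises.
USERS_FIXED = """\
#DEFAULT Auth-Type = System
#       Fall-Through = 1
DEFAULT Auth-Type = LDAP
        Fall-Through = 1
"""

# Check items that steer the server rather than describe the packet: rlm_files
# copies them into the request's config list instead of comparing them.
SERVER_ITEMS = {"Auth-Type", "Autz-Type", "Acct-Type", "Session-Type",
                "Strip-User-Name", "Crypt-Password"}


def _pairs(text: str) -> List[Pair]:
    """Split 'Attr = value, Attr = value' into pairs (only '=' is modelled)."""
    out: List[Pair] = []
    for item in text.split(","):
        if item.strip():
            attr, _, value = item.partition("=")
            out.append((attr.strip(), value.strip().strip('"')))
    return out


def parse_users(text: str) -> List[Entry]:
    """An unindented line opens an entry (name plus check items); indented lines
    that follow hold its reply items. '#' starts a comment."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace():
            if not entries:
                raise ValueError("reply item before any entry: %r" % raw)
            entries[-1][2].extend(_pairs(line))
        else:
            name, _, rest = line.partition(" ")
            entries.append((name, _pairs(rest), []))
    return entries


def authorize(entries: List[Entry], request: Dict[str, str]) -> List[Pair]:
    """Walk entries in file order like rlm_files: an entry matches when its name is
    DEFAULT or the User-Name and every ordinary check item equals the request
    attribute. Each match appends its server items; Fall-Through = 1 keeps walking."""
    config: List[Pair] = []
    for name, check, reply in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if any(a not in SERVER_ITEMS and request.get(a) != v for a, v in check):
            continue
        config.extend(p for p in check if p[0] in SERVER_ITEMS)
        if dict(reply).get("Fall-Through", "0").lower() not in ("1", "yes"):
            break
    return config


def found_auth_type(config: List[Pair]) -> Optional[str]:
    """rad_check_password uses the first Auth-Type in the config list, so the
    entry that comes first in the file wins, Fall-Through notwithstanding."""
    return next((v for a, v in config if a == "Auth-Type"), None)


def auth_type_for(users_text: str, username: str) -> Optional[str]:
    """Convenience wrapper: parse, authorize a bare User-Name, report the Auth-Type."""
    return found_auth_type(authorize(parse_users(users_text), {"User-Name": username}))


if __name__ == "__main__":
    print("as posted:", auth_type_for(USERS_BROKEN, "testuser"))             # System
    print("first entry commented out:", auth_type_for(USERS_FIXED, "testuser"))  # LDAP
```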
Problems using freeradius with ldap
I have a problem in Fedora 4 (sadly, in my job I cannot change this) when using radtest against LDAP.

Package versions:
openldap-servers-2.2.29-1.FC4
openldap-clients-2.2.29-1.FC4
openldap-2.2.29-1.FC4
freeradius-1.0.4-1.FC4.1

This is part of /etc/raddb/radiusd.conf:

ldap {
        server = "localhost"
        basedn = "ou=people,dc=mydomain,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)
(uniquemember=%{Ldap-UserDn})))"
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

authorize {
        chap
        mschap
        suffix
        eap
        files
        ldap
        checkval
}

And this is a portion of /etc/raddb/users:
DEFAULT Auth-Type = System
        Fall-Through = 1
DEFAULT Auth-Type = LDAP
        Fall-Through = 1

I've appended the schemas in /etc/openldap/slapd.conf:
/usr/share/doc/freeradius-1.0.4/RADIUS-LDAPv3.schema
/usr/share/doc/freeradius-1.0.4/RADIUS-LDAP.schema

Well, when I issue radtest in debug mode I get:
radtest testuser sample localhost 0 testing123
Sending Access-Request of id 88 to 127.0.0.1:1812
        User-Name = "testuser"
        User-Password = "sample"
        NAS-IP-Address = host.mydomain.com
        NAS-Port = 0
rad_recv: Access-Request packet from host 127.0.0.1:42077, id=88, length=58
        User-Name = "testuser"
        User-Password = "sample"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 155
  modcall[authorize]: module "files" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(uid=testuser)'
radius_xlat:  'ou=people,dc=mydomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=mydomain,dc=com, with filter (uid=testuser)
rlm_ldap: Added password sample in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  modcall[authenticate]: module "unix" returns notfound for request 2
modcall: group authenticate returns notfound for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 88 to 127.0.0.1:42077
Waking up in 4 seconds...
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=88, length=20
17:20:33 [EMAIL PROTECTED] /etc/raddb
$ --- Walking the entire request list ---
Cleaning up request 2 ID 88 with timestamp 46dc6c8f
Nothing to do.  Sleeping until we see a request.

Please could you lend me a hand to resolve this issue?
Thanks in advance!
--
Sergio Belkin
Communication and Internet

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius with ldap
satish patel wrote:
> I am going to install freeradius with ldap but my
> problem is I'm confused about ldap and chap. I want to implement VPDN and
> users authenticate through ldap, so will CHAP work or not? How can I
> configure the ldif file for users where I will define attributes? Is there
> any site regarding ldap with freeradius?
>

Does the LDAP database contain the clear-text password? Unless it does, you can't use CHAP for authentication. Use PAP if you don't.

Active Directory allows you to do MS-CHAPv2 against the system.

--
Martin Gadbois        | "Please answer by yes or no.
Sr. SW Designer       |  Uncooperative user waste precious CPU time"
Colubris Networks Inc.|  -- The Andromeda Strain, M. Crichton, 1969

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
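Why the clear-text requirement exists, as an added example in Python (not FreeRADIUS, OpenLDAP or list code): CHAP delivers only MD5(Ident || secret || challenge), so the server must hold the secret itself to recompute it, whereas PAP delivers the password and can be checked against a hashed {SSHA} userPassword. The stored values and salt are constructed; the same constraint is what rlm_mschap reports further down in the WLAN thread ("No User-Password configured. Cannot create NT-Password.").

```python
"""CHAP versus PAP against an LDAP userPassword value. Added illustration only;
not FreeRADIUS, OpenLDAP or mailing-list code."""
import base64
import hashlib
import hmac
import os


def ssha(password: str, salt: bytes) -> str:
    """Hashed userPassword in the {SSHA} form OpenLDAP can store:
    base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def pap_check(stored: str, candidate: str) -> bool:
    """PAP: the User-Password attribute carries the password itself, so the server
    can re-hash it and compare against whatever form the directory holds."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
    if stored.startswith("{"):
        raise ValueError("password scheme not modelled here: " + stored.split("}")[0] + "}")
    return hmac.compare_digest(stored.encode(), candidate.encode())   # clear text


def chap_password_attr(chap_id: int, secret: str, challenge: bytes) -> bytes:
    """Value the NAS puts in CHAP-Password (RFC 2865 section 5.3): the CHAP Ident
    byte followed by the RFC 1994 response MD5(Ident || secret || challenge)."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()


def chap_check(stored: str, challenge: bytes, chap_password: bytes) -> bool:
    """CHAP: only the MD5 response arrives, so the server has to recompute it from
    the clear-text secret; a hashed userPassword gives it nothing to work with.
    FreeRADIUS's rlm_chap likewise requires a clear-text password."""
    if stored.startswith("{"):
        raise ValueError("CHAP needs the clear-text password; the directory holds a hash")
    expected = chap_password_attr(chap_password[0], stored, challenge)
    return hmac.compare_digest(expected, chap_password)


def outcomes(stored: str, typed: str) -> dict:
    """Try both methods for one stored value; 'unusable' means the method cannot
    even be attempted with that storage form."""
    challenge = os.urandom(16)                     # CHAP-Challenge chosen by the NAS
    result = {"pap": pap_check(stored, typed)}
    try:
        result["chap"] = chap_check(stored, challenge, chap_password_attr(7, typed, challenge))
    except ValueError:
        result["chap"] = "unusable"
    return result


if __name__ == "__main__":
    salt = b"\x01\x02\x03\x04"                     # constructed, fixed for the demo
    print("clear text:", outcomes("sample", "sample"))          # {'pap': True, 'chap': True}
    print("{SSHA}:", outcomes(ssha("sample", salt), "sample"))  # {'pap': True, 'chap': 'unusable'}
```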
freeradius with ldap
Dear all,

I am going to install freeradius with ldap but my problem is I'm confused about ldap and chap. I want to implement VPDN and users authenticate through ldap, so will CHAP work or not? How can I configure the ldif file for users where I will define attributes? Is there any site regarding ldap with freeradius?

$ cat ~/satish/url.txt
System administrator ( Data Center )
please visit this site http://linux.tulipit.com

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Segmentation fault when using freeradius with LDAP and fedora core 3
Hi,

I'm using Fedora Core 3, openldap-2.2.13-2, freeradius-1.0.1-1.RHEL3. When I'm running the radius in debugging mode and trying to authenticate the user using the "radtest" command it gives a Segmentation fault like:

rad_recv: Access-Request packet from host xx.xx.xx.xx:41523, id=169, length=59
        User-Name = "testuser"
        User-Password = "^'\005#\014\373]\305m\\\311\013\345\373\201\237"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 214
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(uid=testuser)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to xx.xx.xx.xx:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=example/secret to xx.xx.xx.xx:389
Segmentation fault

Does anybody have an idea about this error?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WLAN 802.1x FreeRadius with LDAP
On Thursday 01 December 2005 09:19, Christian Poessinger wrote:
> Fixed it myself. After removing
>
> checkItem LM-Password userPassword
> checkItem NT-Password userPassword
>
> from the ldap.attrmap file, and adding
>
> checkItem userPasswordlmPassword
>
> instead, it worked. Now I can use RADIUS & LDAP to auth my WLAN clients.
>

Good!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WLAN 802.1x FreeRadius with LDAP
Christian Poessinger wrote:
> Zoltan Ori wrote:
>>
>> That's the problem, everything is uncommented. Comment out ntlm_auth
>> and with_ntdomain_hack. If you have plain text passwords, you aren't
>> authenticating to a Windows domain controller, you don't have
>> winbindd and nmbd running, you don't want them in your mschap
>> configuration.
>
> Sorry, my fault :), there was a typo in my last message. I double and
> triple-checked my configs but I don't find the error. Can you please
> have a look? I uploaded them to http://helix.mybll.de/raddb
>
> Thanks, Christian Poessinger

Fixed it myself. After removing

checkItem LM-Password userPassword
checkItem NT-Password userPassword

from the ldap.attrmap file, and adding

checkItem userPasswordlmPassword

instead, it worked. Now I can use RADIUS & LDAP to auth my WLAN clients.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WLAN 802.1x FreeRadius with LDAP
Zoltan Ori wrote:
>
> That's the problem, everything is uncommented. Comment out ntlm_auth
> and with_ntdomain_hack. If you have plain text passwords, you aren't
> authenticating to a Windows domain controller, you don't have
> winbindd and nmbd running, you don't want them in your mschap
> configuration.

Sorry, my fault :), there was a typo in my last message. I double and triple-checked my configs but I don't find the error. Can you please have a look? I uploaded them to http://helix.mybll.de/raddb

Thanks, Christian Poessinger

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WLAN 802.1x FreeRadius with LDAP
King, Michael wrote:
> Christian, that is what he is saying your problem is: everything is
> uncommented.

Sorry, with "uncommented" I meant that all is commented out. Sorry, my fault.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WLAN 802.1x FreeRadius with LDAP
On Tuesday 29 November 2005 13:56, Christian Poessinger wrote:
> Nope, there is everything uncommented. I also tried to add this to the
> ldap.attrmap file:
>

That's the problem, everything is uncommented. Comment out ntlm_auth and with_ntdomain_hack. If you have plain text passwords, you aren't authenticating to a Windows domain controller, you don't have winbindd and nmbd running, you don't want them in your mschap configuration.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WLAN 802.1x FreeRadius with LDAP
> Zoltan Ori wrote:
>> You have ntlm_auth in your mschap configuration. You don't want that
>> for LDAP.
>> You don't need anything NT in that module. The default configuration
>> had everything commented out but authtype = MS-CHAP. Start with that
>> and then add what you need.
>
> Nope, there is everything uncommented. I also tried to add this to the
> ldap.attrmap file:

Christian, that is what he is saying your problem is: everything is uncommented.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WLAN 802.1x FreeRadius with LDAP
Zoltan Ori wrote:
> You have ntlm_auth in your mschap configuration. You don't want that
> for LDAP.
> You don't need anything NT in that module. The default configuration
> had everything commented out but authtype = MS-CHAP. Start with that
> and then add what you need.

Nope, there is everything uncommented. I also tried to add this to the ldap.attrmap file:

checkItem LM-Password userPassword
checkItem NT-Password userPassword

But this didn't have any effect either.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WLAN 802.1x FreeRadius with LDAP
On Tuesday 29 November 2005 11:07, Christian Poessinger wrote:
>> You didn't configure a password for the user.
>
> Yes, I did. I have a userPassword attribute in my LDAP backend, also
> it contains a clear text password. I can fully use this account in
> the backend for ftp/ssh/http but not with peap/mschapv2 over radius.
>

You have ntlm_auth in your mschap configuration. You don't want that for LDAP.
You don't need anything NT in that module. The default configuration had everything commented out but authtype = MS-CHAP. Start with that and then add what you need.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WLAN 802.1x FreeRadius with LDAP
Michael Griego wrote:
> Your problem lies here:
>
> modcall: entering group Auth-Type for request 6
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for USERNAME with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> modcall[authenticate]: module "mschap" returns reject for request 6
> modcall: group Auth-Type returns reject for request 6
>
>
> You didn't configure a password for the user.

Yes, I did. I have a userPassword attribute in my LDAP backend, also it contains a clear text password. I can fully use this account in the backend for ftp/ssh/http but not with peap/mschapv2 over radius.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WLAN 802.1x FreeRadius with LDAP
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Christian Poessinger
> Sent: Tuesday, November 29, 2005 10:12 AM
> To: 'FreeRadius users mailing list'
> Subject: RE: WLAN 802.1x FreeRadius with LDAP
>
>
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
>

Does PEAP work with LDAP? I think the passwords have to be stored in cleartext?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WLAN 802.1x FreeRadius with LDAP
Your problem lies here:

modcall: entering group Auth-Type for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for USERNAME with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: group Auth-Type returns reject for request 6

You didn't configure a password for the user.

--Mike

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WLAN 802.1x FreeRadius with LDAP
Zoltan Ori wrote:
>
> Are there any other errors in the log? The actual reason for
> rejection may come long before that.
>

Here is the complete log:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
 ldap: server = "localhost"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = ""
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
 ldap: basedn = "ou=people,dc=domain,dc=de"
 ldap: filter = "(uid=%u)"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "userPassword"
 ldap: access_attr = "uid"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiu
Re: WLAN 802.1x FreeRadius with LDAP
On Tuesday 29 November 2005 08:53, Christian Poessinger wrote:
> I requested and installed this fix, but I still get the same error message
> on the radius server.
>
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: Received EAP-TLV response.
> rlm_eap_peap: Tunneled data is valid.
> rlm_eap_peap: Had sent TLV failure, rejecting.
> rlm_eap: Handler failed in EAP/peap
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module "eap" returns invalid for request 7
> modcall: group authenticate returns invalid for request 7
> auth: Failed to validate the user.
>

Are there any other errors in the log? The actual reason for rejection may come long before that.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WLAN 802.1x FreeRadius with LDAP
Zoltan Ori wrote:
> On Monday 28 November 2005 12:32, Christian Poessinger wrote:
>> rlm_eap_peap: Had sent TLV failure, rejecting.
>
> Use the latest available drivers for your wireless adaptor. I've
> encountered many strange connectivity issues that are fixed with new
> drivers.
>
> If the supplicant is XP SP2 you may need the Windows KB885453 hot fix.
>
> http://support.microsoft.com/?kbid=885453
>

I requested and installed this fix, but I still get the same error message on the radius server.

rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WLAN 802.1x FreeRadius with LDAP
On Monday 28 November 2005 12:32, Christian Poessinger wrote:
> rlm_eap_peap: Had sent TLV failure, rejecting.

Use the latest available drivers for your wireless adaptor. I've encountered many strange connectivity issues that are fixed with new drivers.

If the supplicant is XP SP2 you may need the Windows KB885453 hot fix.

http://support.microsoft.com/?kbid=885453

You would have to beg Microsoft for it, but fortunately, it is available from many other sources on the Web. KB890937 supposedly includes this fix as well, but I've not used it.

The KB893357 WPA2 roll-up may also be applied. It doesn't address this problem but does seem to shorten the time taken to get the login prompt and connect.

http://support.microsoft.com/?kbid=893357

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WLAN 802.1x FreeRadius with LDAP
Zoltan A. Ori wrote:
> On Sunday 27 November 2005 06:52, Christian Poessinger wrote:
>>
>> Yes, I'm trying to use PEAP, I have configured MS-CHAPv1 as
>> described in many Howtos.
>>
>
> MS-CHAP V2 is in the Howtos of PEAP that I have read. In any case,
> there is no mschap info in the tunnel, which is indicated in the error
> message:
>
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
> TLS Alert read:fatal:access denied
> rlm_eap_peap: No data inside of the tunnel.
>
> The error messages in FreeRADIUS are very informative and always
> right on the money in the cases I've experienced.
>
> At this point, I would check to see what my supplicant was configured
> to send and then check my eap.conf to make sure that RADIUS was
> configured to receive it.

OK, I redesigned my CA. I haven't done that xpextensions stuff; now I don't receive the error above anymore. But now I get a new one :/ Any new ideas?

rlm_ldap: user XXX authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 35
modcall: group authorize returns updated for request 35
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 35
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Had sent TLV failure, rejecting.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 35
modcall: group authenticate returns invalid for request 35
auth: Failed to validate the user.
Delaying request 35 for 1 seconds
Finished request 35
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host xxx.xxx.xxx.109:6001, id=36, length=166
Sending Access-Reject of id 36 to xxx.xxx.xxx.109:6001
        EAP-Message = 0x04080004
        Message-Authenticator = 0x
--- Walking the entire request list ---
Waking up in 2 seconds...

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WLAN 802.1x FreeRadius with LDAP
Konne <[EMAIL PROTECTED]> wrote:
> Can somebody post a howto that describes the configuration:
>
> - peap/mschapv2 with ldap and freeradius
> - client configuration (M$ Windows XP, SecureW2)

http://www.freeradius.org/doc/ contains multiple howtos.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WLAN 802.1x FreeRadius with LDAP
On Monday 28 November 2005 04:31, Konne wrote:
> hi
>
> Can somebody post a howto that describes the configuration:
>
> - peap/mschapv2 with ldap and freeradius
> - client configuration (M$ Windows XP, SecureW2)
>
> thx

There are many howtos available that can be found by searching the mail archives or googling. Before you spend a lot of time on them, read the documentation that comes with FreeRADIUS and study the .conf files so that you might understand what's really going on. Many want to do a quick configuration based on a howto that doesn't always fit their case. When things go wrong, they don't know what to do and the howto can't help.

See /doc in your FreeRADIUS sources for ldap documentation. The comments in eap.conf tell you how to do peap/mschapv2.

As far as I know, SecureW2 does not do PEAP. You will have to use XP's native supplicant. The configuration is straightforward but depends on what you are trying to do.

Zoltan Ori

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WLAN 802.1x FreeRadius with LDAP
hi

Can somebody post a howto that describes the configuration:

- peap/mschapv2 with ldap and freeradius
- client configuration (M$ Windows XP, SecureW2)

thx

Zoltan A. Ori wrote:
> On Sunday 27 November 2005 06:52, Christian Poessinger wrote:
>> Yes, I'm trying to use PEAP, I have configured MS-CHAPv1 as described
>> in many Howtos.
>
> MS-CHAP V2 is in the Howtos of PEAP that I have read. In any case, there
> is no mschap info in the tunnel, which is indicated in the error message:
>
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
> TLS Alert read:fatal:access denied
> rlm_eap_peap: No data inside of the tunnel.
>
> The error messages in FreeRADIUS are very informative and always right
> on the money in the cases I've experienced.
>
> At this point, I would check to see what my supplicant was configured to
> send and then check my eap.conf to make sure that RADIUS was configured
> to receive it.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WLAN 802.1x FreeRadius with LDAP
On Sunday 27 November 2005 06:52, Christian Poessinger wrote:
>
> Yes, I'm trying to use PEAP, I have configured MS-CHAPv1 as described
> in many Howtos.
>

MS-CHAP V2 is in the Howtos of PEAP that I have read. In any case, there is no mschap info in the tunnel, which is indicated in the error message:

rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.

The error messages in FreeRADIUS are very informative and always right on the money in the cases I've experienced.

At this point, I would check to see what my supplicant was configured to send and then check my eap.conf to make sure that RADIUS was configured to receive it.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WLAN 802.1x FreeRadius with LDAP
Zoltan A. Ori wrote:
>
> Are you trying to use PEAP/MSCHAP-V2? I don't see any mschapv2 in
> your logs.
>

Yes, I'm trying to use PEAP, I have configured MS-CHAPv1 as described in many Howtos.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WLAN 802.1x FreeRadius with LDAP
"Christian Poessinger" <[EMAIL PROTECTED]> wrote: > I tripplechecked the configs and found nothing. As i said, radtest works > fine. Ist this EAP thing. You haven't said what supplicant you're using. Also, it doesn't help that radtest works. radtest doesn't do EAP, so it's testing a completely different code path. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WLAN 802.1x FreeRadius with LDAP
On Saturday 26 November 2005 13:58, Christian Poessinger wrote:
> Zoltan A. Ori wrote:
>> I'm not an expert and am often wrong, but I don't think FreeRADIUS is
>> the problem here. Everything is working up to that point. Does it
>> break at the same place every time? Double check the NAS and
>> supplicant configurations.
>
> I triple-checked the configs and found nothing. As I said, radtest works
> fine. It's this EAP thing.
>

Are you trying to use PEAP/MSCHAP-V2? I don't see any mschapv2 in your logs.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WLAN 802.1x FreeRadius with LDAP
Zoltan A. Ori wrote:
> I'm not an expert and am often wrong, but I don't think FreeRADIUS is
> the problem here. Everything is working up to that point. Does it
> break at the same place every time? Double check the NAS and
> supplicant configurations.

I triple-checked the configs and found nothing. As I said, radtest works fine. It's this EAP thing.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WLAN 802.1x FreeRadius with LDAP
On Saturday 26 November 2005 12:27, Christian Poessinger wrote:
> Zoltan A. Ori wrote:
>> On Saturday 26 November 2005 08:50, Christian Poessinger wrote:
>>> rlm_eap_peap: Session established. Decoding tunneled attributes.
>>> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
>>> TLS Alert read:fatal:access denied
>>> rlm_eap_peap: No data inside of the tunnel.
>>> rlm_eap: Handler failed in EAP/peap
>>> rlm_eap: Failed in EAP select
>>> modcall[authenticate]: module "eap" returns invalid for request 5
>>> modcall: group authenticate returns invalid for request 5
>>> auth: Failed to validate the user.
>>
>> The lines just before the reject hold the clue.
>>
>> Zoltan Ori
>
> What to do? I'm running the latest version out of the FreeBSD portage tree.
> I can't find anything on google.
>

I'm not an expert and am often wrong, but I don't think FreeRADIUS is the problem here. Everything is working up to that point. Does it break at the same place every time? Double check the NAS and supplicant configurations.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WLAN 802.1x FreeRadius with LDAP
Zoltan A. Ori wrote:
> On Saturday 26 November 2005 08:50, Christian Poessinger wrote:
>
>> rlm_eap_peap: Session established. Decoding tunneled attributes.
>> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
>> TLS Alert read:fatal:access denied
>> rlm_eap_peap: No data inside of the tunnel.
>> rlm_eap: Handler failed in EAP/peap
>> rlm_eap: Failed in EAP select
>> modcall[authenticate]: module "eap" returns invalid for request 5
>> modcall: group authenticate returns invalid for request 5
>> auth: Failed to validate the user.
>
> The lines just before the reject hold the clue.
>
> Zoltan Ori

What to do? I'm running the latest version out of the FreeBSD portage tree. I can't find anything on google.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WLAN 802.1x FreeRadius with LDAP
On Saturday 26 November 2005 08:50, Christian Poessinger wrote:
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
> TLS Alert read:fatal:access denied
> rlm_eap_peap: No data inside of the tunnel.
> rlm_eap: Handler failed in EAP/peap
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module "eap" returns invalid for request 5
> modcall: group authenticate returns invalid for request 5
> auth: Failed to validate the user.

The lines just before the reject hold the clue.

Zoltan Ori
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
WLAN 802.1x FreeRadius with LDAP
Hello folks,

I want to do a setup with a HP Procurve 520wl Access Point, OpenLDAP and FreeRadius with 802.1x and users in my LDAP backend. LDAP and Radius work fine: when I do a radtest user pass radius.domain.tld 0 secret I get an access accept package back. Now I configured my AP to use the Radius server for 802.1x auth; when I want to log on to the WLAN I enter my user and pass that just worked with radtest, but I receive an access reject package. This is really strange cause the Radius debug mode tells me LDAP connection successful. I use clear passwords in the backend, so there should be no problem. Anyone has an idea for my problem?

Here is the Radius debug message with the access reject packet:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat: '(uid=user)'
radius_xlat: 'ou=people,dc=domain,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=user)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 11 to xxx.xxx.164.26:6001
	EAP-Message = 0x0105040619407c917840ad1cf254e5ca549ca9b1053de4de1e704dc6eb9cec86a35eafabe5 2f60e8ee1a9697a755a713be14acd2db7f3402acb70864e3139ef470c900d024f2fd0f455b94 028c87d7a170ce86f302e35c4e658d09f17016227f0003cf308203cb30820334a00302010202 0900927540ab5d693004300d06092a864886f70d01010405003081a0310b3009060355040613 0244453110300e06035504081307426176617269613112301006035504071309577565727a62 75726731163014060355040a130d4765466f656b6f4d20652e562e31193017060355040b1310 4765466f656b6f4d20652e562e20434131193017060355040313
	EAP-Message = 0x104765466f656b6f4d20652e562e204341311d301b06092a864886f70d010901160e636140 6765666f656b6f6d2e6465301e170d3035303531363137313832335a170d3036303531363137 313832335a3081a0310b30090603550406130244453110300e06035504081307426176617269 613112301006035504071309577565727a6275726731163014060355040a130d4765466f656b 6f4d20652e562e31193017060355040b13104765466f656b6f4d20652e562e20434131193017 060355040313104765466f656b6f4d20652e562e204341311d301b06092a864886f70d010901 160e6361406765666f656b6f6d2e646530819f300d06092a8648
	EAP-Message = 0x86f70d010101050003818d0030818902818100c8124b32b761710b8c576a5b8f566a1dd8cc 97c423dfd8901cd58b9e90960328233879b3a09ebda855dbaa4376c00318ebc1767173051ae1 5995a1d41c9a6289707d5f7dd1e608ca5071e2aeb99092204f9386789c9ec8d5f754a26e9940 297ffbe547b5d0cf5ee16566abcc7578e25ac6a3b5e57befee43f2828174d27db19f02030100 01a382010930820105301d0603551d0e04160414ac6e4891d5a749d6548d7eda627ca2d64d12 d2693081d50603551d230481cd3081ca8014ac6e4891d5a749d6548d7eda627ca2d64d12d269 a181a6a481a33081a0310b30090603550406130244453110300e
	EAP-Message = 0x06035504081307426176617269613112301006035504071309577565727a62757267311630 14060355040a130d4765466f656b6f4d20652e562e31193017060355040b13104765466f656b 6f4d20652e562e20434131193017060355040313104765466f656b6f4d20652e562e20434131 1d301b06092a864886f70d010901160e6361406765666f656b6f6d2e6465820900927540ab5d 693004300c0603551d13040530030101ff300d06092a864886f70d0101040500038181004a36 34f23e46d180ec87122ee39ba0c6757d22a23ec39a38e3f282e82efb7428b83d04f665e28b00 e99a88217803c1abb4a0bc90fe6a51a37eec1c1868853a5436d5
	EAP-Message = 0x9035f217c35ab4d53d6f1e3d11cdeabc9f77
	Message-Authenticator = 0x
	State = 0xc479631c6d6d413371d8af0ebf14ac4f
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host xxx.xxx.164.26:6001, id=12, length=155
	User-Name = "user"
	NAS-IP-Address = xxx.xxx.1.66
	Called-Station-Id = "00-08-88-12-2e-3f"
	Calling-Station-Id = "00-0d-37-ab-2f-c7"
	NAS-Identifier = "ORiNOCO-AP-2000-00-02-00"
	State = 0xc479631c6d6d413371d8af0ebf14ac4f
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x020500061900
	Message-Authenticator = 0xb07e446b64197c49b0ebaca6e799dc53
Processing the authorize section of
freeRadius with LDAP for MSCHAP & mac auth
Hello everyone...

I've set up a freeradius server with LDAP backend for MSCHAP, but now I have to set up a mac based auth on the same server, also with the same LDAP backend (but the mac info is found in another subtree). So I have made two ldap instances under modules, including MSCHAP...

modules {
	mschap {
		authtype = MS-CHAP
		use_mppe = yes
		require_encryption = yes
		require_strong = yes
	}
	ldap ldap_users {
		server = "81.yyy.xxx.xxx"
		basedn = "ou=People,dc=xxx,dc=xxx"
		filter = "(&(objectClass=posixAccount)(uid=%u))"
		start_tls = no
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		ldap_connections_number = 10
		timeout = 4
		timelimit = 3
		net_timeout = 1
	}
	ldap ldap_mac {
		server = "81.xxx.xxx.xxx"
		basedn = "ou=Hosts,dc=xxx,dc=xxx"
		filter = "(&(objectClass=ipHost)(ipHostNumber=%u))"
		start_tls = no
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		ldap_connections_number = 10
		timeout = 4
		timelimit = 3
		net_timeout = 1
	}
	...
} # modules end

instantiate {
	weekly_traffic # just a counter
}

authorize {
	mschap
	ldap_users
	ldap_mac
	weekly_traffic
}

authenticate {
	# MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}
	Auth-Type LDAP {
		ldap_mac
		ldap_users
	}
}

So what I actually need is: when my vpn server sends Access-Request packets with MS-CHAP attributes, I would like the mschap module to use the "ldap_users" part. And when an Access-Request packet with the mac address is received I would like to use ldap_mac ONLY!

Here is a part of my log file...
rad_recv: Access-Request packet from host 172.19.10.2:1024, id=22, length=193
	Framed-MTU = 1480
	NAS-IP-Address = 172.19.10.2
	NAS-Identifier = "HP2626-Verwaltung"
	User-Name = "00:0a:e4:22:c5:9d"
	Service-Type = Administrative-User
	Framed-Protocol = PPP
	NAS-Port = 10
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "10"
	Called-Station-Id = "00-14-38-2e-2c-76"
	Calling-Station-Id = "00-0a-e4-22-c5-9d"
	Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
	CHAP-Password = 0x1525d56e4e21bbbc83d5e49fa3be8173a5
Debug: Processing the authorize section of radiusd.conf
Debug: modcall: entering group authorize for request 0
Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Debug: modcall[authorize]: module "mschap" returns noop for request 0
Debug: modsingle[authorize]: calling ldap_users (rlm_ldap) for request 0
Debug: rlm_ldap: - authorize
Debug: rlm_ldap: performing user authorization for 00:0a:e4:22:c5:9d
Debug: radius_xlat: '(&(objectClass=posixAccount)(uid=00:0a:e4:22:c5:9d))'
Debug: radius_xlat: 'ou=People,dc=kolp,dc=at'
Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Debug: rlm_ldap: attempting LDAP reconnection
Debug: rlm_ldap: (re)connect to 81.189.101.10:389, authentication 0
Debug: rlm_ldap: bind as / to 81.189.101.10:389
Debug: rlm_ldap: waiting for bind result ...
Debug: rlm_ldap: Bind was successful
Debug: rlm_ldap: performing search in ou=People,dc=kolp,dc=at, with filter (&(objectClass=posixAccount)(uid=00:0a:e4:22:c5:9d))
Debug: rlm_ldap: object not found or got ambiguous search result
Debug: rlm_ldap: search failed
Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Debug: modsingle[authorize]: returned from ldap_users (rlm_ldap) for request 0
Debug: modcall[authorize]: module "ldap_users" returns notfound for request 0
Debug: modsingle[authorize]: calling ldap_mac (rlm_ldap) for request 0
Debug: rlm_ldap: - authorize
Debug: rlm_ldap: performing user authorization for 00:0a:e4:22:c5:9d
Debug: radius_xlat: '(&(objectClass=ipHost)(ipHostNumber=00:0a:e4:22:c5:9d))'
Debug: radius_xlat: 'ou=Hosts,dc=kolp,dc=at'
Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Debug: rlm_ldap: attempting LDAP reconnection
Debug: rlm_ldap: (re)connect to 81.189.101.10:389, authentication 0
Debug: rlm_ldap: bind as / to 81.189.101.10:389
Debug: rlm_ldap: waiting for bind result ...
Debug: rlm_ldap: Bind was successful
Debug: rlm_ldap: performing search in ou=Hosts,dc=kolp,dc=at, with filter (&(objectClass=ipHost)(ipHostNumber=00:0a:e4:22:c5:9d))
Debug: rlm_ldap: looking for check items in directory...
Debug: rlm_ldap: looking for reply items in directory...
Debug: rlm_ldap: Adding description as vid, value 20 & op=11
Debug: rlm_ldap: user 00:0a:e4:22:c5:9d authorized to use remote access
Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Debug: modsingle[authorize]: returned from ldap_mac (rlm_ldap) for request 0
Debug: modcall[authorize]: module "ldap_mac" returns ok for request 0
Debug: modsingle[
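Added example, not part of the thread and not FreeRADIUS configuration: the dispatch the post above asks for, modelled in Python over the two request shapes in the log (a VPN login carrying MS-CHAP attributes, and a switch MAC login where User-Name is the MAC). Two points a practitioner would want here: a MAC login is only sent to the hosts subtree when User-Name agrees with the Calling-Station-Id the switch reported, so a client cannot simply type a known MAC as its username; and the value is RFC 4515-escaped before it goes into the search filter, which anything that builds LDAP filters from RADIUS attributes must do. The sample requests and the hypothetical user "alice" are constructed for the example; the filters mirror the ones in the posted config, including the poster's choice of ipHostNumber for the MAC.

```python
import re
from typing import Dict, Optional

# RFC 4515 escaping for values interpolated into an LDAP search filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a string so it can be embedded as an assertion value in a filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


_MAC_RE = re.compile(
    r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]"
    r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$", re.I)


def normalize_mac(value: str) -> Optional[str]:
    """Return the canonical aa:bb:cc:dd:ee:ff form, or None if the value is not a MAC."""
    m = _MAC_RE.match(value.strip())
    if not m:
        return None
    return ":".join(part.lower() for part in m.groups())


def classify(req: Dict[str, str]) -> str:
    """Decide which LDAP instance should handle this request.

    "ldap_users" for MS-CHAP user logins, "ldap_mac" for MAC-address
    authentication, "reject" otherwise. A MAC login is only accepted when
    User-Name is a MAC *and* equals Calling-Station-Id: the switch supplies
    the latter, so a client cannot pick an arbitrary known MAC as its username.
    """
    if any(k in req for k in ("MS-CHAP-Challenge", "MS-CHAP-Response", "MS-CHAP2-Response")):
        return "ldap_users"
    user_mac = normalize_mac(req.get("User-Name", ""))
    calling_mac = normalize_mac(req.get("Calling-Station-Id", ""))
    if user_mac and user_mac == calling_mac:
        return "ldap_mac"
    return "reject"


def build_filter(req: Dict[str, str]) -> Optional[str]:
    """Build the search filter for the chosen instance, with the value escaped."""
    target = classify(req)
    if target == "ldap_users":
        return "(&(objectClass=posixAccount)(uid=%s))" % ldap_filter_escape(req["User-Name"])
    if target == "ldap_mac":
        # Mirrors the posted ldap_mac filter; the attribute choice is the poster's.
        return "(&(objectClass=ipHost)(ipHostNumber=%s))" % ldap_filter_escape(
            normalize_mac(req["User-Name"]))
    return None


# Constructed sample requests modelled on the two request types in the thread.
MAC_REQUEST = {
    "NAS-Identifier": "HP2626-Verwaltung",
    "User-Name": "00:0a:e4:22:c5:9d",
    "Calling-Station-Id": "00-0a-e4-22-c5-9d",
    "NAS-Port-Type": "Ethernet",
    "CHAP-Password": "0x1525d56e4e21bbbc83d5e49fa3be8173a5",
}
VPN_REQUEST = {  # hypothetical user "alice" from the VPN concentrator
    "User-Name": "alice",
    "MS-CHAP-Challenge": "0x" + "00" * 16,
    "MS-CHAP2-Response": "0x" + "00" * 50,
}
SPOOFED_REQUEST = {  # username claims a MAC the switch did not see
    "User-Name": "00:0a:e4:22:c5:9d",
    "Calling-Station-Id": "00-11-22-33-44-55",
}

if __name__ == "__main__":
    for name, r in (("mac", MAC_REQUEST), ("vpn", VPN_REQUEST), ("spoofed", SPOOFED_REQUEST)):
        print(name, classify(r), build_filter(r))
```

In a real deployment the same two tests (presence of MS-CHAP attributes; User-Name equal to Calling-Station-Id) are what the policy should key on, rather than trying every instance in turn and letting the first "ok" win as the posted authorize section does.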
RE: FreeRadius with LDAP
Rlm_ldap needs some openldap libraries to compile well on solaris. One solution is to install OpenLDAP even if you use Sun LDAP. This way the module will compile.

Regards,
--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Michael Mitchell
> Sent: Friday 18 February 2005 13:30
> To: freeradius-users@lists.freeradius.org
> Subject: Re: FreeRadius with LDAP
>
> dbx is your friend...
>
> But check to see that the ldap module actually built... unless you've
> got things installed in the default places, it can take a little work to
> get the ldap module to compile on Solaris...
>
> José Berenguer wrote:
> > Hello!
> >
> > We are trying to authenticate the last version of freeradius (1.0.1)
> > in Solaris 9 against LDAP and we are always getting the same error when
> > we try to start radius with the command:
> >
> > /usr/local/sbin/radiusd -S -X
> >
> > You can view the "radiusd.conf" and "users" files, and the error we
> > get is this:
> >
> > Module: Loaded exec
> > exec: wait = yes
> > exec: program = "(null)"
> > exec: input_pairs = "request"
> > exec: output_pairs = "(null)"
> > exec: packet_type = "(null)"
> > rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> > Module: Instantiated exec (exec)
> > Module: Loaded expr
> > Module: Instantiated expr (expr)
> > Module: Loaded PAP
> > pap: encryption_scheme = "crypt"
> > Module: Instantiated pap (pap)
> > Module: Loaded CHAP
> > Module: Instantiated chap (chap)
> > Segmentation Fault
> >
> > Anyone can help us?
> >
> > Thanks very much!
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius with LDAP
dbx is your friend...

But check to see that the ldap module actually built... unless you've got things installed in the default places, it can take a little work to get the ldap module to compile on Solaris...

José Berenguer wrote:
> Hello!
>
> We are trying to authenticate the last version of freeradius (1.0.1) in Solaris 9 against LDAP and we are always getting the same error when we try to start radius with the command:
>
> /usr/local/sbin/radiusd -S -X
>
> You can view the "radiusd.conf" and "users" files, and the error we get is this:
>
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Segmentation Fault
>
> Anyone can help us?
>
> Thanks very much!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius with LDAP
Hello!

We are trying to authenticate the last version of freeradius (1.0.1) in Solaris 9 against LDAP and we are always getting the same error when we try to start radius with the command:

/usr/local/sbin/radiusd -S -X

You can view the "radiusd.conf" and "users" files, and the error we get is this:

Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Segmentation Fault

Anyone can help us?

Thanks very much!
--
**
José Berenguer Giménez
Área de Comunicaciones-Servicio de Informática
UNIVERSIDAD DE ALMERÍA
Crta. de Sacramento s/n, 04120 - Almería
Tlf.: 950014014
E-mail: [EMAIL PROTECTED]
**

. . .

# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
	#
	# Each module has a configuration as follows:
	#
	#	name [ instance ] {
	#		config_item = value
	#		...
	#	}
	#
	# The 'name' is used to load the 'rlm_name' library
	# which implements the functionality of the module.
	#
	# The 'instance' is optional. To have two different instances
	# of a module, it first must be referred to by 'name'.
	# The different copies of the module are then created by
	# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
	#
	# The instance names can then be used in later configuration
	# INSTEAD of the original 'name'. See the 'radutmp' configuration
	# below for an example.
	#
	# PAP module to authenticate users based on their stored password
	#
	# Supports multiple encryption schemes
	# clear: Clear text
	# crypt: Unix crypt
	# md5: MD5 encryption
	# sha1: SHA1 encryption.
	# DEFAULT: crypt
	pap {
		encryption_scheme = crypt
	}

	# CHAP module
	#
	# To authenticate requests containing a CHAP-Password attribute.
	#
	chap {
		authtype = CHAP
	}

	# Pluggable Authentication Modules
	#
	# For Linux, see:
	#	http://www.kernel.org/pub/linux/libs/pam/index.html
	#
	# WARNING: On many systems, the system PAM libraries have
	# memory leaks! We STRONGLY SUGGEST that you do not
	# use PAM for authentication, due to those memory leaks.
	#
	pam {
		#
		# The name to use for PAM authentication.
		# PAM looks in /etc/pam.d/${pam_auth_name}
		# for its configuration. See 'redhat/radiusd-pam'
		# for a sample PAM configuration file.
		#
		# Note that any Pam-Auth attribute set in the 'authorize'
		# section will over-ride this one.
		#
		pam_auth = radiusd
	}

	# Unix /etc/passwd style authentication
	#
	unix {
		#
		# Cache /etc/passwd, /etc/shadow, and /etc/group
		#
		# The default is to NOT cache them.
		#
		# For FreeBSD and NetBSD, you do NOT want to enable
		# the cache, as its password lookups are done via a
		# database, so set this value to 'no'.
		#
		# Some systems (e.g. RedHat Linux with pam_pwbd) can
		# take *seconds* to check a password, when the passwd
		# file contains 1000's of entries. For those systems,
		# you should set the cache value to 'yes', and set
		# the locations of the 'passwd', 'shadow', and 'group'
		# files, below.
		#
		# allowed values: {no, yes}
		cache = no

		# Reload the cache every 600 seconds (10mins). 0 to disable.
		cache_reload = 600

		#
		# Define the locations of the normal passwd, shadow, and
		# group files.
		#
		# 'shadow' is commented out by default, because not all
		# systems have shadow passwords.
		#
FreeRadius with LDAP
Now I am using Freeradius with LDAP. My system GNUGK makes authentication in FreeRadius; afterwards Freeradius looks in the LDAP server. My authentication is okay, but FreeRadius needs to send the ALIAS to GNUGK. This ALIAS is a telephone number (E.164). In debug mode in Freeradius with "-X" I see:

- FreeRadius --
rlm_ldap: bind as cn=root,dc=mydomain,dc=com/teste to 146.164.247.236:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with filter (&(uid=ufrj4)(objectclass=radiusprofile))
rlm_ldap: Added password teste in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value CHAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding CISCO-AVPair as Service-Type, value h323-ivr-in=terminal-alias:ufrj4,025980003; & op=11
rlm_ldap: Adding CISCO-AV-Pair as Service-Type, value h323-ivr-in=terminal-alias:ufrj4,025980003; & op=11
rlm_ldap: Adding h323-ivr-out as Service-Type, value terminal-alias:ufrj4,025980002; & op=11
rlm_ldap: Adding h323-ivr-in as Service-Type, value terminal-alias:ufrj4,025980001; & op=11
rlm_ldap: user ufrj4 authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
modcall: entering group authtype for request 0
rlm_chap: login attempt by "ufrj4" with CHAP password
rlm_chap: Using clear text password teste for user ufrj4 authentication.
rlm_chap: chap user ufrj4 authenticated succesfully
modcall[authenticate]: module "chap" returns ok for request 0
modcall: group authtype returns ok for request 0
Sending Access-Accept of id 146 to 146.164.247.235:10061
Finished request 0
Going to the next request
--- end ---

I have another Freeradius that makes authentication in an SQL server; in that Freeradius there is a line with "sending". After this line radius sends the string "Cisco-AV-Pair".

- Cisco-AV-Pair ---
Sending Access-Accept of id 23 to 146.164.247.196:10201
	Cisco-AVPair = "h323-ivr-in=terminal-alias:mauricio,02598"
---

I don't know how I can tell freeradius to send this string to GNUGK.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> When I do not set Auth-Type TTLS/PAP works with users stored in the
> "users" files, PEAP/Ms-chap-v2 works with users from LDAP storage,
> but TTLS/PAP from LDAP doesn't work

And the debug log would tell you why. The FAQ also mentions something about statements like "it doesn't work".

Without looking at your configuration, I can tell that you've probably stored the passwords as NT-Passwords, so MS-CHAP works, but PAP doesn't. This isn't an issue for TTLS or PEAP, as it's completely independent of them.

The rlm_pap module could be updated to compare PAP passwords from the packet with NT-Passwords retrieved from somewhere else. This could probably go into 1.0.0, as there are a few other issues with building on certain platforms.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
> > Here's what I've to put in the "users" file to make it work :
> >
> > DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
> >	User-Name = `%{User-Name}`,
> >	Fall-Through = no
> >
> > But now PEAP/MSCHAPv2 doesn't work...
>
> If you had read the debug log, you would see WHY it doesn't work.
>
> Repeat it like a mantra: If you're not sure, DO NOT SET AUTH-TYPE.

When I do not set Auth-Type TTLS/PAP works with users stored in the "users" files, PEAP/Ms-chap-v2 works with users from LDAP storage, but TTLS/PAP from LDAP doesn't work

> The server will figure it out on its own.
>
> Alan DeKok.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> Now I've a working TTLS/PAP with LDAP storage configuration ;-)
>
> Here's what I've to put in the "users" file to make it work :
>
> DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
>	User-Name = `%{User-Name}`,
>	Fall-Through = no
>
> But now PEAP/MSCHAPv2 doesn't work...

If you had read the debug log, you would see WHY it doesn't work.

Repeat it like a mantra: If you're not sure, DO NOT SET AUTH-TYPE.

The server will figure it out on its own.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Rok Papez <[EMAIL PROTECTED]> wrote:
> > And you set "Auth-Type = EAP". DON'T DO THAT.
>
> I do that ;). I prefer to manualy set EAP when user tries to identify as
> "[EMAIL PROTECTED]". Users are *NOT* allowed to use any other authentication
> method :).

That's about the only time you should set it.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
> Try something like this for your check line:
>
> DEFAULT Freeradius-Proxied-To == 127.0.0.1, EAP-Message !* "", Auth-Type := PAP
>
> --Mike

Now it works! Thanks a lot!
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Try something like this for your check line:

DEFAULT Freeradius-Proxied-To == 127.0.0.1, EAP-Message !* "", Auth-Type := PAP

--Mike

On Mon, 2004-06-21 at 06:59, Christophe Saillard wrote:
> Hi,
>
> Now I've a working TTLS/PAP with LDAP storage configuration ;-)
>
> Here's what I've to put in the "users" file to make it work :
>
> DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
>	User-Name = `%{User-Name}`,
>	Fall-Through = no
>
> But now PEAP/MSCHAPv2 doesn't work...I've try a lot of combination
> (Auth-Type := MSCHAP Fall-Through = yes ...)
> but none seem to work...if someone has a clue ;-)
>
> Thanks for all !
>
> Bye.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Hi,

Now I've a working TTLS/PAP with LDAP storage configuration ;-)

Here's what I've to put in the "users" file to make it work:

DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
	User-Name = `%{User-Name}`,
	Fall-Through = no

But now PEAP/MSCHAPv2 doesn't work... I've tried a lot of combinations (Auth-Type := MSCHAP, Fall-Through = yes ...) but none seem to work... if someone has a clue ;-)

Thanks for all!

Bye.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Hello Christophe.

Christophe Saillard writes:
> > And you set "Auth-Type = EAP". DON'T DO THAT.

I do that ;). I prefer to manually set EAP when a user tries to identify as "[EMAIL PROTECTED]". Users are *NOT* allowed to use any other authentication method :).

> For the moment I've a running freeradius EAP-TTLS/PAP configuration which
> works fine. Now I'd like to get credentials from an existing LDAP user
> storage instead of the Freeradius "users" file (I store MD5 hashed
> password to have PAP compatibility).

1. It would be nice to see relevant parts of the config file
2. The `radiusd -Xxxx 2>&1 | tee logfile` output

> But there's some particular things I need to know :
> - how do I have to store password in the LDAP database (because I'd like
> to use TTLS/PAP) : crypt/MD5 hashed, clear text ?

That's an LDAP thingy.. Here is an example of ldap diff entry for userPassword:

userPassword: {crypt}$1$dK1Zl.Qp$khF3af1c7Te0cSf2w/tZO0

All you need is a type prefix in {...} and then a password hash. This is a perl code snippet that creates these hashes:

my $pass = '{crypt}' . crypt($plaintext_password,
	'$1$' . join("", ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64]) . '$');

The hash is the same kind as used in a /etc/shadow file. Check the crypt() man page for details.

=

And this is in my radiusd.conf file:

modules {
	pap {
		encryption_scheme = clear
	}
	# this is for the "files", passwords are plaintext there :)

	ldap {
		server = "localhost"
		basedn = "ou=users,dc=org,dc=tld"
		filter = "(attribWithUserName=%{User-Name})"
		start_tls = no
	}
	...

authenticate {
	Auth-Type EAP {
		eap
	}
	Auth-Type PAP {
		pap
	}
	Auth-Type LDAP {
		ldap
	}
}

> - what do I have to put in the "users" file ? (I know that auth-type :=
> EAP is wrong) ?

Contrary to Alan's advice O;-), I have this:

# User anonymous and [EMAIL PROTECTED] should be allowed
#
# activate eap for them
#
DEFAULT User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[EMAIL PROTECTED]", Auth-Type := EAP

# Users with a NULL realm should be rejected
#
DEFAULT Realm == NULL, Auth-Type := Reject
	Fall-Through = No

# 1. Accounting fix for AP
#
# 2. a static username files_test for testing
#
# 3. LDAP authentication for local users
#
DEFAULT Realm == org.tld, Freeradius-Proxied-To == 127.0.0.1
	User-Name = `%{User-Name}`,
	Fall-Through = yes

files_test Realm == org.tld, User-Password == ""

DEFAULT Realm == org.tld, Auth-Type := LDAP, Ldap-UserDN := `attribWithUserName=%{User-Name},ou=users,dc=org,dc=tld`, Freeradius-Proxied-To == 127.0.0.1

Do notice that I use the user's username/password to bind to LDAP. This is done with the "Ldap-UserDN" item.

> - if it's not possible to have TTLS/PAP authentication what can I do else
> (PEAP/Mschapv2 ...) ?

TTLS/PAP is working :). For MsCHAP you won't be able to use SecureW2 and you'll need to have plaintext passwords in LDAP.

> I hope my questions are not to stupid.

Radius configuration is not simple. The documentation is still lacking and you simply have to "learn as you go" ;). So don't feel like you are asking stupid questions.

--
Best regards,
Rok Papez.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> Now I'd like to get credentials from an existing LDAP user storage instead
> of the Freeradius "users" file

That shouldn't be a problem.

> (I store MD5 hashed password to have PAP compatibility).

That will make CHAP & MS-CHAP not work.

> The Ldap bind is ok and I got correct uid and password when I launch
> a 802.1X request from a laptop client.

I'm not sure what you mean by that.

> But there's some particular things I need to know :
> - how do I have to store password in the LDAP database (because I'd like
> to use TTLS/PAP) : crypt/MD5 hashed, clear text ?

MD5 is fine if you're only doing PAP authentication.

> - what do I have to put in the "users" file ? (I know that auth-type :=
> EAP is wrong) ?

Don't put anything in the "users" file.

> - if it's not possible to have TTLS/PAP authentication what can I do else
> (PEAP/Mschapv2 ...) ?

TTLS/PAP is possible.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Using Freeradius with LDAP storage and EAP-TTLS authentication
> And you set "Auth-Type = EAP". DON'T DO THAT.
>
> The "eap.conf" file has BIG HUGE COMMENTS saying DON'T DO THAT.
>
> It really means DON'T DO THAT.
>
> You're doing the exact opposite of what the documentation says, and as a result, it's not working. You might try following the recommendations of the server, which WILL allow it to work.
>
> Alan DeKok.

Ok. Sorry for being such a fool...

Here's what I want to do:

For the moment I've a running freeradius EAP-TTLS/PAP configuration which works fine. Now I'd like to get credentials from an existing LDAP user storage instead of the Freeradius "users" file (I store MD5 hashed passwords to have PAP compatibility).

The LDAP bind is ok and I get the correct uid and password when I launch an 802.1X request from a laptop client.

But there are some particular things I need to know:
- how do I have to store the password in the LDAP database (because I'd like to use TTLS/PAP): crypt/MD5 hashed, clear text?
- what do I have to put in the "users" file? (I know that auth-type := EAP is wrong)
- if it's not possible to have TTLS/PAP authentication, what else can I do (PEAP/Mschapv2 ...)?

I hope my questions are not too stupid.

Thanks.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> Fri Jun 18 14:11:31 2004 : Debug: rad_check_password: Found Auth-Type EAP
...
> Fri Jun 18 14:11:31 2004 : Debug: rlm_eap: Request not found in the list
> Fri Jun 18 14:11:31 2004 : Error: rlm_eap: Either EAP-request timed out
> OR EAP-response to an unknown EAP-request
...
> I use TTLS/PAP for authentication,

And you set "Auth-Type = EAP". DON'T DO THAT.

The "eap.conf" file has BIG HUGE COMMENTS saying DON'T DO THAT.

It really means DON'T DO THAT.

You're doing the exact opposite of what the documentation says, and as a result, it's not working. You might try following the recommendations of the server, which WILL allow it to work.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> For the moment I use Freeradius with EAP-TTLS and it works fine...now
> I'd like to get users credentials from an existing LDAP database.
>
> The LDAP server sends me a valid MD5 hashed password but I think
> something failed in my users file configuration.

Did you try running it in debugging mode, as suggested in the FAQ, README, INSTALL, and daily on this list?

> Does someone have such a working configuration ? If so, can you send a
> copy ?

Since no one knows what you're really trying to do, I doubt anyone will send you a configuration.

Follow the documented instructions for running the server and asking questions on this list.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Thanks for your help. I think I'm not far from the end but I still have problems. Here's the debug logs : [...] Fri Jun 18 14:11:17 2004 : Debug: rlm_ldap: performing search in dc=u-strasbg,dc=fr, with filter (uid=csaillard) request 6 done Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: Added password $1$QEnpt.4f$nixixczJ/xu0CnyuvaTLV/ in check items Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for check items in directory... Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for reply items in directory... Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: user csaillard authorized to use remote access Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Fri Jun 18 14:11:31 2004 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 4 Fri Jun 18 14:11:31 2004 : Debug: modcall[authorize]: module "ldap" returns ok for request 4 Fri Jun 18 14:11:31 2004 : Debug: modcall: group authorize returns updated for request 4 Fri Jun 18 14:11:31 2004 : Debug: rad_check_password: Found Auth-Type EAP Fri Jun 18 14:11:31 2004 : Debug: auth: type "EAP" Fri Jun 18 14:11:31 2004 : Debug: Processing the authenticate section of radiusd.conf Fri Jun 18 14:11:31 2004 : Debug: modcall: entering group Auth-Type for request 4 Fri Jun 18 14:11:31 2004 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 4 Fri Jun 18 14:11:31 2004 : Debug: rlm_eap: Request not found in the list Fri Jun 18 14:11:31 2004 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request Fri Jun 18 14:11:31 2004 : Debug: rlm_eap: Failed in handler Fri Jun 18 14:11:31 2004 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 4 Fri Jun 18 14:11:31 2004 : Debug: modcall[authenticate]: module "eap" returns invalid for request 4 Fri Jun 18 14:11:31 2004 : Debug: modcall: group Auth-Type returns invalid for request 4 Fri Jun 18 14:11:31 2004 : Debug: auth: Failed to validate the user. [...] 
I use TTLS/PAP for authentication, so you can see that the LDAP server sends an MD5 hashed password... but I'm not sure that's what I need. Could you tell me what kind of EAP method you use, and with what type of password hash? Thanks for your help! Bye.

--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tel: 03 90 24 03 17
Fax: 03 90 24 03 12
---
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
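The hash in the debug output above (`$1$...`) is the MD5-crypt format that LDAP servers usually store as `{crypt}$1$salt$hash` in userPassword. That format can only be checked when the server has the cleartext to hash and compare, which is exactly what an EAP-TTLS tunnel with an inner PAP exchange delivers: the cleartext travels inside TLS and the RADIUS server recomputes the salted hash. The following is an added, self-contained example (not code from this thread or from FreeRADIUS) that performs that comparison in Python; the salt, password and userPassword value are constructed for illustration, and the `verify_ldap_crypt` name is an assumption of this example.

```python
import hashlib
import hmac

# Alphabet used by crypt(3)-style hashes for the final base-64 encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Encode the low 6*count bits of value, least significant 6-bit group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: bytes, salt: str) -> str:
    """Compute a $1$ (MD5-crypt) hash following the reference algorithm
    (Poul-Henning Kamp's md5crypt, as used by crypt(3) and OpenLDAP {crypt})."""
    salt_b = salt[:8].encode()          # the salt is at most 8 characters
    magic = b"$1$"
    ctx = hashlib.md5(password + magic + salt_b)
    alt = hashlib.md5(password + salt_b + password).digest()
    remaining = len(password)
    while remaining > 0:                # mix in the alternate digest, len(pw) bytes worth
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                         # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):               # 1000 rounds of key stretching
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    # The 16 digest bytes are emitted in the permuted order the reference uses.
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return (magic + salt_b).decode() + "$" + encoded


def verify_ldap_crypt(user_password: str, candidate: str) -> bool:
    """Check a cleartext (e.g. the inner PAP password of an EAP-TTLS session)
    against an LDAP userPassword value of the form {crypt}$1$salt$hash.
    Returns False for any other scheme rather than guessing."""
    stored = user_password
    if stored.lower().startswith("{crypt}"):
        stored = stored[len("{crypt}"):]
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False                    # not MD5-crypt ({SSHA}, $6$, ... need other handlers)
    recomputed = md5_crypt(candidate.encode(), parts[2])
    # constant-time compare so a mismatch position cannot be timed
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    # Constructed sample: a directory entry whose userPassword was set with a
    # random 8-character salt, and two candidate passwords from an inner PAP.
    entry = "{crypt}" + md5_crypt(b"wifi-pass-2004", "ab12Cd34")
    print(entry)
    print("correct password accepted:", verify_ldap_crypt(entry, "wifi-pass-2004"))
    print("wrong password accepted:  ", verify_ldap_crypt(entry, "Wifi-pass-2004"))
```

The practical consequence for this thread is the one Christophe suspects: a `{crypt}` hash cannot be used with challenge-response inner methods such as MS-CHAPv2, because those need the cleartext or an NT hash on the server side; TTLS with inner PAP (or a switch to storing cleartext or NT-hash attributes in the directory) is what makes the LDAP-stored hash usable.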
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Hi Christophe.

Christophe Saillard writes:
> For the moment I use Freeradius with EAP-TTLS and it works fine...now I'd like to get users credentials form an existing LDAP database.
> The LDAP server sends me a valable MD5 hashed password but I think something failed in my users file configuration.

You should run the server in debug mode and check the output. I use this command:

    radiusd -Xxxx 2>&1 | tee logfile

> Does someone have such a working configuration ? If so, can you send a copy ?

    modules {
        ldap {
            server = "localhost"
            basedn = "ou=employees,dc=org,dc=tld"
            filter = "(PrincipalName=%{User-Name})"
            start_tls = no
        }
        [...]
    }

    authorize {
        preprocess
        auth_log
        attr_rewrite
        suffix
        group {
            # the files also activates EAP for user anonymous
            files {
                notfound = 1
                ok = return
            }
            ldap
        }
    }

    authenticate {
        Auth-Type EAP {
            eap
        }
        Auth-Type PAP {
            pap
        }
        Auth-Type LDAP {
            ldap
        }
    }

In the users file I have:

    # User anonymous and [EMAIL PROTECTED] should be allowed
    #
    # activate eap for them
    #
    anonymous       Auth-Type := EAP

    # Accounting fix for AP
    #
    # LDAP authentication for local users
    #
    DEFAULT Realm == org.tld, Freeradius-Proxied-To == 127.0.0.1
            User-Name = `%{User-Name}`,
            Fall-Through = yes

    DEFAULT Realm == org.tld, Auth-Type := LDAP, Ldap-UserDN := `PrincipalName=%{User-Name},ou=employees,dc=org,dc=tld`, Freeradius-Proxied-To == 127.0.0.1

--
Best regards,
Rok Papez.
Using Freeradius with LDAP storage and EAP-TTLS authentication
Hello,

For the moment I use Freeradius with EAP-TTLS and it works fine... now I'd like to get user credentials from an existing LDAP database. The LDAP server sends me a valid MD5 hashed password, but I think something failed in my users file configuration. Does someone have such a working configuration? If so, can you send a copy? Thanks. Bye.

--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tel: 03 90 24 03 17
Fax: 03 90 24 03 12
---