Re: Can't authenticate using LDAP (ldap+mysql+eap_ttls)
> Hi,
>
>> *It says "Found Auth-Type = EAP" although in sites-enabled/inner-tunnel I
>> have uncommented:
>>
>> Auth-Type LDAP {
>>     ldap
>> }
>
> but if inner-tunnel is invoked that means it's an EAP session being
> used

Of course! How did I miss that! So I should use EAP-TTLS/PAP? But how do I do that?

>> By the way, if I try to authenticate using same user via radtest server,
>> of course, don't go into the inner-tunnel and so I get authenticated.
>
> if you read the config files you will see that you can directly poke
> the inner-tunnel on the localhost by using the right port - assuming
> you are using a recent version of freeradius. you should also be using
> the eap testing tools rather than radtest if you want to directly
> simulate the types of packets being sent to your server (otherwise
> you are comparing apples and oranges...or HTTP to SSH!)
>
> alan

--
Respectfully,
Edgaras Lukoševičius
Kaunas College computer centre administrator
Pramones 20, Kaunas.
edga...@kauko.lt
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't authenticate using LDAP (ldap+mysql+eap_ttls)
Hi,

> *It says "Found Auth-Type = EAP" although in sites-enabled/inner-tunnel I
> have uncommented:
>
> Auth-Type LDAP {
>     ldap
> }

but if inner-tunnel is invoked that means it's an EAP session being used

> By the way, if I try to authenticate using same user via radtest server,
> of course, don't go into the inner-tunnel and so I get authenticated.

if you read the config files you will see that you can directly poke
the inner-tunnel on the localhost by using the right port - assuming
you are using a recent version of freeradius. you should also be using
the eap testing tools rather than radtest if you want to directly
simulate the types of packets being sent to your server (otherwise
you are comparing apples and oranges...or HTTP to SSH!)

alan
Freeradius AD, LDAP, MYSQL
Is it possible to configure freeradius to authenticate against Active Directory, LDAP and MySQL? I am looking to configure freeradius to hit Active Directory to see if a user exists, and if not, hit LDAP and the MySQL database for authentication. Since we can set it to hit LDAP then MySQL, I think it is possible for radius to hit AD, then LDAP, then MySQL. If this is true, how can I configure it to do so? Any help would be appreciated.

Thanks.

Ferno
Re: LDAP & MySQL
On Sat, 28 Feb 2004, Alan DeKok wrote:
> Jan-Piet Mens <[EMAIL PROTECTED]> wrote:
> > My `radcheck' MySQL table is empty
>
> That is most likely the problem. If nothing in the databases
> matches, then the replies aren't added.
>
> Add an attribute which will always match to the check table, and you
> should see the reply.

Can you give me a hint on what kind of attribute that could be?

Thanks & regards,
-JP
Re: LDAP & MySQL
Jan-Piet Mens <[EMAIL PROTECTED]> wrote:
> My `radcheck' MySQL table is empty

That is most likely the problem. If nothing in the databases
matches, then the replies aren't added.

Add an attribute which will always match to the check table, and you
should see the reply.

Alan DeKok.
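One way to follow the advice above, as an added example that is not part of the thread or of FreeRADIUS itself: give rlm_sql a radcheck row for the user that compares (with the `==` operator) against an attribute the NAS already sends in the Access-Request, so the check query returns a row and the module goes on to add the radreply items. The column names are the ones used by the radcheck query visible in the debug output later in the thread (id, UserName, Attribute, Value, op); the attribute and value chosen here (NAS-IP-Address 10.37.8.1) are taken from the request the poster sends with radclient, and the assumption that a `==` check item is satisfied when the request carries a matching attribute is standard FreeRADIUS check-item semantics.

```sql
-- Added example, not from the thread: a radcheck row that matches any
-- request for su00 coming from the NAS at 10.37.8.1.  The '==' operator
-- means "the request must contain this attribute with this value"; it is
-- not a reply item and it does not set a password, so LDAP still does the
-- authorization and the row only exists so that rlm_sql finds the user.
INSERT INTO radcheck (UserName, Attribute, op, Value)
VALUES ('su00', 'NAS-IP-Address', '==', '10.37.8.1');

-- What rlm_sql will now see (same SELECT the module logs in debug mode);
-- one row means the user is "found in radcheck" and radreply is consulted.
SELECT id, UserName, Attribute, Value, op
  FROM radcheck
 WHERE UserName = 'su00'
 ORDER BY id;

-- Constructed sanity check: the reply item this is meant to unlock, per the
-- radreply contents shown in the thread (id 6, Session-Timeout := 3737).
SELECT id, UserName, Attribute, op, Value
  FROM radreply
 WHERE UserName = 'su00'
 ORDER BY id;
```

If the NAS address is not fixed, the same pattern works with any attribute that is always present in the request (the thread's request also carries Service-Type = Framed-User, for instance); the point is that the check row must match, not what it matches on.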
Re: LDAP & MySQL
On Fri, 27 Feb 2004, Alan DeKok wrote:
> > the sql module wants me to have a Password == attribute
> > in the SQL table `radcheck', which I'd like to avoid.
>
> I don't see why. There's nothing in the module which requires a
> User-Password attribute in the database.
>
> Would you be willing to post the debug output which leads you to
> that conclusion?

My `users' file holds:

    DEFAULT NAS-IP-Address == 10.37.8.1, Realm == "NL"
            Cisco-AVPair = "ip:dns-servers=37.37.37.1 37.37.37.2",
            Fall-Through = no

I'm hitting the server with

    radclient -f /tmp/n hostname auth secret

where /tmp/n contains:

    User-Name = nl/su00
    User-Password = ts
    Service-Type = Framed-User
    NAS-IP-Address = 10.37.8.1
    NAS-Port-Type = Async

`radclient' reports:

    Received response ID 50, code 2, length = 64
            Cisco-AVPair = "ip:dns-servers=37.37.37.1 37.37.37.2"

My `radcheck' MySQL table is empty, and `radreply' holds:

    > select * from radreply where realm = 'NL';
    +----+----------+-----------------+----+-------+-------+
    | id | UserName | Attribute       | op | Value | realm |
    +----+----------+-----------------+----+-------+-------+
    |  6 | su00     | Session-Timeout | := | 3737  | NL    |
    +----+----------+-----------------+----+-------+-------+

[I've added a realm column and adjusted the queries in sql.conf accordingly]

This is the output of radiusd -X:

    Listening on IP address 10.0.243.143, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
    Ready to process requests.
    rad_recv: Access-Request packet from host 10.0.243.143:50261, id=50, length=65
            User-Name = "nl/su00"
            User-Password = "ts"
            Service-Type = Framed-User
            NAS-IP-Address = 10.37.8.1
            NAS-Port-Type = Async
    rad_lowerpair: User-Name now 'nl/su00'
    rad_rmspace_pair: User-Name now 'nl/su00'
    modcall: entering group authorize for request 0
      modcall[authorize]: module "preprocess" returns ok for request 0
      modcall[authorize]: module "chap" returns noop for request 0
        rlm_realm: Looking up realm "nl" for User-Name = "nl/su00"
        rlm_realm: Found realm "NL"
        rlm_realm: Adding Stripped-User-Name = "su00"
        rlm_realm: Proxying request from user su00 to realm NL
        rlm_realm: Adding Realm = "NL"
        rlm_realm: Authentication realm is LOCAL.
      modcall[authorize]: module "realmslash" returns noop for request 0
        rlm_realm: Request already proxied. Ignoring.
      modcall[authorize]: module "realmsuffix" returns noop for request 0
    rlm_ldap: Entering ldap_groupcmp()
    radius_xlat: 'dc=retail-sc,dc=com'
    radius_xlat: '(uid=su00)'
    ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to m1.intdus.retail-sc.com m2.intdus.retail-sc.com:389, authentication 0
    rlm_ldap: bind as cn=manager,dc=retail-sc,dc=com/fupdoc to m1.intdus.retail-sc.com m2.intdus.retail-sc.com:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: performing search in dc=retail-sc,dc=com, with filter (uid=su00)
    ldap_release_conn: Release Id: 0
    radius_xlat: '(&(uid=su00)(objectclass=radiusProfile))'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in dc=retail-sc,dc=com, with filter (&(radiusGroupName=disabled)(&(uid=su00)(objectclass=radiusProfile)))
    rlm_ldap: object not found or got ambiguous search result
    ldap_release_conn: Release Id: 0
    rlm_ldap::ldap_groupcmp: Group disabled not found or user is not a member.
        users: Matched DEFAULT at 13
      modcall[authorize]: module "files" returns ok for request 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for su00
    radius_xlat: '(uid=su00)'
    radius_xlat: 'dc=retail-sc,dc=com'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in dc=retail-sc,dc=com, with filter (uid=su00)
    rlm_ldap: Added password ts in check items
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user su00 authorized to use remote access
    ldap_release_conn: Release Id: 0
      modcall[authorize]: module "ldap" returns ok for request 0
    radius_xlat: 'su00'
    rlm_sql (sql): sql_set_user escaped user --> 'su00'
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'su00' ORDER BY id'
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'su00' ORDER BY id
    rlm_sql (sql): User su00 not found in radcheck
    ^^^
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'su00' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'su00' AND usergroup.GroupName = radgrou
Re: LDAP & MySQL
Jan-Piet Mens <[EMAIL PROTECTED]> wrote:
> the sql module wants me to have a Password == attribute
> in the SQL table `radcheck', which I'd like to avoid.

I don't see why. There's nothing in the module which requires a
User-Password attribute in the database.

Would you be willing to post the debug output which leads you to
that conclusion?

Alan DeKok.
LDAP & MySQL
Hello,

I'm using freeradius-0.9.3 and I'd like to perform authorization of my users against our LDAP directory, but the reply items should be retrieved from an SQL database (MySQL). I've now got

    authorize {
        preprocess
        chap
        realmslash
        realmsuffix
        files
        ldap
        sql
    }

working, but the sql module wants me to have a Password == attribute in the SQL table `radcheck', which I'd like to avoid. Is it possible to do this, and what would I need to change?

Thanks & regards,
-JP