Re: Can't authenticate using LDAP (ldap+mysql+eap_ttls)

2011-02-07 Thread Edgaras

> Hi,
>
>> *It says "Found Auth-Type = EAP" although in sites-enabled/inner-tunnel
>> I
>> have uncommented:
>>
>> Auth-Type LDAP {
>> ldap
>> }
>
> but if inner-tunnel is invoked that means it's an EAP session being
> used

Of course! How did I miss that!

So I should use EAP-TTLS/PAP? But how do I do that?


>
>> By the way, if I try to authenticate using the same user via radtest, the
>> server, of course, doesn't go into the inner-tunnel and so I get authenticated.
>
> If you read the config files you will see that you can directly poke
> the inner-tunnel on the localhost by using the right port - assuming
> you are using a recent version of freeradius.  You should also be using
> the EAP testing tools rather than radtest if you want to directly
> simulate the types of packets being sent to your server  (otherwise
> you are comparing apples and oranges... or HTTP to SSH!)
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


-- 
Regards,

Edgaras Lukoševičius
Administrator of the Kaunas College computer centre
Pramones 20, Kaunas.
edga...@kauko.lt

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Can't authenticate using LDAP (ldap+mysql+eap_ttls)

2011-02-07 Thread Alan Buxey
Hi,

> *It says "Found Auth-Type = EAP" although in sites-enabled/inner-tunnel I
> have uncommented:
> 
> Auth-Type LDAP {
> ldap
> }

but if inner-tunnel is invoked that means it's an EAP session being used

> By the way, if I try to authenticate using the same user via radtest, the
> server, of course, doesn't go into the inner-tunnel and so I get authenticated.

If you read the config files you will see that you can directly poke
the inner-tunnel on the localhost by using the right port - assuming
you are using a recent version of freeradius.  You should also be using
the EAP testing tools rather than radtest if you want to directly
simulate the types of packets being sent to your server  (otherwise
you are comparing apples and oranges... or HTTP to SSH!)

alan
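An added illustration of Alan's two suggestions, not part of either post. The EAP testing tool assumed here is eapol_test from the wpa_supplicant distribution (the post names no specific tool); it takes a network block like the one below to drive an EAP-TTLS session with PAP as the inner method, which is what lets the inner-tunnel's Auth-Type LDAP section see a plain User-Password. The identity and password are placeholders.

```conf
# Constructed eapol_test configuration for an EAP-TTLS/PAP test.
# Run with:  eapol_test -c ttls-pap.conf -a <radius server ip> -s <shared secret>
network={
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="testuser"
    password="testpassword"
    phase2="auth=PAP"
    # Point this at the CA that signed the server certificate so the test
    # also verifies the TLS tunnel instead of accepting any server:
    # ca_cert="/path/to/ca.pem"
}
```

To poke the inner-tunnel directly instead, the stock sites-available/inner-tunnel in FreeRADIUS 2.x carries a listen section bound to 127.0.0.1 port 18120, so radtest aimed at that port exercises the inner virtual server without any EAP framing.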


Freeradius AD, LDAP, MYSQL

2006-05-24 Thread fvt3
Is it possible to configure freeradius to authenticate
off from active directory, ldap and mysql?  I am
looking to configure freeradius to hit active
directory to see if user exist, if not hit ldap and
mysql database for authentication.  Since we can set
it to hit ldap then mysql, I think it is possible for
radius to hit AD then ldap then mysql.  If this is
true, how can I configure it to do so?  Any help would
be appreciated. Thanks.


Ferno



Re: LDAP & MySQL

2004-02-28 Thread Jan-Piet Mens
On Sat, 28 Feb 2004, Alan DeKok wrote:

> Jan-Piet Mens <[EMAIL PROTECTED]> wrote:
> > My `radcheck' MySQL table is empty
>
>   That is most likely the problem.  If nothing in the databases
> matches, then the replies aren't added.
>
>   Add an attribute which will always match to the check table, and you
> should see the reply.

Can you give me a hint on what kind of attribute that could be?

Thanks & regards,
-JP





Re: LDAP & MySQL

2004-02-28 Thread Alan DeKok
Jan-Piet Mens <[EMAIL PROTECTED]> wrote:
> My `radcheck' MySQL table is empty

  That is most likely the problem.  If nothing in the databases
matches, then the replies aren't added.

  Add an attribute which will always match to the check table, and you
should see the reply.

  Alan DeKok.

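A constructed Python model of the behaviour Alan describes, written for this thread and not taken from rlm_sql: reply rows for a user are only returned when the user has check rows and every one of them matches the request, so an empty radcheck yields "user not found" and no reply. The always-matching check item it uses (a regex on User-Name) is an assumption chosen for illustration; the sample rows mirror the radreply table posted earlier in the thread.

```python
import re

# Simplified model of SQL-backed authorization (constructed, not rlm_sql's code):
# a user with no radcheck rows is "not found", and radreply rows are only
# added when all of the user's check items match the request.

def check_matches(op, expected, actual):
    """Evaluate one check item (operator, configured value) against a request value."""
    if op == "==":
        return actual == expected
    if op == "!=":
        return actual != expected
    if op == "=~":
        return actual is not None and re.search(expected, actual) is not None
    if op == "!~":
        return actual is None or re.search(expected, actual) is None
    if op == ":=":
        # ':=' in a check list sets a control item; it never fails the comparison.
        return True
    raise ValueError("unsupported operator " + op)


def sql_authorize(request, radcheck, radreply, username):
    """Return the reply items for username, or None when the user is not matched."""
    checks = [r for r in radcheck if r["UserName"] == username]
    if not checks:
        return None  # no check rows: "User not found in radcheck", replies skipped
    for row in checks:
        if not check_matches(row["op"], row["Value"], request.get(row["Attribute"])):
            return None
    return {r["Attribute"]: r["Value"] for r in radreply if r["UserName"] == username}


# Constructed sample data mirroring the thread: the request after realm stripping
# and the single radreply row for su00.
REQUEST = {"User-Name": "nl/su00", "Stripped-User-Name": "su00", "Realm": "NL",
           "NAS-IP-Address": "10.37.8.1"}
RADREPLY = [{"UserName": "su00", "Attribute": "Session-Timeout", "op": ":=", "Value": "3737"}]
# Assumed always-matching check item: any User-Name satisfies the regex ".*".
ALWAYS_MATCH = [{"UserName": "su00", "Attribute": "User-Name", "op": "=~", "Value": ".*"}]

if __name__ == "__main__":
    print(sql_authorize(REQUEST, [], RADREPLY, "su00"))           # None
    print(sql_authorize(REQUEST, ALWAYS_MATCH, RADREPLY, "su00"))  # {'Session-Timeout': '3737'}
```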


Re: LDAP & MySQL

2004-02-27 Thread Jan-Piet Mens
On Fri, 27 Feb 2004, Alan DeKok wrote:

> > the sql module wants me to have a Password == attribute
> > in the SQL table `radcheck', which I'd like to avoid.
>
>   I don't see why.  There's nothing in the module which requires a
> User-Password attribute in the database.
>
>   Would you be willing to post the debug output which leads you to
> that conclusion?

My `users' file holds:

DEFAULT NAS-IP-Address == 10.37.8.1, Realm == "NL"
        Cisco-AVPair = "ip:dns-servers=37.37.37.1 37.37.37.2",
        Fall-Through = no

I'm hitting the server with
radclient -f /tmp/n hostname auth secret
where /tmp/n contains:
User-Name = nl/su00
User-Password = ts
Service-Type = Framed-User
NAS-IP-Address = 10.37.8.1
NAS-Port-Type = Async

`radclient' reports:
Received response ID 50, code 2, length = 64
Cisco-AVPair = "ip:dns-servers=37.37.37.1 37.37.37.2"


My `radcheck' MySQL table is empty, and `radreply' holds:

>  select * from radreply where realm = 'NL';
+----+----------+-----------------+----+-------+-------+
| id | UserName | Attribute       | op | Value | realm |
+----+----------+-----------------+----+-------+-------+
|  6 | su00     | Session-Timeout | := | 3737  | NL    |
+----+----------+-----------------+----+-------+-------+

[I've added a realm column and adjusted the queries in sql.conf accordingly]

This is the output of radiusd -X:

Listening on IP address 10.0.243.143, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.243.143:50261, id=50, length=65
User-Name = "nl/su00"
User-Password = "ts"
Service-Type = Framed-User
NAS-IP-Address = 10.37.8.1
NAS-Port-Type = Async
rad_lowerpair:  User-Name now 'nl/su00'
rad_rmspace_pair:  User-Name now 'nl/su00'
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
rlm_realm: Looking up realm "nl" for User-Name = "nl/su00"
rlm_realm: Found realm "NL"
rlm_realm: Adding Stripped-User-Name = "su00"
rlm_realm: Proxying request from user su00 to realm NL
rlm_realm: Adding Realm = "NL"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "realmslash" returns noop for request 0
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "realmsuffix" returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=retail-sc,dc=com'
radius_xlat:  '(uid=su00)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to m1.intdus.retail-sc.com m2.intdus.retail-sc.com:389, authentication 0
rlm_ldap: bind as cn=manager,dc=retail-sc,dc=com/fupdoc to m1.intdus.retail-sc.com m2.intdus.retail-sc.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=retail-sc,dc=com, with filter (uid=su00)
ldap_release_conn: Release Id: 0
radius_xlat:  '(&(uid=su00)(objectclass=radiusProfile))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=retail-sc,dc=com, with filter (&(radiusGroupName=disabled)(&(uid=su00)(objectclass=radiusProfile)))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group disabled not found or user is not a member.
users: Matched DEFAULT at 13
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for su00
radius_xlat:  '(uid=su00)'
radius_xlat:  'dc=retail-sc,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=retail-sc,dc=com, with filter (uid=su00)
rlm_ldap: Added password ts in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user su00 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
radius_xlat:  'su00'
rlm_sql (sql): sql_set_user escaped user --> 'su00'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'su00' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'su00' ORDER BY id
rlm_sql (sql): User su00 not found in radcheck
^^^
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'su00' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'su00' AND usergroup.GroupName = radgrou

Re: LDAP & MySQL

2004-02-27 Thread Alan DeKok
Jan-Piet Mens <[EMAIL PROTECTED]> wrote:
> the sql module wants me to have a Password == attribute
> in the SQL table `radcheck', which I'd like to avoid.

  I don't see why.  There's nothing in the module which requires a
User-Password attribute in the database.

  Would you be willing to post the debug output which leads you to
that conclusion?

  Alan DeKok.



LDAP & MySQL

2004-02-27 Thread Jan-Piet Mens
Hello,

I'm using freeradius-0.9.3 and I'd like to perform authorization
of my users against our LDAP directory, but the reply items
should be retrieved from an SQL database (MySQL).

I've now got

authorize {
        preprocess
        chap
        realmslash
        realmsuffix
        files
        ldap
        sql
}


working, but the sql module wants me to have a Password == attribute
in the SQL table `radcheck', which I'd like to avoid.

Is it possible to do this, and what would I need to change?

Thanks & regards,
-JP

