Re: Problem TTLS-LDAP

2005-06-15 Thread Vladimir Vuksan

alfonso celestino wrote:

> Thanks very much Alan,
> Now, I have a doubt.
>
> I am using EAP-TTLS to authenticate 802.11 users; I
> need to add my users to the users file like this:
>
> "User1" User-Password == "passwd1"
>
> "User2" User-Password == "passwd2"
>
> But instead of storing them in the users file I would
> like to use LDAP; is it possible to do that without
> having to stop using EAP-TTLS?

Check this out

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

Let me know if you have any other questions.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem TTLS-LDAP

2005-06-15 Thread Alan DeKok
alfonso celestino <[EMAIL PROTECTED]> wrote:
> But instead of storing them in the users file I would
> like to use LDAP; is it possible to do that without
> having to stop using EAP-TTLS?

  Yes.

  Alan DeKok.


Re: Problem TTLS-LDAP

2005-06-15 Thread alfonso celestino

Thanks very much Alan,
Now, I have a doubt.


I am using EAP-TTLS to authenticate 802.11 users; I
need to add my users to the users file like this:

"User1" User-Password == "passwd1"

"User2" User-Password == "passwd2"

But instead of storing them in the users file I would
like to use LDAP; is it possible to do that without
having to stop using EAP-TTLS?

Regards!!!

--- Alan DeKok <[EMAIL PROTECTED]> wrote:

> alfonso celestino <[EMAIL PROTECTED]> wrote:
> > rlm_ldap: Attribute "User-Password" is required
> for
> > authentication.
> ...
> > users file:
> > 
> > DEFAULT Auth-Type := LDAP
> >  Fall-Through = No
> 
>   Don't do that.  Read eap.conf.
> 
>   LDAP servers don't do EAP authentication.
> 
>   Alan DeKok.









Re: Problem TTLS-LDAP

2005-06-14 Thread Alan DeKok
alfonso celestino <[EMAIL PROTECTED]> wrote:
> rlm_ldap: Attribute "User-Password" is required for
> authentication.
...
> users file:
> 
> DEFAULT Auth-Type := LDAP
>  Fall-Through = No

  Don't do that.  Read eap.conf.

  LDAP servers don't do EAP authentication.

  Alan DeKok.


Problem TTLS-LDAP

2005-06-14 Thread alfonso celestino
Hi, everybody!

I have had a problem trying to use TTLS with
LDAP. I have seen solutions to this problem in this
mailing list, but I have not had success.

In the following line it seems that ldap performs
the comparison correctly:

rlm_ldap: user prueba authorized to use remote access


but after that this error comes:

rlm_ldap: Attribute "User-Password" is required for
authentication.
  modcall[authenticate]: module "ldap" returns invalid
for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.


Please, if someone has an idea to solve it, I will be
very grateful.

I attach my configuration files and the complete
result of the execution.

Thanks 
Alfonso Celestino
DGSCA, UNAM






Radius.conf File:


authenticate {


Auth-Type PAP {
pap
}

   
Auth-Type CHAP {
chap
}   

   
Auth-Type MS-CHAP {
mschap
}


Auth-Type LDAP {
ldap
}

unix
eap
}



authorize {

preprocess
chap
mschap
suffix
eap
files
ldap

}



ldap {

   server = "xxx.xxx.xxx.xxx"
   identity = "cn=redes,ou=admins,ou=radius,dc=mydomain,dc=com"
   password = secret
   basedn = "ou=users,ou=radius,dc=mydomain,dc=com"
   filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"

   password_attribute = "userPassword"
   authtype = ldap
   start_tls = no

 tls_cacertfile = /usr/local/radius/etc/raddb/certs/demoCA/cacert.pem
 tls_cacertdir  = /usr/local/radius/etc/raddb/certs
 tls_certfile   = /usr/local/radius/etc/raddb/certs/server.pem
 tls_keyfile= /usr/local/radius/etc/raddb/certs/demoCA/private/cakey.pem
 tls_randfile   = /usr/local/radius/etc/raddb/certs/random
 tls_require_cert   = "demand"

dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1

}


eap.conf file

 eap {

default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no

 tls {

private_key_password = secretpasswd
private_key_file = ${raddbdir}/certs/server.pem
certificate_file = ${raddbdir}/certs/server.pem
CA_file = ${raddbdir}/certs/root.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes

  
 }

ttls {

default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
 }

 mschapv2 {
}
  }



users file:


DEFAULT Auth-Type := LDAP
 Fall-Through = No

And I add to ldap.attrmap file the next:

checkItem   User-Password   userPassword
checkItem   LM-Password sambaLMPassword
checkItem   NT-Password sambaNTPassword





Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
Config:   including file: /usr/local/radius/etc/raddb/eap.conf
Config:   including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/radius/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 mai
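
The correction Alan points at, worked through as an added example: the fragments below are not the poster's files and are not text from eap.conf or the FreeRADIUS documentation. They assume the FreeRADIUS 1.x layout of this thread, in which the EAP-TTLS inner (tunneled) request passes through the same authorize and authenticate sections as the outer one. The cause of the posted error is visible in the posted config: `files` runs after `eap` in authorize, and `DEFAULT Auth-Type := LDAP` uses the `:=` operator, which overwrites the Auth-Type = EAP that rlm_eap had set. The outer EAP-TTLS request carries only an EAP-Message and never a User-Password, so rlm_ldap is handed a request it cannot bind with and returns invalid, which is exactly the log shown. Dropping that DEFAULT entry lets EAP handle the tunnel while rlm_ldap, through password_attribute or the checkItem mapping in ldap.attrmap, supplies the User-Password check item the inner method is compared against. The server name is a placeholder; the DNs reuse the ones from the thread.

```conf
# Added example, not the poster's files: a minimal corrected layout for
# FreeRADIUS 1.x (2005) EAP-TTLS with users held in LDAP.
# "ldap.example.com" is a placeholder; the DNs reuse those from the thread.

# ---- users file --------------------------------------------------------
# Deliberately contains no "DEFAULT Auth-Type := LDAP" entry.  The ":="
# operator would overwrite the Auth-Type = EAP set by rlm_eap and send the
# outer EAP-TTLS request (EAP-Message, no User-Password) to rlm_ldap.
# An empty file, or only entries that never set Auth-Type, is correct here.

# ---- radiusd.conf ------------------------------------------------------
authorize {
    preprocess
    chap
    mschap
    suffix
    eap       # marks requests carrying EAP-Message with Auth-Type = EAP
    files
    ldap      # finds the user and, through password_attribute or the
              # checkItem mapping in ldap.attrmap, adds a User-Password
              # check item for the inner identity
}

authenticate {
    Auth-Type PAP {
        pap   # inner TTLS/PAP: compared against the check item ldap added
    }
    Auth-Type LDAP {
        ldap  # only reached when no Auth-Type was set and no password
              # could be read from the directory: binds as the user
    }
    eap       # outer EAP-TTLS, and inner EAP-MD5 when the client tunnels EAP
}

ldap {
    server = "ldap.example.com"
    identity = "cn=redes,ou=admins,ou=radius,dc=mydomain,dc=com"
    password = secret
    basedn = "ou=users,ou=radius,dc=mydomain,dc=com"
    filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
    password_attribute = "userPassword"   # cleartext needed for inner EAP-MD5
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    start_tls = yes                        # protects the bind credentials in transit
    tls_cacertfile = ${raddbdir}/certs/cacert.pem
    tls_require_cert = "demand"
    # No tls_keyfile here: the posted value was demoCA/private/cakey.pem,
    # the CA signing key, which must not be deployed on the RADIUS host.
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

# ---- eap.conf ----------------------------------------------------------
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    tls {
        private_key_password = secretpasswd
        private_key_file = ${raddbdir}/certs/server.pem
        certificate_file = ${raddbdir}/certs/server.pem
        CA_file = ${raddbdir}/certs/root.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
    }
    ttls {
        default_eap_type = md5        # inner EAP type when the client tunnels EAP
        copy_request_to_tunnel = no
        use_tunneled_reply = yes      # reply items found by ldap inside the
                                      # tunnel are returned to the NAS
    }
}
```

Two design points worth weighing. Reading userPassword through password_attribute (or the checkItem mapping) means the bind identity can read every user's stored password; that is unavoidable when the inner method is EAP-MD5, which needs the cleartext, but not when the inner method is PAP, where rlm_ldap can instead bind as the user in the Auth-Type LDAP block and the password attribute can stay unreadable to the RADIUS account. Separately, the posted ldap block points tls_keyfile at demoCA/private/cakey.pem, the CA's own signing key; if the directory requires a client certificate, issue a separate one for the RADIUS server rather than copying the CA key onto it.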