Re: RE : Using mschap authentication without EAP

2006-07-21 Thread Giuseppina Venezia
All right. Now authentication works fine. Many thanks to all who have given me this useful advice. Have a nice day.

Thanks again,
Giusy Venezia
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE : Using mschap authentication without EAP

2006-07-21 Thread Thibault Le Meur
> 
> Thibault Le Meur wrote:
> > rad_recv: Access-Request packet from host 127.0.0.1:32801, 
> id=0, length=217
> >   User-Name = "misterc"
> >   CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
> >   CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
> 
> > 
> > That means that your client is trying MS-CHAP, and MS-CHAP can't be 
> > used
> > with something else than NT-Hash passwords or cleartext 
> passwords in the 
> > authorize backend (in your case LDAP).
> 
> No, it does NOT.
> 
> It means his client is trying CHAP. Not MS-CHAP

You're right... sorry I was too fast in my reply... ;-) but the conclusion
was about the same : use a cleartext password (except for the Nt-hash
alternative ;-) ).

Thibault




Re: Using mschap authentication without EAP

2006-07-21 Thread Phil Mayers

> dn: cn=Vito Cu,ou=utenti,dc=,dc=it
> userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9


This is:

userPassword: {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs=

You MUST have plaintext passwords in your LDAP directory to do CHAP.



> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
>
> Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
> Fri Jul 21 11:15:51 2006 : Debug:   Processing the authenticate section of radiusd.conf
>
> Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
> Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: calling pap (rlm_pap) for request 0
> Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".



Your NAS submitted a CHAP request. You cannot check CHAP requests by 
simple bind to LDAP, only PAP.


You have three choices:

 1. Store plaintext passwords in userPassword in LDAP, and use CHAP, 
configured like this:


authorize {
  preprocess
  chap
  ldap
}
authenticate {
  Auth-Type CHAP {
    chap
  }
}

 2. Store whatever you like in LDAP, configure your NAS to use PAP and 
LDAP simple binds, configured like this:


authorize {
  preprocess
  ldap
}
authenticate {
  Auth-Type LDAP {
    ldap
  }
}

 3. Store crypted passwords in userPassword, configure your NAS to use 
PAP, and do PAP at the server side. Not recommended.
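To make Phil's point concrete, here is an added example (written for this page in Python, not FreeRADIUS or OpenLDAP code). It decodes the base64 userPassword from the ldapsearch output above, implements the RFC 1994 CHAP check a RADIUS server has to perform (which needs the cleartext secret), and the PAP-against-{SHA} check that choice 3 relies on. The CHAP-Challenge and CHAP-Password constants are copied from the thread; the user's real password is unknown, so the CHAP demo uses a constructed password and CHAP Ident, and the {SHA} value in the PAP demo is SHA-1 of the constructed word "password", not the directory's value.

```python
import base64
import hashlib
import hmac

# Values copied from the debug output quoted in this thread. The NAS sent a
# 16-octet CHAP-Challenge and a 17-octet CHAP-Password (1 octet CHAP Ident
# followed by the 16-octet MD5 response).
CHAP_CHALLENGE = bytes.fromhex("a26932d73791f27d1314426f740ab34e")
CHAP_PASSWORD = bytes.fromhex("002e07a2cc1f27e7fbd22e7bb3721a3986")

# The LDIF line from the ldapsearch output; "::" marks a base64-encoded value.
LDIF_LINE = "userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9"


def ldif_value(line: str) -> str:
    """Return the value of one LDIF attribute line, decoding '::' (base64) values."""
    attr, sep, value = line.partition("::")
    if sep:
        return base64.b64decode(value.strip()).decode()
    return line.partition(":")[2].strip()


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP (MD5): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def nas_chap_password(ident: int, secret: str, challenge: bytes) -> bytes:
    """What a NAS puts in the RADIUS CHAP-Password attribute (RFC 2865 s5.3)."""
    return bytes([ident]) + chap_response(ident, secret, challenge)


def chap_verify(chap_password: bytes, challenge: bytes, cleartext: str) -> bool:
    """Server-side check of CHAP-Password: needs the user's cleartext secret.

    The server recomputes MD5(ident || secret || challenge), so a stored
    {SHA} digest of the secret is useless here; this is why CHAP needs
    plaintext passwords in userPassword.
    """
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 17 octets (ident + 16-octet response)")
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(response, chap_response(ident, cleartext, challenge))


def pap_verify_sha(user_password: str, cleartext: str) -> bool:
    """Choice 3 above: PAP checked server-side against a {SHA} userPassword.

    OpenLDAP stores '{SHA}' + base64(SHA1(password)); with PAP the server has
    the cleartext User-Password and can hash it for comparison.
    """
    if not user_password.startswith("{SHA}"):
        raise ValueError("expected a {SHA} userPassword value")
    stored = base64.b64decode(user_password[len("{SHA}"):])
    return hmac.compare_digest(stored, hashlib.sha1(cleartext.encode()).digest())


def auth_types_for(user_password: str) -> set:
    """Which RADIUS checks a stored userPassword form can support.

    Cleartext (no scheme prefix, or {clear}) supports CHAP and PAP; a hashed
    scheme such as {SHA} or {SSHA} supports PAP only.
    """
    scheme = ""
    if user_password.startswith("{") and "}" in user_password:
        scheme = user_password[: user_password.index("}") + 1].lower()
    if scheme in ("", "{clear}"):
        return {"CHAP", "PAP"}
    return {"PAP"}


if __name__ == "__main__":
    stored = ldif_value(LDIF_LINE)
    print("userPassword in the directory:", stored)
    print("checks possible with it:", sorted(auth_types_for(stored)))
    print("CHAP Ident sent by the NAS:", CHAP_PASSWORD[0])
    # Simulate a NAS with a constructed password (the real one is unknown).
    secret = "constructed-pw"
    pkt = nas_chap_password(0x2A, secret, CHAP_CHALLENGE)
    print("CHAP check with cleartext secret:", chap_verify(pkt, CHAP_CHALLENGE, secret))
    # {SHA} value below is SHA-1 of the constructed word "password".
    print("PAP check against {SHA}:",
          pap_verify_sha("{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=", "password"))
```

`hmac.compare_digest` is used for both comparisons so the check does not leak timing information; `auth_types_for` is the decision the thread reaches by hand: a {SHA} value allows PAP only, so either the directory stores cleartext or the NAS switches to PAP.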


Re: Using mschap authentication without EAP

2006-07-21 Thread Phil Mayers

Thibault Le Meur wrote:
> > rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
> >   User-Name = "misterc"
> >   CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
> >   CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
>
> That means that your client is trying MS-CHAP, and MS-CHAP can't be used
> with something else than NT-Hash passwords or cleartext passwords in the
> authorize backend (in your case LDAP).


No, it does NOT.

It means his client is trying CHAP. Not MS-CHAP


Re: Using mschap authentication without EAP

2006-07-21 Thread Thibault Le Meur

> Well, after some changes in OpenLDAP config, this is the result:


So your first issue was openldap related...



> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as cn=Manager,dc=,dc=it/PASSWORD to 192.168.1.221:389
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful


Bind as manager is ok...


> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for misterc is allowed by userPassword
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in directory...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in directory...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use remote access


Great, rlm_ldap has retrieved everything needed.


> Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns ok) for request 0


Now it's time to run the authenticate module


> Fri Jul 21 11:15:51 2006 : Debug:   rad_check_password:  Found Auth-Type LDAP
> Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
> Fri Jul 21 11:15:51 2006 : Debug:   Processing the authenticate section of radiusd.conf


The ldap module will be used (that is to say, a bind with the user's
credentials will be attempted, provided that the request contains the
necessary data).



> Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
> Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: calling pap (rlm_pap) for request 0
> Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".


Well, it seems that your radius client is trying CHAP and not PAP. You 
wrote in a previous mail that the request was:

rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
  User-Name = "misterc"
  CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
  CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
  NAS-IP-Address = 0.0.0.0
  Service-Type = Login-User
  Framed-IP-Address = 192.168.182.2
  Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
  Called-Station-Id = "AA-AA-AA-AA-DD-AA"
  NAS-Identifier = "nas01"
  Acct-Session-Id = "44bfd15d"
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 0
  Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
  WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"


That means that your client is trying MS-CHAP, and MS-CHAP can't be 
used with something else than NT-Hash passwords or cleartext passwords 
in the authorize backend (in your case LDAP).


Thibault



Re: Using mschap authentication without EAP

2006-07-21 Thread Giuseppina Venezia
On 7/20/06, Thibault Le Meur <[EMAIL PROTECTED]> wrote:
> Well isn't it a pb of rights ? Is the anonymous user able to search the
> openldap directory for users entries ?

Yes, the anonymous user is able to search.

> What is the result of a simple "ldapsearch" with the same ldap filter.

ldapsearch -x -b "dc=,dc=it" "(uid=misterc)"
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (uid=misterc)
# requesting: ALL
#

# Vito Cu, utenti, .it
dn: cn=Vito Cu,ou=utenti,dc=,dc=it
uid: misterc
description: bel giovine
sn: Cu
cn: newperson
cn: Vito Cu
userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9
objectClass: radiusprofile
objectClass: inetOrgPerson
radiusAuthType: LDAP

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

> Have you got ACLs in your openldap directory configuration files ?

All the users have the rights.

Well, after some changes in OpenLDAP config, this is the result:

Fri Jul 21 11:15:51 2006 : Debug:   Processing the authorize section of radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group authorize for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modcall[authorize]: module "eap" returns noop for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authorize
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing user authorization for misterc
Fri Jul 21 11:15:51 2006 : Debug: radius_xlat:  '(uid=misterc)'
Fri Jul 21 11:15:51 2006 : Debug: radius_xlat:  'ou=utenti,dc=,dc=it'
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: (re)connect to 192.168.1.221:389, authentication 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as cn=Manager,dc=,dc=it/PASSWORD to 192.168.1.221:389
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for misterc is allowed by userPassword
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use remote access
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modcall[authorize]: module "ldap" returns ok for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns ok) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   rad_check_password:  Found Auth-Type LDAP
Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
Fri Jul 21 11:15:51 2006 : Debug:   Processing the authenticate section of radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: calling pap (rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: returned from pap (rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modcall[authenticate]: module "pap" returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: calling ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authenticate
Fri Jul 21 11:15:51 2006 : Auth: rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: returned from ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modcall[authenticate]: module "ldap" returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group LDAP (returns invalid) for request 0
Fri Jul 21 11:15:51 2006 : Debug: auth: Failed to validate the user.

Config files are the same as above.

Best regards.
Giusy Venezia

Re: Using mschap authentication without EAP

2006-07-20 Thread Giuseppina Venezia
Sorry, "dc=,dc=it" is the correct one, not "dc=uniroma1,dc=it" as appears in the other configuration file.

Giusy Venezia

On 7/20/06, Giuseppina Venezia <[EMAIL PROTECTED]> wrote:
> Here is my slapd.conf
>
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/samba.schema
> include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema
>
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral   ldap://root.openldap.org
>
> # Set the logging level
> loglevel    296
>
> pidfile /usr/local/var/run/slapd.pid
> argsfile    /usr/local/var/run/slapd.args
>
> # SSL directives
> #TLSCipherSuite HIGH
> #TLSCertificateFile /usr/local/etc/openldap/slapd-cert.pem
> #TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key.pem
>
> # Load dynamic backend modules:
> # modulepath    /usr/local/libexec/openldap
> # moduleload    back_bdb.la
> # moduleload    back_ldap.la
> # moduleload    back_ldbm.la
> # moduleload    back_passwd.la
> # moduleload    back_shell.la
>
> # Sample security restrictions
> #   Require integrity protection (prevent hijacking)
> #   Require 112-bit (3DES or better) encryption for updates
> #   Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
>
> # Sample access control policy:
> #   Root DSE: allow anyone to read it
> #   Subschema (sub)entry DSE: allow anyone to read it
> #   Other DSEs:
> #   Allow self write access
> #   Allow authenticated users read access
> #   Allow anonymous users to authenticate
> #   Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> #   by self write
> #   by users read
> #   by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn.  (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
>
> ###
> # BDB database definitions
> ###
>
> database    bdb
> suffix  "dc=,dc=it"
> rootdn  "cn=Manager,dc=,dc=it"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw  {SSHA}gUlr8Lqr7eYgfSti9+Dl76lbkbgK3fqc
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory   /usr/local/var/openldap-data/.it
> mode 0600
> # Indices to maintain
> index   objectClass eq,pres
> index   cn  eq,pres
> index   uid eq,pres
> index   userPassword    eq,pres
> cachesize   2000
>
> Thanks in advance
> Giusy Venezia
>
> On 7/20/06, Thibault Le Meur <[EMAIL PROTECTED]> wrote:
> > > rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
> > >    User-Name = "misterc"
> > >    CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
> > >    CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
> > >    NAS-IP-Address = 0.0.0.0
> > >    Service-Type = Login-User
> > >    Framed-IP-Address = 192.168.182.2
> > >    Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
> > >    Called-Station-Id = "AA-AA-AA-AA-DD-AA"
> > >    NAS-Identifier = "nas01"
> > >    Acct-Session-Id = "44bfd15d"
> > >    NAS-Port-Type = Wireless-802.11
> > >    NAS-Port = 0
> > >    Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
> > >    WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
> > > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize
> > > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user authorization for misterc
> > > Thu Jul 20 20:54:50 2006 : Debug: radius_xlat:  '(uid=misterc)'
> > > Thu Jul 20 20:54:50 2006 : Debug: radius_xlat:  'ou=utenti,dc=,dc=it'
> >
> > Ok rlm_ldap is initialized
> >
> > > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
> > > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result ...
> > > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful
> >
> > bind to the directory is Ok
> >
> > > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
> > > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got ambiguous search result
> > > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed
> >
> > Ah... Seems that the user bound to the ldap directory can't find uid=misterc in ou=utenti,dc=,dc=it
> >
> > > Thu Jul 20 20:54:51 2006 : Debug: auth: No au

Re: Using mschap authentication without EAP

2006-07-20 Thread Giuseppina Venezia
Here is my slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

# Set the logging level
loglevel    296

pidfile /usr/local/var/run/slapd.pid
argsfile    /usr/local/var/run/slapd.args

# SSL directives
#TLSCipherSuite HIGH
#TLSCertificateFile /usr/local/etc/openldap/slapd-cert.pem
#TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key.pem

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#   Allow self write access
#   Allow authenticated users read access
#   Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

###
# BDB database definitions
###

database    bdb
suffix  "dc=uniroma1,dc=it"
rootdn  "cn=Manager,dc=uniroma1,dc=it"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw  {SSHA}gUlr8Lqr7eYgfSti9+Dl76lbkbgK3fqc
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /usr/local/var/openldap-data/uniroma1.it
mode 0600
# Indices to maintain
index   objectClass eq,pres
index   cn  eq,pres
index   uid eq,pres
index   userPassword    eq,pres
cachesize   2000

Thanks in advance
Giusy Venezia

On 7/20/06, Thibault Le Meur <[EMAIL PROTECTED]> wrote:
> > rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
> >    User-Name = "misterc"
> >    CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
> >    CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
> >    NAS-IP-Address = 0.0.0.0
> >    Service-Type = Login-User
> >    Framed-IP-Address = 192.168.182.2
> >    Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
> >    Called-Station-Id = "AA-AA-AA-AA-DD-AA"
> >    NAS-Identifier = "nas01"
> >    Acct-Session-Id = "44bfd15d"
> >    NAS-Port-Type = Wireless-802.11
> >    NAS-Port = 0
> >    Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
> >    WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
> > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize
> > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user authorization for misterc
> > Thu Jul 20 20:54:50 2006 : Debug: radius_xlat:  '(uid=misterc)'
> > Thu Jul 20 20:54:50 2006 : Debug: radius_xlat:  'ou=utenti,dc=,dc=it'
>
> Ok rlm_ldap is initialized
>
> > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
> > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result ...
> > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful
>
> bind to the directory is Ok
>
> > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
> > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got ambiguous search result
> > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed
>
> Ah... Seems that the user bound to the ldap directory can't find uid=misterc in ou=utenti,dc=,dc=it
>
> > Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>
> So Auth-Type isn't set to Ldap
>
> > Thu Jul 20 20:54:51 2006 : Debug: auth: Failed to validate the user.
>
> This is logical
>
> >    ldap {
> >

Re: Using mschap authentication without EAP

2006-07-20 Thread Thibault Le Meur

> rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
>    User-Name = "misterc"
>    CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
>    CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
>    NAS-IP-Address = 0.0.0.0
>    Service-Type = Login-User
>    Framed-IP-Address = 192.168.182.2
>    Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
>    Called-Station-Id = "AA-AA-AA-AA-DD-AA"
>    NAS-Identifier = "nas01"
>    Acct-Session-Id = "44bfd15d"
>    NAS-Port-Type = Wireless-802.11
>    NAS-Port = 0
>    Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
>    WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"




> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize
> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user authorization for misterc
> Thu Jul 20 20:54:50 2006 : Debug: radius_xlat:  '(uid=misterc)'
> Thu Jul 20 20:54:50 2006 : Debug: radius_xlat:  'ou=utenti,dc=,dc=it'


Ok rlm_ldap is initialized



> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result ...
> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful


bind to the directory is Ok


> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got ambiguous search result
> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed


Ah...
Seems that the user bound to the ldap directory can't find uid=misterc
in ou=utenti,dc=,dc=it




> Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user


So Auth-Type isn't set to Ldap


> Thu Jul 20 20:54:51 2006 : Debug: auth: Failed to validate the user.


This is logical


>    ldap {
>        server="192.168.1.221"
>        port="389"
>        basedn="ou=utenti,dc=uniroma1,dc=it"
>        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>        start_tls = no
>        access_attr = "uid"
>        dictionary_mapping = ${raddbdir}/ldap.attrmap
>        authtype = ldap
>        ldap_connections_number = 5
>        password_header = "{SHA}"
>        password_attribute = userPassword
>    }
> }


Well isn't it a pb of rights ? Is the anonymous user able to search the 
openldap directory for users entries ?


What is the result of a simple "ldapsearch" with the same ldap filter.


> If you need any other information please ask us; sorry if we are boring you
> but we are trying and trying without any significant result.
> Thanks.


Have you got ACLs in your openldap directory configuration files ?

Regards,
Thibault
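Thibault's reading of the debug output (this Thu Jul 20 run, and the Fri Jul 21 run he walks through later in the thread) can be automated. The script below is an added example written for this page in Python, not part of FreeRADIUS: it pattern-matches the rlm_ldap and auth lines quoted in the thread and reduces them to hint codes. The two sample logs are trimmed copies of the thread's debug output, and the hint code names are my own labels.

```python
import re

# Constructed samples: selected lines copied from the two debug runs quoted in
# this thread (Thu Jul 20 before the OpenLDAP change, Fri Jul 21 after it).
RUN_JUL20 = """\
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got ambiguous search result
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed
Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Thu Jul 20 20:54:51 2006 : Debug: auth: Failed to validate the user.
"""

RUN_JUL21 = """\
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as cn=Manager,dc=,dc=it/PASSWORD to 192.168.1.221:389
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".
Fri Jul 21 11:15:51 2006 : Auth: rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
Fri Jul 21 11:15:51 2006 : Debug: auth: Failed to validate the user.
"""

# One regex per event in the rlm_ldap / auth flow that the thread discusses.
RE_BIND = re.compile(r"rlm_ldap: bind as (\S*) to (\S+)")
RE_BIND_OK = re.compile(r"rlm_ldap: Bind was successful")
RE_SEARCH = re.compile(r"rlm_ldap: performing search in (.+?), with filter (\(.+\))")
RE_SEARCH_FAILED = re.compile(r"rlm_ldap: search failed")
RE_AUTH_TYPE = re.compile(r"Adding \S+ as Auth-Type, value (\S+) ")
RE_USER_PASSWORD = re.compile(r"Adding \S+ as User-Password, value (\S+) ")
RE_CANNOT_USE = re.compile(
    r'(rlm_\w+): Attribute "[^"]+" is required for authentication\. Cannot use "([^"]+)"'
)
RE_NO_AUTH_TYPE = re.compile(r"No authenticate method \(Auth-Type\)")
RE_REJECTED = re.compile(r"auth: Failed to validate the user")


def diagnose(log_text: str) -> dict:
    """Summarise one request's rlm_ldap/auth debug lines and emit hint codes.

    Hint codes are labels invented for this example, not FreeRADIUS output:
      LDAP_SEARCH_FAILED    user entry not found under basedn with the filter
      NO_AUTH_TYPE          no module set Auth-Type, so nothing could authenticate
      CHAP_NEEDS_CLEARTEXT  NAS sent CHAP but the module can only check User-Password
      HASHED_USERPASSWORD   stored password uses a hash scheme, so CHAP is impossible
    """
    r = {"bind_dn": None, "bind_ok": False, "base_dn": None, "filter": None,
         "search_failed": False, "auth_type": None, "user_password": None,
         "cannot_use": [], "no_auth_type": False, "rejected": False, "hints": []}
    for line in log_text.splitlines():
        if m := RE_BIND.search(line):
            dn = m.group(1).rsplit("/", 1)[0]   # logged as "dn/password"; "/" is anonymous
            r["bind_dn"] = dn or "(anonymous)"
        elif RE_BIND_OK.search(line):
            r["bind_ok"] = True
        elif m := RE_SEARCH.search(line):
            r["base_dn"], r["filter"] = m.group(1), m.group(2)
        elif RE_SEARCH_FAILED.search(line):
            r["search_failed"] = True
        elif m := RE_AUTH_TYPE.search(line):
            r["auth_type"] = m.group(1)
        elif m := RE_USER_PASSWORD.search(line):
            r["user_password"] = m.group(1)
        elif m := RE_CANNOT_USE.search(line):
            r["cannot_use"].append((m.group(1), m.group(2)))
        elif RE_NO_AUTH_TYPE.search(line):
            r["no_auth_type"] = True
        elif RE_REJECTED.search(line):
            r["rejected"] = True

    if r["search_failed"]:
        r["hints"].append("LDAP_SEARCH_FAILED")
    if r["no_auth_type"]:
        r["hints"].append("NO_AUTH_TYPE")
    if any(attr == "CHAP-Password" for _, attr in r["cannot_use"]):
        r["hints"].append("CHAP_NEEDS_CLEARTEXT")
    if r["user_password"] and r["user_password"].startswith("{"):
        r["hints"].append("HASHED_USERPASSWORD")
    return r


if __name__ == "__main__":
    for name, text in (("Jul 20", RUN_JUL20), ("Jul 21", RUN_JUL21)):
        res = diagnose(text)
        print(name, "bind as", res["bind_dn"], "->", ", ".join(res["hints"]) or "no findings")
```

On the first run the script reports an anonymous bind followed by a failed search and a missing Auth-Type, which is the ACL/base DN problem Thibault suspects; on the second it reports a {SHA} User-Password together with modules refusing CHAP-Password, which is the CHAP-versus-hashed-password mismatch the rest of the thread resolves.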



Re: Using mschap authentication without EAP

2006-07-20 Thread Giuseppina Venezia
We have tried to integrate OpenLDAP and FreeRadius. When we try to authenticate with the clients this is the error message:

Thu Jul 20 20:53:45 2006 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
    User-Name = "misterc"
    CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
    CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
    NAS-IP-Address = 0.0.0.0
    Service-Type = Login-User
    Framed-IP-Address = 192.168.182.2
    Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
    Called-Station-Id = "AA-AA-AA-AA-DD-AA"
    NAS-Identifier = "nas01"
    Acct-Session-Id = "44bfd15d"
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 0
    Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
    WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
Thu Jul 20 20:54:50 2006 : Debug:   Processing the authorize section of radiusd.conf
Thu Jul 20 20:54:50 2006 : Debug: modcall: entering group authorize for request 0
Thu Jul 20 20:54:50 2006 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 0
Thu Jul 20 20:54:50 2006 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Thu Jul 20 20:54:50 2006 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 0
Thu Jul 20 20:54:50 2006 : Debug:   modcall[authorize]: module "eap" returns noop for request 0
Thu Jul 20 20:54:50 2006 : Debug:   modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user authorization for misterc
Thu Jul 20 20:54:50 2006 : Debug: radius_xlat:  '(uid=misterc)'
Thu Jul 20 20:54:50 2006 : Debug: radius_xlat:  'ou=utenti,dc=,dc=it'
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: (re)connect to 192.168.1.221:389, authentication 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result ...
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got ambiguous search result
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Jul 20 20:54:51 2006 : Debug:   modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Thu Jul 20 20:54:51 2006 : Debug:   modcall[authorize]: module "ldap" returns notfound for request 0
Thu Jul 20 20:54:51 2006 : Debug: modcall: leaving group authorize (returns noop) for request 0
Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Thu Jul 20 20:54:51 2006 : Debug: auth: Failed to validate the user.

This is the Radius configuration we are using:

my radius.conf

modules {
    pap {
        encryption_scheme = clear
    }
    ldap {
        server="192.168.1.221"
        port="389"
        basedn="ou=utenti,dc=uniroma1,dc=it"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "uid"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        authtype = ldap
        ldap_connections_number = 5
        password_header = "{SHA}"
        password_attribute = userPassword
    }
}
authorize {
    eap
    ldap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
}

And this is my OpenLDAP directory (maybe it can be useful):

My LDAP directory tree

dn: dc=,dc=it
dc:
objectClass: dcObject
objectClass: organizationalUnit
ou: uniromaProject
structuralObjectClass: organizationalUnit
entryUUID: 8344c65e-aa07-102a-869a-1bfd23c6a14f
creatorsName: cn=Manager,dc=,dc=it
modifiersName: cn=Manager,dc=,dc=it
createTimestamp: 20060717174334Z
modifyTimestamp: 20060717174334Z
entryCSN: 20060717174334Z#00#00#00

dn: dc=,dc=it
dc:
objectClass: dcObject
objectClass: organizationalUnit
ou: uniromaProject
structuralObjectClass: organizationalUnit
entryUUID: 8344c65e-aa07-102a-869a-1bfd23c6a14f
creatorsName: cn=Manager,dc=,dc=it
modifiersName: cn=Manager,dc=,dc=it
createTimestamp: 20060717174334Z
modifyTimestamp: 20060717174334Z
entryCSN: 20060717174334Z#00#00#00

dn: cn=Luca Ricci,ou=utenti,dc=,dc=it
uid: misterc
description: bel giovine
sn: Ricci
cn: newperson
cn: Luca Ricci
structuralObjectClass: inetOrgPerso

Re: Using mschap authentication without EAP

2006-07-20 Thread Alan DeKok
"Giuseppina Venezia" <[EMAIL PROTECTED]> wrote:
> We need an exclusively web-based authentication for clients, avoiding the
> installation of external programs to check access like Xsupplicant. The
> implementation works fine with a MySQL Database, but the question is if is
> possible realize the same implementation using OpenLDAP instead of MySQL
> keeping for clients the same web-based login criterions.

  Yes.

  Alan DeKok.


Re: Using mschap authentication without EAP

2006-07-20 Thread Giuseppina Venezia
Sorry but my English is not so good. We need to implement a web-based
login (Chillispot + Apache) connected to FreeRadius. FreeRadius needs
to read information on users using OpenLDAP.
We need an exclusively web-based authentication for clients, avoiding
the installation of external programs to check access like Xsupplicant.
The implementation works fine with a MySQL database, but the question
is whether it is possible to realize the same implementation using OpenLDAP
instead of MySQL, keeping for clients the same web-based login
criteria.
Thanks for your attention
On 7/20/06, Phil Mayers <[EMAIL PROTECTED]> wrote:
> Giuseppina Venezia wrote:
> > Hi, i'm using freeradius-1.1.2 with openldap for storing users account,
> > for authenticate a WI-FI LAN.
> > I need of a transparent authentication method since for the clients are
> > heterogeneous so i can't use any type of EAP* authentication because I
> > cannot install Xsupplicant on every Client.
>
> If you mean 802.1x authentication, I don't think you understand how it
> works. All 802.1x (link layer) authentication methods use EAP, so all
> clients must have SOME kind of supplicant.
>
> Non-802.1x authentication is normally done via some kind of web-based
> login. Google for "captive portal" or "walled garden". The auth types
> you can use with a captive portal depend on the captive portal. See the
> docs for your portal.
>
> > Can I use mschap authentication for this and there are some specific
> > documentation ?,i've searched a lot but i haven't found exhaustive
> > documentation.
> > And if I cannot use mschap, are there others solution for wi-fi
> > authentication via LDAP?
>
> I'm afraid this doesn't make sense to me. Can you describe in more
> detail what you're trying to do?

Re: Using mschap authentication without EAP

2006-07-20 Thread Phil Mayers

Giuseppina Venezia wrote:
> Hi, i'm using freeradius-1.1.2 with openldap for storing users account,
> for authenticate a WI-FI LAN.
> I need of a transparent authentication method since for the clients are
> heterogeneous so i can't use any type of EAP* authentication because I
> cannot install Xsupplicant on every Client.


If you mean 802.1x authentication, I don't think you understand how it 
works. All 802.1x (link layer) authentication methods use EAP, so all 
clients must have SOME kind of supplicant.


Non-802.1x authentication is normally done via some kind of web-based 
login. Google for "captive portal" or "walled garden". The auth types 
you can use with a captive portal depend on the captive portal. See the 
docs for your portal.


> Can I use mschap authentication for this and there are some specific
> documentation ?,i've searched a lot but i haven't found exhaustive
> documentation.
> And if I cannot use mschap, are there others solution for wi-fi
> authentication via LDAP?


I'm afraid this doesn't make sense to me. Can you describe in more 
detail what you're trying to do?