Re: RE : Using mschap authentication without EAP
All right. Now authentication works fine.
Many thanks to all of you who have given me this useful advice.
Have a nice day. Thanks again.

Giusy Venezia

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : Using mschap authentication without EAP
> > Thibault Le Meur wrote:
> > rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
> >         User-Name = "misterc"
> >         CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
> >         CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
> >
> > That means that your client is trying MS-CHAP, and MS-CHAP can't be used
> > with something else than NT-Hash passwords or cleartext passwords in the
> > authorize backend (in your case LDAP).
>
> No, it does NOT.
>
> It means his client is trying CHAP. Not MS-CHAP.

You're right... sorry, I was too fast in my reply... ;-) but the conclusion was about the same: use a cleartext password (except for the NT-hash alternative ;-) ).

Thibault
Re: Using mschap authentication without EAP
> dn: cn=Vito Cu,ou=utenti,dc=,dc=it
> userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9

This is:

    userPassword: {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs=

You MUST have plaintext passwords in your LDAP directory to do CHAP.

> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
> Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
> Fri Jul 21 11:15:51 2006 : Debug: Processing the authenticate section of radiusd.conf
> Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
> Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 0
> Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".

Your NAS submitted a CHAP request. You cannot check CHAP requests by simple bind to LDAP, only PAP.

You have three choices:

1. Store plaintext passwords in userPassword in LDAP, and use CHAP, configured like this:

    authorize {
        preprocess
        chap
        ldap
    }

    authenticate {
        Auth-Type CHAP {
            chap
        }
    }

2. Store whatever you like in LDAP, configure your NAS to use PAP and LDAP simple binds, configured like this:

    authorize {
        preprocess
        ldap
    }

    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }

3. Store crypted passwords in userPassword, configure your NAS to use PAP, and do PAP at the server side. Not recommended.
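The three choices above come down to what the server can recompute from what the directory holds. As an added illustration (not from the thread or from FreeRADIUS itself), the Python below models the check rlm_chap performs on a CHAP-Password, the PAP check rlm_pap can do against a {SHA} userPassword, and the LDIF base64 decoding shown above; the password and challenge are constructed, and the decoded userPassword is the one quoted in this reply.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample secret; the thread never reveals the real password,
# so nothing below is checked against the packet quoted in the thread.
CLEARTEXT_PASSWORD = "constructed-secret"
# The directory in the thread stores a {SHA} (base64 SHA-1) userPassword.
STORED_SHA = "{SHA}" + base64.b64encode(
    hashlib.sha1(CLEARTEXT_PASSWORD.encode()).digest()).decode()


def decode_ldif_value(line: str) -> str:
    """Decode one LDIF attribute line; 'attr:: ...' means the value is base64."""
    _attr, sep, value = line.partition("::")
    if sep:
        return base64.b64decode(value.strip()).decode()
    return line.partition(":")[2].strip()


def chap_response(chap_id: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge).
    Both the client and the verifying server need the cleartext secret."""
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()


def build_chap_password(chap_id: int, secret: str, challenge: bytes) -> bytes:
    """RADIUS CHAP-Password value (RFC 2865 section 5.3): 1 byte Identifier
    followed by the 16 byte MD5 response. The packet in the thread carries
    Identifier 0x00 followed by the hash, 17 bytes in total."""
    return bytes([chap_id]) + chap_response(chap_id, secret, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, check_password: str) -> bool:
    """Model of what rlm_chap does with the User-Password check item that
    rlm_ldap added: recompute the MD5 over the stored value. Feeding it a
    '{SHA}...' string instead of the cleartext yields the wrong digest, so
    the user is rejected even when the real password is correct."""
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 17 bytes (Identifier + MD5)")
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, check_password, challenge)
    return hmac.compare_digest(expected, response)


def verify_pap(user_password: str, stored: str) -> bool:
    """Option 3 from the reply above: PAP checked server-side against the
    {SHA} hash (what rlm_pap does for a User-Password with a {SHA} header)."""
    if not stored.startswith("{SHA}"):
        raise ValueError("only {SHA} userPassword values are handled here")
    digest = base64.b64decode(stored[len("{SHA}"):])
    return hmac.compare_digest(hashlib.sha1(user_password.encode()).digest(), digest)


def demo() -> dict:
    """Run the three cases the thread discusses with constructed inputs."""
    challenge = os.urandom(16)   # NAS-generated CHAP-Challenge
    chap_id = 0                  # same Identifier byte as in the thread's packet
    attr = build_chap_password(chap_id, CLEARTEXT_PASSWORD, challenge)
    return {
        "chap_with_cleartext": verify_chap(attr, challenge, CLEARTEXT_PASSWORD),
        "chap_with_sha_hash": verify_chap(attr, challenge, STORED_SHA),
        "pap_with_sha_hash": verify_pap(CLEARTEXT_PASSWORD, STORED_SHA),
    }


if __name__ == "__main__":
    print(decode_ldif_value("userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9"))
    print(demo())
```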
Re: Using mschap authentication without EAP
Thibault Le Meur wrote:
> rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
>         User-Name = "misterc"
>         CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
>         CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
>
> That means that your client is trying MS-CHAP, and MS-CHAP can't be used
> with something else than NT-Hash passwords or cleartext passwords in the
> authorize backend (in your case LDAP).

No, it does NOT.

It means his client is trying CHAP. Not MS-CHAP.
Re: Using mschap authentication without EAP
> Well, after some changes in OpenLDAP config, this is the result:

So your first issue was openldap related...

> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as cn=Manager,dc=,dc=it/PASSWORD to 192.168.1.221:389
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful

Bind as manager is ok...

> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for misterc is allowed by userPassword
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in directory...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in directory...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use remote access

Great, rlm_ldap has retrieved everything needed.

> Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns ok) for request 0

Now it's time to run the authenticate module.

> Fri Jul 21 11:15:51 2006 : Debug: rad_check_password: Found Auth-Type LDAP
> Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
> Fri Jul 21 11:15:51 2006 : Debug: Processing the authenticate section of radiusd.conf

Ldap module will be used (that is to say a bind with the user's credential will be attempted, provided that the request contains the necessary data).

> Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
> Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 0
> Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".

Well, it seems that your radius client is trying CHAP and not PAP. You wrote in a previous mail that the request was:

> rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
>         User-Name = "misterc"
>         CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
>         CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
>         NAS-IP-Address = 0.0.0.0
>         Service-Type = Login-User
>         Framed-IP-Address = 192.168.182.2
>         Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
>         Called-Station-Id = "AA-AA-AA-AA-DD-AA"
>         NAS-Identifier = "nas01"
>         Acct-Session-Id = "44bfd15d"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 0
>         Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
>         WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"

That means that your client is trying MS-CHAP, and MS-CHAP can't be used with something else than NT-Hash passwords or cleartext passwords in the authorize backend (in your case LDAP).

Thibault
Re: Using mschap authentication without EAP
On 7/20/06, Thibault Le Meur <[EMAIL PROTECTED]> wrote:
> Well isn't it a pb of rights ? Is the anonymous user able to search the
> openldap directory for users entries ?

Yes, the anonymous user is able to search.

> What is the result of a simple "ldapsearch" with the same ldap filter.

ldapsearch -x -b "dc=,dc=it" "(uid=misterc)"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (uid=misterc)
# requesting: ALL
#

# Vito Cu, utenti, .it
dn: cn=Vito Cu,ou=utenti,dc=,dc=it
uid: misterc
description: bel giovine
sn: Cu
cn: newperson
cn: Vito Cu
userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9
objectClass: radiusprofile
objectClass: inetOrgPerson
radiusAuthType: LDAP

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

> Have you got ACLs in your openldap directory configuration files ?

All the users have the rights.

Well, after some changes in OpenLDAP config, this is the result:

Fri Jul 21 11:15:51 2006 : Debug: Processing the authorize section of radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group authorize for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authorize]: module "eap" returns noop for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authorize
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing user authorization for misterc
Fri Jul 21 11:15:51 2006 : Debug: radius_xlat: '(uid=misterc)'
Fri Jul 21 11:15:51 2006 : Debug: radius_xlat: 'ou=utenti,dc=,dc=it'
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: (re)connect to 192.168.1.221:389, authentication 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as cn=Manager,dc=,dc=it/PASSWORD to 192.168.1.221:389
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for misterc is allowed by userPassword
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use remote access
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authorize]: module "ldap" returns ok for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns ok) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rad_check_password: Found Auth-Type LDAP
Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
Fri Jul 21 11:15:51 2006 : Debug: Processing the authenticate section of radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: returned from pap (rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authenticate]: module "pap" returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authenticate
Fri Jul 21 11:15:51 2006 : Auth: rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: returned from ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authenticate]: module "ldap" returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group LDAP (returns invalid) for request 0
Fri Jul 21 11:15:51 2006 : Debug: auth: Failed to validate the user.

Config files are the same as above.

Best regards.
Giusy Venezia
Re: Using mschap authentication without EAP
Sorry, "dc=,dc=it" is the correct one, not "dc=uniroma1,dc=it" as it appears in the other configuration file.

Giusy Venezia

On 7/20/06, Giuseppina Venezia <[EMAIL PROTECTED]> wrote:
> Here is my slapd.conf
>
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/samba.schema
> include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema
>
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> # Add the logging level
> loglevel 296
>
> pidfile /usr/local/var/run/slapd.pid
> argsfile /usr/local/var/run/slapd.args
>
> # SSL directives
> #TLSCipherSuite HIGH
> #TLSCertificateFile /usr/local/etc/openldap/slapd-cert.pem
> #TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key.pem
>
> # Load dynamic backend modules:
> # modulepath /usr/local/libexec/openldap
> # moduleload back_bdb.la
> # moduleload back_ldap.la
> # moduleload back_ldbm.la
> # moduleload back_passwd.la
> # moduleload back_shell.la
>
> # Sample security restrictions
> # Require integrity protection (prevent hijacking)
> # Require 112-bit (3DES or better) encryption for updates
> # Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
>
> # Sample access control policy:
> # Root DSE: allow anyone to read it
> # Subschema (sub)entry DSE: allow anyone to read it
> # Other DSEs:
> # Allow self write access
> # Allow authenticated users read access
> # Allow anonymous users to authenticate
> # Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> # by self write
> # by users read
> # by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn. (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
>
> ###
> # BDB database definitions
> ###
>
> database bdb
> suffix "dc=,dc=it"
> rootdn "cn=Manager,dc=,dc=it"
> # Cleartext passwords, especially for the rootdn, should
> # be avoid. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw {SSHA}gUlr8Lqr7eYgfSti9+Dl76lbkbgK3fqc
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /usr/local/var/openldap-data/.it
> mode 0600
> # Indices to maintain
> index objectClass eq,pres
> index cn eq,pres
> index uid eq,pres
> index userPassword eq,pres
> cachesize 2000
>
> Thanks in advance
> Giusy Venezia
>
> On 7/20/06, Thibault Le Meur <[EMAIL PROTECTED]> wrote:
> > > rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
> > >         User-Name = "misterc"
> > >         CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
> > >         CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
> > >         NAS-IP-Address = 0.0.0.0
> > >         Service-Type = Login-User
> > >         Framed-IP-Address = 192.168.182.2
> > >         Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
> > >         Called-Station-Id = "AA-AA-AA-AA-DD-AA"
> > >         NAS-Identifier = "nas01"
> > >         Acct-Session-Id = "44bfd15d"
> > >         NAS-Port-Type = Wireless-802.11
> > >         NAS-Port = 0
> > >         Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
> > >         WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
> > > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize
> > > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user authorization for misterc
> > > Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: '(uid=misterc)'
> > > Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: 'ou=utenti,dc=,dc=it'
> >
> > Ok rlm_ldap is initialized
> >
> > > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
> > > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result ...
> > > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful
> >
> > bind to the directory is Ok
> >
> > > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
> > > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got ambiguous search result
> > > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed
> >
> > Ah... Seems that the user bound to the ldap directory can't find uid=misterc in ou=utenti,dc=,dc=it
> >
> > > Thu Jul 20 20:54:51 2006 : Debug: auth: No au
Re: Using mschap authentication without EAP
Here is my slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

# Add the logging level
loglevel 296

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

# SSL directives
#TLSCipherSuite HIGH
#TLSCertificateFile /usr/local/etc/openldap/slapd-cert.pem
#TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key.pem

# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

###
# BDB database definitions
###

database bdb
suffix "dc=uniroma1,dc=it"
rootdn "cn=Manager,dc=uniroma1,dc=it"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}gUlr8Lqr7eYgfSti9+Dl76lbkbgK3fqc
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data/uniroma1.it
mode 0600
# Indices to maintain
index objectClass eq,pres
index cn eq,pres
index uid eq,pres
index userPassword eq,pres
cachesize 2000

Thanks in advance
Giusy Venezia

On 7/20/06, Thibault Le Meur <[EMAIL PROTECTED]> wrote:
> > rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
> >         User-Name = "misterc"
> >         CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
> >         CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
> >         NAS-IP-Address = 0.0.0.0
> >         Service-Type = Login-User
> >         Framed-IP-Address = 192.168.182.2
> >         Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
> >         Called-Station-Id = "AA-AA-AA-AA-DD-AA"
> >         NAS-Identifier = "nas01"
> >         Acct-Session-Id = "44bfd15d"
> >         NAS-Port-Type = Wireless-802.11
> >         NAS-Port = 0
> >         Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
> >         WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
> > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize
> > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user authorization for misterc
> > Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: '(uid=misterc)'
> > Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: 'ou=utenti,dc=,dc=it'
>
> Ok rlm_ldap is initialized
>
> > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
> > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result ...
> > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful
>
> bind to the directory is Ok
>
> > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
> > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got ambiguous search result
> > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed
>
> Ah... Seems that the user bound to the ldap directory can't find uid=misterc in ou=utenti,dc=,dc=it
>
> > Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>
> So Auth-Type isn't set to Ldap
>
> > Thu Jul 20 20:54:51 2006 : Debug: auth: Failed to validate the user.
>
> This is logical
>
> > ldap {
Re: Using mschap authentication without EAP
> rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
>         User-Name = "misterc"
>         CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
>         CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
>         NAS-IP-Address = 0.0.0.0
>         Service-Type = Login-User
>         Framed-IP-Address = 192.168.182.2
>         Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
>         Called-Station-Id = "AA-AA-AA-AA-DD-AA"
>         NAS-Identifier = "nas01"
>         Acct-Session-Id = "44bfd15d"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 0
>         Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
>         WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize
> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user authorization for misterc
> Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: '(uid=misterc)'
> Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: 'ou=utenti,dc=,dc=it'

Ok rlm_ldap is initialized

> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result ...
> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful

bind to the directory is Ok

> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got ambiguous search result
> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed

Ah... Seems that the user bound to the ldap directory can't find uid=misterc in ou=utenti,dc=,dc=it

> Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

So Auth-Type isn't set to Ldap

> Thu Jul 20 20:54:51 2006 : Debug: auth: Failed to validate the user.

This is logical

>     ldap {
>         server="192.168.1.221"
>         port="389"
>         basedn="ou=utenti,dc=uniroma1,dc=it"
>         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>         start_tls = no
>         access_attr = "uid"
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>         authtype = ldap
>         ldap_connections_number = 5
>         password_header = "{SHA}"
>         password_attribute = userPassword
>     }
> }

Well isn't it a pb of rights ? Is the anonymous user able to search the openldap directory for users entries ?

What is the result of a simple "ldapsearch" with the same ldap filter.

> If you need any other information please ask us; sorry if we are boring you but we are trying and trying without any significant result. Thanks.

Have you got ACLs in your openldap directory configuration files ?

Regards,
Thibault
Re: Using mschap authentication without EAP
We have tried to integrate OpenLDAP and FreeRadius. When we try to authenticate with the clients this is the error message:

Thu Jul 20 20:53:45 2006 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
        User-Name = "misterc"
        CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
        CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
        NAS-IP-Address = 0.0.0.0
        Service-Type = Login-User
        Framed-IP-Address = 192.168.182.2
        Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
        Called-Station-Id = "AA-AA-AA-AA-DD-AA"
        NAS-Identifier = "nas01"
        Acct-Session-Id = "44bfd15d"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
        WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
Thu Jul 20 20:54:50 2006 : Debug: Processing the authorize section of radiusd.conf
Thu Jul 20 20:54:50 2006 : Debug: modcall: entering group authorize for request 0
Thu Jul 20 20:54:50 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP
Thu Jul 20 20:54:50 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Thu Jul 20 20:54:50 2006 : Debug: modcall[authorize]: module "eap" returns noop for request 0
Thu Jul 20 20:54:50 2006 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user authorization for misterc
Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: '(uid=misterc)'
Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: 'ou=utenti,dc=,dc=it'
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: (re)connect to 192.168.1.221:389, authentication 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result ...
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got ambiguous search result
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Jul 20 20:54:51 2006 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Thu Jul 20 20:54:51 2006 : Debug: modcall[authorize]: module "ldap" returns notfound for request 0
Thu Jul 20 20:54:51 2006 : Debug: modcall: leaving group authorize (returns noop) for request 0
Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Thu Jul 20 20:54:51 2006 : Debug: auth: Failed to validate the user.

This is the Radius configuration we are using:

my radius.conf

modules {
    pap {
        encryption_scheme = clear
    }
    ldap {
        server="192.168.1.221"
        port="389"
        basedn="ou=utenti,dc=uniroma1,dc=it"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "uid"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        authtype = ldap
        ldap_connections_number = 5
        password_header = "{SHA}"
        password_attribute = userPassword
    }
}

authorize {
    eap
    ldap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
}

And this is my OpenLDAP directory (maybe it can be useful):

My LDAP directory tree

dn: dc=,dc=it
dc:
objectClass: dcObject
objectClass: organizationalUnit
ou: uniromaProject
structuralObjectClass: organizationalUnit
entryUUID: 8344c65e-aa07-102a-869a-1bfd23c6a14f
creatorsName: cn=Manager,dc=,dc=it
modifiersName: cn=Manager,dc=,dc=it
createTimestamp: 20060717174334Z
modifyTimestamp: 20060717174334Z
entryCSN: 20060717174334Z#00#00#00

dn: cn=Luca Ricci,ou=utenti,dc=,dc=it
uid: misterc
description: bel giovine
sn: Ricci
cn: newperson
cn: Luca Ricci
structuralObjectClass: inetOrgPerso
Re: Using mschap authentication without EAP
"Giuseppina Venezia" <[EMAIL PROTECTED]> wrote:
> We need an exclusively web-based authentication for clients, avoiding the
> installation of external programs to check access like Xsupplicant. The
> implementation works fine with a MySQL database, but the question is if it is
> possible to realize the same implementation using OpenLDAP instead of MySQL,
> keeping for clients the same web-based login criteria.

Yes.

Alan DeKok.
Re: Using mschap authentication without EAP
Sorry but my English is not so good. We need to implement a web-based login (Chillispot + Apache) connected to FreeRadius. FreeRadius needs to read information on users using OpenLDAP. We need an exclusively web-based authentication for clients, avoiding the installation of external programs to check access like Xsupplicant. The implementation works fine with a MySQL database, but the question is if it is possible to realize the same implementation using OpenLDAP instead of MySQL, keeping for clients the same web-based login criteria.

Thanks for your attention

On 7/20/06, Phil Mayers <[EMAIL PROTECTED]> wrote:
> Giuseppina Venezia wrote:
> > Hi, I'm using freeradius-1.1.2 with openldap for storing user accounts,
> > to authenticate a Wi-Fi LAN.
> > I need a transparent authentication method since the clients are
> > heterogeneous, so I can't use any type of EAP* authentication because I
> > cannot install Xsupplicant on every client.
>
> If you mean 802.1x authentication, I don't think you understand how it
> works. All 802.1x (link layer) authentication methods use EAP, so all
> clients must have SOME kind of supplicant.
>
> Non-802.1x authentication is normally done via some kind of web-based
> login. Google for "captive portal" or "walled garden". The auth types you
> can use with a captive portal depend on the captive portal. See the
> docs for your portal.
>
> > Can I use mschap authentication for this, and is there some specific
> > documentation? I've searched a lot but I haven't found exhaustive
> > documentation.
> > And if I cannot use mschap, are there other solutions for wi-fi
> > authentication via LDAP?
>
> I'm afraid this doesn't make sense to me. Can you describe in more
> detail what you're trying to do?
Re: Using mschap authentication without EAP
Giuseppina Venezia wrote:
> Hi, I'm using freeradius-1.1.2 with openldap for storing user accounts,
> to authenticate a Wi-Fi LAN.
> I need a transparent authentication method since the clients are
> heterogeneous, so I can't use any type of EAP* authentication because I
> cannot install Xsupplicant on every client.

If you mean 802.1x authentication, I don't think you understand how it
works. All 802.1x (link layer) authentication methods use EAP, so all
clients must have SOME kind of supplicant.

Non-802.1x authentication is normally done via some kind of web-based
login. Google for "captive portal" or "walled garden". The auth types you
can use with a captive portal depend on the captive portal. See the
docs for your portal.

> Can I use mschap authentication for this, and is there some specific
> documentation? I've searched a lot but I haven't found exhaustive
> documentation.
> And if I cannot use mschap, are there other solutions for wi-fi
> authentication via LDAP?

I'm afraid this doesn't make sense to me. Can you describe in more
detail what you're trying to do?