RE: LDAP, PEAP, Active Directory issue

2005-01-14 Thread Willey Kurt D
It isn't as hard as you are trying to make it...

There are sample configs in the archive I posted for AJ Grinnell


RE: LDAP, PEAP, Active Directory issue

2005-01-14 Thread Willey Kurt D
I sent the sample configs, start there.

It isn't as hard as you are trying to make it.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP, PEAP, Active Directory issue

2005-01-14 Thread Stefan . Neis
Hi,

> I have a question about the problem below.
>
> If in LDAP (openldap) we provide the ntpassword (with samba), will it
> work to authenticate Windows XP users with PEAP + mschapv2?

Note, however, that storing and using ntpasswords instead of cleartext
passwords offers no advantage at all, as far as security is concerned.
Depending on your existing environment, one may be easier to use than
the other, but it certainly isn't worth the pain of heavily modifying
an existing environment to get from one to the other.

Regards,
Stefan





Re: LDAP, PEAP, Active Directory issue

2005-01-13 Thread AJ Grinnell
On Thu, 13 Jan 2005 15:40:21 -0700, Ron Wahler <[EMAIL PROTECTED]> wrote:
> Where is a good place to read the details of how ntlm_auth integrates in
> with AD ?
> 
> Ron.
> 

If you happen to find out, will you please let me know? I will pass
the info to you if I find it first.



RE: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Ron Wahler
Where is a good place to read the details of how ntlm_auth integrates in
with AD ?

Ron.


RE: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Willey Kurt D
Ntlm hashes the password for you

From radius.conf:
ntlm_auth = "/your/install/location/samba/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


RE: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Ron Wahler
So when you use Samba you can get the password in the clear ? how
Is the mschap hash generated?

Ron.


RE: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Willey Kurt D
AD

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ron
Wahler
Sent: Thursday, January 13, 2005 4:13 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue

Are you storing the passwords in OpenLDAP or 
Active Directory?




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Willey
Kurt D
Sent: Thursday, January 13, 2005 12:21 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue

yes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Israel
Fabio Alves
Sent: Thursday, January 13, 2005 1:19 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

Hi,

I have a question about the problem below.

If in LDAP (openldap) we provide the ntpassword (with samba), will it
work to authenticate Windows XP users with PEAP + mschapv2?

Thanks.

Ron Wahler wrote:

> You could still encrypt the passwords in the ldap database; it just has
> to be a two way hash so you can get the password in the clear.
> 
> Ron.
> 
> Ron Wahler
> http://www.positive-logic.net
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Christopher Price
> Sent: Thursday, January 13, 2005 8:58 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: LDAP, PEAP, Active Directory issue
> 
> I am having the same problem. When you use an EAP type (like PEAP), a
> hash of the password is sent to the radius server. The radius server is
> able to deal with this if it has the password (such as in a mysql DB or
> local file). The password can be hashed and compared with the hash that
> was received from the client (WinXP PC in your case). If you use LDAP,
> you must supply a cleartext password (usually over SSL) in order to
> perform PAP authentication. Since you are sending the hash of the
> password to the LDAP server it cannot bind. The only solution that I
> have found is to store cleartext passwords in the LDAP DB, but this
> would defeat the purpose of authentication because then anyone could
> view passwords stored on the LDAP server. I hope this explanation helps
> (at least it wasn't filled with WTF's and RTFM's like some responses).
> :)
> 
> 
>>>>[EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>
> 
> On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> 
>>AJ Grinnell <[EMAIL PROTECTED]> wrote:
>>
>>>Ok, I have peap working with the users file and with mysql, and I have
>>>radius working with ldap also. But I can not get a user to
>>>authenticate against ldap using peap.
>>
>>  The server does not authenticate against LDAP for any EAP type. See
>>my previous message to you on this topic.
>>
>>>I have seen that you cant use eap and ldap,
>>
>>  You already asked this question, and I already answered it.  If you
>>don't remember, read the list archives.
>>
>>>but peap and ldap should work from what I have read.
>>
>>  PEAP is a type of EAP.
>>
>>>the debug that I am seeing is very long, so I have included the part
>>>where I am seeing an obvious error.
>>
>>  The part where it says it doesn't have a password?
>>
>>> rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>>> rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>>> rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
>>> rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>>
>>  You haven't told the server what the user's password is.  How the
>>heck do you expect it to authenticate anyone?
>>
>>  Alan DeKok.
>>
> 
> I'm sorry, I have not seen any replies that you may have given me. The
> server has been told what the user's password is when they log in over
> the wireless, Windows XP asks for a username and password, both of
> which are in active directory. I can authenticate against the users
> file and a mysql database in the same fashion, why would ldap not
> work?  Again, I'm sorry if this is a basic question.
> 

-- 
Israel Alves - Infrastructure Manager
Quantiza Systems - 55(51) 598-2343



RE: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Ron Wahler
Are you storing the passwords in OpenLDAP or 
Active Directory?






Re: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Alan DeKok
Israel Fabio Alves <[EMAIL PROTECTED]> wrote:
> If in LDAP (openldap) we provide the ntpassword (with samba), will it
> work to authenticate Windows XP users with PEAP + mschapv2?

  Yes.

  Alan DeKok.



Re: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Alan DeKok
AJ Grinnell <[EMAIL PROTECTED]> wrote:
> I'm sorry, I have not seen any replies that you may have given me.

  You not only saw, you responded.  Please remember the answers you're
given on this list.  It helps to avoid repetition.

http://lists.freeradius.org/pipermail/freeradius-users/2005-January/039604.html

> the wireless, Windows XP asks for a username and password, both of
> which are in active directory. I can authenticate against the users
> file and a mysql database in the same fashion, why would ldap not
> work?

  AD isn't an LDAP server.  It's close, but it doesn't supply what
FreeRADIUS needs.  See "ntlm_auth" in radiusd.conf.

  Alan DeKok.




RE: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Willey Kurt D
Point ntlm_auth to your samba install; like:
ntlm_auth = "/your/install/location/samba/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Israel
Fabio Alves
Sent: Thursday, January 13, 2005 2:25 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

Sorry for the question, but do you have a sample radius.conf to publish
for us?

Because I tried to configure this, but I always have the error below:

  PEAP: Got tunneled reply RADIUS code 3
Service-Type = Login-User
MS-CHAP-Error = "8E=691 R=1"
EAP-Message = 0x04380004
Message-Authenticator = 0x
   PEAP: Processing from tunneled session code 0x817f5c8 3
Service-Type = Login-User
MS-CHAP-Error = "8E=691 R=1"
EAP-Message = 0x04380004
Message-Authenticator = 0x
   PEAP: Tunneled authentication was rejected.
   rlm_eap_peap: FAILURE



Debug file:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
Config:   including file: /usr/local/radius/etc/raddb/eap.conf
  main: prefix = "/usr/local/radius"
  main: localstatedir = "/usr/local/radius/var"
  main: logdir = "/usr/local/radius/var/log/radius"
  main: libdir = "/usr/local/radius/lib"
  main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
  main: hostname_lookups = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = "/usr/local/radius/var/log/radius/radius.log"
  main: log_auth = no
  main: log_auth_badpass = no
  main: log_auth_goodpass = no
  main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
  main: user = "(null)"
  main: group = "(null)"
  main: usercollide = no
  main: lower_user = "no"
  main: lower_pass = "no"
  main: nospace_user = "no"
  main: nospace_pass = "no"
  main: checkrad = "/usr/local/radius/sbin/checkrad"
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  proxy: post_proxy_authorize = yes
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded PAP
  pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
  mschap: use_mppe = yes
  mschap: require_encryption = yes
  mschap: require_strong = yes
  mschap: with_ntdomain_hack = no
  mschap: passwd = "(null)"
  mschap: authtype = "MS-CHAP"
  mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
  ldap: server = "localhost"
  ldap: port = 389
  ldap: net_timeout = 1
  ldap: timeout = 4
  ldap: timelimit = 3
  ldap: identity = "cn=admin,dc=testdomain,dc=com"
  ldap: tls_mode = no
  ldap: start_tls = no
  ldap: tls_cacertfile = "(null)"
  ldap: tls_cacertdir = "(null)"
  ldap: tls_certfile = "(null)"
  ldap: tls_keyfile = "(null)"
  ldap: tls_randfile = "(null)"
  ldap: tls_require_cert = "allow"
  ldap: password = "xtopazio"
  ldap: basedn = "dc=testdomain,dc=com"
  ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
  ldap: base_filter = "(objectclass=radiusprofile)"
  ldap: default_profile = "(null)"
  ldap: profile_attribute = "radiusProfileDn"
  ldap: password_header = "{CRYPT}"
  ldap: password_attribute = "userPassword"
  ldap: access_attr = "(null)"
  ldap: groupname_attribute = "cn"
  ldap: groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gr
oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
  ldap: groupmembership_attribute = "radiusGroupName"
  ldap: dictionary_mapping = "

Re: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Israel Fabio Alves
# Livingston-style 'users' file
files {
	usersfile = ${confdir}/users
	acctusersfile = ${confdir}/acct_users
	compat = no
}
acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}

# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
	rcode = fail
}
always reject {
	rcode = reject
}
always ok {
	rcode = ok
	simulcount = 0
	mpp = no
}
}
authorize {
	preprocess
#	chap
#	mschap
#	suffix
#	ntdomain
	eap
#	files
#	sql
#	etc_smbpasswd
	ldap
#	daily
#	checkval
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
#
#  MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}
#	digest
#	pam
#	unix

RE: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Willey Kurt D
Softerra ldap browser helped with AD structure

Relevant radiusd.conf
mschap {

with_ntdomain_hack = yes
ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=
%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

}

ldap {
server = "x.x.x.x"
port = 636
identity = "cn=ldapuser,dc=yourdomain,dc=com"
password = yourpassword 
basedn = "dc=domain,dc=com"
filter = "(&(samaccountname=%{Stripped-User-Name:-%{User-Name}}))"
start_tls = no
tls_cacertfile  = /usr/local/ssl/certs/server.pem
tls_cacertdir   = /usr/local/ssl/certs/

}

eap.conf {

default_eap_type = peap
tls {
private_key_file = /usr/local/ssl/bin/pluto.key
certificate_file = /usr/local/ssl/bin/pluto.crt
CA_file = /usr/local/ssl/certs/sausecure.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
}

ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}


smb.conf -
workgroup = YOURDOMAIN
hosts allow = x.x.x.x. 127.
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind nested groups = no
winbind separator = +
winbind trusted domains only = no
winbind use default domain = no
winbind cache time = 10
security = domain
password server = *


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AJ
Grinnell
Sent: Thursday, January 13, 2005 1:19 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

Does anyone have an example of radiusd.conf that will show the
following. I know this can be done.
Windows XP client --> 802.1x/PEAP --> Freeradius 1.0.1 --> Active
Directory
I have tried many different configs, yet I am still getting an error
with the password. I just need an example, please.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Willey Kurt D
yes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Israel
Fabio Alves
Sent: Thursday, January 13, 2005 1:19 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

Hi,

I have a question about the problem below.

If in LDAP (openldap) we provide the ntpassword (with samba), will it
work to authenticate Windows XP users with PEAP + mschapv2?

Thanks.

Ron Wahler wrote:

> You could still encrypt the passwords in the ldap database; it just has
> to be a two-way hash so you can get the password in the clear.
> 
> Ron.
> 
> Ron Wahler
> http://www.positive-logic.net
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Christopher Price
> Sent: Thursday, January 13, 2005 8:58 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: LDAP, PEAP, Active Directory issue
> 
> I am having the same problem. When you use an EAP type (like PEAP), a
> hash of the password is sent to the radius server. The radius server is
> able to deal with this if it has the password (such as in a mysql DB or
> local file). The password can be hashed and compared with the hash that
> was received from the client (WinXP PC in your case). If you use LDAP,
> you must supply a cleartext password (usually over SSL) in order to
> perform PAP authentication. Since you are sending the hash of the
> password to the LDAP server it cannot bind. The only solution that I
> have found is to store cleartext passwords in the LDAP DB, but this
> would defeat the purpose of authentication because then anyone could
> view passwords stored on the LDAP server. I hope this explanation helps
> (at least it wasn't filled with WTF's and RTFM's like some responses).
> :)
> 
> 
>>>>[EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>
> 
> On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> 
>> AJ Grinnell <[EMAIL PROTECTED]> wrote:
>>
>>> Ok, I have peap working with the users file and with mysql, and I have
>>> radius working with ldap also. But I can not get a user to
>>> authenticate against ldap using peap.
>>
>>   The server does not authenticate against LDAP for any EAP type.  See
>> my previous message to you on this topic.
>>
>>> I have seen that you cant use eap and ldap,
>>
>>   You already asked this question, and I already answered it.  If you
>> don't remember, read the list archives.
>>
>>> but peap and ldap should work from what I have read.
>>
>>   PEAP is a type of EAP.
>>
>>> the debug that I am seeing is very long, so I have included the part
>>> where I am seeing an obvious error.
>>
>>   The part where it says it doesn't have a password?
>>
>>> rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>>> rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>>> rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
>>> rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>>
>>   You haven't told the server what the user's password is.  How the
>> heck do you expect it to authenticate anyone?
>>
>>   Alan DeKok.
> 
> I'm sorry, I have not seen any replies that you may have given me. The
> server has been told what the users password is when they log in over
> the wireless, Windows XP asks for a username and password, both of
> which are in active directory. I can authenticate against the users
> file and a mysql database in the same fashion, why would ldap not
> work?  Again, Im sorry if this is a basic question.
> 

-- 
Israel Alves - Gerente de Infraestrutura
Quantiza Systems - 55(51) 598-2343

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Israel Fabio Alves
Hi,
I have a question about the problem below.
If in LDAP (openldap) we provide the ntpassword (with samba), will it
work to authenticate Windows XP users with PEAP + mschapv2?

Thanks.
Ron Wahler wrote:
You could still encrypt the passwords in the ldap database; it just has
to be a two-way hash so you can get the password in the clear.
Ron.
Ron Wahler
http://www.positive-logic.net
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Christopher Price
Sent: Thursday, January 13, 2005 8:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue
I am having the same problem. When you use an EAP type (like PEAP), a
hash of the password is sent to the radius server. The radius server is
able to deal with this if it has the password (such as in a mysql DB or
local file). The password can be hashed and compared with the hash that
was received from the client (WinXP PC in your case). If you use LDAP,
you must supply a cleartext password (usually over SSL) in order to
perform PAP authentication. Since you are sending the hash of the
password to the LDAP server it cannot bind. The only solution that I
have found is to store cleartext passwords in the LDAP DB, but this
would defeat the purpose of authentication because then anyone could
view passwords stored on the LDAP server. I hope this explanation helps
(at least it wasn't filled with WTF's and RTFM's like some responses).
:)

[EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>
On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
AJ Grinnell <[EMAIL PROTECTED]> wrote:
Ok, I have peap working with the users file and with mysql, and I have
radius working with ldap also. But I can not get a user to
authenticate against ldap using peap.
 The server does not authenticate against LDAP for any EAP type.  See
my previous message to you on this topic.

I have seen that you cant use eap and ldap,
 You already asked this question, and I already answered it.  If you
don't remember, read the list archives.

but peap and ldap should work from what I have read.
 PEAP is a type of EAP.

the debug that I am seeing is very long, so I have included the part
where I am seeing an obvious error.
 The part where it says it doesn't have a password?

rlm_mschap: No User-Password configured.  Cannot create LM-Password.
rlm_mschap: No User-Password configured.  Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 You haven't told the server what the user's password is.  How the
heck do you expect it to authenticate anyone?
 Alan DeKok.

I'm sorry, I have not seen any replies that you may have given me. The
server has been told what the users password is when they log in over
the wireless, Windows XP asks for a username and password, both of
which are in active directory. I can authenticate against the users
file and a mysql database in the same fashion, why would ldap not
work?  Again, Im sorry if this is a basic question.
--
Israel Alves - Gerente de Infraestrutura
Quantiza Systems - 55(51) 598-2343
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP, PEAP, Active Directory issue

2005-01-13 Thread AJ Grinnell
Does anyone have an example of radiusd.conf that will show the
following. I know this can be done.
Windows XP client --> 802.1x/PEAP --> Freeradius 1.0.1 --> Active Directory
I have tried many different configs, yet I am still getting an error
with the password. I just need an example, please.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Ron Wahler
You could still encrypt the passwords in the ldap database; it just has
to be a two-way hash so you can get the password in the clear.

Ron.

Ron Wahler
http://www.positive-logic.net

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Christopher Price
Sent: Thursday, January 13, 2005 8:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

I am having the same problem. When you use an EAP type (like PEAP), a
hash of the password is sent to the radius server. The radius server is
able to deal with this if it has the password (such as in a mysql DB or
local file). The password can be hashed and compared with the hash that
was received from the client (WinXP PC in your case). If you use LDAP,
you must supply a cleartext password (usually over SSL) in order to
perform PAP authentication. Since you are sending the hash of the
password to the LDAP server it cannot bind. The only solution that I
have found is to store cleartext passwords in the LDAP DB, but this
would defeat the purpose of authentication because then anyone could
view passwords stored on the LDAP server. I hope this explanation helps
(at least it wasn't filled with WTF's and RTFM's like some responses).
:)

>>> [EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>
On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> AJ Grinnell <[EMAIL PROTECTED]> wrote:
> > Ok, I have peap working with the users file and with mysql, and I have
> > radius working with ldap also. But I can not get a user to
> > authenticate against ldap using peap.
> 
>   The server does not authenticate against LDAP for any EAP type.  See
> my previous message to you on this topic.
> 
> > I have seen that you cant use eap and ldap,
> 
>   You already asked this question, and I already answered it.  If you
> don't remember, read the list archives.
> 
> > but peap and ldap should work from what I have read.
> 
>   PEAP is a type of EAP.
> 
> > the debug that I am seeing is very long, so I have included the part
> > where I am seeing an obvious error.
> 
>   The part where it says it doesn't have a password?
> 
> >  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
> >  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
> >  rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
> >  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
> 
>   You haven't told the server what the user's password is.  How the
> heck do you expect it to authenticate anyone?
> 
>   Alan DeKok.
> 

I'm sorry, I have not seen any replies that you may have given me. The
server has been told what the users password is when they log in over
the wireless, Windows XP asks for a username and password, both of
which are in active directory. I can authenticate against the users
file and a mysql database in the same fashion, why would ldap not
work?  Again, Im sorry if this is a basic question.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Ron Wahler
You could still encrypt the passwords in the ldap database; it just has
to be a two-way hash so you can get the password in the clear.

Ron.

Ron Wahler
http://www.postive-logic.net



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Christopher Price
Sent: Thursday, January 13, 2005 8:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

I am having the same problem. When you use an EAP type (like PEAP), a
hash of the password is sent to the radius server. The radius server is
able to deal with this if it has the password (such as in a mysql DB or
local file). The password can be hashed and compared with the hash that
was received from the client (WinXP PC in your case). If you use LDAP,
you must supply a cleartext password (usually over SSL) in order to
perform PAP authentication. Since you are sending the hash of the
password to the LDAP server it cannot bind. The only solution that I
have found is to store cleartext passwords in the LDAP DB, but this
would defeat the purpose of authentication because then anyone could
view passwords stored on the LDAP server. I hope this explanation helps
(at least it wasn't filled with WTF's and RTFM's like some responses).
:)

>>> [EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>
On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> AJ Grinnell <[EMAIL PROTECTED]> wrote:
> > Ok, I have peap working with the users file and with mysql, and I have
> > radius working with ldap also. But I can not get a user to
> > authenticate against ldap using peap.
> 
>   The server does not authenticate against LDAP for any EAP type.  See
> my previous message to you on this topic.
> 
> > I have seen that you cant use eap and ldap,
> 
>   You already asked this question, and I already answered it.  If you
> don't remember, read the list archives.
> 
> > but peap and ldap should work from what I have read.
> 
>   PEAP is a type of EAP.
> 
> > the debug that I am seeing is very long, so I have included the part
> > where I am seeing an obvious error.
> 
>   The part where it says it doesn't have a password?
> 
> >  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
> >  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
> >  rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
> >  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
> 
>   You haven't told the server what the user's password is.  How the
> heck do you expect it to authenticate anyone?
> 
>   Alan DeKok.
> 

I'm sorry, I have not seen any replies that you may have given me. The
server has been told what the users password is when they log in over
the wireless, Windows XP asks for a username and password, both of
which are in active directory. I can authenticate against the users
file and a mysql database in the same fashion, why would ldap not
work?  Again, Im sorry if this is a basic question.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Christopher Price
I am having the same problem. When you use an EAP type (like PEAP), a
hash of the password is sent to the radius server. The radius server is
able to deal with this if it has the password (such as in a mysql DB or
local file). The password can be hashed and compared with the hash that
was received from the client (WinXP PC in your case). If you use LDAP,
you must supply a cleartext password (usually over SSL) in order to
perform PAP authentication. Since you are sending the hash of the
password to the LDAP server it cannot bind. The only solution that I
have found is to store cleartext passwords in the LDAP DB, but this
would defeat the purpose of authentication because then anyone could
view passwords stored on the LDAP server. I hope this explanation helps
(at least it wasn't filled with WTF's and RTFM's like some responses).
:)

>>> [EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>
On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> AJ Grinnell <[EMAIL PROTECTED]> wrote:
> > Ok, I have peap working with the users file and with mysql, and I have
> > radius working with ldap also. But I can not get a user to
> > authenticate against ldap using peap.
> 
>   The server does not authenticate against LDAP for any EAP type.  See
> my previous message to you on this topic.
> 
> > I have seen that you cant use eap and ldap,
> 
>   You already asked this question, and I already answered it.  If you
> don't remember, read the list archives.
> 
> > but peap and ldap should work from what I have read.
> 
>   PEAP is a type of EAP.
> 
> > the debug that I am seeing is very long, so I have included the part
> > where I am seeing an obvious error.
> 
>   The part where it says it doesn't have a password?
> 
> >  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
> >  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
> >  rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
> >  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
> 
>   You haven't told the server what the user's password is.  How the
> heck do you expect it to authenticate anyone?
> 
>   Alan DeKok.
> 

I'm sorry, I have not seen any replies that you may have given me. The
server has been told what the users password is when they log in over
the wireless, Windows XP asks for a username and password, both of
which are in active directory. I can authenticate against the users
file and a mysql database in the same fashion, why would ldap not
work?  Again, Im sorry if this is a basic question.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
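Christopher Price's explanation above, and Alan's "Yes" near the top of the thread to keeping the NT password in OpenLDAP, both come down to what rlm_mschap means by NT-Password. The following is an added example, not code from this thread or from FreeRADIUS: it computes the NT hash (MD4 of the UTF-16LE password, RFC 2759 section 8.3) and the MS-CHAPv2 ChallengeHash (section 8.2), checks them against the RFC 2759 section 9.2 test vectors, and shows why a {CRYPT} userPassword, as in the debug output earlier in the thread, cannot be turned into that hash. The MD4 routine is written out because hashlib's MD4 is unavailable on OpenSSL 3 builds unless the legacy provider is loaded; can_verify_mschapv2 and its sample entries are a constructed simplification of the rlm_ldap to rlm_mschap attribute hand-off, not the modules' actual logic.

```python
"""Added example: what "NT-Password" is and why a {CRYPT} digest cannot supply it.

MS-CHAPv2 (RFC 2759) never transmits the password. The peer DES-encrypts an
8-byte ChallengeHash under NtPasswordHash = MD4(UTF-16LE(password)); the
server can only check that if it also holds the 16-byte MD4 value (or the
cleartext to derive it). Samba's sambaNTPassword attribute stores that MD4
value as uppercase hex, which is why an OpenLDAP entry carrying it can back
PEAP/MS-CHAPv2, while a one-way userPassword digest cannot.
"""
import hashlib
import struct

_MASK = 0xFFFFFFFF
_R3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_block(state, block):
    """One 64-byte MD4 compression step (RFC 1320), rotating (a, b, c, d) per op."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(16):                      # round 1: F = (x & y) | (~x & z)
        f = (b & c) | (~b & d)
        a = _rotl((a + f + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                      # round 2: G = majority(x, y, z)
        g = (b & c) | (b & d) | (c & d)
        k = (i % 4) * 4 + i // 4
        a = _rotl((a + g + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                      # round 3: H = x ^ y ^ z
        h = b ^ c ^ d
        a = _rotl((a + h + X[_R3_ORDER[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return tuple((s + v) & _MASK for s, v in zip(state, (a, b, c, d)))


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (16 bytes); written out because hashlib may lack MD4."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        state = _md4_block(state, msg[off:off + 64])
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash, RFC 2759 s8.3: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def samba_nt_password(password: str) -> str:
    """The value Samba writes to sambaNTPassword (uppercase hex of the NT hash)."""
    return nt_password_hash(password).hex().upper()


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash, RFC 2759 s8.2: first 8 bytes of SHA1(peer || authenticator || user)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()[:8]


def can_verify_mschapv2(ldap_entry: dict) -> bool:
    """Constructed simplification (not rlm_ldap/rlm_mschap code) of what the
    server can do with an LDAP entry: a sambaNTPassword or a cleartext
    userPassword yields an NT hash; a one-way digest ({CRYPT}, {SSHA}, ...)
    yields nothing, so MS-CHAPv2 must be rejected."""
    if "sambaNTPassword" in ldap_entry:
        return True
    pw = ldap_entry.get("userPassword")
    if pw is None:
        return False
    return not pw.startswith("{") or pw.lower().startswith("{clear}")


if __name__ == "__main__":
    # Constructed sample entries, not data from the thread.
    print("sambaNTPassword for 'password':", samba_nt_password("password"))
    print("{CRYPT} entry usable for PEAP/MS-CHAPv2:",
          can_verify_mschapv2({"userPassword": "{CRYPT}$1$saltsalt$xyz"}))
```

The DES-based NT-Response itself (what `--nt-response` carries to ntlm_auth in the configs posted earlier) is left to rlm_mschap or the domain controller; the point is that every path to verifying it starts from the 16-byte MD4 value, which is exactly what a one-way crypt digest withholds and what ntlm_auth sidesteps by asking the DC instead.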


Re: LDAP, PEAP, Active Directory issue

2005-01-13 Thread AJ Grinnell
On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> AJ Grinnell <[EMAIL PROTECTED]> wrote:
> > Ok, I have peap working with the users file and with mysql, and I have
> > radius working with ldap also. But I can not get a user to
> > authenticate against ldap using peap.
> 
>   The server does not authenticate against LDAP for any EAP type.  See
> my previous message to you on this topic.
> 
> > I have seen that you cant use eap and ldap,
> 
>   You already asked this question, and I already answered it.  If you
> don't remember, read the list archives.
> 
> > but peap and ldap should work from what I have read.
> 
>   PEAP is a type of EAP.
> 
> > the debug that I am seeing is very long, so I have included the part
> > where I am seeing an obvious error.
> 
>   The part where it says it doesn't have a password?
> 
> >  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
> >  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
> >  rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
> >  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
> 
>   You haven't told the server what the user's password is.  How the
> heck do you expect it to authenticate anyone?
> 
>   Alan DeKok.
> 

I'm sorry, I have not seen any replies that you may have given me. The
server has been told what the users password is when they log in over
the wireless, Windows XP asks for a username and password, both of
which are in active directory. I can authenticate against the users
file and a mysql database in the same fashion, why would ldap not
work?  Again, Im sorry if this is a basic question.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP, PEAP, Active Directory issue

2005-01-13 Thread Alan DeKok
AJ Grinnell <[EMAIL PROTECTED]> wrote:
> Ok, I have peap working with the users file and with mysql, and I have
> radius working with ldap also. But I can not get a user to
> authenticate against ldap using peap.

  The server does not authenticate against LDAP for any EAP type.  See
my previous message to you on this topic.

> I have seen that you cant use eap and ldap,

  You already asked this question, and I already answered it.  If you
don't remember, read the list archives.

> but peap and ldap should work from what I have read.

  PEAP is a type of EAP.

> the debug that I am seeing is very long, so I have included the part
> where I am seeing an obvious error.

  The part where it says it doesn't have a password?

>  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>  rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
>  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.

  You haven't told the server what the user's password is.  How the
heck do you expect it to authenticate anyone?

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html