RE: LDAP, PEAP, Active Directory issue
It isn't as hard as you are trying to make it... There are sample configs in the archive I posted for AJ Grinnell.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ron Wahler
Sent: Thursday, January 13, 2005 4:40 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue

Where is a good place to read the details of how ntlm_auth integrates in with AD?

Ron.
RE: LDAP, PEAP, Active Directory issue
I sent the sample configs, start there. It isn't as hard as you are trying to make it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AJ Grinnell
Sent: Thursday, January 13, 2005 6:28 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

On Thu, 13 Jan 2005 15:40:21 -0700, Ron Wahler <[EMAIL PROTECTED]> wrote:
> Where is a good place to read the details of how ntlm_auth integrates in
> with AD ?
>
> Ron.
>

If you happen to find out, will you please let me know? I will pass the info to you if I find it first.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP, PEAP, Active Directory issue
Hi,

> I have a question about the problem below.
>
> If in LDAP (openldap) we provide the ntpassword (with samba), will it
> work to authenticate Windows XP users with PEAP + mschapv2?

Note however, that storing & using ntpasswords instead of cleartext passwords offers no advantage at all - as far as security is concerned. Depending on your existing environment, one may be easier to use than the other, but it certainly isn't worth the pain to heavily modify an existing environment to get from one to the other.

Regards,
Stefan
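Two points raised in this thread, Ron's "how is the mschap hash generated?" and Stefan's note that a stored ntpassword is no safer than cleartext, can be checked in code. The following is an added example, not code from the thread, from FreeRADIUS or from Samba: it computes the NT hash the way NTLM and MS-CHAPv2 define it (MD4 over the UTF-16LE password, no salt, using a small pure-Python MD4 because hashlib's md4 is often unavailable), derives the RFC 2759 challenge hash, and shows which stored LDAP credential forms rlm_mschap could work with. The attribute names (`userPassword`, `sambaNTPassword`), the helper `usable_nt_hash` and the three sample entries are assumptions constructed for the example.

```python
import hashlib
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's 'md4' is missing from many OpenSSL 3
    builds, so the digest is written out here instead of relying on it."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"          # pad: 0x80, zeros, then 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                          # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                          # round 2
            a = rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                          # round 3
            a = rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0 = (a0 + a) & MASK32, (b0 + b) & MASK32
        c0, d0 = (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """The NT-Password rlm_mschap needs: MD4 over the UTF-16LE password, with no salt."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 bytes of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName).
    Together with the NT hash this is all the server needs to verify an NT-Response."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode("ascii")).digest()[:8]


def usable_nt_hash(entry: dict) -> Optional[bytes]:
    """Which stored LDAP credential forms can serve MS-CHAPv2 (assumed attribute names):
    a stored sambaNTPassword already is the NT hash; a cleartext userPassword lets the
    server derive it; a {CRYPT}/{SSHA} userPassword is a one-way hash that cannot be
    turned into an NT hash, which is the 'No NT/LM-Password' failure seen in the thread."""
    if "sambaNTPassword" in entry:
        return bytes.fromhex(entry["sambaNTPassword"])
    pw = entry.get("userPassword")
    if pw is None or pw.startswith("{"):
        return None
    return nt_hash(pw)


# Constructed sample entries (not from the thread); the stored hash is NT("password").
ENTRY_CRYPT = {"uid": "agrinnell", "userPassword": "{CRYPT}$1$saltsalt$notusable"}
ENTRY_CLEAR = {"uid": "agrinnell", "userPassword": "password"}
ENTRY_SAMBA = {"uid": "agrinnell", "sambaNTPassword": "8846F7EAEE8FB117AD06BDD830B7586C"}

if __name__ == "__main__":
    for label, entry in (("{CRYPT}", ENTRY_CRYPT), ("cleartext", ENTRY_CLEAR), ("sambaNTPassword", ENTRY_SAMBA)):
        h = usable_nt_hash(entry)
        print(label, "->", h.hex() if h else "no NT/LM-Password, MS-CHAPv2 cannot be performed")
```

ENTRY_CLEAR and ENTRY_SAMBA yield the same value, which is Stefan's point: the stored NT hash is everything the server uses for MS-CHAPv2, so the attribute needs the same LDAP ACL protection as a cleartext password would.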
Re: LDAP, PEAP, Active Directory issue
On Thu, 13 Jan 2005 15:40:21 -0700, Ron Wahler <[EMAIL PROTECTED]> wrote:
> Where is a good place to read the details of how ntlm_auth integrates in
> with AD ?
>
> Ron.
>

If you happen to find out, will you please let me know? I will pass the info to you if I find it first.
RE: LDAP, PEAP, Active Directory issue
Where is a good place to read the details of how ntlm_auth integrates in with AD?

Ron.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Willey Kurt D
Sent: Thursday, January 13, 2005 3:27 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue

Ntlm hashes the password for you

From radius.conf

ntlm_auth = "/your/install/location/samba/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
RE: LDAP, PEAP, Active Directory issue
Ntlm hashes the password for you

From radius.conf

ntlm_auth = "/your/install/location/samba/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ron Wahler
Sent: Thursday, January 13, 2005 4:25 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue

So when you use Samba you can get the password in the clear? How is the mschap hash generated?

Ron.
RE: LDAP, PEAP, Active Directory issue
So when you use Samba you can get the password in the clear? How is the mschap hash generated?

Ron.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Willey Kurt D
Sent: Thursday, January 13, 2005 3:17 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue

AD

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ron Wahler
Sent: Thursday, January 13, 2005 4:13 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue

Are you storing the passwords in OpenLDAP or Active Directory?
RE: LDAP, PEAP, Active Directory issue
AD

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ron Wahler
Sent: Thursday, January 13, 2005 4:13 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue

Are you storing the passwords in OpenLDAP or Active Directory?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Willey Kurt D
Sent: Thursday, January 13, 2005 12:21 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue

yes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Israel Fabio Alves
Sent: Thursday, January 13, 2005 1:19 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

Hi,

I have a question about the problem below.

If in LDAP (openldap) we provide the ntpassword (with samba), will it work to authenticate Windows XP users with PEAP + mschapv2?

Thanks.

Ron Wahler wrote:
> You could still encrypt the passwords in the ldap database, it just has
> to be a two way hash so you can get the password in the clear.
>
> Ron.
>
> Ron Wahler
> http://www.positive-logic.net
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Christopher Price
> Sent: Thursday, January 13, 2005 8:58 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: LDAP, PEAP, Active Directory issue
>
> I am having the same problem. When you use an EAP type (like PEAP), a
> hash of the password is sent to the radius server. The radius server is
> able to deal with this if it has the password (such as in a mysql DB or
> local file). The password can be hashed and compared with the hash that
> was received from the client (WinXP PC in your case). If you use LDAP,
> you must supply a cleartext password (usually over SSL) in order to
> perform PAP authentication. Since you are sending the hash of the
> password to the LDAP server it cannot bind. The only solution that I
> have found is to store cleartext passwords in the LDAP DB, but this
> would defeat the purpose of authentication because then anyone could
> view passwords stored on the LDAP server. I hope this explanation helps
> (at least it wasn't filled with WTF's and RTFM's like some responses).
> :)
>
>>>> [EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>
>
> On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
>
>> AJ Grinnell <[EMAIL PROTECTED]> wrote:
>>
>>> Ok, I have peap working with the users file and with mysql, and I have
>>> radius working with ldap also. But I can not get a user to
>>> authenticate against ldap using peap.
>>
>> The server does not authenticate against LDAP for any EAP type. See
>> my previous message to you on this topic.
>>
>>> I have seen that you cant use eap and ldap,
>>
>> You already asked this question, and I already answered it. If you
>> don't remember, read the list archives.
>>
>>> but peap and ldap should work from what I have read.
>>
>> PEAP is a type of EAP.
>>
>>> the debug that I am seeing is very long, so I have included the part
>>> where I am seeing an obvious error.
>>
>> The part where it says it doesn't have a password?
>>
>>> rlm_mschap: No User-Password configured. Cannot create LM-Password.
>>> rlm_mschap: No User-Password configured. Cannot create NT-Password.
>>> rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
>>> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>>
>> You haven't told the server what the user's password is. How the
>> heck do you expect it to authenticate anyone?
>>
>> Alan DeKok.
>
> I'm sorry, I have not seen any replies that you may have given me. The
> server has been told what the user's password is when they log in over
> the wireless, Windows XP asks for a username and password, both of
> which are in active directory. I can authenticate against the users
> file and a mysql database in the same fashion, why would ldap not
> work? Again, I'm sorry if this is a basic question.

--
Israel Alves - Infrastructure Manager
Quantiza Systems - 55(51) 598-2343
RE: LDAP, PEAP, Active Directory issue
Are you storing the passwords in OpenLDAP or Active Directory?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Willey Kurt D
Sent: Thursday, January 13, 2005 12:21 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue

yes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Israel Fabio Alves
Sent: Thursday, January 13, 2005 1:19 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

Hi,

I have a question about the problem below.

If in LDAP (openldap) we provide the ntpassword (with samba), will it work to authenticate Windows XP users with PEAP + mschapv2?

Thanks.
Re: LDAP, PEAP, Active Directory issue
Israel Fabio Alves <[EMAIL PROTECTED]> wrote:
> If in LDAP (openldap) we provide the ntpassword (with samba), will it
> work to authenticate Windows XP users with PEAP + mschapv2?

Yes.

Alan DeKok.
Re: LDAP, PEAP, Active Directory issue
AJ Grinnell <[EMAIL PROTECTED]> wrote:
> I'm sorry, I have not seen any replies that you may have given me.

You not only saw, you responded. Please remember the answers you're given on this list. It helps to avoid repetition.

http://lists.freeradius.org/pipermail/freeradius-users/2005-January/039604.html

> the wireless, Windows XP asks for a username and password, both of
> which are in active directory. I can authenticate against the users
> file and a mysql database in the same fashion, why would ldap not
> work?

AD isn't an LDAP server. It's close, but it doesn't supply what FreeRADIUS needs. See "ntlm_auth" in radiusd.conf.

Alan DeKok.
RE: LDAP, PEAP, Active Directory issue
Point ntlm_auth to your samba install; like: ntlm_auth = "/your/install/location/samba/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge= %{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Israel Fabio Alves Sent: Thursday, January 13, 2005 2:25 PM To: freeradius-users@lists.freeradius.org Subject: Re: LDAP, PEAP, Active Directory issue Sorry for the question, but do you have a sample radius.conf to publish for as. Because a tried configure this, but always a have the error bellow: PEAP: Got tunneled reply RADIUS code 3 Service-Type = Login-User MS-CHAP-Error = "8E=691 R=1" EAP-Message = 0x04380004 Message-Authenticator = 0x PEAP: Processing from tunneled session code 0x817f5c8 3 Service-Type = Login-User MS-CHAP-Error = "8E=691 R=1" EAP-Message = 0x04380004 Message-Authenticator = 0x PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE Debug file: Starting - reading configuration files ... 
reread_config: reading radiusd.conf Config: including file: /usr/local/radius/etc/raddb/proxy.conf Config: including file: /usr/local/radius/etc/raddb/clients.conf Config: including file: /usr/local/radius/etc/raddb/snmp.conf Config: including file: /usr/local/radius/etc/raddb/eap.conf main: prefix = "/usr/local/radius" main: localstatedir = "/usr/local/radius/var" main: logdir = "/usr/local/radius/var/log/radius" main: libdir = "/usr/local/radius/lib" main: radacctdir = "/usr/local/radius/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/radius/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/radius/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. 
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded PAP
pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
ldap: server = "localhost"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=admin,dc=testdomain,dc=com"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "xtopazio"
ldap: basedn = "dc=testdomain,dc=com"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "radiusProfileDn"
ldap: password_header = "{CRYPT}"
ldap: password_attribute = "userPassword"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "radiusGroupName"
ldap: dictionary_mapping = "
Re: LDAP, PEAP, Active Directory issue
	# Livingston-style 'users' file
	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		compat = no
	}

	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}

	# The "always" module is here for debugging purposes. Each
	# instance simply returns the same result, always, without
	# doing anything.
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}
}

authorize {
	preprocess
#	chap
#	mschap
#	suffix
#	ntdomain
	eap
#	files
#	sql
#	etc_smbpasswd
	ldap
#	daily
#	checkval
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	#
	#  MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}
#	digest
#	pam
#	unix
RE: LDAP, PEAP, Active Directory issue
Softerra ldap browser helped with AD structure

Relevant radiusd.conf

mschap {
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

ldap {
	server = "x.x.x.x"
	port = 636
	identity = "cn=ldapuser,dc=yourdomain,dc=com"
	password = yourpassword
	basedn = "dc=domain,dc=com"
	filter = "(&(samaccountname=%{Stripped-User-Name:-%{User-Name}}))"
	start_tls = no
	tls_cacertfile = /usr/local/ssl/certs/server.pem
	tls_cacertdir = /usr/local/ssl/certs/
}

eap.conf {
	default_eap_type = peap
	tls {
		private_key_file = /usr/local/ssl/bin/pluto.key
		certificate_file = /usr/local/ssl/bin/pluto.crt
		CA_file = /usr/local/ssl/certs/sausecure.pem
		dh_file = ${raddbdir}/certs/dh
		random_file = ${raddbdir}/certs/random
	}
	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
	}
	peap {
		default_eap_type = mschapv2
	}
	mschapv2 {
	}
}

smb.conf -
	workgroup = YOURDOMAIN
	hosts allow = x.x.x.x. 127.
	idmap uid = 1-2
	idmap gid = 1-2
	winbind enum users = yes
	winbind nested groups = no
	winbind separator = +
	winbind trusted domains only = no
	winbind use default domain = no
	winbind cache time = 10
	security = domain
	password server = *

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AJ Grinnell
Sent: Thursday, January 13, 2005 1:19 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

Does anyone have an example of radiusd.conf that will show the following. I know this can be done.

Windows XP client --> 802.1x/PEAP --> Freeradius 1.0.1 --> Active Directory

I have tried many different configs, yet I am still getting an error with the password. I just need an example, please.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: LDAP, PEAP, Active Directory issue
yes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Israel Fabio Alves
Sent: Thursday, January 13, 2005 1:19 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

Hi,

I have a question about the problem below. If in LDAP (openldap) we provide the ntpassword (with samba), will it work to authenticate Windows XP users with PEAP + mschapv2?

Thanks.

Ron Wahler wrote:
> You could still encrypt the passwords in the ldap database it just has
> to be a two way hash so you can get the password in the clear.
>
> Ron.
>
> Ron Wahler
> http://www.positive-logic.net
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Christopher Price
> Sent: Thursday, January 13, 2005 8:58 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: LDAP, PEAP, Active Directory issue
>
> I am having the same problem. When you use an EAP type (like PEAP), a
> hash of the password is sent to the radius server. The radius server is
> able to deal with this if it has the password (such as in a mysql DB or
> local file). The password can be hashed and compared with the hash that
> was received from the client (WinXP PC in your case). If you use LDAP,
> you must supply a cleartext password (usually over SSL) in order to
> perform PAP authentication. Since you are sending the hash of the
> password to the LDAP server it cannot bind. The only solution that I
> have found is to store cleartext passwords in the LDAP DB, but this
> would defeat the purpose of authentication because then anyone could
> view passwords stored on the LDAP server. I hope this explanation helps
> (at least it wasn't filled with WTF's and RTFM's like some responses).
> :)
>
> >>> [EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>
> On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
>> AJ Grinnell <[EMAIL PROTECTED]> wrote:
>>> Ok, I have peap working with the users file and with mysql, and I have
>>> radius working with ldap also. But I can not get a user to
>>> authenticate against ldap using peap.
>>
>> The server does not authenticate against LDAP for any EAP type. See
>> my previous message to you on this topic.
>>
>>> I have seen that you cant use eap and ldap,
>>
>> You already asked this question, and I already answered it. If you
>> don't remember, read the list archives.
>>
>>> but peap and ldap should work from what I have read.
>>
>> PEAP is a type of EAP.
>>
>>> the debug that I am seeing is very long, so I have included the part
>>> where I am seeing an obvious error.
>>
>> The part where it says it doesn't have a password?
>>
>>> rlm_mschap: No User-Password configured. Cannot create LM-Password.
>>> rlm_mschap: No User-Password configured. Cannot create NT-Password.
>>> rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
>>> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>>
>> You haven't told the server what the users password is. How the
>> heck do you expect it to authenticate anyone?
>>
>> Alan DeKok.
>
> Im sorry, I have not seen any replies that you may have given me. The
> server has been told what the users password is when they log in over
> the wireless, Windows XP asks for a username and password, both of
> which are in active directory. I can authenticate against the users
> file and a mysql database in the same fashion, why would ldap not
> work? Again, Im sorry if this is a basic question.

-- 
Israel Alves - Infrastructure Manager
Quantiza Systems - 55(51) 598-2343
Re: LDAP, PEAP, Active Directory issue
Hi,

I have a question about the problem below. If in LDAP (openldap) we provide the ntpassword (with samba), will it work to authenticate Windows XP users with PEAP + mschapv2?

Thanks.

Ron Wahler wrote:
> You could still encrypt the passwords in the ldap database it just has
> to be a two way hash so you can get the password in the clear.
>
> Ron.
>
> Ron Wahler
> http://www.positive-logic.net
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Price
> Sent: Thursday, January 13, 2005 8:58 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: LDAP, PEAP, Active Directory issue
>
> I am having the same problem. When you use an EAP type (like PEAP), a
> hash of the password is sent to the radius server. The radius server is
> able to deal with this if it has the password (such as in a mysql DB or
> local file). The password can be hashed and compared with the hash that
> was received from the client (WinXP PC in your case). If you use LDAP,
> you must supply a cleartext password (usually over SSL) in order to
> perform PAP authentication. Since you are sending the hash of the
> password to the LDAP server it cannot bind. The only solution that I
> have found is to store cleartext passwords in the LDAP DB, but this
> would defeat the purpose of authentication because then anyone could
> view passwords stored on the LDAP server. I hope this explanation helps
> (at least it wasn't filled with WTF's and RTFM's like some responses).
> :)
>
> >>> [EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>
> On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
>> AJ Grinnell <[EMAIL PROTECTED]> wrote:
>>> Ok, I have peap working with the users file and with mysql, and I have
>>> radius working with ldap also. But I can not get a user to
>>> authenticate against ldap using peap.
>>
>> The server does not authenticate against LDAP for any EAP type. See
>> my previous message to you on this topic.
>>
>>> I have seen that you cant use eap and ldap,
>>
>> You already asked this question, and I already answered it. If you
>> don't remember, read the list archives.
>>
>>> but peap and ldap should work from what I have read.
>>
>> PEAP is a type of EAP.
>>
>>> the debug that I am seeing is very long, so I have included the part
>>> where I am seeing an obvious error.
>>
>> The part where it says it doesn't have a password?
>>
>>> rlm_mschap: No User-Password configured. Cannot create LM-Password.
>>> rlm_mschap: No User-Password configured. Cannot create NT-Password.
>>> rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
>>> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>>
>> You haven't told the server what the users password is. How the
>> heck do you expect it to authenticate anyone?
>>
>> Alan DeKok.
>
> Im sorry, I have not seen any replies that you may have given me. The
> server has been told what the users password is when they log in over
> the wireless, Windows XP asks for a username and password, both of
> which are in active directory. I can authenticate against the users
> file and a mysql database in the same fashion, why would ldap not
> work? Again, Im sorry if this is a basic question.

-- 
Israel Alves - Infrastructure Manager
Quantiza Systems - 55(51) 598-2343
Re: LDAP, PEAP, Active Directory issue
Does anyone have an example of radiusd.conf that will show the following. I know this can be done. Windows XP client --> 802.1x/PEAP --> Freeradius 1.0.1 --> Active Directory I have tried many different configs, yet I am still getting an error with the password. I just need an example, please. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: LDAP, PEAP, Active Directory issue
You could still encrypt the passwords in the ldap database it just has to be a two way hash so you can get the password in the clear.

Ron.

Ron Wahler
http://www.positive-logic.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Price
Sent: Thursday, January 13, 2005 8:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

I am having the same problem. When you use an EAP type (like PEAP), a hash of the password is sent to the radius server. The radius server is able to deal with this if it has the password (such as in a mysql DB or local file). The password can be hashed and compared with the hash that was received from the client (WinXP PC in your case). If you use LDAP, you must supply a cleartext password (usually over SSL) in order to perform PAP authentication. Since you are sending the hash of the password to the LDAP server it cannot bind. The only solution that I have found is to store cleartext passwords in the LDAP DB, but this would defeat the purpose of authentication because then anyone could view passwords stored on the LDAP server. I hope this explanation helps (at least it wasn't filled with WTF's and RTFM's like some responses). :)

>>> [EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>
On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> AJ Grinnell <[EMAIL PROTECTED]> wrote:
> > Ok, I have peap working with the users file and with mysql, and I have
> > radius working with ldap also. But I can not get a user to
> > authenticate against ldap using peap.
>
> The server does not authenticate against LDAP for any EAP type. See
> my previous message to you on this topic.
>
> > I have seen that you cant use eap and ldap,
>
> You already asked this question, and I already answered it. If you
> don't remember, read the list archives.
>
> > but peap and ldap should work from what I have read.
>
> PEAP is a type of EAP.
>
> > the debug that I am seeing is very long, so I have included the part
> > where I am seeing an obvious error.
>
> The part where it says it doesn't have a password?
>
> > rlm_mschap: No User-Password configured. Cannot create LM-Password.
> > rlm_mschap: No User-Password configured. Cannot create NT-Password.
> > rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
> > rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>
> You haven't told the server what the users password is. How the
> heck do you expect it to authenticate anyone?
>
> Alan DeKok.

Im sorry, I have not seen any replies that you may have given me. The server has been told what the users password is when they log in over the wireless, Windows XP asks for a username and password, both of which are in active directory. I can authenticate against the users file and a mysql database in the same fashion, why would ldap not work? Again, Im sorry if this is a basic question.
Re: LDAP, PEAP, Active Directory issue
I am having the same problem. When you use an EAP type (like PEAP), a hash of the password is sent to the radius server. The radius server is able to deal with this if it has the password (such as in a mysql DB or local file). The password can be hashed and compared with the hash that was received from the client (WinXP PC in your case). If you use LDAP, you must supply a cleartext password (usually over SSL) in order to perform PAP authentication. Since you are sending the hash of the password to the LDAP server it cannot bind. The only solution that I have found is to store cleartext passwords in the LDAP DB, but this would defeat the purpose of authentication because then anyone could view passwords stored on the LDAP server. I hope this explanation helps (at least it wasn't filled with WTF's and RTFM's like some responses). :)

>>> [EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>
On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> AJ Grinnell <[EMAIL PROTECTED]> wrote:
> > Ok, I have peap working with the users file and with mysql, and I have
> > radius working with ldap also. But I can not get a user to
> > authenticate against ldap using peap.
>
> The server does not authenticate against LDAP for any EAP type. See
> my previous message to you on this topic.
>
> > I have seen that you cant use eap and ldap,
>
> You already asked this question, and I already answered it. If you
> don't remember, read the list archives.
>
> > but peap and ldap should work from what I have read.
>
> PEAP is a type of EAP.
>
> > the debug that I am seeing is very long, so I have included the part
> > where I am seeing an obvious error.
>
> The part where it says it doesn't have a password?
>
> > rlm_mschap: No User-Password configured. Cannot create LM-Password.
> > rlm_mschap: No User-Password configured. Cannot create NT-Password.
> > rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
> > rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>
> You haven't told the server what the users password is. How the
> heck do you expect it to authenticate anyone?
>
> Alan DeKok.

Im sorry, I have not seen any replies that you may have given me. The server has been told what the users password is when they log in over the wireless, Windows XP asks for a username and password, both of which are in active directory. I can authenticate against the users file and a mysql database in the same fashion, why would ldap not work? Again, Im sorry if this is a basic question.
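The mechanism Christopher Price describes above (the client sends a challenge response derived from the password hash, so the server can only check it if it holds that hash), and the --challenge/--nt-response values the thread hands to ntlm_auth, as an added example that is not from this thread, FreeRADIUS or Samba: the MS-CHAPv2 NT-Response computation of RFC 2759 in Go, checked against the RFC's own test vectors. It assumes the NT hash is already available (taken from the RFC vectors rather than computed, so no MD4 is needed), which is exactly what rlm_mschap assumes when it asks for NT-Password.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// RFC 2759 section 9.2 test vectors (user "User", password "clientPass"); the
// NT hash is MD4(UTF-16LE("clientPass")), what NT-Password or the DC stores.
const (
	Rfc2759UserName      = "User"
	Rfc2759AuthChallenge = "5B5D7C7D7B3F2F3E3C2C602132262628"
	Rfc2759PeerChallenge = "21402324255E262A28295F2B3A337C7E"
	Rfc2759NTHash        = "44EBBA8D5312B8D611474411F56989AE"
	Rfc2759NTResponse    = "82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF"
)

func MustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}
// ChallengeHash (RFC 2759 8.2): the 8 bytes that get DES-encrypted are the
// first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
func ChallengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(userName))
	return h.Sum(nil)[:8]
}
// desKey spreads a 7-byte (56-bit) key over 8 bytes, 7 key bits per byte with
// the low parity bit left clear, which is the key form crypto/des takes.
func desKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	for i := 0; i < 8; i++ {
		var b byte
		if i > 0 {
			b = k7[i-1] << uint(8-i)
		}
		if i < 7 {
			b |= k7[i] >> uint(i)
		}
		k8[i] = b & 0xfe
	}
	return k8
}
// NTResponse (RFC 2759 8.5): the NT hash zero-padded to 21 bytes gives three
// 7-byte DES keys; each encrypts the challenge and the ciphertexts are joined.
func NTResponse(challenge, ntHash []byte) []byte {
	zHash := make([]byte, 21)
	copy(zHash, ntHash)
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		block, err := des.NewCipher(desKey(zHash[7*i : 7*i+7]))
		if err != nil {
			panic(err) // cannot happen: desKey always returns 8 bytes
		}
		block.Encrypt(resp[8*i:8*i+8], challenge)
	}
	return resp
}
// GenerateNTResponse (RFC 2759 8.1) is what the Windows XP supplicant sends
// inside the PEAP tunnel; the password itself never leaves the client.
func GenerateNTResponse(authChallenge, peerChallenge []byte, userName string, ntHash []byte) []byte {
	return NTResponse(ChallengeHash(peerChallenge, authChallenge, userName), ntHash)
}
// VerifyNTResponse is the server side (rlm_mschap with an NT-Password, or the
// DC behind ntlm_auth --request-nt-key): recompute from the stored NT hash and
// compare. An LDAP bind cannot do this; it needs the cleartext password.
func VerifyNTResponse(authChallenge, peerChallenge []byte, userName string, ntHash, received []byte) bool {
	expected := GenerateNTResponse(authChallenge, peerChallenge, userName, ntHash)
	return subtle.ConstantTimeCompare(expected, received) == 1
}

func main() {
	auth, peer, ntHash := MustHex(Rfc2759AuthChallenge), MustHex(Rfc2759PeerChallenge), MustHex(Rfc2759NTHash)
	resp := GenerateNTResponse(auth, peer, Rfc2759UserName, ntHash)
	fmt.Printf("NT-Response %X matches RFC 2759: %v\n", resp, fmt.Sprintf("%X", resp) == Rfc2759NTResponse)
	fmt.Println("server verifies it:", VerifyNTResponse(auth, peer, Rfc2759UserName, ntHash, MustHex(Rfc2759NTResponse)))
}
```

Note what the server must hold: with the NT hash replaced by anything else (an LDAP DN and bind password, a {CRYPT} userPassword) VerifyNTResponse has nothing to recompute and rejects, which is the "No NT/LM-Password" failure in the debug output above.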
Re: LDAP, PEAP, Active Directory issue
On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> AJ Grinnell <[EMAIL PROTECTED]> wrote:
> > Ok, I have peap working with the users file and with mysql, and I have
> > radius working with ldap also. But I can not get a user to
> > authenticate against ldap using peap.
>
> The server does not authenticate against LDAP for any EAP type. See
> my previous message to you on this topic.
>
> > I have seen that you cant use eap and ldap,
>
> You already asked this question, and I already answered it. If you
> don't remember, read the list archives.
>
> > but peap and ldap should work from what I have read.
>
> PEAP is a type of EAP.
>
> > the debug that I am seeing is very long, so I have included the part
> > where I am seeing an obvious error.
>
> The part where it says it doesn't have a password?
>
> > rlm_mschap: No User-Password configured. Cannot create LM-Password.
> > rlm_mschap: No User-Password configured. Cannot create NT-Password.
> > rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
> > rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>
> You haven't told the server what the users password is. How the
> heck do you expect it to authenticate anyone?
>
> Alan DeKok.

Im sorry, I have not seen any replies that you may have given me. The server has been told what the users password is when they log in over the wireless, Windows XP asks for a username and password, both of which are in active directory. I can authenticate against the users file and a mysql database in the same fashion, why would ldap not work? Again, Im sorry if this is a basic question.
Re: LDAP, PEAP, Active Directory issue
AJ Grinnell <[EMAIL PROTECTED]> wrote:
> Ok, I have peap working with the users file and with mysql, and I have
> radius working with ldap also. But I can not get a user to
> authenticate against ldap using peap.

The server does not authenticate against LDAP for any EAP type. See my previous message to you on this topic.

> I have seen that you cant use eap and ldap,

You already asked this question, and I already answered it. If you don't remember, read the list archives.

> but peap and ldap should work from what I have read.

PEAP is a type of EAP.

> the debug that I am seeing is very long, so I have included the part
> where I am seeing an obvious error.

The part where it says it doesn't have a password?

> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

You haven't told the server what the users password is. How the heck do you expect it to authenticate anyone?

Alan DeKok.