Re: Problems with PEAP
hi, the request gets sent to inner-tunnel (as per standard EAP configuration) but then inner-tunnel can't authenticate the user, i.e. there is no authentication method in which your user 'Jens' can be found. Check that the required method is in inner-tunnel.

Alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with PEAP
> Hello everyone,
> I know that it is something I have forgotten to configure but I can't for my life remember what it is. What I want to do is to authenticate a user from a Windows machine using PEAP. Things I've configured in raddb and in raddb/modules are:
> 1. Added a user called Jens with Cleartext-Password := kaffe

No, you haven't:

++[files] returns noop

There is no entry for that user in the users file. At least not the one the server is using. If you have multiple installations make sure that you are configuring files belonging to the instance you are running. Have a look at the debug output of the server startup - it will tell you where the users file is (when the files module is instantiated).

Ivan Kalik
RE: Re: Problems with PEAP
> Date: Mon, 7 Dec 2009 23:00:02 (UTC)
> From: t...@kalik.net
> Subject: Re: Problems with PEAP
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
>
>> Hello everyone,
>> I know that it is something I have forgotten to configure but I can't for my life remember what it is. What I want to do is to authenticate a user from a Windows machine using PEAP. Things I've configured in raddb and in raddb/modules are:
>> 1. Added a user called Jens with Cleartext-Password := kaffe
>
> No, you haven't:
>
> ++[files] returns noop
>
> There is no entry for that user in the users file. At least not the one the server is using. If you have multiple installations make sure that you are configuring files belonging to the instance you are running. Have a look at the debug output of the server startup - it will tell you where the users file is (when the files module is instantiated).
>
> Ivan Kalik

Hi Ivan Kalik,

Yes I do have an input for Jens with Cleartext-Password := kaffe in the users file. Also I do not have several installations of Freeradius on the same installation of Ubuntu Desktop 9.04. This one was newly installed yesterday so there is only one installation. Also I could log in using a different user which was a row above the user Jens. My users file has two users:

peter Cleartext-Password := kaffe
jens Cleartext-Password := kaffe

After I logged in with the user peter I could log in using jens.

Best regards,
Peter Carlstedt
Re: Problems with PEAP
pippo metallaro wrote:
> i use freeradius with eap-peap and MySQL... but freeradius doesn't send an access-accept at the end of authentication... the server sends an access-challenge, i don't know what's the problem...

Perhaps you could try reading eap.conf, or the FAQ, or other documentation that comes with the server.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Problems with PEAP
Alan DeKok wrote:
> pippo metallaro wrote:
>> i use freeradius with eap-peap and MySQL... but freeradius doesn't send an access-accept at the end of authentication... the server sends an access-challenge, i don't know what's the problem...
>
> Perhaps you could try reading eap.conf, or the FAQ, or other documentation that comes with the server.

What Alan points to is in the default eap.conf from the distro:

##
#
# ! WARNINGS for Windows compatibility !
#
##
#
# If you see the server send an Access-Challenge,
# and the client never sends another Access-Request,
# then
#
# STOP!
#
# The server certificate has to have special OID's
# in it, or else the Microsoft clients will silently
# fail. See the scripts/xpextensions file for
# details, and the following page:
#
# http://support.microsoft.com/kb/814394/en-us
#
# For additional Windows XP SP2 issues, see:
#
# http://support.microsoft.com/kb/885453/en-us
#
# Note that we do not necessarily agree with their
# explanation... but the fix does appear to work.
#
##

RTFM!

--
Martin Gadbois, Sr. SW Designer, Colubris Networks Inc.
"Please answer by yes or no. Uncooperative users waste precious CPU time." -- The Andromeda Strain, M. Crichton, 1969
Re: Problems with PEAP/MSCHAPv2 and LDAP Server
[EMAIL PROTECTED] wrote:
> If I understood it right, the RADIUS server should do a bind to the LDAP server with the DN and password provided.

What password? There's no password in MSCHAPv2, and LDAP doesn't do MSCHAPv2.

> The success answer from LDAP tells the RADIUS server that authentication finished successfully.

LDAP servers are not authentication servers. RADIUS servers are authentication servers. That's the root cause of your confusion.

> Is it basically possible with PEAP/MSCHAPv2 to authenticate at an LDAP directory?

No. See any number of posts on this list about this topic.

LDAP has to provide a clear-text, or NT, password to FreeRADIUS. FreeRADIUS will then do the work.

Alan DeKok.
Re: Problems with PEAP/MSCHAPv2 and LDAP Server
Thanks for the fast answer!

The person who is responsible for the LDAP server told me that our LDAP does not send a password out, for security reasons, but accepts bindings with a password (see the log with radtest below). That means if the LDAP server were somehow configured to send out the attribute UserPassword in cleartext, it would work with MSCHAP?

Is there definitely, when using MSCHAP, no chance to get it working by having the RADIUS server send a bind message to the LDAP directory, like I did successfully in the log with radtest?

rad_recv: Access-Request packet from host X:32768, id=71, length=58
User-Name = XX
User-Password = XXX
NAS-IP-Address = 255.255.255.255
NAS-Port =
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module preprocess returns ok for request 8
radius_xlat: '/var/log/radius/radacct/X/auth-detail-20050125'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct//auth-detail-20050125
modcall[authorize]: module auth_log returns ok for request 8
modcall[authorize]: module chap returns noop for request 8
modcall[authorize]: module mschap returns noop for request 8
rlm_realm: No '@' in User-Name = XX, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 8
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 8
users: Matched DEFAULT at 158
users: Matched DEFAULT at 160
modcall[authorize]: module files returns ok for request 8
rlm_ldap: - authorize
rlm_ldap: performing user authorization for XXX
radius_xlat: '(cn=XX)'
radius_xlat: 'cn=X,dc=XXX,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=X,dc=,dc=de, with filter (cn=XX)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user XX authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 8
modcall: group authorize returns ok for request 8
rad_check_password: Found Auth-Type LDAP
auth: type LDAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 8
rlm_ldap: - authenticate
rlm_ldap: login attempt by XX with password XX
rlm_ldap: user DN: cn=XX,cn=X, dc=,dc=de
rlm_ldap: (re)connect to .X.XX.de:389, authentication 1
rlm_ldap: bind as cn=XXX,cn=XXX, dc=XXX,dc=de/XPasswordX to XX.X..de:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user XX authenticated succesfully
modcall[authenticate]: module ldap returns ok for request 8
modcall: group Auth-Type returns ok for request 8
Sending Access-Accept of id 71 to :32768
Finished request 8

> [EMAIL PROTECTED] wrote:
>> If I understood it right, the RADIUS server should do a bind to the LDAP server with the DN and password provided.
>
> What password? There's no password in MSCHAPv2, and LDAP doesn't do MSCHAPv2.
>
>> The success answer from LDAP tells the RADIUS server that authentication finished successfully.
>
> LDAP servers are not authentication servers. RADIUS servers are authentication servers. That's the root cause of your confusion.
>
>> Is it basically possible with PEAP/MSCHAPv2 to authenticate at an LDAP directory?
>
> No. See any number of posts on this list about this topic.
>
> LDAP has to provide a clear-text, or NT, password to FreeRADIUS. FreeRADIUS will then do the work.
>
> Alan DeKok.
Re: Problems with PEAP/MSCHAPv2 and LDAP Server
[EMAIL PROTECTED] wrote:
> That means if the LDAP server were somehow configured to send out the attribute UserPassword in cleartext, it would work with MSCHAP?

Yes. If RADIUS gets the cleartext password from somewhere, it can check whether the MSCHAP stuff which the user sent is correct. If it doesn't get the cleartext password, no check is possible.

> Is there definitely, when using MSCHAP, no chance to get it working by having the RADIUS server send a bind message to the LDAP directory, like I did successfully in the log with radtest?

Binding to LDAP requires that the person/program sending the bind message knows the cleartext password. You can't obtain that from MSCHAP information, so there's no way this can work.

HTH,
Stefan
Re: Problems with PEAP/MSCHAPv2 and LDAP Server
You need to check the archives. But I'll answer anyway. Here's an explanation from one of Novell's forums. It's talking about Novell's eDirectory, but would apply to any other LDAP server.

quote
You are correct that the FreeRADIUS LDAP module cannot authenticate an MS-CHAP password against eDirectory. This is because the RADIUS server receives only a hash of the password from the client. To verify the password, the server must look up a clear-text version of the password, then compute a hash using the clear-text password with a nonce provided in the access-request packet. If the server-generated hash matches the hash provided by the client, then authentication is accepted.
unquote

The password is not sent, therefore it is not available to the RADIUS server to use for a bind against the LDAP server.

Mearl

>>> [EMAIL PROTECTED] 02/03 11:53 AM >>>
> Thanks for the fast answer!