Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> When I do not set Auth-Type TTLS/PAP works with users stored in the
> "users" files, PEAP/Ms-chap-v2 works with users from LDAP storage,
> but TTLS/PAP from LDAP doesn't work

  And the debug log would tell you why.  The FAQ also mentions something
about statements like "it doesn't work".

  Without looking at your configuration, I can tell that you've probably
stored the passwords as NT-Passwords, so MS-CHAP works, but PAP doesn't.
This isn't an issue for TTLS or PEAP, as it's completely independent of
them.

  The rlm_pap module could be updated to compare PAP passwords from the
packet with NT-Passwords retrieved from somewhere else.  This could
probably go into 1.0.0, as there are a few other issues with building on
certain platforms.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
> > Here's what I've to put in the "users" file to make it work :
> >
> > DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
> >         User-Name = `%{User-Name}`,
> >         Fall-Through = no
> >
> > But now PEAP/MSCHAPv2 doesn't work...
>
>   If you had read the debug log, you would see WHY it doesn't work.
>
>   Repeat it like a mantra: If you're not sure, DO NOT SET AUTH-TYPE.

When I do not set Auth-Type, TTLS/PAP works with users stored in the
"users" file, PEAP/Ms-chap-v2 works with users from LDAP storage,
but TTLS/PAP from LDAP doesn't work.

>   The server will figure it out on its own.
>
>   Alan DeKok.

-- 
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
Tél : 03 90 24 03 17   Fax : 03 90 24 03 12
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> Now I've a working TTLS/PAP with LDAP storage configuration ;-)
>
> Here's what I've to put in the "users" file to make it work :
>
> DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
>         User-Name = `%{User-Name}`,
>         Fall-Through = no
>
> But now PEAP/MSCHAPv2 doesn't work...

  If you had read the debug log, you would see WHY it doesn't work.

  Repeat it like a mantra: If you're not sure, DO NOT SET AUTH-TYPE.

  The server will figure it out on its own.

  Alan DeKok.
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Rok Papez <[EMAIL PROTECTED]> wrote:
> > And you set "Auth-Type = EAP".  DON'T DO THAT.
>
> I do that ;). I prefer to manually set EAP when a user tries to identify as
> "[EMAIL PROTECTED]". Users are *NOT* allowed to use any other authentication
> method :).

  That's about the only time you should set it.

  Alan DeKok.
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Try something like this for your check line: DEFAULT Freeradius-Proxied-To == 127.0.0.1, EAP-Message !* "", Auth-Type := PAP --Mike Now it works ! Thanks a lot ! -- --- Christophe Saillard Centre Réseau Communication Université Louis Pasteur --- Tél : 03 90 24 03 17 Fax : 03 90 24 03 12 --- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Try something like this for your check line: DEFAULT Freeradius-Proxied-To == 127.0.0.1, EAP-Message !* "", Auth-Type := PAP --Mike On Mon, 2004-06-21 at 06:59, Christophe Saillard wrote: > Hi, > > Now I've a working TTLS/PAP with LDAP storage configuration ;-) > > Here's what I've to put in the "users" file to make it work : > > DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1 > User-Name = `%{User-Name}`, > Fall-Through = no > > But now PEAP/MSCHAPv2 doesn't work...I've try a lot of combination > (Auth-Type := MSCHAP Fall-Through = yes ...) > but none seem to work...if someone has a clue ;-) > > Thanks for all ! > > Bye. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Hi,

Now I've a working TTLS/PAP with LDAP storage configuration ;-)

Here's what I've to put in the "users" file to make it work :

DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
        User-Name = `%{User-Name}`,
        Fall-Through = no

But now PEAP/MSCHAPv2 doesn't work...I've tried a lot of combinations
(Auth-Type := MSCHAP, Fall-Through = yes ...)
but none seem to work...if someone has a clue ;-)

Thanks for all !

Bye.

-- 
Christophe Saillard
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Hello Christophe.

Christophe Saillard writes:
> > And you set "Auth-Type = EAP".  DON'T DO THAT.

I do that ;). I prefer to manually set EAP when a user tries to identify as
"[EMAIL PROTECTED]". Users are *NOT* allowed to use any other authentication
method :).

> For the moment I've a running freeradius EAP-TTLS/PAP configuration which
> works fine. Now I'd like to get credentials from an existing LDAP user
> storage instead of the Freeradius "users" file (I store MD5 hashed
> passwords to have PAP compatibility).

1. It would be nice to see relevant parts of the config file
2. The `radiusd -Xxxx 2>&1 | tee logfile` output

> But there are some particular things I need to know :
> - how do I have to store the password in the LDAP database (because I'd
>   like to use TTLS/PAP) : crypt/MD5 hashed, clear text ?

That's an LDAP thingy.. Here is an example of an ldap diff entry for
userPassword:

  userPassword: {crypt}$1$dK1Zl.Qp$khF3af1c7Te0cSf2w/tZO0

All you need is a type prefix in {...} and then a password hash. This is a
perl code snippet that creates these hashes:

  # 8-character salt drawn from the crypt alphabet, "$1$" selects MD5-crypt
  my $pass = '{crypt}' . crypt($plaintext_password,
      '$1$' . join("", ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64, rand 64, rand 64,
                                                            rand 64, rand 64, rand 64, rand 64]) . '$');

The hash is the same kind as used in an /etc/shadow file. Check the crypt()
man page for details.

And this is in my radiusd.conf file:

  modules {
      pap {
          encryption_scheme = clear
      }   # this is for the "files", passwords are plaintext there :)

      ldap {
          server = "localhost"
          basedn = "ou=users,dc=org,dc=tld"
          filter = "(attribWithUserName=%{User-Name})"
          start_tls = no
      }
      ...
  }

  authenticate {
      Auth-Type EAP {
          eap
      }
      Auth-Type PAP {
          pap
      }
      Auth-Type LDAP {
          ldap
      }
  }

> - what do I have to put in the "users" file ? (I know that auth-type :=
>   EAP is wrong) ?

In contrary to Alan's advice O;-), I have this:

  # User anonymous and [EMAIL PROTECTED] should be allowed
  #
  # activate eap for them
  #
  DEFAULT User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[EMAIL PROTECTED]", Auth-Type := EAP

  # Users with a NULL realm should be rejected
  #
  DEFAULT Realm == NULL, Auth-Type := Reject
          Fall-Through = No

  # 1. Accounting fix for AP
  #
  # 2. a static username files_test for testing
  #
  # 3. LDAP authentication for local users
  #
  DEFAULT Realm == org.tld, Freeradius-Proxied-To == 127.0.0.1
          User-Name = `%{User-Name}`,
          Fall-Through = yes

  files_test Realm == org.tld, User-Password == ""

  DEFAULT Realm == org.tld, Auth-Type := LDAP, Ldap-UserDN := `attribWithUserName=%{User-Name},ou=users,dc=org,dc=tld`, Freeradius-Proxied-To == 127.0.0.1

Do notice that I use the user's username/password to bind to LDAP. This is
done with the "Ldap-UserDN" item.

> - if it's not possible to have TTLS/PAP authentication what else can I do
>   (PEAP/Mschapv2 ...) ?

TTLS/PAP is working :). For MsCHAP you won't be able to use SecureW2 and
you'll need to have plaintext passwords in LDAP.

> I hope my questions are not too stupid.

Radius configuration is not simple. The documentation is still lacking and
you simply have to "learn as you go" ;). So don't feel like you are asking
stupid questions.

-- 
Best regards,
Rok Papez.
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> Now I'd like to get credentials from an existing LDAP user storage instead
> of the Freeradius "users" file

  That shouldn't be a problem.

> (I store MD5 hashed passwords to have PAP compatibility).

  That will make CHAP & MS-CHAP not work.

> The Ldap bind is ok and I got the correct uid and password when I launch
> a 802.1X request from a laptop client.

  I'm not sure what you mean by that.

> But there are some particular things I need to know :
> - how do I have to store the password in the LDAP database (because I'd
>   like to use TTLS/PAP) : crypt/MD5 hashed, clear text ?

  MD5 is fine if you're only doing PAP authentication.

> - what do I have to put in the "users" file ? (I know that auth-type :=
>   EAP is wrong) ?

  Don't put anything in the "users" file.

> - if it's not possible to have TTLS/PAP authentication what else can I do
>   (PEAP/Mschapv2 ...) ?

  TTLS/PAP is possible.

  Alan DeKok.
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> Fri Jun 18 14:11:31 2004 : Debug: rad_check_password: Found Auth-Type EAP
...
> Fri Jun 18 14:11:31 2004 : Debug: rlm_eap: Request not found in the list
> Fri Jun 18 14:11:31 2004 : Error: rlm_eap: Either EAP-request timed out
> OR EAP-response to an unknown EAP-request
...
> I use TTLS/PAP for authentication,

  And you set "Auth-Type = EAP".  DON'T DO THAT.

  The "eap.conf" file has BIG HUGE COMMENTS saying DON'T DO THAT.  It
really means DON'T DO THAT.

  You're doing the exact opposite of what the documentation says, and as
a result, it's not working.  You might try following the recommendations
of the server, which WILL allow it to work.

  Alan DeKok.
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> For the moment I use Freeradius with EAP-TTLS and it works fine...now
> I'd like to get users credentials from an existing LDAP database.
>
> The LDAP server sends me a valid MD5 hashed password but I think
> something failed in my users file configuration.

  Did you try running it in debugging mode, as suggested in the FAQ,
README, INSTALL, and daily on this list?

> Does someone have such a working configuration ? If so, can you send a
> copy ?

  Since no one knows what you're really trying to do, I doubt anyone will
send you a configuration.

  Follow the documented instructions for running the server and asking
questions on this list.

  Alan DeKok.
Re: Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Thanks for your help. I think I'm not far from the end but I still have
problems. Here are the debug logs :

[...]
Fri Jun 18 14:11:17 2004 : Debug: rlm_ldap: performing search in dc=u-strasbg,dc=fr, with filter (uid=csaillard)
request 6 done
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: Added password $1$QEnpt.4f$nixixczJ/xu0CnyuvaTLV/ in check items
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for check items in directory...
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for reply items in directory...
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: user csaillard authorized to use remote access
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jun 18 14:11:31 2004 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall[authorize]: module "ldap" returns ok for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall: group authorize returns updated for request 4
Fri Jun 18 14:11:31 2004 : Debug: rad_check_password: Found Auth-Type EAP
Fri Jun 18 14:11:31 2004 : Debug: auth: type "EAP"
Fri Jun 18 14:11:31 2004 : Debug: Processing the authenticate section of radiusd.conf
Fri Jun 18 14:11:31 2004 : Debug: modcall: entering group Auth-Type for request 4
Fri Jun 18 14:11:31 2004 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 4
Fri Jun 18 14:11:31 2004 : Debug: rlm_eap: Request not found in the list
Fri Jun 18 14:11:31 2004 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Fri Jun 18 14:11:31 2004 : Debug: rlm_eap: Failed in handler
Fri Jun 18 14:11:31 2004 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall[authenticate]: module "eap" returns invalid for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall: group Auth-Type returns invalid for request 4
Fri Jun 18 14:11:31 2004 : Debug: auth: Failed to validate the user.
[...]

I use TTLS/PAP for authentication, so you can see that the LDAP server
sends an MD5 hashed password...but I'm not sure that's what I need.

Could you tell me what kind of EAP method you use, with what type of
password hash ?

Thanks for help !

Bye.

-- 
Christophe Saillard
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Hi Christophe.

Christophe Saillard writes:
> For the moment I use Freeradius with EAP-TTLS and it works fine...now
> I'd like to get users credentials from an existing LDAP database.
>
> The LDAP server sends me a valid MD5 hashed password but I think
> something failed in my users file configuration.

You should run the server in debug mode and check the output. I use this
command:

  radiusd -Xxxx 2>&1 | tee logfile

> Does someone have such a working configuration ? If so, can you send a
> copy ?

  modules {
      ldap {
          server = "localhost"
          basedn = "ou=employees,dc=org,dc=tld"
          filter = "(PrincipalName=%{User-Name})"
          start_tls = no
      }
      [...]
  }

  authorize {
      preprocess
      auth_log
      attr_rewrite
      suffix
      group {
          # the files also activates EAP for user anonymous
          files {
              notfound = 1
              ok = return
          }
          ldap
      }
  }

  authenticate {
      Auth-Type EAP {
          eap
      }
      Auth-Type PAP {
          pap
      }
      Auth-Type LDAP {
          ldap
      }
  }

In the users file I have:

  # User anonymous and [EMAIL PROTECTED] should be allowed
  #
  # activate eap for them
  #
  anonymous Auth-Type := EAP

  # Accounting fix for AP
  #
  # LDAP authentication for local users
  #
  DEFAULT Realm == org.tld, Freeradius-Proxied-To == 127.0.0.1
          User-Name = `%{User-Name}`,
          Fall-Through = yes

  DEFAULT Realm == org.tld, Auth-Type := LDAP, Ldap-UserDN := `PrincipalName=%{User-Name},ou=employees,dc=org,dc=tld`, Freeradius-Proxied-To == 127.0.0.1

-- 
Best regards,
Rok Papez.