Re: openlap wireless (WPA-radius with PEAP auth on client) problem
That did it, thanks everyone,

Dan

On Thu, 2004-11-04 at 12:49, Alan DeKok wrote:
> > I uncommented and did appropriate changes (below) to the ldap section of
> > the modules area. What else needs done? I am deleting the commented
> > lines.
>
> Un-comment other references to ldap in radiusd.conf.
>
> At least in the "authorize" section.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
> I uncommented and did appropriate changes (below) to the ldap section of
> the modules area. What else needs done? I am deleting the commented
> lines.

Un-comment other references to ldap in radiusd.conf.

At least in the "authorize" section.

Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
I uncommented and did appropriate changes (below) to the ldap section of
the modules area. What else needs done? I am deleting the commented
lines.

Dan

ldap {
        server = "lap server's real name"
        basedn = "ou=People,dc=igb,dc=uiuc,dc=edu"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Daniel Davidson <[EMAIL PROTECTED]> wrote:
> Thanks for the info, now we are getting somewhere. I just have unchecked
> the "validate server certificate" area for now. Now I am getting a
> rejection. Any ideas?

You said you were storing the passwords in LDAP, but the debug log
doesn't show the LDAP module being used:

> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 6
> modcall[authorize]: module "preprocess" returns ok for request 6
> modcall[authorize]: module "chap" returns noop for request 6
> modcall[authorize]: module "mschap" returns noop for request 6
> rlm_realm: No '@' in User-Name = "dbdavids", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 6
> rlm_eap: EAP packet type response id 6 length 90
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 6
> users: Matched DEFAULT at 152
> modcall[authorize]: module "files" returns ok for request 6
> modcall: group authorize returns updated for request 6

There's no mention of LDAP, so the server doesn't have the NT password.

> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for dbdavids with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

Yup.

Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Thanks for the info, now we are getting somewhere. I just have unchecked
the "validate server certificate" area for now. Now I am getting a
rejection. Any ideas?

thanks again for the help,

Dan

rad_recv: Access-Request packet from host 128.174.124.2:1024, id=0, length=224
        User-Name = "dbdavids"
        NAS-IP-Address = 128.174.124.2
        Called-Station-Id = "000f66e4c41c"
        Calling-Station-Id = "009096b43336"
        NAS-Identifier = "000f66e4c41c"
        NAS-Port = 49
        Framed-MTU = 1400
        State = 0x05d6753b0d1d6b5e153b275d9693ef57
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0206005a1900170301004f8c8a20407e2068158e8d78c30ec38160e43b0f78ff2b701605b5c79b9de8900c48fb91b49db5bf9dcddd5ccabb4790c6ae46fc07f331bd23bbc88023d68b2e78a4ab7763627926a560ed58927beae5
        Message-Authenticator = 0xa25e2734559e8d05f9cb602baa181907
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "dbdavids", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 6 length 90
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x020600431a0206003e3164e5402640d5988f1d47d58297a06a95c2571a9c92f4970284a462469ceac06779f68025392ddf8f006462646176696473
  PEAP: Setting User-Name to dbdavids
  PEAP: Adding old state with c7 00
  PEAP: Sending tunneled request
        EAP-Message = 0x020600431a0206003e3164e5402640d5988f1d47d58297a06a95c2571a9c92f4970284a462469ceac06779f68025392ddf8f006462646176696473
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "dbdavids"
        State = 0xc7001f0cb231ff08af3c8015aa53f2fd
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "dbdavids", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 6 length 67
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
  rlm_mschap: No User-Password configured. Cannot create LM-Password.
  rlm_mschap: No User-Password configured. Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for dbdavids with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
modcall: group Auth-Type returns reject for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
  PEAP: Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\006E=691 R=1"
        EAP-Message = 0x04060004
        Message-Authenticator = 0x
  PEAP: Processing from tunneled session code 0x552ade3c50 3
        MS-CHAP-Error = "\006E=691 R=1"
        EAP-Message = 0x04060004
        Mes
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Are you sure that you have the CA certificate you're using with FreeRADIUS
installed on the XP system you're using as a supplicant? This could be a
symptom of XP not recognizing the signer of the certificate presented in
the 802.1x conversation and refusing to continue authentication.

FYI, here, we're using the ntPassword attribute in LDAP *without* the 0x in
front, and it's working fine. The code will use it either way.

--Mike

On Thu, 2004-11-04 at 10:58, Daniel Davidson wrote:
> It never gives one with this configuration, it just keeps repeating the
> same request over and over again, never accepting or rejecting after the
> Access-Challenge is sent back to the access point.
>
> Dan
>
>
> On Thu, 2004-11-04 at 10:48, Alan DeKok wrote:
> > Daniel Davidson <[EMAIL PROTECTED]> wrote:
> > > while looking at the radiusd.conf file, I noticed that the ldap area
> > > said something about that to use the sambaNTPassword field that it has
> > > to start with a 0x. Does this mean that in LDAP that this value must be
> > > stored as:
> > >
> > > sambaNTPassword: 0x01FC5A6BE7BC6929AAD3B435B51404EE
> >
> > I don't think that's necessary. The MS-CHAP module is the only one
> > which interprets that string, and it is forgiving of the format.
> >
> > The larger issue is that the debug log you posted doesn't finish.
> > i.e. It doesn't contain a reject OR a success. Get a debug log with
> > an accept or reject, and it will then be possible to tell what's going
> > on.
> >
> > Alan DeKok.
--
--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
It never gives one with this configuration, it just keeps repeating the
same request over and over again, never accepting or rejecting after the
Access-Challenge is sent back to the access point.

Dan

On Thu, 2004-11-04 at 10:48, Alan DeKok wrote:
> Daniel Davidson <[EMAIL PROTECTED]> wrote:
> > while looking at the radiusd.conf file, I noticed that the ldap area
> > said something about that to use the sambaNTPassword field that it has
> > to start with a 0x. Does this mean that in LDAP that this value must be
> > stored as:
> >
> > sambaNTPassword: 0x01FC5A6BE7BC6929AAD3B435B51404EE
>
> I don't think that's necessary. The MS-CHAP module is the only one
> which interprets that string, and it is forgiving of the format.
>
> The larger issue is that the debug log you posted doesn't finish.
> i.e. It doesn't contain a reject OR a success. Get a debug log with
> an accept or reject, and it will then be possible to tell what's going
> on.
>
> Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Daniel Davidson <[EMAIL PROTECTED]> wrote:
> while looking at the radiusd.conf file, I noticed that the ldap area
> said something about that to use the sambaNTPassword field that it has
> to start with a 0x. Does this mean that in LDAP that this value must be
> stored as:
>
> sambaNTPassword: 0x01FC5A6BE7BC6929AAD3B435B51404EE

I don't think that's necessary. The MS-CHAP module is the only one
which interprets that string, and it is forgiving of the format.

The larger issue is that the debug log you posted doesn't finish.
i.e. It doesn't contain a reject OR a success. Get a debug log with
an accept or reject, and it will then be possible to tell what's going
on.

Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
I finally have freeradius to where it looks like Peap is at least trying
to auth properly. However it looks like for some reason it is not getting
the job done, it just keeps trying to authenticate and never gets the job
done. My LDAP database has userPassword to the MD5 salt encrypted version
usually found in the files of my fedora machine, sambaLMPassword and
sambaNTPassword contain the 32 digit long hexadecimal string needed to
auth samba to ldap, an example from a removed account is below:

sambaNTPassword: 01FC5A6BE7BC6929AAD3B435B51404EE

while looking at the radiusd.conf file, I noticed that the ldap area
said something about that to use the sambaNTPassword field that it has
to start with a 0x. Does this mean that in LDAP that this value must be
stored as:

sambaNTPassword: 0x01FC5A6BE7BC6929AAD3B435B51404EE

If this is so, how does everyone with this setup still get samba to work
properly with the ldap database and freeradius? When I change so that the
account is like this it breaks the ability to log on with samba.

Otherwise, anyone have any ideas on what I am doing wrong?

thanks,

Dan

radiusd.conf changes:
NOTE: no auth needed to get password hashes from ldap (this will change
after I get this working)

ldap {
        server = "the.server"
        basedn = "ou=People,dc=igb,dc=uiuc,dc=edu"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

eap.conf changes: see attached file

radiusd -xxyz -l stdout
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib64"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib64
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded Pam
 pam: pam_auth = "radiusd"
Module: Instantiated pam (pam)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
 tls: cert
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Daniel Davidson <[EMAIL PROTECTED]> wrote:
> What should default Auth-type be set to then? Right now I am getting a:
>
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
>
> error message from the daemon.

Then you've edited the default "radiusd.conf" so that the server can no
longer figure it out.

The default "radiusd.conf" is designed specifically so that the server
can figure out most situations, and so that you have to change as little
as possible to get it to work.

You said the clients were doing EAP, and that you were using an LDAP
database to store user information. Use the default "radiusd.conf", and
make as few changes as possible to it. Uncomment "ldap" from a few
places, and configure the "ldap" module. If you have clear-text passwords
in LDAP, it WILL work.

The only way you get the above error message when the client is using
EAP is if you deleted "eap" from the "authorize" section.

Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
What should default Auth-type be set to then? Right now I am getting a:

auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user

error message from the daemon.

thanks again,

Dan

On Tue, 2004-11-02 at 17:10, Alan DeKok wrote:
> Daniel Davidson <[EMAIL PROTECTED]> wrote:
> > Probably a stupid question, but I assume you mean that in the users file
> > I do not set it to:
> >
> > DEFAULT Auth-type := LDAP
> >
> > and in the authenticate {} area of radiusd.conf the ldap areas should be
> > commented out.
>
> Yes.
>
> > Is this correct and what should the proper settings be to get this done?
>
> Do what you said.
>
> Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Daniel Davidson <[EMAIL PROTECTED]> wrote:
> Probably a stupid question, but I assume you mean that in the users file
> I do not set it to:
>
> DEFAULT Auth-type := LDAP
>
> and in the authenticate {} area of radiusd.conf the ldap areas should be
> commented out.

Yes.

> Is this correct and what should the proper settings be to get this done?

Do what you said.

Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Probably a stupid question, but I assume you mean that in the users file
I do not set it to:

DEFAULT Auth-type := LDAP

and in the authenticate {} area of radiusd.conf the ldap areas should be
commented out. Is this correct and what should the proper settings be to
get this done?

thanks,

Dan

On Tue, 2004-11-02 at 11:43, Alan DeKok wrote:
> Daniel Davidson <[EMAIL PROTECTED]> wrote:
> > So is there a way to have users authorize themselves with an LDAP
> > server, and what is the process for doing that? Use PAM and set the
> > system up to have PAM auth against LDAP?
>
> No. You already have authorization being done via LDAP.
>
> What I said was "Don't set Auth-Type LDAP, and it will work".
>
> Try that. Now.
>
> Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Daniel Davidson <[EMAIL PROTECTED]> wrote:
> So is there a way to have users authorize themselves with an LDAP
> server, and what is the process for doing that? Use PAM and set the
> system up to have PAM auth against LDAP?

No. You already have authorization being done via LDAP.

What I said was "Don't set Auth-Type LDAP, and it will work".

Try that. Now.

Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
So is there a way to have users authorize themselves with an LDAP
server, and what is the process for doing that? Use PAM and set the
system up to have PAM auth against LDAP?

Dan

On Tue, 2004-11-02 at 09:40, Alan DeKok wrote:
> Daniel Davidson <[EMAIL PROTECTED]> wrote:
> > I am sure this has been answered many times, but I cannot find it. I
> > keep getting "Login incorrect: [danield/]"
> > errors and I cannot figure out where the problem is I realize there is
> > some stuff I can take out, but I Here is the log.
> ...
> > rad_check_password: Found Auth-Type LDAP
>
> Why?
>
> > rlm_ldap: Attribute "User-Password" is required for authentication.
> > modcall[authenticate]: module "ldap" returns invalid for request 4
>
> Exactly. LDAP doesn't do EAP. Search the list archives for long
> threads explaining why.
>
> Don't set "Auth-Type = LDAP", and it will work.
>
> Alan DeKok.
Re: openlap wireless (WPA-radius with PEAP auth on client) problem
Daniel Davidson <[EMAIL PROTECTED]> wrote:
> I am sure this has been answered many times, but I cannot find it. I
> keep getting "Login incorrect: [danield/]"
> errors and I cannot figure out where the problem is I realize there is
> some stuff I can take out, but I Here is the log.
...
> rad_check_password: Found Auth-Type LDAP

Why?

> rlm_ldap: Attribute "User-Password" is required for authentication.
> modcall[authenticate]: module "ldap" returns invalid for request 4

Exactly. LDAP doesn't do EAP. Search the list archives for long
threads explaining why.

Don't set "Auth-Type = LDAP", and it will work.

Alan DeKok.
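Two of Alan's diagnoses in this thread come straight from reading which modules ran in which section: here, Auth-Type forced to LDAP makes rlm_ldap demand a clear-text User-Password that an EAP request never carries, and in his later reply, ldap missing from authorize leaves rlm_mschap with no NT-Password to verify MS-CHAPv2 against. The following is an added example, not part of the thread or of FreeRADIUS, that scans radiusd -X output for those two signatures; the log samples are constructed from the excerpts quoted in the thread.

```python
import re

# Constructed samples, trimmed from the two radiusd -X excerpts quoted in this
# thread, one per misconfiguration. Not real captures.
LOG_AUTH_TYPE_LDAP = r'''modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "eap" returns updated for request 4
rad_check_password: Found Auth-Type LDAP
rlm_ldap: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "ldap" returns invalid for request 4
'''

LOG_NO_NT_PASSWORD = r'''modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
modcall[authorize]: module "eap" returns updated for request 6
modcall[authorize]: module "files" returns ok for request 6
rad_check_password: Found Auth-Type EAP
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for dbdavids with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
modcall[authenticate]: module "mschap" returns reject for request 6
MS-CHAP-Error = "\006E=691 R=1"
modcall: group authenticate returns reject for request 6
'''

MODCALL_RE = re.compile(r'modcall\[(\w+)\]: module "(\w+)" returns (\w+)')
AUTH_TYPE_RE = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')
MSCHAP_ERR_RE = re.compile(r'MS-CHAP-Error = ".*?E=(\d+)')
GROUP_RE = re.compile(r'modcall: group (\w+) returns (\w+)')


def triage(log: str) -> dict:
    """Summarise which modules ran per section and name the likely misconfiguration."""
    sections = {'authorize': [], 'authenticate': []}
    auth_type = mschap_error = outcome = None
    no_nt_password = False
    for line in log.splitlines():
        if m := MODCALL_RE.search(line):
            section, module, _rcode = m.groups()
            sections.setdefault(section, []).append(module)
        if m := AUTH_TYPE_RE.search(line):
            auth_type = m.group(1)
        if 'rlm_mschap: FAILED: No NT/LM-Password' in line:
            no_nt_password = True
        if m := MSCHAP_ERR_RE.search(line):
            mschap_error = int(m.group(1))  # 691 = bad credentials as seen by the client
        if (m := GROUP_RE.search(line)) and m.group(1) == 'authenticate':
            outcome = m.group(2)
    findings = []
    if auth_type == 'LDAP' and 'ldap' in sections['authenticate']:
        findings.append('Auth-Type LDAP makes rlm_ldap bind with a clear-text '
                        'User-Password, which an EAP request never carries; drop the '
                        'Auth-Type := LDAP override and let the eap module set Auth-Type.')
    if no_nt_password and 'ldap' not in sections['authorize']:
        findings.append('rlm_mschap had no NT-Password because ldap never ran in '
                        'authorize; list ldap in the authorize section so the hash '
                        'is fetched before mschap authenticates.')
    return {'auth_type': auth_type, 'authorize_modules': sections['authorize'],
            'authenticate_modules': sections['authenticate'],
            'no_nt_password': no_nt_password, 'mschap_error': mschap_error,
            'outcome': outcome, 'findings': findings}


if __name__ == '__main__':
    for name, log in (('Auth-Type LDAP', LOG_AUTH_TYPE_LDAP), ('no NT-Password', LOG_NO_NT_PASSWORD)):
        print(name, '->', triage(log)['findings'])
```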