openldap+freeradius+Cisco
Hi,

I'm trying to authenticate and authorize Cisco router administrators. But the authorization (privilege level) does not work, that is, not when I add "aaa authorization exec default group radiusvrf if-authenticated" to the Cisco router to be able to manage privileges with RADIUS.

To make it work, I think I need to configure Service-Type and cisco-avpair attributes for each user to get the authorization from the Cisco router. I want to configure these attributes in FreeRADIUS, not in OpenLDAP. So, is it possible to add these attributes to a specific user in the raddb/users file after he has been authenticated by LDAP? Or must I do it differently?

In raddb/radiusd.conf:

    authorize {
        preprocess
        files
        ldap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type LDAP {
            ldap
        }
    }

I tried with a user and a DEFAULT user in raddb/users:

    Robert
        Service-Type = NAS-Prompt-User
        cisco-avpair = "shell:priv-lvl=1"

    DEFAULT
        Service-Type = NAS-Prompt-User
        cisco-avpair = "shell:priv-lvl=1"

But these attributes do not seem to be sent to the router. When ldap is in authorize in radiusd.conf, is the users file not checked anymore?

Thanks for your help,
Thomas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: openldap+freeradius+Cisco
OK, it works fine now with this in the users file:

    Robert  Auth-Type = LDAP
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=1"

But it is said in radiusd.conf not to use Auth-Type = LDAP. So is there another solution to add these attributes in the reply?

Thomas

Message of 27/10/06 at 10:27
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Subject: openldap+freeradius+Cisco
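Added example, not from the thread or from FreeRADIUS itself: a small Python parser for the users file that applies the format rule the working entry above follows (check items on the name line, reply items on indented lines that stay chained only while each ends with a comma). The sample entries are constructed; the parser is illustrative and is not rlm_files.

```python
import re

# One "attribute op value" item; quoted values may contain spaces.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|>=|<=|=~|!~|=|>|<)\s*("[^"]*"|[^,\s]+)')

def _items(text):
    """'A = 1, B = "x y"' -> [('A', '=', '1'), ('B', '=', 'x y')]"""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]

def parse_users(text):
    """Parse users-file text into [{'name', 'check', 'reply'}, ...]. An entry is a
    'name [check items]' line plus indented reply lines kept open by trailing commas."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()       # drop comments and trailing space
        if not line.strip():
            continue
        if line[0] in ' \t':                       # reply item line
            if current is None:                    # entry already closed (this parser's rule)
                raise ValueError('reply item outside an entry: %r' % line.strip())
            current['reply'].extend(_items(line))
            if not line.endswith(','):             # no comma: this was the last reply item
                current = None
        else:                                      # name plus optional check items
            parts = line.split(None, 1)
            check = _items(parts[1]) if len(parts) > 1 else []
            current = {'name': parts[0], 'check': check, 'reply': []}
            entries.append(current)
    return entries

# Constructed sample: reply lines chained with commas, no Auth-Type forced in users.
USERS_OK = """\
Robert
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=1"
DEFAULT
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=1"
"""

# Same entry without the comma: it closes after Service-Type and cisco-avpair dangles.
USERS_MISSING_COMMA = """\
Robert
        Service-Type = NAS-Prompt-User
        cisco-avpair = "shell:priv-lvl=1"
"""
```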
SOLVED: OpenLDAP / FreeRADIUS / Cisco 5350 problem
On Wed, 2005-05-11 at 17:28 -0500, Douglas G. Phillips wrote:
> The problem is this: If I pass the radtest client a clear-text password, authentication is successful. If either I pass the client an encrypted password (copied from the logs) or point the 5350 at the radius server, it doesn't work. I verified that the shared secret is correctly matched with what is in the router.

The problem was indeed that the shared secret was incorrect. The secret was stored in the configuration on the router as a HEX value. I had copied that directly into my configuration. When I realized that it was a HEX value, I got the clear-text version in the RADIUS config, and everything worked.

Thanks everyone.

-- 
Douglas G. Phillips
Distributed Computing
Information Technology Services
Eastern Illinois University
(217) 581-7631
OpenLDAP / FreeRADIUS / Cisco 5350 problem
I'm running into an issue here, and I can't seem to find the forest for the trees. I'm probably overlooking something obvious, and am not searching correctly for the problem.

Our LDAP server is using crypted passwords at the moment. The router is a Cisco 5350. RADIUS is FreeRADIUS 1.0.1-2 on Debian Sarge.

The problem is this: If I pass the radtest client a clear-text password, authentication is successful. If either I pass the client an encrypted password (copied from the logs) or point the 5350 at the radius server, it doesn't work. I verified that the shared secret is correctly matched with what is in the router.

Here is a sample of the password that is being passed:

    User-Password = \240d\351E\3737\025\022\0227,(rest removed)

Here is the configuration (comments omitted to save space). I have tried with the password_header both set to {CRYPT} and commented out.

    ldap {
        server = ***
        identity =
        password =
        basedn = ou=people,dc=eiu,dc=edu
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_header = {CRYPT}
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    authorize {
        preprocess
        auth_log
        suffix
        ldap
    }
    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }

Any ideas? Thanks.

-- 
Douglas G. Phillips
Distributed Computing
Information Technology Services
Eastern Illinois University
(217) 581-7631
Re: OpenLDAP / FreeRADIUS / Cisco 5350 problem
Douglas G. Phillips wrote:
> Here is a sample of the password that is being passed:
> User-Password = \240d\351E\3737\025\022\0227,(rest removed)

This may imply that your shared secret is incorrect. Please verify that the RADIUS shared secret on the Cisco 5350 and the shared secret for that particular IP in clients.conf match.

Vladimir
Re: OpenLDAP / FreeRADIUS / Cisco 5350 problem
Douglas G. Phillips [EMAIL PROTECTED] wrote:
> Our LDAP server is using crypted passwords at the moment.

RADIUS clients can use PAP. Nothing else.

> The problem is this: If I pass the radtest client a clear-text password, authentication is successful. If either I pass the client an encrypted password (copied from the logs)

That won't work. The server will interpret the User-Password attribute as the clear-text password, because that's the definition of User-Password. There are no provisions in RADIUS for passing crypt'd passwords in a RADIUS packet.

> ... or point the 5350 at the radius server, it doesn't work.

I don't see why.

> Here is the configuration (comments omitted to save space). I have tried with the password_header both set to {CRYPT} and commented out.

That tells the LDAP module how to interpret the password it gets from the LDAP server. It doesn't tell FreeRADIUS to treat User-Password as a crypt'd password. The documentation for the LDAP module makes the first point clear.

Alan DeKok.
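Added example, not from the thread: the RFC 2865 section 5.2 User-Password hiding that both replies above rely on, in Python, showing why a wrong shared secret turns the password into the octal-escaped junk seen in the log, and why pasting that logged value back in as the password cannot work (it is just hidden again as a new clear-text password). The secret, Request Authenticator and password are constructed values.

```python
import hashlib

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad with NULs to 16-byte blocks, then
    c_i = p_i XOR MD5(secret + c_(i-1)) with c_0 = the Request Authenticator."""
    if len(password) > 128:
        raise ValueError('User-Password is limited to 128 octets')
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b'\0')
    out, prev = b'', authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password.  Fed the wrong secret, the MD5 key stream differs,
    so the 'password' the server sees is junk like the log quoted above."""
    out, prev = b'', authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b'\0')        # strips the padding (and any trailing NULs)

def radius_escape(data):
    """Render bytes the way the debug log in the thread shows User-Password:
    printable ASCII as-is, everything else as a three-digit octal escape."""
    return ''.join(chr(b) if 32 <= b < 127 and b != 92 else '\\%03o' % b
                   for b in data)

# Constructed values; a fixed Request Authenticator keeps the run repeatable.
AUTHENTICATOR = bytes(range(16))
SECRET, WRONG_SECRET = b'testing123', b'not-the-same-secret'
PASSWORD = b's3cret!'

if __name__ == '__main__':
    wire = hide_password(PASSWORD, SECRET, AUTHENTICATOR)
    print('on the wire  :', radius_escape(wire))
    print('right secret :', reveal_password(wire, SECRET, AUTHENTICATOR))
    print('wrong secret :', radius_escape(reveal_password(wire, WRONG_SECRET, AUTHENTICATOR)))
```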
Re: OpenLDAP / FreeRADIUS / Cisco 5350 problem
Hello Douglas,

The password that you try to resend is not the encrypted password, it's an ASCII representation of your encrypted password. I assume that you need to activate the chap (or pap with encryption_scheme = crypt) module to be able to authenticate this request. I don't know about LDAP, but I authenticate this kind of encrypted password with MySQL using a scheme like this:

    modules {
        [...]
        pap {
            encryption_scheme = crypt
        }
        [...]
        chap {
            authtype = CHAP
        }
        [...]
    }
    authorize {
        preprocess
        auth_log
        chap
        suffix
        # I'm using MySQL instead of LDAP ...
        sql
    }
    authenticate {
        Auth-Type LDAP {
            ldap
        }
        Auth-Type CHAP {
            chap
        }
    }

Hope this can help you.
Re: OpenLDAP / FreeRADIUS / Cisco 5350 problem
On Wed, May 11, 2005 at 05:28:27PM -0500, Douglas G. Phillips wrote:
> Date: Wed, 11 May 2005 17:28:27 -0500
> From: Douglas G. Phillips [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: OpenLDAP / FreeRADIUS / Cisco 5350 problem
>
> Our LDAP server is using crypted passwords at the moment.
  ^
In this case only PAP authentication will work. For CHAP/MS-CHAP etc. you need the clear-text password from the DB backend.

Best wishes
-- 
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law