openldap+freeradius+Cisco

2006-10-27 Thread [EMAIL PROTECTED]
Hi,
I'm trying to authenticate and authorize Cisco router administrators; the authentication works, but not the authorization (privilege level), i.e. not when I add "aaa authorization exec default group radiusvrf if-authenticated" to the Cisco router to be able to manage privileges with RADIUS.

To make it work, I think I need to configure the Service-Type and cisco-avpair attributes for each user so that the Cisco router gets the authorization.
I want to configure these attributes in FreeRADIUS, not in OpenLDAP.

So, is it possible to add these attributes for a specific user in the raddb/users file after he has been authenticated by LDAP? Or must I do it differently?




in raddb/radiusd.conf: 

authorize {
	preprocess
	files
	ldap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type LDAP {
		ldap
	}
}
I tried with a user and a DEFAULT user:

raddb/users:


Robert	Service-Type = NAS-Prompt-User
	cisco-avpair = "shell:priv-lvl=1"

DEFAULT	Service-Type = NAS-Prompt-User
	cisco-avpair = "shell:priv-lvl=1"

but these attributes don't seem to be sent to the router. When ldap is in authorize in radiusd.conf, is the users file not checked any more?



Thanks for your help

Thomas
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: openldap+freeradius+Cisco

2006-10-27 Thread [EMAIL PROTECTED]
OK, it works fine now with this in the users file:

Robert	Auth-Type = LDAP
	Service-Type = NAS-Prompt-User,
	cisco-avpair = "shell:priv-lvl=1"
but radiusd.conf says not to use Auth-Type = LDAP.
So is there another solution to add these attributes to the reply?

Thomas

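The reply that the working users-file entry above produces, as an added example that is not part of the original posts and not FreeRADIUS code: it lays out Service-Type = NAS-Prompt-User and the Cisco-AVPair vendor attribute the way RFC 2865 puts them on the wire, signs the Access-Accept with the shared secret, and decodes and verifies it again the way the router would. The identifier, the Request Authenticator and the secret are constructed values.

```python
import hashlib
import struct

# Constants from RFC 2865 and FreeRADIUS's dictionary.cisco
CODE_ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6        # Service-Type
ATTR_VENDOR_SPECIFIC = 26    # Vendor-Specific, carries the Cisco VSA
NAS_PROMPT_USER = 7          # Service-Type = NAS-Prompt-User
VENDOR_CISCO = 9
CISCO_AVPAIR = 1             # Cisco-AVPair sub-attribute type


def attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value, where Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def service_type(value: int) -> bytes:
    return attr(ATTR_SERVICE_TYPE, struct.pack("!I", value))


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26): Vendor-Id 9, then one Cisco sub-attribute (type 1)."""
    body = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(body)) + body
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: list) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS does on receipt: recompute the authenticator with *its* secret.
    A mismatch (wrong shared secret) makes the router silently drop the reply."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + request_auth + body + secret).digest() == resp_auth


def decode_attrs(packet: bytes) -> list:
    """Walk the attribute list; Cisco VSAs come back as ('Cisco-AVPair', text)."""
    out, pos = [], 20
    while pos < len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + a_len]
        if a_type == ATTR_SERVICE_TYPE:
            out.append(("Service-Type", struct.unpack("!I", value)[0]))
        elif a_type == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            sub = value[4:]
            while sub:
                s_type, s_len = sub[0], sub[1]
                if s_len < 2:
                    raise ValueError("malformed Cisco sub-attribute")
                if s_type == CISCO_AVPAIR:
                    out.append(("Cisco-AVPair", sub[2:s_len].decode()))
                sub = sub[s_len:]
        else:
            out.append((a_type, value))
        pos += a_len
    return out


def exec_authorization_reply(identifier: int, request_auth: bytes, secret: bytes, priv_lvl: int) -> bytes:
    """The Access-Accept that the users-file entry above produces for one login."""
    if not 0 <= priv_lvl <= 15:
        raise ValueError("IOS privilege levels are 0..15")
    return access_accept(identifier, request_auth, secret,
                         [service_type(NAS_PROMPT_USER),
                          cisco_avpair(f"shell:priv-lvl={priv_lvl}")])


if __name__ == "__main__":
    # Constructed values; a real NAS picks a random 16-octet Request Authenticator.
    req_auth, secret = bytes(range(16)), b"testing123"
    pkt = exec_authorization_reply(0x2A, req_auth, secret, 15)
    print(pkt.hex())
    print(decode_attrs(pkt))
    print(verify_response(pkt, req_auth, secret), verify_response(pkt, req_auth, b"wrong"))
```

The Response Authenticator is the only thing tying the Access-Accept to the shared secret, so a secret mismatch does not produce an error on the router, only a dropped reply; the VSA carrying shell:priv-lvl is plain text on the wire and is only as trustworthy as that secret.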

SOLVED: OpenLDAP / FreeRADIUS / Cisco 5350 problem

2005-05-18 Thread Douglas G. Phillips
On Wed, 2005-05-11 at 17:28 -0500, Douglas G. Phillips wrote:

 The problem is this: If I pass the radtest client a clear-text password,
 authentication is successful.  If either I pass the client an encrypted
 password (copied from the logs) or point the 5350 at the radius server,
 it doesn't work.  I verified that the shared secret is correctly matched
 with what is in the router.

The problem was indeed that the shared secret was incorrect.  The secret
was stored in the configuration on the router as a HEX value.  I had
copied that directly into my configuration.  When I realized that it was
a HEX value, I got the clear-text version in the RADIUS config, and
everything worked.

Thanks everyone.
-- 
Douglas G. Phillips
Distributed Computing Information Technology Services
Eastern Illinois University    (217) 581-7631




OpenLDAP / FreeRADIUS / Cisco 5350 problem

2005-05-11 Thread Douglas G. Phillips
I'm running into an issue here, and I can't seem to find the forest for
the trees.  I'm probably overlooking something obvious, and am not
searching correctly for the problem.

Our LDAP server is using crypted passwords at the moment.

The router is a cisco 5350.  RADIUS is FreeRADIUS 1.0.1-2 on Debian
Sarge.

The problem is this: If I pass the radtest client a clear-text password,
authentication is successful.  If either I pass the client an encrypted
password (copied from the logs) or point the 5350 at the radius server,
it doesn't work.  I verified that the shared secret is correctly matched
with what is in the router.

Here is a sample of the password that is being passed:

User-Password = \240d\351E\3737\025\022\0227,(rest removed)

Here is the configuration (comments omitted to save space).  I have
tried with the password_header both set to {CRYPT} and commented out.

ldap {
 server = ***
 identity = 
 password = 
 basedn = ou=people,dc=eiu,dc=edu
 filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 dictionary_mapping = ${raddbdir}/ldap.attrmap
 ldap_connections_number = 5
 password_header = {CRYPT}
 timeout = 4
 timelimit = 3
 net_timeout = 1
}

authorize {
 preprocess
 auth_log
 suffix
 ldap
}

authenticate {
 Auth-Type LDAP {
  ldap
 }
}

Any ideas?

Thanks.
-- 
Douglas G. Phillips
Distributed Computing Information Technology Services
Eastern Illinois University    (217) 581-7631





Re: OpenLDAP / FreeRADIUS / Cisco 5350 problem

2005-05-11 Thread Vladimir Vuksan
Douglas G. Phillips wrote:
Here is a sample of the password that is being passed:
User-Password = \240d\351E\3737\025\022\0227,(rest removed)
 

This may imply that your shared secret is incorrect. Please verify that 
RADIUS shared secret on Cisco 5350 and shared secret for that particular 
IP in clients.conf match.

Vladimir


Re: OpenLDAP / FreeRADIUS / Cisco 5350 problem

2005-05-11 Thread Alan DeKok
Douglas G. Phillips [EMAIL PROTECTED] wrote:
 Our LDAP server is using crypted passwords at the moment.

  RADIUS clients can use PAP.  Nothing else.

 The problem is this: If I pass the radtest client a clear-text password,
 authentication is successful.  If either I pass the client an encrypted
 password (copied from the logs)

  That won't work.  The server will interpret the User-Password
attribute as the clear-text password, because that's the definition of
User-Password.

  There are no provisions in RADIUS for passing crypt'd passwords in a
RADIUS packet.


 ... or point the 5350 at the radius server, it doesn't work.

  I don't see why.

 Here is the configuration (comments omitted to save space).  I have
 tried with the password_header both set to {CRYPT} and commented out.

  That tells the LDAP module how to interpret the password it gets
from the LDAP server.  It doesn't tell FreeRADIUS to treat
User-Password as a crypt'd password.  The documentation for the LDAP
module makes the first point clear.

  Alan DeKok.




Re: OpenLDAP / FreeRADIUS / Cisco 5350 problem

2005-05-11 Thread Julien freeradius
Hello Douglas,
The password that you are trying to resend is not the encrypted password, it's an ASCII representation of your encrypted password.
I assume that you need to activate the chap (or pap with encryption_scheme = crypt) module to be able to authenticate this request.
I don't know about LDAP, but I authenticate this kind of encrypted password with MySQL using a scheme like this:

modules {
	[...]
	pap {
		encryption_scheme = crypt
	}
	[...]
	chap {
		authtype = CHAP
	}
	[...]
}
authorize {
	preprocess
	auth_log
	chap
	suffix
	# I'm using MySQL instead of LDAP ...
	sql
}
authenticate {
	Auth-Type LDAP {
		ldap
	}
	Auth-Type CHAP {
		chap
	}
}
Hope this can help you.


Re: OpenLDAP / FreeRADIUS / Cisco 5350 problem

2005-05-11 Thread Alexei Chetroi
On Wed, May 11, 2005 at 05:28:27PM -0500, Douglas G. Phillips wrote:
 Our LDAP server is using crypted passwords at the moment.

In this case only PAP authentication will work. For CHAP/MS-CHAP etc. you need the clear-text password from the DB backend.

  Best wishes

--
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law

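An added example, not part of any post above and not FreeRADIUS code, that ties Vladimir's, Alan's, Julien's and Alexei's points together: the RFC 2865 User-Password hiding that produced the bytes Douglas saw in the logs, decoded with the right and with a wrong shared secret; a PAP check against an OpenLDAP-style {SSHA} userPassword (a salted SHA-1 stands in for crypt(3) here because Python's crypt module was removed in 3.13, the logic is the same); and a CHAP check, which can only be done with the clear-text password. Secret, Request Authenticator, salt and passwords are constructed values.

```python
import base64
import hashlib


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad with NULs to a multiple of 16, then
    c1 = p1 XOR MD5(secret + RequestAuth), c_i = p_i XOR MD5(secret + c_{i-1})."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password. With the wrong secret every MD5 mask is wrong,
    so the result is 16 octets of junk, which is what the \\240d\\351E... log line shows."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")  # strip the padding; passwords may not end in NUL


def ssha_hash(password: bytes, salt: bytes) -> str:
    """OpenLDAP-style {SSHA}: base64(SHA1(password + salt) + salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()


def pap_verify(stored: str, password: bytes) -> bool:
    """What a pap module does with a hashed userPassword: hash the clear text
    the same way and compare. It needs the clear text, which PAP delivers."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("this example only handles {SSHA}")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password + salt).digest() == digest


def pap_authenticate(hidden: bytes, secret: bytes, request_auth: bytes, stored: str) -> bool:
    """Server side of a PAP Access-Request: unhide, then check against the stored hash.
    Sending the hash text itself as User-Password fails, as Alan says: it is
    compared as if it were the clear-text password."""
    return pap_verify(stored, unhide_user_password(hidden, secret, request_auth))


def chap_response(chap_id: int, cleartext: bytes, challenge: bytes) -> bytes:
    """RFC 2865 s5.3: CHAP-Password = MD5(CHAP Ident + clear-text password + CHAP-Challenge)."""
    return hashlib.md5(bytes([chap_id]) + cleartext + challenge).digest()


def chap_verify(cleartext: bytes, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """The server must recompute the same MD5, so it needs the clear-text password;
    a {SSHA} or crypt(3) hash in the directory cannot be turned back into it."""
    return chap_response(chap_id, cleartext, challenge) == response


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    req_auth, secret = bytes(range(16)), b"testing123"
    stored = ssha_hash(b"s3cret", b"saltsalt")
    hidden = hide_user_password(b"s3cret", secret, req_auth)
    print(repr(unhide_user_password(hidden, secret, req_auth)))   # b's3cret'
    print(repr(unhide_user_password(hidden, b"wrong", req_auth)))  # junk bytes
    print(pap_authenticate(hidden, secret, req_auth, stored))
    print(chap_verify(b"s3cret", 1, b"challenge", chap_response(1, b"s3cret", b"challenge")))
```

The two failure modes in the thread are visible here: a wrong shared secret turns the unhidden User-Password into junk before any backend is consulted (the fix was the clear-text secret rather than the hex form shown in the router configuration), and a hashed userPassword only ever works with PAP, because CHAP needs the clear text on the server side.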