Re: problem with ldap authentication (epilog)
Alan DeKok wrote:
> Frank Bonnet wrote:
>> freeradius is used by chillispot on the machine, does your answer mean chillispot is sending a CHAP request ?
>
> Yes.
>
> Alan DeKok.

For information the problem is located in the cgi script called hotspotlogin.cgi that comes with chillispot.

Once the problem is corrected users authenticate well, even against our LDAP server.

Frank
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: problem with ldap authentication
Alan DeKok wrote:
> Frank Bonnet wrote:
>> is it possible to use freeradius with NIS instead of LDAP ?
>> thanks
>
> Yes. NIS is just a different way of getting users to seem to be in /etc/passwd. So there shouldn't be anything to do. Just install the server, and it should work.
>
> Alan DeKok.

you mean uncomment the /etc/passwd in this section in radiusd.conf file right ?

# Unix /etc/passwd style authentication
Re: problem with ldap authentication
>>> is it possible to use freeradius with NIS instead of LDAP ?
>>> thanks
>>
>> Yes. NIS is just a different way of getting users to seem to be in /etc/passwd. So there shouldn't be anything to do. Just install the server, and it should work.
>>
>> Alan DeKok.
>
> you mean uncomment the /etc/passwd in this section in radiusd.conf file right ?
>
> # Unix /etc/passwd style authentication

No, exactly what he said - if you install current server version it will work by default. If you made changes from default configuration and commented unix out, uncomment it again. In old server version you needed to force Auth-Type System, now it just works.

Ivan Kalik
Kalik Informatika ISP
Re: problem with ldap authentication
Frank Bonnet wrote:
> Alan DeKok wrote:
>> Frank Bonnet wrote:
>>> is it possible to use freeradius with NIS instead of LDAP ?
>>> thanks
>>
>> Yes. NIS is just a different way of getting users to seem to be in /etc/passwd. So there shouldn't be anything to do. Just install the server, and it should work.
>>
>> Alan DeKok.
>
> you mean uncomment the /etc/passwd in this section in radiusd.conf file right ?
>
> # Unix /etc/passwd style authentication

OK now I'm still in trouble ... even after removing LDAP statements

here is the log of the session, how to setup the User-password to the right value to use /etc/passwd file ?

thanks

rad_recv: Access-Request packet from host 127.0.0.1:32817, id=0, length=214
    User-Name = bonj
    CHAP-Challenge = 0xbba7f4f69dfb6cf2342f1cbba4e7e482
    CHAP-Password = 0x00f7fbe0aa077445403b77c55ab120f811
    NAS-IP-Address = 127.0.0.1
    Service-Type = Login-User
    Framed-IP-Address = 192.168.182.2
    Calling-Station-Id = 00-15-AF-8E-7C-E4
    Called-Station-Id = 00-12-79-90-10-21
    NAS-Identifier = nas01
    Acct-Session-Id = 49c8b4340030
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 48
    Message-Authenticator = 0x9dfa1ebe41cae3090fd9d919498bb04c
    WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: No '@' in User-Name = bonj, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 155
modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type System
auth: type System
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: Attribute User-Password is required for authentication. Cannot use CHAP-Password.
modcall[authenticate]: module unix returns invalid for request 0
modcall: leaving group authenticate (returns invalid) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Re: problem with ldap authentication
> OK now I'm still in trouble ... even after removing LDAP statements
> here is the log of the session, how to setup the User-password to the right value to use /etc/passwd file ?
> thanks
>
> rad_recv: Access-Request packet from host 127.0.0.1:32817, id=0, length=214
>     User-Name = bonj
>     CHAP-Challenge = 0xbba7f4f69dfb6cf2342f1cbba4e7e482
>     CHAP-Password = 0x00f7fbe0aa077445403b77c55ab120f811

OK. Now read what's written in radiusd.conf unix section about using /etc/passwd with chap.

Ivan Kalik
Kalik Informatika ISP
Re: problem with ldap authentication
t...@kalik.net wrote:
>> OK now I'm still in trouble ... even after removing LDAP statements
>> here is the log of the session, how to setup the User-password to the right value to use /etc/passwd file ?
>> thanks
>>
>> rad_recv: Access-Request packet from host 127.0.0.1:32817, id=0, length=214
>>     User-Name = bonj
>>     CHAP-Challenge = 0xbba7f4f69dfb6cf2342f1cbba4e7e482
>>     CHAP-Password = 0x00f7fbe0aa077445403b77c55ab120f811
>
> OK. Now read what's written in radiusd.conf unix section about using /etc/passwd with chap.
>
> Ivan Kalik
> Kalik Informatika ISP

Hello

I KNOW we cannot use /etc/passwd for chap authentication

my question is HOW to use /etc/passwd with freeradius ?

I only want to use users and /etc/passwd files and NO other source to authenticate my users.

Thank you for help
Re: problem with ldap authentication
> I KNOW we cannot use /etc/passwd for chap authentication
> my question is HOW to use /etc/passwd with freeradius ?

Great. So, you are aware it's not going to work with chap. And what do you do:

>>> rad_recv: Access-Request packet from host 127.0.0.1:32817, id=0, length=214
>>>     User-Name = bonj
>>>     CHAP-Challenge = 0xbba7f4f69dfb6cf2342f1cbba4e7e482
>>>     CHAP-Password = 0x00f7fbe0aa077445403b77c55ab120f811

You send a chap request!!!

> I only want to use users and /etc/passwd files and NO other source to authenticate my users.

You are using it. Send a request it can be used for (not chap, mschap).

Ivan Kalik
Kalik Informatika ISP
Re: problem with ldap authentication
t...@kalik.net wrote:
>> I KNOW we cannot use /etc/passwd for chap authentication
>> my question is HOW to use /etc/passwd with freeradius ?
>
> Great. So, you are aware it's not going to work with chap. And what do you do:
>
>>>> rad_recv: Access-Request packet from host 127.0.0.1:32817, id=0, length=214
>>>>     User-Name = bonj
>>>>     CHAP-Challenge = 0xbba7f4f69dfb6cf2342f1cbba4e7e482
>>>>     CHAP-Password = 0x00f7fbe0aa077445403b77c55ab120f811
>
> You send a chap request!!!

Believe me ... if I knew how not to send I would do it

My question is how to instruct freeradius to use /etc/passwd in the configuration file

thanks
Re: problem with ldap authentication
>>>>> rad_recv: Access-Request packet from host 127.0.0.1:32817, id=0, length=214
>>>>>     User-Name = bonj
>>>>>     CHAP-Challenge = 0xbba7f4f69dfb6cf2342f1cbba4e7e482
>>>>>     CHAP-Password = 0x00f7fbe0aa077445403b77c55ab120f811
>>
>> You send a chap request!!!
>
> Believe me ... if I knew how not to send I would do it
>
> My question is how to instruct freeradius to use /etc/passwd in the configuration file

You say:

>>> I KNOW we cannot use /etc/passwd for chap authentication

It can't be done for a chap request! What part of that sentence don't you understand?

If you are going to send chap requests you can't use passwords from /etc/passwd. If you are going to use passwords from /etc/passwd - don't send chap requests. If you don't know how to adjust your NAS - read a manual.

Ivan Kalik
Kalik Informatika ISP
Re: problem with ldap authentication
t...@kalik.net wrote:
>>>>>> rad_recv: Access-Request packet from host 127.0.0.1:32817, id=0, length=214
>>>>>>     User-Name = bonj
>>>>>>     CHAP-Challenge = 0xbba7f4f69dfb6cf2342f1cbba4e7e482
>>>>>>     CHAP-Password = 0x00f7fbe0aa077445403b77c55ab120f811
>>>
>>> You send a chap request!!!
>>
>> Believe me ... if I knew how not to send I would do it
>>
>> My question is how to instruct freeradius to use /etc/passwd in the configuration file
>
> You say:
>
>>>> I KNOW we cannot use /etc/passwd for chap authentication
>
> It can't be done for a chap request! What part of that sentence don't you understand?
>
> If you are going to send chap requests you can't use passwords from /etc/passwd. If you are going to use passwords from /etc/passwd - don't send chap requests. If you don't know how to adjust your NAS - read a manual.

OK could you give a link to a manual

Thanks
Re: problem with ldap authentication
Frank Bonnet wrote:
> Believe me ... if I knew how not to send I would do it

Fix the NAS. You bought it, you know what make/model it is, so you can find documentation for it. Maybe try asking the vendor for documentation?

> My question is how to instruct freeradius to use /etc/passwd in the configuration file

Install the server. Put a user in /etc/passwd (or NIS). Send a PAP request to the server. Authentication will work.

If it doesn't work, it's because:

a) You're sending CHAP, not PAP
b) you edited the configuration files, and broke system authentication

Alan DeKok.
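
Why the advice above holds, as an added Python example that is not part of the original thread and is not FreeRADIUS code: a CHAP response is MD5(identifier || password || challenge), so the server needs the clear-text password to check it, whereas PAP delivers the password and it can be re-hashed against a one-way store. The sample password, salt and the PBKDF2 stand-in for the system's crypt() hash are assumptions; the two hex attribute values come from the debug log quoted in this thread.

```python
import hashlib
import hmac

# Attribute values copied from the debug log quoted in this thread.
CHAP_PASSWORD_HEX = "00f7fbe0aa077445403b77c55ab120f811"
CHAP_CHALLENGE_HEX = "bba7f4f69dfb6cf2342f1cbba4e7e482"


def split_chap_password(attr_hex):
    """RFC 2865 CHAP-Password: 1 octet CHAP identifier + 16 octet response."""
    raw = bytes.fromhex(attr_hex)
    if len(raw) != 17:
        raise ValueError("CHAP-Password must be 17 octets")
    return raw[0], raw[1:]


def chap_response(ident, secret, challenge):
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(attr_hex, challenge_hex, secret):
    """The server recomputes the MD5, so it must hold the clear-text password."""
    ident, response = split_chap_password(attr_hex)
    expected = chap_response(ident, secret, bytes.fromhex(challenge_hex))
    return hmac.compare_digest(expected, response)


def hash_password(cleartext, salt):
    """Assumption: PBKDF2 stands in for the one-way crypt() hash of a system account."""
    return hashlib.pbkdf2_hmac("sha256", cleartext, salt, 10_000)


def verify_pap(stored_hash, salt, user_password):
    """PAP hands the server the password itself (after RADIUS decoding),
    so it can be hashed again and compared with the stored hash."""
    return hmac.compare_digest(hash_password(user_password, salt), stored_hash)


def demo():
    password = b"example-pass"                 # constructed sample password
    salt = bytes.fromhex("a1b2c3d4e5f60718")   # constructed salt
    stored = hash_password(password, salt)     # all a passwd-style store keeps
    challenge = bytes.fromhex(CHAP_CHALLENGE_HEX)
    # What a CHAP client would send for this password and the logged challenge.
    attr = (b"\x00" + chap_response(0, password, challenge)).hex()
    return {
        "chap_with_cleartext": verify_chap(attr, CHAP_CHALLENGE_HEX, password),
        "chap_with_stored_hash": verify_chap(attr, CHAP_CHALLENGE_HEX, stored),
        "pap_with_stored_hash": verify_pap(stored, salt, password),
    }


if __name__ == "__main__":
    print(split_chap_password(CHAP_PASSWORD_HEX)[0], demo())
```
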
Re: problem with ldap authentication
Alan DeKok wrote:
> Frank Bonnet wrote:
>> Believe me ... if I knew how not to send I would do it
>
> Fix the NAS. You bought it, you know what make/model it is, so you can find documentation for it. Maybe try asking the vendor for documentation?
>
>> My question is how to instruct freeradius to use /etc/passwd in the configuration file
>
> Install the server. Put a user in /etc/passwd (or NIS). Send a PAP request to the server. Authentication will work.
>
> If it doesn't work, it's because:
>
> a) You're sending CHAP, not PAP
> b) you edited the configuration files, and broke system authentication

freeradius is used by chillispot on the machine, does your answer mean chillispot is sending a CHAP request ?

thanks
Re: problem with ldap authentication
Frank Bonnet wrote:
> freeradius is used by chillispot on the machine, does your answer mean chillispot is sending a CHAP request ?

Yes.

Alan DeKok.
Re: problem with ldap authentication
Alan DeKok wrote:
> Frank Bonnet wrote:
>> freeradius is used by chillispot on the machine, does your answer mean chillispot is sending a CHAP request ?
>
> Yes.
>
> Alan DeKok.

OK thanks for your (constructive ;-)) answer
problem with ldap authentication
hello

I'm in trouble with a debian version of freeradius

I've installed chillispot and freeradius packages but it won't work for LDAP users

it fails with such error messages :

Mon Mar 23 16:41:05 2009 : Auth: Login incorrect: [/CHAP-Password] (from client localhost port 31 cli 00-13-02-AE-F1-01)

Any help/idea welcome

Thank you.
Re: problem with ldap authentication
On 23.03.2009 at 16:46, Frank Bonnet wrote:
> hello
>
> I'm in trouble with a debian version of freeradius
>
> I've installed chillispot and freeradius packages but it won't work for LDAP users
>
> it fails with such error messages :
>
> Mon Mar 23 16:41:05 2009 : Auth: Login incorrect: [/CHAP-Password] (from client localhost port 31 cli 00-13-02-AE-F1-01)
>
> Any help/idea welcome

Be sure to assign passwords ( := ) and not to compare ( == ) passwords.

Also check that the shared secret is really the same.

Otherwise, I suppose that you will be asked to give the output of radiusd -X

> Thank you.

Have a nice day!

Nicolas Goutte

extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: problem with ldap authentication
Frank Bonnet wrote:
> I'm in trouble with a debian version of freeradius
>
> I've installed chillispot and freeradius packages but it won't work for LDAP users
>
> it fails with such error messages :
>
> Mon Mar 23 16:41:05 2009 : Auth: Login incorrect: [/CHAP-Password] (from client localhost port 31 cli 00-13-02-AE-F1-01)

Is there any reason you're not running it in debugging mode, as suggested in the FAQ, README, INSTALL, man page, and nearly daily on this list?

Alan DeKok.
Re: problem with ldap authentication
I want to know what to configure in order to use ldap as freeradius database of users

2009/3/23, Alan DeKok al...@deployingradius.com:
> Frank Bonnet wrote:
>> I'm in trouble with a debian version of freeradius
>>
>> I've installed chillispot and freeradius packages but it won't work for LDAP users
>>
>> it fails with such error messages :
>>
>> Mon Mar 23 16:41:05 2009 : Auth: Login incorrect: [/CHAP-Password] (from client localhost port 31 cli 00-13-02-AE-F1-01)
>
> Is there any reason you're not running it in debugging mode, as suggested in the FAQ, README, INSTALL, man page, and nearly daily on this list?
>
> Alan DeKok.
Re: problem with ldap authentication
Alan DeKok wrote:
> Frank Bonnet wrote:
>> I'm in trouble with a debian version of freeradius
>>
>> I've installed chillispot and freeradius packages but it won't work for LDAP users
>>
>> it fails with such error messages :
>>
>> Mon Mar 23 16:41:05 2009 : Auth: Login incorrect: [/CHAP-Password] (from client localhost port 31 cli 00-13-02-AE-F1-01)
>
> Is there any reason you're not running it in debugging mode, as suggested in the FAQ, README, INSTALL, man page, and nearly daily on this list?
>
> Alan DeKok.

OK here is the debug of one failed session

thanks for your help

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:33076, id=0, length=217
    User-Name = xxx
    CHAP-Challenge = 0x01464b2728f172473bf5dd5d64d71539
    CHAP-Password = 0x00443c19722da8b5ac9799a1a5d39bc1af
    NAS-IP-Address = 127.0.0.1
    Service-Type = Login-User
    Framed-IP-Address = 192.168.182.54
    Calling-Station-Id = 00-19-D2-78-56-4D
    Called-Station-Id = 00-12-79-90-10-21
    NAS-Identifier = nas01
    Acct-Session-Id = 49c7b8940034
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 52
    Message-Authenticator = 0x64d387cd750288b284dc8182e4f2dec6
    WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = xxx, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 363
modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for xxx
radius_xlat: '(uid=)'
radius_xlat: 'dc=esiee,dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.esiee.fr:389, authentication 0
rlm_ldap: bind as / to ldap.esiee.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=esiee,dc=fr, with filter (uid=xxx)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type CHAP
auth: type CHAP
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [xxx/CHAP-Password] (from client localhost port 52 cli 00-19-D2-78-56-4D)
Delaying request 0 for 1 seconds
Re: problem with ldap authentication
Frank Bonnet wrote:
> OK here is the debug of one failed session
> ...
> rlm_ldap: performing search in dc=esiee,dc=fr, with filter (uid=xxx)
> rlm_ldap: object not found or got ambiguous search result

Well, that's relatively clear. There's no such user, OR it got multiple responses.

You need to fix the LDAP configuration so that it can find the user's clear-text password in LDAP. This can be awkward... and I'm not an LDAP expert.

Alan DeKok.
Re: problem with ldap authentication
David N'DAKPAZE wrote:
> I want to know what to configure in order to use ldap as freeradius database of users

Read raddb/modules/ldap

The O'Reilly OpenLDAP book also has a good description of how to configure FreeRADIUS to use LDAP.

Alan DeKok.
Re: problem with ldap authentication
Thank you, I will try it

2009/3/23, Alan DeKok al...@deployingradius.com:
> Frank Bonnet wrote:
>> OK here is the debug of one failed session
>> ...
>> rlm_ldap: performing search in dc=esiee,dc=fr, with filter (uid=xxx)
>> rlm_ldap: object not found or got ambiguous search result
>
> Well, that's relatively clear. There's no such user, OR it got multiple responses.
>
> You need to fix the LDAP configuration so that it can find the user's clear-text password in LDAP. This can be awkward... and I'm not an LDAP expert.
>
> Alan DeKok.
Re: problem with ldap authentication
Alan DeKok wrote:
> Frank Bonnet wrote:
>> OK here is the debug of one failed session
>> ...
>> rlm_ldap: performing search in dc=esiee,dc=fr, with filter (uid=xxx)
>> rlm_ldap: object not found or got ambiguous search result
>
> Well, that's relatively clear. There's no such user, OR it got multiple responses.
>
> You need to fix the LDAP configuration so that it can find the user's clear-text password in LDAP. This can be awkward... and I'm not an LDAP expert.
>
> Alan DeKok.

is it possible to use freeradius with NIS instead of LDAP ?

thanks
Re: problem with ldap authentication
Frank Bonnet wrote:
> is it possible to use freeradius with NIS instead of LDAP ?
> thanks

Yes. NIS is just a different way of getting users to seem to be in /etc/passwd. So there shouldn't be anything to do. Just install the server, and it should work.

Alan DeKok.
Re: problem with ldap authentication
Alan DeKok wrote:
> Frank Bonnet wrote:
>> is it possible to use freeradius with NIS instead of LDAP ?
>> thanks
>
> Yes. NIS is just a different way of getting users to seem to be in /etc/passwd. So there shouldn't be anything to do. Just install the server, and it should work.
>
> Alan DeKok.

OK thanks a lot