Hiya,
I am trying to get FreeRADIUS 0.4 to support the following setup:
Username and password for each user are stored in cleartext in an LDAP server. The FreeRADIUS server should support obtaining this information from LDAP via a TLS connection and authenticating the user using Password, PAP, CHAP, MS-CHAP, MS-CHAPv2, and EAP-MD5.
I got LDAP authentication working using PAP/Password, but none of the other protocols seem to work. I am sure I am messing up the config files big time.
Can anyone point out where I am going wrong?
Thanks, Mike
Users file
-----------------
DEFAULT Auth-Type := LDAP
	Fall-Through = Yes

DEFAULT Auth-Type := MSCHAP
	Fall-Through = Yes

DEFAULT Auth-Type := CHAP
	Fall-Through = Yes

# Defaults for all connections.
DEFAULT Service-Type == Framed-User
	Framed-Protocol = PPP,
	Framed-Netmask = 255.255.255.0,
	Framed-Routing = None,
	Ascend-Route-IP = Route-IP-Yes,
	Ascend-Bridge = Bridge-Yes,
	Ascend-Assign-IP-Pool = 1,
	Ascend-Idle-Limit = 0,
	Ascend-Force-56 = Force-56-No,
	Fall-Through = No
Important bits from the radiusd.conf file
-----------------------------------------
modules {
	ldap {
		server = "ldaptest2.xpedite.com"
		identity = "uid=radius, ou=people, dc=xpedite, dc=com"
		password = "tcpip"
		basedn = "ou=people, dc=xpedite, dc=com"
		filter = "(uid=%u)"
		start_tls = yes
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		password_header = "{clear}"
		password_attribute = "userPassword"
		timeout = 30
		timelimit = 30
		net_timeout = 30
	}
	chap {
	}
	mschap {
	}
	eap {
	}
	....etc...
}

authorize {
	files
	ldap {
		notfound = return
	}
}

authenticate {
	ldap
	authtype CHAP {
		chap
	}
	authtype MSCHAP {
		mschap
	}
#	authtype EAP {
#		eap
#
#	For some reason when trying to insert this
#	module I get this error "Module: Loaded eap
#	radiusd.conf[383]: eap: Module instantiation
#	failed."
#	}
}
Here I am trying to authenticate using CHAP
--------------------------------------------------------------
rad_recv: Access-Request packet from host 137.236.215.1:4069, id=138,
length=92
User-Name = "mdh"
CHAP-Password =
"\256\300/\260\215\272G\350\320\021\035$\360\003F\254"
CHAP-Challenge = "O\ta\243Q\330\010\256\350E\211\277{+n\320"
Service-Type = Authenticate-Only
Framed-Protocol = PPP
NAS-IP-Address = 137.236.215.1
NAS-Port = 23435
NAS-Port-Type = Virtual
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mdh
rlm_ldap: (re)connect to ldaptest2.xpedite.com:389, authentication 0
rlm_ldap: try to start TLS
rlm_ldap: bind as uid=radius, ou=people, dc=xpedite, dc=com/tcpip
rlm_ldap: waiting for bind result ...
rlm_ldap: Password header not found in password welcome for user mdh
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mdh authorized to use remote access
rlm_chap: login attempt by "mdh" with CHAP password /?G??$?F
rlm_chap: Could not find clear text password for user mdh
Login incorrect: [mdh/<CHAP-Password>] (from nas 137.236.215.1 port 23435)
Sending Access-Reject of id 138 to 137.236.215.1:4069
Here I am trying to log in via PAP
----------------------------------
rad_recv: Access-Request packet from host 137.236.215.1:4074, id=195,
length=73
User-Name = "mdh"
Password = "\373a\312{k\347\314\375\373\2729\014[\331\037\005"
Service-Type = Authenticate-Only
Framed-Protocol = PPP
NAS-IP-Address = 137.236.215.1
NAS-Port = 23447
NAS-Port-Type = Virtual
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mdh
rlm_ldap: Password header not found in password welcome for user mdh
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mdh authorized to use remote access
rlm_chap: Attribute "CHAP-Password" is required for authentication. Cannot
use "Password".
Login incorrect: [mdh/welcome] (from nas 137.236.215.1 port 23447)
Sending Access-Reject of id 195 to 137.236.215.1:4074
--
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
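Added example (Python, not from the post above and not FreeRADIUS code): how a RADIUS server verifies a CHAP-Password, which is why rlm_chap needs a clear-text password that rlm_ldap only hands over when the directory's userPassword value carries the configured "{clear}" header. The CHAP-Challenge bytes are copied from the CHAP log above; the ident, the response and the password values are constructed.

```python
import hashlib
import hmac
from typing import Optional

# Header rlm_ldap is configured to expect in the post's radiusd.conf.
PASSWORD_HEADER = "{clear}"


def cleartext_from_ldap(user_password: str, header: str = PASSWORD_HEADER) -> Optional[str]:
    """Return the clear-text password only if the directory value carries the
    configured header.  A value without it (the log's "Password header not
    found in password welcome") yields None, so no User-Password check item
    exists for rlm_chap to use."""
    if not user_password.startswith(header):
        return None
    return user_password[len(header):]


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, cleartext: Optional[str]) -> bool:
    """Check a RADIUS CHAP-Password attribute (1 byte ident + 16 byte digest,
    RFC 2865 section 5.3).  Without the clear-text password there is nothing
    to recompute the digest from, so the attempt must be rejected."""
    if cleartext is None or len(chap_password) != 17:
        return False
    ident, digest = chap_password[0], chap_password[1:]
    # Constant-time comparison of the digests.
    return hmac.compare_digest(digest, chap_response(ident, cleartext, challenge))


# Challenge taken from the post's CHAP log; ident and password are constructed.
CHALLENGE = bytes.fromhex("4f0961a351d808aee84589bf7b2b6ed0")
IDENT = 0x2A
CHAP_PASSWORD = bytes([IDENT]) + chap_response(IDENT, "welcome", CHALLENGE)


def demo() -> dict:
    """Outcome of the same CHAP packet against three directory states."""
    return {
        "with_header": verify_chap(CHAP_PASSWORD, CHALLENGE, cleartext_from_ldap("{clear}welcome")),
        "no_header": verify_chap(CHAP_PASSWORD, CHALLENGE, cleartext_from_ldap("welcome")),
        "wrong_password": verify_chap(CHAP_PASSWORD, CHALLENGE, "Welcome"),
    }


if __name__ == "__main__":
    print(demo())
```

Because the server has to recompute MD5 over the clear-text password, a directory that stores only hashed userPassword values can never satisfy CHAP or MS-CHAP; only PAP works against hashed storage.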