Please forgive if a repost. Not sure my comments below got passed
along...also wanted to tack on a "sample test packet":

sample test:
/usr/local/bin/radclient -x radius-server.mycompany.com auth
mysharedsecret < radtest.txt

where radtest.txt resembles:
User-Name = "someradiususer"
CHAP-Password = "cleartextofpassword"
NAS-IP-Address = somenas.mycompany.com
NAS-Port-Id = 0
NAS-Port-Type = Async
Service-Type = Framed
Framed-Protocol = PPP
State = ""
Calling-Station-Id = "8475061520"
Called-Station-Id = "8476311672"
Acct-Session-Id = "379094840"
Ascend-Data-Rate = 26400
Ascend-Xmit-Rate = 44000
Proxy-State = blah

-Shawn

On Tue, 26 Mar 2002, Shawn O'Shea wrote:

>
> I got the better part of this working on Friday....here's most of the
> pertinent parts:
>
> radiusd.conf:
>
> -add a blank section for chap options (something complained when I didn't
> do this)
>
> chap {
> }
>
> -make sure that your ldap section is configured for your setup
>
> -make sure authorize{} has chap and ldap. Mine looks like:
> authorize {
>       preprocess
>         chap
>       ldap
>       suffix
>       files
> }
>
> -make sure authenticate{} has chap. I have:
> authenticate {
>       unix
>       chap
> }
>
> I only have one type of user....I'm not sure how to set up realms properly,
> so I'm being lame and matching the realm in their username attribute and
> giving them some ascend vendor attributes:
> users:
>
> DEFAULT Suffix == "@realm.mycompany.com"
>       Service-Type = Framed-User,
>       Framed-Protocol = PPP,
>       Ascend-Data-Filter = "IP IN FORWARD TCP",
>       Ascend-Data-Filter += "IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE",
>       Ascend-Data-Filter += "IP IN DROP TCP DSTPORT = 25",
>       Ascend-Data-Filter += "IP IN FORWARD 0",
>       Ascend-Assign-IP-Pool = 0
>
> -Shawn
>
> On Mon, 25 Mar 2002, Michael S. McCollough wrote:
>
> > I am probably just dense but either the faq is incomplete or I cannot
> > translate to suit my needs. I cannot even get chap to work with Auth-Type
> > :=system  I need it to work with ldap. One key point may be CHAP vs
> > MS-CHAP. The radiusd.conf file only has ms-chap in it. I remember long time
> > ago when chap was proposed, ms did their own version. Since the MS version
> > became the defacto standard, I am not sure if ms-chap and chap are used
> > interchangeably.
> >
> > From radiusd -X
> > rlm_ldap: Attribute "Password" is required for authentication. Cannot use
> > "CHAP-Password".
> >
> > I need CHAP to work with LDAP but would be happy to see it work with system
> > auth just to know it works.
> >
> > --
> > Michael
> >
> >
> > -----Original Message-----
> > From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, March 21, 2002 2:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: CHAP-Password & LDAP Auth?
> >
> >
> > On Thu, 21 Mar 2002, Mike Cathey wrote:
> >
> > > Chris,
> > >
> > >
> > > Chris Parker wrote:
> > > > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> > > >
> > > >> Chris,
> > > >>
> > > >> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC it's
> > > >> the auth code) supports 2 methods of LDAP auth.  One method
> > > >> attempts to bind to the directory as the user, which is what it
> > > >> sounds like FreeRADIUS does.  The other method is to bind to the
> > > >> directory as a privileged user (one who has access to all user
> > > >> attributes), crypt what the client handed you and compare it to
> > > >> userPassword.
> > > >
> > > >
> > > > The client hands you an already ( and non-reversible ) encrypted
> > > > string. Encrypting it a second time will yield nothing useful.
> > > >
> > > >> It may be possible to implement the second method in FreeRADIUS and
> > > >> use it for LDAP/CHAP auth.  Comments?
> > > >
> > > >
> > > > The only way to perform CHAP authentication is for the server to
> > > > have access to the unencrypted password locally.
> > >
> > > Sorry, I wasn't suggesting you use crypt with LDAP/CHAP.  I was just
> > > pointing out the method of binding as a privileged user (a user who
> > > has rights to access the userPassword attribute for the RADIUS users).
> > > You can then get the value of userPassword and send the 'challenge'
> > > back to the proxy.  I haven't read docs on CHAP in a while, but it
> > > seems like this would work ok.  Of course, this assumes you store all
> > > of your users passwords in plain text.
> > >
> > > Cheers,
> > >
> > > Mike
> >
> > It's already supported. Please read the FAQ at
> > http://www.freeradius.org/faq/#5.11
> >
> > and doc/rlm_ldap
> >
> > --
> > Kostas Kalevras             Network Operations Center
> > [EMAIL PROTECTED]  National Technical University of Athens, Greece
> > Work Phone:         +30 10 7721861
> > 'Go back to the shadow'     Gandalf
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>
> Shawn K. O'Shea
> Sr. Unix Administrator
> DSL.net, Inc.
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.


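Added example (not FreeRADIUS or rlm_ldap code, and not from anyone in the thread) working through the point made above about why rlm_ldap wants a cleartext "Password" attribute rather than "CHAP-Password": the NAS only ever sends MD5(identifier || password || challenge), so the server can verify it only by recomputing that digest from the cleartext it holds. The code builds the CHAP-Password value a NAS (or radclient, given a cleartext CHAP-Password as in radtest.txt) would send, verifies it server-side, and contrasts it with a PAP check against a one-way {SSHA}-style userPassword, which does work with a hash. All values (password, Request Authenticator, salt, CHAP identifier) are constructed.

```python
"""CHAP verification as a RADIUS server sees it (RFC 1994 and RFC 2865, section 5.3).

Added illustration, not FreeRADIUS or rlm_ldap code. All values are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional


def chap_challenge(request_authenticator: bytes, chap_challenge_attr: Optional[bytes] = None) -> bytes:
    """RFC 2865 5.3: use the CHAP-Challenge attribute if the NAS sent one;
    otherwise the 16-octet Request Authenticator of the Access-Request is the challenge."""
    if chap_challenge_attr:
        return chap_challenge_attr
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    return request_authenticator


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge).
    The NAS (or radclient, given a cleartext CHAP-Password) computes this."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attribute(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RADIUS CHAP-Password value: CHAP Identifier octet followed by the 16-octet response.
    Unlike User-Password, it is not obscured with the RADIUS shared secret."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password_attr: bytes, challenge: bytes, cleartext_password: bytes) -> bool:
    """Server side. The only possible check is to recompute the digest from the
    cleartext password the server holds and compare it in constant time."""
    if len(chap_password_attr) != 17:
        return False
    ident = chap_password_attr[0]
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, chap_password_attr[1:])


def ssha_store(password: bytes, salt: bytes) -> bytes:
    """A one-way {SSHA}-style userPassword as commonly kept in LDAP: SHA1(pw || salt) || salt."""
    return hashlib.sha1(password + salt).digest() + salt


def verify_pap(cleartext_from_pap: bytes, stored: bytes) -> bool:
    """PAP works against a one-way hash: the server receives the cleartext (after
    removing the User-Password obfuscation) and can re-hash it. CHAP cannot do this:
    the server never receives the cleartext, only MD5(ident || pw || challenge), and
    nothing lets it derive that digest from SHA1(pw || salt)."""
    digest, salt = stored[:20], stored[20:]
    return hmac.compare_digest(hashlib.sha1(cleartext_from_pap + salt).digest(), digest)


if __name__ == "__main__":
    # Constructed sample values standing in for a real NAS and user.
    password = b"cleartextofpassword"
    authenticator = os.urandom(16)             # Request Authenticator chosen by the NAS
    challenge = chap_challenge(authenticator)  # no CHAP-Challenge attribute sent
    attr = chap_password_attribute(0x2A, password, challenge)

    print("CHAP with cleartext password on server :", verify_chap(attr, challenge, password))
    print("CHAP with wrong password               :", verify_chap(attr, challenge, b"wrong"))
    # With only a hashed userPassword there is nothing to compare the CHAP digest against,
    # which is exactly the rlm_ldap error quoted in the thread. PAP, by contrast, is fine:
    stored = ssha_store(password, os.urandom(8))
    print("PAP against {SSHA} userPassword        :", verify_pap(password, stored))
```

The practical consequence for an LDAP-backed deployment is the one Mike notes above: CHAP only works if the directory stores the password in cleartext (or in a reversible form the server can decode), and the account the server binds with must be allowed to read it.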