I got the better part of this working on Friday.... Here are most of the
pertinent parts:

radiusd.conf:

-add a blank section for chap options (something complained when I didn't
do this)

chap {
}

-make sure that your ldap section is configured for your setup

-make sure authorize{} has chap and ldap. Mine looks like:
authorize {
        preprocess
        chap
        ldap
        suffix
        files
}

-make sure authenticate{} has chap. I have:
authenticate {
        unix
        chap
}

I only have one type of user.... I'm not sure how to set up realms properly,
so I'm being lame and matching the realm in their username attribute and
giving them some Ascend vendor attributes:
users:

DEFAULT Suffix == "@realm.mycompany.com"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Ascend-Data-Filter = "IP IN FORWARD TCP",
        Ascend-Data-Filter += "IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE",
        Ascend-Data-Filter += "IP IN DROP TCP DSTPORT = 25",
        Ascend-Data-Filter += "IP IN FORWARD 0",
        Ascend-Assign-IP-Pool = 0

-Shawn

On Mon, 25 Mar 2002, Michael S. McCollough wrote:

> I am probably just dense, but either the FAQ is incomplete or I cannot
> translate it to suit my needs. I cannot even get CHAP to work with Auth-Type
> := system. I need it to work with LDAP. One key point may be CHAP vs.
> MS-CHAP. The radiusd.conf file only has MS-CHAP in it. I remember a long time
> ago when CHAP was proposed, MS did their own version. Since the MS version
> became the de facto standard, I am not sure if MS-CHAP and CHAP are used
> interchangeably.
>
> From radiusd -X
> rlm_ldap: Attribute "Password" is required for authentication. Cannot use
> "CHAP-Password".
>
> I need CHAP to work with LDAP but would be happy to see it work with system
> auth just to know it works.
>
> --
> Michael
>
>
> -----Original Message-----
> From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 21, 2002 2:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: CHAP-Password & LDAP Auth?
>
>
> On Thu, 21 Mar 2002, Mike Cathey wrote:
>
> > Chris,
> >
> >
> > Chris Parker wrote:
> > > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> > >
> > >> Chris,
> > >>
> > >> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC it's
> > >> the auth code) supports 2 methods of LDAP auth.  One method
> > >> attempts to bind to the directory as the user, which is what it
> > >> sounds like FreeRADIUS does.  The other method is to bind to the
> > >> directory as a privileged user (one who has access to all user
> > >> attributes), crypt what the client handed you and compare it to
> > >> userPassword.
> > >
> > >
> > > The client hands you an already (and non-reversible) encrypted
> > > string. Encrypting it a second time will yield nothing useful.
> > >
> > >> It may be possible to implement the second method in FreeRADIUS and
> > >> use it for LDAP/CHAP auth.  Comments?
> > >
> > >
> > > The only way to perform CHAP authentication is for the server to
> > > have access to the unencrypted password locally.
> >
> > Sorry, I wasn't suggesting you use crypt with LDAP/CHAP.  I was just
> > pointing out the method of binding as a privileged user (a user who
> > has rights to access the userPassword attribute for the RADIUS users).
> > You can then get the value of userPassword and send the 'challenge'
> > back to the proxy.  I haven't read docs on CHAP in a while, but it
> > seems like this would work ok.  Of course, this assumes you store all
> > of your users passwords in plain text.
> >
> > Cheers,
> >
> > Mike
>
> It's already supported. Please read the FAQ at
> http://www.freeradius.org/faq/#5.11
>
> and doc/rlm_ldap
>
> --
> Kostas Kalevras               Network Operations Center
> [EMAIL PROTECTED]    National Technical University of Athens, Greece
> Work Phone:           +30 10 7721861
> 'Go back to the shadow'       Gandalf
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.

