Are you using LDAP? This did not work for me. I did get the realms working though.
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
modcall[authenticate]: module "ldap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [[EMAIL PROTECTED]/<CHAP-Password>] (from client MR-Firewall port 0)

-----Original Message-----
From: Shawn O'Shea [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 26, 2002 10:48 AM
To: '[EMAIL PROTECTED]'
Subject: RE: CHAP-Password & LDAP Auth?

I got the better part of this working on Friday....here's most of the pertinent parts:

radiusd.conf:
-add a blank section for chap options (something complained when I didn't do this)
    chap {
    }
-make sure that your ldap section is configured for your setup
-make sure authorize{} has chap and ldap. Mine looks like:
    authorize {
        preprocess
        chap
        ldap
        suffix
        files
    }
-make sure authenticate{} has chap. I have:
    authenticate {
        unix
        chap
    }

I only have one type of user....I'm not sure how to set up realms properly, so I'm being lame and matching the realm in their username attribute and giving them some ascend vendor attributes:

users:
DEFAULT Suffix == "@realm.mycompany.com"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Ascend-Data-Filter = "IP IN FORWARD TCP",
        Ascend-Data-Filter += "IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE",
        Ascend-Data-Filter += "IP IN DROP TCP DSTPORT = 25",
        Ascend-Data-Filter += "IP IN FORWARD 0",
        Ascend-Assign-IP-Pool = 0

-Shawn

On Mon, 25 Mar 2002, Michael S. McCollough wrote:

> I am probably just dense but either the faq is incomplete or I cannot
> translate to suit my needs. I cannot even get chap to work with
> Auth-Type :=system I need it to work with ldap. One key point may be
> CHAP vs MS-CHAP. The radiusd.conf file only has ms-chap in it. I
> remember long time ago when chap was proposed, ms did their own
> version.
> Since the MS version became the de facto standard, I am not
> sure if ms-chap and chap are used interchangeably.
>
> From radiusd -X
> rlm_ldap: Attribute "Password" is required for authentication. Cannot
> use "CHAP-Password".
>
> I need CHAP to work with LDAP but would be happy to see it work with
> system auth just to know it works.
>
> --
> Michael
>
>
> -----Original Message-----
> From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 21, 2002 2:09 PM
> To: [EMAIL PROTECTED]
> Subject: Re: CHAP-Password & LDAP Auth?
>
>
> On Thu, 21 Mar 2002, Mike Cathey wrote:
>
> > Chris,
> >
> >
> > Chris Parker wrote:
> > > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> > >
> > >> Chris,
> > >>
> > >> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC it's
> > >> the auth code) supports 2 methods of LDAP auth. One method
> > >> attempts to bind to the directory as the user, which is what it
> > >> sounds like FreeRADIUS does. The other method is to bind to the
> > >> directory as a privileged user (one who has access to all user
> > >> attributes), crypt what the client handed you and compare it to
> > >> userPassword.
> > >
> > >
> > > The client hands you an already ( and non-reversible ) encrypted
> > > string. Encrypting it a second time will yield nothing useful.
> > >
> > >> It may be possible to implement the second method in FreeRADIUS
> > >> and use it for LDAP/CHAP auth. Comments?
> > >
> > >
> > > The only way to perform CHAP authentication is for the server to
> > > have access to the unencrypted password locally.
> >
> > Sorry, I wasn't suggesting you use crypt with LDAP/CHAP. I was just
> > pointing out the method of binding as a privileged user (a user who
> > has rights to access the userPassword attribute for the RADIUS
> > users). You can then get the value of userPassword and send the
> > 'challenge' back to the proxy. I haven't read docs on CHAP in a
> > while, but it seems like this would work ok.
> > Of course, this
> > assumes you store all of your users' passwords in plain text.
> >
> > Cheers,
> >
> > Mike
>
> It's already supported. Please read the FAQ at
> http://www.freeradius.org/faq/#5.11
>
> and doc/rlm_ldap
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.
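
Added example, not part of the original thread and not FreeRADIUS code: the CHAP check discussed above (RFC 1994 response carried in the RADIUS CHAP-Password attribute, RFC 2865), run against a cleartext and a hashed userPassword value. The password, challenge and directory values are constructed samples, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def nas_chap_password(chap_id: int, typed_password: bytes, challenge: bytes) -> bytes:
    # RADIUS CHAP-Password attribute (RFC 2865): 1-byte CHAP ident + 16-byte response.
    return bytes([chap_id]) + chap_response(chap_id, typed_password, challenge)


def server_verify(chap_password: bytes, challenge: bytes, stored_value: bytes) -> bool:
    # stored_value is whatever the server read from userPassword using a
    # privileged bind; the MD5 only matches if that value is the cleartext.
    if len(chap_password) != 17:
        return False
    chap_id, received = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, stored_value, challenge)
    return hmac.compare_digest(received, expected)


# Constructed sample values (not from the thread).
PASSWORD = b"s3cret-sample"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
ON_THE_WIRE = nas_chap_password(0x2A, PASSWORD, CHALLENGE)

# Two ways the directory might hold the same password.
CLEARTEXT_ENTRY = PASSWORD
HASHED_ENTRY = b"{SHA}" + base64.b64encode(hashlib.sha1(PASSWORD).digest())


def demo() -> dict:
    return {
        "cleartext userPassword": server_verify(ON_THE_WIRE, CHALLENGE, CLEARTEXT_ENTRY),
        "hashed userPassword": server_verify(ON_THE_WIRE, CHALLENGE, HASHED_ENTRY),
        "wrong password typed": server_verify(
            nas_chap_password(0x2A, b"guess", CHALLENGE), CHALLENGE, CLEARTEXT_ENTRY),
        "truncated attribute": server_verify(ON_THE_WIRE[:10], CHALLENGE, CLEARTEXT_ENTRY),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The server only ever receives the MD5 response, so it has nothing to present in an LDAP bind as the user; that is the case the rlm_ldap message 'Cannot use "CHAP-Password"' reports.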
