I am running freeradius 0.9.3 on RH 9. I am trying to get ldap
authorization and authentication. The debug output shows the following:
rad_recv: Access-Request packet from host 10.5.10.24:2810, id=111,
length=147
User-Name = "ctd3"
Cisco-AVPair = "ssid=DBUACAD"
NAS-IP-Address = 10.5.10.24
Called-Station-Id = "0040964684f1"
Calling-Station-Id = "00409645c07a"
NAS-Identifier = "LIBRARY WEST"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x020a00090163746433
Message-Authenticator = 0xafa673ae819679da2945f1189002a71a
modcall: entering group authorize for request 10
modcall[authorize]: module "preprocess" returns ok for request 10
modcall[authorize]: module "chap" returns noop for request 10
rlm_realm: No '@' in User-Name = "ctd3", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 10
users: Matched ctd3 at 244
modcall[authorize]: module "files" returns ok for request 10
modcall[authorize]: module "mschap" returns noop for request 10
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ctd3
radius_xlat: '(uid=ctd3)'
radius_xlat: 'ou=academics,o=DBU'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=academics,o=DBU, with filter (uid=ctd3)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ctd3 authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 10
modcall: group authorize returns ok for request 10
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Delaying request 10 for 1 seconds
Finished request 10
Going to the next request
Sending Access-Reject of id 183 to 10.5.10.2:1645
Here is radiusd.conf:
ldap {
server = "10.5.10.215"
identity = "cn=LDAPUser,ou=Users,o=DBU"
password = n0neshall
basedn = "ou=academics,o=DBU"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
# password_header = "{clear}"
password_attribute = User-Password
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# access_attr_used_for_allow = yes
}
authorize {
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
#
# It also adds a Client-IP-Address attribute to the request.
preprocess
#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
# auth_log
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap
# attr_filter
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
# eap
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line.
# digest
#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# realmslash
suffix
#
# Read the 'users' file
files
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, then un-comment this line, and
# configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap
# The ldap module will set Auth-Type to LDAP if it has not already been set
ldap
# daily
}
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line.
# digest
#
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
unix
# Uncomment it if you want to use ldap for authentication
Auth-Type LDAP {
ldap
}
#
# Allow EAP authentication.
# eap
}
The only changes to the system I made were to add the clients to
clients.conf and configure the ldap module and uncomment ldap in the
authenticate and authorize sections of radiusd.conf. I have read the
Radius book and the docs in freeradius and the examples all show using
the users file. I am using the Alfa&Ariss supplicant which uses pap as
its internal authentication. The book says the PAP module places the
password in the User-Password attribute. Do I need to map something?
Thanks for any assistance.
rick...
Rom.5:8
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
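Added example (not code from the post or from FreeRADIUS): a small Python script that parses the attribute lines of the debug dump above and decodes the EAP-Message, showing why "No User-Password or CHAP-Password attribute in the request" follows. The request carries only an EAP-Response/Identity for "ctd3", so a Local/PAP-style check has no password to compare; the attribute lines below are a constructed copy of the ones in the dump, and the attribute and EAP type names are taken from the RADIUS/EAP RFCs.

```python
# Added example, not from the original post: parse FreeRADIUS debug
# attribute lines and decode the EAP-Message (RFC 3748) to classify
# which authentication method a request can actually support.
import re

# Constructed copy of the attribute lines from the debug dump above.
DEBUG_DUMP = """\
User-Name = "ctd3"
Cisco-AVPair = "ssid=DBUACAD"
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x020a00090163746433
Message-Authenticator = 0xafa673ae819679da2945f1189002a71a
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 17: "LEAP"}
# Attributes a PAP/CHAP/MS-CHAP check needs; EAP carries none of them.
PASSWORD_ATTRS = ("User-Password", "CHAP-Password", "MS-CHAP-Response")

def parse_attrs(dump):
    """Turn 'Name = value' debug lines into a dict; strips the quotes."""
    attrs = {}
    for line in dump.splitlines():
        m = re.match(r'\s*([\w-]+)\s*=\s*(.*)$', line)
        if m:
            attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs

def decode_eap(hexstr):
    """Decode one EAP packet: code, id, length, type, type-data."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw) or length < 5:
        raise ValueError("EAP length field does not match packet")
    return {"code": EAP_CODES.get(code, code), "id": ident,
            "type": EAP_TYPES.get(raw[4], raw[4]), "data": raw[5:length]}

def classify(attrs):
    """Return (method, detail): what this request can be authenticated with."""
    if "EAP-Message" in attrs:
        eap = decode_eap(attrs["EAP-Message"])
        data = eap["data"].decode("utf-8", "replace")
        return "EAP", f"{eap['code']} id={eap['id']} {eap['type']} {data!r}"
    for attr in PASSWORD_ATTRS:
        if attr in attrs:
            return attr, "password-style authentication possible"
    return None, "no credential attribute in the request"

if __name__ == "__main__":
    print(classify(parse_attrs(DEBUG_DUMP)))
```

Run against the dump it reports an EAP Response/Identity and no password attribute, which is exactly the case the commented-out eap module in authorize and authenticate is there to handle.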