Quoting kevin J <[EMAIL PROTECTED]>:

> Thanks Alastair,
> 
> But, I just want to do ldap-authorize and pap-authenticate.  So, I 
> uncommented only ldap in authorize
> and uncommented only pap in authenticate.  I am using clear-txt so I put 
> {clear} in module def.

What I do for authentication is have LDAP do a bind to the directory with the user-name
and password.  I guess what you want though is to have the authorize get the password
from the directory and then have PAP authenticate this password against the user's
credentials.  This could be done by adding the user-password as a check item.  That
way, the item will be retrieved from the directory and checked against the value passed
from the supplicant.  To do this, uncomment passwordAttribute in the ldap section and
set its value to the name of the user password attribute (typically User-Password) in
the directory.

I am not too sure of what settings you will need in authorize and authenticate since I
never had a chance to test this method (we use encrypted passwords) but I would guess
you would need ldap in authorize and nothing in authenticate (if you can leave that
block empty).  Just play around with it.

Hopefully this is a bit more of what you want.  Let me know how it works out for you.

-Al
 
> It looks like that pap is not found for auth-type.
>     :
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   ERROR: Unknown value specified for Auth-Type.  Cannot perform 
> requested action.
> auth: Failed to validate the user.
> 
> I guess this is "authorize" issue and chap or eap can work because they 
> have authorize function.  I guess radius does not run a module in 
> authenticate if it is not identified in authorize.  Give me advice 
> if I am wrong.
> 
> Thanks,
> Kevin
> 
> Alastair Grant wrote:
> 
> >Kevin,
> > I have it working.  Well I use EAP-TTLS to create a secure tunnel between
> >RADIUS and my supplicant first but then I send the data from supplicant to
> >Radius via PAP and do LDAP authentication.  In this case it is alfa-ariss on
> >Windows 2000.  I am at home and won't be back at the office until monday but
> >I'll do my best to explain my set up.
> >    RADIUS:
> >      my default_eap_type in the eap module is TTLS
> >      in my authorize section I have preprocess, eap and ldap uncommented.
> >Everything else is commented out.
> >      in my authenticate section I have the LDAP block and eap uncommented.
> >Everything else is commented out even the PAP stuff.
> >   Supplicant
> >      I use an anonymous outer identity
> >      My inner authentication method is PAP.
> >
> >    Basically this allows the client to send a clear text password to the
> >server (even though it is encrypted in the tunnel) and the server can then
> >use this clear text password to do an LDAP bind for authentication.
> >
> >    This might not seem very clear but I am doing it all from memory.  If
> >this is at all what you are trying to do, send me an email monday and I'll
> >send you some documentation I have on the actual setup.  Good luck.
> >
> >-Al
> >
> >----- Original Message ----- 
> >From: "kevin J" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Thursday, August 19, 2004 5:50 PM
> >Subject: Re: PAP not working with ldap
> >
> >>kevin J wrote:
> >>
> >>>Alan DeKok wrote:
> >>>
> >>>>kevin J <[EMAIL PROTECTED]> wrote:
> >>>>
> >>>>>Is it true?  So, PAP and some other module can't work with
> >>>>>ldap-authorize???
> >>>>>
> >>>> No.
> >>>>
> >>>CHAP worked but PAP did not work.
> >>>What configuration should I check?  RADIUS did not bring PAP but tried
> >>>LDAP for authentication.
> >>>
> >>>Kevin
> >>>
> >>I am still having this problem.  Anybody who had worked for PAP with LDAP?
> >>
> >>Kevin
> >>
> >>-
> >>List info/subscribe/unsubscribe? See
> >>    
> >>
> >http://www.freeradius.org/list/users.html
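An added example, not part of the original thread and not FreeRADIUS code: a small check for the failure shown in the quoted debug output, where authorize selects an Auth-Type that the authenticate section does not list. The configuration fragment is constructed to match the setup described in the thread, and the parser assumes the simple `authenticate { ... }` layout (an `Auth-Type X { ... }` block or a bare module name) and that a bare module name registers an Auth-Type of the same name.

```python
import re

# Constructed radiusd.conf fragment: only ldap in authorize, only pap in
# authenticate, as described in the thread. Not taken from a real server.
SAMPLE_CONF = """
authorize {
    preprocess
    ldap
}
authenticate {
    Auth-Type PAP {
        pap
    }
#   Auth-Type LDAP {
#       ldap
#   }
}
"""

# Constructed from the debug output quoted in the thread (wrapped line re-joined).
SAMPLE_LOG = """\
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.
"""

def authenticate_types(conf):
    """Return the Auth-Type names enabled (not commented out) in authenticate."""
    types, depth, inside = set(), 0, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not inside:
            if re.match(r"authenticate\s*\{", line):
                inside, depth = True, 1
            continue
        m = re.match(r"Auth-Type\s+(\S+)\s*\{", line)
        if m and depth == 1:
            types.add(m.group(1).upper())        # Auth-Type PAP { ... }
        elif depth == 1 and re.fullmatch(r"[\w-]+", line):
            types.add(line.upper())              # bare module name (assumption)
        depth += line.count("{") - line.count("}")
        inside = depth > 0
    return types

def unhandled_auth_types(conf, log):
    """Auth-Types seen in the debug log with no entry in authenticate."""
    found = {t.upper() for t in re.findall(r"Found Auth-Type (\S+)", log)}
    return sorted(found - authenticate_types(conf))
```

Calling `unhandled_auth_types(SAMPLE_CONF, SAMPLE_LOG)` reports `LDAP`; once the commented `Auth-Type LDAP` block is enabled, the result is empty.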