On Thu, 26 Aug 2004, Alan DeKok wrote:
> To be a little pickier: LDAP doesn't understand EAP, but FreeRADIUS
> does. So if you use LDAP as a user/password store, and tie that
> password to EAP via FreeRADIUS, it will work. If you try to pass the
> EAP session to an LDAP database, it won't work.
Right. Thanks for the clarification.
> If you configure the LDAP module in "radiusd.conf", and un-comment
> its entry in the "authorize" section, then any user who has a
> clear-text password in LDAP will be able to do PAP, CHAP, MS-CHAP,
> etc.
I currently have LDAP working for other NAS clients (VPN and network
equipment access). Our passwords are stored crypted in LDAP.
> Once you configure tls && ttls, then those users will be able to do
> EAP-TTLS, too. The goal of the server is to make all of these
> authentication/database methods as independent as possible, which
> makes it easier to configure and deploy.
That sounds great -- and I think I'm really close, but I'm not quite
there.
Here are my config files and the output of 'radiusd -X':
users:
DEFAULT	NAS-IP-Address == 138.72.250.12, NAS-Port-Type == Wireless-802.11
	Fall-Through = No
DEFAULT	Auth-Type := Reject
	Reply-Message = "You do not have permission to this system."
radiusd.conf:
This is pretty much the same as the stock radiusd.conf with the
ldap stuff uncommented in the authorize and authenticate sections.
This also confuses me -- the comments in radiusd.conf say:
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
But I need Auth-Type LDAP for my non-EAP clients using just LDAP.
Anyway, here's the debug output:
rad_recv: Access-Request packet from host 138.72.250.12:1108, id=123, length=139
User-Name = "sotnickd"
NAS-IP-Address = 138.72.250.12
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "port-02"
Called-Station-Id = "00-20-A6-53-19-AF:WPANetTest"
Calling-Station-Id = "00-30-65-0B-9B-B0"
EAP-Message = 0x0283000d01736f746e69636b64
Message-Authenticator = 0xc1528083d9701f023156aca80134d852
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:
'/usr/local/etc/raddb-test/radacct-test/138.72.250.12/auth-detail-20040826'
rlm_detail:
/usr/local/etc/raddb-test/radacct-test/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /usr/local/etc/raddb-test/radacct-test/138.72.250.12/auth-detail-20040826
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "sotnickd", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 131 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 1
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for sotnickd
radius_xlat: '(uid=sotnickd)'
radius_xlat: 'o=example.com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.example.com:389, authentication 0
rlm_ldap: bind as / to ldap.example.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=example.com, with filter (uid=sotnickd)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user sotnickd authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 123 to 138.72.250.12:1108
EAP-Message = 0x018400061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5a26d1528b7b24612a53713ef28b24b1
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 138.72.250.12:1108, id=124, length=246
User-Name = "sotnickd"
NAS-IP-Address = 138.72.250.12
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "port-02"
Called-Station-Id = "00-20-A6-53-19-AF:WPANetTest"
Calling-Station-Id = "00-30-65-0B-9B-B0"
State = 0x5a26d1528b7b24612a53713ef28b24b1
EAP-Message =
0x0284006615800000005c1603010057010000530301412e4fe334b5362407a80acbebb93d9fbe408dff91add54c1795cd0e0a8ab05d00002c00050004000aff830009ff82000300080006ff8000010016001500140013001200110018001b001a001700190100
Message-Authenticator = 0xfb701ec40c2dea4ec3abe31fcb3ce644
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat:
'/usr/local/etc/raddb-test/radacct-test/138.72.250.12/auth-detail-20040826'
rlm_detail:
/usr/local/etc/raddb-test/radacct-test/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /usr/local/etc/raddb-test/radacct-test/138.72.250.12/auth-detail-20040826
modcall[authorize]: module "auth_log" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "sotnickd", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 132 length 102
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched DEFAULT at 1
modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for sotnickd
radius_xlat: '(uid=sotnickd)'
radius_xlat: 'o=example.com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=example.com, with filter (uid=sotnickd)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user sotnickd authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0057], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 124 to 138.72.250.12:1108
EAP-Message =
0x818d0030818902818100dac525422bfedb082629a2cba44b3449c90d0ab462fb72c8434a782098863d7eb7d7e70028c74696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52cc
EAP-Message =
0xb99b41e80ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e
EAP-Message = 0x0e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x47320257adba6252d7f1360e8352ba19
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 138.72.250.12:1108, id=126, length=340
User-Name = "sotnickd"
NAS-IP-Address = 138.72.250.12
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "port-02"
Called-Station-Id = "00-20-A6-53-19-AF:WPANetTest"
Calling-Station-Id = "00-30-65-0B-9B-B0"
State = 0x47320257adba6252d7f1360e8352ba19
EAP-Message = 0x028600c41580000000ba16030100861000008200801564359af5e "mschap"
returns ok for request 4
rlm_realm: No '@' in User-Name = "sotnickd", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 4
users: Matched DEFAULT at 4
modcall[authorize]: module "files" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for sotnickd
radius_xlat: '(uid=sotnickd)'
radius_xlat: 'o=example.com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=example.com, with filter (uid=sotnickd)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user sotnickd authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 4
modcall: group authorize returns ok for request 4
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [sotnickd] (from client localhost port 0)
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Login incorrect: [sotnickd] (from client wavelan port 1 cli 00-30-65-0B-9B-B0)
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 138.72.250.12:1108, id=127, length=285
Sending Access-Reject of id 127 to 138.72.250.12:1108
EAP-Message = 0x04870004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Cleaning up request 0 ID 123 with timestamp 412e4fe3
Cleaning up request 1 ID 124 with timestamp 412e4fe3
Cleaning up request 2 ID 125 with timestamp 412e4fe3
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 126 with timestamp 412e4fe4
Cleaning up request 4 ID 127 with timestamp 412e4fe4
Nothing to do. Sleeping until we see a request.
...
Thanks for the help.
-David
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
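To make the hex EAP-Message values in the debug output above readable, here is a small decoder. It is an added example, not part of the original message or of FreeRADIUS: it parses the 4-byte EAP header (RFC 3748), the Identity response, the EAP-TLS/TTLS flag byte (L = length included, M = more fragments, S = start) and, when a complete TLS record is present, the TLS record header. The sample values are copied from the log lines above; the name tables and the `parse_eap_message` helper are my own.

```python
import struct

# Constructed copies of EAP-Message values taken from the debug output above.
IDENTITY_RESPONSE = "0x0283000d01736f746e69636b64"   # request 0, sent by the supplicant
TTLS_START = "0x018400061520"                        # Access-Challenge answering request 0
CLIENT_HELLO = ("0x0284006615800000005c1603010057010000530301412e4fe334b5362407a80acbebb93d9fbe408dff91add54c1795cd0e0a8ab05d"
                "00002c00050004000aff830009ff82000300080006ff8000010016001500140013001200110018001b001a001700190100")
EAP_FAILURE = "0x04870004"                           # carried in the final Access-Reject

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}


def parse_eap_message(hexstr):
    """Decode one EAP-Message attribute value ("0x..." as printed by radiusd -X)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field says {length} but {len(raw)} bytes are present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length < 5:
        return info                                  # Success/Failure carry no type byte
    eap_type = raw[4]
    payload = raw[5:]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:                                # Identity: the rest is the user name
        info["identity"] = payload.decode("utf-8", "replace")
    elif eap_type in (13, 21, 25):                   # EAP-TLS style framing: flags [+ length] + TLS data
        flags = payload[0]
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        off = 1
        if flags & 0x80:                             # "Length Included" in the rlm_eap_tls output
            info["tls_length"] = struct.unpack("!I", payload[1:5])[0]
            off = 5
        tls = payload[off:]
        info["tls_data_len"] = len(tls)
        if len(tls) >= 5:                            # first TLS record header, if any data follows
            ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", tls[:5])
            rec = {"content": TLS_CONTENT.get(ctype, ctype),
                   "version": TLS_VERSIONS.get((vmaj, vmin), f"{vmaj}.{vmin}"),
                   "length": rlen}
            if ctype == 22 and len(tls) >= 6:        # handshake record: first byte is the message type
                rec["handshake"] = HANDSHAKE.get(tls[5], tls[5])
            info["tls_record"] = rec
    return info


if __name__ == "__main__":
    for value in (IDENTITY_RESPONSE, TTLS_START, CLIENT_HELLO, EAP_FAILURE):
        print(parse_eap_message(value))
```

Decoding the four values reproduces what the server logged: the first packet is an Identity response (id 131, length 13) for "sotnickd"; the challenge is an EAP-TTLS request with only the S flag set, i.e. the TTLS start; the next response has the L flag, a TLS message length of 92 and a TLS 1.0 handshake record of length 0x57 containing a ClientHello, matching the `<<< TLS 1.0 Handshake [length 0057], ClientHello` line; the last value is the EAP Failure in the Access-Reject.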
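The debug output shows the outer request matching `DEFAULT at 1` while the tunnelled inner request (logged as `from client localhost port 0`) matches `DEFAULT at 4`, the `Auth-Type := Reject` entry. The simulation below of the users-file matching is an added example, not code from the original message or from FreeRADIUS, and shows why that happens: the inner request that rlm_eap_ttls builds carries only the tunnelled attributes, so the `NAS-IP-Address`/`NAS-Port-Type` check items of the first entry cannot match and the catch-all reject entry wins. The users file is copied from the message (with a blank line between entries so the line numbers match the log); both request attribute sets are constructed for the example.

```python
import re

# Constructed copy of the "users" file from the message above. The blank line between
# the two entries makes the line numbers agree with "Matched DEFAULT at 1" / "at 4".
USERS_FILE = """\
DEFAULT\tNAS-IP-Address == 138.72.250.12, NAS-Port-Type == Wireless-802.11
\tFall-Through = No

DEFAULT\tAuth-Type := Reject
\tReply-Message = "You do not have permission to this system."
"""

# attribute, operator, value (quoted string or bare token)
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


def parse_items(text):
    return [(attr, op, val.strip('"')) for attr, op, val in ITEM_RE.findall(text)]


def parse_users(text):
    """Split a users file into entries: line number, name, check items, reply items."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                          # indented: reply items of the previous entry
            entries[-1]["reply"].extend(parse_items(line))
        else:                                         # entry name followed by its check items
            parts = line.split(None, 1)
            entries.append({"line": line_no, "name": parts[0],
                            "check": parse_items(parts[1]) if len(parts) > 1 else [],
                            "reply": []})
    return entries


def match_request(entries, request):
    """Walk the entries the way rlm_files does: the first entry whose name and '=='
    check items all match wins unless it sets Fall-Through = Yes.
    Returns (matched line number, Auth-Type set by the file or None, reply items)."""
    auth_type, reply = None, {}
    for entry in entries:
        if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
            continue
        if any(op == "==" and request.get(attr) != val for attr, op, val in entry["check"]):
            continue                                  # a comparison failed: try the next entry
        for attr, op, val in entry["check"]:
            if op == ":=" and attr == "Auth-Type":   # ':=' sets a control item; it never compares
                auth_type = val
        fall_through = False
        for attr, _, val in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = val.lower() == "yes"
            else:
                reply[attr] = val
        if not fall_through:
            return entry["line"], auth_type, reply
    return None, auth_type, reply


# Constructed: the outer Access-Request as the access point sent it (see rad_recv above).
OUTER_REQUEST = {"User-Name": "sotnickd", "NAS-IP-Address": "138.72.250.12",
                 "NAS-Port-Type": "Wireless-802.11", "NAS-Port": "1"}
# Constructed: the TTLS inner request holds only what the supplicant sent inside the
# tunnel, so no NAS-* attributes are present (hence "client localhost port 0" in the log).
INNER_REQUEST = {"User-Name": "sotnickd", "User-Password": "example-inner-password"}

if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    print("outer:", match_request(entries, OUTER_REQUEST))   # matches line 1, no Auth-Type set
    print("inner:", match_request(entries, INNER_REQUEST))   # matches line 4, Auth-Type Reject
```

For the outer request the first entry matches and sets no Auth-Type, so the `Auth-Type EAP` chosen earlier by the eap module stands; for the inner request the same file yields `Auth-Type Reject` and the `Reply-Message`, which is exactly the `rad_check_password: Found Auth-Type Reject` followed by `TTLS: Got tunneled Access-Reject` in the log.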