I got into a discussion on a listserv at Novell about using 802.1x and FreeRADIUS against Novell's LDAP server included with eDirectory. Novell is working on a solution to make eDirectory authentication and MSCHAPv2 possible with FreeRADIUS. Currently it is not!!! The LDAP server included with eDirectory will not supply a clear-text password to FreeRADIUS. I spent much time trying to make this work. Bottom line: the Novell LDAP server supplies a hash of the user password, and MSCHAPv2 needs clear text.
http://forums.novell.com/group/novell.support.bordermanager.bmas-nmas-radius/readerNoFrame.tpt/@[EMAIL PROTECTED]@[EMAIL PROTECTED]@D-,[EMAIL PROTECTED]/@[EMAIL PROTECTED]

Quote from forum:

You are correct that the FreeRADIUS LDAP module cannot authenticate an MS-CHAP password against eDirectory. This is because the RADIUS server receives only a hash of the password from the client. To verify the password, the server must look up a clear-text version of the password, then compute a hash using the clear-text password with a nonce provided in the access-request packet. If the server-generated hash matches the hash provided by the client, then authentication is accepted. The FreeRADIUS LDAP module is quite simple, and just does an LDAP search followed by a simple bind. Since you're trying to do an MS-CHAPv2 authentication, FreeRADIUS is trying to bind to eDirectory with an MS-CHAPv2 hash, which obviously does not work. You can do this type of authentication over LDAP, but you have to use SASL, and FreeRADIUS does not support SASL. If you've been reading the other posts in this group, then you probably know that there is a team at Novell working on integrating FreeRADIUS more tightly with eDirectory. Part of this work will be to allow FreeRADIUS to authenticate CHAP, MS-CHAPv1/MSCHAPv2, and LEAP passwords against eDirectory. This will allow you to process PEAP/MSCHAPv2 authentications using your users' Universal Passwords in eDirectory.

Daniel D. Hesse
Technology Administrator
Methodist Manor Retirement Community
712-732-1120 Ext.116
[EMAIL PROTECTED]

>>> [EMAIL PROTECTED] 12/8/2004 9:12:48 AM >>>
I installed FreeRADIUS ver. 1.0.1 and successfully authenticated against local users on my Red Hat Enterprise ver. 2.1 system. I then tried to configure it to authenticate users on a Novell server via LDAP. It did not work.
Here is the log from the Novell server:

[2004/12/08 9:24:43] Found available monitor 0x93a
[2004/12/08 9:24:43] New SSL connection 0xcb2d9760, monitor = 0x93a, index = 1
[2004/12/08 9:24:43] Monitor 0x93a initiating handshake on connection 0xcb2d9760
[2004/12/08 9:24:43] DoHandshake on connection 0xcb2d9760
[2004/12/08 9:24:43] Connection 0xcb2d9760 failed SSL handshake, err = -25 Check the client's certificate
[2004/12/08 9:24:43] Server closing connection 0xcb2d9760, socket error = -25

Here is the output from the freeradius debugger:

rad_recv: Access-Request packet from host 10.192.1.11:1407, id=22, length=45
--- Walking the entire request list ---
Waking up in 31 seconds...
Thread 2 got semaphore
Thread 2 handling request 1, (1 handled so far)
User-Name = "admin"
User-Password = "password"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "admin", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for admin
radius_xlat: '(uid=admin)'
radius_xlat: 'o=ADMIN'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.192.1.250:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: bind as cn=admin,o=ADMIN/ to 10.192.1.250:636
rlm_ldap: waiting for bind result ...
rlm_ldap: ldap_result()
rlm_ldap: cn=admin,o=ADMIN bind to 10.192.1.250:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns fail for request 1
modcall: group authorize returns fail for request 1
Finished request 1
Going to the next request
Thread 2 waiting to be assigned a request
--- Walking the entire request list ---
Cleaning up request 1 ID 22 with timestamp 41b70ead
Nothing to do. Sleeping until we see a request.

Michael Basso
Network Specialist
Bedford Central School District
(914) 241-6186

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
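To make concrete why the forum quote above says the server must hold the clear-text password rather than just bind with what the client sent, here is an added example (not from either post and not FreeRADIUS code) in Go of the MS-CHAPv2 NT-Response computation from RFC 2759, which the RADIUS server has to redo itself to check the client. It assumes the RFC 2759 section 9.2 test vectors and takes the NT hash (MD4 of the UTF-16LE password) as an input, since Go's standard library has no MD4; the function names are my own.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// desKey spreads 7 key bytes over 8 bytes of 7 bits each; DES ignores the low (parity) bit.
func desKey(k7 []byte) []byte {
	k := make([]byte, 8)
	k[0] = k7[0] & 0xfe
	for i := 1; i < 7; i++ {
		k[i] = (k7[i-1]<<(8-i) | k7[i]>>i) & 0xfe
	}
	k[7] = k7[6] << 1
	return k
}

// NTResponse (RFC 2759 8.1): the 24-byte value the client sends; ntHash is MD4(UTF-16LE(password)), computed elsewhere.
func NTResponse(authChal, peerChal []byte, user string, ntHash []byte) []byte {
	// ChallengeHash (8.2): first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
	sum := sha1.Sum(append(append(append([]byte{}, peerChal...), authChal...), user...))
	challenge := sum[:8]
	// ChallengeResponse (8.5): DES-encrypt the challenge under each 7-byte slice of the NT hash zero-padded to 21 bytes.
	zhash := make([]byte, 21)
	copy(zhash, ntHash)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		blk, _ := des.NewCipher(desKey(zhash[i*7 : i*7+7])) // key is always 8 bytes, cannot fail
		blk.Encrypt(out[i*8:i*8+8], challenge)
	}
	return out
}

// Verify is the server side: it must recompute NTResponse from the NT hash (or from the
// cleartext), which a simple LDAP bind against a one-way stored hash never yields.
func Verify(authChal, peerChal []byte, user string, ntHash, clientResp []byte) bool {
	return subtle.ConstantTimeCompare(NTResponse(authChal, peerChal, user, ntHash), clientResp) == 1
}

func main() {
	// RFC 2759 section 9.2 test vectors: user "User", password "clientPass".
	authChal, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peerChal, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	ntHash, _ := hex.DecodeString("44EBBA8D5312B8D611474411F56989AE") // MD4(UTF-16LE("clientPass"))
	fmt.Printf("NT-Response: %X\n", NTResponse(authChal, peerChal, "User", ntHash))
}
```

The same NT hash is also all that is needed to impersonate the user, so a store that hands it (or the clear text) to the RADIUS server has to be protected at least as carefully as the passwords themselves.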

