Authentication with Kerberos
Hello,

I would like to set up that kind of configuration:

EAP-PEAP(MSCHAPv2) request --- AP --- FreeRADIUS
Kerberos authentication to an Active Directory

In fact I would like to use Kerberos (which is supported by Active Directory) instead of ntlm_auth. In the FreeRADIUS features list available on the official website I have found:

* authentication to a Windows Domain Controller (via ntlm_auth and winbindd)
* Kerberos authentication

Can anyone confirm this possibility to use Kerberos auth with FreeRADIUS, and maybe any how-to or advice?

Thank you,
Thomas Hahusseau

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication with Kerberos
The problem is that my wifi card (Cisco Aironet) doesn't support TTLS; I'll try to find one which supports it.

About TTLS, is it that kind of EAP authentication with:
Step 1: TLS handshake, 1 certificate on the RADIUS server and 1 certificate on the supplicant?
Step 2: Kerberos or any other kind of authentication inside the TLS tunnel?

In fact I plan to use the PEAP authentication like that:
Step 1: building a TLS tunnel (certificate on the RADIUS server only)
Step 2: supplicant sends login + hashed password
Step 3: FreeRADIUS asks Active Directory for a Kerberos ticket/token
Step 4: FreeRADIUS sends its token to the AD and asks to perform a search in the LDAP directory
Step 5: check in the token if FreeRADIUS is allowed to search inside LDAP
Step 6: comparison of hashed passwords

According to me that solution would replace the ntlm auth, and it's not the supplicant which uses Kerberos but FreeRADIUS, to perform a secure authentication with the LDAP database.

Could you give me information or tell me if I'm right?

Thank you,
Thomas

2006/6/15, Josh Howlett [EMAIL PROTECTED]:
> thomas hahusseau wrote:
> > Hello, I would like to set up that kind of configuration:
> > EAP-PEAP(MSCHAPv2) request --- AP --- FreeRADIUS
> > Kerberos authentication to an Active Directory
>
> This isn't possible - EAP-PEAP requires access to the plaintext password or NTLM hash. You should be able to do this with EAP-TTLS, however.
>
> best regards, josh.
Authentication link with PEAP + PAM + LDAP

Hello,

Finally my boss is not interested in a PEAP authentication, due to the password and login being stored in clear in the OpenLDAP database, and he doesn't want to use ntlm_auth to ask an Active Directory server. So I wonder if that kind of authentication is possible:

PEAP(MSCHAP) request -- FreeRADIUS server (extracts the hashed password) -- authentication request sent to PAM (login + hashed password) via rlm_auth --- OpenLDAP server (compares the hashed password received with the one stored in the database)

PAM is used as a mediator to permit comparison with the hash stored in OpenLDAP. My boss only wants ciphered/hashed password and login.
Re: SSL error using MS-CHAPv2 - new in 1.1.2
Despite this error, does the authentication work well? Because I've got the same error but LDAP authentication fails, and I don't know if it's due to that client certificate error.

Thomas Hahusseau

2006/6/6, Stefan Winter [EMAIL PROTECTED]:
> Hi,
>
> I logged in via PEAP after a brand-new upgrade to 1.1.2 today, and saw a new error message (everything worked fine though):
>
> Error: TLS_accept:error in SSLv3 read client certificate A
> Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
> Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
> Info: rlm_eap_mschapv2: Issuing Challenge
> Auth: Login OK: [[EMAIL PROTECTED]] (from client localhost port 0)
>
> These new errors in rlm_eap are somewhat intriguing. Anyone a clue?
>
> Greetings,
> Stefan Winter
>
> --
> Stefan WINTER
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
> Research and Development Engineer
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
> http://www.restena.lu   Fax: +352 422473
Re: PEAP authentication with freerad ?
Yes, I use PEAP/MSCHAPv2, and passwords in OpenLDAP are stored in clear mode, but there is a really strange error while I try an authentication via EAP-PEAP (MSCHAPv2). Here is the output of FreeRADIUS:

lm_ldap: checking if remote access for test is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 6
modcall: group authorize returns ok for request 6
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 6
modcall: group Auth-Type returns reject for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module eap returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
Login incorrect: [test/no User-Password attribute] (from client localhost port 0)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE

I don't know if that error is due to an impossible comparison between the hashed password in MSCHAP and the clear OpenLDAP password, or if there is a problem with the NT/LM-Password fields.

2006/6/6, Michael Griego [EMAIL PROTECTED]:
> I assume by PEAP, you mean the most-often-seen PEAP/EAP-MSCHAPv2. In this case, MD5 is not involved anywhere. The passwords are hashed differently. As such, you must either have an NT hashed password (which is actually a unicode-encoded MD4 hash of the password) or a cleartext password in your directory.
>
> --Mike
>
> On Jun 6, 2006, at 3:36 AM, thomas hahusseau wrote:
> > Hello,
> >
> > I would like to use PEAP to perform authentication of WLAN users. I chose PEAP because users and passwords are in an LDAP server (OpenLDAP).
> >
> > According to me PEAP works like this:
> > Phase 1: TLS handshake; the server authenticates to the client as a trusted RADIUS server and a ciphered tunnel is created.
> > Phase 2: login + password + domain hashed with MD5 are sent to the RADIUS server, which asks the LDAP server for password and login.
> >
> > According to the doc file realm_eap, FreeRADIUS supports only EAP-TLS (authentication based only on certificates (client + server)), LEAP and EAP-MD5 (according to me, even if PEAP uses an MD5 hash, EAP-MD5 is different, with no mutual authentication and no TLS handshake).
> >
> > I don't want to use a full certificate-based solution like EAP-TLS or an authentication with no ciphered tunnel like with EAP-MD5.
> >
> > Could anyone help me with using PEAP (or at least authentication with the two phases described above) with FreeRADIUS?
> >
> > Thank you.
> > PS: sorry for English mistakes :)
Re: PEAP authentication with freerad ?
I don't understand why it doesn't work. Passwords are in clear in the LDAP base; the only thing that I want is that FreeRADIUS receives login and password from a PEAP (MSCHAPv2) authentication request and compares them with the password and login stored in the LDAP database; if it matches, allow the access.

Here is my conf file users:

DEFAULT Auth-Type = EAP, EAP-Type == EAP-PEAP
DEFAULT Auth-Type = LDAP

There are two different situations; in both of them the authentication section entries about LDAP and EAP are uncommented.

First: if I uncomment eap in the authorize section of radiusd.conf:

# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
eap

I've got that kind of error:

---
lm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
Login incorrect: [test/no User-Password attribute] (from client Access_Point_3COM port 1 cli 004096a1ce69)
Delaying request 7 for 1 seconds
Finished request 7
---

The authorize part with ldap works well, but not the authentication one with eap (the TLS handshake works well).

Second: if I comment eap in the authorize section of radiusd.conf, I've got a long output, attached in that mail.

As a conclusion, if I edit the users config file like that:

I hope you could help; I've been blocked on that problem for 2 weeks and the end of my training period is close and I would like to finish it before :).

Thank you

2006/6/6, Alan DeKok [EMAIL PROTECTED]:
> thomas hahusseau [EMAIL PROTECTED] wrote:
> > modcall: entering group Auth-Type for request 6
> > rlm_mschap: No User-Password configured. Cannot create LM-Password.
> > rlm_mschap: No User-Password configured. Cannot create NT-Password.
>
> This means that the server has no clear-text password. i.e. it wasn't retrieved from LDAP. See the rest of the debug log to see what was retrieved from LDAP.
>
> Alan DeKok.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /opt/freeradius/etc/raddb/clients.conf
Config: including file: /opt/freeradius/etc/raddb/eap.conf
main: prefix = /opt/freeradius
main: localstatedir = /var
main: logdir = /var/log/freeradius
main: libdir = /opt/freeradius/lib
main: radacctdir = /var/log/freeradius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/freeradius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /var/run/freeradius/freeradius.pid
main: user = freerad
main: group = freerad
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /opt/freeradius/sbin/checkrad
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /opt/freeradius/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = yes
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
ldap: server = localhost
ldap: port = 389
ldap: net_timeout
LDAP and Freeradius Bind problem
Hello,

I try to use FreeRADIUS and OpenLDAP for authentication and I've got some problems about binding.

First of all, OpenLDAP works well: I'm able to connect to the database with an anonymous connection and perform searches in the database (no write access of course). FreeRADIUS works well when the user and the password are directly included in the conf file clients, but when I try radtest with a user which is in the LDAP database it doesn't work. Here is the command performed:

radtest test 4886 localhost 1812 testing123

A user with uid=test and password is already created in the LDAP database. Here is the FreeRADIUS output:

modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type LDAP
auth: type LDAP
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by test with password 4886
radius_xlat: '(uid=test)'
radius_xlat: 'dc=dist,dc=demo,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dist,dc=demo,dc=net, with filter (uid=test)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=test,ou=utilisateurs,dc=dist,dc=demo,dc=net/4886 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
rlm_ldap:
modcall[authenticate]: module ldap returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [test/4886] (from client localhost port 1812)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 89 to 127.0.0.1 port 32768
        Reply-Message =
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 89 with timestamp 447ad91a
Nothing to do. Sleeping until we see a request.

As you can see, the binding in anonymous mode works well and the search is performed and 1 result is found: test.utilisateurs.dist.demo.net. But I don't understand why radius tries to bind again with the LDAP server using the account test.utilisateurs.demo.net. Is there a mechanism with LDAP authentication that I don't understand? According to me, as soon as FreeRADIUS has found in LDAP the user with the right password it should authorize access.

This is my radiusd.conf (samples):

# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication (Auth-Type := LDAP)
#
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
ldap {
        server = localhost
        port = 389
        # identity = cn=admin,dc=dist,dc=demo,dc=net
        # password = *
        basedn = dc=dist,dc=demo,dc=net
        # filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        # base_filter = (objectclass=radiusprofile)

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no
        # tls_cacertfile = /path/to/cacert.pem
        # tls_cacertdir = /path/to/ca/dir/
        # tls_certfile = /path/to/radius.crt
        # tls_keyfile = /path/to/radius.key
        # tls_randfile = /path/to/rnd
        # tls_require_cert = demand

        # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
        # profile_attribute = radiusProfileDn
        access_attr = uid

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5

        #
        # NOTICE: The password_header directive is NOT case insensitive
        #
        # password_header = {clear}
        #
        # Set:
        #       password_attribute = nspmPassword
        #
        # to get the user's password from a Novell eDirectory
        # backend. This will work *only if* freeRADIUS is
        # configured to build with --with-edir option.
        #
        #
        # The server can usually figure this out on its own, and pull
        # the correct User-Password or NT-Password from the database.
        #
        # Note that NT-Passwords MUST be stored as a 32-digit hex
        # string, and MUST start off with 0x, such as:
        #
        #       0x000102030405060708090a0b0c0d0e0f
        #
        # Without the leading 0x, NT-Passwords will not work.
        # This goes for NT-Passwords stored in SQL, too.
        #
        # password_attribute = userPassword
        #
        # Un-comment the following