Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Olivier Beytrison
On 19.06.2013 14:11, Marco Streich wrote:
> Hi all
> 
> We have deployed FreeRADIUS on OS X before, but our configuration was rather 
> ugly. What we would do is authenticate users locally, having the machine 
> attached to our OpenDirectory server directly using the Connect Network 
> Account Server functionality provided by OS X.
> 
> I have seen this question getting asked a lot but still wasn't able to fill 
> my gap in understanding the whole process. 

I will make it short and easy.

You can't do LDAP authentication with 802.1x. EAP needs the password of
the user in cleartext. If it's not in your LDAP, you're screwed.

And the debug log explains it:
> WARNING: No known good password was found in LDAP.  Are you sure that the 
> user is configured correctly?
> [pap] WARNING! No known good password found for the user.  Authentication 
> may fail because of this.

[snip]

> At this moment, I cannot wrap my mind around what is going on here.
> 
> I understand that ldap tries to authenticate the user by itself, instead of 
> handing it to the LDAP server. But what is different when I run radtest?
> 
> Debug from radtest:
> ...
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group LDAP {...}
> [ldap] login attempt by a4 with password whatever
> [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
>   [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
>   [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to 
> ldap.hopro.edu:389
>   [ldap] waiting for bind result ...
>   [ldap] Bind was successful
> [ldap] user a4 authenticated successfully
> ++[ldap] returns ok
> ...

This works because you're doing PAP. With radtest the user password is
sent in cleartext, so YES you can authenticate with LDAP because you can
BIND to the LDAP server with the provided password.

You don't have this password with 802.1x/EAP. You work only with
challenges, hashes and keys.

Olivier

-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread A . L . M . Buxey
Hi,

> I will make it short and easy.
> 
> You can't do LDAP authentication with 802.1x. EAP needs the password of
> the user in cleartext. If it's not in your LDAP, you're screwed.

..EAP-TTLS/PAP ?  ;-)

alan


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Phil Mayers

On 19/06/13 13:11, Marco Streich wrote:

> When I run radtest from my laptop, the authentication is successful:

radtest does not send eap. Download the wpa_supplicant sources and 
compile eapol_test to test EAP.

> WARNING: No known good password was found in LDAP.  Are you sure that the 
> user is configured correctly?

This suggests your LDAP server does not contain, or is not returning, 
password info. So auth would probably have failed...

> [ttls] eaptls_verify returned 11
> [ttls]  TLS 1.0 Alert [length 0002], warning close_notify
> TLS Alert read:warning:close notify
> [ttls] WARNING: No data inside of the tunnel.

...except it never gets as far as the inner tunnel because the client 
drops the EAP session. Most likely the client doesn't trust the server cert.



Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Matthew Newton
On Wed, Jun 19, 2013 at 02:49:21PM +0200, Olivier Beytrison wrote:
> On 19.06.2013 14:11, Marco Streich wrote:
> > We have deployed FreeRADIUS on OS X before, but our
> > configuration was rather ugly. What we would do is
> > authenticate users locally, having the machine attached to our
> > OpenDirectory server directly using the Connect Network
> > Account Server functionality provided by OS X.
> 
> I will make it short and easy.
> 
> You can't do LDAP authentication with 802.1x. EAP needs the password of
> the user in cleartext. If it's not in your LDAP, you're screwed.

Not entirely true.

With PAP (which is what radtest is doing) then you can work
without a cleartext password as auth is (generally) based on a
ldap bind.

With EAP-TTLS/PAP, you can also work with just the hash in ldap,
as (same as clear PAP) you get the password from the client to do
a bind with.

With EAP-TTLS/MSCHAP or PEAP/EAP-MSCHAP etc you need the cleartext
password from ldap - auth is done by checking this in FreeRADIUS,
not by a bind to ldap.


> > [ldap] login attempt by a4 with password whatever
> > [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
> >   [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
> >   [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to 
> > ldap.hopro.edu:389
> >   [ldap] waiting for bind result ...
> >   [ldap] Bind was successful
> > [ldap] user a4 authenticated successfully
> > ++[ldap] returns ok
> 
> This works because you're doing PAP. With radtest the user password is
> sent in cleartext, so YES you can authenticate with LDAP because you can
> BIND to the LDAP server with the provided password.
> 
> You don't have this password with 802.1x/EAP. You work only with
> challenges, hashes and keys.

Apple OS X can do EAP-TTLS/PAP as far as I am aware (native
Windows < 8 can't), so this should work. I don't recognise the
error you're getting, though - it looks like the client gave up
and sent an empty packet.

Note you don't need ldap configured in the outer for 802.1X to
work - the outer is just doing EAP. It's the inner that will need
the ldap modules.


Some other comments -

Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
2.2.x.

Save yourself some round trip packets by setting default_eap_type
= ttls in eap.conf

Save yourself some LDAP lookups by removing ldap from the outer.


Cheers

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread A . L . M . Buxey
Hi,

> Some other comments -
> 
> Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
> 2.2.x.
> 
> Save yourself some round trip packets by setting default_eap_type
> = ttls in eap.conf
> 
> Save yourself some LDAP lookups by removing ldap from the outer.

..and save some more hits to LDAP by wrapping the call to it in the
authorization stage to just the EAP Identity packet :-)

alan


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Olivier Beytrison
On 19.06.2013 16:02, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
> 
> > Some other comments -
> > 
> > Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
> > 2.2.x.
> > 
> > Save yourself some round trip packets by setting default_eap_type
> > = ttls in eap.conf
> > 
> > Save yourself some LDAP lookups by removing ldap from the outer.
> 
> ..and save some more hits to LDAP by wrapping the call to it in the
> authorization stage to just the EAP Identity packet :-)

That's pretty interesting, what's the if() you're doing to achieve that?


-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Phil Mayers

On 19/06/13 15:32, Olivier Beytrison wrote:
> On 19.06.2013 16:02, a.l.m.bu...@lboro.ac.uk wrote:
> > Hi,
> > 
> > > Some other comments -
> > > 
> > > Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
> > > 2.2.x.
> > > 
> > > Save yourself some round trip packets by setting default_eap_type
> > > = ttls in eap.conf
> > > 
> > > Save yourself some LDAP lookups by removing ldap from the outer.
> > 
> > ..and save some more hits to LDAP by wrapping the call to it in the
> > authorization stage to just the EAP Identity packet :-)
> 
> That's pretty interesting, what's the if() you're doing to achieve that?


He he he... if I recall correctly I came up with something like:

server inner-tunnel {
  authorize {
    eap

    # stop processing authorize on eap identity or mschap success/fail
    if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
      noop
    }
    else {
      # rest of config goes here
    }
  }
}

Note however that you can avoid this in master versions of the server 
with:


server inner-tunnel {
  authorize {
    eap {
      ok = return
    }
  }
}

...as the EAP module was updated to return ok on identity/mschap 
responses. Yet another reason to upgrade!

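Decoding what that if() matches, as an added example in Python (not code from the thread or from FreeRADIUS): it parses an EAP-Message value as an RFC 3748 packet and reproduces both tests, EAP-Type == 1 for the Identity response and the regex for a six-byte MS-CHAPv2 Success/Failure response. The sample hex values are constructed, not taken from the debug output above.

```python
"""Decode an EAP-Message check of the kind used in the unlang above.

Added example, not code from the thread or from FreeRADIUS. It parses the
first EAP-Message attribute value (the '0x...' string FreeRADIUS prints) as
an RFC 3748 packet and reproduces the two conditions that skip the rest of
authorize: EAP-Type == 1 (Identity) and the regex /^0x02..00061a..$/, i.e.
a 6-byte EAP-Response of type 26 (MS-CHAPv2) whose only payload byte is the
opcode, which is what an MS-CHAPv2 Success/Failure response looks like.
"""
from dataclasses import dataclass
from typing import Optional

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MSCHAPV2 = 26            # 0x1a in the regex
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success",
                    4: "Failure", 7: "Change-Password"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]       # None for EAP-Success/EAP-Failure
    data: bytes


def parse_eap(eap_message: str) -> EapPacket:
    """Parse a FreeRADIUS EAP-Message value ('0x' + hex) into header fields."""
    raw = bytes.fromhex(eap_message[2:] if eap_message.startswith("0x") else eap_message)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, ident, length, None, b"")
    if length < 5:
        raise ValueError("EAP Request/Response needs a Type byte")
    return EapPacket(code, ident, length, raw[4], raw[5:])


def skip_ldap_lookup(eap_message: str) -> bool:
    """True when the if() above would take the noop branch for this packet."""
    pkt = parse_eap(eap_message)
    if pkt.eap_type == EAP_TYPE_IDENTITY:              # EAP-Type == 1
        return True
    # /^0x02..00061a..$/: Response, any id, length 6, type 0x1a, one payload byte
    return (pkt.code == EAP_RESPONSE and pkt.length == 6
            and pkt.eap_type == EAP_TYPE_MSCHAPV2)


def describe(eap_message: str) -> str:
    """Human-readable label, handy when reading radiusd -X output."""
    pkt = parse_eap(eap_message)
    if pkt.eap_type is None:
        return "EAP-Success" if pkt.code == EAP_SUCCESS else "EAP-Failure"
    kind = "EAP-Response" if pkt.code == EAP_RESPONSE else "EAP-Request"
    if pkt.eap_type == EAP_TYPE_IDENTITY:
        return f"{kind} Identity {pkt.data.decode('utf-8', 'replace')!r}"
    if pkt.eap_type == EAP_TYPE_MSCHAPV2 and pkt.data:
        op = MSCHAPV2_OPCODES.get(pkt.data[0], f"opcode {pkt.data[0]}")
        return f"{kind} MS-CHAPv2 {op}"
    return f"{kind} type {pkt.eap_type}"


# Constructed sample values (not from the thread's debug output).
SAMPLES = {
    "identity": "0x0201000801626f62",      # Response, id 1, len 8, type 1, "bob"
    "mschapv2_success": "0x020500061a03",  # Response, id 5, len 6, type 26, opcode 3
    "mschapv2_failure": "0x020600061a04",  # same shape, opcode 4
    "mschapv2_response": "0x0203000a1a02030006ff",  # opcode 2: needs the inner auth
}

if __name__ == "__main__":
    for name, hexval in SAMPLES.items():
        print(f"{name:18} {describe(hexval):32} skip ldap: {skip_ldap_lookup(hexval)}")
```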


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread A . L . M . Buxey
Hi,

> He he he... if I recall correctly I came up with something like:

yes, that's the one. quoted as 'most evil unlang ever' if I recall;
have used it on many occasions...does the job well

> ...as the EAP module was updated to return ok on identity/mschap
> responses. Yet another reason to upgrade!

yep...as well as proper pools of LDAP servers in 3.x

alan


Re: Radius authentication against LDAP question

2012-06-01 Thread g17jimmy
One question relating to this is about the /etc/raddb/users file. It doesn't
seem to work as documented. If I have a group set to be rejected based
on its membership like this:

DEFAULT   Group=disabled, Auth-Type:=Reject

radius doesn't even check for group membership. The only way it seems to get
directed to check membership is with a negative check (!=). 

DEFAULT   LDAP-Group!=newgroup, Auth-Type:=Reject

Regardless, I still can't figure out what filter would validate the user
newuser as a member of newgroup-

performing search in cn=accounts,dc=abc,dc=xyz, with filter
(&(cn=newgroup)(&(memberOf=cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz)(uid=newuser)))

This is the output of the ldapsearch that shows the group and the fact that
the user is a member-

# LDAPv3
# base cn=accounts,dc=abc,dc=xyz with scope subtree
# filter: (&(cn=newgroup))
# requesting: ALL
#

# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapsergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: switch administrators
gidNumber: 89586
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-question-tp5713463p5713503.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Radius authentication against LDAP question

2012-06-01 Thread Alan DeKok
g17jimmy wrote:
> One question relating to this is about the /etc/raddb/users file- It doesn't
> seem to work as it's documented,

  Well... no.

> If I have a group set to be rejected based
> on its membership like this:
> 
> DEFAULT   Group=disabled, Auth-Type:=Reject
> 
> radius doesn't even check for group membership. The only way it seems to get
> directed to check membership is with a negative check (!=). 

  See man users.  Use Group == ...

  The operators do different things.

> DEFAULT   LDAP-Group!=newgroup, Auth-Type:=Reject
> 
> Regardless, I still can't figure out what filter would validate the user
> newuser as a member of newgroup-

  LDAP-Group == newgroup

  Everyone else is using it.

  Alan DeKok.


Re: Radius authentication against LDAP question

2012-06-01 Thread g17jimmy
Cool, thanks for pointing that out. My brain filtered out the '==', been
staring at this screen too long.  



Radius authentication against LDAP question

2012-05-31 Thread Jimmy
How do I enable FreeRADIUS to not only authenticate a user but also
verify a specific attribute for the user? I've been going through the
docs but this is escaping me.

Thanks.


Re: Radius authentication against LDAP question

2012-05-31 Thread Nick Owen
On Thu, May 31, 2012 at 10:05 AM, Jimmy g17ji...@gmail.com wrote:
> How do I enable FreeRADIUS to not only authenticate a user but also
> verify a specific attribute for the user? I've been going through the
> docs but this is escaping me.
> 
> Thanks.

I'm not sure if this will help, but I have a tutorial on how to
configure two-factor authentication through FreeRADIUS with
authorization by OpenLDAP.  The setup uses access_attr =
dialupAccess.  I bet you can use whatever attribute you like.

http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius

HTH,

Nick

-- 
--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication


Re: Radius authentication against LDAP question

2012-05-31 Thread g17jimmy
Nick- I have found that we can use any attribute for the access, but I'm
trying to expand our use of RADIUS for another type of user login. In this
case I've created an LDAP group for the new user role and have created a new
RADIUS virtual server to service the specific authentication and accounting.
I have added the group membership checking to the ldap module, and set
the filter for posixGroup. The meaningful config changes and output are
below-

===/etc/raddb/modules/ldap (excerpt)
groupname_attribute = cn
groupmembership_filter = (&(objectclass=posixGroup)(memberUid=%u))

===/etc/raddb/users
DEFAULT   LDAP-Group!=newgroup, Auth-Type:=Reject
   Reply-Message=You are not allowed to connect
 
===radiusd -X (excerpt)
[files] expand: (&(objectclass=posixGroup)(memberUid=%u)) ->
(&(objectclass=posixGroup)(memberUid=newhuser))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=accounts,dc=abc,dc=xyz, with filter
(&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser)))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group newgroup not found or user is not a member.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Reject

===ldapsearch output
# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapusergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: new group
gidNumber: 89586
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz



Re: Radius authentication against LDAP question

2012-05-31 Thread g17jimmy
Playing with ldapsearch I see that the search string radiusd -X reports
using indeed does not work:
=ldapsearch filter (from radiusd -X)
performing search in cn=accounts,dc=abc,dc=xyz, with filter
(&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser))) 
=

Returns no entries. If I run ldapsearch with
(&(cn=newgroup)(&(objectclass=posixGroup))) - removing the memberUid entry,
it returns the entry for the group itself, so something is wrong with how I
have the member uid configured. 

=ldapsearch filter (filter trimmed to group)
ldapsearch -x -b cn=accounts,dc=abc,dc=xyz
(&(cn=newgroup)(&(objectclass=posixGroup)))
# extended LDIF
#
# LDAPv3
# base cn=accounts,dc=abc,dc=xyz with scope subtree
# filter: (&(cn=newgroup)(&(objectclass=posixGroup)))
# requesting: ALL
#

# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapsergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: switch administrators
gidNumber: 89586
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Any ideas?
Thanks.

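An added example, in Python and not the poster's or rlm_ldap's code, of why that search returns nothing: it composes the filter the way the radiusd -X line shows rlm_ldap doing it and evaluates it against the group entry from the ldapsearch output, which lists the user as a member DN but has no memberUid value. The GroupOfNames/member alternative assumes the stock FreeRADIUS 2.x groupmembership_filter shape, and the memberUid variant assumes that value can be added to the group.

```python
"""Why the posixGroup filter above finds nothing although ldapsearch shows
the user in the group.

Added example, not code from the thread or from rlm_ldap. It reads the group
entry from the ldapsearch output, composes the search the way the radiusd -X
line shows rlm_ldap doing it, (&(cn=<group>)<groupmembership_filter>), and
evaluates a subset of RFC 4515 filters (&, | and equality, compared
case-insensitively). GON_FILTER assumes the stock FreeRADIUS 2.x shape.
"""
from typing import Dict, List

Entry = Dict[str, List[str]]

# Group entry copied from the thread's ldapsearch output (trimmed).
GROUP_LDIF = """
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapusergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz
"""
USER_DN = "uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz"
POSIX_FILTER = "(&(objectclass=posixGroup)(memberUid=%u))"           # from the post
GON_FILTER = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"  # stock 2.x shape


def parse_ldif(text: str) -> Entry:
    """Minimal LDIF reader: one entry, 'attr: value' lines, names lowercased."""
    entry: Entry = {}
    for line in text.strip().splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def group_filter(groupname_attribute: str, group: str, membership_filter: str,
                 username: str, user_dn: str) -> str:
    """Compose the search rlm_ldap logs: the group-name match ANDed with the
    expanded groupmembership_filter (%u -> User-Name, %{Ldap-UserDn} -> DN)."""
    expanded = membership_filter.replace("%u", username).replace("%{Ldap-UserDn}", user_dn)
    return f"(&({groupname_attribute}={group}){expanded})"


def parse_filter(text: str):
    """Parse '(&(a=b)(c=d))' style filters into nested tuples."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError(f"trailing data after filter: {rest!r}")
    return node


def _parse(s: str):
    # Values may contain '=' and ',' (DNs); escaped parentheses are not handled.
    if not s.startswith("("):
        raise ValueError(f"expected '(' at {s[:20]!r}")
    s = s[1:]
    if s[:1] in ("&", "|"):
        op, s, children = s[0], s[1:], []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")"):
            raise ValueError("unterminated filter list")
        return (op, children), s[1:]
    end = s.index(")")
    attr, _, value = s[:end].partition("=")
    return ("=", attr.strip().lower(), value), s[end + 1:]


def matches(node, entry: Entry) -> bool:
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def search(filter_text: str, entries: List[Entry]) -> List[str]:
    """DNs of the entries matching the filter (stand-in for a subtree search)."""
    ast = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(ast, e)]


if __name__ == "__main__":
    group = parse_ldif(GROUP_LDIF)
    for membership in (POSIX_FILTER, GON_FILTER):
        f = group_filter("cn", "newgroup", membership, "newuser", USER_DN)
        print(f"{f}\n  -> {search(f, [group])}")
    # The other fix: the entry is also a posixGroup, so a memberUid value would do.
    with_uid = parse_ldif(GROUP_LDIF + "memberUid: newuser\n")
    print(search(group_filter("cn", "newgroup", POSIX_FILTER, "newuser", USER_DN), [with_uid]))
```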


Problem: FreeRadius Authentication using LDAP

2011-11-08 Thread suggestme
Hi,

I have configured FreeRADIUS to authenticate against LDAP. I have installed
and configured FreeRADIUS on a FreeBSD server and LDAP is already set up on
another server. I configured as below (changes to the files are shown in bold):

*/usr/local/etc/raddb/modules/ldap :*


ldap {
    # Define the LDAP server and the base domain name
    server = *localhost*
    basedn = *dc=example,dc=com*

    # Define which attribute from an LDAP ldapsearch query
    # is the password. Create a filter to extract the password
    # from the ldapsearch output
    password_attribute = userPassword
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})

    # The following are RADIUS defaults
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}


*/usr/local/etc/raddb/sites-enabled/default :*

authorize {
    ...
    ...
    #
    #  The ldap module will set Auth-Type to LDAP if it has not
    #  already been set
    ldap
    ...
    ...
}


Auth-Type LDAP {
    ldap
}

Also, the same type of modification has been done on:

*/usr/local/etc/raddb/sites-enabled/inner-tunnel*


Also, a change has been made to the users file adding LDAP user authentication.

But when I run the radiusd -X command to run FreeRADIUS in debug mode, it gives
the following error:

/usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap':
file not found
/usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to load module
ldap.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to parse ldap
entry.


I don't know what to do. I would appreciate anyone's ideas.

Do I need to configure anything else if I have the FreeRADIUS server on one
machine and the LDAP server on another? They are not on the same
machine/host.


Thanks


Re: Problem: FreeRadius Authentication using LDAP

2011-11-08 Thread Alan DeKok
suggestme wrote:
 But when I run radiusd -X command to run freeradius on debug mode, it gives
 following error:
 
 /usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap':
 file not found
 /usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to load module
 ldap.
 /usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to parse ldap
 entry.

  This is in the FAQ.

  Alan DeKok.


Re: Problem: FreeRadius Authentication using LDAP

2011-11-08 Thread suggestme
Alan,


Are you talking about the following FAQ:

http://wiki.freeradius.org/FAQ#How+do+I+make+CHAP+work+with+LDAP%3F

I have followed the same configuration method it has suggested.


Or is there another FAQ entry which mentions this error and the method to
solve it?


Thank you so much for your suggestion.





Re: Problem: FreeRadius Authentication using LDAP

2011-11-08 Thread Alan DeKok
suggestme wrote:
 Are you talking about the following FAQ:

  No.  I meant the FAQ entry which talked about being unable to load a
module.  The example is rlm_mysql, but the underlying cause and solution
are the same.

  Alan DeKok.


freeradius authentication from ldap to local

2011-05-07 Thread rene.go...@laposte.net
Hello,
Server freeradius and authentification with user in file to use it is good but 
if authentification on openldap server then it does not work.
Somebody has t it files modules / ldap and sites-enables / inner-serveur which 
work with openldap authentification. Because concerns it is the tunnel TLS 
which does not go(take) up between WiFi AP8600 and the customer seven Windows 
pro in PEAP / Mschapv2
Thank you for your help
Cordially


Re: freeradius authentication from ldap to local

2011-05-07 Thread Fajar A. Nugraha
On Sat, May 7, 2011 at 5:34 PM, rene.go...@laposte.net
rene.go...@laposte.net wrote:

> Hello,
> Server freeradius and authentification with user in file to use it is good 
> but if authentification on openldap server then it does not work.
> Somebody has t it files modules / ldap and sites-enables / inner-serveur 
> which work with openldap authentification. Because concerns it is the tunnel 
> TLS which does not go(take) up between WiFi AP8600 and the customer seven 
> Windows pro in PEAP / Mschapv2
> Thank you for your help
> Cordially

You're giving me a headache. What the heck is "TLS which does not
go(take) up" or "seven Windows pro"? Try writing questions in a way
that other people can understand them. Otherwise no one will be able
to help you.

As for your problem, try reading the FAQ first:
http://wiki.freeradius.org/index.php/FAQ
Don't forget the section "It still doesn't work".

Another note that may help you, mschap requires that you have plain
text password, or authenticate against Active Directory. So if you
don't have plaintext password in your openldap schema, then it will
never work. Period.

-- 
Fajar


ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server

2009-07-03 Thread Clement Ogedengbe
Can someone please help provide a clue into the problems with using ntlm_auth
in a FreeRADIUS config running on Debian.

The user/password information is held in the LDAP server.  I have been able
to authenticate successfully with packets coming from non-EAP clients.  But
for EAP authentication clients, I have been receiving the following error
lines.  (I am using ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} to call the LDAP server.)

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
[mschap] WARNING: Deprecated conditional expansion :-.  See man unlang
for details
[mschap] WARNING: Deprecated conditional expansion :-.  See man unlang
for details
[mschap]expand: --username=%{Stripped-User-Name:-%{User-Name:-None}}
-> --username=otha1_00
[mschap]  mschap2: 18
[mschap]expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=b06bae6a129ec4e7
[mschap]expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=c0bec1a04bdd9fb489ef30a2bc22e5806405493ac2038167
Exec-Program output: Invalid handle (0xc008)
Exec-Program-Wait: plaintext: Invalid handle (0xc008)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = \026E=691 R=1
EAP-Message = 0x04160004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = \026E=691 R=1
EAP-Message = 0x04160004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.

Clement


Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server

2009-07-03 Thread Ivan Kalik
> The user/password information are held in the LDAP server.  I have been
> able
> to authenticate successfully with packets coming from non-EAP clients.
> But
> for EAP authentication clients, I have been receiving the following error
> lines.  (I am using ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00} to call the LDAP server.

ntlm_auth is for Active Directory. Comment out the ntlm_auth line in the mschap
module and it will work as long as you have a clear or NT-hashed password
stored in LDAP.

Ivan Kalik
Kalik Informatika ISP



RE: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server

2009-07-03 Thread Clement Ogedengbe
OK. I have done that, but it still returned the error below!

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = \010E=691 R=1
EAP-Message = 0x04080004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = \010E=691 R=1
EAP-Message = 0x04080004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE

Clement

-Original Message-
From: freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org
[mailto:freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org]
On Behalf Of Ivan Kalik
Sent: 03 July 2009 12:17
To: FreeRadius users mailing list
Subject: Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to
LDAP server

> The user/password information are held in the LDAP server.  I have been
> able
> to authenticate successfully with packets coming from non-EAP clients.
> But
> for EAP authentication clients, I have been receiving the following error
> lines.  (I am using ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00} to call the LDAP server.

ntlm_auth is for Active Directory. Comment out the ntlm_auth line in the mschap
module and it will work as long as you have a clear or NT-hashed password
stored in LDAP.

Ivan Kalik
Kalik Informatika ISP



Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server

2009-07-03 Thread Nicolas Goutte


On 03.07.2009 at 13:24, Clement Ogedengbe wrote:

> OK. I have done that, but it still returned the error below!
> 
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect


You have either Cleartext-Password or NT-Password defined in your LDAP  
database, haven't you?



If not, see:
http://deployingradius.com/documents/protocols/compatibility.html

Have a nice day!



> ++[mschap] returns reject
> [eap] Freeing handler
> ++[eap] returns reject
> Failed to authenticate the user.
> } # server inner-tunnel
> [peap] Got tunneled reply code 3
>    MS-CHAP-Error = \010E=691 R=1
>    EAP-Message = 0x04080004
>    Message-Authenticator = 0x
> [peap] Got tunneled reply RADIUS code 3
>    MS-CHAP-Error = \010E=691 R=1
>    EAP-Message = 0x04080004
>    Message-Authenticator = 0x
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
> 
> Clement
> 
> -Original Message-
> From: freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org
> [mailto:freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org]
> On Behalf Of Ivan Kalik
> Sent: 03 July 2009 12:17
> To: FreeRadius users mailing list
> Subject: Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to
> LDAP server
> 
> > The user/password information are held in the LDAP server.  I have been
> > able
> > to authenticate successfully with packets coming from non-EAP clients.
> > But
> > for EAP authentication clients, I have been receiving the following error
> > lines.  (I am using ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
> > --username=%{Stripped-User-Name:-%{User-Name:-None}}
> > --challenge=%{mschap:Challenge:-00} to call the LDAP server.
> 
> ntlm_auth is for Active Directory. Comment out the ntlm_auth line in the mschap
> module and it will work as long as you have a clear or NT-hashed password
> stored in LDAP.
> 
> Ivan Kalik
> Kalik Informatika ISP


Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Court of registration: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server

2009-07-03 Thread A . L . M . Buxey
hi,

is the required config in your inner-tunnel? i.e. is LDAP defined there at all?

alan


Assistance with FreeRADIUS and Windows Authentication via LDAP

2009-03-09 Thread Edwin Isada
Hello,

I am running FreeRADIUS version 1.1.3.  I'm trying to set up LDAP
authentication for Windows users accessing our networking devices, especially
Cisco switches and routers.  Windows authentication is working properly
on my FreeRADIUS server, but I'm trying to figure out how to give different
users special privilege access without providing them the enable password.
I'd like to specify another security group providing them a read-only
or special privilege mode with their Windows account.  Is this possible?
I'm new to using FreeRADIUS, please help.

Thanks,

Edwin

Re: Assistance with FreeRADIUS and Windows Authentication via LDAP

2009-03-09 Thread tnt
I am running FreeRADIUS version 1.1.3.

Why? Upgrade to current version.

I'm trying to setup LDAP
authentication for Windows users accessing our networking devices especially
with Cisco switches and routers.  Windows authentication is working properly
on my FreeRADIUS server, but I'm trying to figure out how to give different
users special privilege access without providing them the enable password.
I'd like to specify another Security group with providing them a read-only
or special privilege mode with their Windows account.  Is this possible?

Yes. Send them priv-level Cisco AVpair. You will need to add that attribute
mapping to ldap.attrmap.

Ivan Kalik
Kalik Informatika ISP



Re: Assistance with FreeRADIUS and Windows Authentication via LDAP

2009-03-09 Thread Alan DeKok
Edwin Isada wrote:
 I am running FreeRADIUS version 1.1.3.

  Why?

  I'm trying to setup LDAP
 authentication for Windows users accessing our networking devices
 especially with Cisco switches and routers.  Windows authentication is
 working properly on my FreeRADIUS server, but I'm trying to figure out
 how to give different users special privilege access without providing
 them the enable password.  I'd like to specify another Security group
 with providing them a read-only or special privilege mode with their
 Windows account.  Is this possible?  I'm new with using FreeRADIUS,
 please help.

  Yes, it's possible. See doc/rlm_ldap for doing LDAP group checking
in the server.

  You should use a new version of the server, not one that is 2-3 years
old.

  Alan DeKok.


MSCHAP Authentication and LDAP Group Membership checking

2008-09-05 Thread kesm0724
 Access-Accept of id 83 to 10.2.1.6 port 1059
MS-CHAP2-Success =
0x00533d3136423031434136463832333133373034393432393943303539423539334346434433314336
MS-MPPE-Recv-Key = 0x5e34def484a9a9c160f712e90322bca0
MS-MPPE-Send-Key = 0x2f644ea60d80525ed0b13527ca916aae
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 83 with timestamp +888
Ready to process requests.

It appears that MSCHAP is used to verify the password but LDAP is not
properly checking the VPN-Users AD group. I believe it is not stripping
the domain portion off correctly as I see the domain name appended to
(sAMAccountName=voila\5cwebtest)

My users File entries:

(The first entry I would like to be used by the concentrator to search the
group and if the user is a member allow them access - of course
authenticating the provided password)

DEFAULT LDAP-Group == vpn-users
Fall-Through = Yes

This entry is for our network switches/routers - this appears to be working
without any issue.

DEFAULT LDAP-Group == Radius-Admin
Service-Type = Login-User,
cisco-avpair = shell:priv-lvl=15,
Fall-Through = Yes

If I login from my network devices it performs the ldap searches without
issue and authenticates/authorizes the user - You can see this below:

rlm_ldap: performing search in dc=voila,dc=com, with filter
(&(cn=vpn-users)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom
rlm_ldap::ldap_groupcmp: User found in group vpn-users
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 178
rlm_ldap: Entering ldap_groupcmp()
expand: dc=voila,dc=com -> dc=voila,dc=com
expand:
(|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn})))
->
(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter
(&(cn=Radius-Admin)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom
rlm_ldap::ldap_groupcmp: User found in group Radius-Admin
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 181
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for zkms
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
(sAMAccountName=zkms)
expand: dc=voila,dc=com -> dc=voila,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter
(sAMAccountName=zkms)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
rlm_ldap: user zkms authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by zkms with password Omitted
rlm_ldap: user DN: CN=zkms,CN=Users,DC=voila,DC=com
rlm_ldap: (re)connect to control.voila.com:389, authentication 1
rlm_ldap: bind as CN=zkms,CN=Users,DC=voila,DC=com/Omitted to
control.voila.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user zkms authenticated succesfully


Thanks in advance for any pointers.



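The filter in the VPN log above, (sAMAccountName=voila\5cwebtest), shows the domain prefix still attached when rlm_ldap builds its search: \5c is the RFC 4515 escape for the backslash in voila\webtest, so the directory is asked for a user literally named that way and the group check cannot match. The following is an added example, not code from this thread or from FreeRADIUS, that reproduces the two steps involved: escaping a RADIUS User-Name for safe use in a filter (which is also what stops a crafted User-Name from injecting filter operators) and stripping a DOMAIN\ or @realm prefix the way a realm module would leave it in Stripped-User-Name. The function names are mine; the "escape every non-alphanumeric character" mode mirrors the \3d and \2c seen in the log's member= values.

```python
from typing import Optional, Tuple

# RFC 4515 section 3: characters that must be escaped as \XX inside a filter
# assertion value. Escaping also stops an attacker-supplied User-Name from
# closing the assertion and adding its own filter operators.
_MANDATORY_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str, everything: bool = False) -> str:
    """Escape an assertion value for use inside an LDAP search filter.

    everything=True escapes every non-alphanumeric character as well, which
    is the form rlm_ldap 2.x produced for %{check:LDAP-UserDn} in the log
    above ('=' -> \3d, ',' -> \2c). Both forms are valid RFC 4515.
    """
    out = []
    for ch in value:
        if ch in _MANDATORY_ESCAPES:
            out.append(_MANDATORY_ESCAPES[ch])
        elif everything and not (ch.isascii() and ch.isalnum()):
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def strip_domain(user_name: str) -> Tuple[str, Optional[str]]:
    """Split DOMAIN\\user or user@realm into (user, realm).

    This is what the realm module (ntdomain / suffix style) leaves in
    Stripped-User-Name; a bare name comes back unchanged with realm None.
    """
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return user, realm
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return user, realm
    return user_name, None


def build_user_filter(user_name: str, strip: bool) -> str:
    """The (sAMAccountName=...) filter rlm_ldap expands from
    %{Stripped-User-Name:-%{User-Name}}. strip=False models a request where
    no realm module stripped the domain, so the raw User-Name is used."""
    name = strip_domain(user_name)[0] if strip else user_name
    return "(sAMAccountName=%s)" % ldap_filter_escape(name)


# Group-membership filter shape taken from the log above.
GROUP_FILTER = (
    "(&(cn=%s)(|(&(objectClass=group)(member=%s))"
    "(&(objectClass=GroupOfNames)(member=%s))))"
)


def build_group_filter(group_cn: str, user_dn: str) -> str:
    """The group check filter with the user DN escaped the way rlm_ldap
    escapes the LDAP-UserDn check item (group cn comes from config, unescaped)."""
    dn = ldap_filter_escape(user_dn, everything=True)
    return GROUP_FILTER % (group_cn, dn, dn)


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: the VPN concentrator sends
    # "voila\webtest"; the switch login sends a bare "zkms".
    for raw, strip in (("voila\\webtest", False), ("voila\\webtest", True), ("zkms", True)):
        print(raw, "strip=%s ->" % strip, build_user_filter(raw, strip))
    print(build_group_filter("vpn-users", "CN=zkms,CN=Users,DC=voila,DC=com"))
```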


Re: MSCHAP Authentication and LDAP Group Membership checking

2008-09-05 Thread tnt
: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
Login OK: [voila\\webtest] (from client VPN port 1151 cli 123.111.6.76)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 83 to 10.2.1.6 port 1059
MS-CHAP2-Success =
0x00533d3136423031434136463832333133373034393432393943303539423539334346434433314336
MS-MPPE-Recv-Key = 0x5e34def484a9a9c160f712e90322bca0
MS-MPPE-Send-Key = 0x2f644ea60d80525ed0b13527ca916aae
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 83 with timestamp +888
Ready to process requests.



Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-26 Thread Eric Martell
Hi Ivan,
 We have scenarios when one PC gets transferred to another user; we don't
delete the registered MAC address of the previous PC. The new user is still
able to register with the previous user's existing PC MAC address one more
time. Thus the scenario of duplicate entries in LDAP.

Please let me know.
Thanks and Regards.



Ivan Kalik [EMAIL PROTECTED] wrote: After adding radiusAuthType on ONE uid 
it is working fine now.
But now the issue is, I have some cases where the MAC address are stored 
multiple times in Ldap. Thus the ldap query is failing.
Please check the log below. Can you please suggest me any workaround? Will 
really appreciate.

Only the obvious one: don't put multiple mac uids in the directory. uid
needs to be unique. BTW, where do multiple entries come from?

Ivan Kalik
Kalik Informatika ISP


Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-26 Thread Ivan Kalik
Your did needs to be a distinguished name.

Ivan Kalik
Kalik Informatika ISP


On 26/3/2008, Eric Martell [EMAIL PROTECTED] writes:

Hi Ivan,
 We have scenarios when one PC gets transferred to another user; we don't
 delete the registered MAC address of the previous PC. The new user is still
 able to register with the previous user's existing PC MAC address one more
 time. Thus the scenario of duplicate entries in LDAP.

Please let me know.
Thanks and Regards.





Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-26 Thread Eric Martell
Hi Ivan,
We already have this existing legacy system set up in production ldap and are
not sure we can change that anymore, as we don't use did as dn.  No change to the
existing ldap tree.

Is there a way, when the ldap query finds multiple results, to take the first
result and return success instead of sending a reject?

Please let me know if this is doable.

Thanks and Regards.


Ivan Kalik [EMAIL PROTECTED] wrote: Your did needs to be a distinguished name.

Ivan Kalik
Kalik Informatika ISP



Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-26 Thread Ivan Kalik
Sorry. Don't know much about ldap.

Ivan Kalik


On 26/3/2008, Eric Martell [EMAIL PROTECTED] writes:

Hi Ivan,
We already have this existing legacy system set up in production ldap and are
 not sure we can change that anymore, as we don't use did as dn.  No change to the
 existing ldap tree.

Is there a way, when the ldap query finds multiple results, to take the first
result and return success instead of sending a reject?

Please let me know if this is doable.

Thanks and Regards.




Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-26 Thread Eric Martell
Thanks so much Ivan.

Alan DeKok, is there a way, if the ldap filter query returns multiple results,
to send a RADIUS Accept in the reply?

Please let me know.
Thanks and Regards.





Ivan Kalik [EMAIL PROTECTED] wrote: Sorry. Don't know much about ldap.

Ivan Kalik



Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-25 Thread Eric Martell
Hi Ivan,
   Sorry to get back to you early as I did not have ldap access :(

After adding radiusAuthType on ONE uid it is working fine now. 
But now the issue is, I have some cases where the MAC address are stored 
multiple times in Ldap. Thus the ldap query is failing.
Please check the log below. Can you please suggest me any workaround? Will 
really appreciate.

Thanks and Regards.

Test Case 1 :: 1 UID
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = 0014F846C199, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0014F846C199
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> 0014F846C199
expand: (&(did=%{%{Stripped-User-Name}:-%{User-Name}})) ->
(&(did=0014F846C199))
expand: ou=roles,o=entitlement -> ou=roles,o=entitlement
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=roles,o=entitlement, with filter
(&(did=0014F846C199))
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusAuthType as RADIUS attribute Auth-Type == Accept
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
rlm_ldap: user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/via Auth-Type = Accept] (from client samir port 0)
Sending Access-Accept of id 39 to 216.2.193.1 port 38625
Finished request 3.






Test Case 2 :: Multiple UIDs

rad_recv: Access-Request packet from host 216.2.193.1 port 37788, id=38, 
length=34
User-Name = 0014F846C199
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = 0014F846C199, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0014F846C199
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> 0014F846C199
expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})) ->
(&(uid=0014F846C199))
expand: ou=roles,o=entitlement -> ou=roles,o=entitlement
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=roles,o=entitlement, with filter
(&(uid=0014F846C199))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [0014F846C199/no User-Password 
attribute] (from client samir port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 0014F846C199
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds



- Original Message 
From: Ivan Kalik [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, March 20, 2008 1:01:11 PM
Subject: Re: MACAddress silent authentication in LDAP using freeradius2.0.2

Bit confusing..do you want me to create entries in
ldap as, 


No:

uid = 001122334455
radiusAuthType = Accept

Forget about the device entries. radius authenticates users. Have a look
at the filter configured in ldap section of radiusd.conf

If yes, what additional changes I have to do in
freeradius and how I can return devicename along the
freeradius reply?

And what would you do with that? Groups? Than create a group entries for
them and use memberof in (mac) user entry.

Ivan Kalik
Kalik Informatika ISP


Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-25 Thread Ivan Kalik
After adding radiusAuthType on ONE uid it is working fine now.
But now the issue is, I have some cases where the MAC address are stored 
multiple times in Ldap. Thus the ldap query is failing.
Please check the log below. Can you please suggest me any workaround? Will 
really appreciate.

Only the obvious one: don't put multiple mac uids in the directory. uid
needs to be unique. BTW, where do multiple entries come from?

Ivan Kalik
Kalik Informatika ISP



Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-20 Thread Ivan Kalik
In mac authentication mac address is used as username. So you will have
to create entries that have (only) username equal to mac address and
radiusAuthType Accept.

Ivan Kalik
Kalik Informatika ISP


On 19/3/2008, Eric Martell [EMAIL PROTECTED] writes:

Please let me know if this topic is already discussed
or has doc/wiki. If yes please guide me to the right
thread. Thanks.

We are going to use MACaddress as silent
authentication. When the users tries to connect to the
WIFI Access point, Aptilo Networks is going to send
MacAddress as User-Name attribute of freeradius.
User-Password attribute will be empty.

We are storing MAC Addresses in the LDAP under the
device tree thru user interface tools. The LDAP tree
is as,

deviceid = 111
macaddress = 001122334455
devicename = Personal PC.

deviceid = 222
macaddress = 001199887766
devicename = SIP Phone.

How do I configure ldap module in the freeradius so
that it checks if the MACaddress exists in LDAP and
returns Access-Accept or Access-Reject along with
reply of devicename.

Not sure how do I handle this in authorization or
authentication or post-auth? There are NO passwords.

I am using freeradius-2.0.2. Is there a way I can use
unlang ?

Thanks and Regards.



  
 


Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-20 Thread Eric Martell
Hi Ivan,
  Thanks for the response. I am newbie for freeradius.
Not sure which file I should configure this? I have
ldap module configured in radiusd.conf.

Can you please be more specific? I will really
appreciate that.

Thanks and Regards.



--- Ivan Kalik [EMAIL PROTECTED] wrote:

 In mac authentication mac address is used as
 username. So you will have
 to create entries that have (only) username equal to
 mac address and
 radiusAuthType Accept.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 


Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-20 Thread Ivan Kalik
No file. These are ldap entries which you need to make. You have entries
as devices - now make entries as users.

Ivan Kalik
Kalik Informatika ISP


On 20/3/2008, Eric Martell [EMAIL PROTECTED] writes:

Hi Ivan,
  Thanks for the response. I am newbie for freeradius.
Not sure which file I should configure this? I have
ldap module configured in radiusd.conf.

Can you please be more specific? I will really
appreciate that.

Thanks and Regards.





Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-20 Thread Ivan Kalik
 Bit confusing.. do you want me to create entries in
 ldap as,


No:

uid = 001122334455
radiusAuthType = Accept

Forget about the device entries. radius authenticates users. Have a look
at the filter configured in the ldap section of radiusd.conf.

 If yes, what additional changes do I have to make in
 freeradius, and how can I return devicename along with the
 freeradius reply?

And what would you do with that? Groups? Then create group entries for
them and use memberof in the (mac) user entry.

Ivan Kalik
Kalik Informatika ISP



Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-20 Thread Ivan Kalik
PS. Sorry, got mixed up. radiusGroupName for group membership.

Ivan Kalik
Kalik Informatika ISP


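As an added example, not taken from any message in this thread, here is what Ivan's suggestion looks like when written out for FreeRADIUS 2.0: a user-style LDAP entry keyed by the MAC, the ldap module pointed at it, and a dedicated virtual server so that only the NAS doing MAC authentication gets this "accept on match" treatment. The DNs, hostnames, NAS address, shared secret and the use of radiusReplyMessage to carry devicename back are assumptions. Two things the thread does not spell out: the uid has to be the exact string the NAS puts in User-Name (this page shows both the 001122334455 and the 00:0B:6B:56:1D:48 style, so check an Access-Request in radiusd -X output before loading the directory), and the explicit reject on notfound is what turns an unknown MAC into an Access-Reject, which is the same point the later "(Solved) MAC authorisation (but not authentication) via LDAP" thread on this page solves with an exec script. A cloned MAC passes this check exactly like the real device, so treat the result as identification for placing a device in the right VLAN, not as authentication of a user.

```text
# --- LDIF (constructed example): one user-style entry per device. uid must be
# exactly the string the NAS sends as User-Name. radiusprofile, radiusAuthType,
# radiusGroupName and radiusReplyMessage come from the OpenLDAP schema shipped
# with FreeRADIUS (doc/examples/openldap.schema); the stock ldap.attrmap already
# maps radiusAuthType to Auth-Type and radiusReplyMessage to Reply-Message.
dn: uid=001122334455,ou=macs,dc=example,dc=com
objectClass: account
objectClass: radiusprofile
uid: 001122334455
cn: Personal PC
radiusAuthType: Accept
radiusGroupName: personal-pc
radiusReplyMessage: Personal PC

# --- raddb/modules/ldap (server, bind credentials and base DN are assumed)
ldap {
        server   = "ldap.example.com"
        identity = "cn=radius,dc=example,dc=com"
        password = "changeme"
        basedn   = "ou=macs,dc=example,dc=com"
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        dictionary_mapping = ${confdir}/ldap.attrmap
}

# --- raddb/clients.conf: only the NAS doing MAC authentication is sent to the
# macauth server. Every other client keeps the default virtual server, so a
# User-Name that happens to equal a listed MAC is not accepted from elsewhere.
client aptilo {
        ipaddr         = 192.0.2.10      # assumed address of the Aptilo gateway
        secret         = "changeme"
        virtual_server = macauth
}

# --- raddb/sites-enabled/macauth
server macauth {
        authorize {
                preprocess
                ldap
                if (notfound) {
                        # unknown MAC: reject here instead of letting a later
                        # module or a DEFAULT entry in users accept it
                        reject
                }
        }
        # Auth-Type := Accept (set from radiusAuthType) is honoured by the
        # server core, so this virtual server needs no authenticate section.
}
```

With this layout the User-Password attribute is never looked at, which is what makes the empty password from the NAS harmless here; do not copy the Auth-Type Accept entries into a directory branch that the default virtual server also searches.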


Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-20 Thread Eric Martell
Hi Ivan,
Bit confusing.. do you want me to create entries in
ldap as,

deviceid = 111
macaddress = 001122334455 
username = 001122334455
radiusAuthType = Accept
devicename = Personal PC.

deviceid = 222
macaddress = 001199887766
username = 001199887766
radiusAuthType = Accept
devicename = SIP Phone.   

If yes, what additional changes do I have to make in
freeradius, and how can I return devicename along with the
freeradius reply?

Please reply.
Thanks and Regards.

--- Ivan Kalik [EMAIL PROTECTED] wrote:

 No file. These are ldap entries which you need to
 make. You have entries
 as devices - now make entries as users.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 20/3/2008, Eric Martell
 [EMAIL PROTECTED] wrote:
 
 Hi Ivan,
   Thanks for the response. I am a newbie to
 freeradius.
 Not sure which file I should configure this? I have
 ldap module configured in radiusd.conf.
 
 Can you please be more specific? I will really
 appreciate that.
 
 Thanks and Regards.
 
 
 
 --- Ivan Kalik [EMAIL PROTECTED] wrote:
 
  In MAC authentication the MAC address is used as the
  username. So you will have
  to create entries that have (only) a username equal
 to
  the MAC address and
  radiusAuthType Accept.
  
  Ivan Kalik
  Kalik Informatika ISP
  
  


MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-19 Thread Eric Martell
Please let me know if this topic has already been discussed
or has a doc/wiki page. If yes, please point me to the right
thread. Thanks.

We are going to use the MAC address as silent
authentication. When a user tries to connect to the
WiFi access point, Aptilo Networks is going to send the
MAC address as the User-Name attribute to FreeRADIUS.
The User-Password attribute will be empty.

We are storing MAC addresses in LDAP under the
device tree through user interface tools. The LDAP tree
is as follows:

deviceid = 111
macaddress = 001122334455
devicename = Personal PC

deviceid = 222
macaddress = 001199887766
devicename = SIP Phone

How do I configure the ldap module in FreeRADIUS so
that it checks whether the MAC address exists in LDAP and
returns Access-Accept or Access-Reject along with
devicename in the reply?

Not sure whether I should handle this in authorization,
authentication or post-auth. There are NO passwords.

I am using freeradius-2.0.2. Is there a way I can use
unlang?

Thanks and Regards.



  



Re: Authentication type (ldap, users, etc) per client or user?

2008-01-04 Thread Alan DeKok
falz wrote:
 This would technically get things working, but poses a security issue.
 I want to have clients associated with backends. The above example
 appears that it will simply give priority of one authentication source
 over the other, which isn't what I'm trying to do.

  You can use Autz-Type to get what you want, but it's more complicated.

 I'll look into 2.0 if this is the only way to get this functionality.

  It's not the only way, but it's *much* easier in 2.0.  You just put an
entry in the client configuration saying virtual_server = foo, and
all requests get processed through foo.

 No, I did not remove the files section. It is called, and loaded per
 my output in the previous email.

  It's not listed in the debug output you posted.  So it's not being called.

 Looking through the docs, it appears that Autz-Type gives indications
 of what I am trying to do:
 
 http://www.freeradius.org/radiusd/doc/Autz-Type

  Yes.  It may require running two copies of the files module, which
is more complicated.

 I will experiment with it and some syntax, and chime back in when I
 get things working for future reference for other users (and for me,
 if I neglect to document it myself :)

  In 2.0:

client a {
        ipaddr = 1.2.3.4
        ...
        virtual_server = foo
}

client b {
        ipaddr = 5.6.7.8
        ...
        virtual_server = bar
}

server foo {
        authorize {
                files   # the module that reads the users file
                ...
        }
        ...
}

server bar {
        authorize {
                ldap
                ...
        }
        ...
}


  It's more typing to set up, but it's significantly easier to
understand and to maintain.  It means that there are fewer possibilities
for something to go wrong, too.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Authentication type (ldap, users, etc) per client or user?

2008-01-03 Thread falz
Hello,

I have a FreeRADIUS server working properly with an LDAP backend. I've
brought some user config into the 'users' file for a legacy system
we're migrating to this server. However, I cannot seem to find the
appropriate way to have FreeRADIUS map clients to a specific
authentication type. In my example I want everything to use LDAP,
except one client to use the legacy 'users' file syntax.

The closest example to this that I can find is here:
https://lists.freeradius.org/pipermail/freeradius-users/2005-April/043218.html

However, this deals with multiple LDAP instances, and it does not like
the syntax of my changing:

files { }

to:

files foo {}

and the other steps that seem logical when looking at the above. Is
there any way to do this off of a single FreeRADIUS install? Any
suggestions appreciated!

Thanks,
--falz
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication type (ldap, users, etc) per client or user?

2008-01-03 Thread falz
On Jan 3, 2008 10:18 AM, Alan DeKok [EMAIL PROTECTED] wrote:
 falz wrote:
  I have a FreeRADIUS server working properly with an LDAP backend. I've
  brought some user config into the 'users' file for a legacy system
  we're migrating to this server. However, I cannot seem to find the
  appropriate way to have FreeRADIUS map clients to a specific
  authentication type.

   What does that mean?

Radius Client A uses rlm_ldap, Radius Client B uses 'files' for the
livingston-style 'users' file. What I have now is Client A works fine
with LDAP, but it seems to be a default across the system. Client B
always talks to LDAP, it doesn't seem to read from the user's file.

Here's some debug stuff. When I start radiusd -X, it does show that it
reads the files module:

Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no


As well as ldap:

Module: Loaded LDAP
snipped because it all works



But when one authenticates, it chooses ldap only:


rad_recv: Access-Request packet from host 192.168.0.130:1028, id=18, length=119
User-Name = falz
User-Password = abc123
NAS-IP-Address = 192.168.0.130
NAS-Port = 4
NAS-Port-Type = Async
Service-Type = Framed-User
Framed-Protocol = PPP
Connect-Info = 52000 LAPM/V42BIS
Called-Station-Id = 5552271012
Calling-Station-Id = 5552291017
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
  modcall[authorize]: module chap returns noop for request 2
  modcall[authorize]: module mschap returns noop for request 2
rlm_realm: No '@' in User-Name = falz, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for falz
radius_xlat:  '(uid=falz)'
radius_xlat:  'ou=staff,dc=domain,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=staff,dc=domain,dc=net, with filter (uid=falz)
request done: ld 0x8068e00 msgid 3
rlm_ldap: checking if remote access for falz is allowed by radiusReplyItem
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: extracted attribute Cisco-AVPair from generic item
Cisco-AVPair := shell:priv-lvl=15
rlm_ldap: extracted attribute Fall-Through from generic item Fall-Through = 1
rlm_ldap: extracted attribute Extreme-CLI-Authorization from generic
item Extreme-CLI-Authorization = Enabled
rlm_ldap: extracted attribute Service-Type from generic item
Service-Type = NAS-Prompt-User
rlm_ldap: extracted attribute Service-Type from generic item
Service-Type := Administrative-User
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user falz authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 2
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password:  Found Auth-Type ldap
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by falz with password abc123
rlm_ldap: user DN: uid=falz,ou=users,ou=staff,dc=domain,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=falz,ou=users,ou=staff,dc=domain,dc=net/abc123
to localhost:389
rlm_ldap: waiting for bind result ...
request done: ld 0x8068f00 msgid 1
rlm_ldap: Bind failed with invalid credentials
  modcall[authenticate]: module ldap returns reject for request 2
modcall: leaving group LDAP (returns reject) for request 2
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [falz] (from client
portmaster3 port 4 cli 6082291017)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 18 to 192.168.0.130 port 1028
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 18 with timestamp 477d0e80
Nothing to do.  Sleeping until we see a request.


It is logical that it does this, as I have nothing in my config about
this client using 'files'/'users', because I do not know what to put
in. I posted the original link, and also found this, which is related:


Re: Authentication type (ldap, users, etc) per client or user?

2008-01-03 Thread Alan DeKok
falz wrote:
 Radius Client A uses rlm_ldap, Radius Client B uses 'files' for the
 livingston-style 'users' file. What I have now is Client A works fine
 with LDAP, but it seems to be a default across the system. Client B
 always talks to LDAP, it doesn't seem to read from the user's file.

  If you want to use one OR the other, try the following:

authorize {
        ...
        group {
                files {
                        ok = return
                }
                ldap
        }
        ...
}

  i.e. if an entry is found in the users file, then don't do LDAP.  If
no entry is found in the users file, do LDAP.

  Of course, in 2.0, you could just have a virtual server for client A,
and a different virtual server for client B.

 But when one authenticates, it chooses ldap only:

  Because that's what you've configured it to do.  In this case, the
debug output shows that it's not calling the files module.  So you've
edited the default configuration so that the files module isn't
called... and yet you say you want it to call the files module.

 It is logical that it does this, as I have nothing in my config about
 this client using 'files'/'users', because I do not know what to put
 in.

  What's wrong with the default configuration file that ships with the
server?

 I posted the original link, and also found this, which is related:
 
 http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg40372.html
 
 However, in all cases that I find, users are trying to authenticate
 with multiple same-type backends. Original link user is authenticating
 off of different LDAP servers, this case they're authenticating off of
 multiple SQL servers. I want 1 LDAP and one 'files'.

  You can copy & paste an example that doesn't apply to what you want to
do, or you can understand how the server works.  In this case, reading
the files in the doc directory would help.  They explain *how* those
examples are configured, and *why* they work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication type (ldap, users, etc) per client or user?

2008-01-03 Thread falz
On Jan 3, 2008 3:45 PM, Alan DeKok [EMAIL PROTECTED] wrote:
   If you want to use one OR the other, try the following:

 authorize {
         ...
         group {
                 files {
                         ok = return
                 }
                 ldap
         }
         ...
 }

   i.e. if an entry is found in the users file, then don't do LDAP.  If
 no entry is found in the users file, do LDAP.

This would technically get things working, but poses a security issue.
I want to have clients associated with backends. The above example
appears that it will simply give priority of one authentication source
over the other, which isn't what I'm trying to do.


   Of course, in 2.0, you could just have a virtual server for client A,
 and a different virtual server for client B.

I'll look into 2.0 if this is the only way to get this functionality.


   Because that's what you've configured it to do.  In this case, the
 debug output shows that it's not calling the files module.  So you've
 edited the default configuration so that the files module isn't
 called... and yet you say you want it to call the files module.

No, I did not remove the files section. It is called, and loaded per
my output in the previous email. Both are listed, but nothing in the
config points a client to an auth method, because I don't know the
syntax for this, or it's not possible.


   What's wrong with the default configuration file that ships with the
 server?

I don't believe I said anything is. I simply don't know its syntax
well enough to know what to put in, or it's not possible.


   You can copy  paste an example that doesn't apply to what you want to
 do, or you can understand how the server works.  In this case, reading
 the files in the doc directory would help.  They explain *how* those
 examples are configured, and *why* they work.

Looking through the docs, it appears that Autz-Type gives indications
of what I am trying to do:

http://www.freeradius.org/radiusd/doc/Autz-Type

I will experiment with it and some syntax, and chime back in when I
get things working for future reference for other users (and for me,
if I neglect to document it myself :)

--falz
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Configure authentication via LDAP Group membership issue

2007-10-30 Thread David Hobley
All, 

I have still not been able to find a solution for this, it looks like I might 
be able to use an xlat rule for it, but I can't get my head around how to write 
it. Can anyone point me to suitable documentation for xlat - while I have read 
all the docco that comes with the FreeRadius (in /usr/share) I am missing 
something in order to apply it. 

Cheers, 
David 

RE: Configure authentication via LDAP Group membership issue [sec=unclassified]

2007-10-30 Thread Ranner, Frank MR

The memberUid attribute in a posixGroup is supposed to hold the uid, not
the uidNumber. That would make your groupmembership_filter =
"(memberUid=%{User-Name})" or, more robustly,
groupmembership_filter =
"(&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))"

Regards,
Frank Ranner




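Worked out as an added example (the editor's, not Frank's or David's text): the group entry in the shape posixGroup actually requires, the ldap module settings carrying Frank's filter, and a users file that rejects non-members instead of merely withholding Service-Type from them. The DNs, the gidNumber, the Reply-Message text and the assumption that ldap is listed in authorize ahead of files (so the user's DN is already known when LDAP-Group is compared) are mine. Auth-Type LDAP also needs the Auth-Type LDAP { ldap } block in the authenticate section, which the stock configuration ships commented out, and because it authenticates by binding to the directory as the user it only works when the password reaches the server in clear text (PAP), not with CHAP or MS-CHAP.

```text
# --- LDIF (constructed example): posixGroup lists members by login name, so
# memberUid carries the uid string that arrives in User-Name, not uidNumber.
dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
objectClass: posixGroup
cn: VPN Users
gidNumber: 5000
memberUid: firstname.lastname

# --- ldap module (modules/ldap in 2.x; the ldap {} block of radiusd.conf in 1.x).
# Comparing LDAP-Group == "VPN Users" makes the module search basedn for a group
# entry whose cn is "VPN Users" AND which also matches groupmembership_filter,
# so the filter must be true only for groups that list the current user.
ldap {
        server   = "ldap"
        basedn   = "dc=MY,dc=DOMAIN"
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        groupname_attribute    = cn
        groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
}

# --- users: entries are tried in order and the first match without
# Fall-Through wins, so members get Auth-Type LDAP and everybody else is
# rejected during authorization, before any bind is attempted.
DEFAULT  LDAP-Group == "VPN Users", Auth-Type := LDAP
         Service-Type = Administrative-User

DEFAULT  Auth-Type := Reject
         Reply-Message = "Not a member of VPN Users"
```

Run radiusd -X and watch for the rlm_ldap group search with the expanded filter; if the second DEFAULT entry matches for a user who should be a member, the memberUid value and the User-Name the VPN sends differ (a realm suffix or different case, for instance), which is exactly the mismatch the original (memberUid=1024) filter had.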


Re: Configure authentication via LDAP Group membership issue [sec=unclassified]

2007-10-30 Thread David Hobley
Frank, 

Thank you - greatly appreciated. This made me realise that my thinking was 
foggy when I had defined group memberships. All working now. 

Cheers, 
David 

Configure authentication via LDAP Group membership issue

2007-10-23 Thread David Hobley
I have set up a VPN pointing to a FreeRadius server and have it 
authenticating successfully against my LDAP server, but I would also like to 
limit access to only those people who are a member of the VPN group. 

Normally, this would be simple, but because of the LDAP server I am using, 
the hierarchy looks like this: 

User Account: 

ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN '(uid=firstname.lastname)'
dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN 
uidNumber: 1024 
... 

Group entry is: 

ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN '(cn=VPN Users)'
dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN 
memberUid: 1024 
... 

So I need to somehow configure Radius to search on me, get my uidNumber and 
then search on the group. If I skip the searching to get the uidNumber, I 
can configure the Radius (for this single account) correctly: 

In the ldap module I include:
...
groupname_attribute = cn
groupmembership_filter = "(memberUid=1024)"
with the following entry in the users file:

DEFAULT Auth-Type = LDAP
        Fall-Through = 1

DEFAULT LDAP-Group == "VPN Users"
        Service-Type = Administrative-User

and this works as expected, but is there any way I can substitute the 1024 
for an ldap search result so I can dynamically return the uidNumber for the 
%{User-Name} field? 

Thanks! 

Cheers, 
David 


Re: (Solved) Re: MAC authorisation (but not authentication) via LDAP

2007-04-11 Thread Alan Walters
We are trying to add MAC authentication to our wireless APs. The RADIUS request
comes in like so:

rad_recv: Access-Request packet from host 10.250.100.3:1038, id=119,
length=95
Service-Type = Framed-User
NAS-Port-Id = wlan1
User-Name = 00:0B:6B:56:1D:48
User-Password = 
NAS-Identifier = ballyvaughan_ap_1
NAS-IP-Address = 10.250.100.3


The MAC address is in a field in the LDAP, so I created a second
ldap.attrib.map and a new ldap Autz-Type. The problem is that the
User-Password that is sent is blank, so I added this to the users file,
like so:

DEFAULT Huntgroup-Name == test, Autz-Type := ldapMAC, User-Password == "", Simultaneous-Use := 1
        Fall-Through = 0

Great, now the user will authorise and authenticate from files. But what
I had hoped would happen was that if they fail authorisation they would
not continue; I can see this is not the default procedure. How can I
make it work this way?

  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
users: Matched entry DEFAULT at line 4
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  Found Autz-Type ldapMAC
  Processing the authorize section of radiusd.conf
modcall: entering group ldapMAC for request 0
modcall: entering group redundant  for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 00:0B:6B:56:1D:48
radius_xlat:  '(rdwaveuserWirelessMac=00:0B:6B:56:1D:48)'
radius_xlat:  'o=clients,dc=radiowave,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=admin,dc=radiowave,dc=net/xxx to 127.0.0.1:389
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with
filter (rdwaveuserWirelessMac=00:0B:6B:56:1D:48)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldapmac1 returns notfound for request 0
modcall: leaving group redundant  (returns notfound) for request 0
modcall: leaving group ldapMAC (returns notfound) for request 0


but when the authentication starts this still happens. Below was an
idea someone had in respect of this issue or a similar one, but I have no
idea how to deploy it. I look forward to your replies.

auth: type Local
auth: user supplied User-Password matches local User-Password
  Processing the session section of radiusd.conf
modcall: entering group session for request 0
modcall: entering group redundant  for request 0
  modcall[session]: module sql2 returns noop for request 0
modcall: leaving group redundant  (returns noop) for request 0
modcall: leaving group session (returns noop) for request 0
Login OK: [00:0B:6B:56:1D:48/] (from client ballyvaughan port 0)
Sending Access-Accept of id 119 to 10.250.100.3 port 1038


On Sun, 2007-02-25 at 20:05 +, Martin Whinnery wrote:
 Martin Whinnery wrote:
  Markus Krause wrote:

  Zitat von Martin Whinnery [EMAIL PROTECTED]:
 

  
  Hi.
 
   Probably just me not understanding...
 
  What I want is for our switches to only allow access to MAC addresses in
  our LDAP database.
 
  I don't want to store passwords on our LDAP host entries.
 
  I'm set up to check LDAP during authorisation, and it correctly returns
  authorised / not authorised depending on whether the appropriate
  attribute contains the right value.
 
  The trouble comes with authentication - either I set Auth-Type :=
  Accept, in which case and failed authorisation is overridden, or I allow
  authentication to carry on against LDAP ( or System, or whatever ), in
  which case it fails always and access is denied, even for authorised MACs.
 
  Is there a way to make the Authorisation part final and authoritative?
 
 
  As I say, probly just being stoopid.
 
 
  Mart
 
 
  

  don't know if it is a good solution, but I just do this by setting the  
  following in radiusd.conf:
 
  authenticate {
   ...
   Auth-Type LdapMAC {
  ok
   }
   ...
  }
 
  the Auth-Type is set in users file depending on huntgroups:
 
  DEFAULT  Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := 
  LdapMAC
 
  I assume there are better/smarter solutions, as one can read "don't  
  set Auth-Type" in many places, but it works here ;-)
 
  regards
 markus
 

  
  Thanks Markus,
 
  the problem seems to be that the authorisation pass returns notfound, 
  whereas I want it to reject, as if it found an entry in LDAP without 
  the appropriate attribute.
 
  Mart
 

 This was exactly the problem. 

RE: (Solved) Re: MAC authorisation (but not authentication) via LDAP

2007-04-11 Thread Alan Walters
This looks great for my purpose as well. Thanks very much for your help.


Alan,

The problem for me was that when the ldapsearch failed to find the MAC 
address, freeradius didn't reject authorisation.

The solution for me, ( I'm sure the big boys can point out how it's 
wrong ), was the following script..

---snip---
#!/bin/sh
# rlm_exec passes the request attributes to the script as environment
# variables (input_pairs = request), so Module-Failure-Message arrives
# as MODULE_FAILURE_MESSAGE. Whatever the script prints is read back as
# attribute pairs (output_pairs = config), which is how Auth-Type is set.
if echo "$MODULE_FAILURE_MESSAGE" | grep "not found" > /dev/null; then
	echo "Auth-Type := Reject"
	exit 0
fi
exit 0
---snip---
and the following clause in radiusd.conf
---snip---
exec rejectOnNotFound {
	wait = yes
	program = /usr/local/etc/raddb/rejectOnNotFound.sh
	input_pairs = request
	output_pairs = config
}
---snip---
which is used in the authorise section thus
---snip---
Autz-Type LdapMAC {
	ldapMAC
	rejectOnNotFound
}
---snip---


As I said, works for me.

Hope it helps..

Mart

Alan Walters wrote:
 we are trying to add MAC authentication to our wireless APs. The RADIUS request
 comes in like so.
 
 rad_recv: Access-Request packet from host 10.250.100.3:1038, id=119,
 length=95
 Service-Type = Framed-User
 NAS-Port-Id = wlan1
 User-Name = 00:0B:6B:56:1D:48
 User-Password = 
 NAS-Identifier = ballyvaughan_ap_1
 NAS-IP-Address = 10.250.100.3
 
 
 the MAC address is in a field in the LDAP, so I created a second
 ldap.attrib.map and a new ldap Autz-Type. The problem is that the
 User-Password that is sent is blank, so I added this to the users file,
 like so.
 
 DEFAULT Huntgroup-Name == test, Autz-Type := ldapMAC, User-Password == "", Simultaneous-Use := 1
 	Fall-Through = 0
 
 Great, now the user will authorise and authenticate from files. But what
 I had hoped would happen was that if they fail authorisation they would
 not continue; I can see this is not the default procedure. How can I
 make this work this way?
 
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 users: Matched entry DEFAULT at line 4
   modcall[authorize]: module files returns ok for request 0
 modcall: leaving group authorize (returns ok) for request 0
   Found Autz-Type ldapMAC
   Processing the authorize section of radiusd.conf
 modcall: entering group ldapMAC for request 0
 modcall: entering group redundant  for request 0
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for 00:0B:6B:56:1D:48
 radius_xlat:  '(rdwaveuserWirelessMac=00:0B:6B:56:1D:48)'
 radius_xlat:  'o=clients,dc=radiowave,dc=net'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
 rlm_ldap: bind as cn=admin,dc=radiowave,dc=net/xxx to 127.0.0.1:389
 radiustest:/etc/freeradius/config-clients#
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with
 filter (rdwaveuserWirelessMac=00:0B:6B:56:1D:48)
 rlm_ldap: object not found or got ambiguous search result
 rlm_ldap: search failed
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldapmac1 returns notfound for request 0
 modcall: leaving group redundant  (returns notfound) for request 0
 modcall: leaving group ldapMAC (returns notfound) for request 0
 
 
 but when the authentication starts this still happens. Below was an
 idea someone had in respect to this issue or a similar one, but I have no
 idea how to deploy it. I look forward to your replies.
 
 auth: type Local
 auth: user supplied User-Password matches local User-Password
   Processing the session section of radiusd.conf
 modcall: entering group session for request 0
 modcall: entering group redundant  for request 0
   modcall[session]: module sql2 returns noop for request 0
 modcall: leaving group redundant  (returns noop) for request 0
 modcall: leaving group session (returns noop) for request 0
 Login OK: [00:0B:6B:56:1D:48/] (from client ballyvaughan port 0)
 Sending Access-Accept of id 119 to 10.250.100.3 port 1038
 
 
 On Sun, 2007-02-25 at 20:05 +, Martin Whinnery wrote:
 Martin Whinnery wrote:
 Markus Krause wrote:
   
 Zitat von Martin Whinnery [EMAIL PROTECTED]:

   
 
 Hi.

 Probly just me not understanding...

 What I want is for our switches to only allow access to MAC addresses in
 our LDAP database.

 I don't want to store passwords on our LDAP host entries.

 I'm set up to check LDAP during authorisation, and it correctly returns
 authorised / not authorised depending on whether the appropriate
 attribute contains the right value.

 The trouble comes with authentication - either I set Auth-Type :=
 Accept, in which case and failed authorisation is overridden, or I allow
 authentication to carry on against LDAP ( or 

Re: MAC authorisation (but not authentication) via LDAP

2007-02-25 Thread Phil Mayers
Markus Krause wrote:

 I am not sure if your approach could really fulfill my needs (no  
 redundancy, serving different types of requests) ... but I would  
 really like to know ;-)

Hmm.

Without more details it's difficult to say, but what you need does not 
sound excessively difficult. At most, Autz-Type should suffice. Why are 
you finding you need to set Auth-Type?

The ldap module can be peculiar in this regard - are you authenticating 
the users by doing simple bind, or are you extracting the passwords from 
ldap and using rlm_pap and such?
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MAC authorisation (but not authentication) via LDAP

2007-02-25 Thread Markus Krause
Zitat von Phil Mayers [EMAIL PROTECTED]:
 Markus Krause wrote:

 I am not sure if your approach could really fulfill my needs (no
 redundancy, serving different types of requests) ... but I would
 really like to know ;-)

 Hmm.

 Without more details it's difficult to say, but what you need does not
 sound excessively difficult. At most, Autz-Type should suffice. Why are
 you finding you need to set Auth-Type?
I thought this was necessary as I use redundant sections.
In users I have something like:

   DEFAULT Huntgroup-Name == vpn, Autz-Type := LdapUser, Auth-Type := LdapUser

some parts of my radiusd.conf:
- radiusd.conf parts
modules {
 ...
 ldap LdapUser1 {
  ldapserv1
 }

 ldap LdapUser2 {
  ldapserv2
 }
 ...
}

authorize {
  ...
  Autz-Type LdapUser {
  redundant {
  LdapUser1
  LdapUser2
  }
  }
  ...
}

authenticate {
  ...
  Auth-Type LdapUser {
  redundant {
  LdapUser1
  LdapUser2
  }
  }
  ...
}
-

It seems that if the authorization is successfully done by LdapUser1  
the Auth-Type is set to LdapUser1. If I do not set it to LdapUser in the  
users file I get the error message "No authenticate method (Auth-Type)  
configuration found for the request: Rejecting the user". If I set  
Auth-Type to LdapUser in users it works. It also works without setting  
this if I do not use redundant settings (just call the module LdapUser).

 The ldap module can be peculiar in this regard - are you authenticating
 the users by doing simple bind, or are you extracting the passwords from
 ldap and using rlm_pap and such?
I am just authenticating by doing a simple bind.

If I should post more details, please let me know!

  with best regards
markus


--
  This message was sent using https://webmail2.biochem.mpg.de
If you encounter any problems please report to [EMAIL PROTECTED]





Re: MAC authorisation (but not authentication) via LDAP

2007-02-25 Thread Phil Mayers
Markus Krause wrote:
 modules {
  ...
  ldap LdapUser1 {
   ldapserv1
  }
 
  ldap LdapUser2 {
   ldapserv2
  }
  ...
 }
 
 authorize {
   ...
   Autz-Type LdapUser {
   redundant {
   LdapUser1
   LdapUser2
   }
   }
   ...
 }
 
 authenticate {
   ...
   Auth-Type LdapUser {
   redundant {
   LdapUser1
   LdapUser2
   }
   }
   ...
 }

You should be able to replace this last bit with:

authenticate {
   Auth-Type LdapUser1 {
 LdapUser1
   }
   Auth-Type LdapUser2 {
 LdapUser2
   }
}

...and set the set_auth_type = yes on each LDAP module.

The general idea is that MODULES should set Auth-Type (to themselves) 
indicating that they will handle the authenticate phase.

Note that the above is still redundant - if the ldap module answered 
during the authorize phase, there's clearly only a miniscule chance it 
will have failed by the time authenticate runs.

And in fact, if ldap1 succeeds during authorize but fails during 
authenticate, arguably passing it to ldap2 is an error - example, the 
user might have just changed their password so ldap1 fails, but ldap2 is 
still replicating so thinks the old password is valid.


Re: MAC authorisation (but not authentication) via LDAP

2007-02-25 Thread Markus Krause
Zitat von Phil Mayers [EMAIL PROTECTED]:

 Markus Krause wrote:
 modules {
  ...
  ldap LdapUser1 {
   ldapserv1
  }

  ldap LdapUser2 {
   ldapserv2
  }
  ...
 }

 authorize {
   ...
   Autz-Type LdapUser {
   redundant {
   LdapUser1
   LdapUser2
   }
   }
   ...
 }

 authenticate {
   ...
   Auth-Type LdapUser {
   redundant {
   LdapUser1
   LdapUser2
   }
   }
   ...
 }

 You should be able to replace this last bit with:

 authenticate {
Auth-Type LdapUser1 {
  LdapUser1
}
Auth-Type LdapUser2 {
  LdapUser2
}
 }

 ...and set the set_auth_type = yes on each LDAP module.

 The general idea is that MODULES should set Auth-Type (to themselves)
 indicating that they will handle the authenticate phase.

 Note that the above is still redundant - if the ldap module answered
 during the authorize phase, there's clearly only a miniscule chance it
 will have failed by the time authenticate runs.

 And in fact, if ldap1 succeeds during authorize but fails during
 authenticate, arguably passing it to ldap2 is an error - example, the
 user might have just changed their password so ldap1 fails, but ldap2 is
 still replicating so thinks the old password is valid.
OK, I agree with you, enough redundancy can be achieved by this  
also. (The LDAP servers used here are both consumers of the same  
provider, all with very low load, so it seems quite unlikely that they  
run out of sync, but one never knows...)

But what if the Auth-Type is not set, for example in a Perl module?  
(BTW, how can I set the Auth-Type? That would solve my problem here!)
Example:
We (will) have a WLAN which can be used by all our users known in LDAP,  
and we have additional accounts saved in SQL, which can be given to  
guests by our departments and research groups. These accounts are then  
valid for a fixed (preset) number of days since their first usage. To  
check this I wrote a small Perl script which works. So for  
authorization I use in radiusd.conf:

- part of radiusd.conf
# section names in radiusd.conf are authorize / authenticate
authorize {
	Autz-Type WLAN {
		group {
			mpi-sta {
				ok = return
			}
			redundant {
				LdapUser1
				LdapUser2
			}
		}
	}
}

authenticate {
	Auth-Type WLAN {
		mpi-sta {
			notfound = 1
		}
		redundant {
			LdapUser1
			LdapUser2
		}
	}
}


The Auth-Type is set in users according to the huntgroup of the WLAN switch, as
the Perl script does not set Auth-Type (because I did not find any  
documentation on how to set it), so I had to force Auth-Type to WLAN;  
now it works.





Re: MAC authorisation (but not authentication) via LDAP

2007-02-25 Thread Phil Mayers
Markus Krause wrote:
 
 But what if the Auth-Type is not set, for example in a Perl module?  
 (BTW, how can I set the Auth-Type? That would solve my problem here!)
 Example:
 We (will) have a WLAN which can be used by all our users known in LDAP,  
 and we have additional accounts saved in SQL, which can be given to  
 guests by our departments and research groups. These accounts are then  
 valid for a fixed (preset) number of days since their first usage. To  
 check this I wrote a small Perl script which works. So for  
 authorization I use in radiusd.conf:

I'm obviously not understanding what you're trying to do.

Auth-Type is meant solely to be a key that indicates to the server which 
module to call in the authenticate section to execute the 
authentication *algorithm*. The reason setting Auth-Type is so bad is 
that it breaks the ability for the server to correctly detect the 
algorithm and people don't understand why.



Disabling an account is not part of the authentication algorithm, and 
should happen in the authorize section (ideally by setting the 
Expiration attribute built into FreeRadius, but there are cases where 
that's not applicable)

I assume you're using the mpi-sta module to do something like:

if not USERNAME in firstseen:
    firstseen[USERNAME] = now
else:
    if now - firstseen[USERNAME] > VALIDTIME:
        return reject

In which case they'll just get rejected during authorize and the mpi-sta 
module doesn't need to (and SHOULD NOT) appear in the authenticate section.

 
 - part of radiusd.conf
 # section names in radiusd.conf are authorize / authenticate
 authorize {
 	Autz-Type WLAN {
 		group {
 			mpi-sta {
 				ok = return
 			}
 			redundant {
 				LdapUser1
 				LdapUser2
 			}
 		}
 	}
 }
 
 authenticate {
 	Auth-Type WLAN {
 		mpi-sta {
 			notfound = 1
 		}
 		redundant {
 			LdapUser1
 			LdapUser2
 		}
 	}
 }
 
 
 The Auth-Type is set in users according to the huntgroup of the WLAN switch, as
 the Perl script does not set Auth-Type (because I did not find any  
 documentation on how to set it), so I had to force Auth-Type to WLAN;  
 now it works.

It seems a very complicated way of doing something very simple - I 
assume I am misunderstanding you.


(Solved) Re: MAC authorisation (but not authentication) via LDAP

2007-02-25 Thread Martin Whinnery
Martin Whinnery wrote:
 Markus Krause wrote:
   
 Zitat von Martin Whinnery [EMAIL PROTECTED]:

   
 
 Hi.

 Probly just me not understanding...

 What I want is for our switches to only allow access to MAC addresses in
 our LDAP database.

 I don't want to store passwords on our LDAP host entries.

 I'm set up to check LDAP during authorisation, and it correctly returns
 authorised / not authorised depending on whether the appropriate
 attribute contains the right value.

 The trouble comes with authentication - either I set Auth-Type :=
 Accept, in which case and failed authorisation is overridden, or I allow
 authentication to carry on against LDAP ( or System, or whatever ), in
 which case it fails always and access is denied, even for authorised MACs.

 Is there a way to make the Authorisation part final and authoritative?


 As I say, probly just being stoopid.


 Mart


 
   
 don't know if it is a good solution, but I just do this by setting the  
 following in radiusd.conf:

 authenticate {
  ...
  Auth-Type LdapMAC {
 ok
  }
  ...
 }

 the Auth-Type is set in users file depending on huntgroups:

 DEFAULT  Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC

 I assume there are better/smarter solutions, as one can read "don't  
 set Auth-Type" in many places, but it works here ;-)

 regards
markus

   
 
 Thanks Markus,

 the problem seems to be that the authorisation pass returns notfound, 
 whereas I want it to reject, as if it found an entry in LDAP without 
 the appropriate attribute.

 Mart

   
This was exactly the problem. What I've done is created an exec module, 
which checks for 'not found' in MODULE_FAILURE_MESSAGE, returning 
non-zero if there's a match. So authorization *fails* rather than 
succeeds with 'not found'.

I think.

Anyway, it works.

Thanks for all your help.

Mart

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



MAC authorisation (but not authentication) via LDAP

2007-02-24 Thread Martin Whinnery
Hi.

Probly just me not understanding...

What I want is for our switches to only allow access to MAC addresses in 
our LDAP database.

I don't want to store passwords on our LDAP host entries.

I'm set up to check LDAP during authorisation, and it correctly returns 
authorised / not authorised depending on whether the appropriate 
attribute contains the right value.

The trouble comes with authentication - either I set Auth-Type := 
Accept, in which case and failed authorisation is overridden, or I allow 
authentication to carry on against LDAP ( or System, or whatever ), in 
which case it fails always and access is denied, even for authorised MACs.

Is there a way to make the Authorisation part final and authoritative?


As I say, probly just being stoopid.


Mart



Re: MAC authorisation (but not authentication) via LDAP

2007-02-24 Thread Markus Krause
Zitat von Martin Whinnery [EMAIL PROTECTED]:

 Hi.

 Probly just me not understanding...

 What I want is for our switches to only allow access to MAC addresses in
 our LDAP database.

 I don't want to store passwords on our LDAP host entries.

 I'm set up to check LDAP during authorisation, and it correctly returns
 authorised / not authorised depending on whether the appropriate
 attribute contains the right value.

 The trouble comes with authentication - either I set Auth-Type :=
 Accept, in which case and failed authorisation is overridden, or I allow
 authentication to carry on against LDAP ( or System, or whatever ), in
 which case it fails always and access is denied, even for authorised MACs.

 Is there a way to make the Authorisation part final and authoritative?


 As I say, probly just being stoopid.


 Mart


I don't know if it is a good solution, but I just do this by setting the  
following in radiusd.conf:

authenticate {
 ...
 Auth-Type LdapMAC {
ok
 }
 ...
}

the Auth-Type is set in users file depending on huntgroups:

DEFAULT  Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC

I assume there are better/smarter solutions, as one can read "don't  
set Auth-Type" in many places, but it works here ;-)

regards
   markus



+-+
| Markus Krause, Mogli-Soft   |
| Support for Mac OS X, Webmail/Horde, LDAP, RADIUS   |
| by order of the |
|Computing Center of the Max-Planck-Institute of Biochemistry |
+++
| E-Mail: [EMAIL PROTECTED]  |  Tel.: 089 - 89 40 85 99   |
| [EMAIL PROTECTED]  |  Fax.: 089 - 89 40 85 98   |
|  Skype: markus.krause  | iChat: [EMAIL PROTECTED]   |
+++





Re: MAC authorisation (but not authentication) via LDAP

2007-02-24 Thread Phil Mayers
Markus Krause wrote:

 don't know if it is a good solution, but I just do this by setting the  
 following in radiusd.conf:
 
 authenticate {
  ...
  Auth-Type LdapMAC {
 ok
  }
  ...
 }
 
 the Auth-Type is set in users file depending on huntgroups:
 
 DEFAULT  Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
 
 I assume there are better/smarter solutions, as one can read "don't  
 set Auth-Type" in many places, but it works here ;-)

Sorry, but it's an awful suggestion. Don't do it, and certainly don't 
recommend others do it. There's no need to go setting Auth-Type to 
random values.

The correct way to do this is to reject unknown, not blindly accept known.

Example - you could modify the ldap group membership query to find 
groups based on both the username and callingstationid:

groupmembership_filter = "(|(&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id}))(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})))"

Then in ldap:

dn: cn=GoodMacs,dc=example,dc=com
objectClass: top
objectClass: GroupOfMacaddrs
member: 00:11:22:33:44:55
member: 66:77:88:99:aa:bb

Then in the users file:

DEFAULT	Ldap-Group == GoodMacs
	Fall-Through = No

DEFAULT	Auth-Type := Reject
	Reply-Message = "your mac is unknown"

There are lots of variations of this scheme.
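The default-deny scheme from the post above, worked through as an added example. This is not code from the thread or from FreeRADIUS: it stands in for what rlm_ldap and the users file do together, so the directory is an in-memory dict of constructed entries and the objectClass/attribute names (GroupOfMacaddrs, member) follow the post's sketch rather than a real schema. It goes slightly beyond the post in two places a practitioner hits at once: NAS vendors format Calling-Station-Id differently, so the MAC is canonicalised before lookup, and any value interpolated into a hand-built filter is escaped per RFC 4515.

```python
"""Default-deny MAC authorisation, modelled on the scheme in the post.

Added example, not code from the thread or from FreeRADIUS. DIRECTORY is
constructed sample data; GroupOfMacaddrs/GroupOfNames/member are the
names the post uses and are assumptions, not a real schema.
"""
import re

DIRECTORY = {
    "cn=GoodMacs,dc=example,dc=com": {
        "cn": "GoodMacs",
        "objectClass": ["top", "GroupOfMacaddrs"],
        "member": ["00:11:22:33:44:55", "66:77:88:99:aa:bb"],
    },
    "cn=staff,dc=example,dc=com": {
        "cn": "staff",
        "objectClass": ["top", "GroupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(raw):
    """Canonicalise the MAC a NAS sends as Calling-Station-Id.

    Vendors send 00:0B:6B:56:1D:48, 00-0b-6b-56-1d-48 or 000b.6b56.1d48;
    the directory stores one form, so compare a lower-case, colon
    separated string. Returns None for anything that is not a MAC.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", raw or "").lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ldap_escape(value):
    """RFC 4515 escaping for a value interpolated into a search filter.

    rlm_ldap escapes its own %{...} expansions; do this whenever a filter
    is built by hand, because User-Name and Calling-Station-Id are chosen
    by the client and an unescaped ')' or '*' rewrites the query.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def membership_filter(calling_station_id, user_dn):
    """The groupmembership_filter from the post, both values escaped."""
    return (
        "(|(&(objectClass=GroupOfMacaddrs)(member=%s))"
        "(&(objectClass=GroupOfNames)(member=%s)))"
        % (ldap_escape(calling_station_id), ldap_escape(user_dn))
    )


def groups_for(directory, calling_station_id, user_dn):
    """Stand-in for the LDAP server evaluating that filter.

    Returns the cn of every group entry the filter would match; a MAC
    that is in no group yields an empty list, i.e. 'notfound'.
    """
    matched = []
    for entry in directory.values():
        classes = entry.get("objectClass", [])
        members = [m.lower() for m in entry.get("member", [])]
        if "GroupOfMacaddrs" in classes and calling_station_id in members:
            matched.append(entry["cn"])
        elif "GroupOfNames" in classes and user_dn.lower() in members:
            matched.append(entry["cn"])
    return matched


def authorize(directory, calling_station_id, user_dn=""):
    """Default deny, as the users file in the post does.

    The first DEFAULT entry matches 'Ldap-Group == GoodMacs' and stops
    (Fall-Through = No); everything else reaches the second DEFAULT,
    which sets Auth-Type := Reject. 'notfound' therefore never becomes
    an accept, which is the trap described earlier in the thread.
    """
    mac = normalise_mac(calling_station_id)
    if mac is None:
        return ("Reject", "malformed Calling-Station-Id")
    if "GoodMacs" in groups_for(directory, mac, user_dn):
        return ("Accept", "Ldap-Group == GoodMacs")
    return ("Reject", "your mac is unknown")


if __name__ == "__main__":
    for csid in ("00:11:22:33:44:55", "66-77-88-99-AA-BB",
                 "000b.6b56.1d48", "bogus"):
        print(csid, "->", authorize(DIRECTORY, csid))
```

The point to carry back into a real configuration is the shape of `authorize()`: the only path to an accept is a positive group match, and a lookup that returns nothing falls through to the reject entry instead of to whatever authentication method happens to match an empty password.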


Re: MAC authorisation (but not authentication) via LDAP

2007-02-24 Thread Martin Whinnery
Markus Krause wrote:
 Zitat von Martin Whinnery [EMAIL PROTECTED]:

   
 Hi.

 Probly just me not understanding...

 What I want is for our switches to only allow access to MAC addresses in
 our LDAP database.

 I don't want to store passwords on our LDAP host entries.

 I'm set up to check LDAP during authorisation, and it correctly returns
 authorised / not authorised depending on whether the appropriate
 attribute contains the right value.

 The trouble comes with authentication - either I set Auth-Type :=
 Accept, in which case and failed authorisation is overridden, or I allow
 authentication to carry on against LDAP ( or System, or whatever ), in
 which case it fails always and access is denied, even for authorised MACs.

 Is there a way to make the Authorisation part final and authoritative?


 As I say, probly just being stoopid.


 Mart


 
 don't know if it is a good solution, but I just do this by setting the  
 following in radiusd.conf:

 authenticate {
  ...
  Auth-Type LdapMAC {
 ok
  }
  ...
 }

 the Auth-Type is set in users file depending on huntgroups:

 DEFAULT  Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC

 I assume there are better/smarter solutions, as one can read "don't  
 set Auth-Type" in many places, but it works here ;-)

 regards
markus

   
Thanks Markus,

the problem seems to be that the authorisation pass returns notfound, 
whereas I want it to reject, as if it found an entry in LDAP without 
the appropriate attribute.

Mart



Re: MAC authorisation (but not authentication) via LDAP

2007-02-24 Thread Markus Krause
Zitat von Phil Mayers [EMAIL PROTECTED]:

 Markus Krause wrote:

 don't know if it is a good solution, but I just do this by setting the
 following in radiusd.conf:

 authenticate {
  ...
  Auth-Type LdapMAC {
 ok
  }
  ...
 }

 the Auth-Type is set in users file depending on huntgroups:

 DEFAULT  Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type   
 := LdapMAC

 I assume there are better/smarter solutions, as one can read "don't
 set Auth-Type" in many places, but it works here ;-)

 Sorry, but it's an awful suggestion. Don't do it, and certainly don't
 recommend others do it. There's no need to go setting Auth-Type to
 random values.
No need to say sorry, and I did not mean this as a suggestion but  
just to show how I did it, along with the warning that it is not a good  
solution. And I am really open for any suggestions/corrections!

 The correct way to do this is to reject unknown, not blindly accept known.
Hmm, maybe I should have been more precise on what I am doing; at  
least I am not thinking to blindly accept known.
Let me describe the scenario and what I am doing:
We have a RADIUS server which is contacted by a VPN concentrator, a  
WLAN router and several switches which have dynamic ports (with VLAN  
based on MAC) and 802.1x ports (VLAN based on users).
Depending on the huntgroup (chosen via NAS-IP-Address) I am setting  
Auth-Type and Autz-Type. I read in several places that this is  
commonly a very bad idea, but I could not think of another way to solve  
it and it works for me (at least it seems so). Again, I am open for  
any suggestions/corrections!
The users for VPN and WLAN are authenticated/authorized via LDAP user  
entries (&(uid=..)(objectclass=posixaccount)); some accounts for WLAN  
are also stored in SQL (for guests, only valid for a fixed amount of  
days after first usage). The VLANs for users and devices are stored in  
radiusprofiles. Then finally the MAC addresses are stored in a way a  
dhcpd server can understand also, so I do not have redundant entries  
(easier to maintain); all known MAC addresses are therefore accepted,  
unknown are rejected (I am using an LDAP query 'filter =  
(dhcpHWAddress=ethernet %{Stripped-User-Name:-%{User-Name}})' and  
base 'base_filter =  
(|(objectClass=dhcpHost)(objectClass=ipNetwork))' to verify in the  
autz section).
And here again: any suggestions/corrections are really appreciated!

For now (just in testing, not yet fully in production) this solution  
does what it should, but there are certainly better ways to do this!

 Example - you could modify the ldap group membership query to find
 groups based on both the username and callingstationid:

 groupmembership_filter = "(|(&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id}))(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})))"

 Then in ldap:

 dn: cn=GoodMacs,dc=example,dc=com
 objectClass: top
 objectClass: GroupOfMacaddrs
 member: 00:11:22:33:44:55
 member: 66:77:88:99:aa:bb

 Then in the users file:

 DEFAULT	Ldap-Group == GoodMacs
 	Fall-Through = No

 DEFAULT	Auth-Type := Reject
 	Reply-Message = "your mac is unknown"

 There are lots of variations of this scheme.

I am not sure if your approach could really fulfill my needs (no  
redundancy, serving different types of requests) ... but I would  
really like to know ;-)

with best regards
   markus



Re: MAC authorisation (but not authentication) via LDAP

2007-02-24 Thread Markus Krause
Zitat von Martin Whinnery [EMAIL PROTECTED]:
 Thanks Markus,

 the problem seems to be that the authorisation pass returns notfound,
 whereas I want it to reject, as if it found an entry in LDAP without
 the appropriate attribute.

 Mart

Hi Mart,

Ugh, you are of course right, I forgot one important detail, sorry!  
(It has been quite a time since I set this up and it is getting quite  
late in the night now ...)
Directly after the ldap entry in authorize I call a small Perl script  
which checks for $RAD_REQUEST{'Module-Failure-Message'}, and if it  
is set then returns RLM_MODULE_REJECT, so 'notfound' is replaced  
by 'reject'.

I must admit that this actually is a very dirty solution ... I should  
really rethink it (although it works ...)

regards
markus




Re: TTLS-PAP authentication with LDAP bind

2007-01-28 Thread Alan DeKok
Richard Hesse wrote:

 If I force the Mac or Windows supplicants to use TTLS-PAP, the request is 
 never
 passed to radiusd.

  The NAS is broken.

 I don't know what's going on but my AP (Aruba 200) seems to be detecting that
 something isn't right with its AAA server

  Disable the Aruba AAA server.  If you're using FreeRADIUS, you DO NOT
need the Aruba AAA server.

 and not passing the request on. If I change the supplicants to use their 
 default
 settings, the requests are sent to FreeRadius, but the requests fail.
Again,
 the Aruba seems to think that something is wrong and presents its
 certificate instead of my server's.

  Disable the Aruba AAA server.

 Yes, I've run the server in debug mode (there are no requests coming in).

  Then the NAS is broken.

  It's not rocket science:  If FreeRADIUS isn't getting any requests,
then there is NOTHING YOU CAN DO to FreeRADIUS to fix the problem.

  The NAS is broken.  Disable its AAA server.  I can't emphasize that
enough.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


TTLS-PAP authentication with LDAP bind

2007-01-27 Thread Richard Hesse
First off, I'd like to say thanks in advance to anyone who can help me here. 
I've spent the past few days searching the list archives and other sites for 
information on how to accomplish this. The overwhelming message from these 
searches was that it should just work and that the server will figure out 
what to do. Sadly, that's not the case here.

My goals here are straightforward:
-Authorize the user in LDAP if a corresponding entry exists (just checking 
against uid, nothing fancy).
-Support TTLS-PAP and PEAP-GTC. The default Macintosh configuration supports 
PEAP-GTC with no config. SecureW2 will be used for TTLS-PAP on Windows clients.
-Authenticate the user's clear-text password via a simple LDAP bind encrypted 
via TLS. No userPassword attribute checking here. A simple bind is all.

Using version 1.14.

Here's my eap.conf with comments stripped out:
eap {
	default_eap_type = ttls
	timer_expire = 10
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	gtc {
		challenge = "Password: "
		auth_type = PAP
	}
	tls {
		private_key_password = foo
		private_key_file = ${raddbdir}/certs/key.pem
		certificate_file = ${raddbdir}/certs/cert.pem
		CA_file = ${raddbdir}/certs/sf_issuing.pem
		dh_file = ${raddbdir}/certs/dh
		random_file = ${raddbdir}/certs/random
		fragment_size = 1024
		include_length = yes
		check_crl = no
		cipher_list = "DEFAULT"
	}
	ttls {
		default_eap_type = gtc
	}
	peap {
		default_eap_type = gtc
	}
}

Relevant sections of radius.conf are:
ldap {
	server = myserverentry
	basedn = myDN
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	start_tls = yes
	tls_cacertfile = /opt/fedora-ds/alias/intCA.pem
	tls_require_cert = demand
	access_attr = uid
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
}

authorize {
	preprocess
	suffix
	ntdomain
	eap
	files
	ldap
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type LDAP {
		ldap
	}
	eap
}

If I force the Mac or Windows supplicants to use TTLS-PAP, the request is never 
passed to radiusd. I don't know what's going on but my AP (Aruba 200) seems to 
be detecting that something isn't right with its AAA server and not passing the 
request on. If I change the supplicants to use their default settings, the 
requests are sent to FreeRadius, but the requests fail. Again, the Aruba seems 
to think that something is wrong and presents its certificate instead of my 
server's. At one point, I had the clients seeing the server's certificate but I 
can't seem to get back in that state. So I don't think my AP is broken, I'm 
pretty sure it's my FreeRadius config that's broken. The users file is 
unchanged and the proper entries are in clients.

Yes, I've run the server in debug mode (there are no requests coming in).

Thanks,
-richard





 




Wireless authentication via LDAP

2006-09-19 Thread Tho Nguyen


Hello everyone,

does any of you get freeradius working with LDAP and AP 1200? Please let me know. I have a hard time to get this system working. If you don't mind, please forward your configuration to me.

Thanks,
Tho

Re: Wireless authentication via LDAP

2006-09-19 Thread Alan DeKok
Tho Nguyen [EMAIL PROTECTED] wrote:
 does any of you get freeradius working with LDAP and AP 1200?  Please
 let me know.  I have a hard time to get this system working.  If you
 don't mind, please forward your configuration to me.

  Perhaps you could follow the FAQ, README, etc., and post the output
of debugging mode.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Authentication with LDAP

2006-03-23 Thread fvt3
What if you run freeradius with ssl enable, is it
still going to show the authenticating user's password
while connecting to LDAP in debug mode or in log file?

--- Alan DeKok [EMAIL PROTECTED] wrote:

 fvt3 [EMAIL PROTECTED] wrote:
  How do you hide password that is sent to LDAP so
 it
  will not show up in the log and in debug mode
 ..Thanks
  in advance
 
   I don't think the LDAP password is logged
 normally.  But it *is*
 printed out in debugging mode, and that won't
 change.  Printing out
 what the server is doing is the whole point of
 debugging mode.
 
   Alan DeKok.
 
 




Re: Authentication with LDAP

2006-03-22 Thread Alan DeKok
fvt3 [EMAIL PROTECTED] wrote:
 How do you hide password that is sent to LDAP so it
 will not show up in the log and in debug mode ..Thanks
 in advance

  I don't think the LDAP password is logged normally.  But it *is*
printed out in debugging mode, and that won't change.  Printing out
what the server is doing is the whole point of debugging mode.

  Alan DeKok.



CHAP Authentication But LDAP Authorization?

2005-09-09 Thread Adam Tauno Williams
I have CHAP (PEAP) authentication working against my Samba PDC via ntlm_auth.  
I want to use that authentication but have users and their parameters from an
LDAP DSA (that contains the SAM Samba is using).  I see that a radius schema
file is included and has an auxiliary objectclass.  But I can't seem to find
any information on using LDAP for the user database but EAP/ntlm_auth for the
authentication.  Is this possible?

-- 
Adam Tauno Williams - http://www.whitemice.org



Authentication using LDAP on port 636

2005-09-06 Thread Dany Cuyt

Hi,

I installed freeradius 1.0.1 for RHEL4 from  RedHat network.  As an ldap 
server I have Sun Directory server 5.2 patch3 with SSL enabled. I have 
plenty of applications using port 636 to access LDAP (ypldapd from padl, 
/etc/ldap.conf on linux, Mozilla address book, etc..) .  With freeradius 
as long as I  use standard port 389 I don't have problems  to use LDAP, 
but I have problems using port 636 (Can't contact LDAP server).  Or maybe I 
missed something, but I seem to be unable to find a procedure for how to 
set up freeradius using SSL. Any help would be appreciated.


Thanks,
Dany

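The port-636 question above, and the start_tls = yes / tls_require_cert = demand settings in Richard's ldap block earlier on this page, both come down to how the simple bind (which carries the user's password in the clear) reaches the directory. The following is an added example, written for this page and not code from FreeRADIUS, OpenLDAP or Sun Directory Server: it encodes the StartTLS extended request and a simple bind by hand and classifies, from the first bytes on the wire, whether a listener expects TLS (ldaps on 636) or plain BER-framed LDAP (389). The DN uid=a4,dc=example,dc=org and the password are made up.

```python
"""Bare-bones BER encoding of the two LDAP operations that matter when a RADIUS server
hands a user's password to a directory: the simple bind (password in the clear) and the
StartTLS extended request that should precede it on port 389. Added illustration; not
OpenLDAP, Sun DS or FreeRADIUS code. The DN and password used below are made up."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAPv3 StartTLS extended operation (RFC 2830 / RFC 4511)


def ber_len(n: int) -> bytes:
    """ASN.1 definite length: one byte below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    # Non-negative INTEGER; the extra byte keeps the sign bit clear when the top bit is set.
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }
    return tlv(0x30, ber_int(msg_id) + protocol_op)


def starttls_request(msg_id: int) -> bytes:
    # ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    # BindRequest ::= [APPLICATION 0] SEQUENCE {
    #     version INTEGER, name LDAPDN, authentication CHOICE { simple [0] OCTET STRING } }
    body = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, body))


def classify_first_bytes(data: bytes) -> str:
    """Tell from the first bytes whether a peer is talking TLS (ldaps://, port 636)
    or plain BER-framed LDAP (port 389, optionally upgraded with StartTLS)."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"   # TLS record: content type handshake (0x16), protocol version 3.x
    if data and data[0] == 0x30:
        return "ldap"  # BER SEQUENCE tag that starts every LDAPMessage
    return "unknown"


def password_visible(pdu: bytes, password: str) -> bool:
    """True if the bind password sits verbatim in the bytes: this is what StartTLS or
    ldaps:// hides on the wire, and what radiusd -X will still print on the server side."""
    return password.encode() in pdu
```

Writing the plain bind straight to port 636 is the usual cause of "Can't contact LDAP server": that port expects a TLS ClientHello (classify_first_bytes returns "tls"), so the listener drops a PDU that begins with a BER SEQUENCE. Either let the LDAP client library wrap the socket in TLS for 636, or stay on 389 and send starttls_request() before the bind, which is the path Richard's start_tls = yes takes. Note that TLS only protects the wire: the server still holds the cleartext when it binds, which is why debug mode can print it.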


Re: Authorization via LDAP and Files, Authentication via LDAP

2004-10-16 Thread Alan DeKok
Michael Kopp [EMAIL PROTECTED] wrote:
 I installed Freeradius 0.9.3 on the same box, and did a test for the
 notfound=return
 
 and it worked in that version; in Version 1.0.1 it is not working. Could
 somebody acknowledge that?

  I said I would look into it.

  The CVS snapshot from today contains the fix, which will also be in
1.0.2.

  Alan DeKok.




Re: Authorization via LDAP and Files, Authentication via LDAP

2004-10-16 Thread Michael Kopp
 From: Alan DeKok [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Authorization via LDAP and Files, Authentication via LDAP 
 Date: Sat, 16 Oct 2004 12:40:53 -0400
 Reply-To: [EMAIL PROTECTED]
 
 Michael Kopp [EMAIL PROTECTED] wrote:
  I installed Freeradius 0.9.3 on the same box, and did a test for the
  notfound=return
  
  and it worked in that version; in Version 1.0.1 it is not working. Could
  somebody acknowledge that?
 
   I said I would look into it.

Sorry, I didn't want to bother you; I only read the digest form of this list,
so I saw your response only after I wrote this message.

   The CVS snapshot from today contains the fix, which will also be in
 1.0.2.

Thanks again for your great and fast help !!!

Michael



Re: Authorization via LDAP and Files, Authentication via LDAP

2004-10-15 Thread Michael Kopp

Alan DeKok aland[AT]ox.org wrote:

 Michael Kopp michael.kopp[AT]gmx.net wrote:
  radiusd.conf[1559] Unknown configuration directive ldap in authorize
  section.
 ...
  ldap{
 
   Try putting a space in between ldap and {
 
   Alan DeKok.
 
 

hmm, same error as before,

...
 ldap {
 notfound = return
 }
 
 files
...

I also tested 

ldap { notfound = return
}
files

and 

ldap {notfound = return
}
files

and

ldap { notfound=return
}
files

and

ldap {notfound=return
}
files

all combinations result in the same error:

radiusd.conf[1559] Unknown configuration directive ldap in authorize
section.

By the way, I'm using Freeradius 1.0.1.
I tested this now on two different machines:
Sparc Solaris 9 and Intel Debian Linux Sarge.

Regards
Michael



Re: Authorization via LDAP and Files, Authentication via LDAP

2004-10-15 Thread Alan DeKok
Michael Kopp [EMAIL PROTECTED] wrote:
Try putting a space in between ldap and {
 
 hmm, same error as before,

  Weird.  It's supposed to work.  I'll take a look at it.

  Alan DeKok.



Re: Authorization via LDAP and Files, Authentication via LDAP

2004-10-15 Thread Michael Kopp
Hi all,

I installed Freeradius 0.9.3 on the same box, and did a test for the
notfound=return

and it worked in that version; in Version 1.0.1 it is not working. Could
somebody acknowledge that?

If it is a bug, could somebody fix it (maybe for FR 1.0.2) or give me some
hints about which files I have to look at in order to fix it (I'm not very
experienced in programming)?

Regards
Michael


 Alan DeKok aland[AT]ox.org wrote:
 
  Michael Kopp michael.kopp[AT]gmx.net wrote:
   radiusd.conf[1559] Unknown configuration directive ldap in authorize
   section.
  ...
   ldap{
  
Try putting a space in between ldap and {
  
Alan DeKok.
  
  
 
 hmm, same error as before,
 
 ...
  ldap {
  notfound = return
  }
  
  files
 ...
 
 I also tested 
 
 ldap { notfound = return
 }
 files
 
 and 
 
 ldap {notfound = return
 }
 files
 
 and
 
 ldap { notfound=return
 }
 files
 
 and
 
 ldap {notfound=return
 }
 files
 
 all combinations result in the same error:
 
 radiusd.conf[1559] Unknown configuration directive ldap in authorize
 section.
 
 By the way, I'm using Freeradius 1.0.1.
 I tested this now on two different machines:
 Sparc Solaris 9 and Intel Debian Linux Sarge.
 
 Regards
 Michael
 



Re: Authorization via LDAP and Files, Authentication via LDAP

2004-10-14 Thread Michael Kopp
 the 'etc_smbpasswd' module, above.
#   etc_smbpasswd

#
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
ldap{
notfound = return
}

files
#
#  Enforce daily limits on time spent logged in.
#   daily

#
# Use the checkval module
#   checkval
}

Do you need more information to help me?

regards
Michael




--- Weitergeleitete Nachricht / Forwarded Message ---
Date: Tue, 12 Oct 2004 21:50:59 +0200 (MEST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Authorization via LDAP and Files, Authentication via LDAP

Hi all,

I have some problems getting Freeradius to work with the following configuration:
Freeradius should check if the user exists in LDAP and also should authenticate
the user via LDAP.
As we are not planning to integrate the RADIUS-LDAPv3.schema, we
therefore want to add Return-Attributes via the users file.
I read in freeradius/docs/rlm-ldap.txt that I should add { notfound=return }
to the ldap entry in the authorize section.

When doing this I always get the error seen below :

gaia:/usr/local/etc/raddb# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
/usr/local/etc/raddb/radiusd.conf[1654]: Unexpected end of section
Errors reading radiusd.conf


Here is my authorize section of radiusd.conf

authorize {
#
#  The preprocess module takes care of sanitizing some bizarre
#  attributes in the request, and turning them into attributes
#  which are more standard.
#
#  It takes care of processing the 'raddb/hints' and the
#  'raddb/huntgroups' files.
#
#  It also adds the %{Client-IP-Address} attribute to the request.
preprocess

#
#  If you want to have a log of authentication requests,
#  un-comment the following line, and the 'detail auth_log'
#  section, above.
#   auth_log

#   attr_filter

#
#  The chap module will set 'Auth-Type := CHAP' if we are
#  handling a CHAP request and Auth-Type has not already been set
chap

#
#  If the users are logging in with an MS-CHAP-Challenge
#  attribute for authentication, the mschap module will find
#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
#  to the request, which will cause the server to then use
#  the mschap module for authentication.
mschap

#
#  If you are using multiple kinds of realms, you probably
#  want to set ignore_null = yes for all of them.
#  Otherwise, when the first style of realm doesn't match,
#  the other styles won't be checked.
#
suffix
#   ntdomain

#
#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
#  authentication.
#
#  It also sets the EAP-Type attribute in the request
#  attribute list to the EAP type from the packet.
eap
#
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
ldap
{
notfound=return
}

files

#   daily
#   checkval
}

Also it would be great if somebody could give me a hint if this users file
entry is correct for the above situation



radiustest   Service-Type = Framed-User
             Framed-Protocol = PPP,
             Framed-IP-Address = 3.3.3.3

From my understanding Service-Type = Framed-User is now a Check-Item (if
I understand users file syntax correctly), but what I want to achieve is that
there is no Check-Item at all in the users file and only Reply Items are
stated in the users file.

Kind regards

Micheal




Re: Authorization via LDAP and Files, Authentication via LDAP

2004-10-14 Thread Alan DeKok
Michael Kopp [EMAIL PROTECTED] wrote:
 radiusd.conf[1559] Unknown configuration directive ldap in authorize
 section.
...
 ldap{

  Try putting a space in between ldap and {

  Alan DeKok.



Re: Authorization via LDAP and Files, Authentication via LDAP

2004-10-13 Thread Kostas Kalevras
On Tue, 12 Oct 2004 [EMAIL PROTECTED] wrote:

 Hi all,

 I have some problems getting Freeradius to work with the following configuration:
 Freeradius should check if the user exists in LDAP and also should authenticate
 the user via LDAP.
 As we are not planning to integrate the RADIUS-LDAPv3.schema, we
 therefore want to add Return-Attributes via the users file.
 I read in freeradius/docs/rlm-ldap.txt that I should add { notfound=return }
 to the ldap entry in the authorize section.

 When doing this I always get the error seen below :

 gaia:/usr/local/etc/raddb# radiusd -X
 Starting - reading configuration files ...
 reread_config:  reading radiusd.conf
 Config:   including file: /usr/local/etc/raddb/proxy.conf
 Config:   including file: /usr/local/etc/raddb/clients.conf
 Config:   including file: /usr/local/etc/raddb/snmp.conf
 Config:   including file: /usr/local/etc/raddb/eap.conf
 Config:   including file: /usr/local/etc/raddb/sql.conf
 /usr/local/etc/raddb/radiusd.conf[1654]: Unexpected end of section
 Errors reading radiusd.conf


 Here is my authorize section of radiusd.conf

 authorize {
 ldap
 {
 notfound=return
 }

Please do:

ldap{
notfound = return
}


 files

 #   daily
 #   checkval
 }

 Also it would be great if somebody could give me a hint if this users file
 entry is correct for the above situation



 radiustest   Service-Type = Framed-User
              Framed-Protocol = PPP,
              Framed-IP-Address = 3.3.3.3

 From my understanding Service-Type = Framed-User is now a Check-Item (if
 I understand users file syntax correctly), but what I want to achieve is that
 there is no Check-Item at all in the users file and only Reply Items are
 stated in the users file.

radiustest
             Framed-Protocol = PPP,
             Framed-IP-Address = 3.3.3.3

How about that?


 Kind regards

 Micheal







--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

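Whether an item in that users-file entry is a check item or a reply item is decided purely by where it sits: the name line carries the check items, the indented lines that follow carry the reply items, and a trailing comma says another reply line follows. As an added example for this thread (editor's code, not rlm_files or anything from the FreeRADIUS tree), here is a small parser for that layout run over the entry as posted and over the reply-only form suggested in the reply above; both sample entries are constructed to mirror the posted text, and a '#' inside a quoted value is deliberately not handled.

```python
"""Parser for the FreeRADIUS 'users' file layout: the first line of an entry holds the
name and its check items, the indented lines that follow hold reply items, and a
trailing comma marks a continuation. Added illustration for the thread; not rlm_files
code. The sample entries below are constructed to mirror the two variants posted."""
import re
from dataclasses import dataclass, field

# Operators from the users(5) syntax; '=' must come last so ':=' and '==' match first.
OP_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|!=|<=|>=|=~|!~|\+=|=)\s*(.*?)\s*$')
# Split on commas that are not inside double quotes (an even number of quotes follows them).
COMMA_RE = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


@dataclass
class UsersEntry:
    name: str
    check: dict = field(default_factory=dict)   # attr -> (op, value)
    reply: dict = field(default_factory=dict)


def parse_pairs(text: str) -> dict:
    pairs = {}
    for item in COMMA_RE.split(text):
        if not item.strip():
            continue                      # empty slot left by a trailing comma
        m = OP_RE.match(item)
        if not m:
            raise ValueError(f"bad attribute/value pair: {item!r}")
        attr, op, value = m.groups()
        pairs[attr] = (op, value.strip('"'))
    return pairs


def parse_users(text: str) -> list:
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments; '#' inside quotes is not handled
        if not line.strip():
            continue
        if not raw[0].isspace():
            # A line that starts in column 0 opens an entry: name, then check items.
            m = re.match(r"(\S+)\s*(.*)", line)
            current = UsersEntry(m.group(1), parse_pairs(m.group(2)))
            entries.append(current)
        else:
            # Indented lines belong to the current entry and are reply items.
            if current is None:
                raise ValueError("reply line before any entry name")
            current.reply.update(parse_pairs(line.strip()))
    return entries


def reply_only(entry: UsersEntry) -> bool:
    """True when nothing on the name line constrains the match, i.e. no check items."""
    return not entry.check


# Constructed samples: the entry as it was posted, and the reply-only form from the reply.
AS_POSTED = "radiustest\tService-Type = Framed-User\n\tFramed-Protocol = PPP,\n\tFramed-IP-Address = 3.3.3.3\n"
REPLY_ONLY = "radiustest\n\tFramed-Protocol = PPP,\n\tFramed-IP-Address = 3.3.3.3\n"
```

Parsing AS_POSTED puts Service-Type in the check list because it shares the name line; moving it to an indented line, or dropping it as in REPLY_ONLY, leaves an entry with no check items at all.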


Authorization via LDAP and Files, Authentication via LDAP

2004-10-12 Thread michael . kopp
Hi all,

I have some problems getting Freeradius to work with the following configuration:
Freeradius should check if the user exists in LDAP and also should authenticate
the user via LDAP.
As we are not planning to integrate the RADIUS-LDAPv3.schema, we
therefore want to add Return-Attributes via the users file.
I read in freeradius/docs/rlm-ldap.txt that I should add { notfound=return }
to the ldap entry in the authorize section.

When doing this I always get the error seen below :

gaia:/usr/local/etc/raddb# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
/usr/local/etc/raddb/radiusd.conf[1654]: Unexpected end of section
Errors reading radiusd.conf


Here is my authorize section of radiusd.conf

authorize {
#
#  The preprocess module takes care of sanitizing some bizarre
#  attributes in the request, and turning them into attributes
#  which are more standard.
#
#  It takes care of processing the 'raddb/hints' and the
#  'raddb/huntgroups' files.
#
#  It also adds the %{Client-IP-Address} attribute to the request.
preprocess

#
#  If you want to have a log of authentication requests,
#  un-comment the following line, and the 'detail auth_log'
#  section, above.
#   auth_log

#   attr_filter

#
#  The chap module will set 'Auth-Type := CHAP' if we are
#  handling a CHAP request and Auth-Type has not already been set
chap

#
#  If the users are logging in with an MS-CHAP-Challenge
#  attribute for authentication, the mschap module will find
#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
#  to the request, which will cause the server to then use
#  the mschap module for authentication.
mschap

#
#  If you are using multiple kinds of realms, you probably
#  want to set ignore_null = yes for all of them.
#  Otherwise, when the first style of realm doesn't match,
#  the other styles won't be checked.
#
suffix
#   ntdomain

#
#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
#  authentication.
#
#  It also sets the EAP-Type attribute in the request
#  attribute list to the EAP type from the packet.
eap
#
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
ldap
{
notfound=return
}

files

#   daily
#   checkval
}

Also it would be great if somebody could give me a hint if this users file
entry is correct for the above situation



radiustest   Service-Type = Framed-User
             Framed-Protocol = PPP,
             Framed-IP-Address = 3.3.3.3

From my understanding Service-Type = Framed-User is now a Check-Item (if
I understand users file syntax correctly), but what I want to achieve is that
there is no Check-Item at all in the users file and only Reply Items are
stated in the users file.

Kind regards

Micheal







RE: RE: Fwd: Re: Wireless authentication via LDAP and PEAP

2004-09-15 Thread sayantan bhowmick
Hi,
Well, we are looking at a time frame of Jan/Feb 2005 for the complete
product. However, we will be submitting patches at regular intervals to
freeradius.
Sayantan

Sorry for not making the distinction. It's all Novell to me ;-) 

Any ETA? 

Peter

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Sayantan
Bhowmick
Sent: Monday, 13 September 2004 7:30 PM
To: [EMAIL PROTECTED]
Subject: Re: RE: Fwd: Re: Wireless authentication via LDAP and PEAP

CHAP. No EAP or MSCHAP yet. 

Novell Radius which was bundled with NMAS / Border Manager does have
support for CHAP. Novell is working on a new FreeRadius based Radius
solution that will support all the above mentioned methods. Again
eDirectory on its own does not support CHAP,EAP,MS-CHAP.
Sayantan

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Friday, 10 September 2004 10:39 PM
To: [EMAIL PROTECTED] 
Subject: Re: Fwd: Re: Wireless authentication via LDAP and PEAP 

Sayantan Bhowmick [EMAIL PROTECTED] wrote:
   Novell is working towards making FreeRADIUS work with eDirectory.
 This will allow eDirectory users to authenticate via FreeRADIUS.

 Does eDirectory do CHAP, MS-CHAP, or EAP?

 Alan DeKok.





RE: RE: Fwd: Re: Wireless authentication via LDAP and PEAP

2004-09-14 Thread Peter Hicks
Sorry for not making the distinction. It's all Novell to me ;-) 

Any ETA? 

Peter

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sayantan
Bhowmick
Sent: Monday, 13 September 2004 7:30 PM
To: [EMAIL PROTECTED]
Subject: Re: RE: Fwd: Re: Wireless authentication via LDAP and PEAP

CHAP. No EAP or MSCHAP yet. 

Novell Radius which was bundled with NMAS / Border Manager does have
support for CHAP. Novell is working on a new FreeRadius based Radius
solution that will support all the above mentioned methods. Again
eDirectory on its own does not support CHAP,EAP,MS-CHAP.
Sayantan

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Friday, 10 September 2004 10:39 PM
To: [EMAIL PROTECTED] 
Subject: Re: Fwd: Re: Wireless authentication via LDAP and PEAP 

Sayantan Bhowmick [EMAIL PROTECTED] wrote:
   Novell is working towards making FreeRADIUS work with eDirectory.
 This will allow eDirectory users to authenticate via FreeRADIUS.

 Does eDirectory do CHAP, MS-CHAP, or EAP?

 Alan DeKok.




Re: Fwd: Re: Wireless authentication via LDAP and PEAP

2004-09-13 Thread Sayantan Bhowmick
Hi,
  Novell is working towards making FreeRADIUS work with eDirectory.
This will allow eDirectory users to authenticate via FreeRADIUS.
regards
Sayantan 

Hmm... We can do that already. Just use EAP-TTLS/PAP and have
freeradius authenticate via an LDAP bind rather than a password
compare.
It works great for me.

That's correct. But it is not possible to use password-based
authentication methods such as MS-CHAP and EAP. For this, the user's plain
text password should be available at the radius server side. We are
going to make the plain text password available to the radius server to
allow support for these password-based authentication methods.
eDirectory on its own does not support CHAP, EAP etc.
Regards
Sayantan





Re: RE: Fwd: Re: Wireless authentication via LDAP and PEAP

2004-09-13 Thread Sayantan Bhowmick
CHAP. No EAP or MSCHAP yet. 

Novell Radius which was bundled with NMAS / Border Manager does have
support for CHAP. Novell is working on a new FreeRadius based Radius
solution that will support all the above mentioned methods. Again
eDirectory on its own does not support CHAP,EAP,MS-CHAP.
Sayantan

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Friday, 10 September 2004 10:39 PM
To: [EMAIL PROTECTED] 
Subject: Re: Fwd: Re: Wireless authentication via LDAP and PEAP 

Sayantan Bhowmick [EMAIL PROTECTED] wrote:
   Novell is working towards making FreeRADIUS work with eDirectory.
 This will allow eDirectory users to authenticate via FreeRADIUS.

 Does eDirectory do CHAP, MS-CHAP, or EAP?

 Alan DeKok.




RE: Fwd: Re: Wireless authentication via LDAP and PEAP

2004-09-12 Thread Peter Hicks
CHAP. No EAP or MSCHAP yet. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, 10 September 2004 10:39 PM
To: [EMAIL PROTECTED]
Subject: Re: Fwd: Re: Wireless authentication via LDAP and PEAP 

Sayantan Bhowmick [EMAIL PROTECTED] wrote:
   Novell is working towards making FreeRADIUS work with eDirectory.
 This will allow eDirectory users to authenticate via FreeRADIUS.

  Does eDirectory do CHAP, MS-CHAP, or EAP?

  Alan DeKok.



Fwd: Re: Wireless authentication via LDAP and PEAP

2004-09-10 Thread Sayantan Bhowmick
Hi,
  Novell is working towards making FreeRADIUS work with eDirectory.
This will allow eDirectory users to authenticate via FreeRADIUS.
regards
Sayantan 



Re: Fwd: Re: Wireless authentication via LDAP and PEAP

2004-09-10 Thread Alan DeKok
Sayantan Bhowmick [EMAIL PROTECTED] wrote:
   Novell is working towards making FreeRADIUS work with eDirectory.
 This will allow eDirectory users to authenticate via FreeRADIUS.

  Does eDirectory do CHAP, MS-CHAP, or EAP?

  Alan DeKok.



Fwd: Re: Wireless authentication via LDAP and PEAP

2004-09-10 Thread David Hart
 [EMAIL PROTECTED] 9/9/2004 10:59:31 PM 
Hi,
  Novell is working towards making FreeRADIUS work with eDirectory.
This will allow eDirectory users to authenticate via FreeRADIUS.
regards
Sayantan 

Hmm... We can do that already. Just use EAP-TTLS/PAP and have
freeradius authenticate via an LDAP bind rather than a password compare.
It works great for me.


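David's "just use EAP-TTLS/PAP with an LDAP bind" and Sayantan's "MS-CHAP and EAP need the plain text password on the server" are two sides of one property: a bind can only tell the server whether a password is right, while a challenge/response method needs the server to recompute the client's answer from the password itself. The following added example (editor's code, not FreeRADIUS or eDirectory code) models that with a bind-only directory, PAP as carried inside EAP-TTLS/PAP or PEAP/GTC, and RFC 1994 CHAP standing in for MS-CHAPv2/LEAP, which use the NT hash and DES but leave the server in exactly the same position. The user a4 and its password are made up.

```python
"""Why an LDAP bind is enough for TTLS/PAP and PEAP/GTC but not for CHAP-style methods.
Added illustration for the thread; not FreeRADIUS or eDirectory code. The directory,
user name and password are made up. CHAP (RFC 1994, MD5) stands in for MS-CHAPv2 and
LEAP, which hash differently (NT hash, DES) but share the property that matters here:
the server must recompute the client's response from the secret."""
import hashlib
import hmac
import os


class BindOnlyDirectory:
    """A DSA that stores only a salted hash of userPassword ({SSHA}-style) and answers
    a bind with yes/no. It can never hand the cleartext back to the caller."""

    def __init__(self):
        self._entries = {}

    def add_user(self, uid: str, password: str) -> None:
        salt = os.urandom(8)
        self._entries[uid] = (salt, hashlib.sha1(password.encode() + salt).digest())

    def bind(self, uid: str, password: str) -> bool:
        rec = self._entries.get(uid)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """Client side of CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class RadiusAuthenticator:
    def __init__(self, directory: BindOnlyDirectory, known_good=None):
        self.directory = directory
        # Passwords the server can read directly (cleartext here; for MS-CHAP the NT hash
        # would do). Empty unless the directory exposes them, which is what Novell's
        # eDirectory work described above sets out to add.
        self.known_good = known_good or {}

    def pap(self, uid: str, password: str) -> bool:
        # TTLS/PAP and PEAP/GTC deliver the password inside the TLS tunnel, so the
        # server can simply bind to the directory as the user with it.
        return self.directory.bind(uid, password)

    def chap(self, uid: str, ident: int, challenge: bytes, response: bytes):
        """True/False when the response can be checked; None when the server holds no
        known good password for the user and therefore has nothing to compare against."""
        secret = self.known_good.get(uid)
        if secret is None:
            return None
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)
```

The bind-only server accepts or rejects PAP correctly but returns None for every CHAP attempt, no matter how the challenge is chosen; only a server that also holds the secret can reach a verdict. Tunnelling the password (TTLS/PAP, PEAP/GTC) is therefore the way to keep a hash-only directory, and MS-CHAPv2 is only an option once the directory can supply the cleartext or NT hash.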


Wireless authentication via LDAP and PEAP

2004-09-08 Thread Jon Stahler


Hi again,

Here is the eap.conf file referenced in my previous message.

eap.conf
***

#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#	$Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $
#
	eap {
		#  Invoke the default supported EAP type when
		#  EAP-Identity response is received.
		#
		#  The incoming EAP messages DO NOT specify which EAP
		#  type they will be using, so it MUST be set here.
		#
		#  For now, only one default EAP type may be used at a time.
		#
		#  If the EAP-Type attribute is set by another module,
		#  then that EAP type takes precedence over the
		#  default type configured here.
		#
		default_eap_type = peap

		#  A list is maintained to correlate EAP-Response
		#  packets with EAP-Request packets.  After a
		#  configurable length of time, entries in the list
		#  expire, and are deleted.
		#
		timer_expire = 60

		#  There are many EAP types, but the server has support
		#  for only a limited subset.  If the server receives
		#  a request for an EAP type it does not support, then
		#  it normally rejects the request.  By setting this
		#  configuration to "yes", you can tell the server to
		#  instead keep processing the request.  Another module
		#  MUST then be configured to proxy the request to
		#  another RADIUS server which supports that EAP type.
		#
		#  If another module is NOT configured to handle the
		#  request, then the request will still end up being
		#  rejected.
		ignore_unknown_eap_types = no

		#  Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
		#  a User-Name attribute in an Access-Accept, it copies one
		#  more byte than it should.
		#
		#  We can work around it by configurably adding an extra
		#  zero byte.
		cisco_accounting_username_bug = no

		#  Supported EAP-types
		#

		#
		#  We do NOT recommend using EAP-MD5 authentication
		#  for wireless connections.  It is insecure, and does
		#  not provide for dynamic WEP keys.
		#
		#md5 {
		#}

		#  Cisco LEAP
		#
		#  We do not recommend using LEAP in new deployments.  See:
		#  http://www.securiteam.com/tools/5TP012ACKE.html
		#
		#  Cisco LEAP uses the MS-CHAP algorithm (but not
		#  the MS-CHAP attributes) to perform its authentication.
		#
		#  As a result, LEAP *requires* access to the plain-text
		#  User-Password, or the NT-Password attributes.
		#  'System' authentication is impossible with LEAP.
		#
		#leap {
		#}

		#  Generic Token Card.
		#
		#  Currently, this is only permitted inside of EAP-TTLS,
		#  or EAP-PEAP.  The module "challenges" the user with
		#  text, and the response from the user is taken to be
		#  the User-Password.
		#
		#  Proxying the tunneled EAP-GTC session is a bad idea,
		#  the users password will go over the wire in plain-text,
		#  for anyone to see.
		#
		#gtc {
			#  The default challenge, which many clients
			#  ignore..
			#challenge = "Password: "

			#  The plain-text response which comes back
			#  is put into a User-Password attribute,
			#  and passed to another module for
			#  authentication.  This allows the EAP-GTC
			#  response to be checked against plain-text,
			#  or crypt'd passwords.
			#
			#  If you say "Local" instead of "PAP", then
			#  the module will look for a User-Password
			#  configured for the request, and do the
			#  authentication itself.
			#
			#auth_type = PAP
		#}

		#
		#  EAP-TLS
		#
		#  To generate ctest certificates, run the script
		#
		#	../scripts/certs.sh
		#
		#  The documents on http://www.freeradius.org/doc
		#  are old, but may be helpful.
		#
		#  See also:
		#
		#  http://www.dslreports.com/forum/remark,9286052~mode=flat
		#
		#tls {
			#private_key_password = SiFi2003
			#private_key_file = ${raddbdir}/certs/cert-srv.pem

			#  If Private key & Certificate are located in
			#  the same file, then private_key_file &
			#  certificate_file must contain the same file
			#  name.
			#certificate_file = ${raddbdir}/certs/cert-srv.pem

			#  Trusted Root CA list
			#CA_file = ${raddbdir}/certs/demoCA/cacert.pem

			#dh_file = ${raddbdir}/certs/dh
			#random_file = ${raddbdir}/certs/random

			#
			#  This can never exceed the size of a RADIUS
			#  packet (4096 bytes), and is preferably half
			#  that, to accommodate other attributes in
			#  RADIUS packet.  On most APs the MAX packet
			#  length is configured between 1500 - 1600
			#  In these cases, fragment size should be
			#  1024 or less.
			#
			#fragment_size = 1024

			#  include_length is a flag which is
			#  by default set to yes If set to
			#  yes, Total Length of the message is
			#  included in EVERY packet we send.
			#  If set to no, Total Length of the
			#  message is included ONLY in the
			#  First packet of a fragment series.
			#
			#include_length = yes

			#  Check the Certificate Revocation List
			#
			#  1) Copy CA certificates and CRLs to same directory.
			#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
			#    'c_rehash' is OpenSSL's command.
			#  3) Add 'CA_path=<CA certs&CRLs directory>'
			#      to radiusd.conf's tls section.
			#  4) uncomment the line below.
			#  5) Restart radiusd
			#check_crl = yes

			#
			#  If check_cert_cn is set, the value will
			#  be xlat'ed and checked against the CN
			#  in the client certificate.  If the values
			#  do not match, the certificate verification
			#  will fail rejecting the user.
			#
			# check_cert_cn = %{User-Name}
		#}

		#  The TTLS module implements the EAP-TTLS protocol,
		#  which can

Wireless authentication via LDAP and PEAP

2004-09-08 Thread Jon Stahler


Hello folks,

I've been trying to setup FreeRadius in order to authenticate my wireless users against my Novell eDirectory via the built in LDAP server. Here is what is happening in my current situation:

I connect wirelessly to AP. Enter authentication information into Windows XP (SP2, if that matters) and click OK.

On the Radius screen, I see that the request is sent to the LDAP server. The EAP module of FreeRadius responds OK over and over and over again infinitely until I either kill my wireless connection or the server thread. I'm never given an IP address via WPA after authentication. Something is not working correctly. I can radping the server and get an auth accept message back, but nothing from the AP.

I have read that most access points need PEAP, as does Windows XP. So I looked in my radiusd.conf file and found NO REFERENCE in it to PEAP. However, I found an eap.conf file in the same directory which does make reference to PEAP. I have typed in an $INCLUDE line in the radiusd.conf to point to this and commented out all other eap references in the EAP section of radiusd.conf.

I have only uncommented PEAP and MSCHAPV2 in my EAP.CONF file. When I go to start radius via radiusd -X I get the following error:

eap: default_eap_type = "peap"
eap: timer_expire = 60
rlm_eap: Invalid type name peap cannot be linked
radiusd.conf[9]: eap: Module instantiation failed.

Did something not compile correctly? I reran the install sequence and did not see any errors regarding anything other than the configuration files (which would already be present). Is there a file somewhere where I need to manually link the peap module? I have even configured and installed the module separately with no errors by going to the src/modules/rlm_eap/types/rlm_eap_peap folder and have had no luck.

I'm not a Linux guru, so this may perhaps be my fault. I do, however, need to get this working in fairly short order for a project we have coming up in the next month.

Thanks for any assistance you can provide. I have already sent the eap.conf file (sorry...first two messages refused). I can send my radiusd.conf under separate cover if necessary.


RE: Wireless authentication via LDAP and PEAP

2004-09-08 Thread Guy Davies
Hi Jon,

You haven't configured EAP-TLS despite the fact that it clearly says in the notes in the PEAP section that for PEAP to work EAP-TLS must be enabled even if you don't plan to use EAP-TLS specifically. Uncomment the tls section and configure it with your server's certificate, etc, and everything will work just fine.

Regards,

Guy

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Stahler
Sent: 08 September 2004 20:50
To: [EMAIL PROTECTED]
Subject: Wireless authentication via LDAP and PEAP

Hi again,

Here is the eap.conf file referenced in my previous message.

eap.conf
***

#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#   $Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $
#
eap {
#  Invoke the default supported EAP type when
#  EAP-Identity response is received.
#
#  The incoming EAP messages DO NOT specify which EAP
#  type they will be using, so it MUST be set here.
#
#  For now, only one default EAP type may be used at a time.
#
#  If the EAP-Type attribute is set by another module,
#  then that EAP type takes precedence over the
#  default type configured here.
#
default_eap_type = peap

#  A list is maintained to correlate EAP-Response
#  packets with EAP-Request packets.  After a
#  configurable length of time, entries in the list
#  expire, and are deleted.
#
timer_expire = 60

#  There are many EAP types, but the server has support
#  for only a limited subset.  If the server receives
#  a request for an EAP type it does not support, then
#  it normally rejects the request.  By setting this
#  configuration to "yes", you can tell the server to
#  instead keep processing the request.  Another module
#  MUST then be configured to proxy the request to
#  another RADIUS server which supports that EAP type.
#
#  If another module is NOT configured to handle the
#  request, then the request will still end up being
#  rejected.
ignore_unknown_eap_types = no

# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no

# Supported EAP-types

#
#  We do NOT recommend using EAP-MD5 authentication
#  for wireless connections.  It is insecure, and does
#  not provide for dynamic WEP keys.
#
#   md5 {
#   }

# Cisco LEAP
#
#  We do not recommend using LEAP in new deployments.  See:
#  http://www.securiteam.com/tools/5TP012ACKE.html
#
#  Cisco LEAP uses the MS-CHAP algorithm (but not
#  the MS-CHAP attributes) to perform it's authentication.
#
#  As a result, LEAP *requires* access to the plain-text
#  User-Password, or the NT-Password attributes.
#  'System' authentication is impossible with LEAP.
#
#   leap {
#   }

#  Generic Token Card.
#
#  Currently, this is only permitted inside of EAP-TTLS,
#  or EAP-PEAP.  The module "challenges" the user with
#  text, and the response from the user is taken to be
#  the User-Password.
#
#  Proxying the tunneled EAP-GTC session is a bad idea,
#  the users password will go over the wire in plain-text,
#  for anyone to see.
#
#   gtc {
#  The default challenge, which many clients
#  ignore..
#challenge = "Password: "

#  The plain-text response which comes back
#  is put into a User-Password attribute,
#  and passed to another module for
#  authentication.  This allows the EAP-GTC
#  response to be checked against plain-text,
#  or crypt'd passwords.
#
#  If you say "Local" instead of "PAP", then
#  the module will look for a User-Password
#  configured for the request, and do the
#  authentication itself.
#
#auth_type = PAP
#   }

## EAP-TLS
#
#  To generate ctest certificates, run the script
#
#   ../scripts/certs.sh
#
#  The documents on http://www.freeradius.org/doc
#  are old, but may be helpful.
#
#  See also:
#
#  http://www.dslreports.com/forum/remark,9286052~mode=flat
#
#   tls {
#       private_key_password = SiFi2003
#       private_key_file = ${raddbdir}/certs/cert-srv.pem
#  If Private key & Certificate are located in
#  the same file, then private_key_file &
#  certificate_file must contain the same file
#  name.
#       certificate_file = ${raddbdir}/certs/cert-srv.pem
#  Trusted Root CA list
#       CA_file = ${raddbdir}/certs/demoCA/cacert.pem
#       dh_file = ${raddbdir}/certs/dh
#       random_file = ${raddbdir}/certs/random
#
#  This can never exc
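The PEAP-without-TLS misconfiguration Guy points at, as an added check (example code written for this page, not the poster's configuration and not a FreeRADIUS tool): it parses an eap.conf in the syntax quoted above and reports when peap is selected while the tls section is still commented out or lacks its certificate settings. The names parse_conf, lint_eap and REQUIRED_TLS and the BROKEN/FIXED sample configs are assumptions made for the example.

```python
# Added example, not code from the thread or from FreeRADIUS: a lint for the
# eap.conf mistake discussed here, default_eap_type = peap while the tls
# section PEAP depends on is still commented out.  Assumes the eap.conf
# syntax shown on the page: '#' comments, 'key = value', 'name {' ... '}'.
import re

def parse_conf(text):
    """Parse eap.conf-style text into nested dicts; commented lines vanish."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # this file has no quoted '#'
        if not line:
            continue
        m = re.match(r'^(\w+)\s*\{$', line)
        if m:                                 # open a nested section
            cur[m.group(1)] = sub = {}
            stack.append(cur)
            cur = sub
        elif line == '}':                     # close the current section
            cur = stack.pop()
        else:
            key, _, val = line.partition('=')
            cur[key.strip()] = val.strip().strip('"')
    return root

# Settings the tls section must carry before rlm_eap can link the peap type.
REQUIRED_TLS = ('private_key_file', 'certificate_file', 'CA_file')

def lint_eap(conf):
    """Return the problems that would make 'peap' fail to load."""
    eap = conf.get('eap', {})
    if eap.get('default_eap_type') != 'peap' and 'peap' not in eap:
        return []                             # PEAP not in use, nothing to check
    tls = eap.get('tls')
    if tls is None:
        return ['peap requested but the tls section is commented out or missing']
    return [f'tls section lacks {k}' for k in REQUIRED_TLS if k not in tls]

# Constructed sample mirroring the poster's file: the tls block is still
# commented out, which the replies identify as the cause of the
# "Invalid type name peap" error.
BROKEN = """
eap {
    default_eap_type = peap
#   tls {
#       private_key_file = ${raddbdir}/certs/cert-srv.pem
#       certificate_file = ${raddbdir}/certs/cert-srv.pem
#       CA_file = ${raddbdir}/certs/demoCA/cacert.pem
#   }
}
"""
# The fix from the replies: uncomment the tls block (only those lines start
# with '#' in this sample, so stripping a leading '#' is safe here).
FIXED = re.sub(r'(?m)^#', '', BROKEN)
```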

RE: Wireless authentication via LDAP and PEAP

2004-09-08 Thread Jon Stahler
Hi Guy,

When I do that, it tells me that I don't have a server cert.  The LDAP
server is my netware box, not the linux box.  I'm confused as to how to
make a cert in this situation.  Please help.

Also, how would this cause a module unknown error?

Jon Stahler
Manager of Systems Services
Illinois Fire Service Institute
11 Gerty Drive
Champaign, IL 61820
(217) 333-2163
 [EMAIL PROTECTED] 09/08/04 3:04 PM 
Hi Jon,
 
You haven't configured EAP-TLS despite the fact that it clearly says in
the notes in the PEAP section that for PEAP to work EAP-TLS must be
enabled even if you don't plan to use EAP-TLS specifically.  Uncomment
the tls section and configure it with your server's certificate, etc,
and everything will work just fine.
 
Regards,
 
Guy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jon
Stahler
Sent: 08 September 2004 20:50
To: [EMAIL PROTECTED]
Subject: Wireless authentication via LDAP and PEAP


Hi again,
 
Here is the eap.conf file referenced in my previous message.
 

eap.conf
***
 
 #
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#   $Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $
#
eap {
#  Invoke the default supported EAP type when
#  EAP-Identity response is received.
#
#  The incoming EAP messages DO NOT specify which EAP
#  type they will be using, so it MUST be set here.
#
#  For now, only one default EAP type may be used at a time.
#
#  If the EAP-Type attribute is set by another module,
#  then that EAP type takes precedence over the
#  default type configured here.
#
default_eap_type = peap

#  A list is maintained to correlate EAP-Response
#  packets with EAP-Request packets.  After a
#  configurable length of time, entries in the list
#  expire, and are deleted.
#
timer_expire = 60

#  There are many EAP types, but the server has support
#  for only a limited subset.  If the server receives
#  a request for an EAP type it does not support, then
#  it normally rejects the request.  By setting this
#  configuration to yes, you can tell the server to
#  instead keep processing the request.  Another module
#  MUST then be configured to proxy the request to
#  another RADIUS server which supports that EAP type.
#
#  If another module is NOT configured to handle the
#  request, then the request will still end up being
#  rejected.
ignore_unknown_eap_types = no

# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no

# Supported EAP-types

#
#  We do NOT recommend using EAP-MD5 authentication
#  for wireless connections.  It is insecure, and does
#  not provide for dynamic WEP keys.
#
#   md5 {
#   }

# Cisco LEAP
#
#  We do not recommend using LEAP in new deployments.  See:
#  http://www.securiteam.com/tools/5TP012ACKE.html
#
#  Cisco LEAP uses the MS-CHAP algorithm (but not
#  the MS-CHAP attributes) to perform it's authentication.
#
#  As a result, LEAP *requires* access to the plain-text
#  User-Password, or the NT-Password attributes.
#  'System' authentication is impossible with LEAP.
#
#   leap {
#   }

#  Generic Token Card.
#
#  Currently, this is only permitted inside of EAP-TTLS,
#  or EAP-PEAP.  The module challenges the user with
#  text, and the response from the user is taken to be
#  the User-Password.
#
#  Proxying the tunneled EAP-GTC session is a bad idea,
#  the users password will go over the wire in plain-text,
#  for anyone to see.
#
#   gtc {
#  The default challenge, which many clients
#  ignore..
#challenge = Password: 

#  The plain-text response which comes back
#  is put into a User-Password attribute,
#  and passed to another module for
#  authentication.  This allows the EAP-GTC
#  response to be checked against plain-text,
#  or crypt'd passwords.
#
#  If you say Local instead of PAP, then
#  the module will look for a User-Password
#  configured

RE: Wireless authentication via LDAP and PEAP

2004-09-08 Thread Guy Davies
Hi Jon,

You *must* create a certificate for the RADIUS server.  That is the
certificate about which it is complaining.  You need to use something
like OpenSSL (on the box running RADIUS?) or Microsoft's Certificate
Services (on a Windows Server 2000/2003 box).  Once you've created it
and placed it onto the RADIUS server (in PEM format) then you can
reference the certificate and key in the tls module.  If you don't do
this, your peap module will never work.

The module unknown error refers to the fact (I think) that you haven't
initialised the tls module that is being referenced by the peap module.

Regards,

Guy

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Jon Stahler
 Sent: 08 September 2004 21:23
 To: [EMAIL PROTECTED]
 Subject: RE: Wireless authentication via LDAP and PEAP
 
 
 Hi Guy,
 
 When I do that, it tells me that I don't have a server cert.  
 The LDAP server is my netware box, not the linux box.  I'm 
 confused as to how to make a cert in this situation.  Please help.
 
 Also, how would this cause a module unknown error?
 
 Jon Stahler
 Manager of Systems Services
 Illinois Fire Service Institute
 11 Gerty Drive
 Champaign, IL 61820
 (217) 333-2163
  [EMAIL PROTECTED] 09/08/04 3:04 PM 
 Hi Jon,
  
 You haven't configured EAP-TLS despite the fact that it 
 clearly says in the notes in the PEAP section that for PEAP 
 to work EAP-TLS must be enabled even if you don't plan to use 
 EAP-TLS specifically.  Uncomment the tls section and 
 configure it with your server's certificate, etc, and 
 everything will work just fine.
  
 Regards,
  
 Guy
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Jon Stahler
 Sent: 08 September 2004 20:50
 To: [EMAIL PROTECTED]
 Subject: Wireless authentication via LDAP and PEAP
 
 
 Hi again,
  
 Here is the eap.conf file referenced in my previous message.
  
 
 eap.conf
 ***
  
  #
 #  Whatever you do, do NOT set 'Auth-Type := EAP'.  The 
 server #  is smart enough to figure this out on its own.  The 
 most #  common side effect of setting 'Auth-Type := EAP' is 
 that the #  users then cannot use ANY other authentication method. #
 #   $Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $
 #
 eap {
 #  Invoke the default supported EAP type when
 #  EAP-Identity response is received.
 #
 #  The incoming EAP messages DO NOT specify which EAP
 #  type they will be using, so it MUST be set here.
 #
 #  For now, only one default EAP type may be used at a time.
 #
 #  If the EAP-Type attribute is set by another module,
 #  then that EAP type takes precedence over the
 #  default type configured here.
 #
 default_eap_type = peap
 
 #  A list is maintained to correlate EAP-Response
 #  packets with EAP-Request packets.  After a
 #  configurable length of time, entries in the list
 #  expire, and are deleted.
 #
 timer_expire = 60
 
 #  There are many EAP types, but the server has support
 #  for only a limited subset.  If the server receives
 #  a request for an EAP type it does not support, then
 #  it normally rejects the request.  By setting this
 #  configuration to yes, you can tell the server to
 #  instead keep processing the request.  Another module
 #  MUST then be configured to proxy the request to
 #  another RADIUS server which supports that EAP type.
 #
 #  If another module is NOT configured to handle the
 #  request, then the request will still end up being
 #  rejected.
 ignore_unknown_eap_types = no
 
 # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
 # a User-Name attribute in an Access-Accept, it copies one
 # more byte than it should.
 #
 # We can work around it by configurably adding an extra
 # zero byte.
 cisco_accounting_username_bug = no
 
 # Supported EAP-types
 
 #
 #  We do NOT recommend using EAP-MD5 authentication
 #  for wireless connections.  It is insecure, and does
 #  not provide for dynamic WEP keys.
 #
 #   md5 {
 #   }
 
 # Cisco LEAP
 #
 #  We do not recommend using LEAP in new deployments.  See:
 #  http://www.securiteam.com/tools/5TP012ACKE.html
 #
 #  Cisco LEAP uses the MS-CHAP algorithm (but not
 #  the MS-CHAP attributes) to perform it's authentication.
 #
 #  As a result, LEAP *requires* access to the plain-text
 #  User-Password, or the NT-Password attributes.
 #  'System' authentication is impossible with LEAP.
 #
 #   leap {
 #   }
 
 #  Generic Token Card.
 #
 #  Currently

Re: Wireless authentication via LDAP and PEAP

2004-09-08 Thread David Hart
 [EMAIL PROTECTED] 9/8/2004 12:51:33 PM 
 
I've been trying to setup FreeRadius in order to authenticate my
wireless users against my Novell eDirectory via the built in LDAP
server.

Unless you've implemented the 'simple password' feature in eDirectory
or added a custom password attribute to the directory, you'll need to
use EAP-TTLS/PAP rather than PEAP and set up freeradius to authenticate
via an LDAP bind. The reason is that for PEAP to work, the LDAP server
needs access to the clear text or NT-hashed password, which is not the
case with native eDirectory passwords. EAP-TTLS support is not built
into Windows, so unless your NIC driver supports it directly, you'll
need a 3rd party supplicant.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Wireless authentication via LDAP and PEAP

2004-09-08 Thread Alan DeKok
Jon Stahler [EMAIL PROTECTED] wrote:
 Ok...So explain to me how I get my Access Point to authenticate against
 my eDirectory users.

  It's nit-picking in terminology: LDAP is a database, RADIUS is an
authentication protocol.  eDirectory stores the user information,
FreeRADIUS uses that information to authenticate users.

  If you use the wrong terminology, then the solutions you try will be
wrong.

 Input clear-text passwords into LDAP how exactly?  The passwords come
 from eDirectory.

  Exactly.  eDirectory stores passwords, and FreeRADIUS retrieves
them.

  Look in your eDirectory schema to see where passwords are stored.

  If there are no passwords, you'll have to add them to the database.

  Alan DeKok.


