Re: Authentication using LDAP for 802.1x
On 19.06.2013 14:11, Marco Streich wrote:
> Hi all
>
> We have deployed FreeRADIUS on OS X before, but our configuration was
> rather ugly. What we would do is authenticate users locally, having the
> machine attached to our OpenDirectory server directly using the "Connect
> Network Account Server" functionality provided by OS X.
>
> I have seen this question getting asked a lot but still wasn't able to
> fill my gap in understanding the whole process.

I will make it short and easy. You can't do LDAP authentication with
802.1x. EAP needs the password of the user in cleartext. If it's not in
your LDAP, you're screwed.

And the debug log explains it:

> WARNING: No "known good" password was found in LDAP. Are you sure that
> the user is configured correctly?
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> [snip]
>
> At this moment, I cannot wrap my mind around what is going on here. I
> understand that ldap tries to authenticate the user by itself, instead
> of handing it to the LDAP server. But what is different when I run
> radtest?
>
> Debug from radtest:
>
> ...
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group LDAP {...}
> [ldap] login attempt by "a4" with password "whatever"
> [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
> [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
> [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to ldap.hopro.edu:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] user a4 authenticated successfully
> ++[ldap] returns ok
> ...

This works because you're doing PAP. With radtest the user password is
sent in cleartext, so YES you can authenticate with LDAP because you can
BIND to the LDAP with the provided password. You don't have this password
with 802.1x/EAP; you work only with challenges, hashes and keys.

Olivier

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication using LDAP for 802.1x
Hi,

> I will make it short and easy. You can't do LDAP authentication with
> 802.1x. EAP needs the password of the user in cleartext. If it's not in
> your LDAP, you're screwed.

..EAP-TTLS/PAP ? ;-)

alan
Re: Authentication using LDAP for 802.1x
On 19/06/13 13:11, Marco Streich wrote:
> When I run radtest from my laptop, the authentication is successful:

radtest does not send EAP. Download the wpa_supplicant sources and
compile eapol_test to test EAP.

> WARNING: No "known good" password was found in LDAP. Are you sure that
> the user is configured correctly?

This suggests your LDAP server does not contain, or is not returning,
password info. So auth would probably have failed...

> [ttls] eaptls_verify returned 11
> [ttls] TLS 1.0 Alert [length 0002], warning close_notify
> TLS Alert read:warning:close notify
> [ttls] WARNING: No data inside of the tunnel.

...except it never gets as far as the inner tunnel because the client
drops the EAP session. Most likely the client doesn't trust the server
cert.
Re: Authentication using LDAP for 802.1x
On Wed, Jun 19, 2013 at 02:49:21PM +0200, Olivier Beytrison wrote:
> On 19.06.2013 14:11, Marco Streich wrote:
>> We have deployed FreeRADIUS on OS X before, but our configuration was
>> rather ugly. What we would do is authenticate users locally, having the
>> machine attached to our OpenDirectory server directly using the "Connect
>> Network Account Server" functionality provided by OS X.
>
> I will make it short and easy. You can't do LDAP authentication with
> 802.1x. EAP needs the password of the user in cleartext. If it's not in
> your LDAP, you're screwed.

Not entirely true.

With PAP (which is what radtest is doing) you can work without a
cleartext password, as auth is (generally) based on an LDAP bind.

With EAP-TTLS/PAP, you can also work with just the hash in LDAP, as (same
as clear PAP) you get the password from the client to do a bind with.

With EAP-TTLS/MSCHAP or PEAP/EAP-MSCHAP etc. you need the cleartext
password from LDAP - auth is done by checking this in FreeRADIUS, not by
a bind to LDAP.

>> [ldap] login attempt by "a4" with password "whatever"
>> [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
>> [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
>> [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to ldap.hopro.edu:389
>> [ldap] waiting for bind result ...
>> [ldap] Bind was successful
>> [ldap] user a4 authenticated successfully
>> ++[ldap] returns ok
>
> This works because you're doing PAP. With radtest the user password is
> sent in cleartext, so YES you can authenticate with LDAP because you can
> BIND to the LDAP with the provided password. You don't have this
> password with 802.1x/EAP; you work only with challenges, hashes and keys.

Apple OS X can do EAP-TTLS/PAP as far as I am aware (native Windows 8
can't), so this should work.

I don't recognise the error you're getting, though - it looks like the
client gave up and sent an empty packet.

Note you don't need ldap configured in the outer for 802.1X to work - the
outer is just doing EAP. It's the inner that will need the ldap modules.

Some other comments:

 - Upgrade from 2.1.12 to 2.2.x, as there are security issues pre 2.2.x.
 - Save yourself some round trip packets by setting
   "default_eap_type = ttls" in eap.conf.
 - Save yourself some LDAP lookups by removing ldap from the outer.

Cheers

Matthew

--
Matthew Newton, Ph.D. <m...@le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
Re: Authentication using LDAP for 802.1x
Hi,

> Some other comments:
>
>  - Upgrade from 2.1.12 to 2.2.x, as there are security issues pre 2.2.x.
>  - Save yourself some round trip packets by setting
>    "default_eap_type = ttls" in eap.conf.
>  - Save yourself some LDAP lookups by removing ldap from the outer.

..and save some more hits to LDAP by wrapping the call to it in the
authorization stage to just the EAP Identity packet :-)

alan
Re: Authentication using LDAP for 802.1x
On 19.06.2013 16:02, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Some other comments:
>>
>>  - Upgrade from 2.1.12 to 2.2.x, as there are security issues pre 2.2.x.
>>  - Save yourself some round trip packets by setting
>>    "default_eap_type = ttls" in eap.conf.
>>  - Save yourself some LDAP lookups by removing ldap from the outer.
>
> ..and save some more hits to LDAP by wrapping the call to it in the
> authorization stage to just the EAP Identity packet :-)

That's pretty interesting, what's the if() you're doing to achieve that?

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
Re: Authentication using LDAP for 802.1x
On 19/06/13 15:32, Olivier Beytrison wrote:
> On 19.06.2013 16:02, a.l.m.bu...@lboro.ac.uk wrote:
>> Hi,
>>
>>> Some other comments:
>>>
>>>  - Upgrade from 2.1.12 to 2.2.x, as there are security issues pre 2.2.x.
>>>  - Save yourself some round trip packets by setting
>>>    "default_eap_type = ttls" in eap.conf.
>>>  - Save yourself some LDAP lookups by removing ldap from the outer.
>>
>> ..and save some more hits to LDAP by wrapping the call to it in the
>> authorization stage to just the EAP Identity packet :-)
>
> That's pretty interesting, what's the if() you're doing to achieve that?

He he he... if I recall correctly I came up with something like:

server inner-tunnel {
  authorize {
    eap

    # stop processing authorize on eap identity or mschap success/fail
    if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
      noop
    }
    else {
      # rest of config goes here
    }
  }
}

Note however that you can avoid this in master versions of the server
with:

server inner-tunnel {
  authorize {
    eap {
      ok = return
    }
  }
}

...as the EAP module was updated to return "ok" on identity/mschap
responses. Yet another reason to upgrade!
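As an added example (not from the post and not FreeRADIUS code), a decoder for the EAP-Message octets that the condition above inspects, so it is visible which inner-tunnel packets it skips the LDAP lookup for: EAP framing as in RFC 3748, MS-CHAPv2 op-codes as in RFC 2759, with constructed sample packets. The function names (parse_eap, skip_ldap_lookup, regex_half, describe) and the assumption that FreeRADIUS 2.x presents EAP-Message to the regex as a "0x"-prefixed hex string are this example's own.

```python
# Added example (not from the post or from FreeRADIUS): decode the EAP-Message
# octets that the "evil unlang" condition inspects, to show which inner-tunnel
# packets skip the LDAP lookup. EAP framing: RFC 3748. MS-CHAPv2 op-codes:
# RFC 2759. Assumes FreeRADIUS 2.x hands the regex a "0x..." hex rendering of
# the octets attribute. Every sample packet below is constructed.
import re
from dataclasses import dataclass
from typing import Optional

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1          # the "EAP-Type == 1" half of the condition
EAP_TYPE_MSCHAPV2 = 26         # the "1a" in the regex
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
EVIL_REGEX = re.compile(r"^0x02..00061a..$")   # verbatim from the unlang above


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]    # None for Success/Failure, which carry no Type
    data: bytes


def parse_eap(raw: bytes) -> EapPacket:
    """Split an EAP packet into its header fields; rejects a wrong Length."""
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 octets")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"Length field {length} does not match {len(raw)} octets")
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response packets carry a Type octet")
        return EapPacket(code, ident, length, raw[4], raw[5:])
    return EapPacket(code, ident, length, None, raw[4:])


def freeradius_hex(raw: bytes) -> str:
    """How FreeRADIUS 2.x prints an octets attribute such as EAP-Message."""
    return "0x" + raw.hex()


def regex_half(raw: bytes) -> bool:
    """The literal  EAP-Message[0] =~ /^0x02..00061a..$/  test."""
    return EVIL_REGEX.match(freeradius_hex(raw)) is not None


def skip_ldap_lookup(raw: bytes) -> bool:
    """True when the authorize section above reaches 'noop' (no ldap call).
    Spelled out structurally rather than via the regex: a Response of Type
    Identity, or a 6-octet MS-CHAPv2 Response, i.e. one that is only an
    OpCode (the client acknowledging Success/Failure) and carries no
    password material, so there is nothing for ldap to contribute."""
    pkt = parse_eap(raw)
    if pkt.code != EAP_CODE_RESPONSE:
        return False
    if pkt.eap_type == EAP_TYPE_IDENTITY:
        return True
    return pkt.eap_type == EAP_TYPE_MSCHAPV2 and pkt.length == 6


def describe(raw: bytes) -> str:
    """Label for a packet, handy when reading radiusd -X output."""
    pkt = parse_eap(raw)
    if pkt.eap_type is None:
        return {3: "EAP-Success", 4: "EAP-Failure"}.get(pkt.code, f"EAP code {pkt.code}")
    if pkt.eap_type == EAP_TYPE_IDENTITY:
        return f"Identity {pkt.data.decode('utf-8', 'replace')!r}"
    if pkt.eap_type == EAP_TYPE_MSCHAPV2 and pkt.data:
        return "MS-CHAPv2 " + MSCHAPV2_OPCODES.get(pkt.data[0], f"opcode {pkt.data[0]}")
    return f"EAP type {pkt.eap_type}"


def build_response(ident: int, eap_type: int, data: bytes) -> bytes:
    """Constructed sample: an EAP Response with a correct Length field."""
    length = 5 + len(data)
    return bytes([EAP_CODE_RESPONSE, ident]) + length.to_bytes(2, "big") \
        + bytes([eap_type]) + data


# Constructed inner-tunnel packets in the order a PEAP/MS-CHAPv2 exchange sees them.
IDENTITY_RESP = build_response(1, EAP_TYPE_IDENTITY, b"anonymous")
# MS-CHAPv2 Response: OpCode 2, Id, MS-Length, Value-Size 49, 49-octet Response
# (peer challenge, reserved, NT-Response; zero-filled here), then Name.
CHALLENGE_RESP = build_response(2, EAP_TYPE_MSCHAPV2,
                                bytes([2, 2]) + (54 + 5).to_bytes(2, "big")
                                + bytes([49]) + bytes(49) + b"alice")
SUCCESS_ACK = build_response(3, EAP_TYPE_MSCHAPV2, bytes([3]))   # 0x0203 0006 1a 03

if __name__ == "__main__":
    for pkt in (IDENTITY_RESP, CHALLENGE_RESP, SUCCESS_ACK):
        print(f"{describe(pkt):<22} regex: {regex_half(pkt)!s:<5} skip ldap: {skip_ldap_lookup(pkt)}")
```

Only the Identity response and the one-octet Success/Failure acknowledgement are short-circuited; the real MS-CHAPv2 Response (the one carrying the NT-Response) still reaches ldap.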
Re: Authentication using LDAP for 802.1x
Hi,

> He he he... if I recall correctly I came up with something like:

yes, that's the one. Quoted as 'most evil unlang ever' if I recall. Have
used it on many occasions... does the job well.

> ...as the EAP module was updated to return "ok" on identity/mschap
> responses. Yet another reason to upgrade!

yep... as well as proper pools of LDAP servers in 3.x

alan
Re: Radius authentication against LDAP question
One question relating to this is about the /etc/raddb/users file. It
doesn't seem to work as it's documented. If I have a group set to be
rejected based on its membership like this:

DEFAULT Group=disabled, Auth-Type:=Reject

radius doesn't even check for group membership. The only way it seems to
get directed to check membership is with a negative check (!=):

DEFAULT LDAP-Group!=newgroup, Auth-Type:=Reject

Regardless, I still can't figure out what filter would validate the user
newuser as a member of newgroup:

performing search in cn=accounts,dc=abc,dc=xyz, with filter (&(cn=newgroup)(&(memberOf=cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz)(uid=newuser)))

This is the output of the ldapsearch that shows the group and the fact
that the user is a member:

# LDAPv3
# base <cn=accounts,dc=abc,dc=xyz> with scope subtree
# filter: (&(cn=newgroup))
# requesting: ALL
#

# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapsergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: switch administrators
gidNumber: 89586
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-question-tp5713463p5713503.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Radius authentication against LDAP question
g17jimmy wrote:
> One question relating to this is about the /etc/raddb/users file. It
> doesn't seem to work as it's documented.

  Well... no.

> If I have a group set to be rejected based on its membership like this:
>
> DEFAULT Group=disabled, Auth-Type:=Reject
>
> radius doesn't even check for group membership. The only way it seems
> to get directed to check membership is with a negative check (!=).

  See "man users". Use "Group == ...". The operators do different things.

> DEFAULT LDAP-Group!=newgroup, Auth-Type:=Reject
>
> Regardless, I still can't figure out what filter would validate the
> user newuser as a member of newgroup:

  LDAP-Group == newgroup

  Everyone else is using it.

  Alan DeKok.
Re: Radius authentication against LDAP question
Cool, thanks for pointing that out. My brain filtered out the '==', been
staring at this screen too long.
Radius authentication against LDAP question
How do I enable FreeRADIUS to not only authenticate a user but also verify
a specific attribute for the user? I've been going through the docs but
this is escaping me.

Thanks.
Re: Radius authentication against LDAP question
On Thu, May 31, 2012 at 10:05 AM, Jimmy <g17ji...@gmail.com> wrote:
> How do I enable FreeRADIUS to not only authenticate a user but also
> verify a specific attribute for the user? I've been going through the
> docs but this is escaping me. Thanks.

I'm not sure if this will help, but I have a tutorial on how to configure
two-factor authentication through FreeRADIUS with authorization by
OpenLDAP. The setup uses access_attr = "dialupAccess". I bet you can use
whatever.

http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius

HTH,

Nick

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
Re: Radius authentication against LDAP question
Nick-

I have found that we can use any attribute for the access, but I'm trying
to expand our use of radius for another type of user login. In this case
I've created an LDAP group for the new user role and have created a new
radius virtual server to service the specific authentication and
accounting. I have added the group membership checking to the ldap
module, and set the filter for posixGroup. The meaningful config changes
and output are below:

=== /etc/raddb/modules/ldap (excerpt)

groupname_attribute = cn
groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"

=== /etc/raddb/users

DEFAULT LDAP-Group!=newgroup, Auth-Type:=Reject
        Reply-Message = "You are not allowed to connect"

=== radiusd -X (excerpt)

[files] expand: (&(objectclass=posixGroup)(memberUid=%u)) -> (&(objectclass=posixGroup)(memberUid=newhuser))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=accounts,dc=abc,dc=xyz, with filter (&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser)))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group newgroup not found or user is not a member.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Reject

=== ldapsearch output

# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapusergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: new group
gidNumber: 89586
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz
Re: Radius authentication against LDAP question
Playing with ldapsearch I see that the search string that radiusd -X is
reporting to use indeed does not work:

= ldapsearch filter (from radiusd -X)
performing search in cn=accounts,dc=abc,dc=xyz, with filter (&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser)))
=

Returns no entries. If I run ldapsearch with
(&(cn=newgroup)(&(objectclass=posixGroup))) - removing the memberUid
entry - it returns the entry for the group itself, so something is wrong
with how I have the member uid configured.

= ldapsearch filter (filter trimmed to group)
ldapsearch -x -b cn=accounts,dc=abc,dc=xyz "(&(cn=newgroup)(&(objectclass=posixGroup)))"
# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=abc,dc=xyz> with scope subtree
# filter: (&(cn=newgroup)(&(objectclass=posixGroup)))
# requesting: ALL
#

# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapsergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: switch administrators
gidNumber: 89586
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Any ideas? Thanks.
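The three group filters tried in this thread, evaluated against the group entry that ldapsearch returned, as an added example (not from the thread and not rlm_ldap code): a minimal LDAP filter evaluator plus a helper that does what rlm_ldap's LDAP-Group check does, AND the configured groupmembership_filter with (cn=<group>) and look for the group entry. The LDIF is a trimmed copy of the entry posted above; LdapFilter, ldap_group_matches and the already-expanded filter strings are this example's own names.

```python
# Added example (not from the thread): a small evaluator for LDAP search
# filters (RFC 4515 subset: &, |, !, attr=value) run against the "newgroup"
# entry from the ldapsearch output above, to show why each filter in the
# thread did or did not match. The entry below is a trimmed, constructed copy.
from typing import Dict, List, Tuple

Node = Tuple[str, list]

NEWGROUP_LDIF = """\
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
cn: newgroup
gidNumber: 89586
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz
"""

USER_DN = "uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz"


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """One LDIF entry -> {attribute (lower-cased): [values]}."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


class LdapFilter:
    """Parses '(&(a=b)(|(c=d)(!(e=f))))' into a tree and evaluates it."""

    def __init__(self, text: str):
        self.text, self.pos = text, 0
        self.tree = self._node()
        if self.pos != len(text):
            raise ValueError(f"trailing text after filter at offset {self.pos}")

    def _take(self, ch: str) -> None:
        if self.pos >= len(self.text) or self.text[self.pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.pos}: {self.text!r}")
        self.pos += 1

    def _node(self) -> Node:
        self._take("(")
        op = self.text[self.pos] if self.pos < len(self.text) else ""
        if op in ("&", "|"):
            self.pos += 1
            items = []
            while self.pos < len(self.text) and self.text[self.pos] == "(":
                items.append(self._node())
            self._take(")")
            return (op, items)
        if op == "!":
            self.pos += 1
            item = self._node()
            self._take(")")
            return ("!", [item])
        end = self.text.find(")", self.pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, eq, value = self.text[self.pos:end].partition("=")
        if not eq or not attr:
            raise ValueError(f"only attr=value items are supported: {self.text[self.pos:end]!r}")
        self.pos = end + 1
        return ("=", [attr.strip().lower(), value])   # first '=' splits; DN values keep theirs

    def matches(self, entry: Dict[str, List[str]]) -> bool:
        return self._eval(self.tree, entry)

    def _eval(self, node: Node, entry: Dict[str, List[str]]) -> bool:
        op, args = node
        if op == "&":
            return all(self._eval(n, entry) for n in args)
        if op == "|":
            return any(self._eval(n, entry) for n in args)
        if op == "!":
            return not self._eval(args[0], entry)
        attr, value = args
        # DNs and objectClass names compare case-insensitively; good enough here.
        return any(v.lower() == value.lower() for v in entry.get(attr, []))


def ldap_group_matches(groupmembership_filter: str, groupname: str,
                       group_entry: Dict[str, List[str]],
                       groupname_attribute: str = "cn") -> bool:
    """What rlm_ldap's LDAP-Group check does: AND the configured
    groupmembership_filter with (<groupname_attribute>=<group>) and search
    for the *group* entry, not the user entry."""
    combined = f"(&({groupname_attribute}={groupname}){groupmembership_filter})"
    return LdapFilter(combined).matches(group_entry)


# The filters from the thread, after %u / Ldap-UserDn expansion.
POSIX_FILTER = "(&(objectclass=posixGroup)(memberUid=newuser))"   # entry has no memberUid
MEMBEROF_FILTER = "(&(memberOf=cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz)(uid=newuser))"  # describes the user
MEMBER_DN_FILTER = f"(&(objectclass=groupOfNames)(member={USER_DN}))"   # matches the member: line

if __name__ == "__main__":
    entry = parse_ldif(NEWGROUP_LDIF)
    for name, flt in (("posixGroup/memberUid", POSIX_FILTER),
                      ("memberOf", MEMBEROF_FILTER),
                      ("groupOfNames/member", MEMBER_DN_FILTER)):
        print(f"{name:<22} -> {ldap_group_matches(flt, 'newgroup', entry)}")
```

The posted group entry lists the user under member: (groupOfNames style) and has no memberUid value, so only the member=<user DN> form can match it; a memberOf filter describes the user entry, which the group search never looks at.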
Problem: FreeRadius Authentication using LDAP
Hi,

I have configured FreeRADIUS to authenticate against LDAP. I have
installed and configured FreeRADIUS on a FreeBSD server and LDAP is
already set up on another server. I configured as below (changes to the
files are shown in bold):

*/usr/local/etc/raddb/modules/ldap :*

ldap {
        # Define the LDAP server and the base domain name
        server = *localhost*
        basedn = *dc=example,dc=com*

        # Define which attribute from an LDAP "ldapsearch" query
        # is the password. Create a filter to extract the password
        # from the "ldapsearch" output
        password_attribute = userPassword
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # The following are RADIUS defaults
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

*/usr/local/etc/raddb/sites-enabled/default :*

authorize {
        ...
        ...
        #
        # The ldap module will set Auth-Type to LDAP if it has not
        # already been set
        ldap
        ...
        ...
}

Auth-Type LDAP {
        ldap
}

Also, the same type of modifications have been made to
*/usr/local/etc/raddb/sites-enabled/inner-tunnel*. Also, a change has been
made to the users file adding LDAP user authentication. But when I run
the "radiusd -X" command to run FreeRADIUS in debug mode, it gives the
following error:

/usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': file not found
/usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to load module "ldap".
/usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to parse "ldap" entry.

I don't know what to do. I would appreciate anyone's ideas. Do I need to
configure anything if I have the FreeRADIUS server on one machine and the
LDAP server on another machine? They are not on the same machine/host.

Thanks
Re: Problem: FreeRadius Authentication using LDAP
suggestme wrote:
> But when I run the "radiusd -X" command to run FreeRADIUS in debug mode,
> it gives the following error:
>
> /usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': file not found
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to load module "ldap".
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[237]: Failed to parse "ldap" entry.

  This is in the FAQ.

  Alan DeKok.
Re: Problem: FreeRadius Authentication using LDAP
Alan,

Are you talking about the following FAQ:
http://wiki.freeradius.org/FAQ#How+do+I+make+CHAP+work+with+LDAP%3F

I have followed the same configuration method it suggests. Or is there
any other FAQ entry which mentions this error and a method to solve it?

Thank you so much for your suggestion.
Re: Problem: FreeRadius Authentication using LDAP
suggestme wrote:
> Are you talking about the following FAQ:

  No. I meant the FAQ entry which talked about being unable to load a
module. The example is rlm_mysql, but the underlying cause and solution
is the same.

  Alan DeKok.
freeradius authentication from ldap to local
Hello,

Server freeradius and authentication with user in file to use it is good,
but if authentication on openldap server then it does not work. Somebody
has the files modules/ldap and sites-enabled/inner-server which work with
openldap authentication? Because the concern is the tunnel TLS which does
not go(take) up between WiFi AP8600 and the customer seven Windows pro in
PEAP / Mschapv2.

Thank you for your help

Cordially
Re: freeradius authentication from ldap to local
On Sat, May 7, 2011 at 5:34 PM, rene.go...@laposte.net <rene.go...@laposte.net> wrote:
> Hello,
>
> Server freeradius and authentication with user in file to use it is
> good, but if authentication on openldap server then it does not work.
> Somebody has the files modules/ldap and sites-enabled/inner-server which
> work with openldap authentication? Because the concern is the tunnel TLS
> which does not go(take) up between WiFi AP8600 and the customer seven
> Windows pro in PEAP / Mschapv2.
>
> Thank you for your help
>
> Cordially

You're giving me a headache. What the heck is "TLS which does not
go(take) up" or "seven Windows pro"? Try writing questions in a way that
other people can understand them. Otherwise no one will be able to help
you.

As for your problem, try reading the FAQ first:
http://wiki.freeradius.org/index.php/FAQ

Don't forget the section "It still doesn't work".

Another note that may help you: mschap requires that you have a plain
text password, or authenticate against Active Directory. So if you don't
have a plaintext password in your openldap schema, then it will never
work. Period.

--
Fajar
ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
Can someone please help provide a clue into the problems with using
ntlm_auth in a FreeRADIUS config running on Debian. The user/password
information is held in the LDAP server. I have been able to authenticate
successfully with packets coming from non-EAP clients. But for EAP
authentication clients, I have been receiving the following error lines.
(I am using

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00}"

to call the LDAP server.)

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=otha1_00
[mschap] mschap2: 18
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=b06bae6a129ec4e7
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=c0bec1a04bdd9fb489ef30a2bc22e5806405493ac2038167
Exec-Program output: Invalid handle (0xc008)
Exec-Program-Wait: plaintext: Invalid handle (0xc008)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\026E=691 R=1"
        EAP-Message = 0x04160004
        Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\026E=691 R=1"
        EAP-Message = 0x04160004
        Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.

Clement
Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
> The user/password information is held in the LDAP server. I have been
> able to authenticate successfully with packets coming from non-EAP
> clients. But for EAP authentication clients, I have been receiving the
> following error lines. (I am using
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00}"
>
> to call the LDAP server.)

ntlm_auth is for Active Directory. Comment out the ntlm_auth line in the
mschap module and it will work as long as you have a clear or NT-hashed
password stored in LDAP.

Ivan Kalik
Kalik Informatika ISP
RE: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
OK. I have done that, but it still returned the error below!

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE

Clement

-----Original Message-----
From: freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: 03 July 2009 12:17
To: FreeRadius users mailing list
Subject: Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server

> The user/password information is held in the LDAP server. [...] (I am
> using ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00}"
> to call the LDAP server.)

ntlm_auth is for Active Directory. Comment out the ntlm_auth line in the
mschap module and it will work as long as you have a clear or NT-hashed
password stored in LDAP.

Ivan Kalik
Kalik Informatika ISP
Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
On 03.07.2009 at 13:24, Clement Ogedengbe wrote:
> OK. I have done that, but it still returned the error below!
>
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for otha1_00 with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect

You have either Cleartext-Password or NT-Password defined in your LDAP
database, haven't you? If not, see:
http://deployingradius.com/documents/protocols/compatibility.html

Have a nice day!

> ++[mschap] returns reject
> [eap] Freeing handler
> ++[eap] returns reject
> Failed to authenticate the user.
> } # server inner-tunnel
> [peap] Got tunneled reply code 3
>         MS-CHAP-Error = "\010E=691 R=1"
>         EAP-Message = 0x04080004
>         Message-Authenticator = 0x
> [peap] Got tunneled reply RADIUS code 3
>         MS-CHAP-Error = "\010E=691 R=1"
>         EAP-Message = 0x04080004
>         Message-Authenticator = 0x
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
>
> Clement
>
> -----Original Message-----
> From: freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+c.ogedengbe=worc.ac...@lists.freeradius.org] On Behalf Of Ivan Kalik
> Sent: 03 July 2009 12:17
> To: FreeRadius users mailing list
> Subject: Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
>
>> The user/password information is held in the LDAP server. [...] (I am
>> using ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00}"
>> to call the LDAP server.)
>
> ntlm_auth is for Active Directory. Comment out the ntlm_auth line in the
> mschap module and it will work as long as you have a clear or NT-hashed
> password stored in LDAP.
>
> Ivan Kalik
> Kalik Informatika ISP

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: ntlm_auth problem using EAP-TLS with MSCHAP authentication to LDAP server
hi,

is the required config in your inner-tunnel? i.e. is LDAP defined at all?

alan
Assistance with FreeRADIUS and Windows Authentication via LDAP
Hello,

I am running FreeRADIUS version 1.1.3. I'm trying to set up LDAP
authentication for Windows users accessing our networking devices,
especially Cisco switches and routers. Windows authentication is working
properly on my FreeRADIUS server, but I'm trying to figure out how to
give different users special privilege access without providing them the
enable password. I'd like to specify another security group, providing
them a read-only or special privilege mode with their Windows account.

Is this possible? I'm new to using FreeRADIUS, please help.

Thanks,

Edwin
Re: Assistance with FreeRADIUS and Windows Authentication via LDAP
> I am running FreeRADIUS version 1.1.3.

Why? Upgrade to the current version.

> I'm trying to set up LDAP authentication for Windows users accessing our
> networking devices, especially Cisco switches and routers. Windows
> authentication is working properly on my FreeRADIUS server, but I'm
> trying to figure out how to give different users special privilege
> access without providing them the enable password. I'd like to specify
> another security group, providing them a read-only or special privilege
> mode with their Windows account.
>
> Is this possible?

Yes. Send them the priv-level Cisco AVpair. You will need to add that
attribute mapping to ldap.attrmap.

Ivan Kalik
Kalik Informatika ISP
Re: Assistance with FreeRADIUS and Windows Authentication via LDAP
Edwin Isada wrote:
> I am running FreeRADIUS version 1.1.3.

  Why?

> I'm trying to set up LDAP authentication for Windows users accessing our
> networking devices, especially Cisco switches and routers. Windows
> authentication is working properly on my FreeRADIUS server, but I'm
> trying to figure out how to give different users special privilege
> access without providing them the enable password. I'd like to specify
> another security group, providing them a read-only or special privilege
> mode with their Windows account.
>
> Is this possible? I'm new to using FreeRADIUS, please help.

  Yes, it's possible. See doc/rlm_ldap for doing LDAP group checking in
the server.

  You should use a new version of the server, not one that is 2-3 years
old.

  Alan DeKok.
MSCHAP Authentication and LDAP Group Membership checking
: NT_KEY: 1E79BE41DB018B9E293DA357E6E5EA0D
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
Login OK: [voila\\webtest] (from client VPN port 1151 cli 123.111.6.76)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 83 to 10.2.1.6 port 1059
        MS-CHAP2-Success = 0x00533d3136423031434136463832333133373034393432393943303539423539334346434433314336
        MS-MPPE-Recv-Key = 0x5e34def484a9a9c160f712e90322bca0
        MS-MPPE-Send-Key = 0x2f644ea60d80525ed0b13527ca916aae
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 83 with timestamp +888
Ready to process requests.

It appears that MSCHAP is used to verify the password but LDAP is not properly checking the VPN-Users AD group. I believe it is not stripping the domain portion off correctly, as I see the domain name appended to (sAMAccountName=voila\5cwebtest).

My users file entries (the first entry I would like to be used by the concentrator to search the group and, if the user is a member, allow them access, of course authenticating the provided password):

DEFAULT LDAP-Group == vpn-users
        Fall-Through = Yes

This entry is for our network switches/routers; this appears to be working without any issue.

DEFAULT LDAP-Group == Radius-Admin
        Service-Type = Login-User,
        cisco-avpair = shell:priv-lvl=15,
        Fall-Through = Yes

If I log in from my network devices it performs the ldap searches without issue and authenticates/authorizes the user. You can see this below:

rlm_ldap: performing search in dc=voila,dc=com, with filter (&(cn=vpn-users)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom
rlm_ldap::ldap_groupcmp: User found in group vpn-users
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 178
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=voila,dc=com -> dc=voila,dc=com
        expand: (|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:LDAP-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter (&(cn=Radius-Admin)(|(&(objectClass=group)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dzkms\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom
rlm_ldap::ldap_groupcmp: User found in group Radius-Admin
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 181
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for zkms
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=zkms)
        expand: dc=voila,dc=com -> dc=voila,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=zkms)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user zkms authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type LDAP
auth: type LDAP
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by "zkms" with password "Omitted"
rlm_ldap: user DN: CN=zkms,CN=Users,DC=voila,DC=com
rlm_ldap: (re)connect to control.voila.com:389, authentication 1
rlm_ldap: bind as CN=zkms,CN=Users,DC=voila,DC=com/Omitted to control.voila.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user zkms authenticated successfully

Thanks in advance for any pointers.

--
View this message in context: http://www.nabble.com/MSCHAP-Authentication-and-LDAP-Group-Membership-checking-tp19321178p19321178.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
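The poster suspects the VPN failure comes from the NT domain prefix reaching the LDAP filter. The Python below is an added example, not code from the post or from FreeRADIUS, that models the two pieces involved: how rlm_ldap escapes a search-filter value per RFC 4515 (backslash becomes \5c, which is exactly why the log shows (sAMAccountName=voila\5cwebtest) for a User-Name of voila\webtest), and what the filter becomes once a prefix realm has stripped the domain and populated Stripped-User-Name, as the ldap filter (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) expects. Unstripped, the search can only hit a sAMAccountName that literally contains a backslash, so the user search finds nothing and there is no LDAP-UserDn for the group comparison to use. The escaping is also the security boundary: the last sample shows an attacker-supplied User-Name that tries to inject filter syntax and gets neutralised. The names strip_realm and samaccountname_filter and the sample user names other than those in the post are assumptions made for the example.

```python
from typing import Optional, Tuple

# RFC 4515 section 3: characters that must be escaped inside an LDAP
# search-filter assertion value, each replaced by a backslash followed by the
# two hex digits of the byte. rlm_ldap applies the same encoding, which is
# why the post's log shows "voila\5cwebtest" for the unstripped "voila\webtest".
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def strip_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Model of FreeRADIUS realm stripping for the two common NAS name formats.

    "DOMAIN\\user" -> ("user", "DOMAIN")  (what a prefix realm such as ntdomain does)
    "user@realm"   -> ("user", "realm")   (what the suffix realm does)
    "user"         -> ("user", None)      (nothing to strip)
    """
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return user, domain or None
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return user, realm or None
    return user_name, None


def samaccountname_filter(user_name: str, realm_stripped: bool) -> str:
    """Build the filter the post's ldap module uses:

        (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})

    With realm_stripped=False no module has set Stripped-User-Name, so the raw
    User-Name, domain prefix and all, is escaped into the filter and the search
    can only match a sAMAccountName that literally contains a backslash.
    """
    name = strip_realm(user_name)[0] if realm_stripped else user_name
    return "(sAMAccountName=%s)" % escape_filter_value(name)


if __name__ == "__main__":
    # Sample names: the two from the post plus an e-mail style name and an
    # injection attempt, all constructed for this example.
    for raw in ("voila\\webtest", "zkms", "webtest@voila.com", "*)(objectClass=*"):
        print("%-20s unstripped: %-42s stripped: %s" % (
            raw,
            samaccountname_filter(raw, realm_stripped=False),
            samaccountname_filter(raw, realm_stripped=True)))
```

In a FreeRADIUS 2 configuration the stripping itself is done by enabling the realm module's ntdomain instance (format = prefix, delimiter = "\\") in the authorize section ahead of ldap; this example only shows what the filter looks like before and after that happens.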
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Hi Ivan,

We have scenarios where one PC gets transferred to another user and we don't delete the registered MAC address of the previous PC. The new user is still able to register with the previous user's existing PC MAC address one more time. Thus the scenario of duplicate entries in LDAP. Please let me know.

Thanks and Regards.

Ivan Kalik wrote:
>> After adding radiusAuthType on ONE uid it is working fine now. But now the issue is, I have some cases where the MAC address is stored multiple times in LDAP. Thus the ldap query is failing. Please check the log below. Can you please suggest me any workaround? Will really appreciate.
>
> Only the obvious one: don't put multiple mac uids in the directory. uid needs to be unique. BTW, where do multiple entries come from?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Your did needs to be a distinguished name.

Ivan Kalik
Kalik Informatika ISP

On 26/3/2008, Eric Martell wrote:
> Hi Ivan,
>
> We have scenarios where one PC gets transferred to another user and we don't delete the registered MAC address of the previous PC. The new user is still able to register with the previous user's existing PC MAC address one more time. Thus the scenario of duplicate entries in LDAP. Please let me know.
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Hi Ivan,

We already have this existing legacy system set up in production LDAP and I'm not sure we can change that anymore, as we don't use did as dn. No change in the existing ldap tree. Is there a way, when the ldap query finds multiple results, to get the first result and return success instead of sending a reject? Please let me know if this is doable.

Thanks and Regards.

Ivan Kalik wrote:
> Your did needs to be a distinguished name.
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Sorry. Don't know much about ldap.

Ivan Kalik

On 26/3/2008, Eric Martell wrote:
> We already have this existing legacy system set up in production LDAP and I'm not sure we can change that anymore, as we don't use did as dn. No change in the existing ldap tree. Is there a way, when the ldap query finds multiple results, to get the first result and return success instead of sending a reject? Please let me know if this is doable.
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Thanks so much Ivan.

Alan DeKok, is there a way, if the ldap filter query returns multiple results, that we can send a RADIUS Accept in the reply? Please let me know.

Thanks and Regards.

Ivan Kalik wrote:
> Sorry. Don't know much about ldap.
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Hi Ivan,

Sorry to get back to you early as I did not have ldap access :(

After adding radiusAuthType on ONE uid it is working fine now. But now the issue is, I have some cases where the MAC address is stored multiple times in LDAP. Thus the ldap query is failing. Please check the log below. Can you please suggest me any workaround? Will really appreciate.

Thanks and Regards.

Test Case 1 :: 1 UID

+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "0014F846C199", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0014F846C199
        expand: %{Stripped-User-Name} ->
        expand: %{User-Name} -> 0014F846C199
        expand: (&(did=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(did=0014F846C199))
        expand: ou=roles,o=entitlement -> ou=roles,o=entitlement
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(did=0014F846C199))
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusAuthType as RADIUS attribute Auth-Type == Accept
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/<via Auth-Type = Accept>] (from client samir port 0)
Sending Access-Accept of id 39 to 216.2.193.1 port 38625
Finished request 3.

Test Case 2 :: Multiple UIDs

rad_recv: Access-Request packet from host 216.2.193.1 port 37788, id=38, length=34
        User-Name = "0014F846C199"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "0014F846C199", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0014F846C199
        expand: %{Stripped-User-Name} ->
        expand: %{User-Name} -> 0014F846C199
        expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(uid=0014F846C199))
        expand: ou=roles,o=entitlement -> ou=roles,o=entitlement
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=0014F846C199))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [0014F846C199/<no User-Password attribute>] (from client samir port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> 0014F846C199
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds

----- Original Message ----
From: Ivan Kalik
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, March 20, 2008 1:01:11 PM
Subject: Re: MACAddress silent authentication in LDAP using freeradius2.0.2

>> Bit confusing..do you want me to create entries in ldap as,
>
> No:
>
> uid = 001122334455
> radiusAuthType = Accept
>
> Forget about the device entries. radius authenticates users. Have a look at the filter configured in ldap section of radiusd.conf
>
>> If yes, what additional changes I have to do in freeradius and how I can return devicename along the freeradius reply?
>
> And what would you do with that? Groups? Then create group entries for them and use memberof in (mac) user entry.
>
> Ivan Kalik
> Kalik Informatika ISP
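Test Case 2 shows the failure mode exactly: rlm_ldap needs the user search to return one entry, reports "object not found or got ambiguous search result" when it gets more, returns notfound, and with no Auth-Type set the request is rejected. The Python below is an added example (not the poster's or the project's code) that models that decision against a constructed LDIF export and then does the check a practitioner wants before enabling MAC authentication: audit the export for MAC addresses that occur in more than one entry's uid, normalising the usual spellings so the same device recorded as 0014F846C199 and 00:14:f8:46:c1:99 is caught as well. The DNs, roleid values and the second entries for each MAC are assumptions made for the sample; the attribute names (uid, radiusAuthType, roleid, devicename) and the base ou=roles,o=entitlement come from the thread. Retiring the stale entry is the safer course than the "take the first result" workaround asked about later in the thread, which would grant access on whichever entry the server happened to return first.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed LDIF export (not from the original post), shaped like the
# entries the thread describes: MAC-address users under ou=roles,o=entitlement
# with radiusAuthType = Accept. 0014F846C199 is present twice, the situation
# that produced "object not found or got ambiguous search result" in the log,
# and 001199887766 is present a second time in colon notation.
SAMPLE_LDIF = """\
dn: cn=dev111,ou=roles,o=entitlement
uid: 0014F846C199
radiusAuthType: Accept
roleid: 11
devicename: Personal PC

dn: cn=dev222,ou=roles,o=entitlement
uid: 001199887766
radiusAuthType: Accept
roleid: 12
devicename: SIP Phone

dn: cn=dev333,ou=roles,o=entitlement
uid: 0014F846C199
radiusAuthType: Accept
roleid: 13
devicename: Personal PC (new owner)

dn: cn=dev444,ou=roles,o=entitlement
uid: 00:11:99:88:77:66
radiusAuthType: Accept
roleid: 14
devicename: SIP Phone (re-registered)
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, one
    'attribute: value' per line, multi-valued attributes kept in order.
    Base64 (::) values and line continuations are not needed for the sample."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_mac(value: str) -> Optional[str]:
    """Reduce the usual NAS spellings (0014F846C199, 00:14:f8:46:c1:99,
    00-14-F8-46-C1-99, 0014.f846.c199) to 12 lowercase hex digits, or None
    when the value is not a MAC address at all."""
    digits = re.sub(r"[:.-]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def rlm_ldap_authorize(ldif_text: str, user_name: str) -> str:
    """Model of the decision visible in the post's two test cases: rlm_ldap
    searches (uid=<User-Name>) and needs exactly one entry. One match that
    carries radiusAuthType=Accept -> 'ok' (Auth-Type Accept, Access-Accept);
    zero or several matches -> 'notfound', which ends in Access-Reject.
    uid is compared case-insensitively, as LDAP's caseIgnoreMatch does."""
    matches = [
        e for e in parse_ldif(ldif_text)
        if any(u.lower() == user_name.lower() for u in e.get("uid", []))
    ]
    if len(matches) != 1:
        return "notfound"
    return "ok" if "Accept" in matches[0].get("radiusAuthType", []) else "noop"


def find_duplicate_macs(ldif_text: str) -> Dict[str, List[str]]:
    """Audit an export before enabling MAC authentication: map every MAC that
    occurs in more than one entry's uid (after normalisation, so format
    variants of the same device are caught too) to the DNs holding it."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for uid in entry.get("uid", []):
            mac = normalize_mac(uid)
            if mac is not None:
                seen[mac].append(dn)
    return {mac: dns for mac, dns in seen.items() if len(dns) > 1}


if __name__ == "__main__":
    for mac in ("0014F846C199", "001199887766"):
        print(mac, "->", rlm_ldap_authorize(SAMPLE_LDIF, mac))
    for mac, dns in find_duplicate_macs(SAMPLE_LDIF).items():
        print("duplicate", mac, "in", ", ".join(dns))
```

Run against a real export (ldapsearch -LLL output works with this reader for plain values), the duplicate list is the set of entries to retire before the directory is used as a MAC allow-list; the colon-notation duplicate is worth fixing too, since it silently never matches the filter the NAS-supplied User-Name produces.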
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
> After adding radiusAuthType on ONE uid it is working fine now. But now the issue is, I have some cases where the MAC address is stored multiple times in LDAP. Thus the ldap query is failing. Please check the log below. Can you please suggest me any workaround? Will really appreciate.

Only the obvious one: don't put multiple mac uids in the directory. uid needs to be unique. BTW, where do multiple entries come from?

Ivan Kalik
Kalik Informatika ISP
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
In mac authentication the mac address is used as the username. So you will have to create entries that have (only) username equal to mac address and radiusAuthType Accept.

Ivan Kalik
Kalik Informatika ISP

On 19/3/2008, Eric Martell wrote:
> Please let me know if this topic is already discussed or has a doc/wiki. If yes please guide me to the right thread. Thanks.
>
> We are going to use MAC address as silent authentication. When the user tries to connect to the WiFi access point, Aptilo Networks is going to send the MAC address as the User-Name attribute to FreeRADIUS. The User-Password attribute will be empty. We are storing MAC addresses in the LDAP under the device tree through user interface tools. The LDAP tree is as:
>
> deviceid = 111
> macaddress = 001122334455
> devicename = Personal PC.
>
> deviceid = 222
> macaddress = 001199887766
> devicename = SIP Phone.
>
> How do I configure the ldap module in FreeRADIUS so that it checks if the MAC address exists in LDAP and returns Access-Accept or Access-Reject along with a reply of devicename? Not sure how I handle this in authorization or authentication or post-auth? There are NO passwords. I am using freeradius-2.0.2. Is there a way I can use unlang?
>
> Thanks and Regards.
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Hi Ivan,

Thanks for the response. I am a newbie to FreeRADIUS. Not sure which file I should configure this in? I have the ldap module configured in radiusd.conf. Can you please be more specific? I will really appreciate that.

Thanks and Regards.

--- Ivan Kalik wrote:
> In mac authentication the mac address is used as the username. So you will have to create entries that have (only) username equal to mac address and radiusAuthType Accept.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
No file. These are ldap entries which you need to make. You have entries as devices - now make entries as users.

Ivan Kalik
Kalik Informatika ISP

On 20/3/2008, Eric Martell wrote:
> Hi Ivan,
>
> Thanks for the response. I am a newbie to FreeRADIUS. Not sure which file I should configure this in? I have the ldap module configured in radiusd.conf. Can you please be more specific? I will really appreciate that.
>
> Thanks and Regards.
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
> Bit confusing..do you want me to create entries in ldap as,

No:

uid = 001122334455
radiusAuthType = Accept

Forget about the device entries. radius authenticates users. Have a look at the filter configured in ldap section of radiusd.conf

> If yes, what additional changes I have to do in freeradius and how I can return devicename along the freeradius reply?

And what would you do with that? Groups? Then create group entries for them and use memberof in (mac) user entry.

Ivan Kalik
Kalik Informatika ISP
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
PS. Sorry, got mixed up. radiusGroupName for group membership.

Ivan Kalik
Kalik Informatika ISP

On 20/3/2008, Eric Martell wrote:
> Hi Ivan,
>
> Bit confusing..do you want me to create entries in ldap as,
>
> deviceid = 111
> macaddress = 001122334455
> username = 001122334455
> radiusAuthType = Accept
> devicename = Personal PC.
>
> deviceid = 222
> macaddress = 001199887766
> username = 001199887766
> radiusAuthType = Accept
> devicename = SIP Phone.
>
> If yes, what additional changes do I have to make in FreeRADIUS, and how can I return devicename along with the FreeRADIUS reply? Please reply.
>
> Thanks and Regards.
Re: MACAddress silent authentication in LDAP using freeradius2.0.2
Hi Ivan,

Bit confusing.. do you want me to create entries in ldap as,

  deviceid = 111
  macaddress = 001122334455
  username = 001122334455
  radiusAuthType = Accept
  devicename = Personal PC

  deviceid = 222
  macaddress = 001199887766
  username = 001199887766
  radiusAuthType = Accept
  devicename = SIP Phone

If yes, what additional changes do I have to make in freeradius, and how can I return devicename along with the freeradius reply? Please reply.

Thanks and Regards.

--- Ivan Kalik [EMAIL PROTECTED] wrote:

> No file. These are ldap entries which you need to make. You have entries as devices - now make entries as users.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 20/3/2008, Eric Martell [EMAIL PROTECTED] wrote:
>
> > Hi Ivan,
> >
> > Thanks for the response. I am a newbie to freeradius. Not sure which file I should configure this in? I have the ldap module configured in radiusd.conf. Can you please be more specific? I will really appreciate that.
> >
> > Thanks and Regards.
> >
> > --- Ivan Kalik [EMAIL PROTECTED] wrote:
> >
> > > In mac authentication the mac address is used as the username. So you will have to create entries that have (only) username equal to mac address and radiusAuthType Accept.
> > >
> > > Ivan Kalik
> > > Kalik Informatika ISP
> > >
> > > On 19/3/2008, Eric Martell [EMAIL PROTECTED] wrote:
> > >
> > > > Please let me know if this topic is already discussed or has a doc/wiki. If yes please guide me to the right thread. Thanks.
> > > >
> > > > We are going to use the MAC address as silent authentication. When a user tries to connect to the WIFI Access point, Aptilo Networks is going to send the MAC address as the User-Name attribute to freeradius. The User-Password attribute will be empty. We are storing MAC Addresses in the LDAP under the device tree through user interface tools. The LDAP tree is as,
> > > >
> > > >   deviceid = 111
> > > >   macaddress = 001122334455
> > > >   devicename = Personal PC
> > > >
> > > >   deviceid = 222
> > > >   macaddress = 001199887766
> > > >   devicename = SIP Phone
> > > >
> > > > How do I configure the ldap module in freeradius so that it checks if the MAC address exists in LDAP and returns Access-Accept or Access-Reject along with a reply of devicename? Not sure how to handle this in authorization, authentication or post-auth? There are NO passwords. I am using freeradius-2.0.2. Is there a way I can use unlang?
> > > >
> > > > Thanks and Regards.
MACAddress silent authentication in LDAP using freeradius2.0.2
Please let me know if this topic is already discussed or has a doc/wiki. If yes please guide me to the right thread. Thanks.

We are going to use the MAC address as silent authentication. When a user tries to connect to the WIFI Access point, Aptilo Networks is going to send the MAC address as the User-Name attribute to freeradius. The User-Password attribute will be empty. We are storing MAC Addresses in the LDAP under the device tree through user interface tools. The LDAP tree is as,

  deviceid = 111
  macaddress = 001122334455
  devicename = Personal PC

  deviceid = 222
  macaddress = 001199887766
  devicename = SIP Phone

How do I configure the ldap module in freeradius so that it checks if the MAC address exists in LDAP and returns Access-Accept or Access-Reject along with a reply of devicename? Not sure how to handle this in authorization, authentication or post-auth? There are NO passwords. I am using freeradius-2.0.2. Is there a way I can use unlang?

Thanks and Regards.
Re: Authentication type (ldap, users, etc) per client or user?
falz wrote:
> This would technically get things working, but poses a security issue. I want to have clients associated with backends. The above example appears that it will simply give priority of one authentication source over the other, which isn't what I'm trying to do.

You can use Autz-Type to get what you want, but it's more complicated.

> I'll look into 2.0 if this is the only way to get this functionality.

It's not the only way, but it's *much* easier in 2.0. You just put an entry in the client configuration saying virtual_server = foo, and all requests get processed through foo.

> No, I did not remove the files section. It is called, and loaded per my output in the previous email.

It's not listed in the debug output you posted. So it's not being called.

> Looking through the docs, it appears that Autz-Type gives indications of what I am trying to do: http://www.freeradius.org/radiusd/doc/Autz-Type

Yes. It may require running two copies of the files module, which is more complicated.

> I will experiment with it and some syntax, and chime back in when I get things working for future reference for other users (and for me, if I neglect to document it myself :)

In 2.0:

  client a {
    ipaddr = 1.2.3.4
    ...
    virtual_server = foo
  }

  client b {
    ipaddr = 5.6.7.8
    ...
    virtual_server = bar
  }

  server foo {
    authorize {
      files    # the module that reads the 'users' file
      ...
    }
    ...
  }

  server bar {
    authorize {
      ldap
      ...
    }
    ...
  }

It's more typing to set up, but it's significantly easier to understand and to maintain. It means that there are fewer possibilities for something to go wrong, too.

Alan DeKok.
Authentication type (ldap, users, etc) per client or user?
Hello,

I have a FreeRADIUS server working properly with an LDAP backend. I've brought some user config into the 'users' file for a legacy system we're migrating to this server. However, I cannot seem to find the appropriate way to have FreeRADIUS map clients to a specific authentication type. In my example I want everything to use LDAP, except one client to use the legacy 'users' file syntax.

The closest example to this that I can find is here:

  https://lists.freeradius.org/pipermail/freeradius-users/2005-April/043218.html

However, this deals with multiple LDAP instances, and it does not like the syntax of my changing:

  files { }

to:

  files foo { }

and the other steps that seem logical when looking at the above. Is there any way to do this off of a single FreeRADIUS install? Any suggestions appreciated!

Thanks,

--falz
Re: Authentication type (ldap, users, etc) per client or user?
On Jan 3, 2008 10:18 AM, Alan DeKok [EMAIL PROTECTED] wrote:
> falz wrote:
> > I have a FreeRADIUS server working properly with an LDAP backend. I've brought some user config into the 'users' file for a legacy system we're migrating to this server. However, I cannot seem to find the appropriate way to have FreeRADIUS map clients to a specific authentication type.
>
> What does that mean?

Radius Client A uses rlm_ldap, Radius Client B uses 'files' for the livingston-style 'users' file. What I have now is Client A works fine with LDAP, but it seems to be a default across the system. Client B always talks to LDAP, it doesn't seem to read from the users file.

Here's some debug stuff. When I start radiusd -X, it does show that it reads the files module:

  Module: Loaded files
   files: usersfile = /usr/local/etc/raddb/users
   files: acctusersfile = /usr/local/etc/raddb/acct_users
   files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
   files: compat = no

As well as ldap:

  Module: Loaded LDAP
  (snipped because it all works)

But when one authenticates, it chooses ldap only:

  rad_recv: Access-Request packet from host 192.168.0.130:1028, id=18, length=119
          User-Name = falz
          User-Password = abc123
          NAS-IP-Address = 192.168.0.130
          NAS-Port = 4
          NAS-Port-Type = Async
          Service-Type = Framed-User
          Framed-Protocol = PPP
          Connect-Info = 52000 LAPM/V42BIS
          Called-Station-Id = 5552271012
          Calling-Station-Id = 5552291017
    Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 2
    modcall[authorize]: module preprocess returns ok for request 2
    modcall[authorize]: module chap returns noop for request 2
    modcall[authorize]: module mschap returns noop for request 2
      rlm_realm: No '@' in User-Name = falz, looking up realm NULL
      rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 2
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module eap returns noop for request 2
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for falz
  radius_xlat: '(uid=falz)'
  radius_xlat: 'ou=staff,dc=domain,dc=net'
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  rlm_ldap: performing search in ou=staff,dc=domain,dc=net, with filter (uid=falz)
  request done: ld 0x8068e00 msgid 3
  rlm_ldap: checking if remote access for falz is allowed by radiusReplyItem
  rlm_ldap: looking for check items in directory...
  rlm_ldap: looking for reply items in directory...
  rlm_ldap: extracted attribute Cisco-AVPair from generic item Cisco-AVPair := shell:priv-lvl=15
  rlm_ldap: extracted attribute Fall-Through from generic item Fall-Through = 1
  rlm_ldap: extracted attribute Extreme-CLI-Authorization from generic item Extreme-CLI-Authorization = Enabled
  rlm_ldap: extracted attribute Service-Type from generic item Service-Type = NAS-Prompt-User
  rlm_ldap: extracted attribute Service-Type from generic item Service-Type := Administrative-User
  rlm_ldap: Setting Auth-Type = ldap
  rlm_ldap: user falz authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns ok for request 2
  rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
    modcall[authorize]: module pap returns noop for request 2
  modcall: leaving group authorize (returns ok) for request 2
    rad_check_password: Found Auth-Type ldap
  auth: type LDAP
    Processing the authenticate section of radiusd.conf
  modcall: entering group LDAP for request 2
  rlm_ldap: - authenticate
  rlm_ldap: login attempt by falz with password abc123
  rlm_ldap: user DN: uid=falz,ou=users,ou=staff,dc=domain,dc=net
  rlm_ldap: (re)connect to localhost:389, authentication 1
  rlm_ldap: bind as uid=falz,ou=users,ou=staff,dc=domain,dc=net/abc123 to localhost:389
  rlm_ldap: waiting for bind result ...
  request done: ld 0x8068f00 msgid 1
  rlm_ldap: Bind failed with invalid credentials
    modcall[authenticate]: module ldap returns reject for request 2
  modcall: leaving group LDAP (returns reject) for request 2
  auth: Failed to validate the user.
  Login incorrect (rlm_ldap: Bind as user failed): [falz] (from client portmaster3 port 4 cli 6082291017)
  Delaying request 2 for 1 seconds
  Finished request 2
  Going to the next request
  --- Walking the entire request list ---
  Waking up in 1 seconds...
  --- Walking the entire request list ---
  Waking up in 1 seconds...
  --- Walking the entire request list ---
  Sending Access-Reject of id 18 to 192.168.0.130 port 1028
  Waking up in 4 seconds...
  --- Walking the entire request list ---
  Cleaning up request 2 ID 18 with timestamp 477d0e80
  Nothing to do. Sleeping until we see a request.

It is logical that it does this, as I have nothing in my config about this client using 'files'/'users', because I do not know what to put in.

I posted the original link, and also found this, which is related:
Re: Authentication type (ldap, users, etc) per client or user?
falz wrote:
> Radius Client A uses rlm_ldap, Radius Client B uses 'files' for the livingston-style 'users' file. What I have now is Client A works fine with LDAP, but it seems to be a default across the system. Client B always talks to LDAP, it doesn't seem to read from the users file.

If you want to use one OR the other, try the following:

  authorize {
    ...
    group {
      files {
        ok = return
      }
      ldap
    }
    ...
  }

i.e. if an entry is found in the users file, then don't do LDAP. If no entry is found in the users file, do LDAP.

Of course, in 2.0, you could just have a virtual server for client A, and a different virtual server for client B.

> But when one authenticates, it chooses ldap only:

Because that's what you've configured it to do. In this case, the debug output shows that it's not calling the files module. So you've edited the default configuration so that the files module isn't called... and yet you say you want it to call the files module.

> It is logical that it does this, as I have nothing in my config about this client using 'files'/'users', because I do not know what to put in.

What's wrong with the default configuration file that ships with the server?

> I posted the original link, and also found this, which is related:
>
>   http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg40372.html
>
> However, in all cases that I find, users are trying to authenticate with multiple same-type backends. Original link user is authenticating off of different LDAP servers, this case they're authenticating off of multiple SQL servers. I want 1 LDAP and one 'files'.

You can copy paste an example that doesn't apply to what you want to do, or you can understand how the server works. In this case, reading the files in the doc directory would help. They explain *how* those examples are configured, and *why* they work.

Alan DeKok.
Re: Authentication type (ldap, users, etc) per client or user?
On Jan 3, 2008 3:45 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> If you want to use one OR the other, try the following:
>
>   authorize {
>     ...
>     group {
>       files {
>         ok = return
>       }
>       ldap
>     }
>     ...
>   }
>
> i.e. if an entry is found in the users file, then don't do LDAP. If no entry is found in the users file, do LDAP.

This would technically get things working, but poses a security issue. I want to have clients associated with backends. The above example appears that it will simply give priority of one authentication source over the other, which isn't what I'm trying to do.

> Of course, in 2.0, you could just have a virtual server for client A, and a different virtual server for client B.

I'll look into 2.0 if this is the only way to get this functionality.

> Because that's what you've configured it to do. In this case, the debug output shows that it's not calling the files module. So you've edited the default configuration so that the files module isn't called... and yet you say you want it to call the files module.

No, I did not remove the files section. It is called, and loaded per my output in the previous email. Both are listed, but nothing in the config points a client to an auth method, because I don't know the syntax for this, or it's not possible.

> What's wrong with the default configuration file that ships with the server?

I don't believe I said anything is. I simply don't know its syntax well enough to know what to put in, or it's not possible.

> You can copy paste an example that doesn't apply to what you want to do, or you can understand how the server works. In this case, reading the files in the doc directory would help. They explain *how* those examples are configured, and *why* they work.

Looking through the docs, it appears that Autz-Type gives indications of what I am trying to do:

  http://www.freeradius.org/radiusd/doc/Autz-Type

I will experiment with it and some syntax, and chime back in when I get things working for future reference for other users (and for me, if I neglect to document it myself :)

--falz
Re: Configure authentication via LDAP Group membership issue
All,

I have still not been able to find a solution for this. It looks like I might be able to use an xlat rule for it, but I can't get my head around how to write it. Can anyone point me to suitable documentation for xlat? While I have read all the docco that comes with FreeRadius (in /usr/share) I am missing something in order to apply it.

Cheers,
David

----- Original Message -----
From: David Hobley [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, 23 October 2007 04:10:51 PM (GMT+1000) Australia/Brisbane
Subject: Configure authentication via LDAP Group membership issue

> I have set up a VPN pointing to a FreeRadius server and have it authenticating successfully against my LDAP server, but I would also like to limit access to only those people who are a member of the VPN group. Normally, this would be simple, but because of the LDAP server I am using, the hierarchy looks like this:
>
> User Account:
>
>   ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (uid=firstname.lastname)
>   dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
>   uidNumber: 1024
>   ...
>
> Group entry is:
>
>   ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (cn=VPN Users)
>   dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
>   memberUid: 1024
>   ...
>
> So I need to somehow configure Radius to search on me, get my uidNumber and then search on the group. If I skip the searching to get the uidNumber, I can configure the Radius (for this single account) correctly. In the ldap module I include:
>
>   ...
>   groupname_attribute = cn
>   groupmembership_filter = (memberUid=1024)
>
> with the following entry in the users file:
>
>   DEFAULT Auth-Type = LDAP
>           Fall-Through = 1
>
>   DEFAULT LDAP-Group == VPN Users
>           Service-Type = Administrative-User
>
> and this works as expected, but is there any way I can substitute the 1024 for an ldap search result so I can dynamically return the uidNumber for the %{User-Name} field?
>
> Thanks!
>
> Cheers,
> David
RE: Configure authentication via LDAP Group membership issue [sec=unclassified]
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Hobley
Sent: Wednesday, 31 October 2007 10:50
To: FreeRadius users mailing list
Subject: Re: Configure authentication via LDAP Group membership issue

> All,
>
> I have still not been able to find a solution for this. It looks like I might be able to use an xlat rule for it, but I can't get my head around how to write it. Can anyone point me to suitable documentation for xlat? While I have read all the docco that comes with FreeRadius (in /usr/share) I am missing something in order to apply it.
>
> Cheers,
> David
>
> ----- Original Message -----
> From: David Hobley [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Sent: Tuesday, 23 October 2007 04:10:51 PM (GMT+1000) Australia/Brisbane
> Subject: Configure authentication via LDAP Group membership issue
>
> I have set up a VPN pointing to a FreeRadius server and have it authenticating successfully against my LDAP server, but I would also like to limit access to only those people who are a member of the VPN group. Normally, this would be simple, but because of the LDAP server I am using, the hierarchy looks like this:
>
> User Account:
>
>   ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (uid=firstname.lastname)
>   dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
>   uidNumber: 1024
>   ...
>
> Group entry is:
>
>   ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (cn=VPN Users)
>   dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
>   memberUid: 1024
>   ...
>
> So I need to somehow configure Radius to search on me, get my uidNumber and then search on the group. If I skip the searching to get the uidNumber, I can configure the Radius (for this single account) correctly. In the ldap module I include:
>
>   ...
>   groupname_attribute = cn
>   groupmembership_filter = (memberUid=1024)
>
> with the following entry in the users file:
>
>   DEFAULT Auth-Type = LDAP
>           Fall-Through = 1
>
>   DEFAULT LDAP-Group == VPN Users
>           Service-Type = Administrative-User
>
> and this works as expected, but is there any way I can substitute the 1024 for an ldap search result so I can dynamically return the uidNumber for the %{User-Name} field?
>
> Thanks!
>
> Cheers,
> David

The memberUid attribute in a posixGroup is supposed to hold the uid, not the uidNumber. That would make your

  groupmembership_filter = (memberUid=%{User-Name})

or more robustly,

  groupmembership_filter = (&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))

Regards,
Frank Ranner
Re: Configure authentication via LDAP Group membership issue [sec=unclassified]
Frank,

Thank you - greatly appreciated. This made me realise that my thinking was foggy when I had defined group memberships. All working now.

Cheers,
David

----- Original Message -----
From: Frank MR Ranner [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, 31 October 2007 10:20:36 AM (GMT+1000) Australia/Brisbane
Subject: RE: Configure authentication via LDAP Group membership issue [sec=unclassified]

> ...
>
> The memberUid attribute in a posixGroup is supposed to hold the uid, not the uidNumber. That would make your
>
>   groupmembership_filter = (memberUid=%{User-Name})
>
> or more robustly,
>
>   groupmembership_filter = (&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))
>
> Regards,
> Frank Ranner
Configure authentication via LDAP Group membership issue
I have set up a VPN pointing to a FreeRadius server and have it authenticating successfully against my LDAP server, but I would also like to limit access to only those people who are a member of the VPN group. Normally, this would be simple, but because of the LDAP server I am using, the hierarchy looks like this:

User Account:

  ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (uid=firstname.lastname)
  dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
  uidNumber: 1024
  ...

Group entry is:

  ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN (cn=VPN Users)
  dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
  memberUid: 1024
  ...

So I need to somehow configure Radius to search on me, get my uidNumber and then search on the group. If I skip the searching to get the uidNumber, I can configure the Radius (for this single account) correctly. In the ldap module I include:

  ...
  groupname_attribute = cn
  groupmembership_filter = (memberUid=1024)

with the following entry in the users file:

  DEFAULT Auth-Type = LDAP
          Fall-Through = 1

  DEFAULT LDAP-Group == VPN Users
          Service-Type = Administrative-User

and this works as expected, but is there any way I can substitute the 1024 for an ldap search result so I can dynamically return the uidNumber for the %{User-Name} field?

Thanks!

Cheers,
David
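Frank Ranner's fix in this thread splices the RADIUS User-Name straight into the LDAP group filter. The following is an added example, not code from the thread or from FreeRADIUS, that shows in Python what `groupmembership_filter = (&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))` expands to, and why the expanded value has to be escaped per RFC 4515 before it lands in the filter: User-Name is chosen by whoever sends the Access-Request, so a `*`, `(`, `)` or `\` in it would otherwise change the structure of the filter and could turn the membership test into a match-everything. rlm_ldap applies this escaping to its xlat expansions itself; the example makes visible what that escaping has to do. The function names (escape_filter_value, group_filter, count_assertions) are the example's own, not FreeRADIUS APIs.

```python
"""Building the posixGroup membership filter safely.

Added example, not code from the thread or from FreeRADIUS. It mirrors the
expansion of
    (&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))
and applies RFC 4515 section 3 escaping to the user-supplied part.
"""
from typing import Optional

# RFC 4515 section 3: characters that are structural inside a filter and
# must be written as \XX hex escapes when they occur in an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it can only ever match literally."""
    # Per-character mapping, so the backslash escape cannot be double-applied.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def effective_user_name(user_name: str, stripped_user_name: Optional[str] = None) -> str:
    """Mirror the %{Stripped-User-Name:-%{User-Name}} xlat: prefer the name
    with the realm stripped off (when the realm module produced one), else
    fall back to User-Name as sent."""
    return stripped_user_name if stripped_user_name else user_name


def group_filter(user_name: str, stripped_user_name: Optional[str] = None,
                 escape: bool = True) -> str:
    """Build the membership filter. escape=False shows the unsafe expansion
    and exists only for the demonstration."""
    name = effective_user_name(user_name, stripped_user_name)
    if escape:
        name = escape_filter_value(name)
    return f"(&(memberUid={name})(objectClass=posixGroup))"


def count_assertions(filter_str: str) -> int:
    """Count unescaped '(' in a filter string. The intended group filter has
    exactly three (the '&' and its two conjuncts); any more means the user
    name injected extra filter structure."""
    n, i = 0, 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == "\\":
            i += 3          # skip a \XX hex escape
            continue
        if ch == "(":
            n += 1
        i += 1
    return n


if __name__ == "__main__":
    # Constructed inputs: a normal uid, a bare wildcard, and a user name that
    # tries to close the assertion and open a new one.
    for name in ("firstname.lastname", "*", "*)(objectClass=*"):
        print(f"unescaped: {group_filter(name, escape=False)}")
        print(f"escaped:   {group_filter(name)}")
```

The bare wildcard case is the one that matters for a VPN gate: unescaped, `(memberUid=*)` is true for every posixGroup that has any member, so LDAP-Group == "VPN Users" would succeed for a user who is in no group at all. Escaped, the same input can only match a member literally named `*`.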
Re: (Solved) Re: MAC authorisation (but not authentication) via LDAP
We are trying to add mac authentication to our wireless APs. The radius request comes in like so:

  rad_recv: Access-Request packet from host 10.250.100.3:1038, id=119, length=95
          Service-Type = Framed-User
          NAS-Port-Id = wlan1
          User-Name = 00:0B:6B:56:1D:48
          User-Password =
          NAS-Identifier = ballyvaughan_ap_1
          NAS-IP-Address = 10.250.100.3

The mac address is in a field in the ldap, so I created a second ldap.attrib.map and a new ldap autz-type. The problem is that the user-password that is sent is blank, so I added this to the users file, like so:

  DEFAULT Huntgroup-Name == test, Autz-Type := ldapMAC, User-Password == ""
          Simultaneous-Use := 1
          Fall-Through = 0

Great, now the user will authorise and authenticate from files. But what I had hoped would happen was that if they fail authorisation they would not continue; I can see this is not the default procedure. How can I make this work this way?

    Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
      users: Matched entry DEFAULT at line 4
    modcall[authorize]: module files returns ok for request 0
  modcall: leaving group authorize (returns ok) for request 0
    Found Autz-Type ldapMAC
    Processing the authorize section of radiusd.conf
  modcall: entering group ldapMAC for request 0
  modcall: entering group redundant for request 0
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for 00:0B:6B:56:1D:48
  radius_xlat: '(rdwaveuserWirelessMac=00:0B:6B:56:1D:48)'
  radius_xlat: 'o=clients,dc=radiowave,dc=net'
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  rlm_ldap: attempting LDAP reconnection
  rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
  rlm_ldap: bind as cn=admin,dc=radiowave,dc=net/xxx to 127.0.0.1:389
  rlm_ldap: Bind was successful
  rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (rdwaveuserWirelessMac=00:0B:6B:56:1D:48)
  rlm_ldap: object not found or got ambiguous search result
  rlm_ldap: search failed
  rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldapmac1 returns notfound for request 0
  modcall: leaving group redundant (returns notfound) for request 0
  modcall: leaving group ldapMAC (returns notfound) for request 0

But when the authentication starts this still happens. Below was an idea someone had in respect to this issue or a similar one, but I have no idea how to deploy this. I look forward to your replies.

  auth: type Local
  auth: user supplied User-Password matches local User-Password
    Processing the session section of radiusd.conf
  modcall: entering group session for request 0
  modcall: entering group redundant for request 0
    modcall[session]: module sql2 returns noop for request 0
  modcall: leaving group redundant (returns noop) for request 0
  modcall: leaving group session (returns noop) for request 0
  Login OK: [00:0B:6B:56:1D:48/] (from client ballyvaughan port 0)
  Sending Access-Accept of id 119 to 10.250.100.3 port 1038

On Sun, 2007-02-25 at 20:05, Martin Whinnery wrote:
> Martin Whinnery wrote:
> > Markus Krause wrote:
> > > Zitat von Martin Whinnery [EMAIL PROTECTED]:
> > > > Hi. Probly just me not understanding...
> > > >
> > > > What I want is for our switches to only allow access to MAC addresses in our LDAP database. I don't want to store passwords on our LDAP host entries.
> > > >
> > > > I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value.
> > > >
> > > > The trouble comes with authentication - either I set Auth-Type := Accept, in which case any failed authorisation is overridden, or I allow authentication to carry on against LDAP ( or System, or whatever ), in which case it fails always and access is denied, even for authorised MACs.
> > > >
> > > > Is there a way to make the Authorisation part final and authoritative?
> > > >
> > > > As I say, probly just being stoopid.
> > > >
> > > > Mart
> > >
> > > don't know if it is a good solution, but i just do this by setting the following in radiusd.conf:
> > >
> > >   authenticate {
> > >     ...
> > >     Auth-Type LdapMAC {
> > >       ok
> > >     }
> > >     ...
> > >   }
> > >
> > > the Auth-Type is set in the users file depending on huntgroups:
> > >
> > >   DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
> > >
> > > i assume there are better/smarter solutions, as one can read "don't set Auth-Type" in many places, but it works here ;-)
> > >
> > > regards
> > > markus
> >
> > Thanks Markus, the problem seems to be that the authorisation pass returns notfound, whereas I want it to reject, as if it found an entry in LDAP without the appropriate attribute.
> >
> > Mart
>
> This was exactly the problem.
RE: (Solved) Re: MAC authorisation (but not authentication) via LDAP
This looks great for my purpose as well. Thanks very much for your help.

Martin Whinnery wrote:
> Alan,
>
> The problem for me was that when the ldapsearch failed to find the MAC address, freeradius didn't reject authorisation. The solution for me, ( I'm sure the big boys can point out how it's wrong ), was the following script..
>
> ---snip---
> #!/bin/sh
> # Reject when the LDAP authorize step reported the MAC as not found.
> if echo "$MODULE_FAILURE_MESSAGE" | grep -q "not found"; then
>     echo "Auth-Type := reject"
>     exit 0
> fi
> ---snip---
>
> and the following clause in radiusd.conf
>
> ---snip---
>   exec rejectOnNotFound {
>     wait = yes
>     program = /usr/local/etc/raddb/rejectOnNotFound.sh
>     input_pairs = request
>     output_pairs = config
>   }
> ---snip---
>
> which is used in the authorise section thus
>
> ---snip---
>   Autz-Type LdapMAC {
>     ldapMAC
>     rejectOnNotFound
>   }
> ---snip---
>
> As I said, works for me. Hope it helps..
>
> Mart
>
> Alan Walters wrote:
> > We are trying to add mac authentication to our wireless APs. The radius request comes in like so:
> >
> >   rad_recv: Access-Request packet from host 10.250.100.3:1038, id=119, length=95
> >           Service-Type = Framed-User
> >           NAS-Port-Id = wlan1
> >           User-Name = 00:0B:6B:56:1D:48
> >           User-Password =
> >           NAS-Identifier = ballyvaughan_ap_1
> >           NAS-IP-Address = 10.250.100.3
> >
> > The mac address is in a field in the ldap, so I created a second ldap.attrib.map and a new ldap autz-type. The problem is that the user-password that is sent is blank, so I added this to the users file, like so:
> >
> >   DEFAULT Huntgroup-Name == test, Autz-Type := ldapMAC, User-Password == ""
> >           Simultaneous-Use := 1
> >           Fall-Through = 0
> >
> > Great, now the user will authorise and authenticate from files. But what I had hoped would happen was that if they fail authorisation they would not continue; I can see this is not the default procedure. How can I make this work this way?
> >
> >     Processing the authorize section of radiusd.conf
> >   modcall: entering group authorize for request 0
> >     modcall[authorize]: module preprocess returns ok for request 0
> >     modcall[authorize]: module chap returns noop for request 0
> >     modcall[authorize]: module mschap returns noop for request 0
> >       users: Matched entry DEFAULT at line 4
> >     modcall[authorize]: module files returns ok for request 0
> >   modcall: leaving group authorize (returns ok) for request 0
> >     Found Autz-Type ldapMAC
> >     Processing the authorize section of radiusd.conf
> >   modcall: entering group ldapMAC for request 0
> >   modcall: entering group redundant for request 0
> >   rlm_ldap: - authorize
> >   rlm_ldap: performing user authorization for 00:0B:6B:56:1D:48
> >   radius_xlat: '(rdwaveuserWirelessMac=00:0B:6B:56:1D:48)'
> >   radius_xlat: 'o=clients,dc=radiowave,dc=net'
> >   rlm_ldap: ldap_get_conn: Checking Id: 0
> >   rlm_ldap: ldap_get_conn: Got Id: 0
> >   rlm_ldap: attempting LDAP reconnection
> >   rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
> >   rlm_ldap: bind as cn=admin,dc=radiowave,dc=net/xxx to 127.0.0.1:389
> >   rlm_ldap: Bind was successful
> >   rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (rdwaveuserWirelessMac=00:0B:6B:56:1D:48)
> >   rlm_ldap: object not found or got ambiguous search result
> >   rlm_ldap: search failed
> >   rlm_ldap: ldap_release_conn: Release Id: 0
> >     modcall[authorize]: module ldapmac1 returns notfound for request 0
> >   modcall: leaving group redundant (returns notfound) for request 0
> >   modcall: leaving group ldapMAC (returns notfound) for request 0
> >
> > But when the authentication starts this still happens. Below was an idea someone had in respect to this issue or a similar one, but I have no idea how to deploy this. I look forward to your replies.
> >
> >   auth: type Local
> >   auth: user supplied User-Password matches local User-Password
> >     Processing the session section of radiusd.conf
> >   modcall: entering group session for request 0
> >   modcall: entering group redundant for request 0
> >     modcall[session]: module sql2 returns noop for request 0
> >   modcall: leaving group redundant (returns noop) for request 0
> >   modcall: leaving group session (returns noop) for request 0
> >   Login OK: [00:0B:6B:56:1D:48/] (from client ballyvaughan port 0)
> >   Sending Access-Accept of id 119 to 10.250.100.3 port 1038
> >
> > On Sun, 2007-02-25 at 20:05, Martin Whinnery wrote:
> > > Martin Whinnery wrote:
> > > > Markus Krause wrote:
> > > > > Zitat von Martin Whinnery [EMAIL PROTECTED]:
> > > > > > Hi. Probly just me not understanding...
> > > > > >
> > > > > > What I want is for our switches to only allow access to MAC addresses in our LDAP database. I don't want to store passwords on our LDAP host entries.
> > > > > >
> > > > > > I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value.
> > > > > >
> > > > > > The trouble comes with authentication - either I set Auth-Type := Accept, in which case any failed authorisation is overridden, or I allow authentication to carry on against LDAP ( or
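Both MAC-auth threads on this page (Eric Martell's question about returning Access-Accept or Access-Reject plus the devicename for a MAC stored in LDAP, and Martin Whinnery's problem of rlm_ldap returning notfound without the request being rejected) come down to the same authorize-section decision. The following is an added example, not code from the threads or from FreeRADIUS, that models that decision in Python so the failure paths are explicit: the request is treated as MAC-auth only when it carries no password, the MAC the NAS put in User-Name is normalised to the 12-hex-digit form the directory stores, an optional Calling-Station-Id is cross-checked, and a lookup miss is an Access-Reject rather than a fall-through to Auth-Type Accept. The device table is a constructed in-memory dict standing in for the LDAP device tree, using the attribute names from Eric Martell's layout; the function names and the use of Reply-Message to carry devicename are the example's own assumptions.

```python
"""MAC-address ('silent') authorization, modelled in Python.

Added example, not code from the threads or from FreeRADIUS. It models the
authorize-section logic the posters were building, with every failure path
ending in an explicit reject.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample data mirroring the LDAP device tree from the thread,
# keyed by MAC in the 12-hex-digit form the directory stores.
DEVICES: Dict[str, Dict[str, str]] = {
    "001122334455": {"deviceid": "111", "devicename": "Personal PC"},
    "001199887766": {"deviceid": "222", "devicename": "SIP Phone"},
}

_SEPARATORS = re.compile(r"[:\-.]")
_MAC12 = re.compile(r"[0-9a-f]{12}")


def normalise_mac(raw: str) -> Optional[str]:
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC.

    NASes disagree on the format (00:0B:6B:56:1D:48, 00-0b-6b-56-1d-48,
    000b.6b56.1d48, 000b6b561d48) while the directory stores 001122334455,
    so everything is reduced to that form before the lookup.
    """
    digits = _SEPARATORS.sub("", raw.strip().lower())
    return digits if _MAC12.fullmatch(digits) else None


@dataclass
class Decision:
    code: str                 # "Access-Accept" or "Access-Reject"
    reason: str
    reply: Dict[str, str] = field(default_factory=dict)


def authorize_mac(request: Dict[str, str],
                  devices: Dict[str, Dict[str, str]] = DEVICES) -> Decision:
    """Decide a MAC-auth request from its RADIUS attributes."""
    # A non-empty password means this is a user's PAP/CHAP attempt, not
    # MAC-auth; it must not be short-circuited to Accept by the MAC path.
    if request.get("User-Password"):
        return Decision("Access-Reject", "password present, not a MAC-auth request")

    mac = normalise_mac(request.get("User-Name", ""))
    if mac is None:
        return Decision("Access-Reject", "User-Name is not a MAC address")

    # When the NAS also sends Calling-Station-Id it must be the same MAC;
    # a mismatch means the User-Name was supplied rather than observed.
    csid = request.get("Calling-Station-Id")
    if csid is not None and normalise_mac(csid) != mac:
        return Decision("Access-Reject", "User-Name and Calling-Station-Id differ")

    entry = devices.get(mac)
    if entry is None:
        # The 'notfound' case from the thread: rlm_ldap returns notfound and
        # the default flow would carry on into authentication. Stop it here.
        return Decision("Access-Reject", "MAC not found in device store")

    # devicename goes back as a reply attribute; Reply-Message is a stand-in
    # for whatever attribute the NAS actually expects (an assumption).
    return Decision("Access-Accept", "MAC known",
                    reply={"Reply-Message": entry["devicename"]})


if __name__ == "__main__":
    # Constructed requests: the one from the thread (unknown MAC, empty
    # password) and one for a MAC that is in the table.
    for req in ({"User-Name": "00:0B:6B:56:1D:48", "User-Password": ""},
                {"User-Name": "00:11:22:33:44:55", "User-Password": ""}):
        d = authorize_mac(req)
        print(req["User-Name"], "->", d.code, "(", d.reason, ")", d.reply)
```

Two caveats a practitioner would add to either thread. First, a MAC address is not a secret: it is visible on the air and trivially set on the client, so an Accept from this path identifies a device, it does not authenticate it; whatever the NAS does with that Accept (VLAN, ACL) should be narrower than what an EAP-authenticated user gets. Second, in FreeRADIUS the same "reject on notfound" intent is what Martin's exec script and, in 2.x unlang, an `if (notfound) { reject }` after the ldap call express; the point of writing it out is that the default flow does not do it for you.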
Re: MAC authorisation (but not authentication) via LDAP
Markus Krause wrote: i am not sure if your approach could really fulfil my needs (no redundancy, serving different types of requests) ... but i would really like to know ;-) Hmm. Without more details it's difficult to say, but what you need does not sound excessively difficult. At most, Autz-Type should suffice. Why are you finding you need to set Auth-Type? The ldap module can be peculiar in this regard - are you authenticating the users by doing simple bind, or are you extracting the passwords from ldap and using rlm_pap and such? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MAC authorisation (but not authentication) via LDAP
Quoting Phil Mayers [EMAIL PROTECTED]: Markus Krause wrote: i am not sure if your approach could really fulfil my needs (no redundancy, serving different types of requests) ... but i would really like to know ;-) Hmm. Without more details it's difficult to say, but what you need does not sound excessively difficult. At most, Autz-Type should suffice. Why are you finding you need to set Auth-Type? i thought this is necessary as i use redundant sections. in users i have something like: DEFAULT Huntgroup-Name == vpn, Autz-Type := LdapUser, Auth-Type := LdapUser some parts of my radiusd.conf: - radiusd.conf parts modules { ... ldap LdapUser1 { ldapserv1 } ldap LdapUser2 { ldapserv2 } ... } authorize { ... Autz-Type LdapUser { redundant { LdapUser1 LdapUser2 } } ... } authenticate { ... Auth-Type LdapUser { redundant { LdapUser1 LdapUser2 } } ... } - it seems that if the authorization is successfully done by LdapUser1 the Auth-Type is set LdapUser1. if i do not set it to LdapUser in the file users i get the error message No authenticate method (Auth-Type) configuration found for the request: Rejecting the user. if i set Auth-Type to LdapUser in users it works. it also works without setting this if i do not use redundant settings (just call the module LdapUser). The ldap module can be peculiar in this regard - are you authenticating the users by doing simple bind, or are you extracting the passwords from ldap and using rlm_pap and such? i am just authenticating by doing simple bind. if i should post more details please let me know! with best regards markus
Re: MAC authorisation (but not authentication) via LDAP
Markus Krause wrote: modules { ... ldap LdapUser1 { ldapserv1 } ldap LdapUser2 { ldapserv2 } ... } authorize { ... Autz-Type LdapUser { redundant { LdapUser1 LdapUser2 } } ... } authenticate { ... Auth-Type LdapUser { redundant { LdapUser1 LdapUser2 } } ... } You should be able to replace this last bit with: authenticate { Auth-Type LdapUser1 { LdapUser1 } Auth-Type LdapUser2 { LdapUser2 } } ...and set the set_auth_type = yes on each LDAP module. The general idea is that MODULES should set Auth-Type (to themselves) indicating that they will handle the authenticate phase. Note that the above is still redundant - if the ldap module answered during the authorize phase, there's clearly only a minuscule chance it will have failed by the time authenticate runs. And in fact, if ldap1 succeeds during authorize but fails during authenticate, arguably passing it to ldap2 is an error - example, the user might have just changed their password so ldap1 fails, but ldap2 is still replicating so thinks the old password is valid.
Re: MAC authorisation (but not authentication) via LDAP
Quoting Phil Mayers [EMAIL PROTECTED]: Markus Krause wrote: modules { ... ldap LdapUser1 { ldapserv1 } ldap LdapUser2 { ldapserv2 } ... } authorize { ... Autz-Type LdapUser { redundant { LdapUser1 LdapUser2 } } ... } authenticate { ... Auth-Type LdapUser { redundant { LdapUser1 LdapUser2 } } ... } You should be able to replace this last bit with: authenticate { Auth-Type LdapUser1 { LdapUser1 } Auth-Type LdapUser2 { LdapUser2 } } ...and set the set_auth_type = yes on each LDAP module. The general idea is that MODULES should set Auth-Type (to themselves) indicating that they will handle the authenticate phase. Note that the above is still redundant - if the ldap module answered during the authorize phase, there's clearly only a minuscule chance it will have failed by the time authenticate runs. And in fact, if ldap1 succeeds during authorize but fails during authenticate, arguably passing it to ldap2 is an error - example, the user might have just changed their password so ldap1 fails, but ldap2 is still replicating so thinks the old password is valid. ok, i agree with you, enough redundancy can be achieved by this also. (the ldap servers used here are both consumers of the same provider, all with very low load so it seems quite unlikely that they run out of sync, but one never knows...) but what if the Auth-Type is not set, for example in a perl module (btw. how can i set the auth-type? that would solve my problem here!). example: we (will) have a wlan which can be used by all our users known in ldap and we have additional accounts saved in sql, which can be given to guests by our departments and research groups, these accounts are then valid for a fixed (preset) number of days since their first usage. to check this i wrote a small perl script which works.
so for authorization i use in radiusd.conf: - part of radiusd.conf authorization { Autz-Type WLAN { group { mpi-sta { ok = return } redundant { LdapUser1 LdapUser2 } } } } authentication { Auth-Type WLAN { mpi-sta { notfound = 1 } redundant { LdapUser1 LdapUser2 } } } the Auth-Type is set in users according to the huntgroup of the wlan-switch as the perl script does not set auth-type (because i did not find any documentation on how to set it) so i had to force auth-type to WLAN, now it works.
Re: MAC authorisation (but not authentication) via LDAP
Markus Krause wrote: but what if the Auth-Type is not set, for example in a perl module (btw. how can i set the auth-type? that would solve my problem here!). example: we (will) have a wlan which can be used by all our users known in ldap and we have additional accounts saved in sql, which can be given to guests by our departments and research groups, these accounts are then valid for a fixed (preset) number of days since their first usage. to check this i wrote a small perl script which works. so for authorization i use in radiusd.conf: I'm obviously not understanding what you're trying to do. Auth-Type is meant solely to be a key that indicates to the server which module to call in the authenticate section to execute the authentication *algorithm*. The reason setting Auth-Type is so bad is that it breaks the ability for the server to correctly detect the algorithm and people don't understand why. Disabling an account is not part of the authentication algorithm, and should happen in the authorize section (ideally by setting the Expiration attribute built into FreeRadius, but there are cases where that's not applicable) I assume you're using the mpi-sta module to do something like: if not USERNAME in firstseen: firstseen[USERNAME] = now else: if now - firstseen[USERNAME] > VALIDTIME: return reject In which case they'll just get rejected during authorize and the mpi-sta module doesn't need to (and SHOULD NOT) appear in the authenticate section. - part of radiusd.conf authorization { Autz-Type WLAN { group { mpi-sta { ok = return } redundant { LdapUser1 LdapUser2 } } } } authentication { Auth-Type WLAN { mpi-sta { notfound = 1 } redundant { LdapUser1 LdapUser2 } } } the Auth-Type is set in users according to the huntgroup of the wlan-switch as the perl script does not set auth-type (because i did not find any documentation on how to set it) so i had to force auth-type to WLAN, now it works.
It seems a very complicated way of doing something very simple - I assume I am misunderstanding you.
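The rule Phil sketches above (start a clock on first use, reject once the validity period has passed, and do all of it in authorize without touching Auth-Type) is shown here as an added example. It is not Markus's mpi-sta Perl module and not code from the FreeRADIUS project; it is written against rlm_python's calling convention (an `authorize(p)` hook receiving a tuple of (attribute, value) pairs and returning a module return code, or a (code, reply, config) tuple), which is assumed from that module's documentation. The guest table, the seven-day policy and the numeric fallback values for the return codes are constructed for the example.

```python
# Added example (not Markus's mpi-sta Perl module, nor FreeRADIUS code):
# the "guest account valid N days after first use" rule as an rlm_python
# authorize hook. rlm_python's interface is assumed from its documentation.
import time

try:
    import radiusd  # injected by rlm_python when loaded inside the server
    RLM_MODULE_REJECT = radiusd.RLM_MODULE_REJECT
    RLM_MODULE_OK = radiusd.RLM_MODULE_OK
    RLM_MODULE_NOTFOUND = radiusd.RLM_MODULE_NOTFOUND
    RLM_MODULE_NOOP = radiusd.RLM_MODULE_NOOP
except ImportError:
    # Stand-alone fallback; numeric values assumed to match the server's.
    RLM_MODULE_REJECT, RLM_MODULE_OK, RLM_MODULE_NOTFOUND, RLM_MODULE_NOOP = 0, 2, 6, 7

VALID_DAYS = 7            # constructed policy value
SECONDS_PER_DAY = 86400

# Stand-in for the SQL table of guest accounts: username -> epoch seconds of
# first use, or None if never used. Constructed sample data.
GUESTS = {"guest-alice": None, "guest-bob": 1_000_000}


def check_guest(username, now, guests, valid_days=VALID_DAYS):
    """Return (module return code, reason) for one guest-account lookup.

    Unknown names are NOTFOUND so that a later authorize module (LDAP for
    regular users) can still claim them. An expired guest is REJECTed here,
    in authorize: disabling an account is an authorization decision and
    involves neither Auth-Type nor the authenticate section.
    """
    if username not in guests:
        return RLM_MODULE_NOTFOUND, "not a guest account"
    first_seen = guests[username]
    if first_seen is None:
        guests[username] = now                  # start the validity clock
        return RLM_MODULE_OK, "first use, validity clock started"
    if now - first_seen > valid_days * SECONDS_PER_DAY:
        return RLM_MODULE_REJECT, "guest account expired"
    return RLM_MODULE_OK, "within validity window"


def authorize(p, now=None, guests=GUESTS):
    """rlm_python entry point. It never sets Auth-Type: the PAP/EAP/MSCHAP
    modules pick the authentication algorithm from the request themselves."""
    attrs = dict(p)
    username = attrs.get("User-Name")
    if username is None:
        return RLM_MODULE_NOOP
    current = now if now is not None else int(time.time())
    code, reason = check_guest(username, current, guests)
    if code == RLM_MODULE_REJECT:
        # Tuple form: (return code, reply attributes, control attributes)
        return (code, (("Reply-Message", reason),), ())
    return code
```

Listing the module in authorize before ldap, as Phil's `ok = return` arrangement does, is all the wiring it needs. One consequence of starting the clock in authorize, which Phil's pseudocode shares, is that the first *attempt* starts it, whether or not the password was right; if that matters, record first use in post-auth instead, which only runs after authentication succeeded.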
(Solved) Re: MAC authorisation (but not authentication) via LDAP
Martin Whinnery wrote: Markus Krause wrote: Quoting Martin Whinnery [EMAIL PROTECTED]: Hi. Probly just me not understanding... What I want is for our switches to only allow access to MAC addresses in our LDAP database. I don't want to store passwords on our LDAP host entries. I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value. The trouble comes with authentication - either I set Auth-Type := Accept, in which case any failed authorisation is overridden, or I allow authentication to carry on against LDAP ( or System, or whatever ), in which case it fails always and access is denied, even for authorised MACs. Is there a way to make the Authorisation part final and authoritative? As I say, probly just being stoopid. Mart don't know if it is a good solution, but i just do this by setting the following in radiusd.conf: authenticate { ... Auth-Type LdapMAC { ok } ... } the Auth-Type is set in users file depending on huntgroups: DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC i assume there are better/smarter solutions as one can read don't set Auth-Type on many places but it works here ;-) regards markus Thanks Markus, the problem seems to be that the authorisation pass returns notfound, whereas I want it to reject, as if it found an entry in LDAP without the appropriate attribute. Mart This was exactly the problem. What I've done is created an exec module, which checks for 'not found' in MODULE_FAILURE_MESSAGE, returning non-zero if there's a match. So authorization *fails* rather than succeeds with 'not found'. I think. Anyway, it works. Thanks for all your help. Mart
MAC authorisation (but not authentication) via LDAP
Hi. Probly just me not understanding... What I want is for our switches to only allow access to MAC addresses in our LDAP database. I don't want to store passwords on our LDAP host entries. I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value. The trouble comes with authentication - either I set Auth-Type := Accept, in which case any failed authorisation is overridden, or I allow authentication to carry on against LDAP ( or System, or whatever ), in which case it fails always and access is denied, even for authorised MACs. Is there a way to make the Authorisation part final and authoritative? As I say, probly just being stoopid. Mart
Re: MAC authorisation (but not authentication) via LDAP
Quoting Martin Whinnery [EMAIL PROTECTED]: Hi. Probly just me not understanding... What I want is for our switches to only allow access to MAC addresses in our LDAP database. I don't want to store passwords on our LDAP host entries. I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value. The trouble comes with authentication - either I set Auth-Type := Accept, in which case any failed authorisation is overridden, or I allow authentication to carry on against LDAP ( or System, or whatever ), in which case it fails always and access is denied, even for authorised MACs. Is there a way to make the Authorisation part final and authoritative? As I say, probly just being stoopid. Mart don't know if it is a good solution, but i just do this by setting the following in radiusd.conf: authenticate { ... Auth-Type LdapMAC { ok } ... } the Auth-Type is set in users file depending on huntgroups: DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC i assume there are better/smarter solutions as one can read don't set Auth-Type on many places but it works here ;-) regards markus -- Markus Krause, Mogli-Soft; Support for Mac OS X, Webmail/Horde, LDAP, RADIUS, by order of the Computing Center of the Max-Planck-Institute of Biochemistry. E-Mail: [EMAIL PROTECTED] | Tel.: 089 - 89 40 85 99 | Fax.: 089 - 89 40 85 98 | Skype: markus.krause | iChat: [EMAIL PROTECTED]
Re: MAC authorisation (but not authentication) via LDAP
Markus Krause wrote: don't know if it is a good solution, but i just do this by setting the following in radiusd.conf: authenticate { ... Auth-Type LdapMAC { ok } ... } the Auth-Type is set in users file depending on huntgroups: DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC i assume there are better/smarter solutions as one can read don't set Auth-Type on many places but it works here ;-) Sorry, but it's an awful suggestion. Don't do it, and certainly don't recommend others do it. There's no need to go setting Auth-Type to random values. The correct way to do this is to reject unknown, not blindly accept known. Example - you could modify the ldap group membership query to find groups based on both the username and callingstationid: groupmembership_filter = (| (&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id})) (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})) ) Then in ldap: dn: cn=GoodMacs,dc=example,dc=com objectClass: top objectClass: GroupOfMacaddrs member: 00:11:22:33:44:55 member: 66:77:88:99:aa:bb Then in the users file: DEFAULT Ldap-Group == GoodMacs Fall-Through = No DEFAULT Auth-Type := Reject Reply-Message = your mac is unknown There are lots of variations of this scheme.
Re: MAC authorisation (but not authentication) via LDAP
Markus Krause wrote: Quoting Martin Whinnery [EMAIL PROTECTED]: Hi. Probly just me not understanding... What I want is for our switches to only allow access to MAC addresses in our LDAP database. I don't want to store passwords on our LDAP host entries. I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value. The trouble comes with authentication - either I set Auth-Type := Accept, in which case any failed authorisation is overridden, or I allow authentication to carry on against LDAP ( or System, or whatever ), in which case it fails always and access is denied, even for authorised MACs. Is there a way to make the Authorisation part final and authoritative? As I say, probly just being stoopid. Mart don't know if it is a good solution, but i just do this by setting the following in radiusd.conf: authenticate { ... Auth-Type LdapMAC { ok } ... } the Auth-Type is set in users file depending on huntgroups: DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC i assume there are better/smarter solutions as one can read don't set Auth-Type on many places but it works here ;-) regards markus Thanks Markus, the problem seems to be that the authorisation pass returns notfound, whereas I want it to reject, as if it found an entry in LDAP without the appropriate attribute. Mart
Re: MAC authorisation (but not authentication) via LDAP
Quoting Phil Mayers [EMAIL PROTECTED]: Markus Krause wrote: don't know if it is a good solution, but i just do this by setting the following in radiusd.conf: authenticate { ... Auth-Type LdapMAC { ok } ... } the Auth-Type is set in users file depending on huntgroups: DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC i assume there are better/smarter solutions as one can read don't set Auth-Type on many places but it works here ;-) Sorry, but it's an awful suggestion. Don't do it, and certainly don't recommend others do it. There's no need to go setting Auth-Type to random values. no need to say sorry, and i did not mean this as a suggestion but just show how i did it, along with the warning that it is not a good solution. and i am really open for any suggestions/corrections! The correct way to do this is to reject unknown, not blindly accept known. hmm, maybe i should have been more precise on what i am doing, at least i am not thinking to blindly accept known. let me describe the scenario and what i am doing: we have a radius server which is contacted by a vpn-concentrator, a wlan-router and several switches which have dynamic ports (with vlan based on mac) and 802.1x ports (vlan based on users). depending on the huntgroup (chosen via nas-ip-address) i am setting auth-type and autz-type. i read on several places that this is commonly a very bad idea but i could not think of another way to solve it and it works for me (at least it seems so). again, i am open for any suggestions/corrections! the users for vpn and wlan are authenticated/authorized via ldap user entries (&(uid=..)(objectclass=posixaccount)), some accounts for wlan are also stored in sql (for guests, only valid for a fixed amount of days after first usage). the vlans for users and devices are stored in radiusprofiles.
then finally the mac addresses are stored in a way a dhcpd server can understand also, so i do not have redundant entries (easier to maintain), all known mac addresses are therefore accepted, unknown are rejected (i am using an ldap query 'filter = (dhcpHWAddress=ethernet %{Stripped-User-Name:-%{User-Name}})' and base 'base_filter = (|(objectClass=dhcpHost)(objectClass=ipNetwork))' to verify in the autz section). and here again: any suggestions/corrections are really appreciated! since now (just in testing, not yet fully in production) this solution does what it should, but there are certainly better ways to do this! Example - you could modify the ldap group membership query to find groups based on both the username and callingstationid: groupmembership_filter = (| (&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id})) (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})) ) Then in ldap: dn: cn=GoodMacs,dc=example,dc=com objectClass: top objectClass: GroupOfMacaddrs member: 00:11:22:33:44:55 member: 66:77:88:99:aa:bb Then in the users file: DEFAULT Ldap-Group == GoodMacs Fall-Through = No DEFAULT Auth-Type := Reject Reply-Message = your mac is unknown There are lots of variations of this scheme. i am not sure if your approach could really fulfil my needs (no redundancy, serving different types of requests) ... but i would really like to know ;-) with best regards markus -- Markus Krause, Mogli-Soft; Support for Mac OS X, Webmail/Horde, LDAP, RADIUS, by order of the Computing Center of the Max-Planck-Institute of Biochemistry. E-Mail: [EMAIL PROTECTED] | Tel.: 089 - 89 40 85 99 | Fax.: 089 - 89 40 85 98 | Skype: markus.krause | iChat: [EMAIL PROTECTED]
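Phil's GoodMacs group filter and Markus's dhcpHost lookup are both default-deny checks keyed on the client's MAC: accept only if the directory knows it, reject everything else. The following is an added example, not code from either poster or from the FreeRADIUS project. It evaluates such a filter in memory against a constructed directory, normalises the Calling-Station-Id spellings different NAS vendors send before substituting it, escapes the substituted value per RFC 4515 (FreeRADIUS's own xlat escaping is not reproduced here; the function shows what must happen to the value), and rejects anything not found. The directory entries, the combined filter and the request values are all constructed; only the filter grammar actually used on this page (`&`, `|`, equality) is parsed.

```python
# Added example (not Phil Mayers's or Markus Krause's code, nor FreeRADIUS's):
# default-deny MAC authorisation evaluated against an in-memory LDAP-style
# directory, with the Calling-Station-Id normalised and filter-escaped.
import re

# Constructed directory: Phil's GroupOfMacaddrs group plus a dhcpHost entry of
# the kind Markus's filter looks up. Attribute names are lower-cased keys.
DIRECTORY = [
    {"dn": ["cn=GoodMacs,dc=example,dc=com"],
     "objectclass": ["top", "GroupOfMacaddrs"],
     "member": ["00:11:22:33:44:55", "66:77:88:99:aa:bb"]},
    {"dn": ["cn=printer-3,dc=example,dc=com"], "objectclass": ["dhcpHost"],
     "dhcphwaddress": ["ethernet 00:0b:6b:56:1d:48"]},
]

# Both lookups from the thread, combined with an OR; %{Calling-Station-Id}
# is substituted with the normalised MAC (see decide()).
MAC_FILTER = ("(|(&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id}))"
              "(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet %{Calling-Station-Id})))")

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_XLAT = re.compile(r"%\{([\w-]+)(?::-%\{([\w-]+)\})?\}")


def ldap_escape(value):
    """RFC 4515 escaping for a value spliced into a search filter."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def normalize_mac(station_id):
    """Canonicalise 00-11-22-33-44-55 / 0011.2233.4455 / 001122334455 to
    00:11:22:33:44:55; None for anything that is not a 48-bit MAC."""
    if re.search(r"[^0-9a-fA-F.:\-]", station_id):
        return None
    digits = re.sub(r"[.:\-]", "", station_id)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def expand(template, attrs):
    """Substitute %{Attr} and %{Attr:-%{Fallback}} with escaped request values."""
    def sub(m):
        value = attrs.get(m.group(1))
        if value is None and m.group(2):
            value = attrs.get(m.group(2))
        return ldap_escape(value or "")
    return _XLAT.sub(sub, template)


def parse_filter(text):
    """Parse the filter subset used on this page: (&...), (|...), (attr=value)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, kids), i + 1
    end = s.index(")", i)             # a ')' inside a value is escaped as \29
    attr, value = s[i:end].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.strip(), value), end + 1


def matches(node, entry):
    """Case-insensitive evaluation of a parsed filter against one entry."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))


def decide(request, directory=DIRECTORY):
    """Reject unless the MAC is found: the fail-closed logic Phil describes.
    Falls back to User-Name because MAC-based ports send the MAC there."""
    raw = request.get("Calling-Station-Id") or request.get("User-Name") or ""
    mac = normalize_mac(raw)
    if mac is None:
        return ("reject", "malformed or missing Calling-Station-Id")
    node = parse_filter(expand(MAC_FILTER, dict(request, **{"Calling-Station-Id": mac})))
    if any(matches(node, entry) for entry in directory):
        return ("accept", "mac known")
    return ("reject", "your mac is unknown")
```

The normalisation step is what makes the lookup robust across NAS vendors: a switch that sends `00-0B-6B-56-1D-48` and one that sends `000b.6b56.1d48` must hit the same directory entry, and a value that is not a MAC at all is rejected before it ever reaches the filter. As the thread's subject says, this is authorisation rather than authentication: the directory vouches for an inventory entry, not for the device presenting the address.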
Re: MAC authorisation (but not authentication) via LDAP
Quoting Martin Whinnery [EMAIL PROTECTED]: Thanks Markus, the problem seems to be that the authorisation pass returns notfound, whereas I want it to reject, as if it found an entry in LDAP without the appropriate attribute. Mart Hi Mart, ugh, you are of course right, i forgot one important detail, sorry! (has been quite a time since i set this up and it is getting quite late in the night now ...) directly after the ldap entry in authorize i call a small perl script which checks for $RAD_REQUEST{'Module-Failure-Message'}, and if it is set then return with RLM_MODULE_REJECT, so 'notfound' is replaced by 'reject'. i must admit that this actually is a very dirty solution ... i should really overthink it (although it works ...) regards markus -- Markus Krause, Mogli-Soft; Support for Mac OS X, Webmail/Horde, LDAP, RADIUS, by order of the Computing Center of the Max-Planck-Institute of Biochemistry. E-Mail: [EMAIL PROTECTED] | Tel.: 089 - 89 40 85 99 | Fax.: 089 - 89 40 85 98 | Skype: markus.krause | iChat: [EMAIL PROTECTED]
Re: TTLS-PAP authentication with LDAP bind
Richard Hesse wrote: If I force the Mac or Windows supplicants to use TTLS-PAP, the request is never passed to radiusd. The NAS is broken. I don't know what's going on but my AP (Aruba 200) seems to be detecting that something isn't right with its AAA server Disable the Aruba AAA server. If you're using FreeRADIUS, you DO NOT need the Aruba AAA server. and not passing the request on. If I change the supplicants to use their default settings, the requests are sent to FreeRadius, but the requests fail. Again, the Aruba seems to think that something is wrong and presents its certificate instead of my server's. Disable the Aruba AAA server. Yes, I've run the server in debug mode (there are no requests coming in). Then the NAS is broken. It's not rocket science: If FreeRADIUS isn't getting any requests, then there is NOTHING YOU CAN DO to FreeRADIUS to fix the problem. The NAS is broken. Disable its AAA server. I can't emphasize that enough. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
TTLS-PAP authentication with LDAP bind
First off, I'd like to say thanks in advance to anyone who can help me here. I've spent the past few days searching the list archives and other sites for information on how to accomplish this. The overwhelming message from these searches was that it should just work and that the server will figure out what to do. Sadly, that's not the case here. My goals here are straightforward: -Authorize the user in LDAP if a corresponding entry exists (just checking against uid, nothing fancy). -Support TTLS-PAP and PEAP-GTC. The default Macintosh configuration supports PEAP-GTC with no config. SecureW2 will be used for TTLS-PAP on Windows clients. -Authenticate the user's clear-text password via a simple LDAP bind encrypted via TLS. No userPassword attribute checking here. A simple bind is all. Using version 1.14. Here's my eap.conf with comments stripped out: eap { default_eap_type = ttls timer_expire = 10 ignore_unknown_eap_types = no cisco_accounting_username_bug = no gtc { challenge = Password: auth_type = PAP } tls { private_key_password = foo private_key_file = ${raddbdir}/certs/key.pem certificate_file = ${raddbdir}/certs/cert.pem CA_file = ${raddbdir}/certs/sf_issuing.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes check_crl = no cipher_list = DEFAULT } ttls { default_eap_type = gtc } peap { default_eap_type = gtc } } Relevant sections of radius.conf are: ldap { server = myserverentry basedn = myDN filter = (uid=%{Stripped-User-Name:-%{User-Name}}) start_tls = yes tls_cacertfile = /opt/fedora-ds/alias/intCA.pem tls_require_cert= demand access_attr = uid dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } authorize { preprocess suffix ntdomain eap files ldap pap } authenticate { Auth-Type PAP { pap } Auth-Type LDAP { ldap } eap } If I force the Mac or Windows supplicants to use TTLS-PAP, the request is never passed to radiusd. 
I don't know what's going on but my AP (Aruba 200) seems to be detecting that something isn't right with its AAA server and not passing the request on. If I change the supplicants to use their default settings, the requests are sent to FreeRadius, but the requests fail. Again, the Aruba seems to think that something is wrong and presents its certificate instead of my server's. At one point, I had the clients seeing the server's certificate but I can't seem to get back in that state. So I don't think my AP is broken, I'm pretty sure it's my FreeRadius config that's broken. The users file is unchanged and the proper entries are in clients. Yes, I've run the server in debug mode (there are no requests coming in). Thanks, -richard
Wireless authentication via LDAP
Hello everyone, does any of you get freeradius working with LDAP and AP 1200? Please let me know. I have a hard time to get this system working. If you don't mind, please forward your configuration to me. Thanks, Tho
Re: Wireless authentication via LDAP
Tho Nguyen [EMAIL PROTECTED] wrote: does any of you get freeradius working with LDAP and AP 1200? Please let me know. I have a hard time to get this system working. If you don't mind, please forward your configuration to me. Perhaps you could follow the FAQ, README, etc., and post the output of debugging mode. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Re: Authentication with LDAP
What if you run freeradius with ssl enable, is it still going to show the authenticating user's password while connecting to LDAP in debug mode or in log file? --- Alan DeKok [EMAIL PROTECTED] wrote: fvt3 [EMAIL PROTECTED] wrote: How do you hide password that is sent to LDAP so it will not show up in the log and in debug mode ..Thanks in advance I don't think the LDAP password is logged normally. But it *is* printed out in debugging mode, and that won't change. Printing out what the server is doing is the whole point of debugging mode. Alan DeKok.
Re: Authentication with LDAP
fvt3 [EMAIL PROTECTED] wrote: How do you hide password that is sent to LDAP so it will not show up in the log and in debug mode ..Thanks in advance I don't think the LDAP password is logged normally. But it *is* printed out in debugging mode, and that won't change. Printing out what the server is doing is the whole point of debugging mode. Alan DeKok.
CHAP Authentication But LDAP Authorization?
I have CHAP (PEAP) authentication working against my Samba PDC via ntlm_auth. I want to use that authentication but have users and their parameters from an LDAP DSA (that contains the SAM Samba is using). I see that a radius schema file is included and has an auxiliary objectclass. But I can't seem to find any information on using LDAP for the user database but EAP/ntlm_auth for the authentication. Is this possible? -- Adam Tauno Williams - http://www.whitemice.org
Authentication using LDAP on port 636
Hi, I installed freeradius 1.0.1 for RHEL4 from RedHat network. As an ldap server I have Sun Directory server 5.2 patch3 with SSL enabled. I have plenty of applications using port 636 to access LDAP (ypldapd from padl, /etc/ldap.conf on linux, Mozilla address book, etc..) . With freeradius as long as I use standard port 389 I don't have problems to use LDAP, but I have problems to use port 636 (Can't contact LDAP server). Or I missed something but I seem to be unable to find a procedure how to setup freeradius using SSL. Any help would be appreciated Thanks, Dany
Re: Authorization via LDAP and Files, Authentication via LDAP
Michael Kopp [EMAIL PROTECTED] wrote: I installed Freeradius 0.9.3 on the same box, and did a test for the notfound=return and it worked in that version, in Version 1.0.1 it is not working, could somebody acknowledge that ? I said I would look into it. The CVS snapshot from today contains the fix, which will also be in 1.0.2. Alan DeKok.
Re: Authorization via LDAP and Files, Authentication via LDAP
From: Alan DeKok [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Authorization via LDAP and Files, Authentication via LDAP Date: Sat, 16 Oct 2004 12:40:53 -0400 Reply-To: [EMAIL PROTECTED] Michael Kopp [EMAIL PROTECTED] wrote: I installed Freeradius 0.9.3 on the same box, and did a test for the notfound=return and it worked in that version, in Version 1.0.1 it is not working, could somebody acknowledge that ? I said I would look into it. Sorry I didn't want to bother you, I only read the digest form of this list, so I saw your response only after I wrote this message The CVS snapshot from today contains the fix, which will also be in 1.0.2. Thanks again for your great and fast help !!! Michael
Re: Authorization via LDAP and Files, Authentication via LDAP
Alan DeKok aland[AT]ox.org wrote: Michael Kopp michael.kopp[AT]gmx.net wrote: radiusd.conf[1559] Unknown configuration directive ldap in authorize section. ... ldap{ Try putting a space in between ldap and { Alan DeKok. hmm, same error as before , ... ldap { notfound = return } files ... I also tested ldap { notfound = return } files and ldap {notfound = return } files and ldap { notfound=return } files and ldap {notfound=return } files all combinations are resulting in the same error : radiusd.conf[1559] Unknown configuration directive ldap in authorize section. By the way, I'm using Freeradius 1.0.1 I tested this now on two different machines Sparc Solaris 9 and Intel Debian Linux Sarge Installation Regards Michael
Re: Authorization via LDAP and Files, Authentication via LDAP
Michael Kopp [EMAIL PROTECTED] wrote: Try putting a space in between ldap and { hmm, same error as before , Weird. It's supposed to work. I'll take a look at it. Alan DeKok.
Re: Authorization via LDAP and Files, Authentication via LDAP
Hi all,

I installed Freeradius 0.9.3 on the same box, and did a test for the notfound=return and it worked in that version. In Version 1.0.1 it is not working; could somebody acknowledge that? If it is a bug, could somebody fix it (maybe for FR 1.0.2), or give me some hints at which files I have to look in order to fix it (I'm not very experienced in programming).

Regards
Michael

Alan DeKok aland[AT]ox.org wrote:
> > Michael Kopp michael.kopp[AT]gmx.net wrote:
> > > radiusd.conf[1559] Unknown configuration directive ldap in authorize section.
> > > ...
> > > ldap{
> >
> >   Try putting a space in between ldap and {
> >
> >   Alan DeKok.
>
> hmm, same error as before,
>
> ...
> ldap {
> 	notfound = return
> }
> files
> ...
>
> I also tested
>
> 	ldap { notfound = return } files
> and
> 	ldap {notfound = return } files
> and
> 	ldap { notfound=return } files
> and
> 	ldap {notfound=return } files
>
> all combinations are resulting in the same error:
>
> radiusd.conf[1559] Unknown configuration directive ldap in authorize section.
>
> By the way, I'm using Freeradius 1.0.1. I tested this now on two different machines, Sparc Solaris 9 and Intel Debian Linux Sarge Installation.
>
> Regards
> Michael
Re: Authorization via LDAP and Files, Authentication via LDAP
	#  the 'etc_smbpasswd' module, above.
#	etc_smbpasswd

	#
	#  The ldap module will set Auth-Type to LDAP if it has not
	#  already been set
	ldap{
		notfound = return
	}
	files

	#
	#  Enforce daily limits on time spent logged in.
#	daily

	#
	#  Use the checkval module
#	checkval
}

do you need more infos to help me?

regards
Michael

--- Forwarded Message ---
Date: Tue, 12 Oct 2004 21:50:59 +0200 (MEST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Authorization via LDAP and Files, Authentication via LDAP

Hi all,

I have some problems getting Freeradius to work with the following configuration: Freeradius should check if the user exists in LDAP and also should authenticate the user via LDAP. As we are not planning to integrate the RADIUS-LDAPv3.schema, we want to add Return-Attributes via the users file. I read in freeradius/docs/rlm-ldap.txt that I should add { notfound=return } to the ldap entry in the authorize section. When doing this I always get the error seen below:

gaia:/usr/local/etc/raddb# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
/usr/local/etc/raddb/radiusd.conf[1654]: Unexpected end of section
Errors reading radiusd.conf

Here is my authorize section of radiusd.conf

authorize {
	#
	#  The preprocess module takes care of sanitizing some bizarre
	#  attributes in the request, and turning them into attributes
	#  which are more standard.
	#
	#  It takes care of processing the 'raddb/hints' and the
	#  'raddb/huntgroups' files.
	#
	#  It also adds the %{Client-IP-Address} attribute to the request.
	preprocess

	#
	#  If you want to have a log of authentication requests,
	#  un-comment the following line, and the 'detail auth_log'
	#  section, above.
#	auth_log

#	attr_filter

	#
	#  The chap module will set 'Auth-Type := CHAP' if we are
	#  handling a CHAP request and Auth-Type has not already been set
	chap

	#
	#  If the users are logging in with an MS-CHAP-Challenge
	#  attribute for authentication, the mschap module will find
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
	#  to the request, which will cause the server to then use
	#  the mschap module for authentication.
	mschap

	#
	#  If you are using multiple kinds of realms, you probably
	#  want to set ignore_null = yes for all of them.
	#  Otherwise, when the first style of realm doesn't match,
	#  the other styles won't be checked.
	#
	suffix
#	ntdomain

	#
	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
	#  authentication.
	#
	#  It also sets the EAP-Type attribute in the request
	#  attribute list to the EAP type from the packet.
	eap

	#
	#  The ldap module will set Auth-Type to LDAP if it has not
	#  already been set
	ldap {
		notfound=return
	}
	files
#	daily
#	checkval
}

Also it would be great if somebody could give me a hint if this users file entry is correct for the above situation:

radiustest	Service-Type = Framed-User
	Framed-Protocol = PPP,
	Framed-IP-Address = 3.3.3.3

From my understanding Service-Type = Framed-User is now a Check-Item (if I understand the users file syntax correctly), but what I want to achieve is that there is no Check-Item at all in the users file and only Reply Items are stated in the users file.

Kind regards
Michael
Re: Authorization via LDAP and Files, Authentication via LDAP
Michael Kopp [EMAIL PROTECTED] wrote:
> radiusd.conf[1559] Unknown configuration directive ldap in authorize section.
> ...
> ldap{

  Try putting a space in between ldap and {

  Alan DeKok.
Re: Authorization via LDAP and Files, Authentication via LDAP
On Tue, 12 Oct 2004 [EMAIL PROTECTED] wrote:

> Hi all,
>
> I have some problems getting Freeradius to work with the following configuration: Freeradius should check if the user exists in LDAP and also should authenticate the user via LDAP. As we are not planning to integrate the RADIUS-LDAPv3.schema, we want to add Return-Attributes via the users file. I read in freeradius/docs/rlm-ldap.txt that I should add { notfound=return } to the ldap entry in the authorize section. When doing this I always get the error seen below:
>
> gaia:/usr/local/etc/raddb# radiusd -X
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/etc/raddb/proxy.conf
> Config: including file: /usr/local/etc/raddb/clients.conf
> Config: including file: /usr/local/etc/raddb/snmp.conf
> Config: including file: /usr/local/etc/raddb/eap.conf
> Config: including file: /usr/local/etc/raddb/sql.conf
> /usr/local/etc/raddb/radiusd.conf[1654]: Unexpected end of section
> Errors reading radiusd.conf
>
> Here is my authorize section of radiusd.conf
>
> authorize {
> 	ldap {
> 		notfound=return
> 	}

Please do:

ldap{
	notfound = return
}

> 	files
> #	daily
> #	checkval
> }
>
> Also it would be great if somebody could give me a hint if this users file entry is correct for the above situation:
>
> radiustest	Service-Type = Framed-User
> 	Framed-Protocol = PPP,
> 	Framed-IP-Address = 3.3.3.3
>
> From my understanding Service-Type = Framed-User is now a Check-Item (if I understand the users file syntax correctly), but what I want to achieve is that there is no Check-Item at all in the users file and only Reply Items are stated in the users file.

radiustest
	Framed-Protocol = PPP,
	Framed-IP-Address = 3.3.3.3

How about that?

> Kind regards
> Michael

--
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]	National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf
Authorization via LDAP and Files, Authentication via LDAP
Hi all,

I have some problems getting Freeradius to work with the following configuration: Freeradius should check if the user exists in LDAP and also should authenticate the user via LDAP. As we are not planning to integrate the RADIUS-LDAPv3.schema, we want to add Return-Attributes via the users file. I read in freeradius/docs/rlm-ldap.txt that I should add { notfound=return } to the ldap entry in the authorize section. When doing this I always get the error seen below:

gaia:/usr/local/etc/raddb# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
/usr/local/etc/raddb/radiusd.conf[1654]: Unexpected end of section
Errors reading radiusd.conf

Here is my authorize section of radiusd.conf

authorize {
	#
	#  The preprocess module takes care of sanitizing some bizarre
	#  attributes in the request, and turning them into attributes
	#  which are more standard.
	#
	#  It takes care of processing the 'raddb/hints' and the
	#  'raddb/huntgroups' files.
	#
	#  It also adds the %{Client-IP-Address} attribute to the request.
	preprocess

	#
	#  If you want to have a log of authentication requests,
	#  un-comment the following line, and the 'detail auth_log'
	#  section, above.
#	auth_log

#	attr_filter

	#
	#  The chap module will set 'Auth-Type := CHAP' if we are
	#  handling a CHAP request and Auth-Type has not already been set
	chap

	#
	#  If the users are logging in with an MS-CHAP-Challenge
	#  attribute for authentication, the mschap module will find
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
	#  to the request, which will cause the server to then use
	#  the mschap module for authentication.
	mschap

	#
	#  If you are using multiple kinds of realms, you probably
	#  want to set ignore_null = yes for all of them.
	#  Otherwise, when the first style of realm doesn't match,
	#  the other styles won't be checked.
	#
	suffix
#	ntdomain

	#
	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
	#  authentication.
	#
	#  It also sets the EAP-Type attribute in the request
	#  attribute list to the EAP type from the packet.
	eap

	#
	#  The ldap module will set Auth-Type to LDAP if it has not
	#  already been set
	ldap {
		notfound=return
	}
	files
#	daily
#	checkval
}

Also it would be great if somebody could give me a hint if this users file entry is correct for the above situation:

radiustest	Service-Type = Framed-User
	Framed-Protocol = PPP,
	Framed-IP-Address = 3.3.3.3

From my understanding Service-Type = Framed-User is now a Check-Item (if I understand the users file syntax correctly), but what I want to achieve is that there is no Check-Item at all in the users file and only Reply Items are stated in the users file.

Kind regards
Michael
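Michael's question about which part of his entry is a check item and which are reply items follows from the layout of the users file: whatever sits on the same line as the user name is a check item, and the indented lines that follow hold the reply items. The parser below is an added example, not FreeRADIUS code, that reads entries in that layout and separates the two lists; the two entries it ships with are constructed from the ones in this thread (Michael's original and Kostas' reply-only version). It records operators but does not evaluate them; what =, == and := mean for a check item is described in the users file documentation, not here.

```python
"""Split FreeRADIUS 'users' file entries into check items and reply items.

Added example, not FreeRADIUS code. Layout rule implemented here: a line
that starts in column 0 begins an entry ("<name> <check items>"); the
indented lines that follow it hold the reply items. Items are comma
separated and a trailing comma continues the list on the next line.
Operator semantics (=, ==, :=, ...) are recorded, not evaluated.
"""
import re

# One item: attribute, operator, value (quoted or bare), optional comma.
_ITEM_RE = re.compile(
    r'\s*([\w-]+)\s*(:=|==|\+=|!=|=~|!~|>=|<=|=|>|<)\s*("[^"]*"|[^,\s]+)\s*(?:,|$)'
)


def _split_items(text):
    """Turn 'A = 1, B := "x, y"' into [('A', '=', '1'), ('B', ':=', 'x, y')]."""
    items, pos = [], 0
    for m in _ITEM_RE.finditer(text):
        if m.start() != pos:
            raise ValueError(f"cannot parse {text[pos:m.start()]!r}")
        attr, op, value = m.groups()
        items.append((attr, op, value.strip('"')))
        pos = m.end()
    if text[pos:].strip():
        raise ValueError(f"trailing junk {text[pos:]!r}")
    return items


def parse_users(text):
    """Return one {'name', 'check', 'reply'} dict per entry in the file text."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            # Column 0: a new entry. Everything after the name is a check item.
            parts = raw.split(None, 1)
            current = {
                "name": parts[0],
                "check": _split_items(parts[1]) if len(parts) > 1 else [],
                "reply": [],
            }
            entries.append(current)
        elif current is not None:
            # Indented continuation lines are reply items.
            current["reply"].extend(_split_items(raw))
        else:
            raise ValueError(f"reply items before any entry: {raw!r}")
    return entries


def check_attribute_names(entry):
    """Attributes an entry would test before its reply items are returned."""
    return [attr for attr, _op, _val in entry["check"]]


# Constructed from the two entries discussed in the thread.
ORIGINAL_ENTRY = (
    "radiustest\tService-Type = Framed-User\n"
    "\tFramed-Protocol = PPP,\n"
    "\tFramed-IP-Address = 3.3.3.3\n"
)
REPLY_ONLY_ENTRY = (
    "radiustest\n"
    "\tFramed-Protocol = PPP,\n"
    "\tFramed-IP-Address = 3.3.3.3\n"
)

if __name__ == "__main__":
    for text in (ORIGINAL_ENTRY, REPLY_ONLY_ENTRY):
        for entry in parse_users(text):
            print(entry["name"], "check:", entry["check"], "reply:", entry["reply"])
```

Running it shows the first entry carrying Service-Type as its only check item and the second carrying none, which is the difference between Michael's entry and the one Kostas suggested.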
RE: RE: Fwd: Re: Wireless authentication via LDAP and PEAP
Hi,

Well we are looking at a time frame of Jan/Feb 2005 for the complete product. However we will be submitting patches at regular intervals to freeradius.

Sayantan

> Sorry for not making the distinction. It's all Novell to me ;-)
>
> Any ETA?
>
> Peter
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sayantan Bhowmick
> Sent: Monday, 13 September 2004 7:30 PM
> To: [EMAIL PROTECTED]
> Subject: Re: RE: Fwd: Re: Wireless authentication via LDAP and PEAP
>
> > CHAP. No EAP or MSCHAP yet.
> >
> > Novell Radius which was bundled with NMAS / Border Manager does have support for CHAP. Novell is working on a new FreeRadius based Radius solution that will support all the above mentioned methods. Again eDirectory on its own does not support CHAP, EAP, MS-CHAP.
> >
> > Sayantan
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> > Sent: Friday, 10 September 2004 10:39 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Fwd: Re: Wireless authentication via LDAP and PEAP
> >
> > > Sayantan Bhowmick [EMAIL PROTECTED] wrote:
> > > > Novell is working towards making FreeRADIUS work with eDirectory. This will allow eDirectory users to authenticate via FreeRADIUS.
> > >
> > >   Does eDirectory do CHAP, MS-CHAP, or EAP?
> > >
> > >   Alan DeKok.
RE: RE: Fwd: Re: Wireless authentication via LDAP and PEAP
Sorry for not making the distinction. It's all Novell to me ;-)

Any ETA?

Peter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sayantan Bhowmick
Sent: Monday, 13 September 2004 7:30 PM
To: [EMAIL PROTECTED]
Subject: Re: RE: Fwd: Re: Wireless authentication via LDAP and PEAP

> CHAP. No EAP or MSCHAP yet.
>
> Novell Radius which was bundled with NMAS / Border Manager does have support for CHAP. Novell is working on a new FreeRadius based Radius solution that will support all the above mentioned methods. Again eDirectory on its own does not support CHAP, EAP, MS-CHAP.
>
> Sayantan
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Friday, 10 September 2004 10:39 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Fwd: Re: Wireless authentication via LDAP and PEAP
>
> > Sayantan Bhowmick [EMAIL PROTECTED] wrote:
> > > Novell is working towards making FreeRADIUS work with eDirectory. This will allow eDirectory users to authenticate via FreeRADIUS.
> >
> >   Does eDirectory do CHAP, MS-CHAP, or EAP?
> >
> >   Alan DeKok.
Re: Fwd: Re: Wireless authentication via LDAP and PEAP
> > Hi,
> >
> > Novell is working towards making FreeRADIUS work with eDirectory. This will allow eDirectory users to authenticate via FreeRADIUS.
> >
> > regards
> > Sayantan
>
> Hmm... We can do that already. Just use EAP-TTLS/PAP and have freeradius authenticate via an LDAP bind rather than a password compare. It works great for me.

That's correct. But it is not possible to use password based authentication methods such as MS-CHAP, EAP. For this the user's plain text password should be available at the radius server side. We are going to make the plain text password available to the radius server to allow support for these password based authentication methods. eDirectory on its own does not support CHAP, EAP etc.

Regards
Sayantan
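The distinction drawn in this exchange (an LDAP bind is enough for PAP, including PAP tunnelled in EAP-TTLS, but MS-CHAP and the EAP methods need the password itself on the RADIUS side) comes down to what a bind can answer. The sketch below is an added example, not FreeRADIUS or Novell code; the directory, the user name and the password are constructed, and the challenge/response method shown is plain CHAP from RFC 1994 (MD5 over identifier, secret and challenge), which is the simplest method with the same requirement. MS-CHAP needs the NT hash rather than the cleartext, but the reasoning is identical: the server must compute the expected response itself, and a directory that only offers bind has no way to check a value it has never seen.

```python
"""Why an LDAP bind is enough for PAP but not for challenge/response methods.

Added example, not FreeRADIUS or Novell code. The directory, user name and
password below are constructed. The CHAP computation follows RFC 1994:
response = MD5(identifier || secret || challenge).
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed directory. A server that can only *bind* never reads these
# values; it can only ask "is this password right for this user?".
_DIRECTORY = {"radiustest": "correct-horse"}


def ldap_bind(username: str, password: str) -> bool:
    """Simulates an LDAP simple bind: the directory does the comparison."""
    stored = _DIRECTORY.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def pap_authenticate(username: str, password: str) -> bool:
    """PAP (also PAP inside EAP-TTLS): the cleartext password is in the
    request, so forwarding it to the directory as a bind is sufficient."""
    return ldap_bind(username, password)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response, computed identically by client and server."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


def chap_authenticate(ident: int, challenge: bytes, response: bytes,
                      known_good_password: Optional[str]) -> bool:
    """CHAP: the server must recompute the response itself.

    known_good_password is whatever cleartext the server could read from the
    directory. With a bind-only directory it could read none, so there is
    nothing to compute with; FreeRADIUS reports this as "No known good
    password" and the request is rejected.
    """
    if known_good_password is None:
        return False
    expected = chap_response(ident, known_good_password, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the cases from the thread and return accept/reject per case."""
    ident, challenge = 1, os.urandom(16)
    # What a CHAP client sends: it knows the secret, so it can compute this.
    response = chap_response(ident, "correct-horse", challenge)
    return {
        "pap_via_bind": pap_authenticate("radiustest", "correct-horse"),
        "pap_wrong_password": pap_authenticate("radiustest", "wrong"),
        # Directory only offers bind: the server has no cleartext to work with.
        "chap_bind_only": chap_authenticate(ident, challenge, response, None),
        # Cleartext (or, for MS-CHAP, the NT hash) readable: the server can verify.
        "chap_with_cleartext": chap_authenticate(ident, challenge, response, "correct-horse"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} -> {'accept' if ok else 'reject'}")
```

The "chap_bind_only" case is the one the thread is about: the directory would happily confirm the cleartext password if it were sent, but in a challenge/response exchange it never is, so the RADIUS server needs readable credentials of its own.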
Re: RE: Fwd: Re: Wireless authentication via LDAP and PEAP
CHAP. No EAP or MSCHAP yet.

Novell Radius which was bundled with NMAS / Border Manager does have support for CHAP. Novell is working on a new FreeRadius based Radius solution that will support all the above mentioned methods. Again eDirectory on its own does not support CHAP, EAP, MS-CHAP.

Sayantan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, 10 September 2004 10:39 PM
To: [EMAIL PROTECTED]
Subject: Re: Fwd: Re: Wireless authentication via LDAP and PEAP

> Sayantan Bhowmick [EMAIL PROTECTED] wrote:
> > Novell is working towards making FreeRADIUS work with eDirectory. This will allow eDirectory users to authenticate via FreeRADIUS.
>
>   Does eDirectory do CHAP, MS-CHAP, or EAP?
>
>   Alan DeKok.
RE: Fwd: Re: Wireless authentication via LDAP and PEAP
CHAP. No EAP or MSCHAP yet.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, 10 September 2004 10:39 PM
To: [EMAIL PROTECTED]
Subject: Re: Fwd: Re: Wireless authentication via LDAP and PEAP

> Sayantan Bhowmick [EMAIL PROTECTED] wrote:
> > Novell is working towards making FreeRADIUS work with eDirectory. This will allow eDirectory users to authenticate via FreeRADIUS.
>
>   Does eDirectory do CHAP, MS-CHAP, or EAP?
>
>   Alan DeKok.
Fwd: Re: Wireless authentication via LDAP and PEAP
Hi,

Novell is working towards making FreeRADIUS work with eDirectory. This will allow eDirectory users to authenticate via FreeRADIUS.

regards
Sayantan
Re: Fwd: Re: Wireless authentication via LDAP and PEAP
Sayantan Bhowmick [EMAIL PROTECTED] wrote:
> Novell is working towards making FreeRADIUS work with eDirectory. This will allow eDirectory users to authenticate via FreeRADIUS.

  Does eDirectory do CHAP, MS-CHAP, or EAP?

  Alan DeKok.
Fwd: Re: Wireless authentication via LDAP and PEAP
[EMAIL PROTECTED] 9/9/2004 10:59:31 PM
> Hi,
>
> Novell is working towards making FreeRADIUS work with eDirectory. This will allow eDirectory users to authenticate via FreeRADIUS.
>
> regards
> Sayantan

Hmm... We can do that already. Just use EAP-TTLS/PAP and have freeradius authenticate via an LDAP bind rather than a password compare. It works great for me.
Wireless authentication via LDAP and PEAP
Hi again,

Here is the eap.conf file referenced in my previous message.

eap.conf
***
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#  $Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $
#
eap {
	#  Invoke the default supported EAP type when
	#  EAP-Identity response is received.
	#
	#  The incoming EAP messages DO NOT specify which EAP
	#  type they will be using, so it MUST be set here.
	#
	#  For now, only one default EAP type may be used at a time.
	#
	#  If the EAP-Type attribute is set by another module,
	#  then that EAP type takes precedence over the
	#  default type configured here.
	#
	default_eap_type = peap

	#  A list is maintained to correlate EAP-Response
	#  packets with EAP-Request packets.  After a
	#  configurable length of time, entries in the list
	#  expire, and are deleted.
	#
	timer_expire = 60

	#  There are many EAP types, but the server has support
	#  for only a limited subset.  If the server receives
	#  a request for an EAP type it does not support, then
	#  it normally rejects the request.  By setting this
	#  configuration to "yes", you can tell the server to
	#  instead keep processing the request.  Another module
	#  MUST then be configured to proxy the request to
	#  another RADIUS server which supports that EAP type.
	#
	#  If another module is NOT configured to handle the
	#  request, then the request will still end up being
	#  rejected.
	ignore_unknown_eap_types = no

	#  Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
	#  a User-Name attribute in an Access-Accept, it copies one
	#  more byte than it should.
	#
	#  We can work around it by configurably adding an extra
	#  zero byte.
	cisco_accounting_username_bug = no

	#  Supported EAP-types
	#
	#  We do NOT recommend using EAP-MD5 authentication
	#  for wireless connections.  It is insecure, and does
	#  not provide for dynamic WEP keys.
	#
	#md5 {
	#}

	#  Cisco LEAP
	#
	#  We do not recommend using LEAP in new deployments.  See:
	#  http://www.securiteam.com/tools/5TP012ACKE.html
	#
	#  Cisco LEAP uses the MS-CHAP algorithm (but not
	#  the MS-CHAP attributes) to perform it's authentication.
	#
	#  As a result, LEAP *requires* access to the plain-text
	#  User-Password, or the NT-Password attributes.
	#  'System' authentication is impossible with LEAP.
	#
	#leap {
	#}

	#  Generic Token Card.
	#
	#  Currently, this is only permitted inside of EAP-TTLS,
	#  or EAP-PEAP.  The module "challenges" the user with
	#  text, and the response from the user is taken to be
	#  the User-Password.
	#
	#  Proxying the tunneled EAP-GTC session is a bad idea,
	#  the users password will go over the wire in plain-text,
	#  for anyone to see.
	#
	#gtc {
		#  The default challenge, which many clients
		#  ignore..
		#challenge = "Password: "

		#  The plain-text response which comes back
		#  is put into a User-Password attribute,
		#  and passed to another module for
		#  authentication.  This allows the EAP-GTC
		#  response to be checked against plain-text,
		#  or crypt'd passwords.
		#
		#  If you say "Local" instead of "PAP", then
		#  the module will look for a User-Password
		#  configured for the request, and do the
		#  authentication itself.
		#
		#auth_type = PAP
	#}

	## EAP-TLS
	#
	#  To generate ctest certificates, run the script
	#
	#	../scripts/certs.sh
	#
	#  The documents on http://www.freeradius.org/doc
	#  are old, but may be helpful.
	#
	#  See also:
	#
	#  http://www.dslreports.com/forum/remark,9286052~mode=flat
	#
	#tls {
		#private_key_password = SiFi2003
		#private_key_file = ${raddbdir}/certs/cert-srv.pem

		#  If Private key & Certificate are located in
		#  the same file, then private_key_file &
		#  certificate_file must contain the same file
		#  name.
		#certificate_file = ${raddbdir}/certs/cert-srv.pem

		#  Trusted Root CA list
		#CA_file = ${raddbdir}/certs/demoCA/cacert.pem

		#dh_file = ${raddbdir}/certs/dh
		#random_file = ${raddbdir}/certs/random
		#
		#  This can never exceed the size of a RADIUS
		#  packet (4096 bytes), and is preferably half
		#  that, to accomodate other attributes in
		#  RADIUS packet.  On most APs the MAX packet
		#  length is configured between 1500 - 1600
		#  In these cases, fragment size should be
		#  1024 or less.
		#
		#fragment_size = 1024

		#  include_length is a flag which is
		#  by default set to yes If set to
		#  yes, Total Length of the message is
		#  included in EVERY packet we send.
		#  If set to no, Total Length of the
		#  message is included ONLY in the
		#  First packet of a fragment series.
		#
		#include_length = yes

		#  Check the Certificate Revocation List
		#
		#  1) Copy CA certificates and CRLs to same directory.
		#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
		#     'c_rehash' is OpenSSL's command.
		#  3) Add 'CA_path=<CA certs&CRLs directory>'
		#     to radiusd.conf's tls section.
		#  4) uncomment the line below.
		#  5) Restart radiusd
		#check_crl = yes

		#
		#  If check_cert_cn is set, the value will
		#  be xlat'ed and checked against the CN
		#  in the client certificate.  If the values
		#  do not match, the certificate verification
		#  will fail rejecting the user.
		#
		#  check_cert_cn = %{User-Name}
	#}

	#  The TTLS module implements the EAP-TTLS protocol,
	#  which can
Wireless authentication via LDAP and PEAP
Hello folks,

I've been trying to setup FreeRadius in order to authenticate my wireless users against my Novell eDirectory via the built in LDAP server. Here is what is happening in my current situation:

I connect wirelessly to AP. Enter authentication information into Windows XP (SP2, if that matters) and click OK. On the Radius screen, I see that the request is sent to the LDAP server. The EAP module of FreeRadius responds OK over and over and over again infinitely until I either kill my wireless connection or the server thread. I'm never given an IP address via WPA after authentication.

I don't think something is working correctly. I can radping the server and get an auth accept message back, but nothing from the AP.

I have read that most access points need PEAP, as does Windows XP. So I look in my radiusd.conf file and have found NO REFERENCE in it to PEAP. However, I found an eap.conf file in the same directory which does make reference to PEAP. I have typed in an $INCLUDE line in the radiusd.conf to point to this and commented out all other eap references in the EAP section of radiusd.conf. I have only uncommented PEAP and MSCHAPV2 in my EAP.CONF file.

When I go to start radius via radiusd -X I get the following error:

 eap: default_eap_type = "peap"
 eap: timer_expire = 60
rlm_eap: Invalid type name peap cannot be linked
radiusd.conf[9]: eap: Module instantiation failed.

Did something not compile correctly? I reran the install sequence and did not see any errors regarding anything other than the configuration files (which would already be present). Is there a file somewhere where I need to manually link the peap module? I have even configured and installed the module separately with no errors by going to the src/modules/rlm_eap/types/rlm_eap_peap folder and have had no luck.

I'm not a linux guru, so this may perhaps be my fault. I do, however, need to get this working in fairly short order for a project we have coming up in the next month.

Thanks for any assistance you can provide. I have already sent the eap.conf file (sorry... first two messages refused). I can send my radiusd.conf under separate cover if necessary.
RE: Wireless authentication via LDAP and PEAP
Hi Jon,

You haven't configured EAP-TLS despite the fact that it clearly says in the notes in the PEAP section that for PEAP to work EAP-TLS must be enabled even if you don't plan to use EAP-TLS specifically. Uncomment the tls section and configure it with your server's certificate, etc, and everything will work just fine.

Regards,
Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Stahler
Sent: 08 September 2004 20:50
To: [EMAIL PROTECTED]
Subject: Wireless authentication via LDAP and PEAP

> Hi again,
>
> Here is the eap.conf file referenced in my previous message.
>
> eap.conf
> ***
> [snip]
RE: Wireless authentication via LDAP and PEAP
Hi Guy,

When I do that, it tells me that I don't have a server cert. The LDAP server is my netware box, not the linux box. I'm confused as to how to make a cert in this situation. Please help. Also, how would this cause a module unknown error?

Jon Stahler
Manager of Systems Services
Illinois Fire Service Institute
11 Gerty Drive
Champaign, IL 61820
(217) 333-2163

[EMAIL PROTECTED] 09/08/04 3:04 PM
> Hi Jon,
>
> You haven't configured EAP-TLS despite the fact that it clearly says in the notes in the PEAP section that for PEAP to work EAP-TLS must be enabled even if you don't plan to use EAP-TLS specifically. Uncomment the tls section and configure it with your server's certificate, etc, and everything will work just fine.
>
> Regards,
> Guy
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Stahler
> Sent: 08 September 2004 20:50
> To: [EMAIL PROTECTED]
> Subject: Wireless authentication via LDAP and PEAP
>
> > Hi again,
> >
> > Here is the eap.conf file referenced in my previous message.
> >
> > eap.conf
> > ***
> > [snip]
RE: Wireless authentication via LDAP and PEAP
Hi Jon,

You *must* create a certificate for the RADIUS server. That is the certificate about which it is complaining. You need to use something like OpenSSL (on the box running RADIUS?) or Microsoft's Certificate Services (on a Windows Server 2000/2003 box). Once you've created it and placed it onto the RADIUS server (in PEM format) then you can reference the certificate and key in the tls module. If you don't do this, your peap module will never work.

The module unknown error refers to the fact (I think) that you haven't initialised the tls module that is being referenced by the peap module.

Regards,
Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Stahler
Sent: 08 September 2004 21:23
To: [EMAIL PROTECTED]
Subject: RE: Wireless authentication via LDAP and PEAP

[snip]
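The misconfiguration Guy is pointing at (a peap section that references a tls section which is still commented out, so the server has no certificate and the module is never initialised) can be caught before starting radiusd. The script below is an added example, not FreeRADIUS code and not from anyone in this thread: it parses the `section { key = value }` dialect visible in the quoted eap.conf (with `#` comments and nesting, but no `$INCLUDE` or `${var}` expansion) and reports a PEAP/TTLS setup whose `tls` sub-section is missing or lacks `certificate_file` / `private_key_file` (real rlm_eap tls option names). Both sample configurations and the certificate paths in them are constructed for the example.

```python
"""Lint an eap.conf-style file for the PEAP -> tls prerequisite.

Added example. Parser covers only 'name { key = value }' with '#' comments
and nested sections; $INCLUDE and ${var} expansion are out of scope.
Sample configs and PEM paths below are constructed placeholders.
"""
import re
from typing import Dict, List

Section = Dict[str, object]          # str values, or a nested Section

_KV = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")


def parse_radius_conf(text: str) -> Section:
    """Parse FreeRADIUS-style config text into nested dicts."""
    root: Section = {}
    stack: List[Section] = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # comments vanish, so a commented-out tls { } vanishes too
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
        elif line.endswith("{"):
            child: Section = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            m = _KV.match(line)
            if not m:
                raise ValueError(f"line {lineno}: cannot parse {raw!r}")
            stack[-1][m.group(1)] = m.group(2).strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unterminated section at end of file")
    return root


TUNNELLED = ("peap", "ttls", "tls")
REQUIRED_TLS_KEYS = ("certificate_file", "private_key_file")


def check_eap_conf(text: str) -> List[str]:
    """Return human-readable problems; an empty list means PEAP can start."""
    conf = parse_radius_conf(text)
    eap = conf.get("eap")
    if not isinstance(eap, dict):
        return ["no 'eap' section found"]
    problems: List[str] = []
    default_type = eap.get("default_eap_type")
    needs_tls = default_type in TUNNELLED or any(t in eap for t in ("peap", "ttls"))
    if not needs_tls:
        return problems
    tls = eap.get("tls")
    if not isinstance(tls, dict):
        problems.append("tls: sub-section missing (still commented out?) although "
                        f"default_eap_type = {default_type} needs it")
        return problems
    for key in REQUIRED_TLS_KEYS:
        if not tls.get(key):
            problems.append(f"tls: '{key}' is not set; the RADIUS server needs its "
                            "own certificate and private key in PEM format")
    if default_type == "peap" and "peap" not in eap:
        problems.append("default_eap_type = peap but there is no 'peap' sub-section")
    return problems


# Constructed sample 1: the shape of the posted eap.conf, tls still commented out.
BROKEN_CONF = """
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    # tls {
    #     private_key_file = /etc/raddb/certs/server.pem
    #     certificate_file = /etc/raddb/certs/server.pem
    # }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
"""

# Constructed sample 2: tls enabled and pointed at the server's PEM files (placeholder paths).
FIXED_CONF = """
eap {
    default_eap_type = peap
    tls {
        private_key_file = /etc/raddb/certs/server.pem
        certificate_file = /etc/raddb/certs/server.pem
        CA_file = /etc/raddb/certs/ca.pem
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, "->", check_eap_conf(conf) or "OK")
```

Run it against the real file with `check_eap_conf(open("/etc/raddb/eap.conf").read())`; it only confirms that the tls section is present and points at files, it does not validate the PEM contents or the certificate chain.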
Re: Wireless authentication via LDAP and PEAP
[EMAIL PROTECTED] 9/8/2004 12:51:33 PM
> I've been trying to set up FreeRadius in order to authenticate my wireless users against my Novell eDirectory via the built-in LDAP server.

Unless you've implemented the 'simple password' feature in eDirectory or added a custom password attribute to the directory, you'll need to use EAP-TTLS/PAP rather than PEAP and set up freeradius to authenticate via an LDAP bind. The reason is that for PEAP to work, the LDAP server needs access to the clear text or NT-hashed password, which is not the case with native eDirectory passwords.

EAP-TTLS support is not built into Windows, so unless your NIC driver supports it directly, you'll need a 3rd party supplicant.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Wireless authentication via LDAP and PEAP
Jon Stahler [EMAIL PROTECTED] wrote:
> Ok...So explain to me how I get my Access Point to authenticate against my eDirectory users.

It's nit-picking in terminology: LDAP is a database, RADIUS is an authentication protocol. eDirectory stores the user information, FreeRADIUS uses that information to authenticate users. If you use the wrong terminology, then the solutions you try will be wrong.

> Input clear-text passwords into LDAP how exactly? The passwords come from eDirectory.

Exactly. eDirectory stores passwords, and FreeRADIUS retrieves them. Look in your eDirectory schema to see where passwords are stored. If there are no passwords, you'll have to add them to the database.

Alan DeKok.