Re: EAP-TTLS + LDAP + PAP with encrypted password

2006-08-07 Thread wekz
Thanks Alan. I wanted to test your solution before replying. I've been trying it all day but couldn't get it to work. Something very strange is happening. I've added, as you suggested, Auth-Type=PAP. I do that with a users-file at the end of the authorization module and I set password_header={sha} in my ldaps modules (I hope I won't be wrong).

The problem is:

  rlm_pap: Attribute Password is required for authentication.

I don't know why the client is not sending the password. I've been watching packets with ethereal and can't see the password although I can see the username. I'm using Win XP + SecureW2.

Did something similar ever happen to you?

2006/8/4, Alan DeKok [EMAIL PROTECTED]:
 wekz [EMAIL PROTECTED] wrote:
  The user is authorized and the password is got from the
  ldap (rlm_ldap: Adding userPassword as User-Password, value
  {sha}rur+4yJuecpmc8vxS/8wAyAMNHM=  op=21)

   In 1.1.x, you have to configure the ldap module to know about the
 {sha} password header.  See the ldap section of modules.

  And after matching the group Local in my users-file:
  auth: type Local
  auth: user supplied User-Password does NOT match local User-Password
  auth: Failed to validate the user.

   Unfortunately, this is one of the few cases where you probably have
 to set Auth-Type = PAP.  Note that this is ONLY a 1.1.x limitation.
 The CVS head, and therefore 2.0 has that fixed.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TTLS + LDAP + PAP with encrypted password

2006-08-07 Thread Alan DeKok
wekz [EMAIL PROTECTED] wrote:
 I've added, as you suggested, Auth-Type=PAP. I do that with a users-file at
 the end of authorization module and I set password_header={sha} in my ldaps
 modules ( I hope I won't be wrong ).

  That can work, IF the LDAP module returns the sha1 password to
the server.

 
 rlm_pap: Attribute Password is required for
 authentication.

  The LDAP module isn't returning the sha1 password to the server.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


EAP-TTLS + LDAP + PAP with encrypted password

2006-08-04 Thread wekz
Hi all, I've been trying to get over this configuration but without any success. I'm using freeradius-1.1.1. First I had this working with eap-tls and peap for authentication and ldap for authorization, and it was working quite well. As I have to integrate this configuration with an ldap that has encrypted passwords, I decided to change authtype to pap over eap-ttls after reading Protocol and Password Compatibility on Alan's site.

The authorization part of ldap does the following: a user will be authorized to use remote access if he is in the ldap and, depending on the access policy defined, if he belongs to a white or blacklist. After being authorized within the authorize section the user finds these lines:

  users_branch
  eap

user-branch is the users file I use that has entries of the form (and nothing else):

  DEFAULT ldap11-Ldap-Group == Local
      Tunnel-Type=VLAN, Tunnel-Medium-Type=6, Tunnel-Private-Group-Id=Local, Fall-Through = No

This, as I said, was working right.

Now the only things I've added to radiusd.conf are:

  modules {
    ( I've commented out any other type like chap, mschap, peap, leap... only the ones listed here are set )
    ldap-modules-stuff
    pap {
      encryption_scheme = sha1
    }
    eap {
      default_eap_type = ttls
      ...
      gtc {
        auth_type = PAP   # I've tested without configuring gtc too, and setting default_eap_type in ttls to md5 and commenting it out
      }
      tls {
        my old configuration that works
      }
      ttls {
        default_eap_type = gtc
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
      }
    }
  }

  authorize {
    ...
    ldap stuff
    user_branch
    eap
  }

  authenticate {
    Auth-Type PAP {
      pap
    }
    eap
  }

Then in the logs I can see this (I don't paste them because they are nearly endless): the user is authorized and the password is got from the ldap:

  rlm_ldap: Adding userPassword as User-Password, value {sha}rur+4yJuecpmc8vxS/8wAyAMNHM=  op=21
  ...
  rad_check_password: Found Auth-Type EAP
  auth: type EAP
  ...

The eap-ttls tunnel is ok... And after matching the group Local in my users-file:

  auth: type Local
  auth: user supplied User-Password does NOT match local User-Password
  auth: Failed to validate the user.
  Access-reject

When I try this with clear-text passwords it works quite well, but I don't know if it is working the way I want or not (with pap), because neither with encrypted nor with clear-text passwords can I see in the logs a reference to rlm_pap or gtc...

I imagine I'm doing something wrong but can't figure out what it is. I've googled on the internet and in the mailing list but I don't make any progress with what I've found. So any comments are welcome.
Thanks 

Re: EAP-TTLS + LDAP + PAP with encrypted password

2006-08-04 Thread Alan DeKok
wekz [EMAIL PROTECTED] wrote:
  The user is authorized and the password is got from the
 ldap (rlm_ldap: Adding userPassword as User-Password, value
 {sha}rur+4yJuecpmc8vxS/8wAyAMNHM=  op=21)

  In 1.1.x, you have to configure the ldap module to know about the
{sha} password header.  See the ldap section of modules.

  And after matching the group Local in my users-file:
 
  auth: type Local
  auth: user supplied User-Password does NOT
 match local User-Password
  auth: Failed to validate the user.

  Unfortunately, this is one of the few cases where you probably have
to set Auth-Type = PAP.  Note that this is ONLY a 1.1.x limitation.
The CVS head, and therefore 2.0 has that fixed.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog