Re: Freeradius, EAP-PEAP, LDAP and users file...
Greetings! Alan DeKok, on that day, wrote:

> Start with the default configuration and make small changes. Test them.
> You WILL get it working very quickly.

Exactly what I've done. I've written a little doc (sorry, in Italian) on how to set up all the stuff, and it counts 5-6 modifications.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.sv.lnf.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)sv.lnf.it tel +39-0434-842711 fax +39-0434-842797

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius, EAP-PEAP, LDAP and users file...
Greetings! Phil Mayers, on that day, wrote:

> You are not running the default config. You've added the ldap module, so
> even though files doesn't match, ldap does.

Perfectly clear. Reviewing all the stuff, it is indeed clear now, thanks.

--
dott. Marco Gaiarin
Freeradius, EAP-PEAP, LDAP and users file...
[I'm not subscribed to this list, so, please, put me on CC]

I've just set up a 'test installation' of freeradius on a Debian etch box (using freeradius 1.1.3, recompiled by me to support EAP-TLS).

In my environments there's always an LDAP server that serves, among other things, also a samba3 server using standard stuff (smbldap-tools, ...). Clearly my users are mostly (ahem, totally ;( ) Windows XP SP2.

Firstly I've set up all the stuff using winbind/ntlm_auth to do the MS-CHAP auth, but because I know that in LDAP the NT-Password is simply stored, and looking at the (deprecated) /etc/smbpasswd module with the aid of some googling, I've finally reached a good (for me) working point: the ldap module extracts NT-Password and gives it to the mschap module for authentication, with the bonus of group filtering, all in LDAP (I've disabled 'unix')...

The only strangeness I've found is that I was forced to insert an explicit 'deny' rule in the users file, e.g. my users are:

    DEFAULT Service-Type == Framed-User, Ldap-Group == ced
    DEFAULT Service-Type == Framed-User, Ldap-Group == diramm
    DEFAULT Service-Type == Framed-User, Ldap-Group == ricerca
    DEFAULT Service-Type == Framed-User, Ldap-Group == *, Auth-Type := Reject
            Reply-Message = Gruppo non autorizzato

If I remove the last entry, the user gets authenticated. But wasn't the users file 'no match, no party'? What am I missing?

Thanks.

--
dott. Marco Gaiarin
Re: Freeradius, EAP-PEAP, LDAP and users file...
Marco Gaiarin wrote:
> [I'm not subscribed to this list, so, please, put me on CC]
>
> I've just set up a 'test installation' of freeradius on a Debian etch box
> (using freeradius 1.1.3, recompiled by me to support EAP-TLS).

Upgrade to 1.1.7 at least

> In my environments there's always an LDAP server that serves, among other
> things, also a samba3 server using standard stuff (smbldap-tools, ...).
> Clearly my users are mostly (ahem, totally ;( ) Windows XP SP2.
>
> Firstly I've set up all the stuff using winbind/ntlm_auth to do the MS-CHAP
> auth, but because I know that in LDAP the NT-Password is simply stored, and
> looking at the (deprecated) /etc/smbpasswd module with the aid of some
> googling, I've finally reached a good (for me) working point: the ldap
> module extracts NT-Password and gives it to the mschap module for
> authentication, with the bonus of group filtering, all in LDAP (I've
> disabled 'unix')...
>
> The only strangeness I've found is that I was forced to insert an explicit
> 'deny' rule in the users file, e.g. my users are:
>
>     DEFAULT Service-Type == Framed-User, Ldap-Group == ced
>     DEFAULT Service-Type == Framed-User, Ldap-Group == diramm
>     DEFAULT Service-Type == Framed-User, Ldap-Group == ricerca
>     DEFAULT Service-Type == Framed-User, Ldap-Group == *, Auth-Type := Reject
>             Reply-Message = Gruppo non autorizzato
>
> If I remove the last entry, the user gets authenticated.

Yes

> But wasn't the users file 'no match, no party'? What am I missing?

What does no match no party mean?

In all probability, you've got something like:

    authorize {
        preprocess
        eap
        mschap
        ldap
        files
    }
    authenticate {
        Auth-Type MSCHAP {
            mschap
        }
        eap
    }

...if so, mschap (or eap, for the outer module) finds the relevant attributes, sets Auth-Type to itself, and processes the request; if the user has a password, they're authenticated. If you want to deny people you need to do that.

Since you're not subscribed to the mailing list and haven't read the documents, you have failed to see the advice repeated daily; namely, to run radiusd under debugging with radiusd -X, examine the output and if you can't figure out what it's saying, post that output here.
Re: Freeradius, EAP-PEAP, LDAP and users file...
Greetings! Phil Mayers, on that day, wrote:

>> box (using freeradius 1.1.3, recompiled by me to support EAP-TLS).
> Upgrade to 1.1.7 at least

...as a Debian user, I prefer to stay on 'Debian stable' and use the official package, even if repackaged...

>> But wasn't the users file 'no match, no party'? What am I missing?
> What does no match no party mean?

In the users file, the last line says:

    # On no match, the user is denied access.

(so no match implies deny, which implies no WLAN-party ;).

> In all probability, you've got something like:

Precisely:

    authorize {
        preprocess
        chap
        mschap
        ntdomain
        eap
        files
        ldap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        Auth-Type LDAP {
            ldap
        }
        eap
    }

(indeed probably a bit more than needed...)

> ...if so, mschap (or eap, for the outer module) finds the relevant
> attributes, sets Auth-Type to itself, and processes the request; if the
> user has a password, they're authenticated. If you want to deny people you
> need to do that.

Probably I'm missing something... I've tried to type a wrong password and it works (e.g., radius refuses to auth me). It's not clear to me what you mean with 'if the user has a password, they're authenticated' and especially with 'you need to do that': 'that' what? Explicitly negate access? More deeply, it's not clear to me whether this is a configuration error on my part, or whether with this setup things NEED to be done in this way.

> Since you're not subscribed to the mailing list and haven't read the

The list refuses posts from non-subscribed users, so now I'm subscribed. I've read tons of docs, especially the FAQ (with no clue at all), especially the freeradius.org site, where some docs say one thing and other docs say the converse (or at least that's how it seems to me; clearly I'm ignorant and stupid).

> documents, you have failed to see the advice repeated daily; namely, to
> run radiusd under debugging with radiusd -X, examine the output and if you
> can't figure out what it's saying, post that output here.

It's been two days that I've been running with 'freeradius -X' in my hand. I've solved at least half a dozen troubles myself using the FAQ and other docs on the net. Because this is not a trouble (at least for me; again, remember I'm ignorant and stupid), I thought it was not the case to start sending tons of attachments.

I've shut off my test system, and I've accumulated too many 'freeradius -X' logs to remember where the culprit was, so please wait until tomorrow for the config file and associated log.

Good night.

--
dott. Marco Gaiarin
Re: Freeradius, EAP-PEAP, LDAP and users file...
Marco Gaiarin wrote:
> ...as a Debian user, I prefer to stay on 'Debian stable' and use the
> official package, even if repackaged...

... with all of the bugs that were found fixed in a later version.

> (so no match implies deny, which implies no WLAN-party ;).

Please don't be cute. It just makes it harder to help you.

> More deeply, it's not clear to me whether this is a configuration error on
> my part, or whether with this setup things NEED to be done in this way.

The default configuration works. There is very little you need to do in order to make PEAP and LDAP work.

> It's been two days that I've been running with 'freeradius -X' in my hand.
> I've solved at least half a dozen troubles myself using the FAQ and other
> docs on the net.

A common problem is that people change a LOT in the configuration files. Don't do that. The default configuration works.

> I've shut off my test system, and I've accumulated too many 'freeradius -X'
> logs to remember where the culprit was, so please wait until tomorrow for
> the config file and associated log.

Please don't send config files. Please don't send log files from configurations where you have made large changes. We KNOW that large changes break the server. We also know that the default configuration works.

Start with the default configuration and make small changes. Test them. You WILL get it working very quickly.

If you're spending a lot of time reading documentation, debug outputs, and fighting with the server, it means that you have made too many changes to the default configuration.

Alan DeKok.
Re: Freeradius, EAP-PEAP, LDAP and users file...
> In the users file, the last line says:
>
>     # On no match, the user is denied access.

In the default config, that's correct, since the default config says:

    authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        files
        pap
    }

i.e. files is the only data source and no match means no password.

You are not running the default config. You've added the ldap module, so even though files doesn't match, ldap does.
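The point Phil makes here, and the puzzle in Marco's original post, can be seen in a small simulation of the authorize section. This is an added example, not code from the thread or from FreeRADIUS itself: it models rlm_files as "first matching entry wins, no Fall-Through", resolves Ldap-Group from a constructed in-memory directory (standing in for rlm_ldap's compare callback), and replaces mschap with a plain comparison of the stored NT-Password against the hash the client proved. The users file, the directory contents, user names and hashes are all constructed for the example.

```python
import re

# Constructed inputs: a users file shaped like the one posted in the thread,
# and a tiny LDAP directory keyed by user name (hashes are placeholders).
USERS_FILE = """\
DEFAULT Service-Type == Framed-User, Ldap-Group == ced
DEFAULT Service-Type == Framed-User, Ldap-Group == diramm
DEFAULT Service-Type == Framed-User, Ldap-Group == ricerca
DEFAULT Service-Type == Framed-User, Ldap-Group == *, Auth-Type := Reject
\tReply-Message = "Gruppo non autorizzato"
"""
# The same file without the explicit deny entry, as in the poster's experiment.
USERS_FILE_NO_DENY = "\n".join(USERS_FILE.splitlines()[:3]) + "\n"

LDAP_DIRECTORY = {
    "alice": {"NT-Password": "HASH-ALICE", "groups": {"ced"}},
    "bob":   {"NT-Password": "HASH-BOB",   "groups": {"contabilita"}},
}

# The two authorize sections quoted in the thread; modules this model does not
# simulate (preprocess, chap, eap, ...) are simply skipped.
DEFAULT_AUTHORIZE = ["preprocess", "chap", "mschap", "suffix", "eap", "files", "pap"]
LDAP_AUTHORIZE = ["preprocess", "chap", "mschap", "ntdomain", "eap", "files", "ldap"]

ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|\S+)')

def parse_items(text):
    """'A == x, B := y' -> [(attr, op, value), ...]."""
    items = []
    for chunk in text.split(","):
        chunk = chunk.strip()
        if chunk:
            m = ITEM_RE.fullmatch(chunk)
            if m is None:
                raise ValueError(f"bad users-file item: {chunk!r}")
            items.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return items

def parse_users(text):
    """Users-file entries: a name line carrying check items, followed by
    indented lines carrying reply items. Comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            entries[-1]["reply"].extend(parse_items(line))
        else:
            name, _, rest = line.partition(" ")
            entries.append({"name": name, "check": parse_items(rest), "reply": []})
    return entries

def files_module(entries, request, ldap_groups):
    """Model of rlm_files: the first entry whose check items all match wins.
    '==' items are compared; ':=' items on the check line become control
    items of the matching entry; '*' is treated as a wildcard."""
    for e in entries:
        if e["name"] not in ("DEFAULT", request["User-Name"]):
            continue
        control, matched = {}, True
        for attr, op, value in e["check"]:
            if op == ":=":
                control[attr] = value
            elif attr == "Ldap-Group":
                matched &= value == "*" or value in ldap_groups
            else:
                matched &= request.get(attr) == value
        if matched:
            return "ok", control, {a: v for a, _, v in e["reply"]}
    return "noop", {}, {}

def ldap_module(request):
    """Model of rlm_ldap in authorize: a found user contributes NT-Password."""
    user = LDAP_DIRECTORY.get(request["User-Name"])
    return ("ok", {"NT-Password": user["NT-Password"]}) if user else ("notfound", {})

def authorize(request, section, users_text):
    """Run the authorize section and decide as the thread describes: Auth-Type
    Reject denies; otherwise a stored password lets mschap check the client's
    proof; no stored password from any module means deny ("no match, no party")."""
    entries = parse_users(users_text)
    # Ldap-Group is evaluated by the ldap module's compare callback, so it can
    # only match when the ldap module is configured at all.
    groups = set()
    if "ldap" in section:
        groups = LDAP_DIRECTORY.get(request["User-Name"], {}).get("groups", set())
    control, reply = {}, {}
    for module in section:
        if module == "files":
            _, ctl, rpl = files_module(entries, request, groups)
            reply.update(rpl)
        elif module == "ldap":
            _, ctl = ldap_module(request)
        else:
            continue
        control.update(ctl)
    if control.get("Auth-Type") == "Reject":
        return "reject", reply
    if "NT-Password" not in control:
        return "reject", {"Reply-Message": "no module supplied a password"}
    # mschap stand-in: compare the hash the client proved against the stored one.
    ok = request["proved_hash"] == control["NT-Password"]
    return ("accept" if ok else "reject"), reply

def outcome(user, section, users_text):
    """Outcome for a user who knows their own password, under a given config."""
    request = {"User-Name": user, "Service-Type": "Framed-User",
               "proved_hash": LDAP_DIRECTORY[user]["NT-Password"]}
    return authorize(request, section, users_text)[0]

if __name__ == "__main__":
    print("files only, bob, no deny entry: ", outcome("bob", DEFAULT_AUTHORIZE, USERS_FILE_NO_DENY))
    print("files+ldap, bob, no deny entry: ", outcome("bob", LDAP_AUTHORIZE, USERS_FILE_NO_DENY))
    print("files+ldap, bob, with deny entry:", outcome("bob", LDAP_AUTHORIZE, USERS_FILE))
    print("files+ldap, alice, with deny:    ", outcome("alice", LDAP_AUTHORIZE, USERS_FILE))
```

With files as the only data source, bob (not in any listed group) is rejected because nothing supplies a password. Once ldap is in the authorize section, ldap still finds bob and hands over his NT-Password, so he is accepted unless the users file explicitly sets Auth-Type := Reject for him; that is why the catch-all DEFAULT entry is needed in Marco's setup.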
Re: Freeradius, EAP-PEAP, LDAP and users file...
> In the users file, the last line says:
>
>     # On no match, the user is denied access.
>
> (so no match implies deny, which implies no WLAN-party ;).

That applies if user details are stored (only) in files. Not if they are in ldap, sql ...

Ivan Kalik
Kalik Informatika ISP