Re: Freeradius, EAP-PEAP, LDAP and users file...

2008-04-03 Thread Marco Gaiarin
Hello, Alan DeKok!
On that day it was said...

> Start with the default configuration and make small changes.  Test
> them.  You WILL get it working very quickly.

Exactly what I've done. I've written a little doc (sorry, in Italian) on
how to set up all the stuff, and it counts 5-6 modifications.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''  http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius, EAP-PEAP, LDAP and users file...

2008-04-03 Thread Marco Gaiarin
Hello, Phil Mayers!
On that day it was said...

> You are not running the default config. You've added the ldap module, so 
> even though files doesn't match, ldap does.

Perfectly clear. Reviewing all the stuff, it is indeed clear now, thanks.



Freeradius, EAP-PEAP, LDAP and users file...

2008-04-02 Thread Marco Gaiarin

[I'm not subscribed to this list, so, please, put me on CC]

I've just set up a 'test installation' of freeradius on a Debian etch
box (using freeradius 1.1.3 recompiled by me to support EAP-TLS).

In my environment there's always an LDAP server that serves, among other
things, also a samba3 server using standard stuff (smbldap-tools, ...).
Clearly my users are mostly (ahem, totally ;( ) Windows XP SP2.


Firstly I've set up all the stuff using winbind/ntlm_auth to do the
MS-CHAP auth, but because I know that in LDAP the NT-Password is
simply stored, and looking at the (deprecated) /etc/smbpasswd module
with the aid of some googling, I've finally reached a good (for me)
working point: the ldap module extracts the NT-Password and gives it to the
mschap module for authentication, with the bonus of group filtering, all in
LDAP (I've disabled 'unix')...

The strange thing, the only strangeness I've found, is that I was forced to
insert an explicit 'deny' rule in the users file, e.g. my users are:

 DEFAULT Service-Type == Framed-User, Ldap-Group == ced
 DEFAULT Service-Type == Framed-User, Ldap-Group == diramm
 DEFAULT Service-Type == Framed-User, Ldap-Group == ricerca
 DEFAULT Service-Type == Framed-User, Ldap-Group == *, Auth-Type := Reject
         Reply-Message = "Gruppo non autorizzato"

if I remove the last entry, the user gets authenticated.


But the users file was 'no match, no party'? What am I missing?

Thanks.



Re: Freeradius, EAP-PEAP, LDAP and users file...

2008-04-02 Thread Phil Mayers

Marco Gaiarin wrote:
> [I'm not subscribed to this list, so, please, put me on CC]
>
> I've just set up a 'test installation' of freeradius on a Debian etch
> box (using freeradius 1.1.3 recompiled by me to support EAP-TLS).

Upgrade to 1.1.7 at least

> In my environment there's always an LDAP server that serves, among other
> things, also a samba3 server using standard stuff (smbldap-tools, ...).
> Clearly my users are mostly (ahem, totally ;( ) Windows XP SP2.
>
> Firstly I've set up all the stuff using winbind/ntlm_auth to do the
> MS-CHAP auth, but because I know that in LDAP the NT-Password is
> simply stored, and looking at the (deprecated) /etc/smbpasswd module
> with the aid of some googling, I've finally reached a good (for me)
> working point: the ldap module extracts the NT-Password and gives it to the
> mschap module for authentication, with the bonus of group filtering, all in
> LDAP (I've disabled 'unix')...
>
> The strange thing, the only strangeness I've found, is that I was forced to
> insert an explicit 'deny' rule in the users file, e.g. my users are:
>
>  DEFAULT Service-Type == Framed-User, Ldap-Group == ced
>  DEFAULT Service-Type == Framed-User, Ldap-Group == diramm
>  DEFAULT Service-Type == Framed-User, Ldap-Group == ricerca
>  DEFAULT Service-Type == Framed-User, Ldap-Group == *, Auth-Type := Reject
>          Reply-Message = "Gruppo non autorizzato"
>
> if I remove the last entry, the user gets authenticated.

Yes

> But the users file was 'no match, no party'? What am I missing?

What does no match no party mean?

In all probability, you've got something like:

authorize {
        preprocess
        eap
        mschap
        ldap
        files
}
authenticate {
        Auth-Type MSCHAP {
                mschap
        }
        eap
}

...if so, mschap (or eap, for the outer module) finds the relevant 
attributes, sets Auth-Type to itself, and processes the request; if the 
user has a password, they're authenticated. If you want to deny people 
you need to do that.


Since you're not subscribed to the mailing list and haven't read the 
documents, you have failed to see the advice repeated daily; namely, to 
run radiusd under debugging with radiusd -X, examine the output and if 
you can't figure out what it's saying, post that output here.



Re: Freeradius, EAP-PEAP, LDAP and users file...

2008-04-02 Thread Marco Gaiarin
Hello, Phil Mayers!
On that day it was said...

>> box (using freeradius 1.1.3 recompiled by me to support EAP-TLS).
> Upgrade to 1.1.7 at least

...as a Debian user, I prefer to stay on 'debian stable' and use the
official package, even if repackaged...


>> But the users file was 'no match, no party'? What am I missing?
> What does no match no party mean?

In the users file, the last line says:

# On no match, the user is denied access.

(so no match implies deny, which implies no WLAN-party ;).


> In all probability, you've got something like:

Precisely:

authorize {
        preprocess
        chap
        mschap
        ntdomain
        eap
        files
        ldap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type LDAP {
                ldap
        }
        eap
}

(indeed probably a bit more than needed...)


> ...if so, mschap (or eap, for the outer module) finds the relevant 
> attributes, sets Auth-Type to itself, and processes the request; if the 
> user has a password, they're authenticated. If you want to deny people you 
> need to do that.

Probably I'm missing something... I've tried to type a wrong password
and it works (e.g., radius refuses to auth me); I'm not clear what you mean
by 'if the user has a password, they're authenticated' and especially
by 'you need to do that': 'that' what? Explicitly deny access?

More deeply, I'm not clear whether this is a configuration error by me, or
whether with this setup things NEED to be done this way.


> Since you're not subscribed to the mailing list and haven't read the 

The list refuses posts from non-subscribed users, so now I'm subscribed.
I've read tons of docs, especially the FAQ (with no clue at all),
especially the freeradius.org site where some docs say something and
other docs say the converse (or at least so it seems to me; clearly
I'm ignorant and stupid).


> documents, you have failed to see the advice repeated daily; namely, to run 
> radiusd under debugging with radiusd -X, examine the output and if you 
> can't figure out what it's saying, post that output here.

It's been two days that I've been running with 'freeradius -X' in my hand.
I've solved at least half a dozen troubles myself using the FAQ and other
docs on the net.


Because this is not a trouble (at least for me; again, remember I'm
ignorant and stupid), I thought it was not the case to start sending
tons of attachments.


I've shut off my test system, and I've accumulated too many 'freeradius
-X' logs to remember where the culprit was, so please wait until tomorrow
for the config file and associated log.


Good night.



Re: Freeradius, EAP-PEAP, LDAP and users file...

2008-04-02 Thread Alan DeKok
Marco Gaiarin wrote:
> ...as a Debian user, I prefer to stay on 'debian stable' and use the
> official package, even if repackaged...

  ... with all of the bugs that were found & fixed in a later version.

> (so no match implies deny, which implies no WLAN-party ;).

  Please don't be cute.  It just makes it harder to help you.

> More deeply, I'm not clear whether this is a configuration error by me, or
> whether with this setup things NEED to be done this way.

  The default configuration works.  There is very little you need to do
in order to make PEAP and LDAP work.

> It's been two days that I've been running with 'freeradius -X' in my hand.
> I've solved at least half a dozen troubles myself using the FAQ and other
> docs on the net.

  A common problem is that people change a LOT in the configuration
files.  Don't do that.  The default configuration works.

> I've shut off my test system, and I've accumulated too many 'freeradius
> -X' logs to remember where the culprit was, so please wait until tomorrow
> for the config file and associated log.

  Please don't send config files.  Please don't send log files from
configurations where you have made large changes.  We KNOW that large
changes break the server.  We also know that the default configuration
works.

  Start with the default configuration and make small changes.  Test
them.  You WILL get it working very quickly.

  If you're spending a lot of time reading documentation, debug outputs,
and fighting with the server, it means that you have made too many
changes to the default configuration.

  Alan DeKok.


Re: Freeradius, EAP-PEAP, LDAP and users file...

2008-04-02 Thread Phil Mayers


> In the users file, the last line says:
>
> # On no match, the user is denied access.

In the default config, that's correct, since the default config says:

authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        files
        pap
}

i.e. files is the only data source and no match means no password.

You are not running the default config. You've added the ldap module, 
so even though files doesn't match, ldap does.





Re: Freeradius, EAP-PEAP, LDAP and users file...

2008-04-02 Thread Ivan Kalik

> In the users file, the last line says:
>
>    # On no match, the user is denied access.
>
> (so no match implies deny, which implies no WLAN-party ;).



That applies if user details are stored (only) in files. Not if they are
in ldap, sql ...

Ivan Kalik
Kalik Informatika ISP

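The point Phil and Ivan make above (files is only one data source; once ldap supplies the password, a users entry that does not match no longer means a reject, so the denial has to be explicit) is easiest to see in a small model. The Python below is an added example written for this thread, not FreeRADIUS code: it parses the poster's users entries and walks a heavily simplified authorize/authenticate pipeline. Everything outside the users-file syntax is an assumption of the model: the LDAP_USERS dictionary stands in for the directory, fake_nt_hash stands in for the real NT hash (MD4 over UTF-16LE), `Ldap-Group == *` is treated as "member of any group", Fall-Through is left at its default of no, and the user names, groups and passwords are constructed.

```python
"""Simplified model of the FreeRADIUS 1.x authorize/authenticate flow
discussed in this thread (added example, not FreeRADIUS code)."""
import hashlib
import re
from dataclasses import dataclass, field


def fake_nt_hash(password):
    """Stand-in for the NT hash (the real one is MD4 over UTF-16LE); constructed."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


# Constructed directory standing in for the LDAP server: groups + NT-Password.
LDAP_USERS = {
    "alice": {"groups": {"ced"}, "nt_password": fake_nt_hash("alice-pw")},
    "bob": {"groups": {"guests"}, "nt_password": fake_nt_hash("bob-pw")},
}

# The poster's users entries (value quoted, as the users-file syntax requires).
USERS_FILE = """\
DEFAULT Service-Type == Framed-User, Ldap-Group == ced
DEFAULT Service-Type == Framed-User, Ldap-Group == diramm
DEFAULT Service-Type == Framed-User, Ldap-Group == ricerca
DEFAULT Service-Type == Framed-User, Ldap-Group == *, Auth-Type := Reject
\tReply-Message = "Gruppo non autorizzato"
"""


@dataclass
class Entry:
    name: str
    checks: list = field(default_factory=list)   # (attr, op, value) on the first line
    replies: list = field(default_factory=list)  # (attr, value) on indented lines


def parse_users(text):
    """First line = name + comma-separated check/config items; indented lines = reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                      # continuation line: reply item
            attr, _, val = line.strip().partition("=")
            entries[-1].replies.append((attr.strip(), val.strip().strip('"')))
            continue
        name, rest = line.split(None, 1)
        entry = Entry(name)
        for item in rest.split(","):
            m = re.match(r"\s*([\w-]+)\s*(==|:=)\s*(\S+)", item)
            if m:
                entry.checks.append(m.groups())
        entries.append(entry)
    return entries


def files_match(entry, username, request):
    """True if the name and every '==' item match; ':=' items are applied on match."""
    if entry.name not in ("DEFAULT", username):
        return False
    for attr, op, value in entry.checks:
        if op != "==":
            continue
        if attr == "Ldap-Group":                  # stand-in for the ldap module's group check
            groups = LDAP_USERS.get(username, {}).get("groups", set())
            if value != "*" and value not in groups:   # '*' modelled as "any group" (assumption)
                return False
        elif request.get(attr) != value:
            return False
    return True


def run_request(username, password, request, authorize_modules, users):
    """Walk the authorize section in module order, then authenticate."""
    control, reply = {}, {}
    for mod in authorize_modules:
        if mod == "mschap" and "MS-CHAP-Response" in request:
            control.setdefault("Auth-Type", "MS-CHAP")   # rlm_mschap claims MS-CHAP requests
        elif mod == "files":
            for entry in users:                         # first match wins (no Fall-Through)
                if files_match(entry, username, request):
                    control.update({a: v for a, op, v in entry.checks if op == ":="})
                    reply.update(entry.replies)
                    break
        elif mod == "ldap" and username in LDAP_USERS:
            control["NT-Password"] = LDAP_USERS[username]["nt_password"]
    auth_type = control.get("Auth-Type")
    if auth_type == "Reject":
        return "Access-Reject", reply
    if auth_type == "MS-CHAP" and "NT-Password" in control:
        ok = control["NT-Password"] == fake_nt_hash(password)
        return ("Access-Accept" if ok else "Access-Reject"), reply
    return "Access-Reject", reply                       # no usable Auth-Type or no known password


USERS = parse_users(USERS_FILE)
POSTER_AUTHORIZE = ["mschap", "files", "ldap"]   # the poster's order, trimmed to the modules modelled
DEFAULT_AUTHORIZE = ["mschap", "files"]          # default config: files is the only data source
REQUEST = {"Service-Type": "Framed-User", "MS-CHAP-Response": "<constructed>"}

if __name__ == "__main__":
    for who, pw, order, entries in [("alice", "alice-pw", POSTER_AUTHORIZE, USERS),
                                    ("bob", "bob-pw", POSTER_AUTHORIZE, USERS),
                                    ("bob", "bob-pw", POSTER_AUTHORIZE, USERS[:3]),
                                    ("bob", "bob-pw", DEFAULT_AUTHORIZE, USERS[:3])]:
        print(who, order, len(entries), "entries ->", run_request(who, pw, REQUEST, order, entries))
```

Running it reproduces the poster's observation: with mschap, files, ldap in authorize and only the three group entries, bob (who is in no allowed group) is accepted, because ldap still hands his NT-Password to mschap; with the default order and no ldap, the same request is rejected because nothing supplied a password. The catch-all `Auth-Type := Reject` entry is what turns the group list into a real allow-list once ldap is in the picture.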