Re: Freeradius + OpenLDAP - user password problem

2006-09-25 Thread Tilen
Yeah, i think radius doesn't even boot if there is something wrong with certs. I checked firewalls, routing tables, etc. and no problem there. 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + OpenLDAP - user password problem

2006-09-25 Thread Tilen
Oh my god, now i opened up brand new Linksys router, installed dd-wrt on it and plugged it into my first freeradius server, that worked already. And now it doesn't get past the Access-Challenge! Please help me, what could be wrong? I used tcpdump to make sure, AP is sending nothing but access-request and radius sends back only access-challenge packets! It all worked before on the SAME setup! Nothing changed. :S If anyone has ANY idea please don't hesitate to post it.


Re: Freeradius + OpenLDAP - user password problem

2006-09-25 Thread Tilen
SOLVED! Problem is, Linksys v5.1 can use only DD-WRT 23 sp1 MICRO - micro version is causing problems! I used Linksys v7 (thank god i have plenty of those with different versions at disposal :P) with original FW and it works!


Re: Freeradius + OpenLDAP - user password problem

2006-09-22 Thread Tilen
Hello, it's me again, did you miss me? :) Thing is, i tried to make 2nd freeradius server (eap-peap,mschapv2,openldap), with same setup and i configured it exact same way, but i get this when i try to connect:

rad_recv: Access-Request packet from host 192.168.1.1:3079, id=0, length=121
 User-Name = test
 NAS-IP-Address = 192.168.1.1
 Called-Station-Id = 00401013
 Calling-Station-Id = 000e3557c74e
 NAS-Identifier = 00401013
 NAS-Port = 30
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 EAP-Message = 0x02090174657374
 Message-Authenticator = 0x39a9a7986f599b0dc47291d0bbcce631
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = test, looking up realm NULL
 rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: EAP packet type response id 0 length 9
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat: '(uid=test)'
radius_xlat: 'ou=People,dc=kapion,dc=si'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test)
rlm_ldap: Added password tset1 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns updated for request 0
 rad_check_password: Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
 rlm_eap: EAP Identity
 rlm_eap: processing type tls
 rlm_eap_tls: Initiate
 rlm_eap_tls: Start returned 1
 modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 0 to 192.168.1.1:3079
 EAP-Message = 0x010100061920
 Message-Authenticator = 0x
 State = 0x9ef689c7fbaeabf2695de1a430324a73
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.1:3079, id=0, length=121
 User-Name = test
 NAS-IP-Address = 192.168.1.1
 Called-Station-Id = 00401013
 Calling-Station-Id = 000e3557c74e
 NAS-Identifier = 00401013
 NAS-Port = 30
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 EAP-Message = 0x02090174657374
 Message-Authenticator = 0x2ec95d116f20e8634b835c646acc514c
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 modcall[authorize]: module mschap returns noop for request 1
 rlm_realm: No '@' in User-Name = test, looking up realm NULL
 rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 1
 rlm_eap: EAP packet type response id 0 length 9
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat: '(uid=test)'
radius_xlat: 'ou=People,dc=kapion,dc=si'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test)
rlm_ldap: Added password tset1 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 1
modcall: group authorize returns updated for request 1
 rad_check_password: Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
 rlm_eap: EAP Identity
 rlm_eap: processing type tls
 rlm_eap_tls: Initiate
 rlm_eap_tls: Start returned 1
 modcall[authenticate]: module eap returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 0 to 192.168.1.1:3079
 EAP-Message = 0x010100061920
 Message-Authenticator = 0x
 State = 0x7272c2a0a6297ac9ea330896b6ff418f
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet 

Re: Freeradius + OpenLDAP - user password problem

2006-09-22 Thread K. Hoercher

Hi,

On 9/22/06, Tilen [EMAIL PROTECTED] wrote:


Hello, it's me again, did you miss me? :)
Thing is, i tried to make 2nd freeradius server
(eap-peap,mschapv2,openldap), with same setup and i configured it exact same
way, but i get this when i try to connect:


Welcome back to our regular program *g*,

Well, while your supplicant keeps sending EAP Type Identity requests,
radius keeps answering them with EAP (Type PEAP) START messages. Why
they don't get answered properly (TLS ClientHello inside EAP) by your
supplicant is not really a freeradius problem. You might check (again)
the usual suspects: oid's in certs on supplicant, reception of
Access-Request there, time, MS foo (they sound familiar somehow *g*)

regards
K. Hoercher


Re: Freeradius + OpenLDAP - user password problem

2006-09-22 Thread K. Hoercher

On 9/22/06, K. Hoercher [EMAIL PROTECTED] wrote:

the usual suspects: oid's in certs on supplicant, reception of


ah, for peap, of course you only need a proper root ca cert there.
Anyways it doesn't look like that gets even relevant.

regards
K .Hoercher


Re: Freeradius + OpenLDAP - user password problem

2006-08-31 Thread Tilen
Wohoo it works now :D Clear text password in LDAP worked like a charm now (dunno why i had problems with it in the past) :P Thank you all guys 10x!!! 

Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Tilen
Ok i really don't get it. I made all certificates myself using only
openssl (no scripts) and entered path to them in TLS part of the
eap.conf file. CA, server cert.., everything is there in the same
directory (in my case - CERTS, with big letters) (how would i sign
certificate if i wouldn't create CA first?). And i don't have CA.all
file at all :\ Files i'm using:

cacert.pem -- this is my CA
cakey.pem
newcert.pem -- and this is my server cert
newcert.req



Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread K. Hoercher

On 8/30/06, Tilen [EMAIL PROTECTED] wrote:

Ok i really don't get it. I made all certificates myself using only openssl
(no scripts) and entered path to them in TLS part of the eap.conf file.
CA, server cert.., everything is there in the same directory (in my case -
CERTS, with big letters) (how would i sign certificate if i wouldn't create
CA first?). And i don't have CA.all file at all :\ Files i'm using:

 cacert.pem-- this is my CA
 cakey.pem
 newcert.pem   -- and this is my server cert
 newcert.req


Your supplicant is sending a TLS Alert Message, because _it_ cannot
find a CA certificate. What you are talking about is the freeradius
side of things which looks alright at first glance.
And if you don't get it to work, please first check with demo
certificates to be generated by the CA.all script.

hth
K. Hoercher


Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Tilen
Yes yes, i understand, this works now :) I copied CA public key to wireless client and now it works. Now i only get this error:

rlm_mschap: No User-Password configured. Cannot create LM-Password.
 rlm_mschap: No User-Password configured. Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
 modcall[authenticate]: module mschap returns reject for request 5
modcall: group Auth-Type returns reject for request 5
 rlm_eap: Freeing handler
 modcall[authenticate]: module eap returns reject for request 5
modcall: group authenticate returns reject for request 5
auth: Failed to validate the user.
 PEAP: Tunneled authentication was rejected.
 rlm_eap_peap: FAILURE

Hm, now i have to make LDAP passwords in NT hash and it will work
(still gotta figure out how)? Or should i make changes in ldap.attrmap
file too?


Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Alan DeKok
Tilen [EMAIL PROTECTED] wrote:
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
...
 Hm, now i have to make LDAP passwords in NT hash and it will work (still
 gotta figure out how)? Or should i make changes in ldap.attrmap file too?

  No.  If you have the clear-text password in the ldap userPassword
attribute, it should just work.


  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Seferovic Edvin

Set up the ldap module right for your server and map your NAS attributes
to the LDAP attributes! Shouldn't be hard to set up!

Regards,

Edvin Seferovic

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tilen
Sent: Wednesday, 30 August 2006 16:58
To: FreeRadius users mailing list
Subject: Re: Freeradius + OpenLDAP - user password problem

So, what i want to achieve is, to authorize against OpenLDAP the
easiest way. I don't care if i use cleartext passwords or NT hashes. What would
be the fastest way to make things work? I'm running out of time for this.


Re: Freeradius + OpenLDAP - user password problem

2006-08-30 Thread Alan DeKok
Tilen [EMAIL PROTECTED] wrote:
 rlm_ldap: Added password {crypt}$1$9wlsOcEJ$QA/FskGvrnnmsj1SWi1kY/ in check
 items
...
   rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

  http://deployingradius.com/documents/protocols/compatibility.html

  It is impossible to do MS-CHAP if the passwords are stored in
crypt'd format.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius + OpenLDAP - user password problem

2006-08-29 Thread Tilen
Requests prior to #4 are missing because i tried to connect multiple
times, and i didn't want to paste same thing twice. Then everything got
corrupted, because i had to paste it by pieces in the gmail and it
really got messed up. So here is the example of full (pasted with care
:p) radius log:

[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec 
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
pap: encryption_scheme = crypt
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap) 
Module: Loaded eap 
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /etc/raddb/CERTS/newreq.pem
tls: certificate_file = /etc/raddb/CERTS/newcert.pem
tls: CA_file = /etc/raddb/CERTS/cacert.pem
tls: private_key_password = whatever
tls: dh_file = /etc/raddb/certs/dh
tls: random_file = /etc/raddb/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = md5
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix) 
Module: Loaded LDAP 
ldap: server = localhost
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = 
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = (null)
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = allow
ldap: password = 
ldap: basedn = ou=People,dc=kapion,dc=si
ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = 

Re: Freeradius + OpenLDAP - user password problem

2006-08-29 Thread K. Hoercher

On 8/29/06, Tilen [EMAIL PROTECTED] wrote:
So here comes something really weird:

 Waking up in 6 seconds...
 rad_recv: Access-Request packet from host 192.168.1.1:3072, id=0,
length=147
 User-Name = test
 NAS-IP-Address = 192.168.1.1
 Called-Station-Id = 00401013
 Calling-Station-Id = 000e3557c74e
 NAS-Identifier = 00401013
 NAS-Port = 30
 Framed-MTU = 1400
 State = 0x123b5c7e213692f7121dbe4052274024

 NAS-Port-Type = Wireless-802.11
 EAP-Message = 0x02020011198715030100020230
 Message-Authenticator =
0xd65ea4a0e55f28c1e76a6b51f9ec9467

   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 2


That's a tls1.0 Alert message, the part 1503. Therefore the
openssl lib bails out of further processing as specified in RFC2246.
That's (arguably somewhat hard to understand) also mentioned in the
output:
3447:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
3447:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:

So your client wasn't able to find a correct CA certificate for the
cert freeradius had sent before. Please see to provide those. If in
doubt, check with dummy ones to be created by CA.all script.

regards
K. Hoercher
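To make the diagnosis above reproducible, here is an added example (not code from the thread or from FreeRADIUS) that decodes the EAP-Message attribute of a PEAP response and names the TLS alert record inside it; it also handles the PEAP Start (0x010100061920) that the server sends in the 2006-09-22 log. The EAP-Message in the quoted log is a few bytes shorter than its own length field says (the paste was mangled), so the alert sample below is constructed: a well-formed EAP/PEAP frame carrying the same fatal alert, level 2, description 48 (unknown_ca).

```python
import struct

# EAP codes (RFC 3748) and the PEAP method type seen in the quoted log
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_PEAP = 25
TLS_CONTENT_ALERT = 0x15
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# TLS 1.0 AlertDescription values (RFC 2246); 48 is the one in the thread
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
}

# Constructed sample (not from the log): EAP Response, id 2, type PEAP,
# L flag set, TLS message length 7, one TLS 1.0 alert record: fatal / unknown_ca.
SAMPLE_ALERT = "0x0202001119800000000715030100020230"
# PEAP Start sent by radiusd; this value is verbatim from the quoted log.
SAMPLE_PEAP_START = "0x010100061920"


def parse_eap_message(hexstr: str) -> dict:
    """Split an EAP-Message hex string into EAP header, PEAP flags and TLS data."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} but {len(data)} bytes present")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):          # Success/Failure carry no type byte
        return msg
    msg["type"] = data[4]
    if data[4] != EAP_TYPE_PEAP:
        return msg
    flags = data[5]
    msg["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                    "S": bool(flags & 0x20), "version": flags & 0x07}
    pos = 6
    if flags & 0x80:                # L: 4-byte total TLS message length follows
        msg["tls_message_length"] = struct.unpack("!I", data[6:10])[0]
        pos = 10
    msg["tls_data"] = data[pos:]
    return msg


def find_tls_alert(tls_data: bytes):
    """Walk the TLS records in the PEAP payload; return the first alert, or None."""
    pos = 0
    while pos + 5 <= len(tls_data):
        ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", tls_data[pos:pos + 5])
        body = tls_data[pos + 5:pos + 5 + rlen]
        if ctype == TLS_CONTENT_ALERT and len(body) >= 2:
            return {"record_version": (vmaj, vmin),       # (3, 1) is TLS 1.0
                    "level": ALERT_LEVELS.get(body[0], body[0]),
                    "code": body[1],
                    "description": ALERT_DESCRIPTIONS.get(body[1], "unknown")}
        pos += 5 + rlen
    return None


def describe(hexstr: str) -> str:
    """One-line summary of an EAP-Message, in the spirit of the radiusd -X log."""
    msg = parse_eap_message(hexstr)
    out = f"EAP {msg['code']} id={msg['id']}"
    if msg.get("type") != EAP_TYPE_PEAP:
        return out
    if msg["flags"]["S"]:
        return out + " PEAP Start"
    alert = find_tls_alert(msg["tls_data"])
    if alert:
        return out + f" PEAP: TLS {alert['level']} alert {alert['description']} ({alert['code']})"
    return out + f" PEAP: {len(msg['tls_data'])} bytes of TLS data"


if __name__ == "__main__":
    print(describe(SAMPLE_ALERT))
    print(describe(SAMPLE_PEAP_START))
```

A fatal unknown_ca from the supplicant means the client rejected the certificate radiusd sent, so the fix is on the client side (trusting the CA), exactly as the reply above says.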


Re: Freeradius + OpenLDAP - user password problem

2006-08-23 Thread Tilen
I get Access-Reject, whole debug log is here:


 rad_recv: Access-Request packet from host 192.168.1.1:3072, id=0, length=236
 User-Name = test
 NAS-IP-Address = 192.168.1.1
 Called-Station-Id = 00401013
 Calling-Station-Id = 000e3557c74e
 NAS-Identifier = 00401013
 NAS-Port = 30
 Framed-MTU = 1400
 State = 0xfbfc085c4b8a5b1973ea7d92703b0061
 NAS-Port-Type = Wireless-802.11
 EAP-Message =
0x0201006a19800060160301005b0157030144ec0618e33d04cad22340edcd83b5b8a5aa6be4a035146cfe433178e4e054a13000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100
 Message-Authenticator = 0x11f7f2a8e75c95f1e0e284a7dfd86163
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
 modcall[authorize]: module preprocess returns ok for request 4
 modcall[authorize]: module chap returns noop for request 4
 modcall[authorize]: module mschap returns noop for request 4
 rlm_realm: No '@' in User-Name = test, looking up realm NULL
 rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 4
 rlm_eap: EAP packet type response id 1 length 106
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat: '(uid=test)'
radius_xlat: 'ou=People,dc=kapion,dc=si'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 4
modcall: group authorize returns updated for request 4
 rad_check_password: Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
 eaptls_verify returned 11 
 (other): before/accept initialization 
 TLS_accept: before/accept initialization 
 rlm_eap_tls:  TLS 1.0 Handshake [length 005b], ClientHello 
 TLS_accept: SSLv3 read client hello A 
 rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello 
 TLS_accept: SSLv3 write server hello A 
 rlm_eap_tls:  TLS 1.0 Handshake [length 031d], Certificate 
 TLS_accept: SSLv3 write certificate A 
 rlm_eap_tls:  TLS 1.0 Handshake [length 0004], ServerHelloDone 
 TLS_accept: SSLv3 write server done A 
 TLS_accept: SSLv3 flush data 
 TLS_accept:error in SSLv3 read client certificate A 
In SSL Handshake Phase 
In SSL Accept mode 
 eaptls_process returned 13 
 rlm_eap_peap: EAPTLS_HANDLED
 modcall[authenticate]: module eap returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 0 to 192.168.1.1:3072

Re: Freeradius + OpenLDAP - user password problem

2006-08-22 Thread Stuckzor

Still doesn't work. I tried yesterday on new machine, i set up everything and
configure eap.conf to use peap. I set up server certificates and CA. When i
try to login from XP client via Linksys wireless router i get error reading
client certificate message from freeRadius. Since i don't need client
certificate for peap, i'm pretty confused (again :D).


-- 
View this message in context: 
http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014904.html#a5921516
Sent from the FreeRadius - User forum at Nabble.com.



Re: Freeradius + OpenLDAP - user password problem

2006-08-22 Thread K. Hoercher

On 8/22/06, Stuckzor [EMAIL PROTECTED] wrote:

try to login from XP client via Linksys wireless router i get error reading
client certificate messege from freeRadius. Since i don't need client


Hi,

that's probably the linked in openssl complaining about not being able
to read the client certificate (which is unneeded as you already
noted). If so, it's not an error with respect to freeradius eap
etc.
As you didn't provide meaningful output one cannot be sure of course...

regards
K. Hoercher


Re: Freeradius + OpenLDAP - user password problem

2006-08-22 Thread K. Hoercher

On 8/22/06, Stuckzor [EMAIL PROTECTED] wrote:

try to login from XP client via Linksys wireless router i get error reading
client certificate messege from freeRadius. Since i don't need client


Hi,

that's probably the linked in openssl complaining about not being able
to read the client certificate (which is possible but unneeded as you
already noted). If so, it's not an error with respect to freeradius
eap etc.
As you didn't provide meaningful output one cannot be sure of course...

regards
K. Hoercher


Re: Freeradius + OpenLDAP - user password problem

2006-08-04 Thread Stuckzor

Thanks to you too. I noticed some people feel offended by my attitude, so let
me apologize - i don't mean to be a smartass, and i definitely don't have any
doubts in your knowledge, but i'm a young computer engineer (first months of
work) and when things get hard for me i can get a little pushy while trying
to solve them.

Now i configured radius to use EAP-PEAP and i thought i have only 1 step left
to take - make OpenLDAP use NT hash passwords (already know how to do
that), but damn, that no dialup access attribute error strikes again with
radtest :( If even radtest doesn't get through (though it doesn't use eap)
there is no chance a real client would, eh? And i ask again - is it normal,
that i don't get access-accept with radtest without setting auth-type to
ldap and can i simply ignore that (i get that dialup access attribute
error), or should i get access-accept with radtest without setting auth-type
to ldap? That's what i wanted to know in one of my previous posts.



Re: Freeradius + OpenLDAP - user password problem

2006-08-04 Thread Alan DeKok
Stuckzor [EMAIL PROTECTED] wrote:
 Now i configured radius to use EAP-PEAP and i thought i have only 1 step left
 to take - make OpenLDAP use NT hash passwords (already know how to do
 that), but damn, that no dialup access attribute error strikes again with
 radtest :(

  From the ldap section of radiusd.conf:

access_attr = dialupAccess

  Comment that out, and it won't check for dial-up access permissions.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius + OpenLDAP - user password problem

2006-08-03 Thread Tilen
Ok, let me try to get that straight - i can't use ldap in authorization section of radiusd.conf (or in users file) and connect to radius with WinXP client. But i can use something else instead and still connect to radius with ldap accounts, right? 
John wrote:
However, in my LDAP directory, it looks a little different:

dn: uid=user1,ou=Users,ou=radius,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: radiusprofile
radiusAuthType: Local
radiusServiceType: Framed-User
uid: user1
cn: user1
sn: user1
radiusFramedIPAddress: y.y.y.y
radiusAcctInterimInterval: 60
radiusTunnelServerEndpoint: x.x.x.x
dialupAccess: true

As you can see, AuthType is set to Local in LDAP. I don't know if this is the recommended way to do this, but it works for me :-)

Is that .ldif file for your ldap users? If it is, it has way more lines than mine and doesn't have a password.

Re: Freeradius + OpenLDAP - user password problem

2006-08-03 Thread Stuckzor

Okay i tried some things out and noticed, that what John pasted definitely
isn't .ldif file. And if i set Auth-Type to LDAP in users file or if i
uncomment it in authorize section of radiusd.conf -- isn't the same! If i
set ldap in radiusd.conf i get rlm_ldap: no dialupAccess attribute - access
denied by default with radtest.




Re: Freeradius + OpenLDAP - user password problem

2006-08-03 Thread Phil Mayers

Tilen wrote:
Ok, let me try to get that straight - i can't use ldap in authorization 
section of radiusd.conf (or in users file) and connect to radius with 
WinXP client. But i can use something else instead and still connect to 
radius with ldap accounts, right?


Wrong. You're very confused about how this works.

Your original mail states you want to do EAP-PEAP+MS-CHAP for wireless auth.

Unless your LDAP directory contains the plaintext password or the NT 
hash, what you want to do is impossible. If it does contain the 
plaintext or NT hashes, correct configuration will make it work. Does it?


Also, you've failed to register this several times, but I'll repeat it. 
DO NOT SET Auth-Type. At all. To anything. In common use, there's no 
need to set it, and in fact it can actively break things.


Re: Freeradius + OpenLDAP - user password problem

2006-08-03 Thread Stuckzor


Phil Mayers wrote:
 
 
 Wrong. You're very confused about how this works.
 
 Your original mail states you want to do EAP-PEAP+MS-CHAP for wireless
 auth.
 
 Unless your LDAP directory contains the plaintext password or the NT 
 hash, what you want to do is impossible. If it does contain the 
 plaintext or NT hashes, correct configuration will make it work. Does it?
 
 Also, you've failed to register this several times, but I'll repeat it. 
 DO NOT SET Auth-Type. At all. To anything. In common use, there's no 
 need to set it, and in fact it can actively break things.
 
 

Thank you, your reply was very useful, and yes, i am confused about how
these things work and i am not ashamed to admit it, but it's getting clearer
pretty rapidly :) Now i have one last question (or at least i hope so) -
which choice is more viable, using EAP-PEAP+MS-CHAP for wireless auth. (but
with clear text passwords this time), like i originally planned to, or can
you recommend using something else? I really don't care, as long as it works
with most wireless hardware :)




Re: Freeradius + OpenLDAP - user password problem

2006-08-03 Thread Phil Mayers

Stuckzor wrote:


Thank you, your reply was very useful, and yes, i am confused about how
these things work and i am not ashamed to admit it, but it's getting clearer
pretty rapidly :) Now i have one last question (or at least i hope so) -
which choice is more viable, using EAP-PEAP+MS-CHAP for wireless auth. (but
with clear text passwords this time), like i originally planned to, or can
you recommend using something else? I really don't care, as long as it works
with most wireless hardware :)



Unless the wireless hardware is very broken (assuming you mean APs and 
so forth) it won't care.


The main issue is software support. EAP-PEAP+MS-CHAP is generally 
considered to be the most widely supported. It works on WinXP, MacOS X 
and with Linux wpa_supplicant/NetworkManager, most PDAs and so forth.


EAP-TLS is about as well supported, but has much higher administrative 
overhead since you have to generate and distribute certificates.


All the other EAP mechanisms require special software on windows, which 
is obviously effort to distribute, install and configure. If you are 
willing to go to that effort, Secure_W2 offers EAP-TTLS+PAP which will 
work with any auth database.


If you have the choice, I would recommend going with plaintext or 
NT-hashed passwords and EAP-PEAP+MS-CHAP.


Re: Freeradius + OpenLDAP - user password problem

2006-08-03 Thread Stuckzor

Thank you again, you were very helpful, but still I have issues. That's
bugging me: 

Only under these circumstances:

1.) I have ldap in the authenticate section 
2.) Auth-Type set to LDAP in the users file, and 
3.) MUST NOT have ldap under the authorize section of radiusd.conf. 

Only with this config do I get access-accept with radtest (I tried all possible
combinations of those 3). I get this message otherwise:

rlm_ldap: no dialupAccess attribute - access denied by default

And with my working config I get the already mentioned userPassword attribute
error. So, I'm afraid I don't even get that far, to have problems with
password encryption. 


-- 
View this message in context: 
http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014904.html#a5633159
Sent from the FreeRadius - User forum at Nabble.com.



Re: Freeradius + OpenLDAP - user password problem

2006-08-03 Thread K. Hoercher

On 8/3/06, Stuckzor [EMAIL PROTECTED] wrote:

1.) I have ldap in the authenticate section
2.) Auth-Type set to LDAP in the users file, and
3.) MUST NOT have ldap under the authorize section of radiusd.conf.

Only with this config do I get access-accept with radtest (I tried all possible
combinations of those 3). I get this message otherwise:

rlm_ldap: no dialupAccess attribute - access denied by default

And with my working config I get the already mentioned userPassword attribute
error. So, I'm afraid I don't even get that far, to have problems with
password encryption.


Hi,

OK, I'll give it a try.

1. Going far back in this thread, you said something about using
EAP-PEAP/MSCHAP. Therefore you are _required_ to have the cleartext
password in LDAP or in the alternative an equivalent hash (nt/lm) if
you want to use that.
If so, configure your ldap instance in radiusd.conf accordingly AND
include it in authorize{}. This was pointed out often enough one might
think (and from people who really know, because they wrote the
software you are trying to use). Then there will be no need for
explicit setting of Auth-Type. It has been said.

2. Even if you tried something else (EAP-TTLS for example) you were
already told how to proceed and how that relates to the need for
cleartext passwords. Even then there is no need for setting Auth-Type
manually.

3. If you insist on setting Auth-Type nevertheless, you will break
other things you obviously don't know about. There is plenty of
(perhaps even a bit too overwhelming) documentation on freeradius.org,
in the tarball, in the example configuration, this very list, etc. etc.
Believe its contents. If you think there is a fault and you are wiser,
show that precisely (NOT by reasoning in generalities stemming from
false assumptions on your side).

4. Whatever you test with radtest does not relate to EAP-PEAP/MSCHAP.
Please restart your efforts with unchanged default configuration
files. Alter them step-by-step according to the information you were
already given. And, sorry, don't whip a dead horse, again, by setting
Auth-Type.

regards
K. Hoercher
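The constraint that Phil Mayers and K. Hoercher both describe above, as an added Python example that is not from this thread: PAP receives the cleartext password from the client, so it can be checked against any one-way hash in userPassword (or by a plain LDAP bind), while MS-CHAPv2 inside PEAP only receives a challenge/response derived from the NT hash, so the server must already hold the cleartext or the NT hash. The {SSHA} layout (SHA-1 digest followed by the salt) is the usual RFC 2307 form; the method table and the sample passwords are constructed for illustration.

```python
import base64
import hashlib
import secrets

# Which stored credential forms each authentication method can be verified
# against (assumed table for illustration). "NT" stands for the NT hash in
# whatever attribute it is stored; {SSHA}/{CRYPT} style one-way hashes
# cannot be used for MS-CHAPv2 because the cleartext never reaches the server.
METHOD_NEEDS = {
    "PAP": {"cleartext", "SSHA", "SHA", "MD5", "CRYPT", "NT"},
    "MS-CHAPv2": {"cleartext", "NT"},
}


def scheme_of(user_password: str) -> str:
    """Classify an LDAP userPassword value by its {SCHEME} prefix."""
    if user_password.startswith("{") and "}" in user_password:
        return user_password[1:user_password.index("}")].upper()
    return "cleartext"


def supported_methods(user_password: str) -> list:
    """Auth methods FreeRADIUS could satisfy with this stored value."""
    scheme = scheme_of(user_password)
    return sorted(m for m, ok in METHOD_NEEDS.items() if scheme in ok)


def make_ssha(password: str, salt: bytes = None) -> str:
    """Encode a password as {SSHA}base64(sha1(password + salt) + salt)."""
    salt = salt if salt is not None else secrets.token_bytes(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(candidate: str, user_password: str) -> bool:
    """PAP-style check: recompute the salted SHA-1 from the cleartext."""
    if scheme_of(user_password) != "SSHA":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(user_password[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


if __name__ == "__main__":
    stored = make_ssha("badblueboy", b"\x01\x02\x03\x04")  # constructed
    print(stored, supported_methods(stored))      # PAP only
    print(supported_methods("badblueboy"))        # MS-CHAPv2 and PAP
    print(verify_ssha("badblueboy", stored))      # True
```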


Re: Freeradius + OpenLDAP - user password problem

2006-08-02 Thread Tilen
Ok, I'm back on this case. I didn't have time to work on it the past few days.

 The debug log you posted shows that you set Auth-Type := LDAP.
 Don't do that.
 Alan DeKok.

I have that set in the users file:
--
DEFAULT Auth-Type := LDAP
  Fall-Through = 1
-
And I'm pretty sure that is okay; if I comment it out I don't get access-accept even with radtest if I use the ldap password, which makes sense. So, why do you think this is the cause of my problem and how could I fix it? 


Re: Freeradius + OpenLDAP - user password problem

2006-08-02 Thread Alan DeKok
 I said:
  The debug log you posted shows that you set Auth-Type := LDAP.
 
  Don't do that.

  To which you responded:
 I have that set in users file:
 --
 DEFAULT Auth-Type := LDAP
 Fall-Through = 1
 -
 
 And i'm pretty sure, that is okay

  To which I respond again:

  No, it's not.

  Honestly, if you know better than the people here about what's OK
and what's not, why are you asking questions on this list?

  if i comment it out i don't get
 access-accept even with radtest if i use ldap password, which makes sense.
 So, why do you think this is the cause of my problem and how could i fix it?

  You're not following instructions.

  Please search the list archives for the answer to your question.
It's there.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius + OpenLDAP - user password problem

2006-08-02 Thread John McEleney
Hi Tilen,

Although I'm no expert, I do have a working FreeRadius+LDAP set-up, so I
can tell you what works for me.

Tilen wrote:
 I have that set in users file:
 --
 DEFAULT Auth-Type := LDAP
 Fall-Through = 1
 -

My users file says:

DEFAULT Auth-Type := LDAP
  Fall-Through = Yes

However, in my LDAP directory, it looks a little different:
dn: uid=user1,ou=Users,ou=radius,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: radiusprofile
radiusAuthType: Local
radiusServiceType: Framed-User
uid: user1
cn: user1
sn: user1
radiusFramedIPAddress: y.y.y.y
radiusAcctInterimInterval: 60
radiusTunnelServerEndpoint: x.x.x.x
dialupAccess: true

As you can see, AuthType is set to Local in LDAP. I don't know if this
is the recommended way to do this, but it works for me :-)

Regards,
John


Re: Freeradius + OpenLDAP - user password problem

2006-08-02 Thread Alan DeKok
John McEleney [EMAIL PROTECTED] wrote:
 As you can see, AuthType is set to Local in LDAP. I don't know if this
 is the recommended way to do this, but it work for me :-)

  If all you do is PAP authentication.

  And if you have ldap listed in the authorise section, the module
takes care of setting Auth-Type = LDAP.  i.e. you could delete that
entry from the users file and nothing would change.  Try it.

  The original post that started this was using EAP.  LDAP doesn't do
EAP, hence the problem.

  PLEASE don't tell people to set Auth-Type.  It's not needed for your
deployment, and it breaks most other people's deployments.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius + OpenLDAP - user password problem

2006-07-28 Thread Stuckzor

OK, I guess I should paste that anyway, so here it is; hope it helps:

rad_recv: Access-Request packet from host 192.168.1.1:2051, id=0, length=121
User-Name = root
NAS-IP-Address = 192.168.1.1
Called-Station-Id = 0016b6016815
Calling-Station-Id = 00130237d9db
NAS-Identifier = 0016b6016815
NAS-Port = 53
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020901726f6f74
Message-Authenticator = 0x4ec4b4b08fe410e47f6c233f47b4dbb0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module preprocess returns ok for request 3
  modcall[authorize]: module mschap returns noop for request 3
rlm_realm: No '@' in User-Name = root, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 3
users: Matched entry DEFAULT at line 1
users: Matched entry DEFAULT at line 156
  modcall[authorize]: module files returns ok for request 3
modcall: group authorize returns ok for request 3
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 3
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid for request 3
modcall: group Auth-Type returns invalid for request 3
auth: Failed to validate the user.
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.1.1:2051
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 0 with timestamp 44c9f898
Nothing to do.  Sleeping until we see a request.

###
-- 
View this message in context: 
http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014904.html#a5538103
Sent from the FreeRadius - User forum at Nabble.com.



Re: Freeradius + OpenLDAP - user password problem

2006-07-28 Thread Stuckzor

And here is the example of a successful logon with radtest:

radtest bbb badblueboy 192.168.1.129 1 testing123


rad_recv: Access-Request packet from host 192.168.1.129:35640, id=191,
length=55
User-Name = bbb
User-Password = badblueboy
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module preprocess returns ok for request 5
  modcall[authorize]: module mschap returns noop for request 5
rlm_realm: No '@' in User-Name = bbb, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 5
users: Matched entry DEFAULT at line 1
users: Matched entry DEFAULT at line 156
  modcall[authorize]: module files returns ok for request 5
modcall: group authorize returns ok for request 5
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 5
rlm_ldap: - authenticate
rlm_ldap: login attempt by bbb with password badblueboy
radius_xlat:  '(uid=bbb)'
radius_xlat:  'ou=People,dc=BLah,dc=si'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=BLah,dc=si, with filter
(uid=bbb)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: uid=bbb,ou=People,dc=BLah,dc=si
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=bbb,ou=People,dc=kapion,dc=si/badblueboy to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user bbb authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 5
modcall: group Auth-Type returns ok for request 5
Sending Access-Accept of id 191 to 192.168.1.129:35640
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 191 with timestamp 44c9f995
Nothing to do.  Sleeping until we see a request.

-- 
View this message in context: 
http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014904.html#a5538165
Sent from the FreeRadius - User forum at Nabble.com.



Freeradius + OpenLDAP - user password problem

2006-07-28 Thread Stuckzor

Hello, as you can see, I must be pretty desperate to register somewhere so I
can ask for help. Anyway, the situation is: I recently set up a freeradius
server with openldap for auth., everything seemed to work great (radtest
returns access-accept), until I tried to login via notebook and Linksys
router (with dd-wrt firmware).
Linksys is properly configured, I believe. On the laptop I have chosen WPA 2
security using ms-chap, and when I try to connect, the access-request packet
doesn't contain the attribute user-password! I am really stuck here, have no
idea what to do, so any help would be really appreciated. If you need
additional info I will be glad to assist (e.g. post debug output or
something).
-- 
View this message in context: 
http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014904.html#a5537868
Sent from the FreeRadius - User forum at Nabble.com.



Re: Freeradius + OpenLDAP - user password problem

2006-07-28 Thread Alan DeKok
Stuckzor [EMAIL PROTECTED] wrote:
 Hello, as you can see, I must be pretty desperate to register somewhere so I
 can ask for help. Anyway, the situation is: I recently set up a freeradius
 server with openldap for auth., everything seemed to work great (radtest
 returns access-accept), until I tried to login via notebook and Linksys
 router (with dd-wrt firmware).

  The debug log you posted shows that you set Auth-Type := LDAP.

  Don't do that.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog