Fwd: ldap-radius integration

2012-03-30 Thread Stefan Winter
Please don't write private mail to me with FreeRADIUS questions.
Forwarding to freeradius-users.

-------- Original Message --------
Subject: ldap-radius integration
Date:    Fri, 30 Mar 2012 12:35:53 -0700
From:    exu...@gmail.com
To:      stefan.win...@restena.lu



Could you give me some reference material or the steps involved in integrating
RADIUS and LDAP?
I am stuck with the error
[ldap] bind as cn=Manager,ou=radius,dc=example,dc=com/{SSHA}N0HDoA07iBXb/qW6JmhxnkUeTkVex1mN to 127.0.0.1:389
  [ldap] waiting for bind result ...
  [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
Can't understand how to proceed..!
PS: I'm using Ubuntu 11.10

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fwd: ldap-radius integration

2012-03-30 Thread Stefan Winter


 Could you give me some reference material or the steps involved in integrating
 RADIUS and LDAP?
 I am stuck with the error
 [ldap] bind as cn=Manager,ou=radius,dc=example,dc=com/{SSHA}N0HDoA07iBXb/qW6JmhxnkUeTkVex1mN to 127.0.0.1:389
   [ldap] waiting for bind result ...
   [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
 Can't understand how to proceed..!
 PS: I'm using Ubuntu 11.10


You need to tell FreeRADIUS login credentials for your LDAP
administrator account. According to the query, the username for that is
Manager and the LDAP server is radius.example.com.

I believe these are the default (shipped) values that come with
FreeRADIUS. Replace them with the *real* login details of your LDAP
admin account.

In general: *read* the debug output and *apply common sense*.

Greetings,

Stefan Winter

P.S.: your Operating System is irrelevant for this error.


Re: Fwd: ldap-radius integration

2012-03-30 Thread John Dennis

On 03/30/2012 05:46 PM, Stefan Winter wrote:

Please don't write private mail to me with FreeRADIUS questions.
Forwarding to freeradius-users.

-------- Original Message --------
Subject: ldap-radius integration
Date:    Fri, 30 Mar 2012 12:35:53 -0700
From:    exu...@gmail.com
To:      stefan.win...@restena.lu

Could you give me some reference material or the steps involved in integrating
RADIUS and LDAP?
I am stuck with the error
[ldap] bind as cn=Manager,ou=radius,dc=example,dc=com/{SSHA}N0HDoA07iBXb/qW6JmhxnkUeTkVex1mN to 127.0.0.1:389
  [ldap] waiting for bind result ...
  [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf

Can't understand how to proceed..!

Then get a book on LDAP and read it, or use Google to find any of the 
dozens of tutorials on LDAP and read it. It's your job to learn the 
material, not our job as volunteers to spoon feed you the answers.


I say this in part because the answer to your question is so glaringly 
obvious if you have even the most rudimentary understanding of ldap 
authentication and password formats. So acquire the knowledge and answer 
the question yourself, how do you think we learned it? BTW this has 
nothing to do with FreeRADIUS, it's basic LDAP usage.



Re: Another LDAP/RADIUS integration problem.

2010-07-29 Thread Alan DeKok
Tom Leach wrote:
 Grr, off on a goose chase.  Problem isn't in rlm_pap.c, but rlm_ldap.c.
  rlm_ldap only likes the Cleartext-Password and User-Password
 attributes. 

  Yes... the message you posted clearly shows it's output from the LDAP
module.

 Would it be a bad thing to patch rlm_ldap.c to also work
 with Password-With-Header?  If not, then I guess I'll have to use
 User-Password in the ldap dictionary and live with the suggestion
 message in debug output.

  PLEASE don't do that.  I suggested to use Password-With-Header as the
preferred alternative.  Don't go pick *another* method with *more*
warning messages, just because you don't like seeing the warning message
produced by the LDAP module.

  Alan DeKok.


Re: Another LDAP/RADIUS integration problem.

2010-07-28 Thread Tom Leach
Grr, off on a goose chase.  Problem isn't in rlm_pap.c, but rlm_ldap.c. 
 rlm_ldap only likes the Cleartext-Password and User-Password 
attributes.  Would it be a bad thing to patch rlm_ldap.c to also work 
with Password-With-Header?  If not, then I guess I'll have to use 
User-Password in the ldap dictionary and live with the suggestion 
message in debug output.

!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!! Please update your configuration so that the known good
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
Thanks!
Tom

On 07/28/2010 11:59 AM, Tom Leach wrote:


Alan, changing from User-Password to Password-With-Header brought back 
the 'No known good password' error.  I'm going through the rlm_pap.c 
code to try to see what's going on here.  I haven't found any docs yet 
on what the various mapping possibilities are and what they do.  Do you 
have a pointer to any so I don't keep bugging you and the list?
I agree with the 'get it work, then tune it' approach.  That's where I'm 
at now.  It's working, I'm just trying to make all the messages go away :)

Thanks!
Tom

Here is a snippet from radiusd -X:
[ldap-server1] Added Crypt-Password = 4gOgBZqZgtwIw in check items
[ldap-server1] looking for check items in directory...
  [ldap-server1] userPassword -> Password-With-Header == {crypt}4gOgBZqZgtwIw

[ldap-server1] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that 
the user is configured correctly?

[ldap-server1] user testuser authorized to use remote access




Date: Tue, 27 Jul 2010 09:00:23 +0200
From: Alan DeKok al...@deployingradius.com
Subject: Re: Another LDAP/RADIUS integration problem.
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: 4c4e8407.3030...@deployingradius.com
Content-Type: text/plain; charset=ISO-8859-1

Tom Leach wrote:

Alan, I changed the ldap.attrmap file from checkItem Crypt-Password
userPassword to checkItem User-Password userPassword and it's
authenticating now, but I now have a new message in the debug output and
I'm not sure if it's a problem, suggestion, or otherwise.


  It's a suggestion.  But the first step was to get it to work.


 I can't
change the LDAP directory to contain actual cleartext passwords, so it
may just be something that I have to live with.


  Change the mapping in ldap.attrmap to:

checkItem Password-With-Header userPassword

  That should *still* work, and will remove the warning.

  The process here is to first get it to work, and then get it to work
better.

  Alan DeKok.





Re: Another LDAP/RADIUS integration problem.

2010-07-27 Thread Alan DeKok
Tom Leach wrote:
 Alan, I changed the ldap.attrmap file from checkItem Crypt-Password
 userPassword to checkItem User-Password userPassword and it's
 authenticating now, but I now have a new message in the debug output and
 I'm not sure if it's a problem, suggestion, or otherwise.

  It's a suggestion.  But the first step was to get it to work.

  I can't
 change the LDAP directory to contain actual cleartext passwords, so it
 may just be something that I have to live with.

  Change the mapping in ldap.attrmap to:

checkItem Password-With-Header userPassword

  That should *still* work, and will remove the warning.

  The process here is to first get it to work, and then get it to work
better.

  Alan DeKok.


Re: Another LDAP/RADIUS integration problem.

2010-07-26 Thread Tom Leach
 {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = inner-tunnel
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
usersfile = /usr/local/etc/raddb/users
acctusersfile = /usr/local/etc/raddb/acct_users
preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
compat = no
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
filename = /var/log/radius/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
attrsfile = /usr/local/etc/raddb/attrs.access_reject
key = %{User-Name}
  }
 } # modules
} # server
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_ldap
 Module: Instantiating ldap-server1
  ldap ldap-server1 {
server = ldap://server1.coas.oregonstate.edu;
port = 389
password = secret
identity = uid=admin,o=radtree
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = yes
tls_require_cert = allow
   tls {
start_tls = yes
cacertdir = /etc/pki/tls/certs/
require_cert = demand
   }
basedn = ou=People,o=mydomain
filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
base_filter = (objectclass=radiusprofile)
password_attribute = userPassword
auto_header = yes
access_attr_used_for_allow = yes
groupname_attribute = cn
groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

dictionary_mapping = /usr/local/etc/raddb/ldap.pap.attrmap
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap-server1-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap-server1-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap-server1
rlm_ldap: reading ldap-radius mappings from file /usr/local/etc/raddb/ldap.pap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Crypt-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP

Another LDAP/RADIUS integration problem.

2010-07-23 Thread Tom Leach
-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap-server1
rlm_ldap: reading ldap-radius mappings from file /usr/local/etc/raddb/ldap.pap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Crypt-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone

rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x1480f5e0
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = /usr/local/etc/raddb/huntgroups
hints = /usr/local/etc/raddb/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_detail
 Module: Instantiating auth_log
  detail auth_log {
detailfile = /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating detail
  detail {
detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
attrsfile = /usr/local/etc/raddb/attrs.accounting_response
key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
type = auth

Re: Another LDAP/RADIUS integration problem.

2010-07-23 Thread Alan DeKok
Tom Leach wrote:
 To correct the bind problem, I added an ACL to the directory to allow
 'uid=admin,o=radtree' to access the userPassword attribute, then
 configured the ldap module to use 'uid=admin,o=radtree' as the identity
 and 'secret' as the password.  Now the bind succeeds, the -X output says
 that it's mapping userPassword -> Crypt-Password == {crypt}4gOgBZqZgtwIw

  The Crypt-Password attribute is supposed to be the crypt'd version
of the password *without* the {crypt} header.  Change the mapping from
userPassword -> Crypt-Password to userPassword -> User-Password, and
it will work.

  The PAP module will look for the {crypt} header, and create a
Crypt-Password with the appropriate value.

  Alan DeKok.


Re: Another LDAP/RADIUS integration problem.

2010-07-23 Thread John Dennis

On 07/23/2010 02:59 PM, Alan DeKok wrote:

Tom Leach wrote:

To correct the bind problem, I added an ACL to the directory to allow
'uid=admin,o=radtree' to access the userPassword attribute, then
configured the ldap module to use 'uid=admin,o=radtree' as the identity
and 'secret' as the password.  Now the bind succeeds, the -X output says
that it's mapping userPassword -> Crypt-Password == {crypt}4gOgBZqZgtwIw


   The Crypt-Password attribute is supposed to be the crypt'd version
of the password *without* the {crypt} header.  Change the mapping from
userPassword -> Crypt-Password to userPassword -> User-Password, and
it will work.

   The PAP module will look for the {crypt} header, and create a
Crypt-Password with the appropriate value.


Hmm ...

Just from looking at the rlm_ldap code (not actual testing) I thought if 
auto_header was set to True in the ldap config then rlm_ldap after 
looking up the configured password attribute would perform the steps you 
describe above. (strip the hash prefix and add a new attribute with the 
correct attribute type for the hash type)


Am I confused?

--
John Dennis jden...@redhat.com



Re: Another LDAP/RADIUS integration problem.

2010-07-23 Thread Alan DeKok
John Dennis wrote:
 Just from looking at the rlm_ldap code (not actual testing) I thought if
 auto_header was set to True in the ldap config then rlm_ldap after
 looking up the configured password attribute would perform the steps you
 describe above. (strip the hash prefix and add a new attribute with the
 correct attribute type for the hash type)
 
 Am I confused?

  The auto-header should be off by default.  I think it was off in the
debug log posted earlier.  And it shouldn't be used.

  The PAP module does all that, and more.

  Alan DeKok.

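The two exchanges above (Crypt-Password must be the bare crypt(3) hash; the PAP module strips a {crypt}-style header and creates the typed attribute itself) can be modelled in a few lines. This is an added example, not FreeRADIUS code or anything the posters wrote: the header table, the hex/base64 acceptance and the make_ldap_hash helper are assumptions of this sketch, and the {crypt} string is the one quoted in the thread.

```python
"""
Added example, not FreeRADIUS code: the Password-With-Header handling that
the thread describes.  Crypt-Password must hold the bare crypt(3) hash;
Password-With-Header may hold the directory value with its {crypt}/{ssha}/...
prefix, which is stripped and selects the typed attribute to compare against.
Assumption: HEADER_ATTRS is a subset of the headers rlm_pap really knows.
"""
import base64
import hashlib
import hmac

# Password header -> typed FreeRADIUS check attribute (assumed subset).
HEADER_ATTRS = {
    "clear": "Cleartext-Password",
    "cleartext": "Cleartext-Password",
    "crypt": "Crypt-Password",
    "md5": "MD5-Password",
    "sha": "SHA-Password",
    "ssha": "SSHA-Password",
}


def split_header(value):
    """Split '{hdr}payload' into (hdr, payload); hdr is None when absent."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].lower(), value[end + 1:]
    return None, value


def normalize_check_item(attr, value):
    """
    Return the (attribute, value) pair that is actually compared.

    Password-With-Header: strip the header and pick the typed attribute.
    Anything else, e.g. userPassword mapped straight to Crypt-Password, is
    kept verbatim, so a value still carrying '{crypt}' keeps that prefix
    and can never equal crypt(3) output: the mis-mapping in the thread.
    """
    if attr != "Password-With-Header":
        return attr, value
    header, payload = split_header(value)
    if header is None:
        return "Cleartext-Password", payload
    if header not in HEADER_ATTRS:
        raise ValueError(f"unknown password header {{{header}}}")
    return HEADER_ATTRS[header], payload


def _decode_digest(value, length):
    """Accept a hex digest of exactly `length` bytes, else base64 (LDAP style)."""
    if len(value) == 2 * length:
        try:
            return bytes.fromhex(value)
        except ValueError:
            pass
    raw = base64.b64decode(value, validate=True)
    if len(raw) < length:
        raise ValueError("digest too short for %d-byte hash" % length)
    return raw


def verify(attr, value, candidate):
    """Constant-time check of a cleartext candidate against one typed item."""
    pw = candidate.encode()
    if attr == "Cleartext-Password":
        return hmac.compare_digest(value.encode(), pw)
    if attr == "MD5-Password":
        return hmac.compare_digest(_decode_digest(value, 16), hashlib.md5(pw).digest())
    if attr == "SHA-Password":
        return hmac.compare_digest(_decode_digest(value, 20), hashlib.sha1(pw).digest())
    if attr == "SSHA-Password":
        raw = _decode_digest(value, 20)  # sha1(pw + salt) followed by the salt
        return hmac.compare_digest(raw[:20], hashlib.sha1(pw + raw[20:]).digest())
    if attr == "Crypt-Password":
        try:
            import crypt  # removed in Python 3.13; optional for this example
        except ImportError as exc:
            raise RuntimeError("crypt(3) is unavailable in this Python") from exc
        return hmac.compare_digest(crypt.crypt(candidate, value), value)
    raise ValueError(f"unsupported check attribute {attr}")


def make_ldap_hash(scheme, password, salt=b""):
    """Build a constructed LDAP userPassword value: {SHA}, {SSHA} or {MD5}."""
    pw = password.encode()
    if scheme == "SHA":
        raw = hashlib.sha1(pw).digest()
    elif scheme == "SSHA":
        raw = hashlib.sha1(pw + salt).digest() + salt
    elif scheme == "MD5":
        raw = hashlib.md5(pw).digest()
    else:
        raise ValueError(scheme)
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode())


if __name__ == "__main__":
    # Constructed directory value; the {crypt} string is the one quoted in the thread.
    attr, payload = normalize_check_item("Password-With-Header", make_ldap_hash("SSHA", "s3cret", b"salt"))
    print(attr, verify(attr, payload, "s3cret"))  # SSHA-Password True
    print(normalize_check_item("Crypt-Password", "{crypt}4gOgBZqZgtwIw"))  # header kept, cannot match
```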


Re: user-Password required for ldap radius

2009-04-03 Thread Alan DeKok
Basant Agarwal wrote:
 Hello,
  I am trying to authenticate wifi users for a wireless network ... for
 this I am using FreeRADIUS with LDAP...
  When we run radtest on localhost, it is able to get authorised and
 authenticated .. it works fine but when I try from a laptop (Windows) then
 it rejects the same user...
 Please let me know what to do ...??

  You have edited the configuration to force Auth-Type := LDAP.  Don't
do that.  It's breaking EAP.

  Alan DeKok.


user-Password required for ldap radius

2009-04-02 Thread Basant Agarwal
Hello, I am trying to authenticate wifi users for a wireless network ... for
this I am using FreeRADIUS with LDAP...
When we run radtest on localhost, it is able to get authorised and
authenticated .. it works fine but when I try from a laptop (Windows) then it
rejects the same user...
Please let me know what to do ...??


here is the debug output ..

Ready to process requests.
rad_recv: Access-Request packet from host 172.16.1.80:1122, id=0, length=204
Message-Authenticator = 0x3f459af06e42a2a0b7cf9c1d80092e31
Service-Type = Framed-User
User-Name = testap
Framed-MTU = 1488
Called-Station-Id = 00-15-E9-C9-F3-80:MNIT-DC-AP
Calling-Station-Id = 00-16-6F-7C-DB-2D
NAS-Identifier = D-link Corp. Access Point
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 0x020b01746573746170
NAS-IP-Address = 172.16.1.80
NAS-Port = 1
NAS-Port-Id = STA port # 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = testap, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 159
users: Matched entry DEFAULT at line 177
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testap
radius_xlat:  '(uid=testap)'
radius_xlat:  'dc=mnit,dc=ac,dc=in'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 172.16.1.20:389, authentication 0
rlm_ldap: bind as uid=admin,ou=people,dc=mnit,dc=ac,dc=in/system to
172.16.1.20:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mnit,dc=ac,dc=in, with filter
(uid=testap)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testap authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid for request 0
modcall: leaving group LDAP (returns invalid) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 172.16.1.80 port 1122
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 46b1b8cb
Nothing to do.  Sleeping until we see a request.

Re: user-Password required for ldap radius

2009-04-02 Thread kalesameer

I had the same problem a few days back... I think it's a problem with the certificate. Please
check the client certificate you have selected on your laptop...


Basant Agarwal wrote:
 
 Hello, I am trying to authenticate wifi users for a wireless network ...
 for this I am using FreeRADIUS with LDAP...
  When we run radtest on localhost, it is able to get authorised and
 authenticated .. it works fine but when I try from a laptop (Windows) then
 it rejects the same user...
 Please let me know what to do ...??
 
 


ldap+radius authentication problem

2008-03-25 Thread amir shrestha
Dear all,

I have configured FreeRADIUS with an LDAP backend as given in
http://freeradius.org/radiusd/doc/ldap_howto.txt.

The user gets authorized but authentication fails.

The detail output is here:

Ready to process requests.

rad_recv: Access-Request packet from host a.b.c.d:3272, id=0, length=47

User-Name = abc

User-Password = 12345

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 0

  modcall[authorize]: module preprocess returns ok for request 0

  modcall[authorize]: module chap returns noop for request 0

  modcall[authorize]: module mschap returns noop for request 0

rlm_ldap: - authorize

rlm_ldap: performing user authorization for abc

radius_xlat:  '(uid=abc)'

radius_xlat:  'ou=users,ou=radius,dc=whitehouse,dc=edu'

rlm_ldap: ldap_get_conn: Checking Id: 0

rlm_ldap: ldap_get_conn: Got Id: 0

rlm_ldap: attempting LDAP reconnection

rlm_ldap: (re)connect to x.x.x.x:389, authentication 0

rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow

rlm_ldap: bind as cn=Manager,dc=whitehouse,dc=edu/password to x.x.x.x:389

rlm_ldap: waiting for bind result ...

rlm_ldap: Bind was successful

rlm_ldap: performing search in ou=users,ou=radius,dc=whitehouse,dc=edu, with
filter (uid=abc)

rlm_ldap: Added password 12345  in check items

rlm_ldap: looking for check items in directory...

rlm_ldap: looking for reply items in directory...

rlm_ldap: Setting Auth-Type = ldap

rlm_ldap: user abc authorized to use remote access

rlm_ldap: ldap_release_conn: Release Id: 0

  modcall[authorize]: module ldap returns ok for request 0

modcall: leaving group authorize (returns ok) for request 0

  rad_check_password:  Found Auth-Type ldap

auth: type LDAP

  Processing the authenticate section of radiusd.conf

modcall: entering group LDAP for request 0

rlm_ldap: - authenticate

rlm_ldap: login attempt by abc with password 12345

rlm_ldap: user DN: uid=abc,ou=users,ou=radius,dc=whitehouse,dc=edu

rlm_ldap: (re)connect to x.x.x.x:389, authentication 1

rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow

rlm_ldap: bind as uid=abc,ou=users,ou=radius,dc=whitehouse,dc=edu/12345 to
x.x.x.x:389

rlm_ldap: waiting for bind result ...

rlm_ldap: Bind failed with invalid credentials

  modcall[authenticate]: module ldap returns reject for request 0

modcall: leaving group LDAP (returns reject) for request 0

auth: Failed to validate the user.

Delaying request 0 for 1 seconds

 

Can anyone help me??

 


Re: ldap+radius authentication problem

2008-03-25 Thread Alan DeKok
amir shrestha wrote:
 I have configured FreeRADIUS with an LDAP backend as given in
 http://freeradius.org/radiusd/doc/ldap_howto.txt.
 
 The user gets authorized but authentication fails.
...
 rlm_ldap: bind as uid=abc,ou=users,ou=radius,dc=whitehouse,dc=edu/12345
 to x.x.x.x:389
 rlm_ldap: waiting for bind result ... 
 rlm_ldap: Bind failed with invalid credentials

  There isn't much more to say.  The supplied password is wrong.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LDAP-RADIUS Attribute Mapping

2006-12-08 Thread Owen DeLong
I have an environment where I am already using LDAP for AAA for a number of
things.

We have historically used the AuthorizedService attribute in LDAP to control
the level of access available to the user.  We would like to continue to do
so.  However, in order for that to work, I need to map AuthorizedService to
different RADIUS attributes in the response depending on the authentication
client.

Ideally, I'd like to be able to map RADIUS clients into groups and have a
mapping of AuthorizedService values for each group.  The client groups would,
ideally, be defined by matching the client IP address.  An example of what I'd
like that mapping to look like is below:

Client Group    AuthorizedService   RADIUS Attribute in Reply
============    =================   =========================
PIX Group 1     Pix1Auth1           cisco-avpair=shell:priv-lvl=1
PIX Group 1     Pix1Auth7           cisco-avpair=shell:priv-lvl=7
PIX Group 1     Pix1Auth15          cisco-avpair=shell:priv-lvl=15
PIX Group 2     Pix2auth1           cisco-avpair=shell:priv-lvl=1
...
Router Grp 1    Rtr1Auth1           cisco-avpair=shell:priv-lvl=1
...
LB Group 1      LBAdmin             Service-Type=Authenticate-Only
...
etc.

Is there any way to do this kind of dynamic mapping in FreeRadius?  As near as
I can tell, all I can do is statically map the contents of a particular LDAP
attribute to a single RADIUS attribute.  I'd also like to avoid mapping values
of AuthorizedService which don't apply to the particular RADIUS client.

I'm assuming I probably need to use something like rlm_perl to do this, and I
have no problem doing that, but I have been unable to decipher the
documentation to rlm_perl enough to have any confidence in creating a working
solution.

If anyone could provide a configuration example or a pointer to documentation
that actually describes the various pieces of solving this problem, I'd be
very grateful.

Alan, your flames and RTFM comments are welcome, but, please understand,
I've done my best to RTFM before posting this.

Owen

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP-RADIUS Attribute Mapping

2006-12-08 Thread Alan DeKok
Owen DeLong wrote:

 We have historically used the AuthorizedService attribute in LDAP to
 control the level of access available to the user.  We would like to
 continue to do so.  However, in order for that to work, I need to map
 AuthorizedService to different RADIUS attributes in the response depending
 on the authentication client.

  Do it in two steps.  Map the AuthorisedService LDAP attribute to a
RADIUS attribute (invent a local one, see the dictionary docs), and then
depending on the NAS, map that to another attribute.

  The reason for doing it this way is that the LDAP -> RADIUS attribute
mapping is simple, and should be kept simple.

 Ideally, I'd like to be able to map RADIUS clients into groups and have a
 mapping of AuthorizedService values for each group.  The client groups
 would, ideally, be defined by matching the client IP address.  An example
 of what I'd like that mapping to look like is below:

  Use rlm_passwd to map clients to groups (see its documentation), and
then the users file to map AuthorizedService to another RADIUS
attribute, as described above.

 Alan, your flames and RTFM comments are welcome, but, please understand,
 I've done my best to RTFM before posting this.

  As I tell my co-workers, Remember, there are no stupid questions.
There are only stupid people..

  And they still speak to me after that. :)

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
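The two-step mapping Alan describes, written out as an added example (not code from the thread or from FreeRADIUS) so the data flow is visible: step 1 is the static LDAP -> RADIUS copy into a local attribute, step 2 translates that attribute per client group and drops values the group does not know. The group networks and the local attribute name are assumptions; the value/reply pairs are Owen's table.

```python
# Added example, not from the thread or the FreeRADIUS sources: Alan's two-step
# mapping done in plain Python so the data flow is visible. Step 1 is the dumb
# LDAP -> RADIUS copy (one local attribute, every AuthorizedService value);
# step 2 picks the client group from the NAS address and translates only the
# values that group knows. The group networks and the local attribute name are
# assumptions; the value/reply pairs come from Owen's table.
import ipaddress

LOCAL_ATTR = "Local-Authorized-Service"   # assumed local dictionary attribute

# Client groups by NAS network (constructed addresses).
CLIENT_GROUPS = {
    "PIX Group 1": ipaddress.ip_network("10.1.0.0/24"),
    "PIX Group 2": ipaddress.ip_network("10.2.0.0/24"),
    "Router Grp 1": ipaddress.ip_network("10.3.0.0/24"),
    "LB Group 1": ipaddress.ip_network("10.4.0.0/24"),
}

# Per-group translation of AuthorizedService values into reply attributes.
REPLY_MAP = {
    "PIX Group 1": {
        "Pix1Auth1": ("cisco-avpair", "shell:priv-lvl=1"),
        "Pix1Auth7": ("cisco-avpair", "shell:priv-lvl=7"),
        "Pix1Auth15": ("cisco-avpair", "shell:priv-lvl=15"),
    },
    "PIX Group 2": {"Pix2auth1": ("cisco-avpair", "shell:priv-lvl=1")},
    "Router Grp 1": {"Rtr1Auth1": ("cisco-avpair", "shell:priv-lvl=1")},
    "LB Group 1": {"LBAdmin": ("Service-Type", "Authenticate-Only")},
}


def step1_ldap_to_local(ldap_entry):
    """Static LDAP -> RADIUS mapping: each AuthorizedService value becomes one
    instance of the local attribute, no matter which NAS is asking."""
    return [(LOCAL_ATTR, v) for v in ldap_entry.get("AuthorizedService", [])]


def client_group_for(nas_ip):
    """Which group the NAS belongs to, or None for an unknown client."""
    addr = ipaddress.ip_address(nas_ip)
    for group, net in CLIENT_GROUPS.items():
        if addr in net:
            return group
    return None


def step2_local_to_reply(nas_ip, local_attrs):
    """NAS-dependent step. Values the client's group has no entry for are
    dropped, so an LB-only service never reaches a PIX, and a NAS in no
    group gets an empty reply list. If a user carries several values for
    the same group, all of them are emitted, in directory order."""
    group = client_group_for(nas_ip)
    if group is None:
        return []
    table = REPLY_MAP[group]
    return [table[v] for attr, v in local_attrs
            if attr == LOCAL_ATTR and v in table]


def reply_for(nas_ip, ldap_entry):
    """Both steps for one request."""
    return step2_local_to_reply(nas_ip, step1_ldap_to_local(ldap_entry))
```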


Re: ldap+radius+wpa 802.1x authentication

2006-04-16 Thread Dag Bodin
I am away for a few days and cannot check my mail; get back to me after
24/4 or contact the office at [EMAIL PROTECTED] or +46-612-717780
I’m out of office until April 24, contact office: [EMAIL PROTECTED] or 
+46-612-717780
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



ldap+radius+wpa 802.1x authentication

2006-04-15 Thread João Mamede
No help for me? I'm desperate, I've lost 3 nights now :D
I already have my own certs.
Best Regards
João Mamede
Hi, I've been trying to set up my freeradius with my ldap database (all users to 
authenticate) and I can't authenticate my wireless machines using my AP with 
EAP.
All my config files can be found at http://nebioq.ath.cx:85/radius.tar.bz2 and 
my radiusd -X -A in http://nebioq.ath.cx:85/radiuslog.txt
I've tried EAP-MD5 and EAP-TTLS. I'm using the certs that came with freeradius 
because I'm unable to create new ones (an error about some library or 
something).
I can associate to my AP (d-link DI-624) but then the EAP auth fails.
My machine is a FreeBSD machine (with the radiusd).
Oh radtest:
radtest forevertheuni  mypassword t4 0 radiussecret
Sending Access-Request of id 42 to 192.168.5.100 port 1812
User-Name = forevertheuni
User-Password = mypassword
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 192.168.5.100:1812, id=42, length=20

Hope you folks can help me!
Thanks for any help in advance.
João Mamede

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ldap+radius+wpa 802.1x authentication

2006-04-15 Thread Dag Bodin
I am away for a few days and cannot check my mail; get back to me after
24/4 or contact the office at [EMAIL PROTECTED] or +46-612-717780
I’m out of office until April 24, contact office: [EMAIL PROTECTED] or 
+46-612-717780
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



ldap+radius+wpa 802.1x authentication

2006-04-13 Thread foreveruni
Hi, I've been trying to set up my freeradius with my ldap database (all users to 
authenticate) and I can't authenticate my wireless machines using my AP with 
EAP.
All my config files can be found at http://nebioq.ath.cx:85/radius.tar.bz2 and 
my radiusd -X -A in http://nebioq.ath.cx:85/radiuslog.txt
I've tried EAP-MD5 and EAP-TTLS. I'm using the certs that came with freeradius 
because I'm unable to create new ones (an error about some library or 
something).
I can associate to my AP (d-link DI-624) but then the EAP auth fails.
My machine is a FreeBSD machine (with the radiusd).
Oh radtest:
radtest forevertheuni  mypassword t4 0 radiussecret
Sending Access-Request of id 42 to 192.168.5.100 port 1812
User-Name = forevertheuni
User-Password = mypassword
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 192.168.5.100:1812, id=42, length=20

Hope you folks can help me!
Thanks for any help in advance.
João Mamede

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LDAP Radius -x help...

2005-09-26 Thread Cris Boisvert
Running Freeradius on fedora core 4

When I use Radiusd -X  I can authenticate via the ldap server I have
running..

But when I start radius normally (service radiusd start) it starts, but the
error log says it can't talk to the ldap server..

Ideas?

Why would it work in debug but not normally?


Here's the log info
Radius
log---
Mon Sep 26 15:55:27 2005 : Info: Using deprecated naslist file.  Support for
this will go away soon.
Mon Sep 26 15:55:27 2005 : Info: rlm_exec: Wait=yes but no output defined.
Did you mean output=none?
Mon Sep 26 15:55:27 2005 : Info: Ready to process requests.
Mon Sep 26 15:55:30 2005 : Error: rlm_ldap:  bind to 192.168.77.6:389
failed: Can't contact LDAP server
Mon Sep 26 15:55:30 2005 : Error: rlm_ldap: (re)connection attempt failed

--radius x  output -

 modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by [EMAIL PROTECTED] with password test1234
radius_xlat:  '([EMAIL PROTECTED])'
radius_xlat:  'o=pork.com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.77.6:389, authentication 0
rlm_ldap: bind as / to 192.168.77.6:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=pork.com, with filter ([EMAIL PROTECTED])
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: uid=wow,ou=People,o=pork.com
rlm_ldap: (re)connect to 192.168.77.6:389, authentication 1
rlm_ldap: bind as uid=wow,ou=People,o=pork.com/test1234 to 192.168.77.6:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user [EMAIL PROTECTED] authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 26 to 192.168.77.6:3665
Finished request 0

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


digest+ldap+radius

2005-05-05 Thread Tiziano
Hi all
I'm trying to authenticate a SIP server with radius and an ldap backend.
SIP uses digest authentication; I've made it work without problems if
I put a user directly in /etc/freeradius/users:
[EMAIL PROTECTED] Auth-Type := Digest, User-Password == 1000
 Reply-Message = Authenticated

if I try to authorize sip with ldap:
DEFAULT Auth-Type := LDAP
   Fall-Through = 1

if I try to login from a standard cisco nas with a user in ldap it's
working ok (I think because it's sending clear text password)
if I try to login via sip:
Thu May  5 12:05:21 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no
User-Password attribute] (from client localhost port 5060)
(in the meanwhile I see ldap looking at User-Password attribute of
[EMAIL PROTECTED] ...)

can sb help me?

Thanks in advance, Tiziano

-- 
Tiziano [EMAIL PROTECTED]


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: digest+ldap+radius

2005-05-05 Thread Kostas Kalevras
On Thu, 5 May 2005, Tiziano wrote:
Hi all
I'm trying to authenticate a SIP server with radius and an ldap backend.
SIP uses digest authentication; I've made it work without problems if
I put a user directly in /etc/freeradius/users:
[EMAIL PROTECTED] Auth-Type := Digest, User-Password == 1000
Reply-Message = Authenticated
if I try to authorize sip with ldap:
DEFAULT Auth-Type := LDAP
  Fall-Through = 1
if I try to login from a standard cisco nas with a user in ldap it's
working ok (I think because it's sending clear text password)
if I try to login via sip:
Thu May  5 12:05:21 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no
User-Password attribute] (from client localhost port 5060)
(in the meanwhile I see ldap looking at User-Password attribute of
[EMAIL PROTECTED] ...)
can sb help me?
You are performing ldap authentication. Don't do that. You need to read the user 
password from ldap but perform authentication with the digest module.

Thanks in advance, Tiziano
--
Tiziano [EMAIL PROTECTED]
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: digest+ldap+radius

2005-05-05 Thread Tiziano
On Thu, 05-05-2005 at 15:09 +0300, Kostas Kalevras wrote:
  Thu May  5 12:05:21 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no
  User-Password attribute] (from client localhost port 5060)
  (in the meanwhile I see ldap looking at User-Password attribute of
  [EMAIL PROTECTED] ...)
  can sb help me?
 You are performing ldap authentication. Don't do that. You need to read the
 user password from ldap but perform authentication with the digest module.

ok, i was thinking about this...
but how to read password from ldap and authenticate with digest?
(speaking about configuration i mean) i haven't found docs about this...

Thanks for help, Tiziano
-- 
Tiziano [EMAIL PROTECTED]


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: digest+ldap+radius

2005-05-05 Thread Seferovic Edvin
Hi,

check out the ldapattr.map file (I think it's called like that). There you
will find which attributes are mapped to some attributes in LDAP. You will
find User-Password attribute mapped to Password I think. You can adjust this
to fit your needs.

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tiziano
Sent: Thursday, 05 May 2005 15:55
To: freeradius-users@lists.freeradius.org
Subject: Re: digest+ldap+radius

On Thu, 05-05-2005 at 15:09 +0300, Kostas Kalevras wrote:
  Thu May  5 12:05:21 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no
  User-Password attribute] (from client localhost port 5060)
  (in the meanwhile I see ldap looking at User-Password attribute of
  [EMAIL PROTECTED] ...)
  can sb help me?
 You are performing ldap authentication. Don't do that. You need to read
 the user password from ldap but perform authentication with the digest module.

ok, i was thinking about this...
but how to read password from ldap and authenticate with digest?
(speaking about configuration i mean) i haven't found docs about this...

Thanks for help, Tiziano
-- 
Tiziano [EMAIL PROTECTED]




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
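Why Kostas's answer and Edvin's ldap.attrmap pointer go together, as an added example (not code from the thread or from FreeRADIUS): a SIP Digest client never sends the password, only MD5 values mixed with the server's nonce, so the server cannot bind to LDAP as the user; it has to read the stored password from the directory and recompute the response. Usernames, realm, nonces and the directory contents below are constructed.

```python
# Added example (not from the thread) of why Kostas's advice is right: a SIP
# Digest client never sends the password, only MD5 values mixed with the
# server's nonce, so rlm_ldap cannot bind as the user. The server has to pull
# the cleartext password out of LDAP (User-Password, mapped from the directory
# attribute in ldap.attrmap) and let rlm_digest recompute the response.
# Usernames, realm, nonces and the directory contents are constructed.
import hashlib
import hmac


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 response; with qop="auth" nc/cnonce are mixed in, otherwise
    the older RFC 2069 form MD5(HA1:nonce:HA2) is used."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce,
                        nc="00000001", cnonce="0a4f113b"):
    """Client side (the SIP phone). The password itself never appears here."""
    resp = digest_response(username, realm, password, method, uri, nonce,
                           "auth", nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{resp}"')


def parse_authorization(header):
    """'Digest k="v", k2=v2, ...' -> dict. A SIP proxy forwards these fields to
    RADIUS as the Digest-* attributes that rlm_digest consumes."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    fields = {}
    for part in header[len("Digest "):].split(","):
        k, _, v = part.strip().partition("=")
        fields[k] = v.strip('"')
    return fields


def verify(header, method, password_from_ldap):
    """Server side, what rlm_digest does with the User-Password that rlm_ldap
    fetched: recompute and compare in constant time."""
    f = parse_authorization(header)
    expected = digest_response(f["username"], f["realm"], password_from_ldap,
                               method, f["uri"], f["nonce"],
                               f.get("qop"), f.get("nc"), f.get("cnonce"))
    return hmac.compare_digest(expected, f["response"])


# Constructed stand-in for the directory: rlm_ldap would return this value as
# User-Password. A hashed userPassword ({SSHA} etc.) cannot be used here,
# because Digest needs the cleartext to rebuild HA1.
LDAP_USER_PASSWORD = {"1000@sip.example.org": "1000"}


def authenticate_sip(header, method):
    """LDAP lookup step followed by the Digest check; unknown user -> False."""
    pw = LDAP_USER_PASSWORD.get(parse_authorization(header)["username"])
    return pw is not None and verify(header, method, pw)
```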


RE: digest+ldap+radius

2005-05-05 Thread Tiziano
Hi,

Il giorno gio, 05-05-2005 alle 16:03 +0200, Seferovic Edvin ha scritto:
 check out the ldapattr.map file (I think it's called like that). There you
 will find which attributes are mapped to some attributes in LDAP. You will
 find User-Password attribute mapped to Password I think. You can adjust this
 to fit your needs.

working perfectly!
Thanks a lot!
-- 
Tiziano [EMAIL PROTECTED]


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP Radius

2005-03-30 Thread Dustin Doris

 Does someone have a good howto on setting up Radius to make use of an LDAP
 group. I read the ldap docs at freeradius.org and that seemed like
 overkill I just want to have a group and put the user in the group to give
 them access?



Say you have two groups, one that has access to dial and one that has
access to adsl.  Some users can be in both groups.  You have a NAS from
1.1.1.1 for dial and 2.2.2.2 for adsl.

-dialonly user
dn: uid=dialuser,ou=radius,dc=yourdomain,dc=com
objectclass: radiusprofile
uid: dialuser
userpassword: somepass
radiusgroupname: dial

-adslonly user
dn: uid=adsluser,...
objectclass: radiusprofile
uid: adsluser
userpassword: pass
radiusgroupname: adsl

-adsl and dial user
dn: uid=both,...
objectclass: radiusprofile
uid: both
userpassword: pass
radiusgroupname: dial
radiusgroupname: adsl

In your users file

DEFAULT NAS-IP-Address == 1.1.1.1, Ldap-Group == dial

DEFAULT NAS-IP-Address == 2.2.2.2, Ldap-Group == adsl

DEFAULT Auth-Type := Reject


A packet comes from the dial NAS: the first entry checks whether the user has
radiusgroupname dial; if so it matches and the user is then authenticated.  If
the user doesn't have dial, it falls through to Reject.

A packet comes from the adsl NAS: the second entry checks whether the user has
radiusgroupname adsl, ...

Hope that helps,

Dusty Doris

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
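The matching rule Dusty describes (every check item of an entry must match, first matching entry wins, otherwise fall through to the final Reject), as an added example that is not code from the thread or from FreeRADIUS: a small evaluator for the users file above, run against a constructed stand-in for the three LDIF records.

```python
# Added example, not from the thread: a small evaluator that walks the users
# file entries from Dusty's post the way FreeRADIUS does (every check item of
# an entry must match; the first matching entry wins), so you can see which
# NAS/user combinations reach LDAP authentication and which fall through to
# the final 'Auth-Type := Reject'. The group data is a constructed stand-in
# for the three LDIF records in the post.

# Users file exactly as given in the post.
USERS_FILE = """\
DEFAULT NAS-IP-Address == 1.1.1.1, Ldap-Group == dial

DEFAULT NAS-IP-Address == 2.2.2.2, Ldap-Group == adsl

DEFAULT Auth-Type := Reject
"""

# uid -> set of radiusgroupname values (constructed from the LDIF in the post).
LDAP_GROUPS = {
    "dialuser": {"dial"},
    "adsluser": {"adsl"},
    "both": {"dial", "adsl"},
}


def parse_users_file(text):
    """Return [(entry_name, [(attribute, operator, value), ...]), ...].
    Only the one-line entry form used in the post is handled (no indented
    reply-item continuation lines)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        items = [tuple(item.split()) for item in rest.split(",")]
        entries.append((name, items))
    return entries


def check_item_matches(attr, op, value, request, groups):
    """'==' compares with the request packet, except Ldap-Group, which is
    answered from the user's directory groups; ':=' is an assignment and
    always matches (it only takes effect once the whole entry matches)."""
    if op == ":=":
        return True
    if op != "==":
        raise ValueError("operator %r not handled in this example" % op)
    if attr == "Ldap-Group":
        return value in groups
    return request.get(attr) == value


def authorize(users_file, request, groups):
    """Return (decision, index_of_matching_entry). 'authenticate' means the
    entry matched without forcing Auth-Type, so the LDAP bind would follow;
    'reject' means the first matching entry set Auth-Type := Reject;
    'noop' means no entry matched at all."""
    for index, (_name, items) in enumerate(parse_users_file(users_file)):
        if not all(check_item_matches(a, o, v, request, groups)
                   for a, o, v in items):
            continue
        if ("Auth-Type", ":=", "Reject") in items:
            return ("reject", index)
        return ("authenticate", index)
    return ("noop", None)


def decide(username, nas_ip):
    """Look up the user's groups and run the users file for one request."""
    request = {"User-Name": username, "NAS-IP-Address": nas_ip}
    return authorize(USERS_FILE, request, LDAP_GROUPS.get(username, set()))
```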


LDAP Radius

2005-03-29 Thread Douglas Sterner

Does someone have a good howto on setting
up Radius to make use of an LDAP group. I read the ldap docs at freeradius.org
and that seemed like overkill I just want to have a group and put the user
in the group to give them access?
Douglas Sterner 


LDAP/Radius authentication

2004-01-18 Thread richard lucassen
Hello list,

I'm new to freeradius, and I'd like to know if a construction like this
is possible with freeradius:

+-------------------+        +---------+        +---------+
| [EMAIL PROTECTED] |---+    |         |    +---| RADIUS1 |
+-------------------+   |    |         |    |   +---------+
                        |    |         |    |
+-------------------+   |    |         |    |   +---------+
| [EMAIL PROTECTED] |---+----| FreeRad |----+---| LDAP1   |
+-------------------+   |    |         |    |   +---------+
                        |    |         |    |
+-------------------+   |    |         |    |   +---------+
| [EMAIL PROTECTED] |---+    |         |    +---| LDAP2   |
+-------------------+        +---------+        +---------+

I want that [EMAIL PROTECTED] authenticates through the FreeRadius server
against RADIUS1

I want that [EMAIL PROTECTED] authenticates through the FreeRadius server
against LDAP1

I want that [EMAIL PROTECTED] authenticates through the FreeRadius server
against LDAP2

Just authentication for the moment. When reading the O'Reilly book
RADIUS and some docs on the internet, I understand that it must be
possible one way or another (with realms AFAIUI), although I have no
idea yet how to do this. I already have a freeradius-0.9.3 server
running and I am able to authenticate against 1 LDAP server (without
using realms).

The most important thing is: is this possible?

Richard.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html