Fwd: ldap-radius integration
Please don't write private mail to me with FreeRADIUS questions. Forwarding to freeradius-users.

Original Message
Subject: ldap-radius integration
Date: Fri, 30 Mar 2012 12:35:53 -0700
From: exu...@gmail.com
To: stefan.win...@restena.lu

Could you give me some reference material or the steps involved in integrating RADIUS and LDAP? I am stuck with the error:

  [ldap] bind as cn=Manager,ou=radius,dc=example,dc=com/{SSHA}N0HDoA07iBXb/qW6JmhxnkUeTkVex1mN to 127.0.0.1:389
  [ldap] waiting for bind result ...
  [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf

Can't understand how to proceed..!

PS: I'm using Ubuntu 11.10

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Fwd: ldap-radius integration
> Could you give me some reference material or the steps involved in integrating RADIUS and LDAP? I am stuck with the error:
>
>   [ldap] bind as cn=Manager,ou=radius,dc=example,dc=com/{SSHA}N0HDoA07iBXb/qW6JmhxnkUeTkVex1mN to 127.0.0.1:389
>   [ldap] waiting for bind result ...
>   [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
>
> Can't understand how to proceed..!
>
> PS: I'm using Ubuntu 11.10

You need to tell FreeRADIUS login credentials for your LDAP administrator account. According to the query, the username for that is Manager and the LDAP server is radius.example.com. I believe these are the default (shipped) values that come with FreeRADIUS. Replace them with the *real* login details of your LDAP admin account.

In general: *read* the debug output and *apply common sense*.

Greetings,

Stefan Winter

P.S.: your Operating System is irrelevant for this error.
Re: Fwd: ldap-radius integration
On 03/30/2012 05:46 PM, Stefan Winter wrote:
> Please don't write private mail to me with FreeRADIUS questions. Forwarding to freeradius-users.
>
> Original Message
> Subject: ldap-radius integration
> Date: Fri, 30 Mar 2012 12:35:53 -0700
> From: exu...@gmail.com
> To: stefan.win...@restena.lu
>
> Could you give me some reference material or the steps involved in integrating RADIUS and LDAP? I am stuck with the error:
>
>   [ldap] bind as cn=Manager,ou=radius,dc=example,dc=com/{SSHA}N0HDoA07iBXb/qW6JmhxnkUeTkVex1mN to 127.0.0.1:389
>   [ldap] waiting for bind result ...
>   [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
>
> Can't understand how to proceed..!

Then get a book on LDAP and read it, or use Google to find any of the dozens of tutorials on LDAP and read it. It's your job to learn the material, not our job as volunteers to spoon-feed you the answers. I say this in part because the answer to your question is so glaringly obvious if you have even the most rudimentary understanding of LDAP authentication and password formats. So acquire the knowledge and answer the question yourself; how do you think we learned it?

BTW this has nothing to do with FreeRADIUS, it's basic LDAP usage.
Re: Another LDAP/RADIUS integration problem.
Tom Leach wrote:
> Grr, off on a goose chase. Problem isn't in rlm_pap.c, but rlm_ldap.c. rlm_ldap only likes the Cleartext-Password and User-Password attributes.

Yes... the message you posted clearly shows it's output from the LDAP module.

> Would it be a bad thing to patch rlm_ldap.c to also work with Password-With-Header? If not, then I guess I'll have to use User-Password in the ldap dictionary and live with the suggestion message in debug output.

PLEASE don't do that. I suggested to use Password-With-Header as the preferred alternative. Don't go pick *another* method with *more* warning messages, just because you don't like seeing the warning message produced by the LDAP module.

Alan DeKok.
Re: Another LDAP/RADIUS integration problem.
Grr, off on a goose chase. Problem isn't in rlm_pap.c, but rlm_ldap.c. rlm_ldap only likes the Cleartext-Password and User-Password attributes.

Would it be a bad thing to patch rlm_ldap.c to also work with Password-With-Header? If not, then I guess I'll have to use User-Password in the ldap dictionary and live with the suggestion message in debug output.

  !!!
  !!! Replacing User-Password in config items with Cleartext-Password.
  !!!
  !!! Please update your configuration so that the known good
  !!! clear text password is in Cleartext-Password, and not in User-Password.
  !!!
  !!! Thanks!

Tom

On 07/28/2010 11:59 AM, Tom Leach wrote:
> Alan, changing from User-Password to Password-With-Header brought back the 'No known good password' error. I'm going through the rlm_pap.c code to try to see what's going on here. I haven't found any docs yet on what the various mapping possibilities are and what they do. Do you have a pointer to any so I don't keep bugging you and the list?
>
> I agree with the 'get it to work, then tune it' approach. That's where I'm at now. It's working, I'm just trying to make all the messages go away :)
>
> Thanks!
> Tom
>
> Here is a snippet from radiusd -X:
>
>   [ldap-server1] Added Crypt-Password = 4gOgBZqZgtwIw in check items
>   [ldap-server1] looking for check items in directory...
>   [ldap-server1] userPassword -> Password-With-Header == {crypt}4gOgBZqZgtwIw
>   [ldap-server1] looking for reply items in directory...
>   WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
>   [ldap-server1] user testuser authorized to use remote access
>
> Date: Tue, 27 Jul 2010 09:00:23 +0200
> From: Alan DeKok al...@deployingradius.com
> Subject: Re: Another LDAP/RADIUS integration problem.
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Message-ID: 4c4e8407.3030...@deployingradius.com
> Content-Type: text/plain; charset=ISO-8859-1
>
> Tom Leach wrote:
>> Alan, I changed the ldap.attrmap file from
>>   checkItem Crypt-Password userPassword
>> to
>>   checkItem User-Password userPassword
>> and it's authenticating now, but I now have a new message in the debug output and I'm not sure if it's a problem, suggestion, or otherwise.
>
> It's a suggestion. But the first step was to get it to work.
>
>> I can't change the LDAP directory to contain actual cleartext passwords, so it may just be something that I have to live with.
>
> Change the mapping in ldap.attrmap to:
>   checkItem Password-With-Header userPassword
> That should *still* work, and will remove the warning.
>
> The process here is to first get it to work, and then get it to work better.
>
> Alan DeKok.
Re: Another LDAP/RADIUS integration problem.
Tom Leach wrote:
> Alan, I changed the ldap.attrmap file from
>   checkItem Crypt-Password userPassword
> to
>   checkItem User-Password userPassword
> and it's authenticating now, but I now have a new message in the debug output and I'm not sure if it's a problem, suggestion, or otherwise.

It's a suggestion. But the first step was to get it to work.

> I can't change the LDAP directory to contain actual cleartext passwords, so it may just be something that I have to live with.

Change the mapping in ldap.attrmap to:

  checkItem Password-With-Header userPassword

That should *still* work, and will remove the warning.

The process here is to first get it to work, and then get it to work better.

Alan DeKok.
Re: Another LDAP/RADIUS integration problem.
  {
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    virtual_server = inner-tunnel
  }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
  mschapv2 {
    with_ntdomain_hack = no
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
    format = suffix
    delimiter = @
    ignore_default = no
    ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
    usersfile = /usr/local/etc/raddb/users
    acctusersfile = /usr/local/etc/raddb/acct_users
    preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
    compat = no
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
    filename = /var/log/radius/radutmp
    username = %{User-Name}
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
    attrsfile = /usr/local/etc/raddb/attrs.access_reject
    key = %{User-Name}
  }
 } # modules
} # server
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_ldap
 Module: Instantiating ldap-server1
  ldap ldap-server1 {
    server = ldap://server1.coas.oregonstate.edu;
    port = 389
    password = secret
    identity = uid=admin,o=radtree
    net_timeout = 1
    timeout = 4
    timelimit = 3
    tls_mode = no
    start_tls = yes
    tls_require_cert = allow
    tls {
      start_tls = yes
      cacertdir = /etc/pki/tls/certs/
      require_cert = demand
    }
    basedn = ou=People,o=mydomain
    filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
    base_filter = (objectclass=radiusprofile)
    password_attribute = userPassword
    auto_header = yes
    access_attr_used_for_allow = yes
    groupname_attribute = cn
    groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
    dictionary_mapping = /usr/local/etc/raddb/ldap.pap.attrmap
    ldap_debug = 0
    ldap_connections_number = 5
    compare_check_items = no
    do_xlat = yes
    set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap-server1-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap-server1-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap-server1
rlm_ldap: reading ldap-radius mappings from file /usr/local/etc/raddb/ldap.pap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Crypt-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP
Another LDAP/RADIUS integration problem.
-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap-server1
rlm_ldap: reading ldap-radius mappings from file /usr/local/etc/raddb/ldap.pap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Crypt-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x1480f5e0
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
    huntgroups = /usr/local/etc/raddb/huntgroups
    hints = /usr/local/etc/raddb/hints
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_detail
 Module: Instantiating auth_log
  detail auth_log {
    detailfile = /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
    header = %t
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
    key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating detail
  detail {
    detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
    header = %t
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
    attrsfile = /usr/local/etc/raddb/attrs.accounting_response
    key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: Opening IP addresses and Ports
listen {
    type = auth
Re: Another LDAP/RADIUS integration problem.
Tom Leach wrote:
> To correct the bind problem, I added an ACL to the directory to allow 'uid=admin,o=radtree' to access the userPassword attribute, then configured the ldap module to use 'uid=admin,o=radtree' as the identity and 'secret' as the password. Now the bind succeeds, the -X output says that it's mapping
>   userPassword -> Crypt-Password == {crypt}4gOgBZqZgtwIw

The Crypt-Password attribute is supposed to be the crypt'd version of the password *without* the {crypt} header.

Change the mapping from

  userPassword -> Crypt-Password

to

  userPassword -> User-Password

and it will work. The PAP module will look for the {crypt} header, and create a Crypt-Password with the appropriate value.

Alan DeKok.
Re: Another LDAP/RADIUS integration problem.
On 07/23/2010 02:59 PM, Alan DeKok wrote:
> Tom Leach wrote:
>> To correct the bind problem, I added an ACL to the directory to allow 'uid=admin,o=radtree' to access the userPassword attribute, then configured the ldap module to use 'uid=admin,o=radtree' as the identity and 'secret' as the password. Now the bind succeeds, the -X output says that it's mapping
>>   userPassword -> Crypt-Password == {crypt}4gOgBZqZgtwIw
>
> The Crypt-Password attribute is supposed to be the crypt'd version of the password *without* the {crypt} header.
>
> Change the mapping from
>   userPassword -> Crypt-Password
> to
>   userPassword -> User-Password
> and it will work. The PAP module will look for the {crypt} header, and create a Crypt-Password with the appropriate value.

Hmm ... Just from looking at the rlm_ldap code (not actual testing) I thought if auto_header was set to True in the ldap config then rlm_ldap, after looking up the configured password attribute, would perform the steps you describe above (strip the hash prefix and add a new attribute with the correct attribute type for the hash type). Am I confused?

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Another LDAP/RADIUS integration problem.
John Dennis wrote:
> Just from looking at the rlm_ldap code (not actual testing) I thought if auto_header was set to True in the ldap config then rlm_ldap, after looking up the configured password attribute, would perform the steps you describe above (strip the hash prefix and add a new attribute with the correct attribute type for the hash type). Am I confused?

The auto-header should be off by default. I think it was off in the debug log posted earlier.

And it shouldn't be used. The PAP module does all that, and more.

Alan DeKok.
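What "the PAP module does all that" amounts to, as an added Python example (my own code, not FreeRADIUS's): a Password-With-Header value such as the {crypt}4gOgBZqZgtwIw from this thread is split on its {scheme} header into the matching check attribute, the candidate is verified against the stripped value, and a small lint catches the two mis-mappings discussed above (a Crypt-Password that still carries its {crypt} header, and a {SSHA} hash pasted where a cleartext bind password belongs). The header table and attribute names are my assumptions modelled on rlm_pap's behaviour, and the salted layouts follow the OpenLDAP convention of digest followed by salt.

```python
"""Mimic rlm_pap's handling of an LDAP userPassword mapped to Password-With-Header."""
import base64
import hashlib
import hmac
from typing import List, Tuple

# RFC 2307 style header -> RADIUS check attribute. Assumed mapping, modelled
# on rlm_pap's handling of Password-With-Header; not copied from FreeRADIUS.
HEADER_TO_ATTR = {
    "{clear}": "Cleartext-Password",
    "{cleartext}": "Cleartext-Password",
    "{crypt}": "Crypt-Password",
    "{md5}": "MD5-Password",
    "{smd5}": "SMD5-Password",
    "{sha}": "SHA-Password",
    "{ssha}": "SSHA-Password",
}
# Salted schemes: the base64 body is <digest><salt>, with this digest length.
DIGEST_LEN = {"SMD5-Password": 16, "SSHA-Password": 20}


def split_header(value: str) -> Tuple[str, str]:
    """'{crypt}4gOgBZqZgtwIw' -> ('Crypt-Password', '4gOgBZqZgtwIw').

    A value with no header is taken to be the cleartext password, which is
    exactly why a bare hash mapped to Cleartext-Password never verifies."""
    if value.startswith("{") and "}" in value:
        header, rest = value.split("}", 1)
        header = (header + "}").lower()
        if header not in HEADER_TO_ATTR:
            raise ValueError("unsupported password header %r" % header)
        return HEADER_TO_ATTR[header], rest
    return "Cleartext-Password", value


def verify(attr: str, stored: str, candidate: str) -> bool:
    """Check a candidate password against the header-stripped stored value."""
    pw = candidate.encode("utf-8")
    if attr == "Cleartext-Password":
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    if attr == "Crypt-Password":
        # crypt(3) needs libc; Python's crypt module is gone in 3.13, so it
        # is optional here and the {crypt} value from the thread is only split.
        try:
            import crypt
        except ImportError as exc:
            raise RuntimeError("crypt(3) not available in this Python") from exc
        return hmac.compare_digest(crypt.crypt(candidate, stored), stored)
    raw = base64.b64decode(stored)
    if attr == "SHA-Password":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if attr == "MD5-Password":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if attr in DIGEST_LEN:
        n = DIGEST_LEN[attr]
        digest, salt = raw[:n], raw[n:]
        algo = hashlib.sha1 if attr == "SSHA-Password" else hashlib.md5
        return hmac.compare_digest(algo(pw + salt).digest(), digest)
    raise ValueError("no verifier for %s" % attr)


def check_password_with_header(stored: str, candidate: str) -> bool:
    """The full Password-With-Header path: split the header, then verify."""
    attr, value = split_header(stored)
    return verify(attr, value, candidate)


def encode_ldap_hash(scheme: str, password: str, salt: bytes = b"") -> str:
    """Build a userPassword value the way slappasswd would (constructed test data)."""
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        body = hashlib.sha1(pw + salt).digest() + salt
    elif scheme == "SMD5":
        body = hashlib.md5(pw + salt).digest() + salt
    elif scheme == "SHA":
        body = hashlib.sha1(pw).digest()
    elif scheme == "MD5":
        body = hashlib.md5(pw).digest()
    else:
        raise ValueError("unsupported scheme %s" % scheme)
    return "{%s}%s" % (scheme, base64.b64encode(body).decode("ascii"))


def lint_config(check_items: List[Tuple[str, str]], bind_password: str) -> List[str]:
    """Flag the mis-mappings from this thread before they reach rlm_pap."""
    warnings = []
    for attr, value in check_items:
        if attr in ("Crypt-Password", "Cleartext-Password") and value.startswith("{"):
            header = value[: value.find("}") + 1]
            warnings.append("%s still carries the %s header: map the LDAP attribute "
                            "to Password-With-Header instead" % (attr, header))
    if bind_password.startswith("{"):
        warnings.append("ldap identity password looks like a stored hash, not the "
                        "admin account's real password")
    return warnings
```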
Re: user-Password required for ldap radius
Basant Agarwal wrote:
> Hello,
> I am trying to authenticate wifi users for a wireless network... for this I am using freeradius with ldap... When we run radtest on localhost, it is able to get authorised and authenticated.. it works fine but when I try from a laptop (windows) then it rejects the same user... please let me know what to do...??

You have edited the configuration to force Auth-Type := LDAP. Don't do that. It's breaking EAP.

Alan DeKok.
user-Password required for ldap radius
Hello,

I am trying to authenticate wifi users for a wireless network... for this I am using freeradius with ldap... When we run radtest on localhost, it is able to get authorised and authenticated.. it works fine but when I try from a laptop (windows) then it rejects the same user... please let me know what to do...??

Here is the debug output..

Ready to process requests.
rad_recv: Access-Request packet from host 172.16.1.80:1122, id=0, length=204
    Message-Authenticator = 0x3f459af06e42a2a0b7cf9c1d80092e31
    Service-Type = Framed-User
    User-Name = testap
    Framed-MTU = 1488
    Called-Station-Id = 00-15-E9-C9-F3-80:MNIT-DC-AP
    Calling-Station-Id = 00-16-6F-7C-DB-2D
    NAS-Identifier = D-link Corp. Access Point
    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 54Mbps 802.11g
    EAP-Message = 0x020b01746573746170
    NAS-IP-Address = 172.16.1.80
    NAS-Port = 1
    NAS-Port-Id = STA port # 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = testap, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 159
    users: Matched entry DEFAULT at line 177
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testap
radius_xlat: '(uid=testap)'
radius_xlat: 'dc=mnit,dc=ac,dc=in'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 172.16.1.20:389, authentication 0
rlm_ldap: bind as uid=admin,ou=people,dc=mnit,dc=ac,dc=in/system to 172.16.1.20:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mnit,dc=ac,dc=in, with filter (uid=testap)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testap authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password: Found Auth-Type ldap
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid for request 0
modcall: leaving group LDAP (returns invalid) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 172.16.1.80 port 1122
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 46b1b8cb
Nothing to do. Sleeping until we see a request.
Re: user-Password required for ldap radius
I had the same problem a few days back... I think it's a problem of the certificate. Please check the client certificate you have selected on your laptop...

Basant Agarwal wrote:
> Hello,
> I am trying to authenticate wifi users for a wireless network... for this I am using freeradius with ldap... When we run radtest on localhost, it is able to get authorised and authenticated.. it works fine but when I try from a laptop (windows) then it rejects the same user... please let me know what to do...??
>
> Here is the debug output..
> ...
ldap+radius authentication problem
Dear all,

I have configured freeradius with an ldap backend as given in http://freeradius.org/radiusd/doc/ldap_howto.txt. The user gets authorized but the authentication failed. The detailed output is here:

Ready to process requests.
rad_recv: Access-Request packet from host a.b.c.d:3272, id=0, length=47
    User-Name = abc
    User-Password = 12345
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for abc
radius_xlat: '(uid=abc)'
radius_xlat: 'ou=users,ou=radius,dc=whitehouse,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to x.x.x.x:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: bind as cn=Manager,dc=whitehouse,dc=edu/password to x.x.x.x:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,ou=radius,dc=whitehouse,dc=edu, with filter (uid=abc)
rlm_ldap: Added password 12345 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user abc authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type ldap
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by abc with password 12345
rlm_ldap: user DN: uid=abc,ou=users,ou=radius,dc=whitehouse,dc=edu
rlm_ldap: (re)connect to x.x.x.x:389, authentication 1
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: bind as uid=abc,ou=users,ou=radius,dc=whitehouse,dc=edu/12345 to x.x.x.x:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
  modcall[authenticate]: module ldap returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds

Can anyone help me??
Re: ldap+radius authentication problem
amir shrestha wrote:
> I have configured freeradius with an ldap backend as given in http://freeradius.org/radiusd/doc/ldap_howto.txt. The user gets authorized but the authentication failed.
...
> rlm_ldap: bind as uid=abc,ou=users,ou=radius,dc=whitehouse,dc=edu/12345 to x.x.x.x:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind failed with invalid credentials

There isn't much more to say. The supplied password is wrong.

Alan DeKok.
LDAP-RADIUS Attribute Mapping
I have an environment where I am already using LDAP for AAA for a number of things. We have historically used the AuthorizedService attribute in LDAP to control the level of access available to the user. We would like to continue to do so. However, in order for that to work, I need to map AuthorizedService to different RADIUS attributes in the response depending on the authentication client.

Ideally, I'd like to be able to map RADIUS clients into groups and have a mapping of AuthorizedService values for each group. The client groups would, ideally, be defined by matching the client IP address. An example of what I'd like that mapping to look like is below:

  Client Group   AuthorizedService   RADIUS Attribute in Reply
  ============   =================   =========================
  PIX Group 1    Pix1Auth1           cisco-avpair=shell:priv-lvl=1
  PIX Group 1    Pix1Auth7           cisco-avpair=shell:priv-lvl=7
  PIX Group 1    Pix1Auth15          cisco-avpair=shell:priv-lvl=15
  PIX Group 2    Pix2auth1           cisco-avpair=shell:priv-lvl=1
  ...
  Router Grp 1   Rtr1Auth1           cisco-avpair=shell:priv-lvl=1
  ...
  LB Group 1     LBAdmin             Service-Type=Authenticate-Only
  ...
  etc.

Is there any way to do this kind of dynamic mapping in FreeRadius? As near as I can tell, all I can do is statically map the contents of a particular LDAP attribute to a single RADIUS attribute. I'd also like to avoid mapping values of AuthorizedService which don't apply to the particular RADIUS client.

I'm assuming I probably need to use something like rlm_perl to do this, and I have no problem doing that, but I have been unable to decipher the documentation of rlm_perl enough to have any confidence in creating a working solution.

If anyone could provide a configuration example or a pointer to documentation that actually describes the various pieces of solving this problem, I'd be very grateful.

Alan, your flames and RTFM comments are welcome, but please understand, I've done my best to RTFM before posting this.

Owen
Re: LDAP-RADIUS Attribute Mapping
Owen DeLong wrote:
> We have historically used the AuthorizedService attribute in LDAP to control the level of access available to the user. We would like to continue to do so. However, in order for that to work, I need to map AuthorizedService to different RADIUS attributes in the response depending on the authentication client.

Do it in two steps. Map the AuthorisedService LDAP attribute to a RADIUS attribute (invent a local one, see the dictionary docs), and then, depending on the NAS, map that to another attribute. The reason for doing it this way is that the LDAP - RADIUS attribute mapping is simple, and should be kept simple.

> Ideally, I'd like to be able to map RADIUS clients into groups and have a mapping of AuthorizedService values for each group. The client groups would, ideally, be defined by matching the client IP address. An example of what I'd like that mapping to look like is below:

Use rlm_passwd to map clients to groups (see its documentation), and then the users file to map AuthorizedService to another RADIUS attribute, as described above.

> Alan, your flames and RTFM comments are welcome, but, please understand, I've done my best to RTFM before posting this.

As I tell my co-workers, "Remember, there are no stupid questions. There are only stupid people." And they still speak to me after that. :)

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: ldap+radius+wpa 802.1x authentication
I am away for a few days and cannot check my mail; get back to me after 24/4 or contact the office at [EMAIL PROTECTED] or +46-612-717780.

I'm out of office until April 24, contact office: [EMAIL PROTECTED] or +46-612-717780
ldap+radius+wpa 802.1x authentication
No help for me? I'm desperate, I've lost 3 nights now :D I already have my own certs.

Best Regards,
João Mamede

> Hi,
> I've been trying to set up my FreeRADIUS with my LDAP database (all users to authenticate) and I can't authenticate my wireless machines using my AP with EAP.
> All my config files can be found at http://nebioq.ath.cx:85/radius.tar.bz2 and my radiusd -X -A in http://nebioq.ath.cx:85/radiuslog.txt
> I've tried EAP-MD5 and EAP-TTLS. I'm using the certs that came with FreeRADIUS because I'm unable to create new ones (an error about some library or something).
> I can associate to my AP (D-Link DI-624) but then the EAP auth fails. My machine is a FreeBSD machine (with the radiusd).
>
> Oh, radtest:
>
>     radtest forevertheuni mypassword t4 0 radiussecret
>     Sending Access-Request of id 42 to 192.168.5.100 port 1812
>             User-Name = forevertheuni
>             User-Password = mypassword
>             NAS-IP-Address = 255.255.255.255
>             NAS-Port = 0
>     rad_recv: Access-Accept packet from host 192.168.5.100:1812, id=42, length=20
>
> Hope you folks can help me! Thanks for any help in advance.
>
> João Mamede
ldap+radius+wpa 802.1x authentication
Hi,

I've been trying to set up my FreeRADIUS with my LDAP database (all users to authenticate) and I can't authenticate my wireless machines using my AP with EAP.

All my config files can be found at http://nebioq.ath.cx:85/radius.tar.bz2 and my radiusd -X -A in http://nebioq.ath.cx:85/radiuslog.txt

I've tried EAP-MD5 and EAP-TTLS. I'm using the certs that came with FreeRADIUS because I'm unable to create new ones (an error about some library or something).

I can associate to my AP (D-Link DI-624) but then the EAP auth fails. My machine is a FreeBSD machine (with the radiusd).

Oh, radtest:

    radtest forevertheuni mypassword t4 0 radiussecret
    Sending Access-Request of id 42 to 192.168.5.100 port 1812
            User-Name = forevertheuni
            User-Password = mypassword
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 0
    rad_recv: Access-Accept packet from host 192.168.5.100:1812, id=42, length=20

Hope you folks can help me! Thanks for any help in advance.

João Mamede
LDAP Radius -x help...
Running FreeRADIUS on Fedora Core 4. When I use radiusd -X I can authenticate via the LDAP server I have running. But when I start radius normally (service radiusd start) it starts, but the error log says it can't talk to the LDAP server. Ideas? Why would it work in debug but not normally? Here's the log info.

Radius log:

    Mon Sep 26 15:55:27 2005 : Info: Using deprecated naslist file. Support for this will go away soon.
    Mon Sep 26 15:55:27 2005 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Mon Sep 26 15:55:27 2005 : Info: Ready to process requests.
    Mon Sep 26 15:55:30 2005 : Error: rlm_ldap: bind to 192.168.77.6:389 failed: Can't contact LDAP server
    Mon Sep 26 15:55:30 2005 : Error: rlm_ldap: (re)connection attempt failed

radiusd -X output:

    modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 152
    modcall[authorize]: module files returns ok for request 0
    modcall: group authorize returns ok for request 0
    rad_check_password: Found Auth-Type LDAP
    auth: type LDAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group Auth-Type for request 0
    rlm_ldap: - authenticate
    rlm_ldap: login attempt by [EMAIL PROTECTED] with password test1234
    radius_xlat: '([EMAIL PROTECTED])'
    radius_xlat: 'o=pork.com'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to 192.168.77.6:389, authentication 0
    rlm_ldap: bind as / to 192.168.77.6:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in o=pork.com, with filter ([EMAIL PROTECTED])
    rlm_ldap: ldap_release_conn: Release Id: 0
    rlm_ldap: user DN: uid=wow,ou=People,o=pork.com
    rlm_ldap: (re)connect to 192.168.77.6:389, authentication 1
    rlm_ldap: bind as uid=wow,ou=People,o=pork.com/test1234 to 192.168.77.6:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: user [EMAIL PROTECTED] authenticated succesfully
    modcall[authenticate]: module ldap returns ok for request 0
    modcall: group Auth-Type returns ok for request 0
    Sending Access-Accept of id 26 to 192.168.77.6:3665
    Finished request 0
digest+ldap+radius
Hi all,

I'm trying to authenticate a SIP server with RADIUS and an LDAP backend. SIP uses digest authentication; I've made it work without problems if I put a user directly in /etc/freeradius/users:

    [EMAIL PROTECTED] Auth-Type := Digest, User-Password == 1000
            Reply-Message = Authenticated

If I try to authorize SIP with LDAP:

    DEFAULT Auth-Type := LDAP
            Fall-Through = 1

If I try to login from a standard Cisco NAS with a user in LDAP it's working OK (I think because it's sending a clear-text password). If I try to login via SIP:

    Thu May 5 12:05:21 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client localhost port 5060)

(In the meanwhile I see LDAP looking at the User-Password attribute of [EMAIL PROTECTED] ...)

Can somebody help me?

Thanks in advance,
Tiziano
--
Tiziano [EMAIL PROTECTED]
Re: digest+ldap+radius
On Thu, 5 May 2005, Tiziano wrote:
> Hi all,
> I'm trying to authenticate a SIP server with RADIUS and an LDAP backend. SIP uses digest authentication; I've made it work without problems if I put a user directly in /etc/freeradius/users:
>
>     [EMAIL PROTECTED] Auth-Type := Digest, User-Password == 1000
>             Reply-Message = Authenticated
>
> If I try to authorize SIP with LDAP:
>
>     DEFAULT Auth-Type := LDAP
>             Fall-Through = 1
>
> If I try to login from a standard Cisco NAS with a user in LDAP it's working OK (I think because it's sending a clear-text password). If I try to login via SIP:
>
>     Thu May 5 12:05:21 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client localhost port 5060)
>
> (In the meanwhile I see LDAP looking at the User-Password attribute of [EMAIL PROTECTED] ...)
>
> Can somebody help me?

You are performing LDAP authentication. Don't do that. You need to read the user password from LDAP but perform authentication with the digest module.

> Thanks in advance,
> Tiziano
> --
> Tiziano [EMAIL PROTECTED]

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 210 7721861
'Go back to the shadow'  Gandalf
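Why the answer above is "read the password, don't bind": an LDAP bind checks a password by trying it, but a SIP client never sends its password, only the RFC 2617 digest of it, so the server must hold the cleartext password (or the realm-bound HA1) and recompute the same digest. The following is an added example, not FreeRADIUS's or Kostas's code; it reproduces the digest computation the digest module performs, with a constructed in-memory "directory" standing in for the LDAP userPassword lookup. The realm, nonce, extensions, passwords and other values are constructed for illustration.

```python
"""Added example (not FreeRADIUS code): the RFC 2617 digest computation that
the digest module performs, showing why SIP digest needs the password read
from LDAP (User-Password via the attrmap) rather than an LDAP bind: the
request carries only a hash of the password, so there is nothing to bind
with.  The directory contents, realm, nonce and other values are constructed."""
import hashlib
import hmac


def _md5(*parts):
    # RFC 2617 mandates MD5 here; the hash is the protocol's, not a choice.
    return hashlib.md5(':'.join(parts).encode()).hexdigest()


def response_from_ha1(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest given HA1 = MD5(user:realm:password)."""
    ha2 = _md5(method, uri)
    if qop == 'auth':
        return _md5(ha1, nonce, nc, cnonce, qop, ha2)
    return _md5(ha1, nonce, ha2)


def client_response(username, realm, password, method, uri, nonce, **kw):
    """What the SIP phone computes from its password; the proxy relays it to
    RADIUS as Digest-Response together with the digest parameters."""
    return response_from_ha1(_md5(username, realm, password), method, uri, nonce, **kw)


def verify_digest(directory, request):
    """Server side. 'directory' stands in for the LDAP lookup: the value is
    either the cleartext userPassword or ('ha1', hex) if only the
    realm-bound hash is stored (enough for digest, and no cleartext at rest).
    Returns True only if the recomputed digest matches Digest-Response."""
    stored = directory.get(request['username'])
    if stored is None:
        return False
    if isinstance(stored, tuple) and stored[0] == 'ha1':
        ha1 = stored[1]
    else:
        ha1 = _md5(request['username'], request['realm'], stored)
    expected = response_from_ha1(ha1, request['method'], request['uri'], request['nonce'],
                                 request.get('qop'), request.get('nc'), request.get('cnonce'))
    # constant-time comparison, so a wrong digest leaks nothing by timing
    return hmac.compare_digest(expected, request['response'])


# constructed directory: what rlm_ldap would fetch into User-Password
DIRECTORY = {
    '1000': 'sip-secret',
    '1001': ('ha1', _md5('1001', 'sip.example.org', 'other-secret')),
}


def sample_request(username, password, qop='auth'):
    """Build the attributes a SIP proxy would relay for one REGISTER
    (constructed values); the phone side signs with `password`."""
    req = {'username': username, 'realm': 'sip.example.org', 'method': 'REGISTER',
           'uri': 'sip:sip.example.org', 'nonce': 'c0ffee1234',
           'qop': qop, 'nc': '00000001' if qop else None,
           'cnonce': '0a4f113b' if qop else None}
    req['response'] = client_response(username, req['realm'], password, req['method'],
                                      req['uri'], req['nonce'], qop=qop,
                                      nc=req['nc'], cnonce=req['cnonce'])
    return req


if __name__ == '__main__':
    print(verify_digest(DIRECTORY, sample_request('1000', 'sip-secret')))
    print(verify_digest(DIRECTORY, sample_request('1000', 'wrong-guess')))
```

The second directory entry shows the design choice a practitioner usually wants: because HA1 is bound to the realm, the directory can store MD5(user:realm:password) instead of the cleartext password and digest still works, while an LDAP bind with that value would fail just as it does in the thread above.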
Re: digest+ldap+radius
On Thu, 05-05-2005 at 15:09 +0300, Kostas Kalevras wrote:
>> Thu May 5 12:05:21 2005 : Auth: Login incorrect: [EMAIL PROTECTED]/no User-Password attribute] (from client localhost port 5060)
>>
>> (In the meanwhile I see LDAP looking at the User-Password attribute of [EMAIL PROTECTED] ...)
>>
>> Can somebody help me?
>
> You are performing LDAP authentication. Don't do that. You need to read the user password from LDAP but perform authentication with the digest module.

OK, I was thinking about this... but how do I read the password from LDAP and authenticate with digest? (Speaking about configuration, I mean.) I haven't found docs about this...

Thanks for the help,
Tiziano
--
Tiziano [EMAIL PROTECTED]
RE: digest+ldap+radius
Hi,

check out the ldapattr.map file (I think it's called like that). There you will find which attributes are mapped to some attributes in LDAP. You will find the User-Password attribute mapped to Password, I think. You can adjust this to fit your needs.

Regards,
Edvin Seferovic

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tiziano
Sent: Thursday, 05 May 2005 15:55
To: freeradius-users@lists.freeradius.org
Subject: Re: digest+ldap+radius
RE: digest+ldap+radius
Hi,

On Thu, 05-05-2005 at 16:03 +0200, Seferovic Edvin wrote:
> check out the ldapattr.map file (I think it's called like that). There you will find which attributes are mapped to some attributes in LDAP. You will find the User-Password attribute mapped to Password, I think. You can adjust this to fit your needs.

Working perfectly! Thanks a lot!

--
Tiziano [EMAIL PROTECTED]
Re: LDAP Radius
> Does someone have a good howto on setting up Radius to make use of an LDAP group? I read the ldap docs at freeradius.org and that seemed like overkill. I just want to have a group and put the user in the group to give them access?

Say you have two groups, one that has access to dial and one that has access to adsl. Some users can be in both groups. You have a NAS from 1.1.1.1 for dial and 2.2.2.2 for adsl.

Dial-only user:

    dn: uid=dialuser,ou=radius,dc=yourdomain,dc=com
    objectclass: radiusprofile
    uid: dialuser
    userpassword: somepass
    radiusgroupname: dial

ADSL-only user:

    dn: uid=adsluser,...
    objectclass: radiusprofile
    uid: adsluser
    userpassword: pass
    radiusgroupname: adsl

ADSL and dial user:

    dn: uid=both,...
    objectclass: radiusprofile
    uid: both
    userpassword: pass
    radiusgroupname: dial
    radiusgroupname: adsl

In your users file:

    DEFAULT NAS-IP-Address == 1.1.1.1, Ldap-Group == dial
    DEFAULT NAS-IP-Address == 2.2.2.2, Ldap-Group == adsl
    DEFAULT Auth-Type := Reject

A packet comes from the dial NAS; it checks to see if the user has radiusgroupname dial. If so it will match and then authenticate the user. If the user doesn't have dial, it will fall through to Reject. A packet comes from the adsl NAS; it checks to see if the user has radiusgroupname adsl, ...

Hope that helps,
Dusty Doris
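Both the per-NAS Ldap-Group gate in Dusty's answer above and the two-step scheme in Alan DeKok's reply to the attribute-mapping question (LDAP attribute to a local RADIUS attribute, then client group plus that attribute to the reply attribute the NAS understands) rely on how the users file is walked: first matching entry wins, `:=` check items always match, and Fall-Through keeps going. The following added example, not FreeRADIUS's code nor either poster's, simulates that walk in Python over the entries from both answers, so you can see which reply a given client group and AuthorizedService value produce and why values that do not apply to the client are never mapped. The attribute names Client-Group (standing in for whatever rlm_passwd adds for the NAS address) and Local-Service (the local attribute AuthorizedService is mapped to), the request dictionaries and the sample entries are constructed for the example.

```python
"""Added example (not FreeRADIUS code): a simulation of how the 'users' file
is walked, run over the entries from the two answers above.  Constructed:
the request dictionaries, the Client-Group attribute (what rlm_passwd would
add per NAS address) and Local-Service (the local attribute that
AuthorizedService is mapped to via the LDAP attrmap)."""
import re

# one check or reply item:  Attr == value | Attr := value | Attr = "value"
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|=)\s*"?(.*?)"?\s*$')


def parse_items(text):
    """Split 'A == x, B = "y"' into [(attr, op, value)]."""
    items = []
    for part in text.split(','):
        if part.strip():
            m = ITEM_RE.match(part)
            if not m:
                raise ValueError('bad item: %r' % part)
            items.append(m.groups())
    return items


def parse_users(text):
    """[(name, check_items, reply_items)] in file order: an unindented line
    starts an entry (name + check items), indented lines are its reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] in ' \t':
            entries[-1][2].extend(parse_items(line))
        else:
            name, _, checks = line.strip().partition(' ')
            entries.append((name, parse_items(checks), []))
    return entries


def check_matches(request, attr, value):
    """'==' check item; multi-valued request attributes (every Ldap-Group or
    Local-Service value the user has) are lists, so test membership."""
    have = request.get(attr)
    if have is None:
        return False
    return value in have if isinstance(have, list) else have == value


def process(entries, request):
    """First matching entry wins unless its reply items say Fall-Through = Yes.
    ':=' check items (Auth-Type := Reject) always match and set a control item.
    Returns (control_items, reply_items)."""
    control, reply = {}, []
    for name, checks, replies in entries:
        if name != 'DEFAULT' and name != request.get('User-Name'):
            continue
        if not all(check_matches(request, a, v) for a, op, v in checks if op == '=='):
            continue
        control.update({a: v for a, op, v in checks if op == ':='})
        fall_through = False
        for attr, _, value in replies:
            if attr == 'Fall-Through':          # control item, never sent to the NAS
                fall_through = value.lower() == 'yes'
            else:
                reply.append((attr, value))
        if not fall_through:
            break
    return control, reply


# Dusty's answer: each NAS admits only users whose radiusgroupname (seen by
# the users file as Ldap-Group) matches; everyone else falls through to Reject.
GROUP_USERS = """\
DEFAULT NAS-IP-Address == 1.1.1.1, Ldap-Group == dial
DEFAULT NAS-IP-Address == 2.2.2.2, Ldap-Group == adsl
DEFAULT Auth-Type := Reject
"""

# Alan's two-step answer: client group + Local-Service select the attribute the
# NAS understands; a value with no entry for this client group is never mapped.
MAPPING_USERS = """\
DEFAULT Client-Group == pix1, Local-Service == Pix1Auth7
        Cisco-AVPair = "shell:priv-lvl=7",
        Fall-Through = Yes
DEFAULT Client-Group == lb1, Local-Service == LBAdmin
        Service-Type = Authenticate-Only
"""


def nas_allows(nas_ip, ldap_groups):
    """True unless the group gate ends in Auth-Type := Reject."""
    request = {'User-Name': 'both', 'NAS-IP-Address': nas_ip, 'Ldap-Group': ldap_groups}
    control, _ = process(parse_users(GROUP_USERS), request)
    return control.get('Auth-Type') != 'Reject'


def reply_for(client_group, local_services):
    """Reply items for a user whose AuthorizedService values became Local-Service,
    seen from a client in client_group."""
    request = {'User-Name': 'owen', 'Client-Group': client_group,
               'Local-Service': local_services}
    return process(parse_users(MAPPING_USERS), request)[1]
```

Usage: `nas_allows('1.1.1.1', ['adsl'])` is False because neither gate entry matches and the trailing `Auth-Type := Reject` entry always does, while `reply_for('pix1', ['Pix1Auth7', 'LBAdmin'])` returns only the Cisco-AVPair item: the LBAdmin value the same user carries produces nothing for a PIX client, which is exactly the "don't map values that don't apply to this client" requirement from the original question.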
LDAP Radius
Does someone have a good howto on setting up Radius to make use of an LDAP group? I read the ldap docs at freeradius.org and that seemed like overkill. I just want to have a group and put the user in the group to give them access?

Douglas Sterner
LDAP/Radius authentication
Hello list,

I'm new to freeradius, and I'd like to know if a construction like this is possible with freeradius:

    +-------------------+                         +---------+
    | [EMAIL PROTECTED] |--+                   +--| RADIUS1 |
    +-------------------+  |                   |  +---------+
    +-------------------+  |   +---------+     |  +---------+
    | [EMAIL PROTECTED] |--+---| FreeRad |-----+--| LDAP1   |
    +-------------------+  |   +---------+     |  +---------+
    +-------------------+  |                   |  +---------+
    | [EMAIL PROTECTED] |--+                   +--| LDAP2   |
    +-------------------+                         +---------+

I want [EMAIL PROTECTED] to authenticate through the FreeRadius server against RADIUS1.
I want [EMAIL PROTECTED] to authenticate through the FreeRadius server against LDAP1.
I want [EMAIL PROTECTED] to authenticate through the FreeRadius server against LDAP2.

Just authentication for the moment.

When reading the O'Reilly book "RADIUS" and some docs on the internet, I understand that it must be possible one way or another (with realms, AFAIUI), although I have no idea yet how to do this. I already have a freeradius-0.9.3 server running and I am able to authenticate against 1 LDAP server (without using realms).

The most important thing is: is this possible?

Richard.