Re: Fw: freeradius and ldap using chap

2010-02-22 Thread Eric Eric
When I remove ldap-Vpn from the authenticate part, the error is:
 
rlm_chap: login attempt by test with CHAP password
  rlm_chap: Could not find clear text password for user test
Login incorrect (rlm_chap: Clear text password not available): [test] (from 
client vpntist port 128 cli 10.10.10.24)

What is wrong in my config? Any help?

--- On Sun, 2/21/10, Eric Eric eric121...@yahoo.com wrote:

From: Eric Eric eric121...@yahoo.com
Subject: Fw: freeradius and ldap using chap
To: freeradius-users@lists.freeradius.org
Date: Sunday, February 21, 2010, 1:33 PM


Hi
I want to change authentication from pap to chap. The users with clear passwords are 
in the ldap server. The error is:

rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication. Cannot use 
CHAP-Password.
Login incorrect (rlm_chap: Clear text password not available):

I saw the problem in the FAQ but I didn't find what my mistake is. The config is:
in users:

DEFAULT Client-IP-Address == 10.10.10.2, Auth-Type := Vpn, Autz-Type := Vpn, Post-Auth-Type := Vpn, Session-Type := Vpn

in radius.conf:

ldap ldap-Vpn {
    password_attribute = userPassword
    password_header = {clear}
}

authorize {
    chap
    Autz-Type Vpn {
        ldap-Vpn
        chap
    }
}

authenticate {
    Auth-Type CHAP {
        chap
    }
    Auth-Type Vpn {
        chap
        ldap-Vpn
    }
}


What is my mistake? Should I do any other config or change in ldap.attrmap?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap-ttls and eap-peap againts OpenLdap

2010-02-22 Thread John smith
Hi Fajar,
I don't use ntlm_auth; I'd think it was necessary when using an Active
Directory.

My version of samba is 3.0.24

I'm going to read about the ntlm_auth option and I'll try it.

Thank you
Nick


2010/2/22 Fajar A. Nugraha fa...@fajar.net

 On Mon, Feb 22, 2010 at 2:04 AM, John smith ohn...@gmail.com wrote:
  My problem is when I try to authenticate using peap-mschapv2.
  I've read a lot of mails about similar problems but I can't find the answer
  to it.

 Did you use ntlm_auth? What version of samba? IIRC you need an older
 version of samba (search the list archive, someone mentioned v3.2.5 works).

 If you have a cleartext password in your LDAP schema there might be other
 options.

 --
 Fajar

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

default_eap_type in ttls configuraion in file eap.conf

2010-02-22 Thread ZHANG Gina
Hi!

I have a question regarding the default_eap_type setting for the ttls
configuration in the file eap.conf. According to the TTLS protocol, it is not
necessary to do authentication in the tunnel, and it is the user who decides
and initiates which eap type to use inside the tunnel. What is the
default_eap_type used for?

Thanks!
Gina Zhang

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Authorization through inner identity

2010-02-22 Thread ZHANG Gina
Hi,

Is it possible to do authorization through the identity in inner tunnel?

Thanks,
Gina Zhang

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authorization through inner identity

2010-02-22 Thread Alan Buxey
Hi,
 Hi,
 
 Is it possible to do authorization through the identity in inner tunnel?

check out the authorize {} section in the inner-tunnel virtual server
in FreeRADIUS 2.x - that's what it's there for

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Authorization through inner identity

2010-02-22 Thread ZHANG Gina
Alan,

Thanks for the quick response! 

I did look there before I sent the first email. I think that I should
add something in the authorize section like
update request.

But I don't know the details.

Could you advise?

Thanks,
Gina 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authorization through inner identity

2010-02-22 Thread Alan Buxey
Hi,

 I did look there before I sent the first email. I think that I should
 add something in the authorize section like update request.

well, that all depends on what you want to achieve. the currently listed
modules in that section all behave as per normal and deal with the basic
yes/no of authorization and access policy.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Authorization through inner identity

2010-02-22 Thread ZHANG Gina
Alan,

All I want to do is to use the inner username to look up the database table
to authorize.

Thanks,
Gina

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: modules instantiation

2010-02-22 Thread Latha Krishnamurthi
Thank you, I will try that.

--- On Fri, 2/19/10, Alan DeKok al...@deployingradius.com wrote:


From: Alan DeKok al...@deployingradius.com
Subject: Re: modules instantiation
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Friday, February 19, 2010, 6:07 PM


Latha Krishnamurthi wrote:
 I see that a new instance is getting created when the first one is busy
 handling a request. (I do this by adding a sleep in the module and
 printing the threadid.) I am expecting the xxx_instantiate function to
 get called each time a new instance is created (reading in the
 documentation).

  No.  The module is NOT having a new instance created.

  A module instance is defined by a module configuration.  One
configuration: one instance.

  The instance data is *constant*.  The module gets called multiple
times simultaneously from multiple threads when multiple requests are
received.

 This does not happen. I am actually connecting to a
 server in the instantiate function and storing the socket id in the
 *instance, so that I can use it later in the authenticate etc.

  Why?

  Is that connection changing the way the module behaves?

 But it seems that the socket id is the same for all the instances.
 *instance seems to be shared by all the instances??

 Am I missing something/configuration? Your help is greatly appreciated.

  If you need to store data that is associated with a particular
*request*, and is valid only for the lifetime of a request, see
request_data_add(), and request_data_get().

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eap-ttls and eap-peap againts OpenLdap

2010-02-22 Thread Fajar A. Nugraha
On Mon, Feb 22, 2010 at 9:14 PM, John smith ohn...@gmail.com wrote:
 Hi Fajar,
 I don't use ntlm_auth; I'd think it was necessary when using an Active
 Directory.

 My version of samba is 3.0.24

 I'm going to read about the ntlm_auth option and I'll try it


IIRC, when you use peap-mschap, you need either:
- use ntlm_auth (which in turn connects to AD or other LDAP server), OR
- have cleartext password.

You only have MD5 password.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm-ldap error for chap

2010-02-22 Thread Eric Eric
Hi
I want to change authentication from pap to chap. The users with clear passwords are 
in the ldap server, but there is an error with the clear password in rlm-ldap.

radiusd -x 
Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec 
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
Module: Instantiated mschap (mschap) 
Module: Loaded LDAP 
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap-Dial-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap-Dial-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap-Dial
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS 
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x90f2d90
Module: Instantiated ldap (ldap-Vpn) 
Module: Loaded always 
Module: Instantiated always (ok) 
Module: Loaded preprocess 
Module: Instantiated preprocess (preprocess) 
Module: Loaded detail 
Module: Instantiated detail (auth_log) 
Module: Loaded realm 
Module: Instantiated realm (suffix) 
Module: Loaded SQL Counter 
Module: Instantiated sqlcounter (monthly-Vpn) 
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap-Vpn-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap-Vpn-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap-Vpn
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address

Re: rlm-ldap error for chap

2010-02-22 Thread Fajar A. Nugraha
On Tue, Feb 23, 2010 at 1:32 PM, Eric Eric eric121...@yahoo.com wrote:

 Hi
 I want to change authentication from pap to chap. The users with clear passwords 
 are in the ldap server, but there is an error with the clear password in rlm-ldap.

 rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password

is the cleartext password there?

 ldap ldap-Vpn {
     password_attribute = userPassword
     password_header = {clear}
 }

does the cleartext password have a header?

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
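As an added illustration for both of Eric's threads ("freeradius and ldap using chap" above and this one), and not code from the list or from FreeRADIUS: CHAP can only be verified by recomputing the RFC 1994 response MD5(id || secret || challenge) from the cleartext secret, so a userPassword that rlm_ldap cannot reduce to Cleartext-Password (wrong or missing `{clear}` header, a `{SSHA}` hash) ends in exactly the "Clear text password not available" rejection. Function names and sample values are constructed; the header match is assumed to be a plain prefix comparison.

```python
import hashlib
import hmac

# Constructed example, not FreeRADIUS code. It models the two steps the
# threads above turn on: rlm_ldap strips the configured password_header from
# userPassword and maps the rest to Cleartext-Password; rlm_chap then
# recomputes the RFC 1994 response MD5(id || secret || challenge).
# Assumption: the header match is a plain, case-sensitive prefix comparison.


def parse_ldap_password(value: str, header: str = "{clear}"):
    """Return the cleartext from an LDAP userPassword value, or None.

    Only a value carrying the configured header yields a Cleartext-Password;
    "{SSHA}..." or a bare hash cannot be turned back into cleartext, so the
    CHAP module later has nothing to compare against.
    """
    if value.startswith(header):
        return value[len(header):]
    return None


def chap_response(chap_id: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over the one-byte identifier, the cleartext
    secret and the challenge (CHAP-Challenge or the Request Authenticator)."""
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()


def verify_chap(chap_password_attr: bytes, challenge: bytes,
                stored_userpassword: str, header: str = "{clear}") -> str:
    """Mimic rlm_chap's decision for one Access-Request.

    chap_password_attr is the RADIUS CHAP-Password value: one identifier byte
    followed by the 16-byte MD5 response. Without a recovered cleartext
    password the only possible outcome is the rejection quoted in the thread.
    """
    if len(chap_password_attr) != 17:
        return "reject: malformed CHAP-Password"
    cleartext = parse_ldap_password(stored_userpassword, header)
    if cleartext is None:
        return "reject: Clear text password not available"
    expected = chap_response(chap_password_attr[0], cleartext, challenge)
    # Constant-time comparison, as for any authenticator check
    if hmac.compare_digest(expected, chap_password_attr[1:]):
        return "accept"
    return "reject: bad CHAP response"
```

Running `verify_chap` against a `{SSHA}` value reproduces the rejection from the logs, while the same request against `{clear}hunter2` is accepted, which is why Fajar's question about the header decides the outcome.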


Re: modules instantiation

2010-02-22 Thread Doug Hardie

I tried to correct the wiki's description but was not able to do so.  I can log 
in fine and it says I can edit the file.  However, after making the changes 
save just gives a blank screen and the changes never appear in the text.

In the modules2 file change:

The xxx_instantiate module is called each time a new instance is started. 
Generally this module is used to establish the data for the instance that needs 
to be retained during the life of the instance. For example, reading the 
configuration variables. cf_section_parse(conf, data, module_config) is used to 
do this function.


to:

The xxx_instantiate module is called each time a new instance is started during 
the initial configuration process. Generally this module is used to establish 
the data for the instance that needs to be retained during the life of the 
instance. For example, reading the configuration variables. 
cf_section_parse(conf, data, module_config) is used to do this function. Note 
that the instantiate module is not called each time a new instantiation of the 
module is started during run time. The data established during the instantiate 
module is available to all instantiations during run time. If you need to 
store data that is associated with a particular *request*, and is valid only 
for the lifetime of a request, see request_data_add(), and request_data_get().
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html