Re: Fw: freeradius and ldap using chap
When I remove ldap-Vpn from the authenticate part, the error is:

    rlm_chap: login attempt by "test" with CHAP password
    rlm_chap: Could not find clear text password for user test
    Login incorrect (rlm_chap: Clear text password not available): [test] (from client vpntist port 128 cli 10.10.10.24)

What is wrong in my config? Any help?

--- On Sun, 2/21/10, Eric Eric <eric121...@yahoo.com> wrote:

> From: Eric Eric <eric121...@yahoo.com>
> Subject: Fw: freeradius and ldap using chap
> To: freeradius-users@lists.freeradius.org
> Date: Sunday, February 21, 2010, 1:33 PM
>
> Hi
>
> I want to change authentication from PAP to CHAP. The users with clear passwords are in the LDAP server. The error is:
>
>     rlm_ldap: - authenticate
>     rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
>     Login incorrect (rlm_chap: Clear text password not available):
>
> I saw the problem in the FAQ but I didn't find what my mistake is. The config is:
>
> in users:
>
>     DEFAULT Client-IP-Address == 10.10.10.2, Auth-Type := Vpn, Autz-Type := Vpn, Post-Auth-Type := Vpn, Session-Type := Vpn
>
> in radiusd.conf:
>
>     ldap ldap-Vpn {
>             password_attribute = userPassword
>             password_header = "{clear}"
>     }
>
>     authorize {
>             chap
>             Autz-Type Vpn {
>                     ldap-Vpn
>                     chap
>             }
>     }
>
>     authenticate {
>             Auth-Type CHAP {
>                     chap
>             }
>             Auth-Type Vpn {
>                     chap
>                     ldap-Vpn
>             }
>     }
>
> What is my mistake? Should I do any other config or change in ldap.attrmap?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
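Why rlm_chap keeps reporting "Clear text password not available", as an added example (this is not code from the thread or from FreeRADIUS): CHAP (RFC 1994) has the client send MD5(Identifier || secret || challenge), and the NAS forwards that in the RADIUS CHAP-Password attribute (RFC 2865 section 5.3: one identifier byte followed by the 16-byte response). The server can only check it by recomputing the same MD5, which requires the cleartext secret. A one-way {MD5} or {SHA} userPassword is enough for PAP, where the password itself arrives in the request, but useless for CHAP. The header handling below imitates what the password_header = "{clear}" setting is for; the secret, challenge and identifier are constructed sample values.

```python
"""CHAP (RFC 1994) verification as a RADIUS server such as rlm_chap performs it.

Added example, not FreeRADIUS code.  Shows why CHAP needs the cleartext
secret while PAP can be checked against a one-way {MD5}/{SHA} hash.
"""
import base64
import hashlib
import hmac
from typing import Optional, Tuple


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Client/NAS side: the RADIUS CHAP-Password value (RFC 2865 5.3),
    i.e. the 1-byte CHAP Identifier followed by MD5(id || secret || challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP identifier is a single byte")
    digest = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return bytes([ident]) + digest


def split_header(stored: str) -> Tuple[str, str]:
    """Split an LDAP-style userPassword value into (header, body).
    A value without a header is treated as cleartext, which is the effect
    the poster is after with password_header = "{clear}"."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[: end + 1].lower(), stored[end + 1:]
    return "{clear}", stored


def chap_verify(chap_password: bytes, challenge: bytes, stored: str) -> Optional[bool]:
    """Server side.  True/False when the stored password is usable for CHAP,
    None when it is a one-way hash (the situation behind rlm_chap's
    "Clear text password not available")."""
    header, body = split_header(stored)
    if header not in ("{clear}", "{cleartext}"):
        return None
    if len(chap_password) != 17:          # 1 id byte + 16-byte MD5 digest
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = hashlib.md5(bytes([ident]) + body.encode() + challenge).digest()
    return hmac.compare_digest(expected, response)


def pap_verify(password: str, stored: str) -> Optional[bool]:
    """Contrast: PAP delivers the password itself, so a one-way hash suffices.
    {MD5}/{SHA} bodies follow OpenLDAP's base64-of-raw-digest convention."""
    header, body = split_header(stored)
    if header in ("{clear}", "{cleartext}"):
        return hmac.compare_digest(password.encode(), body.encode())
    if header in ("{md5}", "{sha}"):
        algo = "md5" if header == "{md5}" else "sha1"
        digest = hashlib.new(algo, password.encode()).digest()
        return hmac.compare_digest(digest, base64.b64decode(body))
    return None                           # {crypt}, {SSHA}, ...: not handled here


def ldap_hashed(password: str, algo: str = "md5") -> str:
    """Constructed sample: build a {MD5}/{SHA} userPassword the way OpenLDAP stores it."""
    digest = hashlib.new(algo, password.encode()).digest()
    label = "MD5" if algo == "md5" else "SHA"
    return "{%s}%s" % (label, base64.b64encode(digest).decode())


if __name__ == "__main__":
    challenge = bytes(range(16))          # constructed CHAP-Challenge
    pkt = chap_response(0x2A, b"s3cret", challenge)
    print("CHAP vs {clear}s3cret:", chap_verify(pkt, challenge, "{clear}s3cret"))    # True
    print("CHAP vs", ldap_hashed("s3cret"), ":", chap_verify(pkt, challenge, ldap_hashed("s3cret")))  # None
    print("PAP  vs", ldap_hashed("s3cret"), ":", pap_verify("s3cret", ldap_hashed("s3cret")))  # True
```

The None return is the exact situation in the log above: the stored form is not wrong, it simply cannot be used for this authentication method, so the fix is on the directory side (store the password in cleartext, or stay with PAP), not in unlang.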
Re: eap-ttls and eap-peap against OpenLDAP
Hi Fajar,

I don't use ntlm_auth; I'd think it was necessary when using Active Directory. My version of Samba is 3.0.24. I'm going to read about the ntlm_auth option and I'll try it.

Thank you,
Nick

2010/2/22 Fajar A. Nugraha <fa...@fajar.net>

> On Mon, Feb 22, 2010 at 2:04 AM, John smith <ohn...@gmail.com> wrote:
>> My problem is when I try to authenticate using peap-mschapv2. I've read a lot of mails about similar problems but I can't find the answer to it.
>
> Did you use ntlm_auth? What version of samba? IIRC you need an older version of samba (search the list archive, someone mentioned v3.2.5 works). If you have a cleartext password in your LDAP schema there might be other options.
>
> --
> Fajar
default_eap_type in ttls configuration in file eap.conf
Hi!

I have a question regarding the default_eap_type setting for the ttls configuration in file eap.conf. From the TTLS protocol, it is not necessary to do authentication in the tunnel, and it is the user who decides and initiates which EAP type to use inside the tunnel. What is default_eap_type used for?

Thanks!
Gina Zhang
Authorization through inner identity
Hi,

Is it possible to do authorization through the identity in the inner tunnel?

Thanks,
Gina Zhang
Re: Authorization through inner identity
Hi,

> Hi,
> Is it possible to do authorization through the identity in the inner tunnel?

check out the authorize {} section in the inner-tunnel virtual server in FreeRADIUS 2.x - that's what it's there for

alan
RE: Authorization through inner identity
Alan,

Thanks for the quick response! I did look there before I sent the first email. I think that I should add something in the authorize section, like an update request. But I don't know the details. Could you advise?

Thanks,
Gina

-----Original Message-----
From: freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org [mailto:freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Monday, February 22, 2010 4:53 PM
To: FreeRadius users mailing list
Subject: Re: Authorization through inner identity

Hi,

> Hi,
> Is it possible to do authorization through the identity in the inner tunnel?

check out the authorize {} section in the inner-tunnel virtual server in FreeRADIUS 2.x - that's what it's there for

alan
Re: Authorization through inner identity
Hi,

> I did look there before I sent the first email. I think that I should add something in the authorize section, like an update request.

well, that all depends on what you want to achieve. the currently listed modules in that section all behave as per normal and deal with the basic yes/no of authorization and access policy.

alan
RE: Authorization through inner identity
Alan,

All I want to do is to use the inner username to look up the database table to authorize.

Thanks,
Gina

-----Original Message-----
From: freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org [mailto:freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Monday, February 22, 2010 5:12 PM
To: FreeRadius users mailing list
Subject: Re: Authorization through inner identity

Hi,

> I did look there before I sent the first email. I think that I should add something in the authorize section, like an update request.

well, that all depends on what you want to achieve. the currently listed modules in that section all behave as per normal and deal with the basic yes/no of authorization and access policy.

alan
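What Alan is pointing at, as an added sketch that is neither the shipped FreeRADIUS file nor something tested against this setup: inside the inner-tunnel virtual server of FreeRADIUS 2.x the request's User-Name is the inner identity, so every module listed in that server's authorize section, sql included, already keys its lookup on it. Nothing needs an update block for the lookup itself; the only extra setting assumed here is use_tunneled_reply in the ttls/peap sub-sections of eap.conf, which copies whatever the inner lookup returns into the outer Access-Accept. Confirm with radiusd -X that the sql queries in the inner-tunnel section are logged with the inner name, not the anonymous outer identity.

```text
# sites-enabled/inner-tunnel (FreeRADIUS 2.x), authorize section only;
# authenticate / post-auth sections unchanged
server inner-tunnel {
        authorize {
                chap
                mschap
                suffix
                update control {
                        Proxy-To-Realm := LOCAL
                }
                eap {
                        ok = return
                }
                files
                sql            # %{User-Name} here is the inner identity, so the
                               # radcheck/radreply/usergroup lookups use it
                expiration
                logintime
                pap
        }
}

# eap.conf: hand the inner reply items (Filter-Id, VLAN attributes, ...)
# back to the outer Access-Accept
ttls {
        default_eap_type = md5
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
}
peap {
        default_eap_type = mschapv2
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
}
```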
Re: modules instantiation
Thank you, will try that.

--- On Fri, 2/19/10, Alan DeKok <al...@deployingradius.com> wrote:

> From: Alan DeKok <al...@deployingradius.com>
> Subject: Re: modules instantiation
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Date: Friday, February 19, 2010, 6:07 PM
>
> Latha Krishnamurthi wrote:
>> I see that a new instance is getting created when the first one is busy handling a request. (I do this by adding a sleep in the module and printing the thread id.) I am expecting the xxx_instantiate function to get called each time a new instance is created (reading in the documentation).
>
> No. The module is NOT having a new instance created. A module instance is defined by a module configuration. One configuration: one instance. The instance data is *constant*.
>
> The module gets called multiple times simultaneously from multiple threads when multiple requests are received.
>
>> This does not happen. I am actually connecting to a server in the instantiate function and storing the socket id in the *instance, so that I can use it later in the authenticate etc.
>
> Why? Is that connection changing the way the module behaves?
>
>> But it seems that the socket id is the same for all the instances. *instance seems to be shared by all the instances?? Am I missing something/configuration? Your help is greatly appreciated.
>
> If you need to store data that is associated with a particular *request*, and is valid only for the lifetime of a request, see request_data_add(), and request_data_get().
>
> Alan DeKok.
Re: eap-ttls and eap-peap against OpenLDAP
On Mon, Feb 22, 2010 at 9:14 PM, John smith <ohn...@gmail.com> wrote:
> Hi Fajar,
> I don't use ntlm_auth; I'd think it was necessary when using Active Directory. My version of Samba is 3.0.24. I'm going to read about the ntlm_auth option and I'll try it.

IIRC, when you use peap-mschap, you need either:
- use ntlm_auth (which in turn connects to AD or another LDAP server), OR
- have a cleartext password.

You only have an MD5 password.

--
Fajar
rlm-ldap error for chap
Hi

I want to change authentication from PAP to CHAP. The users with clear passwords are in the LDAP server, but there is an error with the clear password in rlm_ldap.

radiusd -x

    Starting - reading configuration files ...
    Using deprecated naslist file.  Support for this will go away soon.
    Module: Loaded exec
    rlm_exec: Wait=yes but no output defined.  Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    Module: Instantiated mschap (mschap)
    Module: Loaded LDAP
    rlm_ldap: Registering ldap_groupcmp for Ldap-Group
    rlm_ldap: Creating new attribute ldap-Dial-Ldap-Group
    rlm_ldap: Registering ldap_groupcmp for ldap-Dial-Ldap-Group
    rlm_ldap: Registering ldap_xlat with xlat_name ldap-Dial
    rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
    rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
    rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
    rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
    rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
    rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
    rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
    rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
    rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
    rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password
    rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
    rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
    rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
    rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
    rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
    rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
    rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
    rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
    rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
    rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
    rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
    rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
    rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
    rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
    rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
    rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
    rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
    rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
    rlm_ldap: LDAP radiusClass mapped to RADIUS Class
    rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
    rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
    rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
    rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
    rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
    rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
    rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
    rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
    rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
    rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
    rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
    rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
    conns: 0x90f2d90
    Module: Instantiated ldap (ldap-Vpn)
    Module: Loaded always
    Module: Instantiated always (ok)
    Module: Loaded preprocess
    Module: Instantiated preprocess (preprocess)
    Module: Loaded detail
    Module: Instantiated detail (auth_log)
    Module: Loaded realm
    Module: Instantiated realm (suffix)
    Module: Loaded SQL Counter
    Module: Instantiated sqlcounter (monthly-Vpn)
    rlm_ldap: Registering ldap_groupcmp for Ldap-Group
    rlm_ldap: Creating new attribute ldap-Vpn-Ldap-Group
    rlm_ldap: Registering ldap_groupcmp for ldap-Vpn-Ldap-Group
    rlm_ldap: Registering ldap_xlat with xlat_name ldap-Vpn
    rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
    rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
    rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
    rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
    rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
    rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
    rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
    rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
    rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
    rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password
    rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
    rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
    rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
Re: rlm-ldap error for chap
On Tue, Feb 23, 2010 at 1:32 PM, Eric Eric <eric121...@yahoo.com> wrote:
> Hi
> I want to change authentication from PAP to CHAP. The users with clear passwords are in the LDAP server, but there is an error with the clear password in rlm_ldap

> rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password

is the cleartext password there?

> ldap ldap-Vpn {
>         password_attribute = userPassword
>         password_header = "{clear}"
> }

does the cleartext password have a header?

--
Fajar
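An added configuration sketch of the flow rlm_chap expects in FreeRADIUS 2.x; it is neither the poster's files nor FreeRADIUS's shipped configuration, and it has not been tested against this setup. The names ldap-Vpn, Vpn and the 10.10.10.2 client are taken from the thread. The two points it makes: rlm_ldap only has to run in authorize, where the ldap.attrmap line shown in the debug output turns userPassword into a Cleartext-Password check item, and Auth-Type must be left for rlm_chap to set, since rlm_chap's authorize step does nothing when Auth-Type is already forced, and the forced Auth-Type := Vpn then routes a CHAP request into rlm_ldap's authenticate method, which is an LDAP bind and needs User-Password (the first error in the thread). The check that answers Fajar's two questions is to run radiusd -X and look for a Cleartext-Password item after ldap-Vpn runs: absent means the attribute or mapping is wrong, present with a literal {clear} prefix means the header is not being stripped.

```text
# users: stop forcing Auth-Type.  rlm_chap sets Auth-Type := CHAP itself
# in authorize whenever the request carries a CHAP-Password.
DEFAULT Client-IP-Address == 10.10.10.2, Autz-Type := Vpn, Post-Auth-Type := Vpn, Session-Type := Vpn

# radiusd.conf (or modules/ldap): server, basedn, etc. as before
ldap ldap-Vpn {
        password_attribute = userPassword
        password_header = "{clear}"   # only stripped if the LDAP value really starts with {clear}
}

authorize {
        preprocess
        chap                          # Auth-Type := CHAP for CHAP requests, NOOP otherwise
        files                         # reads the users entry above, sets Autz-Type := Vpn
        Autz-Type Vpn {
                ldap-Vpn              # userPassword -> Cleartext-Password via ldap.attrmap
        }
}

authenticate {
        Auth-Type CHAP {
                chap                  # recomputes MD5(id || Cleartext-Password || challenge)
        }
        Auth-Type PAP {
                pap                   # PAP requests are checked against the same item
        }
        # "Auth-Type Vpn { ldap-Vpn }" would be an LDAP bind with User-Password.
        # It can only ever serve PAP requests, so it must not be the forced default.
}
```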
Re: modules instantiation
I tried to correct the wiki's description but was not able to do so. I can log in fine and it says I can edit the file. However, after making the changes, save just gives a blank screen and the changes never appear in the text.

In the modules2 file change:

    The xxx_instantiate module is called each time a new instance is started. Generally this module is used to establish the data for the instance that needs to be retained during the life of the instance. For example, reading the configuration variables. cf_section_parse(conf, data, module_config) is used to do this function.

to:

    The xxx_instantiate module is called each time a new instance is started during the initial configuration process. Generally this module is used to establish the data for the instance that needs to be retained during the life of the instance. For example, reading the configuration variables. cf_section_parse(conf, data, module_config) is used to do this function. Note that the instantiate module is not called each time a new instantiation of the module is started during run time. The data established during the instantiate module is available to all instantiations during run time. If you need to store data that is associated with a particular *request*, and is valid only for the lifetime of a request, see request_data_add(), and request_data_get().