Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-14 Thread Ville Leinonen

Hi,

Any news for this problem?

Br,

Ville

On 5.8.2013 19:08, vi...@leinonen.org wrote:


Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread ville

Hi,

I have installed fr 2.1.10 w openldap and I can authenticate users  
against ldap.
I have also added groups in ldap and allowed ldap module to search  
groups and it also works fine.


Now the problem is that huntgroups won't work. I need to restrict
access to NAS for specific groups. I can see that groups match
(rlm_ldap::ldap_groupcmp: User found in group ), but the huntgroup match
won't work.


file huntgroups:

   NAS-IP-Address  == 172.150.0.1

file users:

DEFAULT Ldap-Group == 
   Huntgroup-Name == 

I am very glad for any help, and if someone has a better solution for
this I'm happy to hear it. There are about 600 NAS (sw's and routers)
for different customers and we need to provide mgmt access to
customers and our NOC staff, so I think we need to use huntgroups with
groups, and if someone has an example for this one I'm very glad for that
also.


Best regards,

Ville Leinonen

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread A . L . M . Buxey
Hi,

 file users:
 
 DEFAULT Ldap-Group == 
Huntgroup-Name == 

multiple lines? the first line is CHECK items. other lines are REPLY items

alan
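The check-item / reply-item split Alan describes, together with the way the huntgroups file feeds Huntgroup-Name into the users file, can be seen on constructed input with the following model. This is an added example written for this thread, not FreeRADIUS code: it is a simplified re-implementation of what rlm_preprocess (huntgroups) and rlm_files (users) do. The huntgroup name "noc-mgmt", the LDAP group "noc", the groups_of() directory stand-in and the second "DEFAULT Auth-Type := Reject" entry are all assumptions of the example; the thread itself shows only a single DEFAULT entry with the names stripped. With only that single entry, a request from a NAS that is in no huntgroup matches nothing, and the module answers noop without setting anything, which is the same `++[files] returns noop` that appears in the debug output above; the catch-all entry shows how an explicit reject can be produced from the users file instead.

```python
"""Simplified model of FreeRADIUS 2.x 'huntgroups' / 'users' evaluation.
Added example, not FreeRADIUS code; names in the sample data are constructed."""
import re

# One 'Attr op value' pair, optionally followed by a comma; values may be
# double-quoted so a DN containing commas survives as one value.
PAIR_RE = re.compile(r'\s*([\w-]+)\s*(==|!=|:=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*,?')
ASSIGN_OPS = (":=", "=")   # on a check line these set control items, never test


def parse_pairs(text):
    """'A == x, B := "y"' -> [("A", "==", "x"), ("B", ":=", "y")]"""
    pairs, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = PAIR_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse pair list at {text[pos:]!r}")
        attr, op, value = m.groups()
        pairs.append((attr, op, value[1:-1] if value.startswith('"') else value))
        pos = m.end()
    return pairs


def parse_entries(text):
    """Both files share the layout: a non-indented line starts an entry
    (name, then check items); indented lines hold reply items."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace():                       # continuation: reply items
            entries[-1][2].extend(parse_pairs(line))
        else:
            name, rest = (line.split(None, 1) + [""])[:2]
            entries.append((name, parse_pairs(rest), []))
    return entries


def check_ok(attr, op, value, request, groups_of):
    """Evaluate one check item. Ldap-Group is answered by a membership
    callback standing in for rlm_ldap's groupcmp; anything else is looked
    up in the request attribute list."""
    if op in ASSIGN_OPS:
        return True
    if attr == "Ldap-Group":
        hit = value in groups_of(request["User-Name"][0])
    else:
        hit = value in request.get(attr, [])
    return hit if op == "==" else not hit


def add_huntgroup_names(huntgroups, request, groups_of):
    """rlm_preprocess: each matching huntgroups line adds a Huntgroup-Name."""
    for name, checks, _ in huntgroups:
        if all(check_ok(a, op, v, request, groups_of) for a, op, v in checks):
            request.setdefault("Huntgroup-Name", []).append(name)


def files_authorize(users, request, groups_of):
    """rlm_files: the first entry whose name and check items all match wins
    (Fall-Through is not modelled); no match means noop, nothing is set."""
    for name, checks, replies in users:
        if name not in ("DEFAULT", request["User-Name"][0]):
            continue
        if all(check_ok(a, op, v, request, groups_of) for a, op, v in checks):
            control = {a: v for a, op, v in checks if op in ASSIGN_OPS}
            return "ok", control, list(replies)
    return "noop", {}, []


def authorize(huntgroups_text, users_text, request, groups_of):
    req = {k: list(v) for k, v in request.items()}
    add_huntgroup_names(parse_entries(huntgroups_text), req, groups_of)
    return files_authorize(parse_entries(users_text), req, groups_of)


# Constructed sample data: "noc-mgmt" and "noc" are placeholders.
HUNTGROUPS = "noc-mgmt    NAS-IP-Address == 172.150.0.1\n"
USERS_MATCH_ONLY = ('DEFAULT Ldap-Group == "noc", Huntgroup-Name == noc-mgmt\n'
                    '        Reply-Message = "NOC management access"\n')
# The same entry plus a catch-all that rejects whatever the first did not match.
USERS_WITH_REJECT = USERS_MATCH_ONLY + "DEFAULT Auth-Type := Reject\n"


def groups_of(user):
    """Stand-in for the directory: which LDAP groups a user belongs to."""
    return {"testuser": ["noc"]}.get(user, [])


if __name__ == "__main__":
    other_nas = {"User-Name": ["testuser"], "NAS-IP-Address": ["172.150.0.62"]}
    noc_nas = {"User-Name": ["testuser"], "NAS-IP-Address": ["172.150.0.1"]}
    print(authorize(HUNTGROUPS, USERS_MATCH_ONLY, other_nas, groups_of))  # noop
    print(authorize(HUNTGROUPS, USERS_MATCH_ONLY, noc_nas, groups_of))    # ok
    print(authorize(HUNTGROUPS, USERS_WITH_REJECT, other_nas, groups_of)) # Reject
```

The request from 172.150.0.62 gets no Huntgroup-Name because the only huntgroups line names 172.150.0.1, so the Huntgroup-Name check on the DEFAULT line fails even though the Ldap-Group check passes; the request from 172.150.0.1 matches and receives the reply item. Real rlm_files also honours Fall-Through and the other users-file operators, which this model leaves out.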


Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread ville
Hi,

Thank you for your reply.

It was my mistake, when i was testing.

Corrected DEFAULT Ldap-Group == , Huntgroup-Name == 
Still not working as i want.

Br,

Ville



Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread A . L . M . Buxey
Hi,

 It was my mistake, when i was testing.
 
 Corrected DEFAULT Ldap-Group == , Huntgroup-Name == 
 Still not working as i want.

output? 

alan


Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread ville
Here comes:

rlm_ldap::ldap_groupcmp: User found in group 

and the user still gets access. I noticed that if I disable ldap
and put the user in the users file like this:

vi...@.fi Cleartext-Password := , Huntgroup-Name == 

it works and I can filter users based on huntgroup.

Br,

Ville



Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread A . L . M . Buxey
Hi,
 Here comes:
 
 rlm_ldap::ldap_groupcmp: User found in group 

radiusd -X


It's what the docs say, for a reason.

alan


Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-05 Thread ville
Here:

rad_recv: Access-Request packet from host 172.150.0.62 port 25196, id=194,
length=63
User-Name = testu...@.fi
User-Password = testpass
NAS-IP-Address = 172.150.0.62
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
[auth_log]  expand: %t -> Mon Aug  5 19:03:20 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm .fi for User-Name = testu...@.fi
[suffix] No such realm .fi
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
  [ldap] Entering ldap_groupcmp()
[files] expand: dc=demonet,dc=local -> dc=demonet,dc=local
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> testu...@.fi
[files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testu...@.fi)
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=demonet,dc=local, with filter
(uid=testu...@.fi)
  [ldap] ldap_release_conn: Release Id: 0
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
-> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=demonet,dc=local, with filter
(&(cn=)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=Tauno
Testaaja,ou=,ou=Customers,dc=demonet,dc=local, with filter
(objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group 
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] Entering ldap_groupcmp()
[files] expand: dc=demonet,dc=local -> dc=demonet,dc=local
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
-> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=demonet,dc=local, with filter
(&(cn=disabled)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=Tauno
Testaaja,ou=,ou=Customers,dc=demonet,dc=local, with filter
(objectclass=*)
rlm_ldap::groupcmp: Group disabled not found or user not a member
  [ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for testu...@.fi
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> testu...@.fi
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testu...@.fi)
[ldap]  expand: dc=demonet,dc=local -> dc=demonet,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=demonet,dc=local, with filter
(uid=testu...@.fi)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword - Password-With-Header ==
{SSHA}g5PDm9CrOOQu+XjbMGHTPnY43mifXND0
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
[ldap] user testu...@.fi authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns 

FreeRadius error LDAP Authentication

2013-07-19 Thread Marco Aresu
Hi All,
I am new to FreeRADIUS. I am moving from Cisco ACS TACACS to FreeRADIUS.
During LDAP configuration I am getting the following error:

  [ldap] bind as cn=User,ou=people,dc=domain,dc=it/Password to
ldapserver:636
  [ldap] waiting for bind result ...
  [ldap] cn=user,ou=people,dc=domain,dc=it bind to ldapServer:636
failed No such object
  [ldap] (re)connection attempt failed

Any idea about the error?

Below the ldap configuration

server = ldapserver
port = 636
identity = cn=user,ou=people,dc=domain,dc=it
password = password
basedn = dc=domain,dc=it
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
base_filter = (objectclass=groupofuniquenames)


Thanks

Marco Aresu

Re: FreeRadius error LDAP Authentication

2013-07-19 Thread Peter Lambrechtsen
You shouldn't have quotes around your username or domain. You should use

identity = cn=user,ou=people,dc=domain,dc=it
On 19/07/2013 7:05 PM, Marco Aresu marcoar...@gmail.com wrote:


Re: Re: Freeradius 3 LDAP Generic Attributes

2013-04-12 Thread Nicholas Lemberger
The ldap.attrmap syntax in FR2 was:
checkItem   $GENERIC$   radiusCheckItem
replyItem   $GENERIC$   radiusReplyItem

Basically the ldap attributes radiusCheckItem & radiusReplyItem
contained FR attr/value pairs which were then added to the
corresponding attribute list in FR (e.g. in LDAP radiusReplyItem could
be Primary-DNS-Server := 1.1.1.1).

They wouldn't necessarily need to be distinct check/reply attributes
in the new rlm_ldap...  it could work more like unlang where an LDAP
attribute value could be control:Disabled := true, and where if the
list: portion is omitted it would default to reply.  No matter how
this happens, there's probably going to need to be a special case
syntax made in the rlm_ldap attribute mapping...

Best Regards,
-Nick
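The value format Nick describes (an LDAP attribute holding a FreeRADIUS attr/value pair such as Primary-DNS-Server := 1.1.1.1) and his proposed list: prefix (control:Disabled := true, with an omitted list meaning reply) are small enough to be worked through in code. The following is an added example written for this thread, not rlm_ldap code from either FR2 or FR3: a parser that turns such values into (list, attribute, operator, value) tuples and folds a sequence of them into per-list attribute tables with the users-file operator semantics. The LISTS tuple, the set of operators handled and the sample values beyond the two taken from Nick's post are assumptions of the example.

```python
"""Parser for FR2-style generic LDAP attribute values (radiusCheckItem /
radiusReplyItem) extended with the 'list:' prefix proposed in the thread.
Added example, not rlm_ldap code; LISTS and the sample values are assumed."""
import re

LISTS = ("request", "reply", "control", "proxy-request", "proxy-reply")
OPS = ("==", "!=", ":=", "+=", "=")       # '=' last so it cannot shadow the others
VALUE_RE = re.compile(
    r"^(?:(?P<list>[\w-]+):)?(?P<attr>[\w-]+)\s*"
    r"(?P<op>" + "|".join(map(re.escape, OPS)) + r")\s*"
    r'(?P<value>"(?:[^"\\]|\\.)*"|\S+)$')


def parse_generic(text, default_list="reply"):
    """'[list:]Attribute op value' -> (list, attribute, op, value).
    An omitted list defaults to 'reply', as suggested in the thread."""
    m = VALUE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an attribute assignment: {text!r}")
    lst = m.group("list") or default_list
    if lst not in LISTS:
        raise ValueError(f"unknown list {lst!r} in {text!r}")
    value = m.group("value")
    if value.startswith('"'):
        value = value[1:-1]
    return lst, m.group("attr"), m.group("op"), value


def apply_generic(values, default_list="reply"):
    """Fold directory values into per-list attribute tables with the
    users-file operator semantics: ':=' replaces, '+=' appends, '=' adds
    only when absent; '==' and '!=' are comparisons, collected as checks."""
    lists = {name: {} for name in LISTS}
    checks = []
    for text in values:
        lst, attr, op, value = parse_generic(text, default_list)
        table = lists[lst]
        if op == ":=":
            table[attr] = [value]
        elif op == "+=":
            table.setdefault(attr, []).append(value)
        elif op == "=":
            table.setdefault(attr, [value])
        else:
            checks.append((lst, attr, op, value))
    return lists, checks


# Constructed sample: what one user's radiusReplyItem values might hold. The
# first two entries are the thread's own examples, the rest are made up.
SAMPLE_VALUES = [
    "Primary-DNS-Server := 1.1.1.1",
    "control:Disabled := true",
    "Primary-DNS-Server += 1.1.1.2",
    'Reply-Message = "generic reply item"',
    'Reply-Message = "ignored, already set"',
    "request:NAS-IP-Address == 172.150.0.1",
]

if __name__ == "__main__":
    lists, checks = apply_generic(SAMPLE_VALUES)
    for name in LISTS:
        if lists[name]:
            print(name, lists[name])
    print("checks", checks)
```

A value that names a list the server does not have, or that is not an attr/value pair at all, raises rather than being silently dropped; in a module that is the point at which a malformed directory entry should be logged instead of applied.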


Re: Freeradius 3 LDAP Generic Attributes

2013-04-12 Thread Arran Cudbard-Bell

On 12 Apr 2013, at 15:00, Nicholas Lemberger nick.lember...@lkfd.net wrote:

 The ldap.attrmap syntax in FR2 was:
 checkItem   $GENERIC$   radiusCheckItem
 replyItem   $GENERIC$   radiusReplyItem
 
 Basically the ldap attributes radiusCheckItem & radiusReplyItem
 contained FR attr/value pairs which were then added to the
 corresponding attribute list in FR (e.g. in LDAP radiusReplyItem could
 be Primary-DNS-Server := 1.1.1.1).
 
 They wouldn't necessarily need to be distinct check/reply attributes
 in the new rlm_ldap...  it could work more like unlang where an LDAP
 attribute value could be control:Disabled := true, and where if the
 list: portion is omitted it would default to reply.  No matter how
 this happens, there's probably going to need to be a special case
 syntax made in the rlm_ldap attribute mapping...

I was thinking just adding a valuepair_attr = blah config item in the ldap 
config and then doing exactly what you suggested above.

It's not much work, i'll take a look at it later today or tomorrow.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Freeradius 3 LDAP Generic Attributes

2013-04-12 Thread Arran Cudbard-Bell

On 12 Apr 2013, at 15:21, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 

Done, but somebody's new xlat parser is segfaulting so i'd wait until tomorrow 
for that to be fixed before testing.

-Arran


Freeradius 3 LDAP Generic Attributes

2013-04-10 Thread Nicholas Lemberger
Hi,

I've been puttering around with FR3 and haven't been able to figure
out how to set up a mapping from LDAP 'radiusReplyItem' &
'radiusCheckItem' attributes to FR3 generic attributes.

While we do often create a special LDAP attribute for what we need,
the generic attributes in FR2 made testing and certain one-off
configurations much quicker.

I was hoping someone could point me in the correct direction!

Thanks,
-Nick


Re: Freeradius 3 LDAP Generic Attributes

2013-04-10 Thread Arran Cudbard-Bell

 I've been puttering around with FR3 and haven't been able to figure
 out how to set up a mapping from LDAP 'radiusReplyItem' &
 'radiusCheckItem' attributes to FR3 generic attributes.

I guess if it was useful we could add it back in, there's no real reason
not to.

Could you remind me what the value format was?

 While we do often create a special LDAP attribute for what we need,
 the generic attributes in FR2 made testing and certain one-off
 configurations much quicker.

Ok.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

Please contribute documentation:
http://wiki.freeradius.org

Stupidity is a harsh teacher and her lesson is pain


Authentification Problem with Cisco AP, freeradius and LDAP

2012-10-11 Thread Florian Arenz
Hello,

I have got a really annoying authentification problem and I would be glad if
you could help me.

I use a Cisco Aironet 1130ag Access Point, the radius-server is a Debian
Squeeze (6.0.5) and I installed FreeRadius Version 2.1.10 from the packet
sources.


After I made some changes to /etc/freeradius/modules/ldap to let my
radius know where the LDAP is and some other things, it looks like this:

--  /etc/freeradius/modules/ldap
ldap {

server  = 172.26.100.1
identity= uid=binduser,cn=users,ou=Infrastruktur,dc=tarent,dc=de
password= 
basedn  = dc=tarent,dc=de
filter  = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
base_filter = (objectclass=posixAccount)

groupname_attribute = cn

  # groupmembership_filter  =
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
groupmembership_filter  =
(&(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))

  # groupmembership_attribute   = radiusGroupName
groupmembership_attribute   = WLAN

  # compare_check_items = yes
  # do_xlat = yes
  # access_attr_used_for_allow  = yes

dictionary_mapping = /etc/freeradius/ldap.attrmap
password_attribute = CleartextPassword
set_auth_type  = yes
 }

When I start freeradius with freeradius -X this is the output I get:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 11
2012 at 17:06:46
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/detail
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/sql_log
including configuration

Re: Authentification Problem with Cisco AP, freeradius and LDAP

2012-10-11 Thread Alan Buxey
1 there is no such word as authentification, it's just 'authentication'

2 your client is trying to do EAP-TLS

3 check the FreeRADIUS compatibility matrix, because when you do use eg PEAP (and
have the CA cert on the client), MSCHAPv2 will only work with passwords from
LDAP in certain formats


alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.


Freeradius with ldap

2012-05-31 Thread Marlos Alex
I'm in trouble and I think that freeradius is, can anyone help me, I configured the ldap group and created a wireless and want only the users of this group to access my wifi network?


Re: Freeradius with ldap

2012-05-31 Thread Alan DeKok
Marlos Alex wrote:
 
 I'm in trouble and I think that freeradius is, can anyone help me, I
 configured theldap group and created a wireless and want only
 the users of this group to accessmy wifi network?

  Examples of LDAP group checking are in the FAQ.

  Alan DeKok.


Re: Freeradius with ldap

2012-05-31 Thread g17jimmy
The FAQ gives a *very* basic and less than complete example of using groups.
I found an old maillist entry that might be of help here. -
http://lists.freeradius.org/pipermail/freeradius-users/2007-June/019764.html 

I'm trying to do something similar and I'm having trouble getting radius to
be able to successfully validate a user as part of a group.



Re: Configuring Freeradius with LDAP

2012-04-19 Thread Wassim Zaarour
Hi,

Actually what was helpful was reading the comments in radiusd.conf.
The location of the ldap config changed starting with 2.0.0.

I successfully configured it

Thanks.

Wassim C. Zaarour
Systems & Network Engineer

On 4/18/12 11:12 PM, Mark Holmes mark.hol...@nuffield.ox.ac.uk wrote:



Configuring Freeradius with LDAP

2012-04-18 Thread Wassim Zaarour
Hi List,

I have installed freeradius 2.1.12, and it's working well.

Now I need to configure it to authenticate with LDAP (Sun Directory Server)
but I can't seem to find which file to configure in raddb, I can't find it
in radiusd.conf

I appreciate any help on this.

Wassim C. Zaarour
Systems & Network Engineer

Re: Configuring Freeradius with LDAP

2012-04-18 Thread Tobias Hachmer

Am 18.04.2012 19:47, schrieb Wassim Zaarour:

Now I need to configure it to authenticate with LDAP (Sun Directory
Server) but I can't seem to find which file to configure in raddb, I
can't find it in radiusd.conf


Did you try Google or just the search box on wiki.freeradius.org?

http://wiki.freeradius.org/search?q=ldap

Tobias Hachmer


Re: Configuring Freeradius with LDAP

2012-04-18 Thread Mark Holmes
I think

http://wiki.freeradius.org/Rlm_ldap

Has what you are after.

Mark



On 18 Apr 2012, at 18:53, Wassim Zaarour 
wassim.zaar...@navlink.commailto:wassim.zaar...@navlink.com wrote:

Hi List,

I have installed freeradius 2.1.12, and it's working well.

Now I need to configure it to authenticate with LDAP (Sun Directory Server) but 
I can't seem to find which file to configure in raddb, I can't find it in 
radiusd.conf

I appreciate any help on this.

Wassim C. Zaarour
Systems & Network Engineer


Re: FreeRADIUS with LDAP Support

2011-12-08 Thread Alan Buxey
Hi,

 I tried to compile FreeRADIUS with LDAP support however, rlm_ldap has
 not been compiled.
 Are libldap-2.4-2 libldap-dev not sufficient? Do I need to install OpenLDAP?

if you read the output of ./configure

eg

./configure | grep WARN

you will see what LDAP stuff is required - openldap


alan


Re: FreeRADIUS with LDAP Support

2011-12-08 Thread Fajar A. Nugraha
On Thu, Dec 8, 2011 at 9:51 AM, Nick Khamis sym...@gmail.com wrote:
 Hello Everyone,

 I tried to compile FreeRADIUS with LDAP support however, rlm_ldap has
 not been compiled.
 Are libldap-2.4-2 libldap-dev not sufficient? Do I need to install OpenLDAP?

Try libldap2-dev. That's what is in the Build-Depends section of debian/control.

-- 
Fajar


Re: FreeRADIUS with LDAP Support

2011-12-08 Thread Nick Khamis
Hello Everyone,

I do have libldap2-dev installed; however, it seems like openldap in all its
totality is needed?

Thanks in Advance,

Nick.

On Thu, Dec 8, 2011 at 5:31 AM, Fajar A. Nugraha l...@fajar.net wrote:


Re: FreeRADIUS with LDAP Support

2011-12-08 Thread John Dennis

On 12/08/2011 01:11 PM, Nick Khamis wrote:

Hello Everyone,

I do have libldap2-dev installed; however, it seems like openldap in all its
totality is needed?


What is needed will be listed in the output of configure. Also listed 
will be where configure looked for the dependency. You should read this. 
Usually you'll need the headers and libraries, but they may be located 
in non-standard locations, if so you'll have to tell configure where to 
find them.



--
John Dennis jden...@redhat.com



FreeRADIUS with LDAP Support

2011-12-07 Thread Nick Khamis
Hello Everyone,

I tried to compile FreeRADIUS with LDAP support however, rlm_ldap has
not been compiled.
Are libldap-2.4-2 libldap-dev not sufficient? Do I need to install OpenLDAP?

Thanks in Advance,

Nick.


Re: Freeradius and LDAP keepalive

2011-09-08 Thread Angel L. Mateo
Thank you. I have tried those options, but they don't work for me.
The problem is that they configure freeradius to send TCP keepalive
messages over the connection, but these packets are just TCP packets;
they don't contain any LDAP command, so openldap's idle_timeout is still
applied.


--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337


Re: Freeradius and LDAP keepalive

2011-09-08 Thread Alan DeKok
Angel L. Mateo wrote:
 Thank you. I have tried those options, but they don't work for me.
 The problem is that they configure freeradius to send TCP keepalive
 messages over the connection, but these packets are just TCP packets;
 they don't contain any LDAP command, so openldap's idle_timeout is still
 applied.

  Well... poke the server occasionally using radclient.

  Alan DeKok.


Freeradius and LDAP keepalive

2011-09-07 Thread Angel L. Mateo

Hello,

I have a freeradius 2.1.10 running on an Ubuntu (10.04) server. My users
are in an LDAP directory.


The problem I have is that the openldap server has an idle timeout (if a
connection stays idle for longer than this time, openldap closes the
connection). So I want to know if there is some way to configure a
keepalive on the LDAP connection of freeradius.


I have found in
http://freeradius.1045715.n5.nabble.com/rlm-ldap-amp-TCP-KeepAlive-td2795077.html
that there seems to be code to do this. I have checked this code against the
code from version 2.1.10 and it is there, but I think I have to configure
something, because connections are closed and I have logs like:


Sep  7 12:12:51 vulpes22 freeradius[21497]: RADIUS Requested access: 
myuser@mydomain (0)
Sep  7 12:12:51 vulpes22 freeradius[21497]:   [ldap-email] ldap_search() 
failed: LDAP connection lost.
Sep  7 12:12:51 vulpes22 freeradius[21497]:   [ldap-email] Attempting 
reconnect
Sep  7 12:12:51 vulpes22 freeradius[21497]: Login OK: 
[myuser@mydomain] (from client XXX port 1)


freeradius is working (it reconnects to the LDAP server without any
problem), but I want to avoid this error.


Is there any way to configure this keepalive?

--
Angel L. Mateo Martínez


Re: Freeradius and LDAP keepalive

2011-09-07 Thread Alan DeKok
Angel L. Mateo wrote:
 I have a freeradius 2.1.10 running on an Ubuntu (10.04) server. My
 users are in an LDAP directory.
 
 The problem I have is that openldap server has an idle timeout (if
 there is more than this time with an idle connection, openldap closes
 the connection). So I want to know if there is some way to configure a
 keepalive on the ldap connection of freeradius.
...
 Is there any way to configure this keepalive?

  In 2.1.12, the keepalive configuration is documented in raddb/modules/ldap

  Alan DeKok.




Re: Freeradius and LDAP keepalive

2011-09-07 Thread Angel L. Mateo

On 07/09/11 13:02, Alan DeKok wrote:

Angel L. Mateo wrote:

 I have a freeradius 2.1.10 running on an Ubuntu (10.04) server. My
users are in an LDAP directory.

 The problem I have is that openldap server has an idle timeout (if
there is more than this time with an idle connection, openldap closes
the connection). So I want to know if there is some way to configure a
keepalive on the ldap connection of freeradius.

...

 Is there any way to configure this keepalive?


   In 2.1.12, the keepalive configuration is documented in raddb/modules/ldap

I didn't find any 2.1.12 freeradius version (the latest version on the
freeradius web site is 2.1.11). In 2.1.11 (and 2.1.10) the options I have
found that could be related are:

* ldap_connections_number: number of active ldap connections (although I
have this value configured as 15, I can only see one active connection
with netstat)
* timeout: Timeout to finish a query
* timelimit: Timeout that the ldap server has to finish the query
* net_timeout: Seconds to wait for a response from the server

As far as I understand, none of these values is for a keepalive. Is
there any other parameter?



--
Angel L. Mateo Martínez


Re: Freeradius and LDAP keepalive

2011-09-07 Thread Alan DeKok
Angel L. Mateo wrote:
 I didn't find any 2.1.12 freeradius version (the latest version at
 freeradius web is 2.1.11). In 2.1.11 (and 2.1.10) the options I have
 found that could be related are:

  2.1.12 will be released soon.

 * ldap_connections_number: number of active ldap connections (although I
 have this value configured as 15, I can only see one active connection
 with netstat)
 * timeout: Timeout to finish a query
 * timelimit: Timeout that the ldap server has to finish the query
 * net_timeout: Seconds to wait for a response from the server
 
 As far as I understand, none of these values is for a keepalive. Is
 there any other parameter?

  See https://github.com/alandekok/freeradius-server/tree/v2.1.x

  Download a tar file.  It is a pre-release version of 2.1.12.  Then
see raddb/modules/ldap, as I suggested.

  Alan DeKok.

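
Angel's point in this thread is that a TCP-level keepalive never resets slapd's idle_timeout, because the probe carries no LDAP operation, which is why Alan suggests poking the server with radclient. The simulation below is added here and is not part of the thread, of FreeRADIUS or of OpenLDAP: it replays a schedule of requests against a constructed stand-in for a slapd with idle_timeout, compares a kernel keepalive with a periodic LDAP search (what a cron'd radclient request would cause), and counts how often rlm_ldap would have logged "LDAP connection lost" and reconnected. Server, client, timings and the request schedule are all constructed.

```python
from dataclasses import dataclass


class ConnectionLost(Exception):
    """The directory already closed the socket; this is where rlm_ldap logs 'LDAP connection lost'."""


@dataclass
class FakeSlapd:
    """Constructed stand-in for an OpenLDAP server with idle_timeout configured.

    Its idle clock is reset only by LDAP operations. A kernel TCP keepalive probe
    is answered by the TCP stack and never reaches slapd's idle accounting.
    """
    idle_timeout: int
    last_op: int = 0
    is_open: bool = False

    def connect(self, now: int) -> None:
        self.is_open = True
        self.last_op = now

    def tcp_keepalive(self, now: int) -> None:
        # Deliberately a no-op: the probe carries no LDAP PDU, so nothing changes.
        pass

    def ldap_op(self, now: int) -> None:
        if self.is_open and now - self.last_op > self.idle_timeout:
            self.is_open = False          # idle_timeout fired before this request arrived
        if not self.is_open:
            raise ConnectionLost()
        self.last_op = now


@dataclass
class LdapClient:
    """Minimal model of the rlm_ldap 2.x behaviour seen in the thread's log:
    a failed search triggers 'Attempting reconnect' and the search is retried."""
    server: FakeSlapd
    reconnects: int = 0

    def search(self, now: int) -> None:
        try:
            self.server.ldap_op(now)
        except ConnectionLost:
            self.reconnects += 1
            self.server.connect(now)
            self.server.ldap_op(now)


def simulate(strategy: str, idle_timeout: int = 60, interval: int = 30,
             request_times: tuple = (0, 100, 250, 400)) -> int:
    """Replay a schedule of RADIUS requests (each doing one LDAP search) and return
    the number of reconnects. strategy is 'tcp' (kernel keepalive every `interval`
    seconds) or 'ldap' (an LDAP search every `interval` seconds, e.g. radclient
    sending a test Access-Request from cron). Times are seconds; all constructed."""
    server = FakeSlapd(idle_timeout)
    client = LdapClient(server)
    server.connect(request_times[0])
    events = [(t, "auth") for t in request_times]
    events += [(t, strategy) for t in range(interval, request_times[-1], interval)]
    for t, kind in sorted(events):
        if kind == "tcp":
            server.tcp_keepalive(t)
        else:                               # 'auth' and 'ldap' both cost one search
            client.search(t)
    return client.reconnects


if __name__ == "__main__":
    for strategy, interval in (("tcp", 30), ("ldap", 30), ("ldap", 90)):
        print(f"{strategy:4s} keepalive every {interval:3d}s: "
              f"{simulate(strategy, interval=interval)} reconnect(s)")
```

The third run shows the other half of the requirement: an LDAP-level poke only helps when its interval is shorter than the server's idle_timeout.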


freeradius authentification ldap and windows 7 (PEAP mschapv2)

2011-05-03 Thread rene.go...@laposte.net



Re: PEAP w/ freeradius to LDAP storing ntPassword not working - resolved

2010-11-07 Thread Alan DeKok
schilling wrote:
 Here is my radiusd -X output of an assumed successful login with peap.
 Would you please see whether this is working? Yes, the default with
 one ldap line commented out in site-enabled/inner-tunnel works. But it
 will not work once I have a virtual server in the radiusd.conf.

  I don't think it's quite that simple.

 The debug is done with the default radius configuration with only the
 following addition:
 I could add all the uncommented lines in site-enabled/default to this
 virtual server instance; I just want to see what exactly my
 previous issue was, so I reduced it to the minimum working configuration, I thought.
  Well, maybe not.

  Exactly.  It's not about commenting or uncomment lines.  It's about
understanding how the server works.  If you don't understand it, you
will remain confused, and you will not be able to solve the issue.

...
 Sending Access-Accept of id 205 to 128.186.252.11 port 32858 
   MS-MPPE-Recv-Key =
 0x22e1319dea63f4410fe3ad33363dcca198536b1464c72ec70b83a73a1e1b0fab
   MS-MPPE-Send-Key =
 0x9656612e871bcba6fe5057864962efd2fd0653971462962d4583b94a0216d3b8
   EAP-Message = 0x031d0004
   Message-Authenticator = 0x
   User-Name = sding

  So... it works.  If the user doesn't get online, blame the AP.

  Alan DeKok.


Re: PEAP w/ freeradius to LDAP storing ntPassword not working - resolved

2010-11-06 Thread Alan DeKok
schilling wrote:
 Now whenever I try to have a virtual server for another instance, then
 it will have the same error as before.

  Then that virtual server is configured incorrectly.

 Then I copied the site-enabled/default content and put them within the
 virtual server, it's working again.

  The default configuration works.

 I then try to reduce to the
 minimum necessary configuration,

  Why?  Just... why do people do this?

 the following is for the virtual
 server to work

  No.  It won't work because LDAP is never used to find the known good
password.

  I have no idea what you're doing, but the server is definitely
misconfigured.

  Alan DeKok.


Re: PEAP w/ freeradius to LDAP storing ntPassword not working

2010-11-05 Thread schilling
I asked the ldap admin to change the format of the ntPassword to
prepend it with 0x; now radius -X gets the right hash, but it still has
"no known good password was found in LDAP". Nevertheless, the
authorization is ok. What is the right format to put in our ldap
ntPassword attribute? Should I ignore the error and focus on the
Auth-Type error?

I will reinstall 2.1.0 with all default, and try it again.

Thanks,

Schilling

[ldap] looking for check items in directory...
  [ldap] ntPassword -> NT-Password == 0x771cfdfe02a8c15e15b3e0e4974602fa
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure
that the user is configured correctly?
[ldap] user sding authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok


On Thu, Nov 4, 2010 at 11:10 PM, Alan DeKok al...@deployingradius.com wrote:
 schilling wrote:
 Found Auth-Type = EAP
   WARNING: Unknown value specified for Auth-Type.  Cannot perform
 requested action.

  You have edited the default configuration and broken it.  Don't do that.

  Alan DeKok.


Re: PEAP w/ freeradius to LDAP storing ntPassword not working - resolved

2010-11-05 Thread schilling
I am able to have peap/mschapv2 work with the ldap NT hash.

radtest -t mschap will not work for peap/mschapv2; the real windows
supplicant and wireless access point will work.

The format in ldap is not relevant, w/ or w/o the preceding 0x will work.

The configuration I changed from the default is the following:
clients.conf: add the testing AP ip and secret
eap.conf: add the real certificate etc.
modules/ldap: add the ldap proxy account information.
site-enabled/inner-tunnel: uncomment the ldap line in authorize
  authorize {
    #
    #  The ldap module will set Auth-Type to LDAP if it has not
    #  already been set
    ldap
  }

Now whenever I try to have a virtual server for another instance, it
has the same error as before.

Then I copied the site-enabled/default content and put it within the
virtual server, and it's working again. I then tried to reduce it to the
minimum necessary configuration; the following is what the virtual
server needs to work:

server ldap_ntpassword_1814 {
    listen {
        type = auth
        ipaddr = *
        port = 1814
    }
    listen {
        ipaddr = *
        port = 1815
        type = acct
    }
    authorize {
        eap {
            ok = return
        }
    }
    authenticate {
        eap
    }
}

Thanks,

Schilling







PEAP w/ freeradius to LDAP storing ntPassword not working

2010-11-04 Thread schilling
Hi All,

We have ntPassword hashes in our ldap server; now authentication via
peap from a windows computer and via radtest -t mschap both fail. Attached please
find the full debug information. My username is sding for the testing.

Thanks,


[r...@auth2 opt]# ./sbin/radiusd -X
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Nov  4
2010 at 13:04:32
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /opt/etc/raddb/radiusd.conf
including configuration file /opt/etc/raddb/clients.conf
including files in directory /opt/etc/raddb/modules/
including configuration file /opt/etc/raddb/modules/policy
including configuration file /opt/etc/raddb/modules/acct_unique
including configuration file /opt/etc/raddb/modules/unix
including configuration file /opt/etc/raddb/modules/chap
including configuration file /opt/etc/raddb/modules/preprocess
including configuration file /opt/etc/raddb/modules/expiration
including configuration file /opt/etc/raddb/modules/mac2vlan
including configuration file /opt/etc/raddb/modules/mschap
including configuration file /opt/etc/raddb/modules/ippool
including configuration file /opt/etc/raddb/modules/files
including configuration file /opt/etc/raddb/modules/krb5
including configuration file /opt/etc/raddb/modules/passwd
including configuration file /opt/etc/raddb/modules/radutmp
including configuration file /opt/etc/raddb/modules/attr_rewrite
including configuration file /opt/etc/raddb/modules/echo
including configuration file /opt/etc/raddb/modules/etc_group
including configuration file /opt/etc/raddb/modules/pap
including configuration file /opt/etc/raddb/modules/realm
including configuration file /opt/etc/raddb/modules/pam
including configuration file /opt/etc/raddb/modules/always
including configuration file /opt/etc/raddb/modules/exec
including configuration file /opt/etc/raddb/modules/logintime
including configuration file /opt/etc/raddb/modules/sql_log
including configuration file /opt/etc/raddb/modules/smbpasswd
including configuration file /opt/etc/raddb/modules/sradutmp
including configuration file /opt/etc/raddb/modules/counter
including configuration file /opt/etc/raddb/modules/ldap
including configuration file /opt/etc/raddb/modules/expr
including configuration file /opt/etc/raddb/modules/attr_filter
including configuration file /opt/etc/raddb/modules/checkval
including configuration file /opt/etc/raddb/modules/digest
including configuration file /opt/etc/raddb/modules/detail
including configuration file /opt/etc/raddb/modules/detail.log
including configuration file /opt/etc/raddb/modules/mac2ip
including configuration file /opt/etc/raddb/modules/detail.example.com
including configuration file /opt/etc/raddb/modules/inner-eap
including configuration file /opt/etc/raddb/modules/linelog
including configuration file /opt/etc/raddb/modules/otp
including configuration file /opt/etc/raddb/modules/perl
including configuration file /opt/etc/raddb/modules/smsotp
including configuration file /opt/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /opt/etc/raddb/modules/wimax
including configuration file /opt/etc/raddb/modules/cui
including configuration file /opt/etc/raddb/modules/dynamic_clients
including configuration file /opt/etc/raddb/modules/ntlm_auth
including configuration file /opt/etc/raddb/modules/opendirectory
including configuration file /opt/etc/raddb/eap.conf
including configuration file /opt/etc/raddb/sql.conf
including configuration file /opt/etc/raddb/sql/mysql/dialup.conf
including configuration file /opt/etc/raddb/policy.conf
including files in directory /opt/etc/raddb/sites-enabled/
including configuration file /opt/etc/raddb/sites-enabled/default
including configuration file /opt/etc/raddb/sites-enabled/inner-tunnel
including configuration file /opt/etc/raddb/sites-enabled/control-socket
main {
allow_core_dumps = no
}
including dictionary file /opt/etc/raddb/dictionary
main {
prefix = /opt
localstatedir = /opt/var
logdir = /var/log/radius
libdir = /opt/lib
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /opt/var/run/radiusd/radiusd.pid
checkrad = /opt/sbin/checkrad
debug_level = 0
proxy_requests = no
 log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
radiusd:  Loading Clients 
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = 

Re: PEAP w/ freeradius to LDAP storing ntPassword not working

2010-11-04 Thread schilling
I put the debug into the form at
http://networkradius.com/freeradius.html
and got the following for the first packet.

My LDAP entry
dn: uid=sding,ou=People,dc=fsu,dc=edu
ntPassword: 771CFDFE02A8C15E15B3E0E4974602FA

smbencrypt of my password; the hashes are the same as in the ldap query.
LM Hash                          NT Hash
FC6252923272ADAEC6EBE8776A153FEB 771CFDFE02A8C15E15B3E0E4974602FA

Radius debug interpreter output
 [ldap] ntPassword -> NT-Password ==
0x3737314346444645303241384331354531354233453045343937343630324641
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure
that the user is configured correctly?

Could someone kindly shed some light on this for me, please?

Thanks,

Schilling





Packet 0
rad_recv: Access-Request packet from host 127.0.0.1 port 35206,
id=243, length=113
   User-Name = sding
   NAS-IP-Address = 128.186.33.38
   NAS-Port = 3
   MS-CHAP-Challenge = 0x1f0a6708d52907ac
   MS-CHAP-Response =
0x0001b521c0b0b7e69a6109b6b5a5ed5724222914a679acbb5208
server ldap_ntpassword_1814 {
# Executing section authorize from file /opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[ldap] performing user authorization for sding
[ldap]  expand: (&(uid=%u)(!(uid=lib-guest*))) ->
(&(uid=sding)(!(uid=lib-guest*)))
[ldap]  expand: dc=fsu,dc=edu -> dc=fsu,dc=edu
 [ldap] ldap_get_conn: Checking Id: 0
 [ldap] ldap_get_conn: Got Id: 0
 [ldap] attempting LDAP reconnection
 [ldap] (re)connect to mds.fsu.edu:389, authentication 0
 [ldap] starting TLS
 [ldap] bind as cn=radius-proxy,ou=proxy-users,dc=fsu,dc=edu/y0dayad0
to mds.fsu.edu:389
 [ldap] waiting for bind result ...
 [ldap] Bind was successful
 [ldap] performing search in dc=fsu,dc=edu, with filter
(&(uid=sding)(!(uid=lib-guest*)))
[ldap] looking for check items in directory...
 [ldap] ntPassword -> NT-Password ==
0x3737314346444645303241384331354531354233453045343937343630324641
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure
that the user is configured correctly?
[ldap] user sding authorized to use remote access
 [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
Found Auth-Type = MSCHAP
 WARNING: Unknown value specified for Auth-Type.  Cannot perform
requested action.
Failed to authenticate the user.
Login incorrect: [sding] (from client localhost port 3)
} # server ldap_ntpassword_1814
Using Post-Auth-Type Reject
 WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform
requested action.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 243 to 127.0.0.1 port 35206


Re: PEAP w/ freeradius to LDAP storing ntPassword not working

2010-11-04 Thread Alan DeKok
schilling wrote:
 Found Auth-Type = EAP
   WARNING: Unknown value specified for Auth-Type.  Cannot perform
 requested action.

  You have edited the default configuration and broken it.  Don't do that.

  Alan DeKok.


PEAP w/ freeradius to LDAP storing ntPassword

2010-10-06 Thread schilling
Hi All,

We are trying to use ldap as the backend database for dot1x peap
authentication through freeradius.  The following link has a good
explanation.

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

But do we really need both ntpassword and lmpassword in the ldap directory?

How does the process work regarding ntpassword authentication? Is the
following sequence in the right direction?

windows client sends username and ntpassword to NAS
NAS sends the username/ntpassword to radius in a tunnel
radius unwraps the tunnel, uses the username to fetch the ntpassword
from ldap, compares the ldap-returned ntpassword with the unwrapped
ntpassword, and if they are the same, authentication is accepted.

Thanks,

Schilling


Re: PEAP w/ freeradius to LDAP storing ntPassword

2010-10-06 Thread Alan DeKok
schilling wrote:
 We are trying to use ldap as backend database for dot1x peap
 authentication thru freeradius.  The following link has good
 explanation.
 
 http://vuksan.com/linux/dot1x/802-1x-LDAP.html

  Note it's 5 years old...

 But do we really need both ntpassword and lmpassword in the ldap directory?

  No.

 windows client send username and ntpassword to NAS
 NAS send the username/ntpassword to radius in a tunnel
 radius unwrap the tunnel, using the username to fetch the ntpassword
 from ldap, do a comparison of ldap returned ntpassword and unwrapped
 ntpassword, if they are the same, authentication accept.

  No.  It's a *lot* more complicated than that.

  All you need to do is to uncomment ldap in
raddb/sites-available/inner-tunnel, and it should work.

  Alan DeKok.


Re: PEAP w/ freeradius to LDAP storing ntPassword

2010-10-06 Thread schilling
There is smbencrypt in radius-utils to generate the LM Hash and NT Hash.  Any
known good perl script to do this?
sd...@palm:/usr/bin$ smbencrypt schilling
LM Hash                          NT Hash
D134D8CD21607749DD4218F5E59DD23A AF8AC3EF6579FC768515F960FB2096AC

Then which one is required?

Any format requirement in the ldap? Or just copy the 32 characters and
put them in the ldap?

Thanks.

Schilling



Re: PEAP w/ freeradius to LDAP storing ntPassword

2010-10-06 Thread Nelson Vale
2010/10/6 schilling schilling2...@gmail.com

 There is smbencrypt in radius-utils to generate the LM Hash and NT Hash.  Any
 known good perl script to do this?


You can use Crypt::SmbHash (from CPAN).


 sd...@palm:/usr/bin$ smbencrypt schilling
 LM Hash                          NT Hash
 D134D8CD21607749DD4218F5E59DD23A AF8AC3EF6579FC768515F960FB2096AC



 Then which one is required?


NT Hash is required.



 Any format requirement in the ldap? Or just copy the 32 character and
 put in the ldap?


Just put the NT Hash in the sambaNTPassword field in LDAP.



FreeRadius and LDAP from Nortel Switch

2010-09-28 Thread BELLIERE Eric
Phil,

Fine, it is working better. What a stupid error :-)

Now I have to troubleshoot, because FreeRADIUS sends an Accept but the
switch says Invalid Password

FR 2.1.9
Sending Access-Accept of id 169 to 192.168.250.64 port 4481

Switch
Login: ebellier
Password: 
Invalid Password.

Many Thanks.

Eric B.






freeradius pap ldap

2010-08-19 Thread Walter Breno
hi, I'm a newbie on freeradius and I have some problems configuring my
freeradius-2.1.9.
I successfully configured my freeradius to authenticate using a mysql
database, but I can't make it authenticate using an openLDAP server. I need
to make my 3com 5800G switches authenticate on the freeradius server using
mac-based auth; if somebody has some experience with that or some
documentation, I'll appreciate it.

thanks

Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread nf-vale
Hi,

You can add NT / LM pairs to each LDAP user object. You must include
samba.schema in the ldap server's schemas.

Ex:

sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE

You can create these passwords using smbencrypt tool (deployed with samba).

This way pptp MSCHAP auth will work.


Nelson Vale


On Monday 05 July 2010 16:59:08 Daniel Gomes wrote:
 Dear list,
 
 I know this is a question which has been thoroughly asked and answered,
 but after spending several days configuring, debugging, searching the
 internet, re-configuring, etc, I still can't get my freeradius server
 to properly authenticate users (for a pptpd server).
 
 First of all, on the pptpd server's side (which I know it's not your
 jurisdiction, so I'll be fast here), I have the require-mschap-v2 and
 require-mppe options enabled.
 
 As for freeradius itself, a summarized sites-enabled/default reads:
 
 authorize {
     preprocess
     pap
     mschap
     ldap
     auth_log
     eap {
         ok = return
     }
     expiration
     logintime
 }
 
 authenticate {
     Auth-Type PAP {
         pap
     }
     Auth-Type MS-CHAP {
         mschap
     }
     Auth-Type LDAP {
         ldap
     }
     eap
 }
 
 My modules/ldap contains all the necessary information, and my
 modules/mschap has the options use_mppe, require_encryption and
 require_strong enabled, like most tutorials state.
 
 As for the results, radtest works fine (querying LDAP etc), but through
 pptpd it always fails with this error:
 
 
 
 rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
 length=151
   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = dgomes
   MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
   MS-CHAP2-Response =
 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
   Calling-Station-Id = 193.136.136.200
   NAS-IP-Address = 193.136.136.40
   NAS-Port = 0
 +- entering group authorize {...}
 ++[preprocess] returns ok
 [pap] WARNING! No known good password found for the user.
 Authentication may fail because of this.
 ++[pap] returns noop
 [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
 ++[mschap] returns ok
 [ldap] performing user authorization for dgomes
 WARNING: Deprecated conditional expansion :-.  See man unlang for
 details
   expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
   expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt ->
 ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
 rlm_ldap: bind as
 cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
 gold.ipfn.ist.utl.pt:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
 with filter (cn=dgomes)
 [ldap] No default NMAS login sequence
 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that
 the user is configured correctly?
 [ldap] user dgomes authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
 ++[ldap] returns ok
   expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y
 %m%d - /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
 [auth_log]
 /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
 expand: %t - Thu Jul  8 14:08:34 2010
 ++[auth_log] returns ok
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 Found Auth-Type = MSCHAP
 +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
 [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
 [mschap] FAILED: MS-CHAP2-Response is incorrect
 ++[mschap] returns reject
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
   expand: %{User-Name} - dgomes
  attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request
 
 --
 
 I know that the error should be enough for me to fix it (since it's
 quite explanatory), but after trying many different configurations and
 searching through dozens of old mailing lists posts, I still haven't
 managed it...
 
 So yeah, if you could help me out, 

Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
 I know this is a question which has been thoroughly asked and answered,
 but after spending several days configuring, debugging, searching the
 internet, re-configuring, etc, I still can't get my freeradius server
 to properly authenticate users (for a pptpd server).

  Go read the debug log.  It's not finding the password for the user.
Fix that.

 So yeah, if you could help me out, I'd appreciate it! All I want is
 pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
 is not even a requirement for me here, since both services are on the
 same machine, so there's not even the need for safe connections. So long
 as it works, I really don't care about any particular configuration!

  A simple LDAP query for the user is *not* returning a password.
That's the problem.

  Does the user even have a password in LDAP?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

Hey there,

first of all, thanks for all the tips!

Commenting them, in the order in which they came:

@peter lambrechtsen:

 I actually had tried PAP before, but I gave up then because pptpd was 
refusing clients without even consulting the RADIUS server... But I 
noticed (a couple of minutes ago) that I had the client (ie. Windows) 
configured to try MS-CHAP and not PAP...


@ nf-vale:

nice detailed description on how to fix it, but I ended up using peter's 
solution, as it seemed easier.


@ana dekok (inline comments):

Em 09-07-2010 11:23, Alan DeKok escreveu:

Daniel Gomes wrote:
   

I know this is a question which has been thoroughly asked and answered,
but after spending several days configuring, debugging, searching the
internet, re-configuring, etc, I still can't get my freeradius server
to properly authenticate users (for a pptpd server).
 

   Go read the debug log.  It's not finding the password for the user.
Fix that.

   

So yeah, if you could help me out, I'd appreciate it! All I want is
pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
is not even a requirement for me here, since both services are on the
same machine, so there's not even the need for safe connections. So long
as it works, I really don't care about any particular configuration!
 

   A simple LDAP query for the user is *not* returning a password.
That's the problem.

   Does the user even have a password in LDAP?

   


From the logs, and as I wrote on my initial cry for help, I could see 
that the password wasn't being found, I just couldn't puzzle out why... 
And yes, the users do have passwords on LDAP (we are using it to 
authenticate many other applications), and as I wrote down, radtest was 
working fine, so freeradius was able to authenticate users via LDAP.





   Alan DeKok.
   


Anyway, once again, thanks for all the tips! It seems to be working fine 
with PAP, so I guess I'll go with it!


Cheers,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
 From the logs, and as I wrote on my initial cry for help, I could see
 that the password wasn't being found, I just couldn't puzzle out why...
 And yes, the users do have passwords on LDAP (we are using it to
 authenticate many other applications), and as I wrote down, radtest was
 working fine, so freeradius was able to authenticate users via LDAP.

  Let me guess: it's Active Directory.

  Active Directory is *not* a real LDAP server.  In order to
authenticate users with MS-CHAP, you will need to install Samba.

  See the Active Directory howto on http://deployingradius.com/

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

Wrong guess, it's OpenLDAP :)

Em 09-07-2010 13:04, Alan DeKok escreveu:

Daniel Gomes wrote:


 From the logs, and as I wrote on my initial cry for help, I could see
that the password wasn't being found, I just couldn't puzzle out why...
And yes, the users do have passwords on LDAP (we are using it to
authenticate many other applications), and as I wrote down, radtest was
working fine, so freeradius was able to authenticate users via LDAP.


   Let me guess: it's Active Directory.

   Active Directory is *not* a real LDAP server.  In order to
authenticate users with MS-CHAP, you will need to install Samba.

   See the Active Directory howto on http://deployingradius.com/

   Alan DeKok.



--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
 Wrong guess, it's OpenLDAP :)

  Then fix it so that it returns a password to FreeRADIUS.

  It's an LDAP server.  If it doesn't return a password when an LDAP
client queries it for a password, it's broken.

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes
Well, as I mentioned (a couple of times now), the LDAP server was indeed 
returning a password to FreeRADIUS, since radtest was always working 
fine. So the problem wasn't in the LDAP server itself, because it does 
return a password when an LDAP client queries it for a password (as I 
also mentioned it, we are currently and successfully using it to 
authenticate other services). The problem was really related to MS-CHAP, 
and now that I changed to PAP, it all seems to be working fine...


Em 09-07-2010 13:35, Alan DeKok escreveu:

Daniel Gomes wrote:


Wrong guess, it's OpenLDAP :)


   Then fix it so that it returns a password to FreeRADIUS.

   It's an LDAP server.  If it doesn't return a password when an LDAP
client queries it for a password, it's broken.

   Alan DeKok.



--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
 Well, as I mentioned (a couple of times now), the LDAP server was indeed
 returning a password to FreeRADIUS, since radtest was always working
 fine.

  No, it wasn't returning a password to FreeRADIUS.  Go *read* the debug
output.  It will prove this.

  When using PAP, the LDAP module looks for a password.  If it doesn't
get one, it then tries to do bind as user.  That is, it hands the
username & password to the LDAP server, and asks "are these OK?"

  When this happens, you're making your LDAP server do user
authentication.  This is wrong.  LDAP is a database.  RADIUS is an
authentication server.

 So the problem wasn't in the LDAP server itself, because it does
 return a password when an LDAP client queries it for a password (as I
 also mentioned it, we are currently and successfully using it to
 authenticate other services).

  Using PAP passwords.

 The problem was really related to MS-CHAP,
 and now that I changed to PAP, it all seems to be working fine...

  Yes.  For the reasons outlined above.

  Your situation *isn't* the first time someone has had this issue.
We're familiar with the problem & solution, where you are clearly not.

  Alan DeKok.
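To make the point above concrete, here is an added Python example (written for this page; it is not code from the thread or from FreeRADIUS). MS-CHAPv2 proves knowledge of the NT hash, MD4 of the UTF-16LE password, so a RADIUS server can only verify the response when the directory hands it either the cleartext password (from which the hash is derived) or the NT hash itself. The example implements MD4 so it runs offline, computes the NT hash, and mirrors the decision behind the "No Cleartext-Password configured. Cannot create NT-Password" lines in the debug log: a cleartext userPassword, with or without a `{clear}` header, or a stored ntPassword attribute gives the server something to work with, while a one-way hash such as `{SSHA}` does not. It also emits the LDIF that would store the NT hash under the ntPassword attribute that nf-vale's fix (mentioned later in this thread) adds. The entry layout, the header handling and the attribute name are assumptions for the example; which attribute your schema actually uses depends on that schema.

```python
"""Added example: why MS-CHAPv2 needs an NT hash from the directory.

MD4 is implemented here so the example runs without OpenSSL's legacy
provider. The entry layout, the {clear} header and the ntPassword
attribute name are assumptions for this example, not FreeRADIUS code.
"""
import struct

_MASK = 0xFFFFFFFF
_ROUNDS = (
    # (mixing function, additive constant, per-step shifts, message word order), RFC 1320
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
     list(range(16))),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of `data` (16 bytes)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)            # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for f, const, shifts, order in _ROUNDS:
            for i in range(16):
                j = (-i) % 4                           # register updated in this step
                v = (s[j] + f(s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4])
                     + x[order[i]] + const) & _MASK
                n = shifts[i % 4]
                s[j] = ((v << n) | (v >> (32 - n))) & _MASK
        state = [(a + b) & _MASK for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, as upper-case hex (the NT-Password form)."""
    return md4(password.encode("utf-16-le")).hex().upper()


def nt_password_from_entry(entry: dict):
    """What an MS-CHAP check can obtain from one directory entry.

    Returns the NT hash, or None when the entry only carries a one-way
    hash: the "Cannot create NT-Password" situation from the debug log.
    """
    if "ntPassword" in entry:                          # already stored as an NT hash
        return entry["ntPassword"].upper()
    stored = entry.get("userPassword")
    if stored is None:
        return None
    if stored.startswith("{clear}"):
        return nt_hash(stored[len("{clear}"):])
    if stored.startswith("{"):                         # {SSHA}, {CRYPT}, ...: cannot be reversed
        return None
    return nt_hash(stored)                             # bare cleartext


def ntpassword_ldif(dn: str, password: str) -> str:
    """LDIF modify adding the NT hash as an ntPassword attribute (attribute name assumed)."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "add: ntPassword",
        f"ntPassword: {nt_hash(password)}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample entries, not real directory data.
    entries = {
        "cleartext": {"userPassword": "{clear}password"},
        "ssha-only": {"userPassword": "{SSHA}c2FtcGxlLXNhbHRlZC1oYXNo"},
        "nt-hash":   {"ntPassword": "8846f7eaee8fb117ad06bdd830b7586c"},
    }
    for name, entry in entries.items():
        print(f"{name:10s} -> NT-Password available: {nt_password_from_entry(entry)}")
    print(ntpassword_ldif("cn=user1,ou=people,dc=example,dc=org", "password"))
```

The `ssha-only` entry is the shape of the problem in this thread: PAP can still be checked against it (or by binding as the user), but nothing in it lets the server compute the value MS-CHAPv2 is proving, so the mschap module rejects. Storing the NT hash is storing a password-equivalent, so the attribute deserves the same access controls as a cleartext userPassword.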


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

Em 09-07-2010 13:59, Alan DeKok escreveu:

Daniel Gomes wrote:
   

Well, as I mentioned (a couple of times now), the LDAP server was indeed
returning a password to FreeRADIUS, since radtest was always working
fine.
 

   No, it wasn't returning a password to FreeRADIUS.  Go *read* the debug
output.  It will prove this.

   When using PAP, the LDAP module looks for a password.  If it doesn't
get one, it then tries to do bind as user.  That is, it hands the
username & password to the LDAP server, and asks "are these OK?"

   When this happens, you're making your LDAP server do user
authentication.  This is wrong.  LDAP is a database.  RADIUS is an
authentication server.
   


Ok, thanks, now I see the difference. I did read the debug output, and 
again, I understood that FreeRADIUS was having problems getting the 
userPassword, I just couldn't understand why. For a layman such as 
myself, if it worked with radtest it followed that it should work with 
MS-CHAP too. With this explanation, now I understand why it didn't.


   

So the problem wasn't in the LDAP server itself, because it does
return a password when an LDAP client queries it for a password (as I
also mentioned it, we are currently and successfully using it to
authenticate other services).
 

   Using PAP passwords.

   


Actually these applications are probably just binding with the user's 
credentials, but that's not relevant here.



The problem was really related to MS-CHAP,
and now that I changed to PAP, it all seems to be working fine...
 

   Yes.  For the reasons outlined above.

   Your situation *isn't* the first time someone has had this issue.
We're familiar with the problem & solution, where you are clearly not.

   Alan DeKok.
   


Well, it doesn't help me much if you say you know the problem and its 
solution, but then don't tell me how to fix it. And I know I'm not the 
first one to have these issues, I started from the beginning by saying 
that I read everything I could find about it on the Internet, tried to 
fix the problem many times and only then I came here, asking for help. 
Sorry for wasting your time!... And btw, your aggressive attitude 
doesn't really help anyone.


Anyway, after getting it to work with PAP, I followed nf-vale's solution 
(adding the ntPassword and lmPassword attributes to LDAP) and now it's 
also working with MS-CHAP. Thanks for the great tip!!


Cheers,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
  we are currently and successfully using it to
 authenticate other services).
  
Using PAP passwords.  
 
 Actually these applications are probably just binding with the user's
 credentials, but that's not relevant here.

  <sigh>  That's what I meant.

 Well, it doesn't help me much if you say you know the problem and its
 solution, but then don't tell me how to fix it.

  OpenLDAP has documentation on how to make it return passwords when an
LDAP client asks for them.  We don't tend to copy that documentation here.

 And I know I'm not the
 first one to have these issues, I started from the beginning by saying
 that I read everything I could find about it on the Internet, tried to
 fix the problem many times and only then I came here, asking for help.
 Sorry for wasting your time!... And btw, your aggressive attitude
 doesn't really help anyone.

  Sorry... but when you ask for help, you shouldn't argue with the
answers.  Especially when it's clear that you're asking for help because
you don't know what's going wrong.

  Education can be a painful process.

 Anyway, after getting it to work with PAP, I followed nf-vale's solution
 (adding the ntPassword and lmPassword attributes to LDAP) and now it's
 also working with MS-CHAP. Thanks for the great tip!!

  That's good to hear.

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes


Em 09-07-2010 17:12, Alan DeKok escreveu:

Daniel Gomes wrote:
   

  we are currently and successfully using it to
authenticate other services).

 

Using PAP passwords.
   

Actually these applications are probably just binding with the user's
credentials, but that's not relevant here.
 

   <sigh>   That's what I meant.

   

Well, it doesn't help me much if you say you know the problem and its
solution, but then don't tell me how to fix it.
 

   OpenLDAP has documentation on how to make it return passwords when an
LDAP client asks for them.  We don't tend to copy that documentation here.

   

And I know I'm not the
first one to have these issues, I started from the beginning by saying
that I read everything I could find about it on the Internet, tried to
fix the problem many times and only then I came here, asking for help.
Sorry for wasting your time!... And btw, your aggressive attitude
doesn't really help anyone.
 

   Sorry... but when you ask for help, you shouldn't argue with the
answers.  Especially when it's clear that you're asking for help because
you don't know what's going wrong.

   Education can be a painful process.

   


Mate, I wasn't arguing in the sense of you're wrong, I was just trying 
to understand why were you saying that LDAP wasn't working, when it 
clearly looked like it was. After you explained the difference between 
PAP and MS-CHAP on the previous email, I could finally understand just 
that. So thanks once again for the explanation!


And yeah, I didn't know what was going on, but that was my reason to 
come here in the first place!



Anyway, after getting it to work with PAP, I followed nf-vale's solution
(adding the ntPassword and lmPassword attributes to LDAP) and now it's
also working with MS-CHAP. Thanks for the great tip!!
 

   That's good to hear.

   Alan DeKok.
   


Thanks for the patience,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-08 Thread Daniel Gomes
Dear list,

I know this is a question which has been thoroughly asked and answered,
but after spending several days configuring, debugging, searching the
internet, re-configuring, etc, I still can't get my freeradius server
to properly authenticate users (for a pptpd server).

First of all, on the pptpd server's side (which I know it's not your
jurisdiction, so I'll be fast here), I have the require-mschap-v2 and
require-mppe options enabled.

As for freeradius itself, a summarized sites-enabled/default reads:

authorize {
    preprocess
    pap
    mschap
    ldap
    auth_log
    eap {
        ok = return
    }
    expiration
    logintime
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        ldap
    }
    eap
}

My modules/ldap contains all the necessary information, and my
modules/mschap has the options use_mppe, require_encryption and
require_strong enabled, like most tutorials state.

As for the results, radtest works fine (querying LDAP etc), but through
pptpd it always fails with this error:



rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
length=151
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = dgomes
MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
MS-CHAP2-Response =
0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
Calling-Station-Id = 193.136.136.200
NAS-IP-Address = 193.136.136.40
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[ldap] performing user authorization for dgomes
WARNING: Deprecated conditional expansion :-.  See man unlang for
details
expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=dgomes)
expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt -
ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
rlm_ldap: bind as
cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
gold.ipfn.ist.utl.pt:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
with filter (cn=dgomes)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that
the user is configured correctly?
[ldap] user dgomes authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y
%m%d - /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
expand: %t - Thu Jul  8 14:08:34 2010
++[auth_log] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} - dgomes
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request

--

I know that the error should be enough for me to fix it (since it's
quite explanatory), but after trying many different configurations and
searching through dozens of old mailing lists posts, I still haven't
managed it...

So yeah, if you could help me out, I'd appreciate it! All I want is
pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
is not even a requirement for me here, since both services are on the
same machine, so there's not even the need for safe connections. So long
as it works, I really don't care about any particular configuration!

Thanks in advance,
Daniel Gomes



Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-08 Thread Peter Lambrechtsen
Why not setup your NAS to use PAP, instead of MS-CHAP.

If you use MS-CHAP you will need to have NT hashes in your LDAP directory.

It would be far easier to have PAP authentication enabled on your NAS, then
it should work fine.

On Tue, Jul 6, 2010 at 3:59 AM, Daniel Gomes dgo...@ipfn.ist.utl.pt wrote:

 Dear list,

 I know this is a question which has been thoroughly asked and answered,
 but after spending several days configuring, debugging, searching the
 internet, re-configuring, etc, I still can't get my freeradius server
 to properly authenticate users (for a pptpd server).

 First of all, on the pptpd server's side (which I know it's not your
 jurisdiction, so I'll be fast here), I have the require-mschap-v2 and
 require-mppe options enabled.

 As for freeradius itself, a summarized sites-enabled/default reads:

 authorize {
     preprocess
     pap
     mschap
     ldap
     auth_log
     eap {
         ok = return
     }
     expiration
     logintime
 }

 authenticate {
     Auth-Type PAP {
         pap
     }
     Auth-Type MS-CHAP {
         mschap
     }
     Auth-Type LDAP {
         ldap
     }
     eap
 }

 My modules/ldap contains all the necessary information, and my
 modules/mschap has the options use_mppe, require_encryption and
 require_strong enabled, like most tutorials state.

 As for the results, radtest works fine (querying LDAP etc), but through
 pptpd it always fails with this error:

 

 rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
 length=151
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = dgomes
MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
MS-CHAP2-Response =

 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
Calling-Station-Id = 193.136.136.200
NAS-IP-Address = 193.136.136.40
NAS-Port = 0
 +- entering group authorize {...}
 ++[preprocess] returns ok
 [pap] WARNING! No known good password found for the user.
 Authentication may fail because of this.
 ++[pap] returns noop
 [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
 ++[mschap] returns ok
 [ldap] performing user authorization for dgomes
 WARNING: Deprecated conditional expansion :-.  See man unlang for
 details
expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=dgomes)
expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt -
 ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
 rlm_ldap: bind as
 cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
 gold.ipfn.ist.utl.pt:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
 with filter (cn=dgomes)
 [ldap] No default NMAS login sequence
 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that
 the user is configured correctly?
 [ldap] user dgomes authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
 ++[ldap] returns ok
expand:
 /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y
 %m%d - /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
 [auth_log]
 /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
 to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
expand: %t - Thu Jul  8 14:08:34 2010
 ++[auth_log] returns ok
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 Found Auth-Type = MSCHAP
 +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
 [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
 [mschap] FAILED: MS-CHAP2-Response is incorrect
 ++[mschap] returns reject
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
expand: %{User-Name} - dgomes
  attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request

 --

 I know that the error should be enough for me to fix it (since it's
 quite explanatory), but after trying many different configurations and
 searching through dozens of old mailing lists posts, I still haven't
 managed it...

 So yeah, if you could help me out, I'd appreciate it! All I want is
 pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
 is not even 

Re: Fw: freeradius and ldap using chap

2010-02-22 Thread Eric Eric
When I remove ldap-Vpn from authenticate part error is:
 
rlm_chap: login attempt by test with CHAP password
  rlm_chap: Could not find clear text password for user test
Login incorrect (rlm_chap: Clear text password not available): [test] (from 
client vpntist port 128 cli 10.10.10.24)

what is wrong in my config?any help?

--- On Sun, 2/21/10, Eric Eric eric121...@yahoo.com wrote:

From: Eric Eric eric121...@yahoo.com
Subject: Fw: freeradius and ldap using chap
To: freeradius-users@lists.freeradius.org
Date: Sunday, February 21, 2010, 1:33 PM


Hi
I want to change authentication pap to chap. The users with clear passwords are 
in ldap server. The error is :

rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication. Cannot use 
CHAP-Password.
Login incorrect (rlm_chap: Clear text password not available):

I saw the problem in faq but I didn't find what is my mistake. The config is:
in users :

DEFAULT Client-IP-Address == 10.10.10.2, Auth-Type := Vpn, Autz-Type := Vpn, Post-Auth-Type := Vpn, Session-type := Vpn

in radius.conf:
ldap ldap-Vpn {
    password_attribute = userPassword
    password_header = {clear}
}

authorize {
    chap
    Autz-Type Vpn {
        ldap-Vpn
        chap
    }
}

authenticate {
    Auth-Type CHAP {
        chap
    }
    Auth-Type Vpn {
        chap
        ldap-Vpn
    }
}


what is my mistake? should I do any other config or change in ldap.attrmap?






  


  

Fw: freeradius and ldap using chap

2010-02-21 Thread Eric Eric

Hi
I want to change authentication pap to chap. The users with clear passwords are 
in ldap server. The error is :

rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication. Cannot use 
CHAP-Password.
Login incorrect (rlm_chap: Clear text password not available):

I saw the problem in faq but I didn't find what is my mistake. The config is:
in users :

DEFAULT Client-IP-Address == 10.10.10.2, Auth-Type := Vpn, Autz-Type := Vpn, Post-Auth-Type := Vpn, Session-type := Vpn

in radius.conf:
ldap ldap-Vpn {
    password_attribute = userPassword
    password_header = {clear}
}

authorize {
    chap
    Autz-Type Vpn {
        ldap-Vpn
        chap
    }
}

authenticate {
    Auth-Type CHAP {
        chap
    }
    Auth-Type Vpn {
        chap
        ldap-Vpn
    }
}


what is my mistake? should I do any other config or change in ldap.attrmap?






  



Re: FreeRADIUS with LDAP backend (PAP works but CHAP or any other modules does not work), help please

2009-10-04 Thread Peter Lambrechtsen
Your password needs to be readable in cleartext by FR for anything other
than PAP to work.

That way FR can hash/encrypt the password out of LDAP on the server side and
compare against the hash it gets passed from the client.

On Sun, Oct 4, 2009 at 6:07 PM, Ryaz Khan rk...@ezesolve.com wrote:

  Hi Guys,



 I am glad to say that I was able to setup *FreeRADIUS ver. 2.1.7* with *LDAP
 (slapd)* authentication after a continuous research of a whole week. I can
 authenticate user via LDAP but it only works for PAP, *radtest* tool
 works, *NTRadPing* works but only when using PAP (un-checking CHAP).



 I tried every possible option/combination I can think of, but unfortunately
 none of them worked.



 I would appreciate if some of you can help me with that or can guide me to
 the right path



 Thx guys



 Ryaz Khan


Re: FreeRADIUS with LDAP backend (PAP works but CHAP or any other modules does not work), help please

2009-10-04 Thread Ivan Kalik
 I am glad to say that I was able to setup FreeRADIUS ver. 2.1.7 with LDAP
 (slapd) authentication after a continuous research of a whole week. I can
 authenticate user via LDAP but it only works for PAP, radtest tool works,
 NTRadPing works but only when using PAP (un-checking CHAP).

If you have read the comments in ldap module (raddb/modules/ldap) you
needn't have wasted your time. Ldap authentication works *only* for PAP.

http://deployingradius.com/documents/protocols/oracles.html

 I would appreciate if some of you can help me with that or can guide me to
 the right path

Use ldap as database and not authentication system. Pass the password from
it to freeradius and let freeradius authenticate the user.

Ivan Kalik
Kalik Informatika ISP
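As an added illustration of Peter Lambrechtsen's and Ivan Kalik's point above (example code written for this page, not FreeRADIUS or rlm_chap code): with PAP the cleartext arrives in User-Password, so the server can check it against whatever the directory stores, even a one-way `{SSHA}` hash, or simply bind as the user; with CHAP (RFC 1994) the client sends MD5(Identifier || password || challenge), so the server must hold the cleartext itself to recompute that value, which is the "Clear text password not available" failure seen in Eric's thread earlier on this page. The `{clear}`/`{SSHA}` header handling, the attribute layout and every sample value are constructed for this example.

```python
"""Added example: PAP can be checked against a stored hash, CHAP cannot.

Constructed sample data throughout; the {clear} and {SSHA} header
conventions follow common LDAP userPassword usage and are assumptions
for this example, as is the attribute layout.
"""
import base64
import hashlib
import hmac
import os


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def _split(stored: str):
    """Return (scheme, payload) for a userPassword value; scheme is '' for bare cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, payload = stored[1:].split("}", 1)
        return scheme.lower(), payload
    return "", stored


def pap_check(stored: str, user_password: str) -> bool:
    """PAP: User-Password carries the cleartext, so any stored form can be verified."""
    scheme, payload = _split(stored)
    if scheme == "ssha":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(user_password.encode() + salt).digest(), digest)
    if scheme in ("", "clear"):
        return hmac.compare_digest(payload.encode(), user_password.encode())
    raise ValueError(f"unsupported scheme {{{scheme}}}")


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_check(stored: str, ident: int, challenge: bytes, response: bytes):
    """CHAP: True/False when the server holds the cleartext, None when it holds only a one-way hash.

    None is the rlm_chap "Clear text password not available" case: nothing
    the directory returned lets the server recompute the client's MD5.
    """
    scheme, payload = _split(stored)
    if scheme not in ("", "clear"):
        return None
    return hmac.compare_digest(chap_response(ident, payload, challenge), response)


def outcomes(password: str, challenge: bytes, ident: int = 1) -> dict:
    """Run one correct login through PAP and CHAP against two stored forms."""
    response = chap_response(ident, password, challenge)   # what a correct CHAP client sends
    results = {}
    for label, stored in (("clear", "{clear}" + password),
                          ("ssha", ssha_hash(password, salt=b"salt"))):
        results[label] = {
            "pap": pap_check(stored, password),
            "chap": chap_check(stored, ident, challenge, response),
        }
    return results


if __name__ == "__main__":
    # Constructed challenge; in RADIUS it comes from CHAP-Challenge or the Request Authenticator.
    demo = outcomes("hunter2", bytes.fromhex("00112233445566778899aabbccddeeff"))
    for stored, res in demo.items():
        print(f"stored as {stored:5s}: PAP={res['pap']}  CHAP={res['chap']}")
```

The `ssha` row is the situation Ivan describes: the directory is perfectly able to authenticate a PAP login (and a bind), yet the RADIUS server has nothing it can feed into the CHAP computation. Returning the cleartext to FreeRADIUS, as the thread recommends, means the bind account used by rlm_ldap can read password-equivalent data, so that account and the transport to the directory need to be protected accordingly.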



FreeRADIUS with LDAP backend (PAP works but CHAP or any other modules does not work), help please

2009-10-03 Thread Ryaz Khan
Hi Guys,

 

I am glad to say that I was able to setup FreeRADIUS ver. 2.1.7 with LDAP
(slapd) authentication after a continuous research of a whole week. I can
authenticate user via LDAP but it only works for PAP, radtest tool works,
NTRadPing works but only when using PAP (un-checking CHAP).

 

I tried every possible option/combination I can think of, but unfortunately
none of them worked.

 

I would appreciate if some of you can help me with that or can guide me to
the right path

 

Thx guys

 

Ryaz Khan


Re: Setting FreeRadius and Ldap. - Getting Educated Now

2009-08-28 Thread Steven Sprague
Ivan, 

Thanks for the url link to the missing documentation. Very helpful.
Ldap is not going to work for EAP.

Now I am facing a dilemma - deciding what WEP protocol to use based on
my test setup. After reading the 'sites' and 'modules' files it seems
that some  WEP or EAP protocols are weaker than others, some not
suggested for use.

Here's what my test router and machines can handle. 

Router can provide - WEP 40/128 shared key, WEP Personal, WEP Enterprise
Cipher: TKIP or AES

Workstation: WEP 40/128 shared key, Leap, Dynamic WEP, WPA & WPA2
Personal & Enterprise

Older Laptop: WEP 40/128 shared key, 802.1 Cisco LEAP or EAP FAST
--this may be the limiting machine.

I need to rely on list users' experience for suggested paths to pursue.

Steven




Re: Setting FreeRadius and Ldap. - Getting Educated Now

2009-08-28 Thread Ivan Kalik
 Now I am facing a dilemma - deciding what WEP protocol to use based on
 my test setup. After reading the 'sites' and 'modules' files it seems
 that some  WEP or EAP protocols are weaker than others, some not
 suggested for use.

 Here's what my test router and machines can handle.

 Router can provide - WEP 40/128 shared key, WEP Personal, WEP Enterprise
 Cipher: TKIP or AES

 Workstation: WEP 40/128 shared key, Leap, Dynamic WEP, WPA & WPA2
 Personal & Enterprise

 Older Laptop: WEP 40/128 shared key, 802.1 Cisco LEAP or EAP FAST
 --this may be the limiting machine.

Use WPA2 Enterprise (PEAP) on the workstation and LEAP for older laptop.
Server should support both in default configuration.

Ivan Kalik
Kalik Informatika ISP



Re: Setting FreeRadius and Ldap. - Getting Educated Now

2009-08-28 Thread Alan Buxey
Hi,

 Now I am facing a dilemma - deciding what WEP protocol to use based on
 my test setup. After reading the 'sites' and 'modules' files it seems
 that some  WEP or EAP protocols are weaker than others, some not
 suggested for use.

don't use WEP. Ever.

 Router can provide - WEP 40/128 shared key, WEP Personal, WEP Enterprise
 Cipher: TKIP or AES

surely you mean WPA personal and WPA enterprise (TKIP or AES)?


I would say WPA enterprise with AES. It's the best you can get currently
on your kit.

 Older Laptop: WEP 40/128 shared key, 802.1 Cisco LEAP or EAP FAST
 --this may be the limiting machine.

the limiting factor here is most likely the software on the system - use
a different tool to control the wireless authentication

alan


Re: Setting FreeRadius and Ldap. - User settings

2009-08-28 Thread Steven Sprague
Ivan, 

Based on your advice I need to set myself up as a user and start testing
from my workstation.

Since it seems I am missing the docs supplied in source (used packaged
file) can you give me some guidance on minimum setting.

1. RADIUS server Shared Secret
Where is the best place to set my RADIUS server Shared Secret? or can I
use a default Shared Secret in Free Radius?

2. Users
I will be using WPA Enterprise on my workstation and not sure of the
following settings in the 'users' file. DHCP is used for wireless users.
If needed I could reserve a test address and place it here? Not sure if
that's needed or practical. Here's what I gleaned from the users file

I assume:
steven Cleartext-Password := xx
Service-Type =  what is used here for local wireless network ???

Anything else?

Thanks Steven




Re: Setting FreeRadius and Ldap. - Getting Educated Now

2009-08-28 Thread Steven Sprague
Thanks Alan,

WPA Enterprise with AES, I will do some more reading to understand the
benefits of AES.

As for the older laptop - I chose this unit because it represents
the oldest of technologies that will be accessing the network. This IBM
Thinkpad uses a Cisco (Calexico) internal wireless card using current
Windows XP (SP3) card drivers (from IBM / Lenovo). So unless there is a
better solution for controlling this wireless card I am stuck with
dealing with its offerings: WEP, Cisco Leap and EAP FAST.

Steven




Re: Setting FreeRadius and Ldap. - Getting Educated Now

2009-08-28 Thread Arran Cudbard-Bell

On 28/08/2009 16:50, Steven Sprague wrote:
 Thanks Alan,
 
 WPA Enterprise with AES, I will do some more reading to understand the
 benefits of AES.

TKIP is semi-broken, in that you can do ARP poisoning attacks without needing 
the PMK.

We're mandating WPA2-AES for this academic year.
-- 
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Setting FreeRadius and Ldap.

2009-08-27 Thread Steven Sprague
Hello All

My needs are simple. Use an existing LDAP server to communicate with
FreeRadius.

After reading a number of sources (including the FAQ) I am a bit
confused as to what is required? I will start out simple with WPA using
LEAP - since all my client boxes can use it.

Questions:

Do I need any special schema for ldap to use this plan? Y/N

If YES, where can I find example?

If NO, what other settings need to be set on the client, ldap and
FreeRadius server for testing.

A simple, systematic step-by-step guide would be great. :) Sorry, my
only book (LDAP by O'Reilly) is a bit dated and incomplete.

My test setup is one access point (D-Link DIR-655), two RHEL servers and
one workstation client for testing.

Server 1 - DNS & FreeRadius

Server 2 - LDAP,Postfix,Dovecot,Apache,Squid.

** They are on the same network.

I appreciate any advice to get me moving the right direction.

Steven





Re: Setting FreeRadius and Ldap.

2009-08-27 Thread Ivan Kalik
 Questions:

 Do I need any special schema for ldap to use this plan? Y/N


No.

 If NO, what other settings need to be set on the client, ldap and
 FreeRadius server for testing.

Configure ldap module (raddb/modules/ldap, instructions in doc/rlm_ldap)
and uncomment ldap in authorize section of default virtual server
(raddb/sites-enabled/default).

Ivan Kalik
Kalik Informatika ISP



Re: Setting FreeRadius and Ldap.

2009-08-27 Thread Steven Sprague
tnt, 

Made the changes you suggested but could not locate the doc/rlm_ldap.
Do you have any simple tests for the settings I changed?

Steven




Re: Setting FreeRadius and Ldap.

2009-08-27 Thread Steven Sprague
tnt, 

I loaded FreeRadius in terminal using -X to see what is loading.
Here's what comes back - you will notice one complaint below - in the
rlm_ldap section: rlm_ldap: Over-riding set_auth_type, as there is no
module ldap listed in the authenticate section.

[r...@ns1 ~]# radiusd -X
FreeRADIUS Version 2.1.6, for host i386-redhat-linux-gnu, built on Jun  2 2009 
at 17:33:54
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory 

freeradius and ldap

2009-08-02 Thread Eric
Hi,
I installed freeradius-server-2.1.6. It is connected to an LDAP server. When I
run radiusd -X
there is this error:
/usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap':
/usr/lib/rlm_ldap.so: undefined symbol: librad_errstr

Is it needed to install freeradius-ldap or my config may have error?
I downloaded freeradius-ldap-2.1.3-1.fc10.i386.rpm. When I want to install
it, it needs
libldap_r-2.4.so.2, and searching for this file gives openldap, whose
installation needs dependencies
too.
What is my mistake?

Re: freeradius and ldap

2009-08-02 Thread Ivan Kalik
 I installed freeradius-server-2.1.6. It is connected to an LDAP server. When I
 run radiusd -X
 there is this error:
 /usr/local/etc/raddb/modules/ldap[29]: Failed to link to module
 'rlm_ldap':
 /usr/lib/rlm_ldap.so: undefined symbol: librad_errstr

 Is it needed to install freeradius-ldap or my config may have error?

Yes, if you want to use ldap.

 I downloaded freeradius-ldap-2.1.3-1.fc10.i386.rpm. When I want to install
 it, it needs
 libldap_r-2.4.so.2, and searching for this file gives openldap, whose
 installation needs dependencies
 too.
 What is my mistake?

You are not using yum? This is an OS question, so direct it to them.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius and ldap

2009-08-02 Thread Eric
Yum install freeradius-ldap reports this as needed too.


 I installed freeradius-server-2.1.6. It is connected to an LDAP server. When I
 run radiusd -X
 there is this error:
 /usr/local/etc/raddb/modules/ldap[29]: Failed to link to module
 'rlm_ldap':
 /usr/lib/rlm_ldap.so: undefined symbol: librad_errstr

 Is it needed to install freeradius-ldap or my config may have error?

Yes, if you want to use ldap.

 I downloaded freeradius-ldap-2.1.3-1.fc10.i386.rpm. When I want to install
 it, it needs
 libldap_r-2.4.so.2, and searching for this file gives openldap, whose
 installation needs dependencies
 too.
 What is my mistake?

You are not using yum? This is an OS question, so direct it to them.

Re: freeradius and ldap

2009-08-02 Thread Alan Buxey
Hi,

 I installed freeradius-server-2.1.6. It is connected to an LDAP server. When I
 run radiusd -X
 there is this error:
 /usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap':
 /usr/lib/rlm_ldap.so: undefined symbol: librad_errstr
 
 Is it needed to install freeradius-ldap or my config may have error?
 I downloaded freeradius-ldap-2.1.3-1.fc10.i386.rpm. When I want to install
 it, it needs
 libldap_r-2.4.so.2, and searching for this file gives openldap, whose
 installation needs dependencies
 too.
 What is my mistake?

if you installed freeradius from YUM it looks like it didn't pull in
dependencies.

for LDAP functionality, you'll need to install openldap and
all of its dependencies.  

if you built from source, you'll also need the openldap-devel package too

alan


Re: freeradius and ldap

2009-08-02 Thread Eric
Yes, but yum installs version 1.1.3 and I want to use the reply-name item that is
in version 2.1.6.

if you installed freeradius from YUM it looks like it didn't pull in
dependencies.

for LDAP functionality, you'll need to install openldap and
all of its dependencies.

if you built from source, you'll also need the openldap-devel package too

alan

Re: freeradius and ldap

2009-08-02 Thread Ivan Kalik
 Yes, but yum installs version 1.1.3 and I want to use the reply-name item that
 is
 in version 2.1.6.


http://wiki.freeradius.org/Red_Hat_FAQ

Ivan Kalik
Kalik Informatika ISP



Freeradius 2.1.6: LDAP connect

2009-07-08 Thread Anja Ruckdaeschel
Hello there!
 
Hope you can help.
I'm running freeradius 2.1.6 on SLES 11 and do LDAP authentication on
Radius.
EAP/TTLS with cleartext-password against ldap works fine.
PEAP/MSCHAP with universal password retrieval works fine.
Ldap-Groups work fine.
Load-Balancing with multiple ldap-servers also work fine.
 
The only problem is: from time to time the radius debug for rlm_ldap says:
 
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=de, with filter
(&(objectClass=inetOrgPerson)(uid=abc12345))
rlm_ldap: object not found
 
So, radius doesn't know the dn and can't go on. The difference between other
ldap searches and the one with this error
is that there is no new connect to the ldap-server and no new bind. Also,
this never happens with the first access-request.
Besides: a trace on my ldap servers shows no communication in that case
(looks
like radius doesn't ask after all) ... and: the same problem appears with
freeradius 2.1.1.
 
Any ideas...???
Thank you very much...
 
Kind regards
Anja
 
 
 
 
 
 


Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread Alan DeKok
Christopher Sheldon wrote:
 Does anyone else who subscribes to the list specifically read every
 email Alan sends just to chuckle at him berating the  poor, confused
 people seeking help?

  My unhelpful comments are directed at the people who don't read (a)
the documentation I already wrote, or (b) the debugging messages I
already wrote.

  Perhaps you could take over the role of cut & paste master, where
you would cut and paste the existing documentation onto this list for
certain people.

  Failing that, perhaps you could try another method of positive
contribution that doesn't involve complaining about me.

  Alan DeKok.


Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread Alan DeKok
daverum...@boothcreek.com wrote:
   So funny you say that, I was just talking about that with a co worker. I 
 almost find myself searching for his emails and thinking that poor person who 
 is looking for help.

  Asking people to read the debug log, as suggested in the FAQ, README,
INSTALL, man page, every single howto, and daily on this list?

  For shame.

  It's really quite simple.  It's a choice.  People DON'T read the
documentation.  They DON'T follow instructions.  They DON'T read the
debug log.  But they get incensed when they get told to read it, and
they get incensed when told to follow instructions.

  Happily, there is a solution.  Along with Christopher, you're now the
new cut & paste master.  Please spend a few short hours every day
answering questions on this list by cutting & pasting answers from the
existing documentation.

  Also, you will need to explain to people that they should run the
server in debugging mode.  Feel free to *continue* explaining why this
is necessary after they have gotten angry at you for not immediately
solving their problem.

  Complaining about *my* behavior is not an option until you've
contributed something to the project.

  Alan DeKok.


AW: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread Wegener, Norbert
Not only I have to thank Alan for this or that hint and the great software.
Nowadays I find his answers amusing. They sound like a mantra:
Read the documentation, post the debug output, don't change too much in the 
default configuration 

What is wrong with that answer?
And knowing that one might get this kind of answer: Maybe one  thinks twice and 
reads a bit more through the docs before posting a question. 
In my opinion there are worse things than thinking twice.
I know people that behave exactly this way just for that reason. And they 
solved most of their problems this way.

FreeRADIUS is a project with a comprehensive documentation. Many - if not most - 
of the questions on the list could be answered by reading the wiki and the rest 
of the documentation. Knowing this I personally would find it hard to 
impossible to answer the same questions over and over again.

Thanks Alan.


Norbert Wegener


From: freeradius-users-bounces+norbert.wegener=siemens@lists.freeradius.org 
[freeradius-users-bounces+norbert.wegener=siemens@lists.freeradius.org] on 
behalf of Alan DeKok [al...@deployingradius.com]
Sent: Thursday, 25 June 2009 08:20
To: daverum...@boothcreek.com; FreeRadius users mailing list
Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

daverum...@boothcreek.com wrote:
   So funny you say that, I was just talking about that with a co worker. I 
 almost find myself searching for his emails and thinking that poor person who 
 is looking for help.

  Asking people to read the debug log, as suggested in the FAQ, README,
INSTALL, man page, every single howto, and daily on this list?

  For shame.

  It's really quite simple.  It's a choice.  People DON'T read the
documentation.  They DON'T follow instructions.  They DON'T read the
debug log.  But they get incensed when they get told to read it, and
they get incensed when told to follow instructions.

  Happily, there is a solution.  Along with Christopher, you're now the
new cut & paste master.  Please spend a few short hours every day
answering questions on this list by cutting & pasting answers from the
existing documentation.

  Also, you will need to explain to people that they should run the
server in debugging mode.  Feel free to *continue* explaining why this
is necessary after they have gotten angry at you for not immediately
solving their problem.

  Complaining about *my* behavior is not an option until you've
contributed something to the project.

  Alan DeKok.


Re: AW: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread Johan Meiring

Wegener, Norbert wrote:

Not only I have to thank Alan for this or that hint and the great software.
Nowadays I find his answers amusing. They sound like a mantra:
Read the documentation, post the debug output, don't change too much in the 
default configuration 

What is wrong with that answer?
And knowing that one might get this kind of answer: Maybe one  thinks twice and reads a bit more through the docs before posting a question. 
In my opinion there are worse things than thinking twice.

I know people that behave exactly this way just for that reason. And they 
solved most of their problems this way.

FreeRADIUS is a project with a comprehensive documentation. Many - if not most - 
of the questions on the list could be answered by reading the wiki and the rest 
of the documentation. Knowing this I personally would find it hard to 
impossible to answer the same questions over and over again.

Thanks Alan.




I have to FULLY agree.

Every single time someone has had a reasonable request, Alan responded 
immediately.


Personally I did not even know what the three a's in aaa meant when I 
got involved with freeradius.


I got ALL the info I needed from the docs.
I configured a perfectly working solution without ONE question to this 
list.  (A fairly complicated one - all the docs are there!!)


I started posting when I had a feature that did not quite work as 
expected.  (dynamic clients).


Alan even went to the trouble to commit some code to git just to help me.

I certainly cannot fault his behaviour.

I personally run about 8 technicians.
Whenever someone asks me for advice, I always ask them. What is the 
exact error?

After asking for it the 100th time, I also get rude.

You should NOT have to say the same thing over and over again!!!

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread John Dennis
Alan often replies immediately with useful information, often for 
questions which are constantly repeated. I'm personally impressed with 
his tireless dedication, not only in being one of the primary help 
desk roles but also in developing the software, both of which you're 
getting for *free*. I think Alan (and some others) deserve a note of 
thanks from this community.


Folks, get real, this is open source. That means it's a community of 
volunteers. In open source if you think something is deficient your job 
is to step up to the plate and contribute for the betterment of 
everyone. But if instead you feel you need to complain and not 
contribute then please walk away.


John


RE: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread Danner, Mearl


 -Original Message-
 From: freeradius-users-
 bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
 users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
 John Dennis
 Sent: Thursday, June 25, 2009 8:54 AM
 To: FreeRadius users mailing list
 Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
 
 Alan often replies immediately with useful information, often for
 questions which are constantly repeated. I'm personally impressed with
 his tireless dedication, not only in being one of the primary help
 desk roles but also in developing the software, both of which you're
 getting for *free*. I think Alan (and some others) deserve a note of
 thanks from this community.
 
 Folks, get real, this is open source. That means it's a community of
 volunteers. In open source if you think something is deficient your job
 is to step up to the plate and contribute for the betterment of
 everyone. But if instead you feel you need to complain and not
 contribute then please walk away.
 
 John



I agree wholeheartedly.

The documentation is more than adequate. Surprising how much you'll learn by 
reading it.

If you'd prefer Alan spend time answering already answered questions rather 
than refining/developing freeradius

Mearl



Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-24 Thread Alan DeKok
jpablorp wrote:
 I replace eap.conf with the Default eap.conf file
 
 and this is my debug:

  Where you have *deleted* the real cause of the error.

 [peap]  Had sent TLV failure.  User was rejected earlier in this session.

  Look EARLIER in the debug log for the failure.  It's really not hard.
 Look for words like reject, or fail, or error.

  The messages will tell you what is wrong, and why.  All you need to do
is read them.

  Alan DeKok.


Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-24 Thread jpablorp

Thanks for your help.

I'm pretty new to freeradius. I've read many how-tos, but only in this
post have I discovered many things.



Alan DeKok-2 wrote:
 
 jpablorp wrote:
 I replace eap.conf with the Default eap.conf file
 
 and this is my debug:
 
   Where you have *deleted* the real cause of the error.
 
 [peap]  Had sent TLV failure.  User was rejected earlier in this session.
 
   Look EARLIER in the debug log for the failure.  It's really not hard.
  Look for words like reject, or fail, or error.
 
   The messages will tell you what is wrong, and why.  All you need to do
 is read them.
 
   Alan DeKok.
 
 



Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-24 Thread Christopher Sheldon


Does anyone else who subscribes to the list specifically read every 
email Alan sends just to chuckle at him berating the  poor, confused 
people seeking help?


It's like reality TV. ;-)

Chris.

Alan DeKok wrote:

jpablorp wrote:
  

I replace eap.conf with the Default eap.conf file

and this is my debug:



  Where you have *deleted* the real cause of the error.

  

[peap]  Had sent TLV failure.  User was rejected earlier in this session.



  Look EARLIER in the debug log for the failure.  It's really not hard.
 Look for words like reject, or fail, or error.

  The messages will tell you what is wrong, and why.  All you need to do
is read them.

  Alan DeKok.
  




Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-24 Thread daverummel
Chris,
  So funny you say that, I was just talking about that with a co worker. I 
almost find myself searching for his emails and thinking that poor person who 
is looking for help.
  I hope to post a link giving exact details on how to do auth with ldap using 
freeradius 2. I also plan to add how to do group auth with unlang. So tired of 
finding bits and pieces and no one quite giving a how to do in this mailing 
list.
--Original Message--
From: Christopher Sheldon
Sender: freeradius-users-bounces+daverummel=boothcreek@lists.freeradius.org
To: FreeRadius users mailing list
ReplyTo: FreeRadius users mailing list
Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Sent: Jun 24, 2009 5:36 PM


Does anyone else who subscribes to the list specifically read every 
email Alan sends just to chuckle at him berating the  poor, confused 
people seeking help?

It's like reality TV. ;-)

Chris.

Alan DeKok wrote:
 jpablorp wrote:
   
 I replace eap.conf with the Default eap.conf file

 and this is my debug:
 

   Where you have *deleted* the real cause of the error.

   
 [peap]  Had sent TLV failure.  User was rejected earlier in this session.
 

   Look EARLIER in the debug log for the failure.  It's really not hard.
  Look for words like reject, or fail, or error.

   The messages will tell you what is wrong, and why.  All you need to do
 is read them.

   Alan DeKok.
   

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Sent on the Now Network™ from my Sprint® BlackBerry


RE: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-24 Thread Tim Sylvester
We should start collecting the Best of Alan posts. Any nominations?

Tim

 -Original Message-
 From: freeradius-users-
 bounces+tim.sylvester=networkradius@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf
 Of daverum...@boothcreek.com
 Sent: Wednesday, June 24, 2009 7:56 PM
 To: FreeRadius users mailing list
 Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
 
 Chris,
   So funny you say that, I was just talking about that with a co-worker.
 I almost find myself searching for his emails and thinking of that
 poor person who is looking for help.
   I hope to post a link giving exact details on how to do auth with
 ldap using freeradius 2. I also plan to add how to do group auth with
 unlang. So tired of finding bits and pieces and no one quite giving a
 how-to in this mailing list.
 --Original Message--
 From: Christopher Sheldon
 Sender: freeradius-users-
 bounces+daverummel=boothcreek@lists.freeradius.org
 To: FreeRadius users mailing list
 ReplyTo: FreeRadius users mailing list
 Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
 Sent: Jun 24, 2009 5:36 PM
 
 
 Does anyone else who subscribes to the list specifically read every
 email Alan sends just to chuckle at him berating the  poor, confused
 people seeking help?
 
 It's like reality TV. ;-)
 
 Chris.
 
 Alan DeKok wrote:
  jpablorp wrote:
 
  I replaced eap.conf with the default eap.conf file
 
  and this is my debug:
 
 
Where you have *deleted* the real cause of the error.
 
 
  [peap]  Had sent TLV failure.  User was rejected earlier in this
 session.
 
 
Look EARLIER in the debug log for the failure.  It's really not
 hard.
   Look for words like reject, or fail, or error.
 
The messages will tell you what is wrong, and why.  All you need to
  do is read them.
 
Alan DeKok.
 
 
 Sent on the Now Network™ from my Sprint® BlackBerry




freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-23 Thread jpablorp

Hi everyone.
I've been trying to set up freeradius 2.1.6 with LDAP and mschapv2 to
authenticate.
When I send a test from my console, this works fine.

client: 
$ radtest user pass 10.14.56.26 0 secret. 

server in debug mode: 
Ready to process requests. 
rad_recv: Access-Request packet from host 172.24.104.12 port 39285, id=52,
length=69 
User-Name = user 
User-Password = pass 
NAS-IP-Address = 127.0.1.1 
NAS-Port = 0 
+- entering group authorize {...} 
++[preprocess] returns ok 
++[mschap] returns noop 
[suffix] No '@' in User-Name = user, looking up realm NULL 
[suffix] No such realm NULL 
++[suffix] returns noop 
++[files] returns noop 
[ldap] performing user authorization for user 
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for
details 
[ldap] expand:
((SamAccountName=%{Stripped-User-Name:-%{User-Name})(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
-
((SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com)) 
[ldap] expand: OU=Groups,DC=it,DC=test,DC=com -
OU=Groups,DC=it,DC=test,DC=com 
rlm_ldap: ldap_get_conn: Checking Id: 0 
rlm_ldap: ldap_get_conn: Got Id: 0 
rlm_ldap: attempting LDAP reconnection 
rlm_ldap: (re)connect to 10.14.56.100:389, authentication 0 
rlm_ldap: bind as ad...@it.test.com/adminpass to 10.14.56.100:389 
rlm_ldap: waiting for bind result ... 
rlm_ldap: Bind was successful 
rlm_ldap: performing search in OU=Groups,DC=it,DC=test,DC=com, with filter
((SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com)) 
[ldap] No default NMAS login sequence 
[ldap] looking for check items in directory... 
[ldap] looking for reply items in directory... 
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly? 
[ldap] Setting Auth-Type = ldap 
[ldap] user user authorized to use remote access 
rlm_ldap: ldap_release_conn: Release Id: 0 
++[ldap] returns ok 
Found Auth-Type = ldap 
+- entering group authenticate {...} 
[ldap] login attempt by user with password pass 
[ldap] user DN: CN=user,OU=General Group,OU=Users,DC=it,DC=test,DC=com 
rlm_ldap: (re)connect to 10.14.56.100:389, authentication 1 
rlm_ldap: bind as CN=user,OU=General
Group,OU=Users,DC=it,DC=test,DC=com/pass to 10.14.56.100:389 
rlm_ldap: waiting for bind result ... 
rlm_ldap: Bind was successful 
[ldap] user user authenticated succesfully 
++[ldap] returns ok 
Login OK: [user/pass] (from client redprivada1 port 0) 
Sending Access-Accept of id 52 to 172.24.104.12 port 39285 
Finished request 0. 
Going to the next request 
Waking up in 4.9 seconds. 
Cleaning up request 0 ID 52 with timestamp +10 

But when I try to connect:

rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=174,
length=189 
User-Name = user 
Calling-Station-Id = 00-24-2C-83-AA-92 
Called-Station-Id = 00-21-A1-9E-F9-30:redprivada1 
NAS-Port = 1 
NAS-IP-Address = 10.14.56.33 
NAS-Identifier = acces-ponit-wlc 
Airespace-Wlan-Id = 1 
Service-Type = Framed-User 
Framed-MTU = 1300 
NAS-Port-Type = Wireless-802.11 
EAP-Message = 0x020e0016016a75616e7061626c6f5f72616d6972657a 
Message-Authenticator = 0x76c7af8be679e0867bb2c06d1146d7e6 
+- entering group authorize {...} 
++[preprocess] returns ok 
++[mschap] returns noop 
[suffix] No '@' in User-Name = user, looking up realm NULL 
[suffix] No such realm NULL 
++[suffix] returns noop 
++[files] returns noop 
[ldap] performing user authorization for user 
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for
details 
[ldap] expand:
((SamAccountName=%{Stripped-User-Name:-%{User-Name})(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
-
((SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com)) 
[ldap] expand: OU=Groups,DC=it,DC=test,DC=com -
OU=Groups,DC=it,DC=test,DC=com 
rlm_ldap: ldap_get_conn: Checking Id: 0 
rlm_ldap: ldap_get_conn: Got Id: 0 
rlm_ldap: performing search in OU=Groups,DC=it,DC=test,DC=com, with filter
((SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com)) 
[ldap] No default NMAS login sequence 
[ldap] looking for check items in directory... 
[ldap] looking for reply items in directory... 
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly? 
[ldap] user user authorized to use remote access 
rlm_ldap: ldap_release_conn: Release Id: 0 
++[ldap] returns ok 
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user 
Failed to authenticate the user. 
usersfile = /etc/freeradius/users 
acctusersfile = /etc/freeradius/acct_users 
preproxy_usersfile = /etc/freeradius/preproxy_users 
compat = no 
  } 
 Module: Checking session {...} for more modules to load 
 Module: Linked to module rlm_radutmp 
 Module: Instantiating radutmp 
  radutmp { 
filename = /var/log/freeradius
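
The "look EARLIER in the debug log" advice given in this thread, applied to the debug output in the post above, as an added example that is not part of the thread or of FreeRADIUS itself. The triage script is mine; its failure word list, the `Found Auth-Type` check and the shortened sample logs are assumptions built from the lines quoted in this thread.

```python
"""Triage of a FreeRADIUS 2.x `radiusd -X` debug excerpt (added example,
not FreeRADIUS project code).  For every request it reports the EARLIEST
line mentioning reject/fail/error, not the final "Failed to authenticate
the user." that gets pasted, whether any module set Auth-Type, and which
requests the server cleaned up that are missing from the excerpt."""
import json
import re

# Words from the advice in the thread (reject, fail, error) plus two
# FreeRADIUS 2.x messages that precede a reject.  The first line of a
# request matching any of these is where reading should start.
FAILURE_PATTERNS = [
    re.compile(r"reject", re.I),
    re.compile(r"fail", re.I),
    re.compile(r"\berror\b", re.I),
    re.compile(r"returns (invalid|reject|fail)"),
    re.compile(r"No common EAP types"),
    re.compile(r"No authenticate method"),
]
REQUEST_START = re.compile(
    r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
CLEANUP = re.compile(r"^Cleaning up request \d+ ID (\d+)\b")


def split_requests(lines):
    """Group debug lines by the rad_recv packet that started them.
    Returns (preamble, requests); a non-empty preamble means the excerpt
    begins in the middle of a request, i.e. its start was cut off."""
    preamble, requests, current = [], [], None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = REQUEST_START.match(line)
        if m:
            current = {"id": int(m.group(2)), "client": m.group(1), "lines": []}
            requests.append(current)
        elif current is None:
            preamble.append(line)
        else:
            current["lines"].append(line)
    return preamble, requests


def first_failure(lines):
    """The earliest line matching a failure pattern, or None if none does."""
    for line in lines:
        if any(p.search(line) for p in FAILURE_PATTERNS):
            return line.strip()
    return None


def missing_request_ids(lines, seen_ids):
    """Packet ids the server cleaned up whose rad_recv is not in the excerpt."""
    cleaned = set()
    for line in lines:
        m = CLEANUP.match(line.strip())
        if m:
            cleaned.add(int(m.group(1)))
    return sorted(cleaned - set(seen_ids))


def triage(log_text):
    """Summarise an excerpt: truncation, missing requests, first failure each."""
    lines = log_text.splitlines()
    preamble, requests = split_requests(lines)
    return {
        "starts_mid_request": bool(preamble),
        "missing_ids": missing_request_ids(lines, [r["id"] for r in requests]),
        "requests": [{
            "id": r["id"],
            "client": r["client"],
            "auth_type_set": any("Found Auth-Type" in l for l in r["lines"]),
            "first_failure": first_failure(r["lines"]),
        } for r in requests],
    }


# Constructed samples: shortened copies of two debug excerpts posted in this
# thread (the rejected wireless request, and the later PEAP excerpt).
SAMPLE_REJECT = """\
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=174, length=189
User-Name = user
EAP-Message = 0x020e0016016a75616e7061626c6f5f72616d6972657a
+- entering group authorize {...}
++[preprocess] returns ok
++[files] returns noop
WARNING: No known good password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user user authorized to use remote access
++[ldap] returns ok
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
"""
SAMPLE_PEAP = """\
++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
++[eap] returns invalid
Failed to authenticate the user.
Sending Access-Reject of id 198 to 10.14.56.33 port 32768
Cleaning up request 1 ID 190 with timestamp +51
Cleaning up request 8 ID 197 with timestamp +51
Cleaning up request 9 ID 198 with timestamp +51
"""

if __name__ == "__main__":
    for name, sample in (("reject", SAMPLE_REJECT), ("peap", SAMPLE_PEAP)):
        print(name, json.dumps(triage(sample), indent=2))
```

On the first sample the report names the "No authenticate method (Auth-Type)" line, not the closing "Failed to authenticate the user.", and shows that nothing set Auth-Type: in the radtest run earlier in the same post rlm_ldap printed "Setting Auth-Type = ldap" because a cleartext User-Password was present, while the wireless request carries only EAP-Message, and the trimmed authorize section has no module that sets Auth-Type for it (the later logs, taken with the default configuration, show "Found Auth-Type = EAP", which is the eap module doing that job). On the PEAP sample the report contains no requests at all and lists ids 190 to 198 as cleaned up but absent, which is the "you deleted the real cause" situation: the request in which the inner tunnel was rejected is not in the excerpt.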

Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-23 Thread Ivan Kalik
 I've been trying to set up freeradius 2.1.6 with LDAP and mschapv2 to
 authenticate.
 When I send a test from my console, this works fine.

 But when I try to connect:

 I don't know what I'm missing.
 Here is my radiusd.conf:

Why did you find it necessary to butcher the default configuration? Use the
default radiusd.conf, configure ldap in modules (raddb/modules/ldap) and
watch it work.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-23 Thread jpablorp

Thanks for your response.

Now I'm using the default files and configured the access in modules
(raddb/modules/ldap).
Now it seems like the solution is closer.

When I test, this appears on my server in debug mode:

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for unsupported type 25
[eap] No common EAP types found.
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 189 to 10.14.56.33 port 32768
EAP-Message = 0x040c0004
Message-Authenticator = 0x
Waking up in 3.9 seconds.
Cleaning up request 1 ID 188 with timestamp +30
Waking up in 1.0 seconds.
Cleaning up request 2 ID 189 with timestamp +30
Ready to process requests.

I think the problem is in my eap.conf file, but I'm not sure what exactly I have
to do.
Any idea?


Ivan Kalik wrote:
 
 I've been trying to set up freeradius 2.1.6 with LDAP and mschapv2 to
 authenticate.
 When I send a test from my console, this works fine.

 But when I try to connect.

 I don't know what I'm missing.
 here is my radiusd.conf:
 
 Why did you find it necessary to butcher the default configuration? Use the
 default radiusd.conf, configure ldap in modules (raddb/modules/ldap) and
 watch it work.
 
 Ivan Kalik
 Kalik Informatika ISP
 



Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-23 Thread Ivan Kalik
 Thanks for your response.

 Now I'm using the default files and configured the access in modules
 (raddb/modules/ldap).
 Now it seems like the solution is closer.

 When I test, this appears on my server in debug mode:
...
 [eap] EAP NAK
 [eap] NAK asked for unsupported type 25
 [eap] No common EAP types found.

Well, type 25 is PEAP, and that is defined in eap.conf by default. As are
a few others.


 I think the problem is in my eap.conf file, but I'm not sure what exactly I have
 to do.
 Any idea?

Have you done some strange things to eap.conf or are you using the default
one? Default configuration works.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-23 Thread jpablorp


Ivan Kalik wrote:
 
 
 Have you done some strange things to eap.conf or are you using the default
 one? Default configuration works.
 
 

I replaced eap.conf with the default eap.conf file

and this is my debug:

++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 198 to 10.14.56.33 port 32768
EAP-Message = 0x040d0004
Message-Authenticator = 0x
Waking up in 3.6 seconds.
Cleaning up request 1 ID 190 with timestamp +51
Cleaning up request 2 ID 191 with timestamp +51
Cleaning up request 3 ID 192 with timestamp +51
Cleaning up request 4 ID 193 with timestamp +51
Cleaning up request 5 ID 194 with timestamp +51
Cleaning up request 6 ID 195 with timestamp +51
Cleaning up request 7 ID 196 with timestamp +51
Cleaning up request 8 ID 197 with timestamp +51
Waking up in 1.0 seconds.
Cleaning up request 9 ID 198 with timestamp +51

Am I missing something?




