Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
Jacob Jarick wrote:
> So the big question is, what Auth-Type do I use ?

You have been told that you should not set it. That means You should not set it. It does not mean use another value.

> If LDAP is not permitted (still confuses me as I only need / want radius to authenticate against LDAP) what Auth-Type do I set in the users file so that Wireless users can authenticate using their ADS username and passwords.

You're confused because you're not believing the messages on this list. LDAP is not an authentication server. When you say authenticate against LDAP, you are talking nonsense.

Other people have FreeRADIUS authenticating against Active Directory. They have done so by carefully following the guides.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
Alan, I try to understand. I can only get answers from you guys when available, so yes I do go off and try random howtos (literally anything I can find) in the hopes I learn a bit more.

But yes, I am now 100% clear on not setting Auth-Type.

Thanks again Alan.

On 4/24/07, Alan DeKok wrote:
> Jacob Jarick wrote:
> > So the big question is, what Auth-Type do I use ?
>
> You have been told that you should not set it. That means You should not set it. It does not mean use another value.
>
> > If LDAP is not permitted (still confuses me as I only need / want radius to authenticate against LDAP) what Auth-Type do I set in the users file so that Wireless users can authenticate using their ADS username and passwords.
>
> You're confused because you're not believing the messages on this list. LDAP is not an authentication server. When you say authenticate against LDAP, you are talking nonsense.
>
> Other people have FreeRADIUS authenticating against Active Directory. They have done so by carefully following the guides.
>
> Alan DeKok.
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
Jacob Jarick wrote:
> My problem is the ldap password retrieved from the windows client is not being sent to the ldap server.

The problem is that you have configured Auth-Type := LDAP, and then sent the server an 802.1x authentication request.

Do NOT set Auth-Type = LDAP. This is repeated all over the place in the configuration files, the documentation, and on this list.

In fact, just delete ldap from the authenticate section. If you can get PAP working with that setup, then 802.1x EAP should work, too.

Make sure that FreeRADIUS is retrieving the password from LDAP. If you have FreeRADIUS doing bind as user to LDAP, then it is NOT retrieving the password from LDAP. See:

http://deployingradius.com/documents/protocols/

And the two other web pages linked to from that page.

> The weird thing is it was working fine Friday.

Because you were doing PAP authentication.

I'm half inclined to remove ldap bind as user from the server entirely. It confuses too many people, and causes too many problems.

Alan DeKok.
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
Jacob Jarick wrote:
> Thanks again Alan,
>
> For reference the O'Reilly LDAP book instructs you to set Auth-Type := LDAP so that's where I got the bad reference (perhaps other people too).

Yes. There is a LOT of documentation (web pages, etc.) that say to do the wrong thing. It's unfortunate that the people writing those don't read the FreeRADIUS docs first, and don't ask us to review their configuration.

> Now let's see if I understood the tables correctly. PAP is the only method that will support LDAP bind as user ?

It's the other way around. LDAP bind as user only works with PAP.

> When Using PAP - LDAP will I still have to map userPassword to User-Password ?

No. I've added some more code that will go into 1.1.7 2.0. If the LDAP module succeeds in retrieving a password from LDAP, it does NOT set Auth-Type to LDAP.

> Will there be extra configuration required on free radius to make use of pap - ADS ldap or will it work automatically because ldap is configured in the modules {} section.

I would ask what other authentication protocols you need to support before suggesting to set Auth-Type to LDAP.

> Won't using PAP mean plain text password from client - cisco wap - radius - ADS server ?

No. 802.1x uses EAP, which is NOT PAP, and which is NOT compatible with Auth-Type = LDAP.

Alan DeKok.
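Added example, not part of the thread and not FreeRADIUS code: a Python model of why "LDAP bind as user only works with PAP". PAP hands the server a recoverable cleartext password it can bind with; a challenge-response request (CHAP here, standing in for that family) carries only a one-way hash, so the server must retrieve the known-good password to recompute it. The directory, user, secret and function names are hypothetical and the sample values are constructed.

```python
import hashlib
import hmac

# Constructed sample directory (hypothetical user and password).
DIRECTORY = {"alice": b"correct horse battery"}

def ldap_bind(user, password):
    """Simulated bind as user: the directory answers yes/no and reveals nothing."""
    return user in DIRECTORY and hmac.compare_digest(DIRECTORY[user], password)

def ldap_read_password(user):
    """Simulated retrieval of the known-good password by the RADIUS server."""
    return DIRECTORY.get(user)

def hide_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2: how a NAS hides User-Password in a PAP request."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def recover_user_password(hidden, secret, authenticator):
    """Inverse operation: the RADIUS server gets the cleartext back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(chap_id, password, challenge):
    """RFC 1994: MD5(id || password || challenge); one-way, no cleartext inside."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def authenticate(req, secret, bind_as_user):
    user = req["User-Name"]
    if "User-Password" in req:  # PAP: cleartext is recoverable
        clear = recover_user_password(req["User-Password"], secret, req["Authenticator"])
        if bind_as_user:
            return ldap_bind(user, clear)
        known = ldap_read_password(user)
        return known is not None and hmac.compare_digest(known, clear)
    # Challenge-response: the server has to recompute the response itself.
    if bind_as_user:
        raise ValueError("no cleartext password in request; cannot bind as user")
    known = ldap_read_password(user)
    chap = req["CHAP-Password"]  # first byte is the CHAP id, the rest is the hash
    expected = chap_response(chap[0], known or b"", req["CHAP-Challenge"])
    return known is not None and hmac.compare_digest(expected, chap[1:])
```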
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
Forgive the newbie questions but I think it's best to clear up confusion.

client - cisco - FR server = eap
FR - ADS 2003 = pap

Is that correct or am I way off track.

On 4/23/07, Alan DeKok wrote:
> Jacob Jarick wrote:
> > Thanks again Alan,
> >
> > For reference the O'Reilly LDAP book instructs you to set Auth-Type := LDAP so that's where I got the bad reference (perhaps other people too).
>
> Yes. There is a LOT of documentation (web pages, etc.) that say to do the wrong thing. It's unfortunate that the people writing those don't read the FreeRADIUS docs first, and don't ask us to review their configuration.
>
> > Now let's see if I understood the tables correctly. PAP is the only method that will support LDAP bind as user ?
>
> It's the other way around. LDAP bind as user only works with PAP.
>
> > When Using PAP - LDAP will I still have to map userPassword to User-Password ?
>
> No. I've added some more code that will go into 1.1.7 2.0. If the LDAP module succeeds in retrieving a password from LDAP, it does NOT set Auth-Type to LDAP.
>
> > Will there be extra configuration required on free radius to make use of pap - ADS ldap or will it work automatically because ldap is configured in the modules {} section.
>
> I would ask what other authentication protocols you need to support before suggesting to set Auth-Type to LDAP.
>
> > Won't using PAP mean plain text password from client - cisco wap - radius - ADS server ?
>
> No. 802.1x uses EAP, which is NOT PAP, and which is NOT compatible with Auth-Type = LDAP.
>
> Alan DeKok.
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
So the big question is, what Auth-Type do I use ?

If LDAP is not permitted (still confuses me as I only need / want radius to authenticate against LDAP) what Auth-Type do I set in the users file so that Wireless users can authenticate using their ADS username and passwords.

On 4/23/07, Jacob Jarick wrote:
> Forgive the newbie questions but I think it's best to clear up confusion.
>
> client - cisco - FR server = eap
> FR - ADS 2003 = pap
>
> Is that correct or am I way off track.
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
Alan, my test pc only supports PEAP over wireless and setup has to be wireless.

Removing ldap from the authenticate section causes an EAP error, so I guess there is more configuration than simply removing / commenting that section out.

I don't know how to not bind as a user when using FR + LDAP, no document I have seen so far seems to cover it.

What encryption do you use for the ldap password in radius.conf ? so that anonymous searches are not needed.

On 4/24/07, Jacob Jarick wrote:
> So the big question is, what Auth-Type do I use ?
>
> If LDAP is not permitted (still confuses me as I only need / want radius to authenticate against LDAP) what Auth-Type do I set in the users file so that Wireless users can authenticate using their ADS username and passwords.