FreeRadius and Openldap authentication
Sébastien Cantos
scantos at technodiva.com
Mon Jan 2 13:18:03 CET 2006
Hi,
I would say that you can't test your EAP auth directly using radtest, because
radtest doesn't send an EAP-Message in its requests. You have two choices
here: use radclient with the correct params to test EAP, or take a real Windows
client and configure auth to be EAP.
Regards,
--
Sebastien Cantos <scantos at technodiva.com>
Network / System Manager
Neopost DIVA
> -----Original Message-----
> From: freeradius-users-bounces+scantos=technodiva.com at lists.freeradius.org
> [mailto:freeradius-users-bounces+scantos=technodiva.com at lists.freeradius.org]
> On behalf of rwakim at mind-techno.fr
> Sent: Monday, 2 January 2006 11:46
> To: freeradius-users at lists.freeradius.org
> Subject: FreeRadius and Openldap authentication
>
> Hello,
>
> I'm pretty new to LDAP and RADIUS. I'm trying to put up 802.x
> authentication, but I have difficulties setting it up correctly.
>
> Here is my problem:
>
> When I start the radtest binary:
>
> radtest "test" "supersecret" localhost 2 testing123
>
> Here is the result:
>
> Sending Access-Request of id 45 to 127.0.0.1:1812
> User-Name = "test"
> User-Password = "supersecret"
> NAS-IP-Address = lavoisier
> NAS-Port = 2
> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=45,
> length=20
>
>
> Here is the log on the radius server (Started with radiusd -X):
>
> rad_recv: Access-Request packet from host 127.0.0.1:61292, id=50,
> length=56
> User-Name = "test"
> User-Password = "supersecret"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 2
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 3
> modcall[authorize]: module "preprocess" returns ok for request 3
> modcall[authorize]: module "chap" returns noop for request 3
> modcall[authorize]: module "mschap" returns noop for request 3
> rlm_realm: No '@' in User-Name = "test", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 3
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 3
> users: Matched entry DEFAULT at line 78
> users: Matched entry DEFAULT at line 160
> modcall[authorize]: module "files" returns ok for request 3
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for test
> radius_xlat: '(uid=test)'
> radius_xlat: 'dc=fr'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=fr, with filter (uid=test)
> rlm_ldap: checking if remote access for test is allowed by
> radiusFilterId
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Adding radiusFilterId as Filter-Id, value
> Enterasys:version=1:policy=Enterprise User & op=11
> rlm_ldap: user test authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 3
> modcall: group authorize returns ok for request 3
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 3
> rlm_eap: EAP-Message not found
> rlm_eap: Malformed EAP Message
> modcall[authenticate]: module "eap" returns fail for request 3
> modcall: group authenticate returns fail for request 3
> auth: Failed to validate the user.
> Login incorrect: [test] (from client localhost port 2)
> Delaying request 3 for 1 seconds
> Finished request 3
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 50 to 127.0.0.1:61292
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 3 ID 50 with timestamp 43b8f992
> Nothing to do. Sleeping until we see a request.
>
>
> For the moment I have one box running OpenLDAP on a Debian/SPARC and one
> box running FreeRADIUS on a FreeBSD 5.3/SPARC.
>
> The LDAP user info:
>
> dn: cn=test,ou=users, dc=fr
> userPassword:: e1NIQX1jTWc1Y3dTazFuUEdMZW56UUw5UEdpV1pHSVU9
> ou: ou=mind-techno,dc=fr
> objectClass: top
> objectClass: person
> objectClass: pilotPerson
> objectClass: radiusProfile
> janetMailbox: test at mind-techno.fr
> sn: test
> cn: test
>
>
> The slapd conf file:
>
> access to dn="cn=.*,dc=fr" attr=userPassword
> by dn="cn=admin,dc=fr" write
> by anonymous auth
> by self write
> by * none
>
>
>
> The RADIUS radiusd.conf file:
>
> ldap {
> server = "galilee.mind-techno.fr"
>
> identity = "cn=emanager,dc=fr"
> password = "XXXXXXXXXXXXXX"
>
> basedn = "dc=fr"
>
> filter = "(uid=%u)"
> # base_filter = "(objectclass=radiusprofile)"
>
> start_tls = no
>
> access_attr = "radiusFilterId"
>
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> #authtype = ldap
>
> ldap_connections_number = 5
>
> password_attribute = "userPassword"
> timeout = 4
> timelimit = 3
> net_timeout = 1
> }
>
>
>
> authenticate {
>
> # Uncomment it if you want to use ldap for authentication
> #
> # Note that this means "check plain-text password against
> # the ldap database", which means that EAP won't work,
> # as it does not supply a plain-text password.
> Auth-Type LDAP {
> ldap
> }
>
> #
> # Allow EAP authentication.
> eap
> }
>
> The RADIUS users file:
>
> DEFAULT Auth-Type := EAP
> Fall-Through = 1
> # Reply-Message = "LDAP"
>
>
>
> I must admit I'm pretty lost in all this, and any help would be
> nice.
>
>
> I would be grateful if you had a how-to or tutorial on how to build an
> easy and working 802.x authentication with a RADIUS/LDAP system.
>
> Best regards,
>
> --
> M. Robert Wakim
> Mind Technologies
>
> 24 rue Victor Hugo
> 94220 Charenton-Le-Pont
> FRANCE
>
> tel : +33 (0)1 41 79 09 40
> Fax : +33 (0)1 43 68 80 32
>
> Email : rwakim at mind-techno.fr
> web : http://www.mind-techno.fr
>
>
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
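The reply's point (radtest sends a PAP User-Password and no EAP-Message, so a users file that forces Auth-Type := EAP can only fail with "EAP-Message not found") is easier to see on the wire. The following is an added example, not code from the thread or from FreeRADIUS: it builds the two kinds of Access-Request from the RFCs (RFC 2865 for the PAP password hiding, RFC 3579 for EAP-Message plus Message-Authenticator) and classifies a packet the way the server's authorize step does. The shared secret, request authenticator and user name are constructed test values taken from the quoted radtest command; a real client uses a random authenticator per request.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# EAP header values (RFC 3748)
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

HEADER = struct.Struct("!BBH")  # code, identifier, length


def attr(atype, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return bytes([atype, len(value) + 2]) + value


def encode_user_password(password, secret, authenticator):
    """Hide a PAP password with the MD5 keystream of RFC 2865 section 5.2."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(hidden, secret, authenticator):
    """Reverse of encode_user_password (the server side); drops the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def _packet(ident, authenticator, attrs):
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_pap_request(ident, username, password, secret, authenticator,
                      nas_ip=b"\xff\xff\xff\xff", nas_port=2):
    """The shape radtest sends: User-Password present, no EAP-Message at all."""
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, encode_user_password(password, secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, nas_ip)
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return _packet(ident, authenticator, attrs)


def build_eap_identity_request(ident, username, secret, authenticator, eap_id=1,
                               nas_ip=b"\xff\xff\xff\xff", nas_port=2):
    """First leg of an EAP exchange: EAP-Response/Identity plus Message-Authenticator."""
    eap = HEADER.pack(EAP_RESPONSE, eap_id, 5 + len(username)) + bytes([EAP_TYPE_IDENTITY]) + username
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_NAS_IP_ADDRESS, nas_ip)
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + attr(ATTR_EAP_MESSAGE, eap)
             + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    pkt = _packet(ident, authenticator, attrs)
    # RFC 3579 section 3.2: HMAC-MD5 keyed with the secret over the whole
    # packet, computed with the Message-Authenticator value set to zeros.
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute here


def parse_attributes(packet):
    """Return (code, identifier, authenticator, [(type, offset, value), ...])."""
    code, ident, length = HEADER.unpack_from(packet, 0)
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, pos, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC with the attribute zeroed and compare in constant time."""
    _, _, _, attrs = parse_attributes(packet)
    for atype, pos, value in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def classify_request(packet, secret):
    """What the server's authorize step concludes about an Access-Request."""
    _, _, _, attrs = parse_attributes(packet)
    present = {atype for atype, _, _ in attrs}
    if ATTR_EAP_MESSAGE in present:
        # RFC 3579 requires a valid Message-Authenticator next to EAP-Message
        return "eap" if verify_message_authenticator(packet, secret) else "eap-invalid"
    if ATTR_USER_PASSWORD in present:
        return "pap"  # the quoted log: "No EAP-Message, not doing EAP"
    return "none"


if __name__ == "__main__":
    secret, ra = b"testing123", bytes(range(16))  # constructed test values
    pap = build_pap_request(45, b"test", b"supersecret", secret, ra)
    eap = build_eap_identity_request(45, b"test", secret, ra)
    print(len(pap), classify_request(pap, secret))  # 56 bytes, like the quoted log
    print(len(eap), classify_request(eap, secret))
```

Forcing `Auth-Type := EAP` in the users file therefore rejects every request of the first shape, which is exactly what a radtest run produces; only a request of the second shape, as radclient or a real supplicant sends it, lets rlm_eap do anything.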