Freeradius, EAP-PEAP, LDAP and users file...

Phil Mayers p.mayers at imperial.ac.uk
Wed Apr 2 18:41:25 CEST 2008


Marco Gaiarin wrote:
> [i'm not subscribed to this list, so, please, put me on CC]
> 
> I've just set up a 'test installation' of freeradius in a debian etch
> box (using freeradius 1.1.3 recompiled by me to support EAP-TLS).

Upgrade to 1.1.7 at least.

> 
> In my environments there's always an LDAP server that serves, among other
> things, also a samba3 server using standard stuff (smbldap-tools, ...).
> Clearly my users are mostly (ahem, totally ;( ) windows XPsp2.
> 
> 
> Firstly I've set up all the stuff using winbind/ntlm_auth to do the
> MS-CHAP auth, but because I know that in LDAP the NT-Password is
> simply stored, and looking at the (deprecated) /etc/smbpasswd module
> with the aid of some google, I've finally reached a good (for me)
> working point: the ldap module extracts NT-Password and gives it to the mschap
> module for authentication, with the bonus of group filtering, all in
> LDAP (I've disabled 'unix')...

> 
> The strange thing, the only strangeness I've found, is that I was forced to
> insert an explicit 'deny' rule in the users file, e.g. my users are:
> 
>  DEFAULT Service-Type == Framed-User, Ldap-Group == "ced"
>  DEFAULT Service-Type == Framed-User, Ldap-Group == "diramm"
>  DEFAULT Service-Type == Framed-User, Ldap-Group == "ricerca"
>  DEFAULT Service-Type == Framed-User, Ldap-Group == "*", Auth-Type := Reject
>         Reply-Message = "Gruppo non autorizzato"
> 
> If I remove the last entry, the user gets authenticated.

Yes

> 
> 
> But the users file was 'no match, no party'? What am I missing?

What does "no match no party" mean?

In all probability, you've got something like:

authorize {
   preprocess
   eap
   mschap
   ldap
   files
}
authenticate {
   Auth-Type MSCHAP {
     mschap
   }
   eap
}

...if so, mschap (or eap, for the outer module) finds the relevant 
attributes, sets Auth-Type to itself, and processes the request; if the 
user has a password, they're authenticated. If you want to deny people 
you need to do that.

Since you're not subscribed to the mailing list and haven't read the 
documents, you have failed to see the advice repeated daily; namely, to 
run radiusd under debugging with "radiusd -X", examine the output and if 
you can't figure out what it's saying, post that output here.
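Added example, not FreeRADIUS code and not from either poster: a simplified Python model of the files module walking the users entries from the thread, with the authorize order above (mschap before files). The Ldap-Group lookup is a constructed in-memory table standing in for the ldap module, and the model assumes `Ldap-Group == "*"` matches any user.

```python
# Constructed group membership standing in for the ldap module's Ldap-Group check.
GROUPS = {"alice": {"ced"}, "bob": {"visitors"}}

# users-file entries as (check items, reply items); a check item is (attr, op, value).
ALLOWED = [
    ([("Service-Type", "==", "Framed-User"), ("Ldap-Group", "==", "ced")], {}),
    ([("Service-Type", "==", "Framed-User"), ("Ldap-Group", "==", "diramm")], {}),
    ([("Service-Type", "==", "Framed-User"), ("Ldap-Group", "==", "ricerca")], {}),
]
DENY = ([("Service-Type", "==", "Framed-User"), ("Ldap-Group", "==", "*"),
         ("Auth-Type", ":=", "Reject")], {"Reply-Message": "Gruppo non autorizzato"})

def check_matches(item, request, user):
    attr, op, value = item
    if op == ":=":
        return True                      # ":=" in a check list sets a value, it never fails
    if attr == "Ldap-Group":             # assumption of this model: "*" matches any user
        return value == "*" or value in GROUPS.get(user, set())
    return request.get(attr) == value

def files_authorize(entries, request, user, config):
    """First entry whose check items all match wins (no Fall-Through used here).
    No match returns 'noop': the files module does not reject on its own."""
    for checks, replies in entries:
        if all(check_matches(c, request, user) for c in checks):
            for attr, op, value in checks:
                if op == ":=":
                    config[attr] = value  # Auth-Type := Reject overrides what mschap set
            return "ok", dict(replies)
    return "noop", {}

def authorize(entries, request, user):
    """authorize { ... mschap; ldap; files }: mschap claims the request first."""
    config = {}
    if "MS-CHAP-Challenge" in request:
        config.setdefault("Auth-Type", "MS-CHAP")
    _rc, reply = files_authorize(entries, request, user, config)
    return config.get("Auth-Type"), reply

# Constructed MS-CHAP request; only the attributes the checks look at are modelled.
REQUEST = {"Service-Type": "Framed-User", "MS-CHAP-Challenge": "constructed"}

if __name__ == "__main__":
    for users_file in (ALLOWED, ALLOWED + [DENY]):
        label = "with deny entry" if DENY in users_file else "without deny entry"
        for user in ("alice", "bob"):
            print(user, label, authorize(users_file, REQUEST, user))
```

Without the catch-all entry, bob (in no listed group) leaves files with "noop" and keeps the Auth-Type mschap already set, which is why he authenticates; only the `Auth-Type := Reject` entry turns a non-match into a rejection.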
