LDAP authorization - Attribute "User-Password" is required for authentication
Neil Marjoram
n.marjoram at adastral.ucl.ac.uk
Tue Jun 17 16:12:00 CEST 2008
Alan,
Thanks, yes 2.0.5 ran out of box almost! Just got to customise the
certs, sometime after testing. Still have a couple of issues I can't
resolve, I'll post separately.
Thanks,
Neil.
Alan DeKok wrote:
> Neil Marjoram wrote:
>> I am using a Netgear WAG102 Wireless access point to authorise to Radius,
>> which in turn uses LDAP. radtest from the command line of the local host
>> authenticates no problem, but I understand that it is a possibility that
>> the Netgear passes the MAC address of the laptop through to use as a
>> password.
>>
>> I am unable to understand how to map this in LDAP and keep getting :
>> Attribute "User-Password" is required for authentication
>
> You have forced "Auth-Type := LDAP" in your configuration. Don't do
> that. i.e. You have:
>
> rlm_ldap: Adding radiusAuthType as Auth-Type == LDAP
>
> DELETE the "radiusAuthType" from your LDAP configuration. It is NOT
> needed, and it's making authentication fail.
>
> It also looks like you've deleted most of the modules from the
> "authorize" section. Don't do that. Use the default configuration.
> It's there for a purpose: it works.
>
> It also looks like you haven't configured PEAP or TTLS. You MUST
> configure them for wireless authentication.
>
>> I am using the radiusProfile for each user in LDAP that I allow access
>> via wireless.
>>
>> I am pretty new to Radius so I am sure I have some config wrong here
>> somewhere. I am currently testing on Ubuntu 8.04, and have Freeradius
>> 1.1.7.
>
> I understand why Ubuntu chose to use 1.1.7, but still.... Version
> 2.0.5 is much, much better.
>
> My recommendation for a quick fix:
>
> 1) Install 2.0.5. It's much better than 1.1.7.
> 2) start with default config
> 3) configure the LDAP module as you have done already (modules section,
> un-comment ldap in the "authorize" and "authenticate" sections of
> raddb/sites-available/* (use "grep ldap *").
> 4) do NOT set "radiusAuthType" in your LDAP directory.
> 5) Test with 'radtest'. It should work.
> 6) Test with a wireless client (un-check "validate server certificate")
> It should work.
>
> 2.0.5 makes it trivial to get PEAP and TTLS working. It's a lot
> harder to do that in 1.1.7.
>
> Alan DeKok.
--
Neil Marjoram
Systems Manager
Adastral Park Campus
University College London
Ross Building
Adastral Park
Martlesham Heath
Ipswich - Suffolk
IP5 3RE
Tel: 01473 663711
Fax: 01473 635199
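
Step 4 of the quoted advice (no "radiusAuthType" in the LDAP directory) can be checked offline against an LDIF export of the user subtree. The script below is an added example, not part of the original thread or of FreeRADIUS; the function names and the sample entries are constructed for illustration, and it assumes the export already exists as a file.

```shell
#!/bin/sh
# Added example: list LDAP entries that still carry radiusAuthType.
# Input: an LDIF export of the user subtree (assumed to exist already).

# find_radius_authtype FILE -> one "dn<TAB>value" line per offending entry.
# Base64 values (attr:: ...) are printed undecoded.
find_radius_authtype() {
    awk '
    function flush_line() {
        if (cur == "") return
        name = tolower(cur); sub(/:.*/, "", name)
        val = cur; sub(/^[^:]*::?[ ]*/, "", val)
        if (name == "dn") dn = val
        else if (name == "radiusauthtype") printf "%s\t%s\n", dn, val
        cur = ""
    }
    # LDIF folds long lines: a leading space continues the previous line.
    /^ / { if (!skip) cur = cur substr($0, 2); next }
    /^#/ { flush_line(); skip = 1; next }      # comment (and its folds)
    /^$/ { flush_line(); dn = ""; next }       # blank line ends an entry
         { flush_line(); skip = 0; cur = $0 }
    END  { flush_line() }
    ' "$1"
}

# Constructed sample export (not data from the original thread).
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: radiusProfile
uid: alice
radiusAuthType: LDAP

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: radiusProfile
uid: bob

# folded DN and mixed-case attribute name
dn: uid=carol,ou=people,
 dc=example,dc=org
RadiusAuthType: LDAP
EOF
}
```

Every DN it prints is an entry whose "radiusAuthType" value would be turned into an Auth-Type check item, as in the "rlm_ldap: Adding radiusAuthType as Auth-Type == LDAP" debug line quoted above.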