Freeradius + LDAP for WPA-Enterprise

Gary Gatten Ggatten at waddell.com
Fri Feb 11 19:49:55 CET 2011


I don't think ntlm_auth makes any ldap calls.

From: Vinicius Teixeira Coelho [mailto:vinicius.ti at gmail.com]
Sent: Friday, February 11, 2011 12:41 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Freeradius + LDAP for WPA-Enterprise

Yes, but your samba is using the ldap

[]'s
--
Vinicius Teixeira Coelho

Registered Linux User #469313
The Ubuntu Counter Project - user number # 21463


On Fri, Feb 11, 2011 at 4:35 PM, Gary Gatten <Ggatten at waddell.com> wrote:
Yeah, but that’s SAMBA – not LDAP.  (Added "Password-With-Header == userPassword" to raddb / ldap.attrmap ) sounds interesting!

________________________________
From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org On Behalf Of Vinicius Teixeira Coelho
Sent: Friday, February 11, 2011 12:09 PM

To: FreeRadius users mailing list
Subject: Re: Freeradius + LDAP for WPA-Enterprise

Hello, I'm trying to do the same thing. I know I have to use winbind and samba to get it, but in reading the news I found this in freeradius 2.1: Added "Password-With-Header == userPassword" to raddb/ldap.attrmap. This will automatically convert more passwords.

[]'s
--
Vinicius Teixeira Coelho

Registered Linux User #469313
The Ubuntu Counter Project - user number # 21463

On Fri, Feb 11, 2011 at 3:37 PM, Gary Gatten <Ggatten at waddell.com> wrote:
I'm barely a novice with FR, so take this with a grain of salt:

You forced ALL Authentication requests to use LDAP.  EAP / LDAP don't play well together.  Remove the "Auth Type LDAP" - for now.

You almost "never" want to set the Auth-Type directly, FR figures it out from the request.  For testing and troubleshooting it's OK, and if you really know what the consequences are it's OK, but generally speaking don't set the auth type.

As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough.  But, I don't THINK you can authenticate EAP requests against LDAP directly because of the "no clear text password" issue.

Gary


-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org On Behalf Of Max Schröder
Sent: Friday, February 11, 2011 11:06 AM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius + LDAP for WPA-Enterprise

Hello to all,

I would like to use Freeradius to authenticate my wireless network using
OpenWRT and Freeradius + LDAP. What I've done:

First authenticated users in WLAN using EAP-TTLS and files in
Freeradius. WORKED! Then I've configured the ldap module + added "ldap" in
the authorize- and "Auth-Type LDAP { ldap }" in the
authenticate-section. The test via radtest succeeded.

But now the authentication using OpenWRT (EAP-TTLS) like the first try
with files - now with ldap - did not work. I did notice the following comment

# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
Auth-Type LDAP { ldap }

but I don't know what to change so that it works like my first try, with
the difference that the users are in LDAP instead of a file.

Hope to get any hints

Best regards.
MS
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."
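
The "no clear text password" issue discussed in this thread, as an added example (not written by any poster and not FreeRADIUS code): it splits the `{SCHEME}` header off an LDAP userPassword value and reports which EAP-TTLS inner methods a server could verify against it. The scheme names and compatibility sets are assumptions that follow common LDAP userPassword conventions, and the sample value is constructed.

```python
import base64
import hashlib
import hmac
import re

# Assumed compatibility sets: what a server can verify per stored form.
CLEARTEXT_METHODS = {"PAP", "CHAP", "EAP-MD5", "MSCHAPv2"}
ONE_WAY_METHODS = {"PAP"}
ONE_WAY_SCHEMES = {"MD5", "SMD5", "SHA", "SSHA", "CRYPT"}

def split_header(user_password):
    """Split '{SCHEME}data' into (SCHEME, data); no header means cleartext."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}(.*)", user_password, re.S)
    if not m:
        return "CLEARTEXT", user_password
    return m.group(1).upper(), m.group(2)

def usable_inner_methods(user_password):
    """Inner methods that can be checked against this stored value."""
    scheme, _ = split_header(user_password)
    if scheme in ("CLEAR", "CLEARTEXT"):
        return set(CLEARTEXT_METHODS)
    if scheme in ONE_WAY_SCHEMES:
        return set(ONE_WAY_METHODS)
    return set()  # unknown scheme: nothing can be verified

def verify_pap(user_password, candidate):
    """PAP delivers the password itself, so the server can recompute a hash."""
    scheme, data = split_header(user_password)
    if scheme in ("CLEAR", "CLEARTEXT"):
        return hmac.compare_digest(data.encode(), candidate.encode())
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest, then the salt
        expected = hashlib.sha1(candidate.encode() + salt).digest()
        return hmac.compare_digest(digest, expected)
    return False  # schemes other than cleartext and SSHA are not handled here

def chap_response(ident, password, challenge):
    """CHAP (RFC 1994): MD5(id || secret || challenge); needs the cleartext."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def make_ssha(password, salt):
    """Build a constructed {SSHA} sample value for the checks."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

SAMPLE = make_ssha("s3cret", b"\x01\x02\x03\x04")  # constructed sample
```

With a salted hash in the directory only PAP inside the TTLS tunnel can be checked; challenge-response inner methods require the server to hold the cleartext, because `chap_response` cannot be computed from the hash.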

