Problem with freeradius and LDAP: crypt and MD5 password

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Mon Apr 13 11:29:25 CEST 2015


> One more question, in freeradius 2.1.12, can I get the authentication
> result from the bind result?

What do you mean by 'can I get the authentication result'? If you can bind successfully to the LDAP directory with the username and password, then that's success. With FreeRADIUS 3.x, it's a *lot* simpler to use LDAP bind-as-user than with 2.1.12, and the article you referenced refers to FR 3.x. 

Look at your inner-tunnel file (in sites-enabled):

- What have you got in the 'authorize' section?

You should place something like this in it (after the pap entry):

if (User-Password) {
    update control {
        Auth-Type := ldap
        Ldap-UserDN := "uid=%{User-Name},ou=people,dc=unex,dc=es"
    }
}

- What have you got in the 'authenticate' section? Do you have something called 'Auth-Type PAP' there?

In that entry you have a single line: 'pap'. Comment it out, then put 'ldap' in its place.

You should also have a set of commented-out entries like so:

# Auth-Type LDAP {
#     ldap
# }

Remove the comment from the line that says 'ldap'.

Then, in the eap.conf file, look for the first 'default_eap_type' line. It may be set to 'md5'. Set that to 'ttls'. That sets the default type of EAP to TTLS. Then scroll down to find a line that starts with 'ttls {' (should be around line 500). There's another 'default_eap_type' there. That is probably also set to 'md5'. You can set that to 'gtc', which gives you EAP-GTC, which in turn gives you PAP.

Now, to test this, try the following on the FreeRADIUS server itself (while it is running in debug mode, i.e. 'radiusd -X'):

radtest -t pap aigallardo your_password 127.0.0.1:18120 1 testing123

You *should* see it bind correctly... If it binds correctly, then use eapol_test (see http://deployingradius.com/scripts/eapol_test/) to test the full end-to-end system. If it does not bind correctly, post the *full* debug output so we can have a look. 

:-)

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

jisc.ac.uk
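The following is an added example and not part of Stefan's reply: a POSIX shell script that rehearses the four edits above (the update control block after pap in authorize, ldap in place of pap under Auth-Type PAP, the uncommented ldap line, and the two default_eap_type changes in eap.conf) on throwaway copies of inner-tunnel and eap.conf, then checks the result mechanically before anything touches the live raddb. The stand-in file contents, the $WORK directory and the function names are constructed for the example; the DN, the Auth-Type := ldap update and the radtest invocation are the ones given in the reply.

```shell
#!/bin/sh
# Added example, not from the original post: rehearse the reply's edits on
# throwaway copies of inner-tunnel and eap.conf, then check the result. File
# contents are constructed, cut-down stand-ins for the stock FR 2.1.x files.
set -eu
WORK="${WORK:-$(mktemp -d)}"

write_stock_files() {
    # Constructed stand-in for sites-enabled/inner-tunnel (4-space indent).
    cat > "$WORK/inner-tunnel" <<'EOF'
server inner-tunnel {
authorize {
    chap
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
#    Auth-Type LDAP {
#        ldap
#    }
    eap
}
}
EOF
    # Constructed stand-in for eap.conf: outer and TTLS-inner default both md5.
    cat > "$WORK/eap.conf" <<'EOF'
eap {
    default_eap_type = md5
    ttls {
        default_eap_type = md5
        virtual_server = "inner-tunnel"
    }
}
EOF
    cp "$WORK/inner-tunnel" "$WORK/inner-tunnel.orig"; cp "$WORK/eap.conf" "$WORK/eap.conf.orig"
}

# Reply, steps 1-3: force Auth-Type ldap after pap in authorize, put ldap in
# place of pap inside Auth-Type PAP, uncomment the ldap line in authenticate.
edit_inner_tunnel() {
    awk '
    $0 == "authorize {"    { sect = "authorize" }
    $0 == "authenticate {" { sect = "authenticate" }
    sect == "authorize" && $0 == "    pap" {
        print
        print "    if (User-Password) {"
        print "        update control {"
        print "            Auth-Type := ldap"
        print "            Ldap-UserDN := \"uid=%{User-Name},ou=people,dc=unex,dc=es\""
        print "        }"
        print "    }"
        next
    }
    sect == "authenticate" && $0 == "    Auth-Type PAP {" { inpap = 1 }
    inpap && $0 == "        pap" { print "        #pap"; print "        ldap"; next }
    inpap && $0 == "    }"       { inpap = 0 }
    sect == "authenticate" && $0 == "#        ldap" { print "        ldap"; next }
    { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Reply, step 4: first default_eap_type -> ttls, the one under "ttls {" -> gtc.
edit_eap_conf() {
    awk '
    index($0, "ttls {") { inttls = 1 }
    index($0, "default_eap_type") {
        if (!seen)       { sub(/=.*/, "= ttls"); seen = 1 }
        else if (inttls) { sub(/=.*/, "= gtc");  inttls = 0 }
    }
    { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

pap_block() {   # lines inside the Auth-Type PAP { } block
    awk '$0 == "    Auth-Type PAP {" { b = 1; next } b && $0 == "    }" { b = 0 } b' "$1"
}

# 0 if the inner-tunnel file carries every edit the reply asks for, else 1.
check_inner_tunnel() {
    grep -q 'Auth-Type := ldap' "$1" || return 1
    grep -qF 'Ldap-UserDN := "uid=%{User-Name},ou=people,dc=unex,dc=es"' "$1" || return 1
    pap_block "$1" | grep -q '^ *ldap$' || return 1
    if pap_block "$1" | grep -q '^ *pap$'; then return 1; fi   # pap still live
    if grep -q '^# *ldap$' "$1"; then return 1; fi              # ldap still commented
}

# 0 if the outer default_eap_type is ttls and the one inside ttls { } is gtc.
check_eap_conf() {
    outer=$(awk 'index($0, "default_eap_type") { print $3; exit }' "$1")
    inner=$(awk 'index($0, "ttls {") { t = 1 } t && index($0, "default_eap_type") { print $3; exit }' "$1")
    [ "$outer" = "ttls" ] && [ "$inner" = "gtc" ]
}

write_stock_files
edit_inner_tunnel "$WORK/inner-tunnel"
edit_eap_conf "$WORK/eap.conf"
check_inner_tunnel "$WORK/inner-tunnel" && check_eap_conf "$WORK/eap.conf" ||
    { echo "rehearsal failed, inspect $WORK" >&2; exit 1; }
echo "verified under $WORK; now run radiusd -X, then: radtest -t pap <user> <password> 127.0.0.1:18120 1 testing123"
```

Run it with sh; it leaves the edited files next to their .orig copies in the directory it reports, so you can diff them before copying anything into raddb. The awk keeps track of which section it is in rather than doing a plain sed on 'pap' because the word appears twice, once in authorize and once inside Auth-Type PAP, and only the first occurrence gets the update control block.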
