LDAP with CHAP - can't seem to make it work

Alan DeKok aland at deployingradius.com
Fri Apr 15 13:56:17 CEST 2016


On Apr 15, 2016, at 3:26 AM, Wein Michael <Michael.Wein at lotto-rlp.de> wrote:
> 
> We have been using freeradius to authenticate about 1000 network users for quite some years without any issues. Last week we experienced problems with one of the NAS our network providers use. Please be aware of the fact that we do not have direct influence on the configuration of this machine. While roughly 100 NASs use PAP for authentication against our LDAP-datastore getting an access accept, this NAS uses CHAP, leading radius to reject the request. In consequence the network users frequenting this NAS fall back on a more expensive means of connection, creating additional cost for us. 
> 
> In parallel to requesting the provider to fix this issue we are investigating now how to make LDAP work with CHAP. We followed the FAQ to this link and others in this section
> 
> http://wiki.freeradius.org/guide/FAQ#how-do-i_how-do-i-make-chap-work-with-ldap     
> 
> but found no real clue. We recreated the scenario in our testing environment and one guess so far is:
> ...
>        if ((ok || updated) && (User-Password || CHAP-Password)) {
>                update {
>                    control:Auth-Type = LDAP
>                }

  Don't do that.  It's not necessary.

> Doing the same with CHAP instead leads to a reject
> 
> client:

  Don't post that.  It's not necessary.

> server:

  It helps if you *read* the debug output.

> (3) Found Auth-Type = LDAP
> (3) # Executing group from file /etc/raddb/sites-enabled/vt1pppoe_localhost
> (3)  Auth-Type LDAP {
> (3) WARNING: ldap : You have set "Auth-Type := LDAP" somewhere.
> (3) WARNING: ldap : *********************************************
> (3) WARNING: ldap : * THAT CONFIGURATION IS WRONG.  DELETE IT.
> (3) WARNING: ldap : * YOU ARE PREVENTING THE SERVER FROM WORKING.
> (3) WARNING: ldap : *********************************************
> (3) ERROR: ldap : Attribute "User-Password" is required for authentication.

  What part of that isn't clear?
  
  LDAP is a database.  Use it as a database.  Don't use it as an authentication server.

  FreeRADIUS is an authentication server.  Let it authenticate users.

  Just list "ldap" in the "authorize" section, and let FreeRADIUS figure out how to authenticate users.  Be sure you have "pap" and "chap" listed in *both* the "authorize" and "authenticate" sections.

  And the default configuration works.  If you use the default configuration and configure the "ldap" module, CHAP authentication and LDAP will work.

  So... you put a lot of work into breaking the server.

  Don't do that.

  Alan DeKok.
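As an added illustration (not code from this thread or from FreeRADIUS itself), the Python below models the check the chap module performs once the ldap module has supplied the directory password: the server must recompute MD5(Ident || password || challenge) from RFC 1994 and compare it with the NAS's response, which is only possible when the stored password is available in cleartext. The sample password and challenge are constructed, and the `{header}` handling is a simplified stand-in for how the pap module normalises a Password-With-Header value, not the module's own logic.

```python
import hashlib
import hmac

# Constructed sample values: the cleartext password as it would arrive from the
# directory, and a 16-octet challenge as the NAS sends it in CHAP-Challenge
# (or, if that attribute is absent, the Request Authenticator).
CLEARTEXT_PASSWORD = b"correct horse"
CHALLENGE = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(Ident || secret || challenge), 16 octets."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What a NAS places in the RADIUS CHAP-Password attribute: Ident + response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, stored: str) -> tuple:
    """Server-side check. `stored` is the password string fetched from LDAP,
    optionally prefixed with a {header} such as {clear} or {SSHA}.
    Returns (accepted, reason)."""
    if len(chap_password) != 17:
        return False, "CHAP-Password must be 17 octets (ident + MD5 digest)"
    if len(challenge) != 16:
        return False, "challenge must be 16 octets"
    # Simplified header handling: only a cleartext value can be used, because
    # the server has to hash the cleartext itself. A digest like {SSHA}...
    # cannot be turned back into the password, so CHAP must fail.
    if stored.startswith("{") and "}" in stored:
        header = stored[: stored.index("}") + 1]
        if header.lower() not in ("{clear}", "{cleartext}"):
            return False, f"password stored as {header}; CHAP needs a cleartext password"
        stored = stored[len(header):]
    ident = chap_password[0]
    expected = chap_response(ident, stored.encode(), challenge)
    # Constant-time comparison of the 16-octet response.
    if hmac.compare_digest(expected, chap_password[1:]):
        return True, "ok"
    return False, "wrong password"


if __name__ == "__main__":
    attr = build_chap_password(7, CLEARTEXT_PASSWORD, CHALLENGE)
    print(verify_chap(attr, CHALLENGE, "correct horse"))
    print(verify_chap(attr, CHALLENGE, "{SSHA}c2FsdGVkaGFzaA=="))
```

Running it shows the accept for the cleartext case and the reject for a hashed directory password, which is the situation the thread's "User-Password is required" error points at.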
