<div dir="ltr">Hi Alan,<div><br></div><div>That same wiki says 'T<span style="color:rgb(51,51,51);font-family:helvetica,arial,freesans,clean,sans-serif;font-size:13px;line-height:21.3439998626709px">he ldap module can only work with PAP passwords since it needs to send the clear text user password to the LDAP server to authenticate the user.' I might be mis-understanding as im new to Radius, but that doesnt sound to positive. Anyway... I'm hoping to find a workaround</span></div>
<div><span style="color:rgb(51,51,51);font-family:helvetica,arial,freesans,clean,sans-serif;font-size:13px;line-height:21.3439998626709px"><br></span></div><div><span style="color:rgb(51,51,51);font-family:helvetica,arial,freesans,clean,sans-serif;font-size:13px;line-height:21.3439998626709px">So I checked my sites-enabled/default and it does have the LDAP module listed:</span></div>
<div><span style="color:rgb(51,51,51);font-family:helvetica,arial,freesans,clean,sans-serif;font-size:13px;line-height:21.3439998626709px">(I striped out the comments and highlighted the bits I changed) </span></div><div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px">--------------------------------------------------------</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px">authorize {</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># auth_log</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> chap</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> mschap</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> digest</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># wimax</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># IPASS</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> suffix</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> eap {</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> ok = return</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> }</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># unix</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"><b><u># files</u></b></span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># sql</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># etc_smbpasswd</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"><b> <u>ldap</u></b></span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># daily</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># checkval</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"><br>
</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> expiration</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> logintime</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> pap</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># Autz-Type Status-Server {</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px">#</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># }</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px">}</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"><br>
</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px">authenticate {</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> Auth-Type PAP {</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> pap</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> }</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> Auth-Type CHAP {</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> chap</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> }</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> Auth-Type MS-CHAP {</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> mschap</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> }</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># pam</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> unix</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"><b> <u>Auth-Type LDAP</u> {</b></span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"><b> <u>ldap</u></b></span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"><b> }</b></span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> Allow EAP authentication.</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"> eap</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># Auth-Type eap {</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># eap {</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># handled = 1</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># }</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># if (handled && (Response-Packet-Type == Access-Challenge)) {</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># attr_filter.access_challenge.post-auth</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># }</span></font></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"># }</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px">}</span></font></div>
</div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px">--------------------------------------------------------</span><br></font></div><div><br></div>
<div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px">In addition here is the output of my debug:</span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px">--------------------------------------------------------</span><br>
</font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"><div>rad_recv: Access-Request packet from host 10.x.x.100 port 62061, id=2, length=50</div>
<div> User-Name = "adamjseed"</div><div> CHAP-Password = 0x84bafb904d422b61c5bd8dcf5c2d4xxxx</div><div># Executing section authorize from file /etc/freeradius/sites-enabled/default</div><div>+- entering group authorize {...}</div>
<div>++[preprocess] returns ok</div><div>[chap] Setting 'Auth-Type := CHAP'</div><div>++[chap] returns ok</div><div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "adamjseed", looking up realm NULL</div>
<div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] No EAP-Message, not doing EAP</div><div>++[eap] returns noop</div><div>[ldap] performing user authorization for adamjseed</div>
<div>[ldap] expand: %{Stripped-User-Name} -></div><div>[ldap] ... expanding second conditional</div><div>[ldap] expand: %{User-Name} -> adamjseed</div><div>[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=adamjseed)</div>
<div>[ldap] expand: dc=example,dc=com -> dc=example,dc=com</div><div> [ldap] ldap_get_conn: Checking Id: 0</div><div> [ldap] ldap_get_conn: Got Id: 0</div><div> [ldap] performing search in dc=example,dc=com, with filter (uid=adamjseed)</div>
<div>[ldap] No default NMAS login sequence</div><div>[ldap] looking for check items in directory...</div><div> [ldap] userPassword -> Password-With-Header == "{MD5}1hkMdaNUxxbUu/hufTrjtQ=="</div><div>[ldap] looking for reply items in directory...</div>
<div>[ldap] user adamjseed authorized to use remote access</div><div> [ldap] ldap_release_conn: Release Id: 0</div><div>++[ldap] returns ok</div><div>++[expiration] returns noop</div><div>++[logintime] returns noop</div>
<div>[pap] WARNING: Auth-Type already set. Not setting to PAP</div><div>++[pap] returns noop</div><div>Found Auth-Type = CHAP</div><div># Executing group from file /etc/freeradius/sites-enabled/default</div><div>+- entering group CHAP {...}</div>
<div>[chap] login attempt by "adamjseed" with CHAP password</div><div>[chap] Cleartext-Password is required for authentication</div><div>++[chap] returns invalid</div><div>Failed to authenticate the user.</div><div>
Using Post-Auth-Type Reject</div><div># Executing group from file /etc/freeradius/sites-enabled/default</div><div>+- entering group REJECT {...}</div><div>[attr_filter.access_reject] expand: %{User-Name} -> adamjseed</div>
<div> attr_filter: Matched entry DEFAULT at line 11</div><div>++[attr_filter.access_reject] returns updated</div><div>Delaying reject of request 2 for 1 seconds</div><div>Going to the next request</div><div>Waking up in 0.9 seconds.</div>
<div>Sending delayed reject for request 2</div><div>Sending Access-Reject of id 2 to 10.x.x.100 port 62061</div></span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px">--------------------------------------------------------</span><br>
</font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px"><br></span></font></div><div><font color="#333333" face="helvetica, arial, freesans, clean, sans-serif"><span style="line-height:21.3439998626709px">Any assistant is greatly welcomed.</span></font></div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Mar 3, 2014 at 9:21 AM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="">Adam Seed wrote:<br>
> I have a freeraidus server set up which uses an openLDAP back for its<br>
> users and groups while it works fine for PAP passwords, it seams most<br>
> clients are wanting to use CHAP. I have read that CHAP passwords will<br>
> not work<br>
<br>
</div> Where?<br>
<div class=""><br>
> however on the faq its says; ' There are however provisions to<br>
> extract the user password from the LDAP and make it available to the<br>
> server core and the chap module' (<a href="http://wiki.freeradius.org/guide/faq" target="_blank">http://wiki.freeradius.org/guide/faq</a>).<br>
> How is this done/setup?<br>
<br>
</div> You configure the LDAP module, and make sure it's listed in<br>
sites-enabled/default, in the "authorize" section.<br>
<br>
FreeRADIUS will pull the password from the database, and authenticate<br>
the user.<br>
<span class=""><font color="#888888"><br>
Alan DeKok.<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</font></span></blockquote></div><br></div></div>