HI,

Im now trying your suggestions for getting FR and PEAP working together. Below is the result of a radtest that I did.

The password that is being supplied by radtest is in plain-text, should I be supplying it in ntPassword-encrypted format?

It looks to me like I have something wrong with my authenticate section.

My authorize section looks like:

authorize {

        preprocess

        chap

        mschap

        suffix

        eap

        Autz-Type Ldap1 {

                redundant-load-balance{

                        unbldap

                        unbldap2

                }

                mschap

        }

}

The radtest result is below:

rad_recv: Access-Request packet from host 127.0.0.1 port 32769, id=97, length=55

        User-Name = "mda"

        User-Password = "abc123"

        NAS-IP-Address = 127.0.0.1

        NAS-Port = 0

Tue Jun 10 10:07:34 2008 : Debug: +- entering group authorize

Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0

Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0

Tue Jun 10 10:07:34 2008 : Debug: ++[preprocess] returns ok

Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 0

Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 0

Tue Jun 10 10:07:34 2008 : Debug: ++[chap] returns noop

Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 0

Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 0

Tue Jun 10 10:07:34 2008 : Debug: ++[mschap] returns noop

Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 0

Tue Jun 10 10:07:34 2008 : Debug:     rlm_realm: No '@' in User-Name = "mda", looking up realm NULL

Tue Jun 10 10:07:34 2008 : Debug:     rlm_realm: No such realm "NULL"

Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 0

Tue Jun 10 10:07:34 2008 : Debug: ++[suffix] returns noop

Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 0

Tue Jun 10 10:07:34 2008 : Debug:   rlm_eap: No EAP-Message, not doing EAP

Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 0

Tue Jun 10 10:07:34 2008 : Debug: ++[eap] returns noop

Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 0

Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 0

Tue Jun 10 10:07:34 2008 : Debug: ++[files] returns noop

Tue Jun 10 10:07:34 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

Tue Jun 10 10:07:34 2008 : Debug: auth: Failed to validate the user.

Tue Jun 10 10:07:34 2008 : Auth: Login incorrect: [mda] (from client localhost port 0)

Tue Jun 10 10:07:34 2008 : Debug: Delaying reject of request 0 for 1 seconds

Tue Jun 10 10:07:34 2008 : Debug: Going to the next request

Tue Jun 10 10:07:34 2008 : Debug: Waking up in 0.9 seconds.

Tue Jun 10 10:07:35 2008 : Debug: Sending delayed reject for request 0

Sending Access-Reject of id 97 to 127.0.0.1 port 32769

Tue Jun 10 10:07:35 2008 : Debug: Waking up in 4.9 seconds.

Tue Jun 10 10:07:40 2008 : Debug: Cleaning up request 0 ID 97 with timestamp +17

Tue Jun 10 10:07:40 2008 : Debug: Ready to process requests.

Any assistance is appreciated.


Thanks

Matt

mda@unb.ca

-----Original Message-----
From: Thibault Le Meur [mailto:Thibault.LeMeur@supelec.fr]
Sent: Monday, May 26, 2008 11:00 AM
To: mda@unb.ca; FreeRadius users mailing list
Subject: Re: FR and PEAP question

Matt Ashfield a écrit :

>

> Hi,

>

> We’re looking into using PEAP with MSChapV2, instead of PAP (don’t

> want to use the SecureW2 client anymore) so are investigating ways to

> store the password in LDAP.

>

> According to

> http://deployingradius.com/documents/protocols/compatibility.html ,the

> options are storing the password in Clear-Text or in an NT Hash

> (ntlm_auth).

>

> In talking with our LDAP people, I was told the following:

>

> SunOne does not support nt-hash passwords. Supported formats are

> CLEAR, CRYPT, DES, NS-MTA-MD5 (Netscape MD5), SHA, and SSHA.

>

> Fedora Directory Server 1.1.0 supports CLEAR, CRYPT, DES, MD5,

> NS-MTA-MD5, SHA, SHA256, SHA384, SHA512, SSHA, SSHA256, SSHA384, and

> SSHA512.

>

This means that your userPassword attribute must contain your password

in the previously mentionned has forms. This userPassword attribute is

used internally by your LDAP directory in order to authenticate your

access (bind) to the LDAP server.

> It sounds to me like if we want to do PEAP/MSChapV2 we’d have to store

> the password in cleartext? I would just like to verify this via this list.

>

Not necessarily. You may _not_ want to use ldap binding as the

authentication process, but only use your LDAP directory as a database

backend in which FR will read a given ldap attribute (different from

'userPassword') and maps it to the NT-Hash version of the user password.

In other words (setup for FR1.7):

* in your LDAP directory entries add a new attribute (that will hold the

NT-Hash version of the user password)

* update the configuration file ldap.attrmap so that the new ldap

attribute maps to the radius NT-Password attribute

* setup your rlm_ldap module and use it in the authorize section (NOT

the authenticate section)

* don't forget to use the mschap module in your authorize section (after

the ldap one) so that the MS-CHAP Authentication will see the encrypted

user password and sets Auth-Type accordingly

Hope this helps,

Thibault




> Any advice is appreciated.

>

> Thanks

>

> Matt

>

> mda@unb.ca

>

> ------------------------------------------------------------------------

>

> -

> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html