Alan DeKok wrote:
Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
1.) PAP is just the clear-text password???
Yes.
-> I thought pap is hashing the password with a challenge (MD-5).
Stop worrying about it. PAP is the clear-text password.
Got it now, thanks!
So I want to the server to hold a crypted Password (MD-5) for PAP, but retrieving that from the ldap server.
If the LDAP server has a clear-text password for MS-CHAP, you might as well use it for PAP. Trying to make PAP use a crypt'd password is a waste of time, and doesn't gain anything.
OK, now I found the mistake: 1.) my head 2.) pap-section: was set to crypt!!!
2.) I do not want to do any binding to the ldap for authentication!
So... don't list "ldap" in the "authenticate" section.
Sorry, but I do not list ldap in the "authenticate" section! radiusd.conf: authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. # digest # # Pluggable Authentication Modules. # pam # # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # # unix # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # Auth-Type LDAP { # ldap # } # # Allow EAP authentication. eap } LOG: rad_recv: Access-Request packet from host 131.188.78.116:1967, id=58, length=47 User-Name = "unrz148" User-Password = "unrz148" Thu Jun 23 08:25:36 2005 : Debug: Processing the authorize section of radiusd.conf Thu Jun 23 08:25:36 2005 : Debug: modcall: entering group authorize for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "preprocess" returns ok for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "chap" returns noop for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "mschap" returns noop for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: - authorize Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: performing user authorization for unrz148 Thu Jun 23 08:25:36 2005 : Debug: radius_xlat: '(Userid=unrz148)' Thu Jun 23 08:25:36 2005 : Debug: radius_xlat: 'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE' Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrz148) request 12 done Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: checking if remote access for unrz148 is allowed by uid Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: looking for check items in directory... Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: Adding fauUserid as Password, value unrz148 & op=21 Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: Adding ntPassword as NT-Password, value 925B509D0BD4D37992897EEEC91072C1 & op=21 Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: Adding lmPassword as LM-Password, value AC8398A336F64627FDCFC2AFB2D1BE34 & op=21 Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: looking for reply items in directory... Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: user unrz148 authorized to use remote access Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "ldap" returns ok for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: rlm_eap: No EAP-Message, not doing EAP Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "eap" returns noop for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 10 Thu Jun 23 08:25:36 2005 : Debug: rlm_realm: No '@' in User-Name = "unrz148", looking up realm NULL Thu Jun 23 08:25:36 2005 : Debug: rlm_realm: No such realm "NULL" Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "suffix" returns noop for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling files (rlm_files) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "files" returns notfound for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall: group authorize returns ok for request 10 Thu Jun 23 08:25:36 2005 : Debug: rad_check_password: Found Auth-Type LDAP <<<< Where does this come from? # I use the NTRadPing Test Utility Thu Jun 23 08:25:36 2005 : Debug: auth: type "LDAP" Thu Jun 23 08:25:36 2005 : Debug: ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. Thu Jun 23 08:25:36 2005 : Debug: auth: Failed to validate the user. Thu Jun 23 08:25:36 2005 : Auth: Login incorrect: [unrz148/unrz148] (from client Windows port 0) Thu Jun 23 08:25:36 2005 : Debug: Delaying request 10 for 1 seconds Thu Jun 23 08:25:36 2005 : Debug: Finished request 10 Thu Jun 23 08:25:36 2005 : Debug: Going to the next request Thu Jun 23 08:25:36 2005 : Debug: --- Walking the entire request list --- Thu Jun 23 08:25:36 2005 : Debug: Waking up in 1 seconds... Thu Jun 23 08:25:37 2005 : Debug: --- Walking the entire request list --- Thu Jun 23 08:25:37 2005 : Debug: Waking up in 1 seconds... Thu Jun 23 08:25:38 2005 : Debug: --- Walking the entire request list --- Sending Access-Reject of id 58 to 131.188.78.116:1967 Thu Jun 23 08:25:38 2005 : Debug: Waking up in 1 seconds... Thu Jun 23 08:25:39 2005 : Debug: --- Walking the entire request list --- Thu Jun 23 08:25:39 2005 : Debug: Cleaning up request 9 ID 57 with timestamp 42ba55dd
3.) For authentication I want to provide PAP, CHAP, and PEAP+TLS using MsCHAPv2.
How can I do that? If use the radiusd.conf as it comes the radius wants to use ldap for authentication.
No, it doesn't. The default radiusd.conf doesn't use ldap at *all*.
authenticate { ... ldap { pap }
WTF? Don't do that!
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -------------------------------------------------------------- Dipl. Inf. Florian Prester Network Administration Regionales RechenZentrum Erlangen Universitaet Erlangen-Nuernberg Germany Tel.: +499131 8527813