Hi all, Problem solved about CopSpot and Freeradius, it works against the user file (not OpenLDAP). Actually, I am wondering if I can do the authentication using eap-tls module. I enabled it and it gave me the following output: Tue Apr 27 11:12:19 2010 : Debug: radiusd: #### Loading Virtual Servers #### Tue Apr 27 11:12:19 2010 : Debug: server inner-tunnel { Tue Apr 27 11:12:19 2010 : Debug: modules { Tue Apr 27 11:12:19 2010 : Debug: Module: Checking authenticate {...} for more modules to load Tue Apr 27 11:12:19 2010 : Debug: (Loaded rlm_pap, checking if it's valid) Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to module rlm_pap Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating pap Tue Apr 27 11:12:19 2010 : Debug: pap { Tue Apr 27 11:12:19 2010 : Debug: encryption_scheme = "auto" Tue Apr 27 11:12:19 2010 : Debug: auto_header = no Tue Apr 27 11:12:19 2010 : Debug: } Tue Apr 27 11:12:19 2010 : Debug: (Loaded rlm_chap, checking if it's valid) Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to module rlm_chap Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating chap Tue Apr 27 11:12:19 2010 : Debug: (Loaded rlm_mschap, checking if it's valid) Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to module rlm_mschap Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating mschap Tue Apr 27 11:12:19 2010 : Debug: mschap { Tue Apr 27 11:12:19 2010 : Debug: use_mppe = yes Tue Apr 27 11:12:19 2010 : Debug: require_encryption = no Tue Apr 27 11:12:19 2010 : Debug: require_strong = no Tue Apr 27 11:12:19 2010 : Debug: with_ntdomain_hack = no Tue Apr 27 11:12:19 2010 : Debug: } Tue Apr 27 11:12:19 2010 : Debug: (Loaded rlm_unix, checking if it's valid) Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to module rlm_unix Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating unix Tue Apr 27 11:12:19 2010 : Debug: unix { Tue Apr 27 11:12:19 2010 : Debug: radwtmp = "/var/log/freeradius/radwtmp" Tue Apr 27 11:12:19 2010 : Debug: } Tue Apr 27 11:12:19 2010 : Debug: (Loaded rlm_eap, checking if it's valid) Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to module rlm_eap Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating eap Tue Apr 27 11:12:19 2010 : Debug: eap { Tue Apr 27 11:12:19 2010 : Debug: default_eap_type = "tls" Tue Apr 27 11:12:19 2010 : Debug: timer_expire = 60 Tue Apr 27 11:12:19 2010 : Debug: ignore_unknown_eap_types = no Tue Apr 27 11:12:19 2010 : Debug: cisco_accounting_username_bug = no Tue Apr 27 11:12:19 2010 : Debug: max_sessions = 4096 Tue Apr 27 11:12:19 2010 : Debug: } Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to sub-module rlm_eap_md5 Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating eap-md5 Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to sub-module rlm_eap_leap Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating eap-leap Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to sub-module rlm_eap_gtc Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating eap-gtc Tue Apr 27 11:12:19 2010 : Debug: gtc { Tue Apr 27 11:12:19 2010 : Debug: challenge = "Password: " Tue Apr 27 11:12:19 2010 : Debug: auth_type = "PAP" Tue Apr 27 11:12:19 2010 : Debug: } Tue Apr 27 11:12:19 2010 : Debug: Module: Linked to sub-module rlm_eap_tls Tue Apr 27 11:12:19 2010 : Debug: Module: Instantiating eap-tls Tue Apr 27 11:12:19 2010 : Debug: tls { Tue Apr 27 11:12:19 2010 : Debug: rsa_key_exchange = no Tue Apr 27 11:12:19 2010 : Debug: dh_key_exchange = yes Tue Apr 27 11:12:19 2010 : Debug: rsa_key_length = 512 Tue Apr 27 11:12:19 2010 : Debug: dh_key_length = 512 Tue Apr 27 11:12:19 2010 : Debug: verify_depth = 0 Tue Apr 27 11:12:19 2010 : Debug: pem_file_type = yes Tue Apr 27 11:12:19 2010 : Debug: private_key_file = "$/etc/freeradius/certs/serverd.pem" Tue Apr 27 11:12:19 2010 : Debug: certificate_file = "$/etc/freeradius/certs/serverd.pem" Tue Apr 27 11:12:19 2010 : Debug: CA_file = "$/etc/freeradius/certs/root.pem" Tue Apr 27 11:12:19 2010 : Debug: private_key_password = "whatever" Tue Apr 27 11:12:19 2010 : Debug: dh_file = "$/etc/freeradius/certs/dh" Tue Apr 27 11:12:19 2010 : Debug: random_file = "$/etc/freeradius/certs/random" Tue Apr 27 11:12:19 2010 : Debug: fragment_size = 1024 Tue Apr 27 11:12:19 2010 : Debug: include_length = yes Tue Apr 27 11:12:19 2010 : Debug: check_crl = yes Tue Apr 27 11:12:19 2010 : Debug: cipher_list = "DEFAULT" Tue Apr 27 11:12:19 2010 : Debug: make_cert_command = "$/etc/root/Workdir/bootstrap" Tue Apr 27 11:12:19 2010 : Debug: cache { Tue Apr 27 11:12:19 2010 : Debug: enable = no Tue Apr 27 11:12:19 2010 : Debug: lifetime = 24 Tue Apr 27 11:12:19 2010 : Debug: max_entries = 255 Tue Apr 27 11:12:19 2010 : Debug: } Tue Apr 27 11:12:19 2010 : Debug: } Tue Apr 27 11:12:19 2010 : Error: rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory Tue Apr 27 11:12:19 2010 : Error: rlm_eap_tls: Error reading certificate file $/etc/freeradius/certs/serverd.pem Tue Apr 27 11:12:19 2010 : Error: rlm_eap: Failed to initialize type tls Tue Apr 27 11:12:19 2010 : Error: /etc/freeradius/eap.conf[17]: Instantiation failed for module "eap" Tue Apr 27 11:12:19 2010 : Error: /etc/freeradius/sites-enabled/inner-tunnel[223]: Failed to find module "eap". Tue Apr 27 11:12:19 2010 : Error: /etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section. serverd:~# Frankly, I don't know what the error means: is that the rlm_eap module was not found (and it's right, it is not present in my system) , if so how can I install it without reinstalling the whole freeradius ? Any Help will be appreciated. Best regards. On Fri, Apr 23, 2010 at 7:21 AM, Alan DeKok <aland@deployingradius.com>wrote:
Johnny R wrote:
* is the cipher login/password which comes from CopSpot(or any captive portal) deciphered before ipcop sends it to freeradius-server? (It's a kind of question which can not be asked here but ... never know)
I have no idea what that means.
* the authentication type set in ipcop is just "radius" (and its ip), so I don't understand why the packet contains CHAP?
<shrug> Go ask the ipcop people.
according to http://deployingradius.com/documents/configuration/active_directory.html, centralizing the authentication in samba will work fine, but I want to do it against ldap. I think, what's wrong here is that I added users by smbldap-useradd, not simply ldapadd (which won't work actually, it says: "invalid credentials") ...
* So how can I force freeradius to use pap
You can't. The NAS (ipcop) determines what to put in the Access-Request, not FreeRADIUS.
You need to put the clear-text password into the database. That's the only thing you can do to FreeRADIUS which will help.
(to be able to authenticate it against ldap) even the passwd/login is tls ciphered (from chilispot)????I m really convinced that that's not possible, even senseless but I have to know why ...
I have no idea what that means.
Finally, once again, I really want to thank the list for your availability, the freeradius dev. team, because this is a success for the open source community. Thanks,
It's what I do...
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ----------------------------------------------------------------- |JJohnny RANDRIAMAMPIONONA | | Phone: +212663682554 | | National School of Applied Sciences | | 1818 TANGIER 90000 | |----------------------------------------------------------------|