Alan DeKok schrieb:
Christian Frank wrote:
I have a big problem with my radius setup. I want to authenticate my users with peap+mschapv2. The radius backend is an ldap server.
Does the LDAP server contain a clear-text or NT hashed password for the user?
The ldap server contains a clear text password. I added it using jxplorer.
I have this setup working with Freeradius 1.0.1 on Redhat 4 ES.
But after upgrading to 1.1.7 this setup does not work anymore. I configured my radius/eap/client config file the same way like the old file was.
Are you sure? The configurations are similar, but not identical.
I will doublecheck this tomorrow morning. Maybe i haved missed something...
rlm_ldap: performing search in dc=rsel,dc=com, with filter (uid=cfra) rlm_ldap: checking if remote access for cfra is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user cfra authorized to use remote access
BUT there was no "known good" password for the user found in LDAP. That's why authentication is failing.
Mhhhh. Here is my ldap config from radiusd.conf ldap { #server = "ldap.your.domain" server = "150.150.40.241" # identity = "cn=admin,o=My Org,c=UA" identity = "cn=Manager,dc=rsel,dc=com" # password = mypass password = secret #basedn = "o=My Org,c=UA" basedn = "dc=rsel,dc=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = "uid" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: # password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # # password_attribute = userPassword # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # edir_account_policy_check=no # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes } The only thing i do not understand in this case is the password_header = "{clear}" directive. What is its prupose ? Maybe that is the problem ? Today i tried 2.0 pre 1 and it is working with this version (And the password_header thing seems to be changed in this version). I get a big warning about that "something with my known_good password was adjusted automatically in the config" ( I will post the full warning tomorrow morning) and that i should correct the problem with "Replace User-Password with Cleartext-Password in the config....", but i dont know what i should change ... Addiotnally it seems that the authentication is case sensitiv in 2.0. In 1.0.1 i used my username in lower and uppercase and it worked without problems. In 2.0 i have to use the username as it is setup in ldap (There my username is uppercase). So, did something change with the case sensitivity between the freeradius versions ? Cause my ldap setup did not change.. Many thanks, Christian Frank
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
**************************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited. E-mail messages are not necessarily secure. Renesas does not accept responsibility for any changes made to this message after it was sent. Please note that this email message has been swept by Renesas for the presence of computer viruses. Renesas Semiconductor Europe (Landshut) GmbH Jenaer Strasse 1, 84034 Landshut Tel.: +49-(0)871-684-0, Fax: +49-(0)871-684-150 www.rsel.renesas.com GESCHAEFTSFUEHRER: Dipl.-Ing. YOSHIHARU KAKUI GESCHAEFTSFUEHRER: Dipl.-Phys. STEFAN SAUER Registergericht Landshut HRB 1464 Ust-ldNr.: DE 128953054 Steuer-Nr.: 132/136/30347 HypoVereinsbank, Landshut, Kto.-Nr. 3704 700 (BLZ 743 200 73) Mizuho Corporate Bank (Germany) AG, Frankfurt, Kto.-Nr. 200 733 (BLZ 503 308 00) ****************************************************************************