Hi, I have an existing LDAP infrastructure which provides unified authentication for Windows and Linux (think Samba). I am trying to integrate WPA on a wireless access point with this using FreeRadius. The ultimate plan is that anyone who provides a valid username/password and whose account is not locked may connect through the wireless access point. I am using freeradius-1.0.5-r3. The problem I am having is that I cannot figure out how to get both the LDAP backend and the EAP parts working simultaneously. If I enable the "with_ntdomain_hack" option, LDAP works but EAP gives the "rlm_eap: Identity does not match User-Name, setting from EAP Identity." error. Removing the with_ntdomain_hack option results in the log below. The research I've done suggests I need something set up in the hints file, which I have: DEFAULT Prefix == "U4EATECH\" Hint = "EAP", Service-Type = Framed-User, Framed-Protocol = EAP LOG -------------------------------------------------------- rad_recv: Access-Request packet from host 172.30.10.40:1281, id=21, length=109 User-Name = "U4EATECH\\jamesc" NAS-IP-Address = 172.30.10.40 NAS-Identifier = "" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x021500140155344541544543485c6a616d657363 Message-Authenticator = 0xad5561811aaffaf393b9c77ce04f5572 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 0 radius_xlat: '/var/log/radius/radacct/172.30.10.40/auth-detail-20060303' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.30.10.40/auth-detail-20060303 modcall[authorize]: module "auth_log" returns ok for request 0 rlm_eap: EAP packet type response id 21 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for U4EATECH\jamesc radius_xlat: '(uid=U4EATECH)' radius_xlat: 'ou=people,dc=u4eatech,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.u4eatech.com:389, authentication 0 rlm_ldap: bind as cn=smbadmin,dc=u4eatech,dc=com/N0pm4Ln0 to ldap.u4eatech.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=u4eatech,dc=com, with filter (uid=U4EATECH) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'U4EATECH\jamesc' auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 21 to 172.30.10.40:1281 EAP-Message = 0x011600061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3f7167d39d5e06712574b4b38f69116b Finished request 0 Going to the next request ---------------------------------------------------------------- radiusd.conf prefix = /usr exec_prefix = ${prefix} sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes } ldap { server = "ldap.u4eatech.com" identity = "cn=smbadmin,dc=u4eatech,dc=com" password = <HIDDEN> basedn = "ou=people,dc=u4eatech,dc=com" filter = "(uid=%u)" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword timeout = 4 timelimit = 3 net_timeout = 1 } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = yes with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } detail auth_log { detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{Stripped-User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess files auth_log eap ldap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp } session { radutmp } post-auth { } pre-proxy { } post-proxy { eap }
James Cort <james.cort@u4eatech.com> wrote:
The problem I am having is that I cannot figure out how to get both the LDAP backend and the EAP parts working simultaneously. If I enable the "with_ntdomain_hack" option, LDAP works but EAP gives the "rlm_eap: Identity does not match User-Name, setting from EAP Identity." error. Removing the with_ntdomain_hack option results in the log below.
Ah, you have DOMAIN\user logging in, and your LDAP server knows about "user". Try the following in "hints": DEFAULT User-Name =~ "\\(.*)$" Menu = "%{1}" Then in radiusd.conf, do: ... ldap { ... filter = "(uid=%{Menu:-%u})" ... Yes, "menu' is a bad name, but it should work. The idea is to grab the "user" from "DOMAIN\user", and to stuff it into another attribute. Then, use that attribute as the username in the LDAP filter, rather than User-Name. Alan DeKok.
Alan DeKok wrote:
Ah, you have DOMAIN\user logging in, and your LDAP server knows about "user".
Try the following in "hints":
DEFAULT User-Name =~ "\\(.*)$" Menu = "%{1}"
Then in radiusd.conf, do:
... ldap { ... filter = "(uid=%{Menu:-%u})" ...
Yes, "menu' is a bad name, but it should work.
Many thanks. I had to write the username as "\\\\(.*)$" as the backslashes themselves needed escaping, but once that was done it's all working like a charm now. James.
James Cort <james.cort@u4eatech.com> wrote:
Many thanks.
Good to hear it works.
I had to write the username as "\\\\(.*)$" as the backslashes themselves needed escaping, but once that was done it's all working like a charm now.
You might also try using single quotes: '\\(.*)$', as that will prevent FreeRADIUS from interpreting the backslashes. Alan DeKok.
participants (2)
-
Alan DeKok -
James Cort