My apologies before hand if this is an easy fix, but I have been working on configuring a radius server on and off now for a few weeks. As a note, I have Radius 2.1.10 installed and I am trying to authenticate using Ldap as the user database. I have little to no experience in both Radius and Ldap, but I have been reading up and looking for documents that explain the process well. The majority of documents that I did find were on an older version of radius, or were not pertinent to my situation. The following is a copy of my screen when I try authenticating a remote device to the radius server, please let me know if this helps(or if you would like more information on my config) Thanks in advance, - James # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [files] users: Matched entry DEFAULT at line 58 ++[files] returns ok [ldap] performing user authorization for jwn6657 [ldap] expand: (samaccountname=%{User-Name}) -> (samaccountname=jwn6657) [ldap] expand: cn=Users,dc=ds,dc=saintjoe,dc=edu -> cn=Users,dc=ds,dc=saintjoe,dc=edu [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with filter (samaccountname=jwn6657) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user jwn6657 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth # Executing group from file /etc/raddb/sites-enabled/default +- entering group ntlm_auth {...} [2010/12/03 10:14:58.799575, 1] param/loadparm.c:6494(map_parameter) Unknown parameter encountered: "idmap domains" [2010/12/03 10:14:58.799645, 0] param/loadparm.c:7588(lp_do_parameter) Ignoring unknown parameter "idmap domains" [2010/12/03 10:14:58.799870, 1] param/loadparm.c:6494(map_parameter) Unknown parameter encountered: "master browser" [2010/12/03 10:14:58.799883, 0] param/loadparm.c:7588(lp_do_parameter) Ignoring unknown parameter "master browser" Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 186 to 131.93.254.2 port 4844 Finished request 3. Going to the next request Waking up in 4.9 seconds. Cleaning up request 3 ID 186 with timestamp +452 Ready to process requests.
On 03/12/10 16:39, James Winter wrote:
My apologies before hand if this is an easy fix, but I have been working on configuring a radius server on and off now for a few weeks. As a note, I have Radius 2.1.10 installed and I am trying to authenticate using Ldap as the user database. I have little to no experience in both Radius and Ldap, but I have been reading up and looking for documents that explain the process well. The majority of documents that I did find were on an older version of radius, or were not pertinent to my situation. The following is a copy of my screen when I try authenticating a remote device to the radius server, please let me know if this helps(or if you would like more information on my config)
You haven't said what your problem is! The radius server is authenticating the user successfully:
Sending Access-Accept of id 186 to 131.93.254.2 port 4844 Finished request 3. Going to the next request
...so what's the problem?
On Dec 3, 2010, at 10:52 AM, Phil Mayers wrote:
You haven't said what your problem is
Sorry! My server tells me that it ldap did not find a correct matchup, but then returns true. [ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with filter (samaccountname=jwn6657) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user jwn6657 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok It also then continues to search through other forms of authentication, and then it seems to return false to the remote device if any of these are false. The remote device also told me that the authentication was invalid. I was able to successfully authenticate on this device by using the local users file(on the radius server).
The radius server is authenticating the user successfully:
Sending Access-Accept of id 186 to 131.93.254.2 port 4844 Finished request 3. Going to the next request
...so what's the problem? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Dec 03, 2010 at 02:43:50PM -0600, James Winter wrote:
On Dec 3, 2010, at 10:52 AM, Phil Mayers wrote:
You haven't said what your problem is
Sorry! My server tells me that it ldap did not find a correct matchup, but then returns true.
[ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with filter (samaccountname=jwn6657) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user jwn6657 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok
It also then continues to search through other forms of authentication, and then it seems to return false to the remote device if any of these are false.
The above log doesn't look like authentication; rather it's authorization. If you want your LDAP module instance to authenticate, too, call it from the 'authenticate' section? -- 2. That which causes joy or happiness.
The above log doesn't look like authentication; rather it's authorization. If you want your LDAP module instance to authenticate, too, call it from the 'authenticate' section?
I do include ldap in my authenticate section of sites-enabled/default, do i need to include any other lines in this area? - james
On Sat, Dec 04, 2010 at 03:42:33PM -0600, James Winter wrote:
The above log doesn't look like authentication; rather it's authorization. If you want your LDAP module instance to authenticate, too, call it from the 'authenticate' section?
I do include ldap in my authenticate section of sites-enabled/default, do i need to include any other lines in this area?
Ah. Then Phil's hint is correct - the log said 'Found Auth-Type = ntlm_auth' so the LDAP module deferred to that other configured authentication mechanism. Do you actually want/need ntlm_auth? If you don't, remove it? -- 2. That which causes joy or happiness.
On 12/03/2010 08:43 PM, James Winter wrote:
On Dec 3, 2010, at 10:52 AM, Phil Mayers wrote:
You haven't said what your problem is
Sorry! My server tells me that it ldap did not find a correct matchup, but then returns true.
No. It says is found a match, but that:
[ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with filter (samaccountname=jwn6657) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
...there was no "userPassword" (or it wasn't readable)
[ldap] user jwn6657 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok
It also then continues to search through other forms of authentication, and then it seems to return false to the remote device if any of these are false.
Firstly, radius and the modules don't return "false". The modules return one of a number of error codes (e.g. "ok", above) and the server returns either an Access-Accept or Access-Reject. Secondly, the debug output you posted returns an "Access-Accept" because, although the LDAP module was unable to see a userPassword attribute on the LDAP entry, a later module sets the Auth-Type to "ntlm_auth" and your server then obeys that. This is all a non-standard config, so *someone* has configured the server - was it you?
The remote device also told me that the authentication was invalid. I
Well, FreeRadius sent an Access-Accept. What is the remote device? If you hadn't trimmed the debugging output I might be able to suggest more.
was able to successfully authenticate on this device by using the local users file(on the radius server).
So compare the reply in that case with the reply in this case, and configure the radius server to send the same attributes.
The radius server is authenticating the user successfully:
Sending Access-Accept of id 186 to 131.93.254.2 port 4844 Finished request 3. Going to the next request
Like I said - FreeRadius is sending an Access-Accept.
...there was no "userPassword" (or it wasn't readable)
I think I have a problem with Ldap reading the password correctly. If i have read correctly, it needs a clear text password....
Secondly, the debug output you posted returns an "Access-Accept" because, although the LDAP module was unable to see a userPassword attribute on the LDAP entry, a later module sets the Auth-Type to "ntlm_auth" and your server then obeys that.
I shall comment this line out, and try it out today
This is all a non-standard config, so *someone* has configured the server - was it you?
I have been working on configuring the server for a little bit now. I tried following several different online manuals before I consulted the group.
The remote device also told me that the authentication was invalid. I
Well, FreeRadius sent an Access-Accept. What is the remote device? If you hadn't trimmed the debugging output I might be able to suggest more.
The radius server would tell me Access-Accept, but then my remote device would not let me login. The current remote device is a hp pro- curve 5412.
was able to successfully authenticate on this device by using the local users file(on the radius server).
So compare the reply in that case with the reply in this case, and configure the radius server to send the same attributes.
Will try this today, thank you very much for the informative advice. - james
On 12/06/2010 02:06 PM, James Winter wrote:
I think I have a problem with Ldap reading the password correctly. If i have read correctly, it needs a clear text password....
If you want FreeRadius to extract information from LDAP, then the LDAP bindDN that FreeRadius uses must have the permission to read this information (and of course, the information must exist in LDAP) Whether you need a plaintext password depends on what authentication protocols you want to use. See: http://deployingradius.com/documents/protocols/compatibility.html
Secondly, the debug output you posted returns an "Access-Accept" because, although the LDAP module was unable to see a userPassword attribute on the LDAP entry, a later module sets the Auth-Type to "ntlm_auth" and your server then obeys that.
I shall comment this line out, and try it out today
See below
This is all a non-standard config, so *someone* has configured the server - was it you?
I have been working on configuring the server for a little bit now. I tried following several different online manuals before I consulted the group.
Oh dear. A lot of the online info is out-of-date or plain wrong. If you've made a lot of changes, and you're not sure exactly what youve changed and why, my advice would be to start again from scratch. Restore the default configs, and use the following system: 1. Check the config into version control 2. Make ONE and ONLY ONE change 3. Test it 4. Goto step 1 One of the new DVCSes like git/bzr/hg are ideal for this. The *first* change you want to make is adding a user to the "users" file username Cleartext-Password := "password" Check that what you want to do works with that user. Then you can move onto LDAP. Keeping a dump of the debug output at each step can be handy too - then you can compare them. Hope this helps.
Oh dear. A lot of the online info is out-of-date or plain wrong.
If you've made a lot of changes, and you're not sure exactly what youve changed and why, my advice would be to start again from scratch. Restore the default configs, and use the following system:
1. Check the config into version control 2. Make ONE and ONLY ONE change 3. Test it 4. Goto step 1
One of the new DVCSes like git/bzr/hg are ideal for this.
The *first* change you want to make is adding a user to the "users" file
username Cleartext-Password := "password"
Check that what you want to do works with that user. Then you can move onto LDAP. Keeping a dump of the debug output at each step can be handy too - then you can compare them.
Hope this helps.
Phil, Thank you very much the advice worked like a charm, and now I have everything up and running again... - james
participants (3)
-
James Winter -
Josip Rodin -
Phil Mayers