Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Please read the mailing list archives, this very question and setup is often mentioned alan
Hi Alan, I went through the archives and did some changes but still getting the error, appreciate of you can help me a bit here. I think I read that the ldap request must be proxied to the inner tunnel for it work, is that true? How can we do that? Thanks Wassim. From: Alan Buxey <A.L.M.Buxey@lboro.ac.uk> Date: Friday, April 20, 2012 9:30 AM To: Wassim Zaarour <wassim.zaarour@navlink.com>, "freeradius-users@lists.freeradius.org" <freeradius-users@lists.freeradius.org> Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. Please read the mailing list archives, this very question and setup is often mentioned alan
On Fri, Apr 20, 2012 at 2:09 PM, Wassim Zaarour <wassim.zaarour@navlink.com> wrote:
Hi Alan,
I went through the archives and did some changes but still getting the error, appreciate of you can help me a bit here.
I think I read that the ldap request must be proxied to the inner tunnel for it work, is that true? How can we do that?
Short version: you won't be able to get PEAP-MSCHAPv2 (i.e. what windows use) to work with your LDAP. Period. Long version: MSCHAPv2 (which also means PEAP-MSCHAPv2) needs either: - Cleartext-Password or NT-Hash available (in LDAP, sql, users file whatever), OR - an active directory If you don't have either, then it won't work. -- Fajar
On 4/20/12 10:15 AM, "Fajar A. Nugraha" <list@fajar.net> wrote:
On Fri, Apr 20, 2012 at 2:09 PM, Wassim Zaarour <wassim.zaarour@navlink.com> wrote:
Hi Alan,
I went through the archives and did some changes but still getting the error, appreciate of you can help me a bit here.
I think I read that the ldap request must be proxied to the inner tunnel for it work, is that true? How can we do that?
Short version: you won't be able to get PEAP-MSCHAPv2 (i.e. what windows use) to work with your LDAP. Period.
Long version: MSCHAPv2 (which also means PEAP-MSCHAPv2) needs either: - Cleartext-Password or NT-Hash available (in LDAP, sql, users file whatever), OR - an active directory
If you don't have either, then it won't work.
Hi Farja, Passwords are stored as clear text in my LDAP, that should make MSCHAPv2 work right? Wassim
On Fri, Apr 20, 2012 at 2:22 PM, Wassim Zaarour <wassim.zaarour@navlink.com> wrote:
On 4/20/12 10:15 AM, "Fajar A. Nugraha" <list@fajar.net> wrote:
Long version: MSCHAPv2 (which also means PEAP-MSCHAPv2) needs either: - Cleartext-Password or NT-Hash available (in LDAP, sql, users file whatever), OR - an active directory
If you don't have either, then it won't work.
Hi Farja,
Passwords are stored as clear text in my LDAP, that should make MSCHAPv2 work right?
Yes, if FR can find them. This part of the log says it can't: [ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? You might need to play around with the user used to login to LDAP, as some systems only give out passwords to admin accounts. Testing manual LDAP lookup using command line tool (e.g. ldapsearch) helps. If you CAN get your ldap server to return cleartext password with ldapsearch, then you should be able to configure FR to get that as well. -- Fajar
Hi Farja, I just checked with the ldap admin and he told me passwords are stored with SHA encryption and not cleartext. ( can't change them to clear text) Does that means there is no way to make TTLS/PEAP/MSCHAPv2 work with it?? If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with the windows laptops as they have PEAP/MSCHAPv2 only. Any workaround? Thanks Wassim. On 4/20/12 10:30 AM, "Fajar A. Nugraha" <list@fajar.net> wrote:
On Fri, Apr 20, 2012 at 2:22 PM, Wassim Zaarour <wassim.zaarour@navlink.com> wrote:
On 4/20/12 10:15 AM, "Fajar A. Nugraha" <list@fajar.net> wrote:
Long version: MSCHAPv2 (which also means PEAP-MSCHAPv2) needs either: - Cleartext-Password or NT-Hash available (in LDAP, sql, users file whatever), OR - an active directory
If you don't have either, then it won't work.
Hi Farja,
Passwords are stored as clear text in my LDAP, that should make MSCHAPv2 work right?
Yes, if FR can find them. This part of the log says it can't:
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
You might need to play around with the user used to login to LDAP, as some systems only give out passwords to admin accounts. Testing manual LDAP lookup using command line tool (e.g. ldapsearch) helps. If you CAN get your ldap server to return cleartext password with ldapsearch, then you should be able to configure FR to get that as well.
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Apr 20, 2012 at 2:53 PM, Wassim Zaarour <wassim.zaarour@navlink.com> wrote:
I just checked with the ldap admin and he told me passwords are stored with SHA encryption and not cleartext. ( can't change them to clear text)
Figured as much :)
Does that means there is no way to make TTLS/PEAP/MSCHAPv2 work with it??
Yes
If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with the windows laptops as they have PEAP/MSCHAPv2 only.
Any workaround?
No. Not unless you're willing to install 3rd-party supplicant on every windows client. -- Fajar
Wassim Zaarour wrote:
Hi Farja,
I just checked with the ldap admin and he told me passwords are stored with SHA encryption and not cleartext. ( can't change them to clear text)
Does that means there is no way to make TTLS/PEAP/MSCHAPv2 work with it??
If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with the windows laptops as they have PEAP/MSCHAPv2 only.
Any workaround?
http://deployingradius.com/documents/protocols/compatibility.html Alan DeKok.
Thanks Alan for the link, I just ran to it few minutes back and its clear :) Guess I'm gonna have to settle for a third party supplicant since I can't change in the LDAP password storage config. Thanks also for the other Alan and Farja. On 4/20/12 11:15 AM, "Alan DeKok" <aland@deployingradius.com> wrote:
Wassim Zaarour wrote:
Hi Farja,
I just checked with the ldap admin and he told me passwords are stored with SHA encryption and not cleartext. ( can't change them to clear text)
Does that means there is no way to make TTLS/PEAP/MSCHAPv2 work with it??
If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with the windows laptops as they have PEAP/MSCHAPv2 only.
Any workaround?
http://deployingradius.com/documents/protocols/compatibility.html
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I just checked with the ldap admin and he told me passwords are stored with SHA encryption and not cleartext. ( can't change them to clear text)
is this LDAP or AD? if its AD then you can bind your FreeRADIUS box to the AD as per docs on deployingradius.com - then it can use ntlm_auth to do PEAP very happily for windows clients - its what we do for our 20k users for 802.1X alan
It's Sun Directory Server, hence LDAP not AD. Thanks anyways :) On 4/20/12 11:18 AM, "alan buxey" <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I just checked with the ldap admin and he told me passwords are stored with SHA encryption and not cleartext. ( can't change them to clear text)
is this LDAP or AD? if its AD then you can bind your FreeRADIUS box to the AD as per docs on deployingradius.com - then it can use ntlm_auth to do PEAP very happily for windows clients - its what we do for our 20k users for 802.1X
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan Buxey -
alan buxey -
Alan DeKok -
Fajar A. Nugraha -
Wassim Zaarour