PEAP with LDAP as authentication source
Hello, I need help. I'm using: FreeRADIUS Version 3.0.11, for host x86_64-pc-linux-gnu, built on May 26 2016 at 10:07:32 I don't know if I can use PEAP with LDAP as authentication source... The problem I found is that inner-tunnel server doesn't receive User-Password attributte, so the bind in authentication is not successful: (9) eap_peap: Sending tunneled request to eduroam-inner-tunnel (9) eap_peap: EAP-Message = 0x0209004d1a0209004831678809c2e1e7af9fae454407917654e20000000000000000d365e8f3b9d860ae2fe0ee6bc7c83938c49ac777fc41713600616967616c6c6172646f40756e65782e6573 (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = "aigallardo@unex.es" (9) eap_peap: State = 0x2af2ae6c2afbb4875ef1f60eaa5df0a2 (9) eap_peap: NAS-IP-Address = 127.0.0.1 (9) eap_peap: Calling-Station-Id := "02-00-00-00-00-01" (9) eap_peap: Framed-MTU = 1400 (9) eap_peap: NAS-Port-Type = Wireless-802.11 (9) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b" (9) Virtual server eduroam-inner-tunnel received request ... (9) Found Auth-Type = LDAP (9) # Executing group from file /etc/freeradius/sites-enabled/eduroam-inner-tunnel (9) Auth-Type LDAP { (9) redundant redundant_ldap_auten_email { (9) ldap1_auten_email: WARNING: You have set "Auth-Type := LDAP" somewhere (9) ldap1_auten_email: WARNING: ********************************************* (9) ldap1_auten_email: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT. (9) ldap1_auten_email: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING (9) ldap1_auten_email: WARNING: ********************************************* (9) ldap1_auten_email: ERROR: Attribute "User-Password" is required for authentication (9) [ldap1_auten_email] = invalid (9) } # redundant redundant_ldap_auten_email = invalid (9) } # Auth-Type LDAP = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject My configuration: peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" } It is posible use PEAP with LDAP as authentication source? with TTLS-PAP or TTLS-MsCHAPv2 it works. Thank you very much and sorry for my english. -- :::::::::::::::::::::::::::::::::::: :: Ana Gallardo Gómez :: ::::::::::::::::::::::::::::::::::::
On Aug 29, 2016, at 5:06 AM, Ana Gallardo Gómez <anaougu@gmail.com> wrote:
I don't know if I can use PEAP with LDAP as authentication source...
Yes, you can. But you have to use LDAP as a *database*. You cannot do an LDAP bind.
The problem I found is that inner-tunnel server doesn't receive User-Password attributte, so the bind in authentication is not successful:
So don't do LDAP bind.
(9) Auth-Type LDAP { (9) redundant redundant_ldap_auten_email { (9) ldap1_auten_email: WARNING: You have set "Auth-Type := LDAP" somewhere (9) ldap1_auten_email: WARNING: ********************************************* (9) ldap1_auten_email: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT. (9) ldap1_auten_email: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING (9) ldap1_auten_email: WARNING: *********************************************
So... what is unclear about that message? Go fix your configuration so it doesn't force Auth-Type = LDAP. And post the FULL debug output.
It is posible use PEAP with LDAP as authentication source? with TTLS-PAP or TTLS-MsCHAPv2 it works.
If it works for TTLS-MSCHAPv2, then it should work for PEAP. Alan DeKok.
Alan, thank you for your response.
I don't know if I can use PEAP with LDAP as authentication source...
Yes, you can. But you have to use LDAP as a *database*. You cannot do an LDAP bind.
Ok, I can't becouse my passwords are store in crypt...
The problem I found is that inner-tunnel server doesn't receive
User-Password attributte, so the bind in authentication is not successful:
So don't do LDAP bind.
Ok, I needed to know if it was ok thah inner-tunnel didn't receive the User-Password or I had an error in my config...
(9) Auth-Type LDAP {
(9) redundant redundant_ldap_auten_email { (9) ldap1_auten_email: WARNING: You have set "Auth-Type := LDAP" somewhere (9) ldap1_auten_email: WARNING: ********************************************* (9) ldap1_auten_email: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT. (9) ldap1_auten_email: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING (9) ldap1_auten_email: WARNING: *********************************************
So... what is unclear about that message? Go fix your configuration so it doesn't force Auth-Type = LDAP.
Nothing is unclear, the log is perfect ;D
It is posible use PEAP with LDAP as authentication source? with TTLS-PAP or TTLS-MsCHAPv2 it works.
If it works for TTLS-MSCHAPv2, then it should work for PEAP.
Sorry, it didn't work with TTLS-MsCHAPv2... I was wrong. Thank you very much :::::::::::::::::::::::::::::::::::: :: Ana Gallardo Gómez :: ::::::::::::::::::::::::::::::::::::
Good morning, <http://www.unav.edu/web/it/> On Mon, Aug 29, 2016 at 2:02 PM, Ana Gallardo Gómez <anaougu@gmail.com> wrote:
I don't know if I can use PEAP with LDAP as authentication source...
Yes, you can. But you have to use LDAP as a *database*. You cannot do an LDAP bind.
Ok, I can't becouse my passwords are store in crypt...
In order to do MSCHAPv2 auth, you must store your passwords in LDAP as Cleartext passwd or NTpassword. And get them to let freeradius create mschapv2 hashes. See [1]. Otherwise, you can use ntlm_auth/winbind to let freeradius authenticate against a Windows Domain (samba/Active Directory). See [2] Regards, [1] http://deployingradius.com/documents/protocols/compatibility.html [2] http://deployingradius.com/documents/configuration/active_directory.html *Oscar Remírez de Ganuza Satrústegui* IT Services Universidad de Navarra Tel. +34 948425600 x803130 http://www.unav.edu/web/it/
participants (3)
-
Alan DeKok -
Ana Gallardo Gómez -
Óscar Remírez de Ganuza Satrústegui