LDAP authorization - Attribute "User-Password" is required for authentication
I have now read many How-To's but don't seem to be able to find an answer, and I hope someone on the list can help. I am using a Netgear WAG102 Wireless access point to autorise to Radius, which in turn uses LDAP. radtest from the command line of the local host authenticates no problem, but I understand that it is a possibility that the Netgear passes the Mac address of the laptop through to use as a password. I am unable to understand how to map this in LDAP and keep getting : Attribute "User-Password" is required for authentication I am using the radiusProfile for each user in LDAP that I allow access via wireless. I am pretty new to Radius so am I sure I have some config wrong here somewhere. I am currently testing on Ubuntu 8.04, and have Freeradius 1.1.7. Thanks, Neil. rad_recv: Access-Request packet from host 192.168.0.232:1263, id=13, length=181 Message-Authenticator = 0x518adcf7d4427415acb16df56084b363 Service-Type = Framed-User User-Name = "test" Framed-MTU = 1488 Called-Station-Id = "001E2A10E483:UCL AP TEST BG" Calling-Station-Id = "0019E3021FD8" NAS-Identifier = "UCLAP" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201000d016e65696c6d61726a NAS-IP-Address = 192.168.0.232 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_eap: EAP packet type response id 1 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'dc=adastral rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=adastral filter (uid=test) rlm_ldap: checking if remote access for test is allowed by radiusFilterId rlm_ldap: Added password $1$GL8tD.Lb$fkslenzW4.q4Nzy2rQ726. in check items rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: Adding sambaNTPassword as NT-Password == 0x46343741374534567832456324435433936324537453141313236323538433441 rlm_ldap: Adding sambaLMPassword as LM-Password == 0x34443841324541424567883503945423134413342313038463346413643423644 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id == "0019e3021fd8" rlm_ldap: Adding radiusAuthType as Auth-Type == LDAP rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFilterId as Filter-Id = "0019E3021FD8" rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 1 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 1 modcall: leaving group LDAP (returns invalid) for request 1 auth: Failed to validate the user. Login incorrect: [test] (from client UCL port 1 cli 0019E3021FD8) Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 192.168.0.232:1263, id=13, length=181 Sending Access-Reject of id 13 to 192.168.0.232 port 1263 Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/freeradius/radius.log" main: log_auth = yes main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/freeradius/freeradius.pid" main: user = "freerad" main: group = "freerad" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded LDAP ldap: server = "ldap4" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "cn=nssldap,dc=adastral" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "HAHANotHERE" ldap: basedn = "dc=adastral" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "{crypt}" ldap: password_attribute = "userPassword" ldap: access_attr = "radiusFilterId" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: edir_account_policy_check = no ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password rlm_ldap: LDAP Calling-Station-Id mapped to RADIUS User-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0xb8082608 Module: Instantiated ldap (ldap) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/freeradius/huntgroups" preprocess: hints = "/etc/freeradius/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/freeradius/users" files: acctusersfile = "/etc/freeradius/acct_users" files: preproxy_usersfile = "/etc/freeradius/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded detail detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. -- Neil Marjoram Systems Manager Adastral Park Campus University College London Ross Building Adastral Park Martlesham Heath Ipswich - Suffolk IP5 3RE Tel: 01473 663711 Fax: 01473 635199 Reclaim Your Inbox! http://www.mozilla.org/products/thunderbird
Neil Marjoram wrote:
I am using a Netgear WAG102 Wireless access point to autorise to Radius, which in turn uses LDAP. radtest from the command line of the local host authenticates no problem, but I understand that it is a possibility that the Netgear passes the Mac address of the laptop through to use as a password.
I am unable to understand how to map this in LDAP and keep getting : Attribute "User-Password" is required for authentication
You have forced "Auth-Type := LDAP" in your configuration. Don't do that. i.e. You have: rlm_ldap: Adding radiusAuthType as Auth-Type == LDAP DELETE the "radiusAuthType" from your LDAP configuration. It is NOT needed, and it's making authentication fail. It also looks like you've deleted most of the modules from the "authorize" section. Don't do that. Use the default configuration. It's there for a purpose: it works. It also looks like you haven't configured PEAP or TTLS. You MUST configure them for wireless authentication.
I am using the radiusProfile for each user in LDAP that I allow access via wireless.
I am pretty new to Radius so am I sure I have some config wrong here somewhere. I am currently testing on Ubuntu 8.04, and have Freeradius 1.1.7.
I understand why Ubuntu chose to use 1.1.7, but still.... Version 2.0.5 is much, much better. My recommendation for a quick fix: 1) Install 2.0.5. It's much better than 1.1.7. 2) start with default config 3) configure the LDAP module as you have done already (modules section, un-comment ldap in the "authorize" and "authenticate" sections of raddb/sites-available/* (use "grep ldap *". 4) do NOT set "radiusAuthType" in your LDAP directory. 5) Test with 'radtest'. It should work. 6) Test with a wireless client (un-check "validate server certificate) It should work. 2.0.5 makes it trivial to get PEAP and TTLS working. It's a lot harder to do that in 1.1.7. Alan DeKok.
Alan, Thanks, yes 2.0.5 ran out of box almost! Just got to customise the certs, sometime after testing. Still have a couple of issues I can't resolve, I'll post separately. Thanks, Neil. Alan DeKok wrote:
Neil Marjoram wrote:
I am using a Netgear WAG102 Wireless access point to autorise to Radius, which in turn uses LDAP. radtest from the command line of the local host authenticates no problem, but I understand that it is a possibility that the Netgear passes the Mac address of the laptop through to use as a password.
I am unable to understand how to map this in LDAP and keep getting : Attribute "User-Password" is required for authentication
You have forced "Auth-Type := LDAP" in your configuration. Don't do that. i.e. You have:
rlm_ldap: Adding radiusAuthType as Auth-Type == LDAP
DELETE the "radiusAuthType" from your LDAP configuration. It is NOT needed, and it's making authentication fail.
It also looks like you've deleted most of the modules from the "authorize" section. Don't do that. Use the default configuration. It's there for a purpose: it works.
It also looks like you haven't configured PEAP or TTLS. You MUST configure them for wireless authentication.
I am using the radiusProfile for each user in LDAP that I allow access via wireless.
I am pretty new to Radius so am I sure I have some config wrong here somewhere. I am currently testing on Ubuntu 8.04, and have Freeradius 1.1.7.
I understand why Ubuntu chose to use 1.1.7, but still.... Version 2.0.5 is much, much better.
My recommendation for a quick fix:
1) Install 2.0.5. It's much better than 1.1.7. 2) start with default config 3) configure the LDAP module as you have done already (modules section, un-comment ldap in the "authorize" and "authenticate" sections of raddb/sites-available/* (use "grep ldap *". 4) do NOT set "radiusAuthType" in your LDAP directory. 5) Test with 'radtest'. It should work. 6) Test with a wireless client (un-check "validate server certificate) It should work.
2.0.5 makes it trivial to get PEAP and TTLS working. It's a lot harder to do that in 1.1.7.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Neil Marjoram Systems Manager Adastral Park Campus University College London Ross Building Adastral Park Martlesham Heath Ipswich - Suffolk IP5 3RE Tel: 01473 663711 Fax: 01473 635199 Reclaim Your Inbox! http://www.mozilla.org/products/thunderbird
participants (2)
-
Alan DeKok -
Neil Marjoram