Hi everyone, I have a problem with my configuration, authorize is ok but authentication fail.I use freeradius 1.1.6 e openldap 2.2.13 and use windows xp for client with securew2. My access-point is Cisco aironet 1100. My radiusd.conf: .......... ldap { server = "localhost" identity = "cn=root,dc=teste,dc=pt" password = secret basedn = "dc=teste,dc=pt" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" start_tls = no access_attr = "uid" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword timeout = 4 timelimit = 3 net_timeout = 1 set_auth_type = no } .............. authorize { preprocess ldap pap } authenticate{ Auth-Type PAP { pap } Auth-Type LDAP { ldap } eap } My eap.conf: eap{ default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = yes md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem # If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. certificate_file = ${raddbdir}/certs/cert-srv.pem # Trusted Root CA list CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random } ttls { default_eap_type = gtc use_tunneled_reply = yes } } The log: ............ rlm_ldap: - authorize rlm_ldap: performing user authorization for user_test radius_xlat: '(uid=user_test)' radius_xlat: 'dc=teste,dc=pt' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=teste,dc=pt, with filter (uid=user_test) Waking up in 1 seconds... Threads: total/active/spare threads = 5/1/4 rlm_ldap: checking if remote access for user_test is allowed by uid rlm_ldap: Added password {CRYPT}HkDWb49nxN4Zo in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value {CRYPT}HkDWb49nxN4Zo & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user gilberto authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 rlm_pap: No clear-text password in the request. Not performing PAP. modcall[authorize]: module "pap" returns noop for request 2 modcall: leaving group authorize (returns ok) for request 2 auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [user_test/<no User-Password attribute>] (from client 192.168.1.69 port 371 cli 0040.96a2.24f3) Delaying request 2 for 1 seconds Finished request 2 Going to the next request Thread 3 waiting to be assigned a request --- Walking the entire request list --- Waking up in 1 seconds... Threads: total/active/spare threads = 5/0/5 --- Walking the entire request list --- Sending Access-Reject of id 121 to 192.168.1.69 port 1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 121 with timestamp 4669d1cd Nothing to do. Sleeping until we see a request. Anyone can help-me. Best regards -- /emmc
emmcosta wrote:
Hi everyone,
I have a problem with my configuration, authorize is ok but authentication fail.I use freeradius 1.1.6 e openldap 2.2.13 and use windows xp for client with securew2. My access-point is Cisco aironet 1100.
My radiusd.conf:
.......... ldap { server = "localhost" identity = "cn=root,dc=teste,dc=pt" password = secret basedn = "dc=teste,dc=pt" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" start_tls = no access_attr = "uid" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword timeout = 4 timelimit = 3 net_timeout = 1 set_auth_type = no } .............. authorize { preprocess ldap pap }
authenticate{ Auth-Type PAP { pap } Auth-Type LDAP { ldap } eap
}
My eap.conf:
eap{ default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = yes md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem
# If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. certificate_file = ${raddbdir}/certs/cert-srv.pem
# Trusted Root CA list CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random } ttls { default_eap_type = gtc use_tunneled_reply = yes } }
The log:
............ rlm_ldap: - authorize rlm_ldap: performing user authorization for user_test radius_xlat: '(uid=user_test)' radius_xlat: 'dc=teste,dc=pt' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=teste,dc=pt, with filter (uid=user_test) Waking up in 1 seconds... Threads: total/active/spare threads = 5/1/4 rlm_ldap: checking if remote access for user_test is allowed by uid rlm_ldap: Added password {CRYPT}HkDWb49nxN4Zo in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value {CRYPT}HkDWb49nxN4Zo & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user gilberto authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 rlm_pap: No clear-text password in the request. Not performing PAP. modcall[authorize]: module "pap" returns noop for request 2 modcall: leaving group authorize (returns ok) for request 2 auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [user_test/<no User-Password attribute>] (from client 192.168.1.69 port 371 cli 0040.96a2.24f3) Delaying request 2 for 1 seconds Finished request 2 Going to the next request Thread 3 waiting to be assigned a request --- Walking the entire request list --- Waking up in 1 seconds... Threads: total/active/spare threads = 5/0/5 --- Walking the entire request list --- Sending Access-Reject of id 121 to 192.168.1.69 port 1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 121 with timestamp 4669d1cd Nothing to do. Sleeping until we see a request.
Anyone can help-me.
Best regards
PAP Won't work with the windows XP supplicant (unless your doing chap authentication). Windows XP uses Protected EAP with MSCHAP v2 inner encryption. This means authentication is done with MSCHAP. MSCHAP works with two forms of stored password, either CLEARTEXT or NTHASH. You ldap lookup is pulling the users password out in CRYPT format, so it will not work. I recommend that you add an attribute in your LDAP schema called ntPassword, by default the ldap attribute map will create the RADIUS check item NT-Password which the MSCHAP module will use for authentication. There should be a binary in freeradius/bin , called smbencrypt which you can use to generate the NTHASH hashes. The other way is to write your passwords to the LDAP directory in cleartext (as opposed to crypt). So in summary, PAP won't work with XP Uncomment MSCHAP in authorise and authenticate. Add the attributes/ change your hashing scheme.
Does securew2 support EAP-GTC? Ivan Kalik Kalik Informatika ISP Dana 8/6/2007, "emmcosta" <emmcosta@gmail.com> piše:
Hi everyone,
I have a problem with my configuration, authorize is ok but authentication fail.I use freeradius 1.1.6 e openldap 2.2.13 and use windows xp for client with securew2. My access-point is Cisco aironet 1100.
My radiusd.conf:
........... ldap { server = "localhost" identity = "cn=root,dc=teste,dc=pt" password = secret basedn = "dc=teste,dc=pt" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" start_tls = no access_attr = "uid" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword timeout = 4 timelimit = 3 net_timeout = 1 set_auth_type = no } ............... authorize { preprocess ldap pap }
authenticate{ Auth-Type PAP { pap } Auth-Type LDAP { ldap } eap
}
My eap.conf:
eap{ default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = yes md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem
# If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. certificate_file = ${raddbdir}/certs/cert-srv.pem
# Trusted Root CA list CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random } ttls { default_eap_type = gtc use_tunneled_reply = yes } }
The log:
............. rlm_ldap: - authorize rlm_ldap: performing user authorization for user_test radius_xlat: '(uid=user_test)' radius_xlat: 'dc=teste,dc=pt' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=teste,dc=pt, with filter (uid=user_test) Waking up in 1 seconds... Threads: total/active/spare threads = 5/1/4 rlm_ldap: checking if remote access for user_test is allowed by uid rlm_ldap: Added password {CRYPT}HkDWb49nxN4Zo in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value {CRYPT}HkDWb49nxN4Zo & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user gilberto authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 rlm_pap: No clear-text password in the request. Not performing PAP. modcall[authorize]: module "pap" returns noop for request 2 modcall: leaving group authorize (returns ok) for request 2 auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [user_test/<no User-Password attribute>] (from client 192.168.1.69 port 371 cli 0040.96a2.24f3) Delaying request 2 for 1 seconds Finished request 2 Going to the next request Thread 3 waiting to be assigned a request --- Walking the entire request list --- Waking up in 1 seconds... Threads: total/active/spare threads = 5/0/5 --- Walking the entire request list --- Sending Access-Reject of id 121 to 192.168.1.69 port 1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 121 with timestamp 4669d1cd Nothing to do. Sleeping until we see a request.
Anyone can help-me.
Best regards
-- /emmc
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
tnt@kalik.co.yu wrote:
Does securew2 support EAP-GTC?
Ivan Kalik Kalik Informatika ISP
Dana 8/6/2007, "emmcosta" <emmcosta@gmail.com> piše:
Hi everyone,
I have a problem with my configuration, authorize is ok but authentication fail.I use freeradius 1.1.6 e openldap 2.2.13 and use windows xp for client with securew2. My access-point is Cisco aironet 1100.
My radiusd.conf:
........... ldap { server = "localhost" identity = "cn=root,dc=teste,dc=pt" password = secret basedn = "dc=teste,dc=pt" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" start_tls = no access_attr = "uid" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword timeout = 4 timelimit = 3 net_timeout = 1 set_auth_type = no } ............... authorize { preprocess ldap pap }
authenticate{ Auth-Type PAP { pap } Auth-Type LDAP { ldap } eap
}
My eap.conf:
eap{ default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = yes md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem
# If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. certificate_file = ${raddbdir}/certs/cert-srv.pem
# Trusted Root CA list CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random } ttls { default_eap_type = gtc use_tunneled_reply = yes } }
The log:
............. rlm_ldap: - authorize rlm_ldap: performing user authorization for user_test radius_xlat: '(uid=user_test)' radius_xlat: 'dc=teste,dc=pt' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=teste,dc=pt, with filter (uid=user_test) Waking up in 1 seconds... Threads: total/active/spare threads = 5/1/4 rlm_ldap: checking if remote access for user_test is allowed by uid rlm_ldap: Added password {CRYPT}HkDWb49nxN4Zo in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value {CRYPT}HkDWb49nxN4Zo & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user gilberto authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 rlm_pap: No clear-text password in the request. Not performing PAP. modcall[authorize]: module "pap" returns noop for request 2 modcall: leaving group authorize (returns ok) for request 2 auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [user_test/<no User-Password attribute>] (from client 192.168.1.69 port 371 cli 0040.96a2.24f3) Delaying request 2 for 1 seconds Finished request 2 Going to the next request Thread 3 waiting to be assigned a request --- Walking the entire request list --- Waking up in 1 seconds... Threads: total/active/spare threads = 5/0/5 --- Walking the entire request list --- Sending Access-Reject of id 121 to 192.168.1.69 port 1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 121 with timestamp 4669d1cd Nothing to do. Sleeping until we see a request.
Anyone can help-me.
Best regards
-- /emmc
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I saw in the forum of securew2 that is no free dor windows plataforms. -- /emmc
Hi,
I saw in the forum of securew2 that is no free dor windows plataforms.
Of course it is. About one year ago, someone hijacked the site and tried for a few hours to make a quick buck "selling" copies. I guess that's where the forum discussions came from. The supplicant is open source and doesn't cost anything. Stefan -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
emmcosta wrote:
Hi everyone,
I have a problem with my configuration, authorize is ok but authentication fail.I use freeradius 1.1.6 e openldap 2.2.13 and use windows xp for client with securew2.
Oops didn't see you were using securew2 Just checked through the manual. Your right it supports PAP , though it would appear from your debug output that the User-Password wasn't been included in the request, which is why authentication is failing. Looks like outer encryption is always EAP-TTLS and you have a choice of either PAP or offloading the inner encryption to another module. I'll have a look on monday when i'm back at work, as I should really investigate it for our upcoming RADIUs roll out.
participants (4)
-
Arran Cudbard-Bell -
emmcosta -
Stefan Winter -
tnt@kalik.co.yu