Freeradius + LDAP for WPA-Enterprise
Hello to all, I would like to use Freeradius to authenticate my wireless network using OpenWRT and Freeradius + LDAP. What I've done: First Authenticated Users in WLan using EAP-TTLS and files in Freeradius. WORKED! Then I've configured ldap-Modul + added "ldap" in the authorize- and "Auth-Type LDAP { ldap }" in the authenticate-section. The test via radtest succeeded. But now the authentication using OpenWRT (EAP-TTLS) like the first try with files - now with ldap did not work. I do noticed the following comment # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } but I don't know what to change that it worked like my first try with the difference the users are in LDAP instead of a file. Hope to get any hints Best regards. MS
I'm barely a novice with FR, so take this with a grain of salt: You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the "Auth Type LDAP" - for now. You almost "never" want to set the Auth-Type directly, FR figures it out from the request. For testing and troubleshooting it's OK, and if you really know what the consequences are its OK, but generally speaking don't set the auth type. As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the "no clear text password" issue. Gary -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 11:06 AM To: freeradius-users@lists.freeradius.org Subject: Freeradius + LDAP for WPA-Enterprise Hello to all, I would like to use Freeradius to authenticate my wireless network using OpenWRT and Freeradius + LDAP. What I've done: First Authenticated Users in WLan using EAP-TTLS and files in Freeradius. WORKED! Then I've configured ldap-Modul + added "ldap" in the authorize- and "Auth-Type LDAP { ldap }" in the authenticate-section. The test via radtest succeeded. But now the authentication using OpenWRT (EAP-TTLS) like the first try with files - now with ldap did not work. I do noticed the following comment # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } but I don't know what to change that it worked like my first try with the difference the users are in LDAP instead of a file. Hope to get any hints Best regards. MS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Hello, I'm trying to do the same thing, I know I have to use winbind and samba to get it, but in reading the news I found this freeradius 2.1 Added " Password-With-Header == userPassword" to raddb / ldap.attrmap This Will automaticallyconvert more passwords []'s -- Vinicius Teixeira Coelho Registered Linux User #469313 The Ubuntu Counter Project - user number # 21463 On Fri, Feb 11, 2011 at 3:37 PM, Gary Gatten <Ggatten@waddell.com> wrote:
I'm barely a novice with FR, so take this with a grain of salt:
You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the "Auth Type LDAP" - for now.
You almost "never" want to set the Auth-Type directly, FR figures it out from the request. For testing and troubleshooting it's OK, and if you really know what the consequences are its OK, but generally speaking don't set the auth type.
As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the "no clear text password" issue.
Gary
-----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org[mailto: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 11:06 AM To: freeradius-users@lists.freeradius.org Subject: Freeradius + LDAP for WPA-Enterprise
Hello to all,
I would like to use Freeradius to authenticate my wireless network using OpenWRT and Freeradius + LDAP. What I've done:
First Authenticated Users in WLan using EAP-TTLS and files in Freeradius. WORKED! Then I've configured ldap-Modul + added "ldap" in the authorize- and "Auth-Type LDAP { ldap }" in the authenticate-section. The test via radtest succeeded.
But now the authentication using OpenWRT (EAP-TTLS) like the first try with files - now with ldap did not work. I do noticed the following comment
# Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap }
but I don't know what to change that it worked like my first try with the difference the users are in LDAP instead of a file.
Hope to get any hints
Best regards. MS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
<font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yeah, but that's SAMBA - not LDAP. (Added "Password-With-Header == userPassword" to raddb / ldap.attrmap ) sounds interesting! ________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Vinicius Teixeira Coelho Sent: Friday, February 11, 2011 12:09 PM To: FreeRadius users mailing list Subject: Re: Freeradius + LDAP for WPA-Enterprise Hello, I'm trying to do the same thing, I know I have to use winbind and samba to get it, but in reading the news I found this freeradius 2.1 Added "Password-With-Header == userPassword" to raddb / ldap.attrmap This Will automaticallyconvert more passwords []'s -- Vinicius Teixeira Coelho Registered Linux User #469313 The Ubuntu Counter Project - user number # 21463 On Fri, Feb 11, 2011 at 3:37 PM, Gary Gatten <Ggatten@waddell.com<mailto:Ggatten@waddell.com>> wrote: I'm barely a novice with FR, so take this with a grain of salt: You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the "Auth Type LDAP" - for now. You almost "never" want to set the Auth-Type directly, FR figures it out from the request. For testing and troubleshooting it's OK, and if you really know what the consequences are its OK, but generally speaking don't set the auth type. As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the "no clear text password" issue. Gary -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com<http://waddell.com>@lists.freeradius.org<http://lists.freeradius.org> [mailto:freeradius-users-bounces+ggatten<mailto:freeradius-users-bounces%2Bggatten>=waddell.com<http://waddell.com>@lists.freeradius.org<http://lists.freeradius.org>] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 11:06 AM To: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Freeradius + LDAP for WPA-Enterprise Hello to all, I would like to use Freeradius to authenticate my wireless network using OpenWRT and Freeradius + LDAP. What I've done: First Authenticated Users in WLan using EAP-TTLS and files in Freeradius. WORKED! Then I've configured ldap-Modul + added "ldap" in the authorize- and "Auth-Type LDAP { ldap }" in the authenticate-section. The test via radtest succeeded. But now the authentication using OpenWRT (EAP-TTLS) like the first try with files - now with ldap did not work. I do noticed the following comment # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } but I don't know what to change that it worked like my first try with the difference the users are in LDAP instead of a file. Hope to get any hints Best regards. MS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Yes, but your samba is using the ldap []'s -- Vinicius Teixeira Coelho Registered Linux User #469313 The Ubuntu Counter Project - user number # 21463 On Fri, Feb 11, 2011 at 4:35 PM, Gary Gatten <Ggatten@waddell.com> wrote:
Yeah, but that’s SAMBA – not LDAP. (Added "Password-With-Header == userPassword" to raddb / ldap.attrmap ) sounds interesting!
------------------------------
*From:* freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org[mailto: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] *On Behalf Of *Vinicius Teixeira Coelho *Sent:* Friday, February 11, 2011 12:09 PM
*To:* FreeRadius users mailing list *Subject:* Re: Freeradius + LDAP for WPA-Enterprise
Hello, I'm trying to do the same thing, I know I have to use winbind and samba to get it, but in reading the news I found this freeradius 2.1 Added "Password-With-Header == userPassword" to raddb / ldap.attrmap This Will automaticallyconvert more passwords
[]'s -- Vinicius Teixeira Coelho
Registered Linux User #469313 The Ubuntu Counter Project - user number # 21463
On Fri, Feb 11, 2011 at 3:37 PM, Gary Gatten <Ggatten@waddell.com> wrote:
I'm barely a novice with FR, so take this with a grain of salt:
You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the "Auth Type LDAP" - for now.
You almost "never" want to set the Auth-Type directly, FR figures it out from the request. For testing and troubleshooting it's OK, and if you really know what the consequences are its OK, but generally speaking don't set the auth type.
As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the "no clear text password" issue.
Gary
-----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org[mailto: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 11:06 AM To: freeradius-users@lists.freeradius.org Subject: Freeradius + LDAP for WPA-Enterprise
Hello to all,
I would like to use Freeradius to authenticate my wireless network using OpenWRT and Freeradius + LDAP. What I've done:
First Authenticated Users in WLan using EAP-TTLS and files in Freeradius. WORKED! Then I've configured ldap-Modul + added "ldap" in the authorize- and "Auth-Type LDAP { ldap }" in the authenticate-section. The test via radtest succeeded.
But now the authentication using OpenWRT (EAP-TTLS) like the first try with files - now with ldap did not work. I do noticed the following comment
# Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap }
but I don't know what to change that it worked like my first try with the difference the users are in LDAP instead of a file.
Hope to get any hints
Best regards. MS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
<font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I don't think ntlm_auth makes any ldap calls. From: Vinicius Teixeira Coelho [mailto:vinicius.ti@gmail.com] Sent: Friday, February 11, 2011 12:41 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Freeradius + LDAP for WPA-Enterprise Yes, but your samba is using the ldap []'s -- Vinicius Teixeira Coelho Registered Linux User #469313 The Ubuntu Counter Project - user number # 21463 On Fri, Feb 11, 2011 at 4:35 PM, Gary Gatten <Ggatten@waddell.com<mailto:Ggatten@waddell.com>> wrote: Yeah, but that’s SAMBA – not LDAP. (Added "Password-With-Header == userPassword" to raddb / ldap.attrmap ) sounds interesting! ________________________________ From: freeradius-users-bounces+ggatten=waddell.com<http://waddell.com>@lists.freeradius.org<http://lists.freeradius.org> [mailto:freeradius-users-bounces+ggatten<mailto:freeradius-users-bounces%2Bggatten>=waddell.com<http://waddell.com>@lists.freeradius.org<http://lists.freeradius.org>] On Behalf Of Vinicius Teixeira Coelho Sent: Friday, February 11, 2011 12:09 PM To: FreeRadius users mailing list Subject: Re: Freeradius + LDAP for WPA-Enterprise Hello, I'm trying to do the same thing, I know I have to use winbind and samba to get it, but in reading the news I found this freeradius 2.1 Added "Password-With-Header == userPassword" to raddb / ldap.attrmap This Will automaticallyconvert more passwords []'s -- Vinicius Teixeira Coelho Registered Linux User #469313 The Ubuntu Counter Project - user number # 21463 On Fri, Feb 11, 2011 at 3:37 PM, Gary Gatten <Ggatten@waddell.com<mailto:Ggatten@waddell.com>> wrote: I'm barely a novice with FR, so take this with a grain of salt: You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the "Auth Type LDAP" - for now. You almost "never" want to set the Auth-Type directly, FR figures it out from the request. For testing and troubleshooting it's OK, and if you really know what the consequences are its OK, but generally speaking don't set the auth type. As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the "no clear text password" issue. Gary -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com<http://waddell.com>@lists.freeradius.org<http://lists.freeradius.org> [mailto:freeradius-users-bounces+ggatten<mailto:freeradius-users-bounces%2Bggatten>=waddell.com<http://waddell.com>@lists.freeradius.org<http://lists.freeradius.org>] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 11:06 AM To: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Freeradius + LDAP for WPA-Enterprise Hello to all, I would like to use Freeradius to authenticate my wireless network using OpenWRT and Freeradius + LDAP. What I've done: First Authenticated Users in WLan using EAP-TTLS and files in Freeradius. WORKED! Then I've configured ldap-Modul + added "ldap" in the authorize- and "Auth-Type LDAP { ldap }" in the authenticate-section. The test via radtest succeeded. But now the authentication using OpenWRT (EAP-TTLS) like the first try with files - now with ldap did not work. I do noticed the following comment # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } but I don't know what to change that it worked like my first try with the difference the users are in LDAP instead of a file. Hope to get any hints Best regards. MS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I >don't THINK you can authenticate EAP requests against LDAP directly because of the "no clear text password" issue.
I think he is right ... I know that we had to use the ntlm_auth exec module ... is there a reason you are doing EAP instead of PEAP? PEAP/MSCHAPv2 or PEAP/TTLS work great with Linux hosts ... even MACs (which are nothing more that bastardized Linux boxes) Windows hosts require a bit of configuring on the client to make it work but then they work too. Jake Sallee Godfather Of Bandwidth Network Engineer Fone: 254-295-4658 Phax: 254-295-4221 -----Original Message----- From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] On Behalf Of Gary Gatten Sent: Friday, February 11, 2011 11:37 AM To: 'FreeRadius users mailing list' Subject: RE: Freeradius + LDAP for WPA-Enterprise I'm barely a novice with FR, so take this with a grain of salt: You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the "Auth Type LDAP" - for now. You almost "never" want to set the Auth-Type directly, FR figures it out from the request. For testing and troubleshooting it's OK, and if you really know what the consequences are its OK, but generally speaking don't set the auth type. As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the "no clear text password" issue. Gary -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 11:06 AM To: freeradius-users@lists.freeradius.org Subject: Freeradius + LDAP for WPA-Enterprise Hello to all, I would like to use Freeradius to authenticate my wireless network using OpenWRT and Freeradius + LDAP. What I've done: First Authenticated Users in WLan using EAP-TTLS and files in Freeradius. WORKED! Then I've configured ldap-Modul + added "ldap" in the authorize- and "Auth-Type LDAP { ldap }" in the authenticate-section. The test via radtest succeeded. But now the authentication using OpenWRT (EAP-TTLS) like the first try with files - now with ldap did not work. I do noticed the following comment # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } but I don't know what to change that it worked like my first try with the difference the users are in LDAP instead of a file. Hope to get any hints Best regards. MS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Gary Gatten wrote:
You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the "Auth Type LDAP" - for now.
If I remove that the radtest failed for a LDAP-User. It returns a rejected Message.
As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the "no clear text password" issue.
How else would you authenticate a WPA(2)-Enterprise with Radius using LDAP-Accounts?
We just started using WPA2-Enterprise. We use SAMBA / ntlm_auth / AD. I honestly don't know if / how you can do it using pure LDAP. Someone else posted something about new LDAP attributes that may work, but that's way over my head. Maybe if you use certs instead of uname/passwords it will work with pure LDAP? Sorry I can't help much.... G -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 2:31 PM To: FreeRadius users mailing list Subject: Re: Freeradius + LDAP for WPA-Enterprise Gary Gatten wrote:
You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the "Auth Type LDAP" - for now.
If I remove that the radtest failed for a LDAP-User. It returns a rejected Message.
As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the "no clear text password" issue.
How else would you authenticate a WPA(2)-Enterprise with Radius using LDAP-Accounts? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
PS: We also use ntlm_auth for 802.1x. All the docs I read and the comments within the various FR files say EAP and LDAP won't work - for Authentication. Authorization should be fine. G -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 2:31 PM To: FreeRadius users mailing list Subject: Re: Freeradius + LDAP for WPA-Enterprise Gary Gatten wrote:
You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the "Auth Type LDAP" - for now.
If I remove that the radtest failed for a LDAP-User. It returns a rejected Message.
As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the "no clear text password" issue.
How else would you authenticate a WPA(2)-Enterprise with Radius using LDAP-Accounts? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
If you want to use ldap as authentication source, either you have plaintext password in ldap or ntPassword hash stored in ldap. You can search the list of my name, I just got both eap/peap against Active Directory w/ ntlm_auth and against ldap w/ ntPassword recently. I posted my configuration on the list. I am using peap because of we don't want to install a third party supplicant. Schilling On Fri, Feb 11, 2011 at 3:44 PM, Gary Gatten <Ggatten@waddell.com> wrote:
PS: We also use ntlm_auth for 802.1x. All the docs I read and the comments within the various FR files say EAP and LDAP won't work - for Authentication. Authorization should be fine.
G
-----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 2:31 PM To: FreeRadius users mailing list Subject: Re: Freeradius + LDAP for WPA-Enterprise
Gary Gatten wrote:
You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the "Auth Type LDAP" - for now.
If I remove that the radtest failed for a LDAP-User. It returns a rejected Message.
As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the "no clear text password" issue.
How else would you authenticate a WPA(2)-Enterprise with Radius using LDAP-Accounts? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
<font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
this is great, i will search. Enviado via iPhone Em 11/02/2011, às 19:04, schilling <schilling2006@gmail.com> escreveu:
If you want to use ldap as authentication source, either you have plaintext password in ldap or ntPassword hash stored in ldap. You can search the list of my name, I just got both eap/peap against Active Directory w/ ntlm_auth and against ldap w/ ntPassword recently. I posted my configuration on the list. I am using peap because of we don't want to install a third party supplicant.
Schilling
On Fri, Feb 11, 2011 at 3:44 PM, Gary Gatten <Ggatten@waddell.com> wrote:
PS: We also use ntlm_auth for 802.1x. All the docs I read and the comments within the various FR files say EAP and LDAP won't work - for Authentication. Authorization should be fine.
G
-----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Max Schröder Sent: Friday, February 11, 2011 2:31 PM To: FreeRadius users mailing list Subject: Re: Freeradius + LDAP for WPA-Enterprise
Gary Gatten wrote:
You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well together. Remove the "Auth Type LDAP" - for now.
If I remove that the radtest failed for a LDAP-User. It returns a rejected Message.
As for accomplishing your goal, unfortunately others will have to help you with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you can authenticate EAP requests against LDAP directly because of the "no clear text password" issue.
How else would you authenticate a WPA(2)-Enterprise with Radius using LDAP-Accounts? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
<font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Gary Gatten -
Max Schröder -
Sallee, Stephen (Jake) -
schilling -
Vinicius Teixeira Coelho