EAP-TTLS-PAP using LDAP for authorization and PAM for authentication
Hello! I am trying to set up a simple Wlan-authentication using EAP-TTLS to avoid client certificates and PAM to use the server system authentication scheme. PAM doesn't know about users, and the users are situated in a LDAP database, which I think makes it logical to use rlm_ldap for authorization. I.e. I just want to check that users exist in LDAP and then move on to checking the password against PAM. The problem is that PAM is never used. This seems to be an artifact of the fact that rlm_ldap is supposed to fetch a "known good" password, but I don't have passwords in the LDAP database. rlm_ldap is indeed successful in authorizing, but there is no Auth-Type set to handle the authentication. If I for example force Auth-Type to PAM in the users file (not good, I know), TTLS-negotiation is never run. If I add Auth-Type LDAP { pam } to the authenticate section and let rlm_ldap set Auth-Type, it works with radtest, but fails using TTLS: pam_pass: function pam_acct_mgmt FAILED for <USERNAME>. Reason: Authentication service cannot retrieve authentication info My configuration is: FreeRADIUS 2.0.5 sites-enabled/default: authorize { preprocess auth_log eap { ok = return } files ldap pap } authenticate { Auth-Type PAP { pap } pam eap } Regards, Erik Karlsson.
The problem is that PAM is never used. This seems to be an artifact of the fact that rlm_ldap is supposed to fetch a "known good" password, but I don't have passwords in the LDAP database. rlm_ldap is indeed successful in authorizing, but there is no Auth-Type set to handle the authentication.
If I for example force Auth-Type to PAM in the users file (not good, I know), TTLS-negotiation is never run.
Don't set it in users file. Set it using unlang in authorize section of inner-tunnel virtual server. Ivan Kalik Kalik Informatika ISP
Hello friends, I was searching on the Internet and suggested that I upgrade my server freeradius and then jumped to the latest version I have everything seemingly well-configured to authenticate against Active Directory but I lack the parameters under which I use the default ntlm_auth module because I am against this authenticated users of the local server not on the server that contains the Active Directory any idea where it was agreed that force authentication on the other server? NOTE: Version 2 has the settings in a folder called / modules check everything and did not find anything to see if I need something to do, would be appreciated in advance Note : he is loading default pap module
I have everything seemingly well-configured to authenticate against Active Directory but I lack the parameters under which I use the default ntlm_auth module because I am against this authenticated users of the local server not on the server that contains the Active Directory
So you don't want to authenticate against AD? Why did you bother with that then? Authentication against local users is handled by unix module. You will need to force Auth-Type System (unlang or users file). Ivan Kalik Kalik Informatika ISP
--- El mar, 30/9/08, tnt@kalik.net <tnt@kalik.net> escribió: De: tnt@kalik.net <tnt@kalik.net> Asunto: Re: freeradius compiled version (lastest) against active directoryauthentication Para: freeradius-users@lists.freeradius.org Fecha: martes, 30 septiembre, 2008 2:14
I have everything seemingly well-configured to authenticate against Active Directory but I lack the parameters under which I use the default ntlm_auth module because I am against this authenticated users of the local server not on the server that contains the Active Directory
So you don't want to authenticate against AD? me-- OF course i do , i need to .. Why did you bother with that then? me-- the same as before , authenticate against AD. Authentication against local users is handled by unix module. aha ? You will need to force Auth-Type System (unlang or users file). me-- in what file is that to force Auth-Type ? thanks for the advise Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
luis a wrote:
I have everything seemingly well-configured to authenticate against Active Directory but I lack the parameters under which I use the default ntlm_auth module
What does that mean? Have you tried my web site (deployingradius.com) ? It has a "howto" for configuring authentication against Active Directory. Alan DeKok.
--- El mar, 30/9/08, Alan DeKok <aland@deployingradius.com> escribió: De: Alan DeKok <aland@deployingradius.com> Asunto: Re: freeradius compiled version (lastest) against active directory authentication Para: luis.azunet@yahoo.es, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Fecha: martes, 30 septiembre, 2008 3:07 luis a wrote:
I have everything seemingly well-configured to authenticate against Active Directory but I lack the parameters under which I use the default ntlm_auth module
What does that mean? Have you tried my web site (deployingradius.com) ? It has a "howto" for configuring authentication against Active Directory. i all ready read it and he does not work check it out the output ------------------------------------ Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 49964, id=37, length=72 User-Name = "luis" User-Password = "x" NAS-IP-Address = xx.xx.xx.x NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "luis", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] expand: %{Stripped-User-Name:-%{User-Name}} -> luis that warning apered after i added the line to the user config file DEFAULT Auth-Type = Local, Password == "stealme" .. WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "x" [pap] Using CRYPT encryption. [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. ------------------- and also when i remplace DEFAULT Auth-Type = System i get this message . rad_recv: Access-Request packet from host 127.0.0.1 port 50255, id=25, length=72 User-Name = "luis" User-Password = "x" NAS-IP-Address = xx.xx.xx.xx NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "luis", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] expand: %{Stripped-User-Name:-%{User-Name}} -> luis [files] users: Matched entry DEFAULT at line 205 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = System +- entering group authenticate {...} [unix] invalid password "luis" ++[unix] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> luis attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 25 to 127.0.0.1 port 50255 Waking up in 4.9 seconds. Cleaning up request 0 ID 25 with timestamp +4 Ready to process requests. Alan DeKok.
luis a wrote:
i all ready read it and he does not work
Nonsense. If you follow the instructions, it works.
check it out the output
You've edited the configuration files, and broken them. Don't do that. Start off with the default configuration files. THEN follow the instructions.
that warning apered after i added the line to the user config file DEFAULT Auth-Type = Local, Password == "stealme"
The instructions on my web site DON'T say to do that. So you're not following the instructions.
and also when i remplace DEFAULT Auth-Type = System
Can you explain why you're making nearly random changes to the configuration files rather than following the instructions on the web site? Alan DeKok.
Have you tried my web site (deployingradius.com) ? It has a "howto" for configuring authentication against Active Directory.
i all ready read it and he does not work
check it out the output
------------------------------------
Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 49964, id=37, length=72 User-Name = "luis" User-Password = "x" NAS-IP-Address = xx.xx.xx.x NAS-Port = 0
This is a pap request. ntlm_auth is configured in mschap. Send an mschap request. Or configure ldap "bind as user" if you are going to have pap requests.
------------------- and also when i remplace DEFAULT Auth-Type = System
i get this message .
..
Found Auth-Type = System +- entering group authenticate {...} [unix] invalid password "luis" ++[unix] returns reject Failed to authenticate the user.
That is OK. user "luis" was found but password was wrong. But it looks like (I still can't figure out what is it that you want to do) you don't actually want to authenticate against local users but AD. So what do you want to do: - authenticate against AD? - or against users of the local system? - or both? What type of requests are you going to recieve: - pap? - mschap (PEAP)? - both? Ivan Kalik Kalik Informatika ISP Ivan Kalik Kalik Informatika ISP
Erik Karlsson wrote:
I am trying to set up a simple Wlan-authentication using EAP-TTLS to avoid client certificates and PAM to use the server system authentication scheme. PAM doesn't know about users, and the users are situated in a LDAP database, which I think makes it logical to use rlm_ldap for authorization. I.e. I just want to check that users exist in LDAP and then move on to checking the password against PAM.
Why not also get the passwords from ldap? Why use PAM at all?
The problem is that PAM is never used. This seems to be an artifact of the fact that rlm_ldap is supposed to fetch a "known good" password, but I don't have passwords in the LDAP database. rlm_ldap is indeed successful in authorizing, but there is no Auth-Type set to handle the authentication.
If you want to use PAM, you have to force it via Auth-Type.
If I for example force Auth-Type to PAM in the users file (not good, I know), TTLS-negotiation is never run.
Because TTLS involves *two* authentication sessions. An outer one for EAP-TTLS, and an inner "tunneled" session where the real user-name && password is sent. Follow my web site (deployingradius.com) to get EAP-TTLS working. Once that's working, add LDAP authorization. Then, add PAM to the *inner* tunnel section. Alan DeKok.
Alan DeKok wrote:
Why not also get the passwords from ldap? Why use PAM at all?
Because LDAP isn't a very good solution for handling passwords, IMO. I prefer Kerberos in its simplicity.
If you want to use PAM, you have to force it via Auth-Type.
Thank you, the problem for me is that I don't know where to squeeze it in. :)
Because TTLS involves *two* authentication sessions. An outer one for EAP-TTLS, and an inner "tunneled" session where the real user-name && password is sent.
I am starting to understand that now.
Follow my web site (deployingradius.com) to get EAP-TTLS working. Once that's working, add LDAP authorization. Then, add PAM to the *inner* tunnel section.
I will. Thank you!
participants (4)
-
Alan DeKok -
Erik Karlsson -
luis a -
tnt@kalik.net