Greetings. I am extremely green to both 802.1x and radius and am trying to set this system up quickly as students arrive on campus in a couple of weeks so please forgive me if I ask questions that have been answered or exist in the documentation. I need to authenticate windows and osx wireless users using Cisco AP's to the freeradius server using our OSX ldap directory as the backend. I can use radtest from another host and authenticate an LDAP user via the freeradius server and get an Access-Accept packet from the server. When I attempt to connect via a windows or osx client to the AP I get error messages about User-Password being required and the Access- Request packet does not have the User-Password attribute. Many of the settings are the default. The settings I have changed have been from several online tutorials none of which talked about both 802.1x and LDAP. I'm embarrassed not to have read all the documentation but I'm really in a time pinch here. Again I beg your indulgence. Cian Phillips Director Network & Systems California College of the Arts Phone: (510) 594-3745 Cell: (510) 719-0091 Fax: (510) 594-3758 email: cian@cca.edu <<<<<<<<<<<< OUTPUT of freeradius -X >>>>>>>>>>>>>>>> radius:/etc# freeradius -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/freeradius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/freeradius/freeradius.pid" main: user = "freerad" main: group = "freerad" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded LDAP ldap: server = "ldap-sf.cca.edu" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "cn=users,dc=cca,dc=edu" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "(null)" ldap: access_attr = "uidNumber" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member= %{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=% {Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: edir_account_policy_check = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling- Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed- Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX- Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination- Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed- AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed- AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed- AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port conns: 0x81165c0 Module: Instantiated ldap (ldap) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/freeradius/certs/cert-srv.pem" tls: certificate_file = "/etc/freeradius/certs/cert-srv.pem" tls: CA_file = "/etc/freeradius/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/freeradius/certs/dh" tls: random_file = "/etc/freeradius/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/freeradius/huntgroups" preprocess: hints = "/etc/freeradius/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/freeradius/users" files: acctusersfile = "/etc/freeradius/acct_users" files: preproxy_usersfile = "/etc/freeradius/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP- Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 209.40.86.47:1024, id=130, length=154 User-Name = "cian" Calling-Station-Id = "00:11:24:2D:9C:29" Called-Station-Id = "00:0B:85:53:62:D0:cca" NAS-Port = 1 NAS-IP-Address = 209.40.86.47 NAS-Identifier = "OaklandWC4200" Vendor-14179-Attr-1 = 0x00000001 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000009016369616e Message-Authenticator = 0xdf9fb47d83d3b3f473d7812ae43cfa16 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "cian", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 216 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for cian radius_xlat: '(uid=cian)' radius_xlat: 'cn=users,dc=cca,dc=edu' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap-sf.cca.edu:389, authentication 0 rlm_ldap: bind as / to ldap-sf.cca.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in cn=users,dc=cca,dc=edu, with filter (uid=cian) rlm_ldap: checking if remote access for cian is allowed by uidNumber rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user cian authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0 auth: Failed to validate the user. Login incorrect: [cian/<no User-Password attribute>] (from client wireless port 1 cli 00:11:24:2D:9C:29) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 209.40.86.47:1024, id=130, length=154 Sending Access-Reject of id 130 to 209.40.86.47:1024 --- Walking the entire request list --- Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 130 with timestamp 43060ecc Nothing to do. Sleeping until we see a request.
Cian Phillips wrote:
Many of the settings are the default. The settings I have changed have been from several online tutorials none of which talked about both 802.1x and LDAP.
Seems to me you didn't search well enough... http://www.google.com/search?hl=nl&q=freeradius+802.1x+ldap+howto -- Groeten, Regards, Salutations, Thor Spruyt M: +32 (0)475 67 22 65 E: thor.spruyt@telenet.be W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Sorry, I should have mentioned the pages I have already tried to follow. http://www.bughost.org/ipw/docs/freeRadius_configuration_HOWTO.TXT http://www.kevan.net/cisco_freeradius_tls_peap_auth.php http://mattzz.dyndns.org/twiki/bin/view/Projects/ FreeRadiusAuthentication http://www.missl.cs.umd.edu/wireless/eaptls/ http://lists.freeradius.org/mailman/htdig/freeradius-users/2004-June/ 033143.html http://vuksan.com/linux/dot1x/802-1x-LDAP.html#Set_up_OpenLDAP http://www.sas.upenn.edu/~omar/wireless/work_freeradius.html#freeradius http://tldp.org/HOWTO/html_single/8021X-HOWTO/ With each of these I still have the problem where the Access-Request packet doesn't contain a User-Password attribute. I am guessing that there is something very fundamental that I am not understanding.. like "there isn't supposed to be a User-Password attribute coming from the AP" but if that's the case then I really don't understand how we authenticate against the LDAP directory without a password. I have tried a bunch of different "how-to's" and haven't had any success.. if someone could say they were certain that one of them worked that in itself would be a great deal of help. I guess I should also mention that I have searched the list for "rlm_ldap: Attribute "User-Password" is required for authentication." and some other permutations of that string but didn't find anything that seemed especially conclusive or applicable.. The problem is that I'm not sure I would know if I saw it. Again my apologies for trying to get up to speed in a couple of hours.. and many thanks for attempting to help me find a solution. Cian Phillips Director Network & Systems California College of the Arts Phone: (510) 594-3745 Cell: (510) 719-0091 Fax: (510) 594-3758 email: cian@cca.edu On Aug 19, 2005, at 10:30 AM, Thor Spruyt wrote:
Cian Phillips wrote:
Many of the settings are the default. The settings I have changed have been from several online tutorials none of which talked about both 802.1x and LDAP.
Seems to me you didn't search well enough... http://www.google.com/search?hl=nl&q=freeradius+802.1x+ldap+howto
-- Groeten, Regards, Salutations,
Thor Spruyt M: +32 (0)475 67 22 65 E: thor.spruyt@telenet.be W: www.thor-spruyt.com
www.salesguide.be www.telenethotspot.be
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Cian Phillips <cian@cca.edu> wrote:
With each of these I still have the problem where the Access-Request packet doesn't contain a User-Password attribute. I am guessing that there is something very fundamental that I am not understanding.. like "there isn't supposed to be a User-Password attribute coming from the AP" but if that's the case then I really don't understand how we authenticate against the LDAP directory without a password.
You don't. LDAP is a database, not an authentication server. FreeRADIUS is an authentication server. It pulls the password from LDAP, and uses that to authenticate the user.
I have tried a bunch of different "how-to's" and haven't had any success.. if someone could say they were certain that one of them worked that in itself would be a great deal of help.
If you're looking for details of how the authentication protocols work, the HOWTO's won't help you. They tell you how to get it to work, and they assume that you don't care about the internal design details of the system. If you DO really care about the design details of the authentication protocols, read the RFC's. They're in doc/rfc/*. Otherwise, configure the system as per the HOWTO's, and it *will* work. Alan DeKok.
FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 19, 2005 at 10:54 -0800 wrote:
With each of these I still have the problem where the Access-Request packet doesn't contain a User-Password attribute. I am guessing that there is something very fundamental that I am not understanding.. like "there isn't supposed to be a User-Password attribute coming from the AP" but if that's the case then I really don't understand how we authenticate against the LDAP directory without a password.
Hi there, Do some reasearch on configuring TTLS with FreeRadius -- there's a howto around somewhere. Once you get TTLS/PAP working (with the auth info in the users file), you can easily make LDAP work. An understanding of the tunnelling system used with most 802.1x auth protocols would be helpful for you -- the trouble is that the password is inside the tunnel, and your FreeRadius config isn't understanding your tunnel. -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
Cian Phillips wrote:
rlm_ldap: performing search in cn=users,dc=cca,dc=edu, with filter (uid=cian) rlm_ldap: checking if remote access for cian is allowed by uidNumber rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user cian authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0
It appears in your users file you are setting Auth-Type to LDAP. It should be EAP or just leave it blank. FreeRADIUS will set it to EAP. What you also need to do is set the client to use PAP authentication in the inner tunnel. http://vuksan.com/linux/dot1x/wpa-client-config.html Vladimir
participants (5)
-
Alan DeKok -
Cian Phillips -
Kris Benson -
Thor Spruyt -
Vladimir Vuksan