Hi I configured 2 ldap modules, one using a clear-text password for PEAP-TLS with MS-CHAPv2 or only CHAP authentication, and one retrieving a Crypt-Password for using PAP-Authentication. radiusd.conf: ldap ldap-PEAP { server = "ip" port = 400 identity = "cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE" password = xxxxxx basedn = "ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE" filter = "(Userid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "uid" #The mapping-file for PEAP: -> retrieves the cleartext-Password dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = "User-Password" timeout = 24 timelimit = 23 net_timeout = 1 ldap_debug = 5 } ldap ldap-PAP { server = "ip" port = 400 identity = "cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE" password = xxxx basedn = "ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE" filter = "(Userid=%{Stripped-User-Name:-%{User-Name}})" access_attr = "uid" #The mapping-file for PAP: -> retrieves the User-Password dictionary_mapping = ${raddbdir}/ldap.attrmap.pap ldap_connections_number = 5 password_attribute = "User-Password" timeout = 24 timelimit = 23 net_timeout = 1 ldap_debug = 5 } In the authorize-section I have added "group", as told in configurable_failover: authorize { preprocess suffix chap mschap group { ldap-PAP { #first try ldap-PAP, only return if it succeeds notfound = 1 noop = 2 updated = 3 fail = 4 reject = 5 userlock = 6 invalid = 7 handled = 8 ok = return } ldap-PEAP{#then ldap-PEAP notfound = 1 noop = 2 updated = 3 fail = 4 reject = 5 userlock = 6 invalid = 7 handled = 8 ok = return } eap{ #then EAP notfound = 1 noop = 2 updated = 3 fail = 4 reject = 5 userlock = 6 invalid = 7 handled = 8 ok = return } files{#then files notfound = 1 noop = 2 updated = 3 fail = 4 reject = 5 userlock = 6 invalid = 7 handled = 8 ok = return } } But it only takes the first entry, and if I switch the order of ldap-PAP and ldap-PEAP, so it should take ldap-PAP, therefore retrieve an Crypt-Password from the ldap-PAP-section it wants to use ldap for authentication!?!?!? What do I wrong? Thanks in advance Flo -- -------------------------------------------------------------- Dipl. Inf. Florian Prester Network Administration Regionales RechenZentrum Erlangen Universitaet Erlangen-Nuernberg Germany Tel.: +499131 8527813
Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
I configured 2 ldap modules, one using a clear-text password for PEAP-TLS with MS-CHAPv2 or only CHAP authentication, and one retrieving a Crypt-Password for using PAP-Authentication.
Why? Just use the clear-text password to do all of the authentication. You're making work for yourself without any gain.
group { ...
You're listing EAP in that group. DON'T.
But it only takes the first entry, and if I switch the order of ldap-PAP and ldap-PEAP, so it should take ldap-PAP, therefore retrieve an Crypt-Password from the ldap-PAP-section it wants to use ldap for authentication!?!?!?
Yes.
What do I wrong?
You've made massive changes to the configuration files. Stop using two LDAP instances. You don't need them. Use the default configuration, with one LDAP module in the places shown by the default configuration. It WILL work. Alan DeKok.
Alan DeKok wrote:
Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
I configured 2 ldap modules, one using a clear-text password for PEAP-TLS with MS-CHAPv2 or only CHAP authentication, and one retrieving a Crypt-Password for using PAP-Authentication.
Why? Just use the clear-text password to do all of the authentication. You're making work for yourself without any gain.
But how can I do PAP with a clear-text password?
group {
...
You're listing EAP in that group. DON'T.
Sorry, didn`t wanna do that! But I want to achieve that the authentication is first trying CHAP, then PAP and so on.
But it only takes the first entry, and if I switch the order of ldap-PAP and ldap-PEAP, so it should take ldap-PAP, therefore retrieve an Crypt-Password from the ldap-PAP-section it wants to use ldap for authentication!?!?!?
Yes.
How can I change that? I thought radius is taking that kind of authentication which request is comming in?! So I sniffed and there are comming different request: PAP: User-Password CHAP: CHAP-Password So how can I tell the radius to take the proper authentication and therefore a specific password using the LDAP profile? In LDAP the clear-text password is given as well as the crypt one?
What do I wrong?
You've made massive changes to the configuration files.
Stop using two LDAP instances. You don't need them. Use the default configuration, with one LDAP module in the places shown by the default configuration. It WILL work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I am sorry, if I am annoying you, but I am kind of confused and do not know what to do anymore. Thanks Florian -- -------------------------------------------------------------- Dipl. Inf. Florian Prester Network Administration Regionales RechenZentrum Erlangen Universitaet Erlangen-Nuernberg Germany Tel.: +499131 8527813
Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
Why? Just use the clear-text password to do all of the authentication. You're making work for yourself without any gain.
But how can I do PAP with a clear-text password?
Are you joking? PAP *is* just the clear-text password!
You're listing EAP in that group. DON'T.
Sorry, didn`t wanna do that! But I want to achieve that the authentication is first trying CHAP, then PAP and so on.
Then use the default configuration. IT WORKS.
So how can I tell the radius to take the proper authentication and therefore a specific password using the LDAP profile?
You don't. The default configuration does this.
In LDAP the clear-text password is given as well as the crypt one?
Use the clear-text password. It's all you need to get everything to work.
I am sorry, if I am annoying you, but I am kind of confused and do not know what to do anymore.
If you don't know what the configuration file does, make as FEW changes as possible. All you need to do is take the default radiusd.conf, uncomment the references to "ldap", and configure the "ldap" module to point to your LDAP server. What you did wrong was to make massive changes to the configuration file without really understanding what the changes meant. Alan DeKok.
Hm, I am really stuck :-( Let me try to explain what I inted to do: 1.) PAP is just the clear-text password??? -> I thought pap is hashing the password with a challenge (MD-5). This means the client is then transmitting this Hash to the radius, which might hold the password in cleartext or as a MD-5-Hash as well. Either comparing the Hashes or the passwords. So I want to the server to hold a crypted Password (MD-5) for PAP, but retrieving that from the ldap server. 2.) I do not want to do any binding to the ldap for authentication! I just want to retrieve the information from the ldap, but then authenticate only by the radius itself!! 3.) For authentication I want to provide PAP, CHAP, and PEAP+TLS using MsCHAPv2. How can I do that? If use the radiusd.conf as it comes the radius wants to use ldap for authentication. If I use the ldap-Authentication-module with the pap-instruction instead of ldap: authenticate { ... ldap { pap } ... } it says "Login incorrect (rlm_pap: CRYPT password check failed)", but the password is correct, but not encrypted at the radius!! -> CHAP works fine! If I provide the encrypted password at the radius, PAP works fine (still trying ldap (i.e. PAP)) but CHAP fails, because the password do not match, of course not it is encrypted!! So what can I do?? I have both the encrypted and the clear-text password, but I can not tell the radius what to use when? Do I need a specific mapping in te ldap.attrmap? I map against the radius Password attribute, because this seems to be overruling everything!?! Thanks Florian Alan DeKok wrote:
Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
Why? Just use the clear-text password to do all of the authentication. You're making work for yourself without any gain.
But how can I do PAP with a clear-text password?
Are you joking? PAP *is* just the clear-text password!
You're listing EAP in that group. DON'T.
Sorry, didn`t wanna do that! But I want to achieve that the authentication is first trying CHAP, then PAP and so on.
Then use the default configuration. IT WORKS.
So how can I tell the radius to take the proper authentication and therefore a specific password using the LDAP profile?
You don't. The default configuration does this.
In LDAP the clear-text password is given as well as the crypt one?
Use the clear-text password. It's all you need to get everything to work.
I am sorry, if I am annoying you, but I am kind of confused and do not know what to do anymore.
If you don't know what the configuration file does, make as FEW changes as possible.
All you need to do is take the default radiusd.conf, uncomment the references to "ldap", and configure the "ldap" module to point to your LDAP server.
What you did wrong was to make massive changes to the configuration file without really understanding what the changes meant.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -------------------------------------------------------------- Dipl. Inf. Florian Prester Network Administration Regionales RechenZentrum Erlangen Universitaet Erlangen-Nuernberg Germany Tel.: +499131 8527813
Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
1.) PAP is just the clear-text password???
Yes.
-> I thought pap is hashing the password with a challenge (MD-5).
Stop worrying about it. PAP is the clear-text password.
So I want to the server to hold a crypted Password (MD-5) for PAP, but retrieving that from the ldap server.
If the LDAP server has a clear-text password for MS-CHAP, you might as well use it for PAP. Trying to make PAP use a crypt'd password is a waste of time, and doesn't gain anything.
2.) I do not want to do any binding to the ldap for authentication!
So... don't list "ldap" in the "authenticate" section.
3.) For authentication I want to provide PAP, CHAP, and PEAP+TLS using MsCHAPv2.
How can I do that? If use the radiusd.conf as it comes the radius wants to use ldap for authentication.
No, it doesn't. The default radiusd.conf doesn't use ldap at *all*.
authenticate { ... ldap { pap }
WTF? Don't do that! Alan DeKok.
Alan DeKok wrote:
Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
1.) PAP is just the clear-text password???
Yes.
-> I thought pap is hashing the password with a challenge (MD-5).
Stop worrying about it. PAP is the clear-text password.
Got it now, thanks!
So I want to the server to hold a crypted Password (MD-5) for PAP, but retrieving that from the ldap server.
If the LDAP server has a clear-text password for MS-CHAP, you might as well use it for PAP. Trying to make PAP use a crypt'd password is a waste of time, and doesn't gain anything.
OK, now I found the mistake: 1.) my head 2.) pap-section: was set to crypt!!!
2.) I do not want to do any binding to the ldap for authentication!
So... don't list "ldap" in the "authenticate" section.
Sorry, but I do not list ldap in the "authenticate" section! radiusd.conf: authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. # digest # # Pluggable Authentication Modules. # pam # # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # # unix # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # Auth-Type LDAP { # ldap # } # # Allow EAP authentication. eap } LOG: rad_recv: Access-Request packet from host 131.188.78.116:1967, id=58, length=47 User-Name = "unrz148" User-Password = "unrz148" Thu Jun 23 08:25:36 2005 : Debug: Processing the authorize section of radiusd.conf Thu Jun 23 08:25:36 2005 : Debug: modcall: entering group authorize for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "preprocess" returns ok for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "chap" returns noop for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "mschap" returns noop for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: - authorize Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: performing user authorization for unrz148 Thu Jun 23 08:25:36 2005 : Debug: radius_xlat: '(Userid=unrz148)' Thu Jun 23 08:25:36 2005 : Debug: radius_xlat: 'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE' Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrz148) request 12 done Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: checking if remote access for unrz148 is allowed by uid Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: looking for check items in directory... Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: Adding fauUserid as Password, value unrz148 & op=21 Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: Adding ntPassword as NT-Password, value 925B509D0BD4D37992897EEEC91072C1 & op=21 Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: Adding lmPassword as LM-Password, value AC8398A336F64627FDCFC2AFB2D1BE34 & op=21 Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: looking for reply items in directory... Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: user unrz148 authorized to use remote access Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "ldap" returns ok for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: rlm_eap: No EAP-Message, not doing EAP Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "eap" returns noop for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 10 Thu Jun 23 08:25:36 2005 : Debug: rlm_realm: No '@' in User-Name = "unrz148", looking up realm NULL Thu Jun 23 08:25:36 2005 : Debug: rlm_realm: No such realm "NULL" Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "suffix" returns noop for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling files (rlm_files) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "files" returns notfound for request 10 Thu Jun 23 08:25:36 2005 : Debug: modcall: group authorize returns ok for request 10 Thu Jun 23 08:25:36 2005 : Debug: rad_check_password: Found Auth-Type LDAP <<<< Where does this come from? # I use the NTRadPing Test Utility Thu Jun 23 08:25:36 2005 : Debug: auth: type "LDAP" Thu Jun 23 08:25:36 2005 : Debug: ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. Thu Jun 23 08:25:36 2005 : Debug: auth: Failed to validate the user. Thu Jun 23 08:25:36 2005 : Auth: Login incorrect: [unrz148/unrz148] (from client Windows port 0) Thu Jun 23 08:25:36 2005 : Debug: Delaying request 10 for 1 seconds Thu Jun 23 08:25:36 2005 : Debug: Finished request 10 Thu Jun 23 08:25:36 2005 : Debug: Going to the next request Thu Jun 23 08:25:36 2005 : Debug: --- Walking the entire request list --- Thu Jun 23 08:25:36 2005 : Debug: Waking up in 1 seconds... Thu Jun 23 08:25:37 2005 : Debug: --- Walking the entire request list --- Thu Jun 23 08:25:37 2005 : Debug: Waking up in 1 seconds... Thu Jun 23 08:25:38 2005 : Debug: --- Walking the entire request list --- Sending Access-Reject of id 58 to 131.188.78.116:1967 Thu Jun 23 08:25:38 2005 : Debug: Waking up in 1 seconds... Thu Jun 23 08:25:39 2005 : Debug: --- Walking the entire request list --- Thu Jun 23 08:25:39 2005 : Debug: Cleaning up request 9 ID 57 with timestamp 42ba55dd
3.) For authentication I want to provide PAP, CHAP, and PEAP+TLS using MsCHAPv2.
How can I do that? If use the radiusd.conf as it comes the radius wants to use ldap for authentication.
No, it doesn't. The default radiusd.conf doesn't use ldap at *all*.
authenticate { ... ldap { pap }
WTF? Don't do that!
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -------------------------------------------------------------- Dipl. Inf. Florian Prester Network Administration Regionales RechenZentrum Erlangen Universitaet Erlangen-Nuernberg Germany Tel.: +499131 8527813
Alan DeKok wrote:
Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
Thu Jun 23 08:25:36 2005 : Debug: rad_check_password: Found Auth-Type LDAP <<<< Where does this come from? # I use the NTRadPing Test Utility
You're using an old version of the server. Install 1.0.4.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry for that, but it is still looking for ldap-Authentication, even with 1.0.4. Of course it says in the Authorization-section: # # The ldap module will set Auth-Type to LDAP if it has not # already been set ldap But how can I retrieve the ldap-Information if I do not uncomment the ldap-key in the authorization-section? Because if I uncomment it, it wants to authenticate via LDAP like it says, but vice versa it cannot find the user???? Thanks Flo -- -------------------------------------------------------------- Dipl. Inf. Florian Prester Network Administration Regionales RechenZentrum Erlangen Universitaet Erlangen-Nuernberg Germany Tel.: +499131 8527813
Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
Because if I uncomment it, it wants to authenticate via LDAP like it says, but vice versa it cannot find the user????
Then set Auth-Type to PAP in the "users" file, and the LDAP module won't set Auth-Type to LDAP. Alan DeKok.
participants (2)
-
Alan DeKok -
Florian Prester