FreeRADIUS + OpenLDAP for Wireless authentication
Hello, I have configured FreeRADIUS to work with OpenLDAP. Created user in OpenLDAP. Radtest from localhost works perfect. But I can't connect from other devices (android phone, etc..). In logs I get: [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user radiusas authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok I think it is problem in plain text password or something? # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } If I uncoment these lines, radtest stops working too. What can I do?
Hi,
I have configured FreeRADIUS to work with OpenLDAP. Created user in OpenLDAP. Radtest from localhost works perfect. But I can't connect from other devices (android phone, etc..). In logs I get:
how is the password stored in the LDAP? what authentication methods (eg EAP type) are you using on those devices? have you ensured that ldap is enabled in the inner-tunnel virtual server? - EAP methods move into the inner-tunnel - and thus you need to ensure its configured! radtest is just PAP....so only hits, by default, the default virtual server which I suspect you've edited to get things working that far. alan
Mantas Šiurkus wrote:
I have configured FreeRADIUS to work with OpenLDAP. Created user in OpenLDAP. Radtest from localhost works perfect. But I can't connect from other devices (android phone, etc..). In logs I get:
[ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
If FreeRADIUS can't find the user's password, then one of two things is true: a) you've misconfigured FreeRADIUS to look in the wrong place or b) the user doesn't have a password in LDAP.
I think it is problem in plain text password or something?
The problem is in the error message above. Why look somewhere else? Is the debug log *lying* to you?
What can I do?
Ensure that FreeRADIUS is configured correctly. Ensure that the rlm_ldap configuration is correct. Ensure that the "known good" password is found in ldap. Alan DeKok.
On 2013.05.22 21:13, Alan DeKok wrote:
Mantas Šiurkus wrote:
I have configured FreeRADIUS to work with OpenLDAP. Created user in OpenLDAP. Radtest from localhost works perfect. But I can't connect from other devices (android phone, etc..). In logs I get:
[ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? If FreeRADIUS can't find the user's password, then one of two things is true:
a) you've misconfigured FreeRADIUS to look in the wrong place
or
b) the user doesn't have a password in LDAP.
I think it is problem in plain text password or something? The problem is in the error message above. Why look somewhere else? Is the debug log *lying* to you?
What can I do? Ensure that FreeRADIUS is configured correctly. Ensure that the rlm_ldap configuration is correct. Ensure that the "known good" password is found in ldap.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you for the replay. Sorry I am new in freeradius and openldap. I uncommented two lines in freeradius/modules/ldap identity = "cn=admin,dc=my,dc=domain" password = myldappass And now freeradius debuging logs changed. When I am connecting from android phone where - "EAP method : PEAP" and "phase 2 authetication: MSCHAPV2" I got thease logs: [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "pass123" [ldap] looking for reply items in directory... [ldap] user radiusas authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Failed to decode Password-With-Header = "pass123" [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: radiusas [mschap] Told to do MS-CHAPv2 for radiusas with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\006E=691 R=1" EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 When I put user in freeradius/users than it connect. But via LDAP wont connect. Thank You for help.
Mantas Šiurkus wrote:
I uncommented two lines in freeradius/modules/ldap
That helps.
[ldap] userPassword -> Password-With-Header == "pass123"
That's not the standard format for a password. However... if you're doing to store plain-text passwords in LDAP, you can edit raddb/ldap.attrmap. Find the line: checkitem Password-With-Header userPassword And change it to: checkitem Cleartext-Password userPassword That should fix it. Alan DeKok.
On 05/23/2013 01:02 AM, Alan DeKok wrote:
Mantas Šiurkus wrote:
I uncommented two lines in freeradius/modules/ldap That helps.
[ldap] userPassword -> Password-With-Header == "pass123" That's not the standard format for a password. However... if you're doing to store plain-text passwords in LDAP, you can edit raddb/ldap.attrmap. Find the line:
checkitem Password-With-Header userPassword
And change it to:
checkitem Cleartext-Password userPassword
That should fix it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Thank You Alan. Now when I changed this line everything works. Now can connect from android and from Windows OS. Very fast and good solution. Thanks again.
Very good mailing list.
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Mantas Šiurkus