FreeRadius and Openldap authentication
Hello, I'm pretty new to ldap and radius, I try to put and 802.x authentication but I have difficulties setting it up correctly. Here is my problem: When I start the radtest binary: radtest "test" "supersecret" localhost 2 testing123 Here is the result: Sending Access-Request of id 45 to 127.0.0.1:1812 User-Name = "test" User-Password = "supersecret" NAS-IP-Address = lavoisier NAS-Port = 2 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=45, length=20 Here is the log on the radius server (Started with radiusd -X): rad_recv: Access-Request packet from host 127.0.0.1:61292, id=50, length=56 User-Name = "test" User-Password = "supersecret" NAS-IP-Address = 255.255.255.255 NAS-Port = 2 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 3 users: Matched entry DEFAULT at line 78 users: Matched entry DEFAULT at line 160 modcall[authorize]: module "files" returns ok for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=fr, with filter (uid=test) rlm_ldap: checking if remote access for test is allowed by radiusFilterId rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFilterId as Filter-Id, value Enterasys:version=1:policy=Enterprise User & op=11 rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3 modcall: group authorize returns ok for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: EAP-Message not found rlm_eap: Malformed EAP Message modcall[authenticate]: module "eap" returns fail for request 3 modcall: group authenticate returns fail for request 3 auth: Failed to validate the user. Login incorrect: [test] (from client localhost port 2) Delaying request 3 for 1 seconds Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 50 to 127.0.0.1:61292 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 3 ID 50 with timestamp 43b8f992 Nothing to do. Sleeping until we see a request. For the moment I have one box running Openldap on a debian/SPARC and one box running Freeradius on a FreeBSD 5.3/SPARC The LDAP user info: dn: cn=test,ou=users, dc=fr userPassword:: e1NIQX1jTWc1Y3dTazFuUEdMZW56UUw5UEdpV1pHSVU9 ou: ou=mind-techno,dc=fr objectClass: top objectClass: person objectClass: pilotPerson objectClass: radiusProfile janetMailbox: test@mind-techno.fr sn: test cn: test The SLDAPD conf file: access to dn="cn=.*,dc=fr" attr=userPassword by dn="cn=admin,dc=fr" write by anonymous auth by self write by * none The RADIUS radiusd.conf file: ldap { server = "galilee.mind-techno.fr" identity = "cn=emanager,dc=fr" password = "XXXXXXXXXXXXXX" basedn = "dc=fr" filter = "(uid=%u)" # base_filter = "(objectclass=radiusprofile)" start_tls = no access_attr = "radiusFilterId" dictionary_mapping = ${raddbdir}/ldap.attrmap #authtype = ldap ldap_connections_number = 5 password_attribute = "userPassword" timeout = 4 timelimit = 3 net_timeout = 1 } authenticate { # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } # # Allow EAP authentication. eap } The RADIUS users file: DEFAULT Auth-Type := EAP Fall-Through = 1 # Reply-Message = "LDAP" I must admit I'm pretty lost in all this, And that any help will be nice. I would be grateful if you had a how-to or tutorial on how to build a easy and working 802.x authentication with a Radius/LDAP system. Best regards, -- M. Robert Wakim Mind Technologies 24 rue Victor Hugo 94220 Charenton-Le-Pont FRANCE tel : +33 (0)1 41 79 09 40 Fax : +33 (0)1 43 68 80 32 Email : rwakim@mind-techno.fr web : http://www.mind-techno.fr
On Monday 02 January 2006 05:46, rwakim@mind-techno.fr wrote:
Here is my problem:
When I start the radtest binary:
radtest "test" "supersecret" localhost 2 testing123
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=45, length=20
You have set your server to do EAP. radtest does not do EAP use radeapclient for testing.
Here is the log on the radius server (Started with radiusd -X):
rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFilterId as Filter-Id, value Enterasys:version=1:policy=Enterprise User & op=11 rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3 modcall: group authorize returns ok for request 3
LDAP seems to be working.
The RADIUS users file:
DEFAULT Auth-Type := EAP Fall-Through = 1 # Reply-Message = "LDAP"
Don't set Auth-Type in the users file. Let the server figure it out.
I would be grateful if you had a how-to or tutorial on how to build a easy and working 802.x authentication with a Radius/LDAP system.
Documentation and how-tos are available in your source doc directory, www.freeradius.org and wiki.freeradius.org. Zoltan Ori
-----Message d'origine----- De : freeradius-users-bounces+rwakim=mind-techno.fr@lists.freeradius.org [mailto:freeradius-users-bounces+rwakim=mind- techno.fr@lists.freeradius.org] De la part de Zoltan A. Ori Envoyé : lundi 2 janvier 2006 12:51 À : FreeRadius users mailing list Objet : Re: FreeRadius and Openldap authentication
On Monday 02 January 2006 05:46, rwakim@mind-techno.fr wrote:
Here is my problem:
When I start the radtest binary:
radtest "test" "supersecret" localhost 2 testing123
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=45, length=20
You have set your server to do EAP. radtest does not do EAP use radeapclient for testing.
Thanks for the answer, I've tried radeapclient but it keeps segfaulting. I've browsed google to find a windows eap-md5 test client without any success. Here is the output of radeapclient: #radeapclient -x localhost auth testing123 User-Name = "test" EAP-MD5-Password = "supersecret" NAS-IP-Address = lavoisier EAP-Code = Response EAP-Id = 210 EAP-Type-Identity = "test" Message-Authenticator = 0x00 NAS-Port = 0 +++> About to send encoded packet: User-Name = "test" EAP-MD5-Password = "supersecret" NAS-IP-Address = lavoisier EAP-Code = Response EAP-Id = 210 EAP-Type-Identity = "test" Message-Authenticator = 0x00 NAS-Port = 0 radeapclient in free(): error: modified (chunk-) pointer Abort (core dumped) Do you have any advices on how to test the whole system?
I would be grateful if you had a how-to or tutorial on how to build a easy and working 802.x authentication with a Radius/LDAP system.
Documentation and how-tos are available in your source doc directory, www.freeradius.org and wiki.freeradius.org.
Thanks Regards, -- M. Robert Wakim Mind Technologies 24 rue Victor Hugo 94220 Charenton-Le-Pont FRANCE tel : +33 (0)1 41 79 09 40 Fax : +33 (0)1 43 68 80 32 Email : rwakim@mind-techno.fr web : http://www.mind-techno.fr
On Monday 02 January 2006 10:11, Robert WAKIM wrote:
Thanks for the answer, I've tried radeapclient but it keeps segfaulting. I've browsed google to find a windows eap-md5 test client without any success.
Sorry, I can't help with radeapclient.
Do you have any advices on how to test the whole system?
If they are convenient for you to get at, use one of your Enterasys switches. Set the RADIUS servers, set up any ports that you are going to test on. Set all other ports to 'forced authenticated'. Take care with the host data port (system management) so that you don't lock yourself out. Procedure varies with type of switch and firmware revision. Zoltan Ori
Hi, I would say that you can't test direcly your EAP auth using radtest because radtest doesn't send a EAP-Message into its requests. You have two choices here, use radclient with correct params to test EAP ou take a real windows clients and configure auth to be EAP. Regards, -- Sebastien Cantos <scantos@technodiva.com> Network / System Manager Neopost DIVA
-----Message d'origine----- De : freeradius-users-bounces+scantos=technodiva.com@lists.freeradi us.org [mailto:freeradius-users-bounces+scantos=technodiva.com@lists. freeradius.org] De la part de rwakim@mind-techno.fr Envoyé : lundi 2 janvier 2006 11:46 À : freeradius-users@lists.freeradius.org Objet : FreeRadius and Openldap authentication
Hello,
I'm pretty new to ldap and radius, I try to put and 802.x authentication but I have difficulties setting it up correctly.
Here is my problem:
When I start the radtest binary:
radtest "test" "supersecret" localhost 2 testing123
Here is the result:
Sending Access-Request of id 45 to 127.0.0.1:1812 User-Name = "test" User-Password = "supersecret" NAS-IP-Address = lavoisier NAS-Port = 2 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=45, length=20
Here is the log on the radius server (Started with radiusd -X):
rad_recv: Access-Request packet from host 127.0.0.1:61292, id=50, length=56 User-Name = "test" User-Password = "supersecret" NAS-IP-Address = 255.255.255.255 NAS-Port = 2 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 3 users: Matched entry DEFAULT at line 78 users: Matched entry DEFAULT at line 160 modcall[authorize]: module "files" returns ok for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=fr, with filter (uid=test) rlm_ldap: checking if remote access for test is allowed by radiusFilterId rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFilterId as Filter-Id, value Enterasys:version=1:policy=Enterprise User & op=11 rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3 modcall: group authorize returns ok for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: EAP-Message not found rlm_eap: Malformed EAP Message modcall[authenticate]: module "eap" returns fail for request 3 modcall: group authenticate returns fail for request 3 auth: Failed to validate the user. Login incorrect: [test] (from client localhost port 2) Delaying request 3 for 1 seconds Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 50 to 127.0.0.1:61292 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 3 ID 50 with timestamp 43b8f992 Nothing to do. Sleeping until we see a request.
For the moment I have one box running Openldap on a debian/SPARC and one box running Freeradius on a FreeBSD 5.3/SPARC
The LDAP user info:
dn: cn=test,ou=users, dc=fr userPassword:: e1NIQX1jTWc1Y3dTazFuUEdMZW56UUw5UEdpV1pHSVU9 ou: ou=mind-techno,dc=fr objectClass: top objectClass: person objectClass: pilotPerson objectClass: radiusProfile janetMailbox: test@mind-techno.fr sn: test cn: test
The SLDAPD conf file:
access to dn="cn=.*,dc=fr" attr=userPassword by dn="cn=admin,dc=fr" write by anonymous auth by self write by * none
The RADIUS radiusd.conf file:
ldap { server = "galilee.mind-techno.fr"
identity = "cn=emanager,dc=fr" password = "XXXXXXXXXXXXXX"
basedn = "dc=fr"
filter = "(uid=%u)" # base_filter = "(objectclass=radiusprofile)"
start_tls = no
access_attr = "radiusFilterId"
dictionary_mapping = ${raddbdir}/ldap.attrmap #authtype = ldap
ldap_connections_number = 5
password_attribute = "userPassword" timeout = 4 timelimit = 3 net_timeout = 1 }
authenticate {
# Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap }
# # Allow EAP authentication. eap }
The RADIUS users file:
DEFAULT Auth-Type := EAP Fall-Through = 1 # Reply-Message = "LDAP"
I must admit I'm pretty lost in all this, And that any help will be nice.
I would be grateful if you had a how-to or tutorial on how to build a easy and working 802.x authentication with a Radius/LDAP system.
Best regards,
-- M. Robert Wakim Mind Technologies
24 rue Victor Hugo 94220 Charenton-Le-Pont FRANCE
tel : +33 (0)1 41 79 09 40 Fax : +33 (0)1 43 68 80 32
Email : rwakim@mind-techno.fr web : http://www.mind-techno.fr
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Robert WAKIM -
rwakim@mind-techno.fr -
S�bastien Cantos -
Zoltan A. Ori -
Zoltan Ori