Hi, after testing and reading a lot of documentation, I have some questions. First my szenario: I want to use a freeradiusserver fpr authentication. The Users are stored in a LDAP-service. I have different user classes: 1.) Dialin-users: using PAP 2.) VPN-users: using PAP 3.) WLAN-Users: should work with EAP-TTLS/PEAP and MSCHAPV2 of PAP Why PAP? because I have an unix-community to supply and we do not want to have cleartext-passwords anywhere in our network (I know with PAP the cleartextpassword is sent to the radiusserver! But the radiusserver has none!) With MSCHAP we are using the NT-password ( I know it is not realy crypted, but still better than cleartext!) Now, how can I use PAP authentication with EAP-TTLS? - I read some mail before, but I still cannot get it working!! Meaning if I have an local user, defined in the useres.conf it works, but if I try to get the Informations from the LDAP-Server, the following error occours: rlm_ldap: user unrz148 authorized to use remote access Thu Aug 4 08:44:33 2005 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Thu Aug 4 08:44:33 2005 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 5 Thu Aug 4 08:44:33 2005 : Debug: modcall[authorize]: module "ldap" returns ok for request 5 Thu Aug 4 08:44:33 2005 : Debug: modcall: group authorize returns ok for request 5 Thu Aug 4 08:44:33 2005 : Debug: rad_check_password: Found Auth-Type LDAP Thu Aug 4 08:44:33 2005 : Debug: auth: type "LDAP" Thu Aug 4 08:44:33 2005 : Debug: ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. Thu Aug 4 08:44:33 2005 : Debug: auth: Failed to validate the user. Any hints for me? Also I have the problem with the difference between local and LDAP informations in generell. If I use a local-user everything works fine. If I use a LDAP-user he/she can authenticate, but later on the wpa_supplicant (supplicant fpr teh WLAN-users trying to do WPA) is accepting the authentication but not initiating the WPA-connection? With local-users and the same client-configuration everything works fine? Is it a problem within freeradius or wpa-supplicant?? Thanks Florian -------------------------------------------------------------- Dipl. Inf. Florian Prester Network Administration Regionales RechenZentrum Erlangen Universitaet Erlangen-Nuernberg Germany Tel.: +499131 8527813
Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
With MSCHAP we are using the NT-password ( I know it is not realy crypted, but still better than cleartext!)
That's a common misconception.
Now, how can I use PAP authentication with EAP-TTLS?
Tell the client to use it. The server has NO control over whether the client uses PAP or not.
Thu Aug 4 08:44:33 2005 : Debug: rad_check_password: Found Auth-Type LDAP Thu Aug 4 08:44:33 2005 : Debug: auth: type "LDAP" Thu Aug 4 08:44:33 2005 : Debug: ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
Yeah, the LDAP module sets Auth-Type itself, and it can end up causing problems. The work-around is to set Auth-Type to PAP. i.e. DEFAULT Auth-Type = PAP Alan DeKok.
Alan DeKok wrote:
Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
With MSCHAP we are using the NT-password ( I know it is not realy crypted, but still better than cleartext!)
That's a common misconception.
Now, how can I use PAP authentication with EAP-TTLS?
Tell the client to use it. The server has NO control over whether the client uses PAP or not.
Thu Aug 4 08:44:33 2005 : Debug: rad_check_password: Found Auth-Type LDAP Thu Aug 4 08:44:33 2005 : Debug: auth: type "LDAP" Thu Aug 4 08:44:33 2005 : Debug: ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
Yeah, the LDAP module sets Auth-Type itself, and it can end up causing problems. The work-around is to set Auth-Type to PAP. i.e.
DEFAULT Auth-Type = PAP
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hm, ok, if I set PAP for the client it still does not work! I got an User-Password by ldap.attrmap, The passwords match! But the radius-server doesnot see the password-attribute. With an local user (configured in the users-file) and the same client-setup everything works fine. So I think there must be a problem with the ldap-intercation? Any help pwould be great, thankx Florian radius-log: rad_recv: Access-Request packet from host 131.188.4.191:20000, id=158, length=140 244 NAS-Port-Id = "5/1" 245 Calling-Station-Id = "00-20-A6-4D-2C-56" 246 Called-Station-Id = "00-0B-0E-2F-E2-C0:FAU-SEC" 247 Service-Type = Framed-User 248 EAP-Message = 0x0201000c01756e727a313438 249 User-Name = "unrz148" 250 NAS-Identifier = "Trapeze" 251 NAS-Port-Type = Wireless-802.11 252 NAS-IP-Address = 131.188.4.191 253 Message-Authenticator = 0xa761418a4abdbb324b10b31c653fed52 254 Mon Aug 8 10:58:12 2005 : Debug: Processing the authorize section of radiusd.conf 255 Mon Aug 8 10:58:12 2005 : Debug: modcall: entering group authorize for request 0 256 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0 257 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0 258 Mon Aug 8 10:58:12 2005 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0 259 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0 260 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0 261 Mon Aug 8 10:58:12 2005 : Debug: modcall[authorize]: module "chap" returns noop for request 0 262 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0 263 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0 264 Mon Aug 8 10:58:12 2005 : Debug: modcall[authorize]: module "mschap" returns noop for request 0 265 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0 266 Mon Aug 8 10:58:12 2005 : Debug: rlm_realm: No '@' in User-Name = "unrz148", looking up realm NULL 267 Mon Aug 8 10:58:12 2005 : Debug: rlm_realm: No such realm "NULL" 268 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0 269 Mon Aug 8 10:58:12 2005 : Debug: modcall[authorize]: module "suffix" returns noop for request 0 270 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0 271 Mon Aug 8 10:58:12 2005 : Debug: rlm_eap: EAP packet type response id 1 length 12 272 Mon Aug 8 10:58:12 2005 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation 273 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0 274 Mon Aug 8 10:58:12 2005 : Debug: modcall[authorize]: module "eap" returns updated for request 0 275 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0 276 Mon Aug 8 10:58:12 2005 : Debug: users: Matched entry DEFAULT at line 40 277 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0 278 Mon Aug 8 10:58:12 2005 : Debug: modcall[authorize]: module "files" returns ok for request 0 279 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0 280 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: - authorize 281 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: performing user authorization for unrz148 282 Mon Aug 8 10:58:12 2005 : Debug: radius_xlat: '(Userid=unrz148)' 283 Mon Aug 8 10:58:12 2005 : Debug: radius_xlat: 'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE' 284 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 285 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 286 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: attempting LDAP reconnection 287 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: (re)connect to 131.188.3.53:400, authentication 0 288 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: bind as cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernb erg,c=DE/xaver to 131.188.3.53:400 289 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: waiting for bind result ... 290 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: Bind was successful 291 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE , with filter (Userid=unrz148) 292 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: checking if remote access for unrz148 is allowed by uid 293 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: looking for check items in directory... 294 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: Adding fauUserid as Password, value unrz148 & op=21 295 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: Adding description as NT-Password, value 0x925B509D0BD4D37992897EEEC91 072C1 & op=21 296 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: Adding lmPassword as LM-Password, value AC8398A336F64627FDCFC2AFB2D1BE 34 & op=21 297 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: looking for reply items in directory... 298 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: user unrz148 authorized to use remote access 299 Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 300 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0 301 Mon Aug 8 10:58:12 2005 : Debug: modcall[authorize]: module "ldap" returns ok for request 0 302 Mon Aug 8 10:58:12 2005 : Debug: modcall: group authorize returns updated for request 0 303 Mon Aug 8 10:58:12 2005 : Debug: rad_check_password: Found Auth-Type pap 304 Mon Aug 8 10:58:12 2005 : Debug: auth: type "PAP" 305 Mon Aug 8 10:58:12 2005 : Debug: Processing the authenticate section of radiusd.conf 306 Mon Aug 8 10:58:12 2005 : Debug: modcall: entering group Auth-Type for request 0 307 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 0 308 Mon Aug 8 10:58:12 2005 : Auth: rlm_pap: Attribute "Password" is required for authentication. 309 Mon Aug 8 10:58:12 2005 : Debug: modsingle[authenticate]: returned from pap (rlm_pap) for request 0 310 Mon Aug 8 10:58:12 2005 : Debug: modcall[authenticate]: module "pap" returns invalid for request 0 311 Mon Aug 8 10:58:12 2005 : Debug: modcall: group Auth-Type returns invalid for request 0 312 Mon Aug 8 10:58:12 2005 : Debug: auth: Failed to validate the user. 313 Mon Aug 8 10:58:12 2005 : Auth: Login incorrect: [unrz148/<no User-Password attribute>] (from client airbrush por t 0 cli 00-20-A6-4D-2C-56) 314 Mon Aug 8 10:58:12 2005 : Debug: Delaying request 0 for 1 seconds 315 Mon Aug 8 10:58:12 2005 : Debug: Finished request 0 -- -------------------------------------------------------------- Dipl. Inf. Florian Prester Network Administration Regionales RechenZentrum Erlangen Universitaet Erlangen-Nuernberg Germany Tel.: +499131 8527813
Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
ok, if I set PAP for the client it still does not work!
Because the client is sending EAP packets, which the PAP module doesn't understand. The solution is to NOT tell the server to do PAP when the client is asking for EAP. I'm a little surprised that it's so hard to configure the server, given that the default configuration *works*. Alan DeKok.
participants (2)
-
Alan DeKok -
Florian Prester