captive portal auth with freeradius
I am facing a issue that captive portial server is sending a auth request which is not a EAP message and hence freeradius server is rejecting , it goes to users file and found the last line Auth-Type: Reject Anyone can point how to fix this ? I guess if captive portal send a eap message , it will be looked into eap.conf and then a valid authenticate section can be chosen ?
On Wed, Apr 17, 2013 at 05:21:32PM +0530, Chitrang Srivastava wrote:
I am facing a issue that captive portial server is sending a auth request which is not a EAP message and hence freeradius server is rejecting , it goes to users file and found the last line Auth-Type: Reject
Anyone can point how to fix this ? I guess if captive portal send a eap message , it will be looked into eap.conf and then a valid authenticate section can be chosen ?
I'm not sure you really understand what's happening here. It's unlikely a captive portal will do EAP, although it's technically possible. It's more likely PAP, so you just need to supply a Cleartext-Password for each user. This can be from the users file, or a myriad of other different sources such as LDAP or SQL. Have you tried following the "initial tests" on the first page of the documentation: http://freeradius.org/doc/ ? Having added the entry to the users file, then try logging in with that username/password. To help further, we're going to need more information. Primarily, *complete* debugging output, generated by running in debug mode with "radiusd -X" Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi, Can you please revise your question and put it in better way, i am not clear, do some more typing. if captive portal (NAS) is CoovaChilli, this works for me. HS_RAD_PROTO=pap Thanks / Regards On Wed, Apr 17, 2013 at 11:51 AM, Chitrang Srivastava < chitrang.srivastava@gmail.com> wrote:
I am facing a issue that captive portial server is sending a auth request which is not a EAP message and hence freeradius server is rejecting , it goes to users file and found the last line Auth-Type: Reject
Anyone can point how to fix this ? I guess if captive portal send a eap message , it will be looked into eap.conf and then a valid authenticate section can be chosen ?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I am using LDAP server as datasource Attaching logs On Wed, Apr 17, 2013 at 5:58 PM, Russell Mike <radius.sir@gmail.com> wrote:
Hi,
Can you please revise your question and put it in better way, i am not clear, do some more typing. if captive portal (NAS) is CoovaChilli, this works for me.
HS_RAD_PROTO=pap
Thanks / Regards
On Wed, Apr 17, 2013 at 11:51 AM, Chitrang Srivastava < chitrang.srivastava@gmail.com> wrote:
I am facing a issue that captive portial server is sending a auth request which is not a EAP message and hence freeradius server is rejecting , it goes to users file and found the last line Auth-Type: Reject
Anyone can point how to fix this ? I guess if captive portal send a eap message , it will be looked into eap.conf and then a valid authenticate section can be chosen ?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 17.04.2013 14:32, Chitrang Srivastava wrote:
I am using LDAP server as datasource Attaching logs
You're doing PAP against LDAP. This is the ONLY situation where Auth-Type should be set to ldap looking at modules/ldap, we have # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes So freeradious *should* set auth-type to LDAP. We *should* see a "Setting Auth-Type = ldap" in the debug. Yet it don't do it. You messed the default *working* configuration provided with freeradius. There's a lot of stuff in your config that are just useless. Again, start with the default, working config, then change one thing after another. What you are trying to do works with the default configuration shipped with Freeradius. Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
Thanks , I am trying to MSCHAPv2 (TTLS or PEAP ) or GTC with LDAP I see that rlm_ldap.c will set Auth-Type as ldap based on set_auth_type =yes and 3 other flags, tried but it didn't worked , I will try from scratch On Wed, Apr 17, 2013 at 6:24 PM, Olivier Beytrison <olivier@heliosnet.org>wrote:
On 17.04.2013 14:32, Chitrang Srivastava wrote:
I am using LDAP server as datasource Attaching logs
You're doing PAP against LDAP.
This is the ONLY situation where Auth-Type should be set to ldap
looking at modules/ldap, we have
# # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes
So freeradious *should* set auth-type to LDAP. We *should* see a "Setting Auth-Type = ldap" in the debug. Yet it don't do it.
You messed the default *working* configuration provided with freeradius. There's a lot of stuff in your config that are just useless.
Again, start with the default, working config, then change one thing after another. What you are trying to do works with the default configuration shipped with Freeradius.
Olivier --
Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 17.04.2013 15:37, Chitrang Srivastava wrote:
Thanks , I am trying to MSCHAPv2 (TTLS or PEAP ) or GTC with LDAP
MSCHAPv2 with EAP-TTLS or PEAP will NOT work with LDAP. as explained almost everywhere, and especially here : http://deployingradius.com/documents/protocols/compatibility.html You need a cleartext password or a NT_Hash to authenticate with MSCHAPv2. Only EAP-GTC will work with LDAP if I'm not mistaken. And by the way, your debug output show a request using PAP. PAP and EAP are two completly different things, which different requirements.
I see that rlm_ldap.c will set Auth-Type as ldap based on set_auth_type =yes and 3 other flags, tried but it didn't worked , I will try from scratch
This won't change that you can't authenticate with EAP-TTLS/PEAP and MSCHAPv2 against a LDAP directory. (Well, except if you're using Novell eDirectory with the Central Password management, but that's another story). Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
But its working fine with wifi authentication ( I am using ntlm auth for MSCHAPv2 with LDAP) only issue is with when request come from captive portal ..I needto see why PAP request comes On Wed, Apr 17, 2013 at 7:28 PM, Olivier Beytrison <olivier@heliosnet.org>wrote:
On 17.04.2013 15:37, Chitrang Srivastava wrote:
Thanks , I am trying to MSCHAPv2 (TTLS or PEAP ) or GTC with LDAP
MSCHAPv2 with EAP-TTLS or PEAP will NOT work with LDAP. as explained almost everywhere, and especially here : http://deployingradius.com/documents/protocols/compatibility.html
You need a cleartext password or a NT_Hash to authenticate with MSCHAPv2.
Only EAP-GTC will work with LDAP if I'm not mistaken.
And by the way, your debug output show a request using PAP. PAP and EAP are two completly different things, which different requirements.
I see that rlm_ldap.c will set Auth-Type as ldap based on set_auth_type =yes and 3 other flags, tried but it didn't worked , I will try from scratch
This won't change that you can't authenticate with EAP-TTLS/PEAP and MSCHAPv2 against a LDAP directory. (Well, except if you're using Novell eDirectory with the Central Password management, but that's another story).
Olivier --
Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What I found from wiki that we don't require to set Auth-Type freeradius will determine from request automatically , so I removed DEFAULT Auth-Type = Reject from users file , is that OK ? With this at-least radtest starts working but still request from captive portal didnt worked , What I found from radius logs this looks to be the difference *radtest* [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' *captive portal * ++[mschap] returns noop What could be missing ? On Wed, Apr 17, 2013 at 8:37 PM, Chitrang Srivastava < chitrang.srivastava@gmail.com> wrote:
But its working fine with wifi authentication ( I am using ntlm auth for MSCHAPv2 with LDAP) only issue is with when request come from captive portal ..I needto see why PAP request comes
On Wed, Apr 17, 2013 at 7:28 PM, Olivier Beytrison <olivier@heliosnet.org>wrote:
On 17.04.2013 15:37, Chitrang Srivastava wrote:
Thanks , I am trying to MSCHAPv2 (TTLS or PEAP ) or GTC with LDAP
MSCHAPv2 with EAP-TTLS or PEAP will NOT work with LDAP. as explained almost everywhere, and especially here : http://deployingradius.com/documents/protocols/compatibility.html
You need a cleartext password or a NT_Hash to authenticate with MSCHAPv2.
Only EAP-GTC will work with LDAP if I'm not mistaken.
And by the way, your debug output show a request using PAP. PAP and EAP are two completly different things, which different requirements.
I see that rlm_ldap.c will set Auth-Type as ldap based on set_auth_type =yes and 3 other flags, tried but it didn't worked , I will try from scratch
This won't change that you can't authenticate with EAP-TTLS/PEAP and MSCHAPv2 against a LDAP directory. (Well, except if you're using Novell eDirectory with the Central Password management, but that's another story).
Olivier --
Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Chitrang Srivastava wrote:
What I found from wiki that we don't require to set Auth-Type freeradius will determine from request automatically , so I removed DEFAULT Auth-Type = Reject from users file , is that OK ?
With this at-least radtest starts working but still request from captive portal didnt worked , What I found from radius logs this looks to be the difference
*radtest* [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' *captive portal * ++[mschap] returns noop
What could be missing ?
The debug log as suggested in the FAQ, "man" pages, web pages, and daily on this list. If you're not going to follow instructions, you shouldn't be on this list. Alan DeKok.
debug log are attched in earlier reply, Please see On Thu, Apr 18, 2013 at 6:49 PM, Alan DeKok <aland@deployingradius.com>wrote:
Chitrang Srivastava wrote:
What I found from wiki that we don't require to set Auth-Type freeradius will determine from request automatically , so I removed DEFAULT Auth-Type = Reject from users file , is that OK ?
With this at-least radtest starts working but still request from captive portal didnt worked , What I found from radius logs this looks to be the difference
*radtest* [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' *captive portal * ++[mschap] returns noop
What could be missing ?
The debug log as suggested in the FAQ, "man" pages, web pages, and daily on this list.
If you're not going to follow instructions, you shouldn't be on this list.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Attaching Auth Type is MSCHAPv2 (TTLS) Data source is on LDAP radtest is working wifi authentication is also working ( configured the access point to use TTLS-MSCHAPv2) open wifi with captive portal (lightttpd) is *not * working What I found is captive portal server is sending a non-EAP message and as suggested in wiki I am not using setting auth type anywhere (EAP message will determine automatically) On Thu, Apr 18, 2013 at 8:03 PM, Alan DeKok <aland@deployingradius.com>wrote:
Chitrang Srivastava wrote:
debug log are attched in earlier reply, Please see
No, they're not.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, Apr 18, 2013 at 09:37:06PM +0530, Chitrang Srivastava wrote:
radtest is working wifi authentication is also working ( configured the access point to use TTLS-MSCHAPv2)
ok.
open wifi with captive portal (lightttpd) is *not * working
right.
What I found is captive portal server is sending a non-EAP message and as suggested in wiki I am not using setting auth type anywhere (EAP message will determine automatically)
Captive portal is doing PAP. I guess you want to try and auth this by binding to the ldap server. I've not done this recently, but I think the following might work. For some reason, even though
Module: Instantiating module "ldap_secondary" from file /etc/raddb/radiusd.conf ldap ldap_secondary { ... set_auth_type = yes ... }
is set, it's not setting auth_type. That's clear from
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Try this at the bottom of the authorize {} section: authorize { ... # not EAP, is PAP, and no other Auth-Type set, so assume ldap if (!EAP-Message && User-Password) { update control { Auth-Type = ldap_secondary } } } and then in the authenticate section: authenticate { Auth-Type ldap_secondary { ldap_secondary } } and see what you get. Again, post output of radiusd -X if there are still problems (new output, not the same as last time :) ). I don't know enough about the ldap module to know why it's not setting Auth-Type (and too ill at present to go digging to find out). Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Thanks , setting *set_auth_type =yes* still not setting Auth-Type-ldap_secondary , to solve this I followed the solution suggested in this thread http://lists.freeradius.org/pipermail/freeradius-users/2008-May/027962.html After that it started working i.e. auth by binding to the ldap server But my question is auth by binding to ldap server is good enough to authenticate ? because I expected authentication via mschapv2 or gtc (whatever i configured) , radtest and wifi authenticate like that . I guess its not in control of radius since captive portal is not sending EAP message. Does all other captive portal server works like that with radius ? On Fri, Apr 19, 2013 at 4:34 AM, Matthew Newton <mcn4@leicester.ac.uk>wrote:
On Thu, Apr 18, 2013 at 09:37:06PM +0530, Chitrang Srivastava wrote:
radtest is working wifi authentication is also working ( configured the access point to use TTLS-MSCHAPv2)
ok.
open wifi with captive portal (lightttpd) is *not * working
right.
What I found is captive portal server is sending a non-EAP message and as suggested in wiki I am not using setting auth type anywhere (EAP message will determine automatically)
Captive portal is doing PAP. I guess you want to try and auth this by binding to the ldap server. I've not done this recently, but I think the following might work.
For some reason, even though
Module: Instantiating module "ldap_secondary" from file /etc/raddb/radiusd.conf ldap ldap_secondary { ... set_auth_type = yes ... }
is set, it's not setting auth_type. That's clear from
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Try this at the bottom of the authorize {} section:
authorize {
...
# not EAP, is PAP, and no other Auth-Type set, so assume ldap if (!EAP-Message && User-Password) { update control { Auth-Type = ldap_secondary } } }
and then in the authenticate section:
authenticate { Auth-Type ldap_secondary { ldap_secondary } }
and see what you get. Again, post output of radiusd -X if there are still problems (new output, not the same as last time :) ).
I don't know enough about the ldap module to know why it's not setting Auth-Type (and too ill at present to go digging to find out).
Cheers,
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Chitrang Srivastava wrote:
After that it started working i.e. auth by binding to the ldap server
So... the LDAP server is probably active directory. Or, there are security settings on it which means FreeRADIUS can't read the password from LDAP. Which one is it?
But my question is auth by binding to ldap server is good enough to authenticate ?
No. That's the whole reason people use FreeRADIUS. Because it authenticates people. LDAP is a database, not an authentication server.
because I expected authentication via mschapv2 or gtc (whatever i configured) , radtest and wifi authenticate like that . I guess its not in control of radius since captive portal is not sending EAP message. Does all other captive portal server works like that with radius ?
No. Alan DeKok.
LDAP server or AD , has password stored as NTLM-Hash, and that's why I set PEAP-MSCHAPv2 as auth type (finally using ntlm_auth to authenticate), All this works fine when a wifi acces point is configured to do MSCHAPv2 or even with radtest it worked. Only when access point is open and captive portal method is enabled , having issue. tried what Matthew suggest , in authorize section and it worked. Whole issue is captive portal is sending a non-EAP message with User-Password set , in this case we have to set auth type as ldap. if (!EAP-Message && User-Password) { update control { Auth-Type = ldap_secondary } } Check http://community.arubanetworks.com/t5/Authentication-and-Access/RADIUS-vs-LD... Though unrelated to freeradius , I guess this is what happening for my issue. On Fri, Apr 19, 2013 at 5:34 PM, Alan DeKok <aland@deployingradius.com>wrote:
Chitrang Srivastava wrote:
After that it started working i.e. auth by binding to the ldap server
So... the LDAP server is probably active directory. Or, there are security settings on it which means FreeRADIUS can't read the password from LDAP.
Which one is it?
But my question is auth by binding to ldap server is good enough to authenticate ?
No. That's the whole reason people use FreeRADIUS. Because it authenticates people. LDAP is a database, not an authentication server.
because I expected authentication via mschapv2 or gtc (whatever i configured) , radtest and wifi authenticate like that . I guess its not in control of radius since captive portal is not sending EAP message. Does all other captive portal server works like that with radius ?
No.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Apr 19, 2013 at 06:15:09PM +0530, Chitrang Srivastava wrote:
tried what Matthew suggest , in authorize section and it worked. Whole issue is captive portal is sending a non-EAP message with User-Password set , in this case we have to set auth type as ldap.
It's obvious from your debug output that - your LDAP module isn't setting Auth-Type for some reason - your LDAP server isn't returning any sort of password (plain or crypted) and therefore you probably need to try and do that horrible hack of binding to the LDAP server to auth. Really, Alan is right - LDAP is not an authentication server, even though lots of people seem to think it is. Hence the suggestion to "fix" your problem by setting Auth-Type, iff it has not already been set, when not doing EAP and User-Password is supplied. The best solution is to fixup your LDAP server to return the crypted password back to FreeRADIUS. Like already pointed out, if it's AD, this isn't likely to happen. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
I am using Microsoft 2003 Active Directory Server , the way wifi (MSCHAPv2) works is with ntlm_auth , which does the authentication. - your LDAP module isn't setting Auth-Type for some reason This is happening because of http://lists.freeradius.org/pipermail/freeradius-users/2008-May/027962.html and if I do the way its suggested , Auth Type get set to ldap_secondary. If this works, how this is going to solved because what I saw that it still doesn't do mschapv2. The way it works with wifi or radtest is , Auth-Type is set to EAP (it refers to eap.conf ) , it goes to mschap modules(set up TLS channel and then under that) , from there its told to use external program ntlm_auth , which does the authentication and tells radius if its OK or not. What i was trying , is to get similar way working with captive portal as well. On Fri, Apr 19, 2013 at 7:29 PM, Matthew Newton <mcn4@leicester.ac.uk>wrote:
On Fri, Apr 19, 2013 at 06:15:09PM +0530, Chitrang Srivastava wrote:
tried what Matthew suggest , in authorize section and it worked. Whole issue is captive portal is sending a non-EAP message with User-Password set , in this case we have to set auth type as ldap.
It's obvious from your debug output that
- your LDAP module isn't setting Auth-Type for some reason - your LDAP server isn't returning any sort of password (plain or crypted)
and therefore you probably need to try and do that horrible hack of binding to the LDAP server to auth. Really, Alan is right - LDAP is not an authentication server, even though lots of people seem to think it is.
Hence the suggestion to "fix" your problem by setting Auth-Type, iff it has not already been set, when not doing EAP and User-Password is supplied.
The best solution is to fixup your LDAP server to return the crypted password back to FreeRADIUS. Like already pointed out, if it's AD, this isn't likely to happen.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Apr 19, 2013 at 08:59:57PM +0530, Chitrang Srivastava wrote:
I am using Microsoft 2003 Active Directory Server , the way wifi (MSCHAPv2) works is with ntlm_auth , which does the authentication.
OK, finally the information that's needed.
The way it works with wifi or radtest is , Auth-Type is set to EAP (it refers to eap.conf ) , it goes to mschap modules(set up TLS channel and then under that) , from there its told to use external program ntlm_auth , which does the authentication and tells radius if its OK or not.
What i was trying , is to get similar way working with captive portal as well.
There's an example in raddb/modules/ntlm_auth. Configure that file, and then do something like this: authorize { ... if (!EAP-Message && User-Password) { update control { Auth-Type = PAP } } } authenticate { Auth-Type PAP { # pap <-- comment out ntlm_auth } } Then it should take your User-Name and User-Password, check them using the ntlm_auth utility rather than the pap module (the ntlm_auth "module" is just an instantiation of exec). Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Ok I will try that out, ntlm_auth module is already configured and works for radtest and wifi. So ntlm_auth with captive portal , is that the way to go , as told by you ? All other captive portal portal server we have to do like that ? On Fri, Apr 19, 2013 at 9:56 PM, Matthew Newton <mcn4@leicester.ac.uk>wrote:
On Fri, Apr 19, 2013 at 08:59:57PM +0530, Chitrang Srivastava wrote:
I am using Microsoft 2003 Active Directory Server , the way wifi (MSCHAPv2) works is with ntlm_auth , which does the authentication.
OK, finally the information that's needed.
The way it works with wifi or radtest is , Auth-Type is set to EAP (it refers to eap.conf ) , it goes to mschap modules(set up TLS channel and then under that) , from there its told to use external program ntlm_auth , which does the authentication and tells radius if its OK or not.
What i was trying , is to get similar way working with captive portal as well.
There's an example in raddb/modules/ntlm_auth. Configure that file, and then do something like this:
authorize { ... if (!EAP-Message && User-Password) { update control { Auth-Type = PAP } } }
authenticate { Auth-Type PAP { # pap <-- comment out ntlm_auth } }
Then it should take your User-Name and User-Password, check them using the ntlm_auth utility rather than the pap module (the ntlm_auth "module" is just an instantiation of exec).
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Apr 19, 2013 at 10:42:04PM +0530, Chitrang Srivastava wrote:
Ok I will try that out, ntlm_auth module is already configured and works for radtest and wifi.
In the mschap/eap modules using mschap keys.
So ntlm_auth with captive portal , is that the way to go , as told by you ? All other captive portal portal server we have to do like that ?
There are two ways of calling ntlm_auth. First with MSCHAP keys, the other with username and password. The mschap module takes the mschap keys from RADIUS and passes them to ntlm_auth for checking against AD. e.g. EAP-TTLS/MSCHAPv2, or just plain mschap. The eap module extracts the mschap keys from the EAP (EAP-MSCHAP-V2) data and passes them internally to the mschap module which passes them to ntlm_auth for auth. e.g. PEAP/EAP-MSCHAPv2 These are what you've been doing so far, from what I can tell. We've not seen radiusd -X output for an auth success for wifi or radtest, so nobody can really be sure. The second method is to pass ntlm_auth a username and password, and ask it to authenticate for you. This has *nothing* to do with the mschap or eap modules, which deal with keys and NT hashes. It's essentially another auth method for PAP. The PAP module can't do it for you, as it knows nothing about the ntlm_auth utility, so you have to call it yourself, using something like the config I gave you just now. Matthew
On Fri, Apr 19, 2013 at 9:56 PM, Matthew Newton <mcn4@leicester.ac.uk>wrote:
On Fri, Apr 19, 2013 at 08:59:57PM +0530, Chitrang Srivastava wrote:
I am using Microsoft 2003 Active Directory Server , the way wifi (MSCHAPv2) works is with ntlm_auth , which does the authentication.
OK, finally the information that's needed.
The way it works with wifi or radtest is , Auth-Type is set to EAP (it refers to eap.conf ) , it goes to mschap modules(set up TLS channel and then under that) , from there its told to use external program ntlm_auth , which does the authentication and tells radius if its OK or not.
What i was trying , is to get similar way working with captive portal as well.
There's an example in raddb/modules/ntlm_auth. Configure that file, and then do something like this:
authorize { ... if (!EAP-Message && User-Password) { update control { Auth-Type = PAP } } }
authenticate { Auth-Type PAP { # pap <-- comment out ntlm_auth } }
Then it should take your User-Name and User-Password, check them using the ntlm_auth utility rather than the pap module (the ntlm_auth "module" is just an instantiation of exec).
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
hi, from the output: [ldap_secondary] rlm_ldap: performing user authorization for symbol [ldap_secondary] expand: (sAMAccountName=%{Stripped-User-Name}) -> (sAMAccountName=symbol) [ldap_secondary] expand: cn=Users,DC=MotorolaSymbol,dc=local -> cn=Users,DC=MotorolaSymbol,dc=local [ldap_secondary] ldap_get_conn: Checking Id: 0 [ldap_secondary] ldap_get_conn: Got Id: 0 [ldap_secondary] performing search in cn=Users,DC=MotorolaSymbol,dc=local, with filter (sAMAccountName=symbol) [ldap_secondary] looking for check items in directory... [ldap_secondary] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? so it couldnt find the required password in LDAP as an oracle of auth...or you havent set up the correct required pairing in your LDAP. find in LDAP what you need.....how is the password stored in the LDAP? plain, encrypted? alan
Hi,
I am facing a issue that captive portial server is sending a auth request which is not a EAP message and hence freeradius server is rejecting , it goes to users file and found the last line Auth-Type: Reject
send output of 'radiusd -X' - things will be quite clear in that so we can advise on how to proceed. alan
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Chitrang Srivastava -
Matthew Newton -
Olivier Beytrison -
Russell Mike