Re: FreeRADIUS + OpenLDAP + MSCHAPv2
ntlm_auth line is commented out by default.
Ok, I see that.
From what I understand, MSCHAPv2 needs access to the unencrypted user password, and OpenLDAP doesn't offer that. I'm guessing I'll have to add an unencrypted password field to the LDAP server to make this work, but that's not been made clear in any documentation.
And, how do you tell the FreeRADIUS eap/peap/MSCHAPv2 client to use the LDAP server as opposed to text files or PAM? I'm attaching my radiusd.conf to this e-mail, any comments would be greatly appreciated. I stripped out all the comments and removed the modules I wasn't using (like SQL stuff and unix/PAM/etc). Tim Gustafson SOE Webmaster UC Santa Cruz tjg@soe.ucsc.edu 831-459-5354
ntlm_auth line is commented out by default.
Ok, I see that.
From what I understand, MSCHAPv2 needs access to the unencrypted user password, and OpenLDAP doesn't offer that. I'm guessing I'll have to add an unencrypted password field to the LDAP server to make this work, but that's not been made clear in any documentation.
Yes, it needs clear text or NT hashed password. You can store plain text in userPassword. http://deployingradius.com/documents/protocols/compatibility.html
And, how do you tell the FreeRADIUS eap/peap/MSCHAPv2 client to use the LDAP server as opposed to text files or PAM?
By listing ldap in authorize.
I'm attaching my radiusd.conf to this e-mail, any comments would be greatly appreciated. I stripped out all the comments and removed the modules I wasn't using (like SQL stuff and unix/PAM/etc).
And so much more (peap is misconfigured, as is ldap, mschap auth type is gone, there is nothing to get the password from ...). That will not work. Get the server working with the default configuration. Remove one thing at the time, testing that the server can start and authenticate users (and reject when needed). You have also removed all the logging and accounting so you will have no idea what is server doing. And use current version. This is something old. Ivan Kalik Kalik Informatika ISP
And so much more (peap is misconfigured, as is ldap, mschap auth type is gone, there is nothing to get the password from ...). That will not work.
I have fixed that; the copy that I sent you was indeed broken. I can now authenticate using standard (non-MSCHAP) authentication against the LDAP server. I haven't been able to get the radeapclient program working yet - it keeps crashing with an error that apparently was fixed in 1.1.5, but I don't have that version.
And use current version. This is something old.
radiusd: FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu, built on May 10 2007 at 12:30:17 This is what was provided when I did a "yum install freeradius" on a new CentOS 5.2 box. Because of the nature of the network here, I'm strongly discouraged from using anything other than Yum and the base CentOS repositories to install packages, since there are a dozen or so people here that all have to be able to administer these machines over the long-term. I'll try to e-mail the package maintainers for CentOS, but I'm not holding my breath. Tim Gustafson SOE Webmaster UC Santa Cruz tjg@soe.ucsc.edu 831-459-5354
Tim Gustafson wrote:
I have fixed that; the copy that I sent you was indeed broken. I can now authenticate using standard (non-MSCHAP) authentication against the LDAP server. I haven't been able to get the radeapclient program working yet - it keeps crashing with an error that apparently was fixed in 1.1.5, but I don't have that version.
Run eapol_test from wpa_supplicant instead of radeapclient. It'd better. See my web site for instructions on doing this.
And use current version. This is something old.
radiusd: FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu, built on May 10 2007 at 12:30:17
This is what was provided when I did a "yum install freeradius" on a new CentOS 5.2 box. Because of the nature of the network here, I'm strongly discouraged from using anything other than Yum and the base CentOS repositories to install packages, since there are a dozen or so people here that all have to be able to administer these machines over the long-term. I'll try to e-mail the package maintainers for CentOS, but I'm not holding my breath.
If you're not paying someone for CentOS support, install FreeRADIUS 2.1.1. That's really the only version *we* can support. Alan DeKok.
participants (3)
-
Alan DeKok -
Tim Gustafson -
tnt@kalik.net