mschap and ldap auth-type together no more working
Hello, I had a problem with ippool, but it is a NAS problem. I wanted to do further checks so I upgrade to newer versions: freeradius 1.0.2-4sarge3 stable (I come from this one) freeradius 1.1.3-3 testing freeradius 1.1.2-1bpo1 sarge-backports Before, I was able to do LDAP or MSCHAP automatically. I had and entry in users lalot Auth-Type := ldap Framed-IP-Address = XXX, Framed-IP-Netmask = 255.255.255.0, Fall-Through = Yes If I put mschap in users, it's working for mschap.. The two new ones have the same problem. That's may ne due to an incomplete update.. I don't put all the logs: rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=xxx,dc=fr, with filter (uid=lalot) rlm_ldap: looking for check items in directory... rlm_ldap: Adding supannaffectation as Pool-Name, value Pharo & op=21 rlm_ldap: Adding ntPassword as NT-Password, value XXX & op=21 rlm_ldap: Adding lmPassword as LM-Password, value XXX & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user lalot authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 11 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' modcall[authorize]: module "mschap" returns ok for request 11 modcall: leaving group authorize (returns ok) for request 11 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 11 and before: rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP' modcall[authorize]: module "mschap" returns ok for request 2 modcall: group authorize returns ok for request 2 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 2 rlm_mschap: Found LM-Password rlm_mschap: Found NT-Password You can notice the diff rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP' and then rad_check_password: seems confused.. Any ideas?. Config: authorize { preprocess files ldap # # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. mschap } authenticate { Auth-Type LDAP { ldap } Auth-Type PAP { pap } Auth-Type MS-CHAP { mschap } } -- Dominique LALOT Ingenieur Systeme et Reseaux http://annuaire.univmed.fr/showuser.php?uid=lalot
LALOT Dominique wrote:
Before, I was able to do LDAP or MSCHAP automatically. I had and entry in users lalot Auth-Type := ldap
That will prevent MS-CHAP from working. See: http://deployingradius.com/documents/protocols/oracles.html The short answer is DON'T SET Auth-Type. And don't do LDAP "bind as user" if you can help it. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Sorry, I didn't see your answer. I just got it via the archives. I explain a little bit more. We are using freeradius for VPN access, which can be done using PPTP or IPSEC PPTP is done using mschap IPSEC is done using a shared group secret, then a classic ldap user bind to check the identity. The ippool we use shall be common, so we can't split between to radius configs. Our radiusd.conf was working for that without any problem for years, just until we get a new release. freeradius 1.0.2-4sarge3 stable was OK Just moving, the behaviour changed I believe that there's somewhere a little difference that prevent a working config: NOK rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' then rad_check_password: Found Auth-Type ldap OK rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP' Then rad_check_password: Found Auth-Type MS-CHAP I believe that mschap or MS-CHAP makes the difference. Dominique Alan DeKok a écrit :
LALOT Dominique wrote:
Before, I was able to do LDAP or MSCHAP automatically. I had and entry in users lalot Auth-Type := ldap
That will prevent MS-CHAP from working. See:
http://deployingradius.com/documents/protocols/oracles.html
The short answer is DON'T SET Auth-Type.
And don't do LDAP "bind as user" if you can help it.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Dominique LALOT Ingenieur Systeme et Reseaux http://annuaire.univmed.fr/showuser.php?uid=lalot
I cleaned the auth-type in users file. Everything is OK now on freeradius side. My second problem is the NAS sending a null port. That's not a freeradius problem. Thanks Dom LALOT Dominique a écrit :
Sorry,
I didn't see your answer. I just got it via the archives. I explain a little bit more. We are using freeradius for VPN access, which can be done using PPTP or IPSEC PPTP is done using mschap IPSEC is done using a shared group secret, then a classic ldap user bind to check the identity.
The ippool we use shall be common, so we can't split between to radius configs.
Our radiusd.conf was working for that without any problem for years, just until we get a new release. freeradius 1.0.2-4sarge3 stable was OK
Just moving, the behaviour changed I believe that there's somewhere a little difference that prevent a working config:
NOK rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' then rad_check_password: Found Auth-Type ldap
OK rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP' Then rad_check_password: Found Auth-Type MS-CHAP
I believe that mschap or MS-CHAP makes the difference.
Dominique
Alan DeKok a écrit :
LALOT Dominique wrote:
Before, I was able to do LDAP or MSCHAP automatically. I had and entry in users lalot Auth-Type := ldap
That will prevent MS-CHAP from working. See:
http://deployingradius.com/documents/protocols/oracles.html
The short answer is DON'T SET Auth-Type.
And don't do LDAP "bind as user" if you can help it.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Dominique LALOT Ingenieur Systeme et Reseaux http://annuaire.univmed.fr/showuser.php?uid=lalot ------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Dominique LALOT Ingenieur Systeme et Reseaux http://annuaire.univmed.fr/showuser.php?uid=lalot
participants (2)
-
Alan DeKok -
LALOT Dominique