R: Re: FREERADIUS WITH MULTIPLE LDAP AUTHENTICATION SOURCES
Because you listed both modules in the authorization section as:
authorize { ... domain1 domain2 ... }
The server doesn't know that the "domain1" module is for domain1.com. You have to tell it.
You are right, i've listed both , not in authorize section but under authenticate section
You can do regular expression matches on the User-Name:
if (User-Name =~ /@domain1.com/) { domain1 } elsif (User-Name =~ /@domain2.com/) { domain2 }
With your suggestion I tried radtest and works correctly, I then modified using (Realm == domain1) elseif (Realm ==domain2) and it works also in this way, thank you very much for your help I've another problem now, I need to use this with a captive portal that support only chap or ms-chapv2 and when a user try to login to captive portal configured with chap in freeradius log I have the error chap: ERROR: &control:Cleartext-Password is required for authentication or, if I set ms-chapv2 in captive portal, the error is (1) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (1) mschap: Creating challenge hash with username: xxx@xxx.com (1) mschap: Client is using MS-CHAPv2 (1) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (1) mschap: ERROR: MS-CHAP2-Response is incorrect It's possible to have chap (or ms-chapv2) and ldap working in freeradius? Thank's again for the support ------------------------------ INFORMATIVA PRIVACY (Reg.UE 2016/679 e D.Lgs.196/2003) Questa email ed i suoi eventuali allegati sono da considerarsi materiale riservato e di proprietà della scrivente società. Nel caso venisse ricevuta per errore non deve essere divulgata, copiata o distribuita per alcuna ragione. Le comunicazioni che transitano attraverso il presente indirizzo di posta elettronica hanno carattere e finalità prettamente lavorative, pertanto potranno essere conosciute all’interno dell’organizzazione aziendale. Qualsiasi dato personale sarà comunque trattato in conformità alle vigenti normative in materia di privacy e protezione dei dati personali. A tale riguardo potete esercitare tutti i diritti previsti dalla legge semplicemente rispondendo alla presente ed esplicitando la vostra richiesta. Maggiori info in materia di privacy: https://www.c2group.it/policy-privacy
On Dec 1, 2021, at 8:05 AM, Diego Forcella <diego.forcella@c2group.it> wrote:
With your suggestion I tried radtest and works correctly, I then modified using (Realm == domain1) elseif (Realm ==domain2) and it works also in this way, thank you very much for your help
That's fine.
I've another problem now, I need to use this with a captive portal that support only chap or ms-chapv2 and when a user try to login to captive portal configured with chap in freeradius log I have the error
chap: ERROR: &control:Cleartext-Password is required for authentication
or, if I set ms-chapv2 in captive portal, the error is
(1) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (1) mschap: Creating challenge hash with username: xxx@xxx.com (1) mschap: Client is using MS-CHAPv2 (1) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (1) mschap: ERROR: MS-CHAP2-Response is incorrect
It's possible to have chap (or ms-chapv2) and ldap working in freeradius?
It's not about LDAP. It's how you store the password in LDAP. http://deployingradius.com/documents/protocols/compatibility.html Alan DeKok.
I've another problem now, I need to use this with a captive portal that support only chap or ms-chapv2 and when a user try to login to captive portal configured with chap in freeradius log I have the error
chap: ERROR: &control:Cleartext-Password is required for authentication
or, if I set ms-chapv2 in captive portal, the error is
(1) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (1) mschap: Creating challenge hash with username: xxx@xxx.com (1) mschap: Client is using MS-CHAPv2 (1) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication (1) mschap: ERROR: MS-CHAP2-Response is incorrect
It's possible to have chap (or ms-chapv2) and ldap working in freeradius?
It's not about LDAP. It's how you store the password in LDAP.
http://deployingradius.com/documents/protocols/compatibility.html
The LDAP is Google Workspace (G Suite), I don't have idea how the password are stored But why with radtest works correctly? INFORMATIVA PRIVACY (Reg.UE 2016/679 e D.Lgs.196/2003) Questa email ed i suoi eventuali allegati sono da considerarsi materiale riservato e di proprietà della scrivente società. Nel caso venisse ricevuta per errore non deve essere divulgata, copiata o distribuita per alcuna ragione. Le comunicazioni che transitano attraverso il presente indirizzo di posta elettronica hanno carattere e finalità prettamente lavorative, pertanto potranno essere conosciute all’interno dell’organizzazione aziendale. Qualsiasi dato personale sarà comunque trattato in conformità alle vigenti normative in materia di privacy e protezione dei dati personali. A tale riguardo potete esercitare tutti i diritti previsti dalla legge semplicemente rispondendo alla presente ed esplicitando la vostra richiesta. Maggiori info in materia di privacy: https://www.c2group.it/policy-privacy
On Dec 1, 2021, at 9:03 AM, Diego Forcella <diego.forcella@c2group.it> wrote:
The LDAP is Google Workspace (G Suite), I don't have idea how the password are stored
Then it's impossible to do CHAP or MS-CHAP.
But why with radtest works correctly?
Because raddest is sending clear-text passwords. Which FreeRADIUS can then send to G Suite for checking. You can run radclient and have it send CHAP or MS-CHAP. That will show you the issue isn't radtest or radclient. The issue is the *format* of the authentication data. Alan DeKok.
The LDAP is Google Workspace (G Suite), I don't have idea how the password are stored
Then it's impossible to do CHAP or MS-CHAP.
But why with radtest works correctly?
Because raddest is sending clear-text passwords. Which FreeRADIUS can then send to G Suite for checking.
You can run radclient and have it send CHAP or MS-CHAP. That will show you the issue isn't radtest or radclient. The issue is the *format* of the authentication data.
I tried radtest both with -t chap and with -t mschap With -t chap I view CHAP-Password that is encrypted but with -t mschap I have MS-CHAP-Password that is clear-text and is the same of Cleartext-password , it's not possible mapping MS-CHAP-Password to Cleartext-Password? Excuse if maybe this is a stupid question for you but I'm a newbie, where you suggest that I can start to study this feature/configuration? Thanks again INFORMATIVA PRIVACY (Reg.UE 2016/679 e D.Lgs.196/2003) Questa email ed i suoi eventuali allegati sono da considerarsi materiale riservato e di proprietà della scrivente società. Nel caso venisse ricevuta per errore non deve essere divulgata, copiata o distribuita per alcuna ragione. Le comunicazioni che transitano attraverso il presente indirizzo di posta elettronica hanno carattere e finalità prettamente lavorative, pertanto potranno essere conosciute all’interno dell’organizzazione aziendale. Qualsiasi dato personale sarà comunque trattato in conformità alle vigenti normative in materia di privacy e protezione dei dati personali. A tale riguardo potete esercitare tutti i diritti previsti dalla legge semplicemente rispondendo alla presente ed esplicitando la vostra richiesta. Maggiori info in materia di privacy: https://www.c2group.it/policy-privacy
On Dec 1, 2021, at 9:48 AM, Diego Forcella <diego.forcella@c2group.it> wrote:
I tried radtest both with -t chap and with -t mschap
With -t chap I view CHAP-Password that is encrypted but with -t mschap I have MS-CHAP-Password that is clear-text and is the same of Cleartext-password , it's not possible mapping MS-CHAP-Password to Cleartext-Password?
Read the debug output on the *server*. The MS-CHAP-Password attribute is used internally by radclient. It's not sent in a RADIUS packet. If there was a way to do it, I would have told you. There's no need to ask the same question over and over. The answer won't change.
Excuse if maybe this is a stupid question for you but I'm a newbie, where you suggest that I can start to study this feature/configuration?
There's a ton of standards documents which explain how CHAP and MS-CHAP work. But there's no point in reading them. They'll give you technical information about how the protocols work. They won't help make CHAP / MS-CHAP work with Google LDAP. CHAP and MS-CHAP don't work with Google LDAP. That's it. It's that simple. There's nothing more to do. The reasons are complex, and buried inside of 40 page standards documents. Alan DeKok.
participants (2)
-
Alan DeKok -
Diego Forcella