problem with ldap authentication
hello I'm in trouble with a debian version of freeradius I've installed chillispot and freeradius packages but it won't work for LDAP users it fails with such error messages : Mon Mar 23 16:41:05 2009 : Auth: Login incorrect: [xxxxxxxx/<CHAP-Password>] (from client localhost port 31 cli 00-13-02-AE-F1-01) Any help/idea welcome Thanks you .
Am 23.03.2009 um 16:46 schrieb Frank Bonnet:
hello
I'm in trouble with a debian version of freeradius I've installed chillispot and freeradius packages but it won't work for LDAP users it fails with such error messages :
Mon Mar 23 16:41:05 2009 : Auth: Login incorrect: [xxxxxxxx/<CHAP- Password>] (from client localhost port 31 cli 00-13-02-AE-F1-01)
Any help/idea welcome
Be sure to assign passwords ( := ) and not to compare ( == ) passwords. Also check that the shared secret is really the same. Otherwise, I suppose that you will be asked to give the output of radiusd -X
Thanks you . - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Have a nice day! Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
Frank Bonnet wrote:
I'm in trouble with a debian version of freeradius I've installed chillispot and freeradius packages but it won't work for LDAP users it fails with such error messages :
Mon Mar 23 16:41:05 2009 : Auth: Login incorrect: [xxxxxxxx/<CHAP-Password>] (from client localhost port 31 cli 00-13-02-AE-F1-01)
Is there any reason you're not running it in debugging mode, as suggested in the FAQ, README, INSTALL, "man" page, and nearly daily on this list? Alan DeKok.
I want to know what to configure in order to use ldap as freeradius database of users 2009/3/23, Alan DeKok <aland@deployingradius.com>:
Frank Bonnet wrote:
I'm in trouble with a debian version of freeradius I've installed chillispot and freeradius packages but it won't work for LDAP users it fails with such error messages :
Mon Mar 23 16:41:05 2009 : Auth: Login incorrect: [xxxxxxxx/<CHAP-Password>] (from client localhost port 31 cli 00-13-02-AE-F1-01)
Is there any reason you're not running it in debugging mode, as suggested in the FAQ, README, INSTALL, "man" page, and nearly daily on this list?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok wrote:
Frank Bonnet wrote:
I'm in trouble with a debian version of freeradius I've installed chillispot and freeradius packages but it won't work for LDAP users it fails with such error messages :
Mon Mar 23 16:41:05 2009 : Auth: Login incorrect: [xxxxxxxx/<CHAP-Password>] (from client localhost port 31 cli 00-13-02-AE-F1-01)
Is there any reason you're not running it in debugging mode, as suggested in the FAQ, README, INSTALL, "man" page, and nearly daily on this list?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK here is the debug of one failed session thanks for your help Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:33076, id=0, length=217 User-Name = "xxxxxxx" CHAP-Challenge = 0x01464b2728f172473bf5dd5d64d71539 CHAP-Password = 0x00443c19722da8b5ac9799a1a5d39bc1af NAS-IP-Address = 127.0.0.1 Service-Type = Login-User Framed-IP-Address = 192.168.182.54 Calling-Station-Id = "00-19-D2-78-56-4D" Called-Station-Id = "00-12-79-90-10-21" NAS-Identifier = "nas01" Acct-Session-Id = "49c7b89400000034" NAS-Port-Type = Wireless-802.11 NAS-Port = 52 Message-Authenticator = 0x64d387cd750288b284dc8182e4f2dec6 WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "xxxxxxx", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 363 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for xxxxxxx radius_xlat: '(uid=xxxxxxxx)' radius_xlat: 'dc=esiee,dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.esiee.fr:389, authentication 0 rlm_ldap: bind as / to ldap.esiee.fr:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=esiee,dc=fr, with filter (uid=xxxxxxx) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect (rlm_ldap: User not found): [xxxxxxx/<CHAP-Password>] (from client localhost port 52 cli 00-19-D2-78-56-4D) Delaying request 0 for 1 seconds
Frank Bonnet wrote:
OK here is the debug of one failed session ... rlm_ldap: performing search in dc=esiee,dc=fr, with filter (uid=xxxxxxx) rlm_ldap: object not found or got ambiguous search result
Well, that's relatively clear. There's no such user, OR it got multiple responses. You need to fix the LDAP configuration so that it can find the user's clear-text password in LDAP. This can be awkward... and I'm not an LDAP expert. Alan DeKok.
Thank you iwill try it 2009/3/23, Alan DeKok <aland@deployingradius.com>:
Frank Bonnet wrote:
OK here is the debug of one failed session ... rlm_ldap: performing search in dc=esiee,dc=fr, with filter (uid=xxxxxxx) rlm_ldap: object not found or got ambiguous search result
Well, that's relatively clear.
There's no such user, OR it got multiple responses.
You need to fix the LDAP configuration so that it can find the user's clear-text password in LDAP. This can be awkward... and I'm not an LDAP expert.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok wrote:
Frank Bonnet wrote:
OK here is the debug of one failed session ... rlm_ldap: performing search in dc=esiee,dc=fr, with filter (uid=xxxxxxx) rlm_ldap: object not found or got ambiguous search result
Well, that's relatively clear.
There's no such user, OR it got multiple responses.
You need to fix the LDAP configuration so that it can find the user's clear-text password in LDAP. This can be awkward... and I'm not an LDAP expert.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
is it possible to use freeradius with NIS instead of LDAP ? thanks
Alan DeKok wrote:
Frank Bonnet wrote:
is it possible to use freeradius with NIS instead of LDAP ? thanks
Yes. NIS is just a different way of getting users to "seem" to be in /etc/passwd. So there shouldn't be anything to do. Just install the server, and it should work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK thanks a lot
Alan DeKok wrote:
Frank Bonnet wrote:
is it possible to use freeradius with NIS instead of LDAP ? thanks
Yes. NIS is just a different way of getting users to "seem" to be in /etc/passwd. So there shouldn't be anything to do. Just install the server, and it should work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
you mean uncomment the /etc/passwd in this section in radiusd.conf file right ? # Unix /etc/passwd style authentication
is it possible to use freeradius with NIS instead of LDAP ? thanks
Yes. NIS is just a different way of getting users to "seem" to be in /etc/passwd. So there shouldn't be anything to do. Just install the server, and it should work.
Alan DeKok.
you mean uncomment the /etc/passwd in this section in radiusd.conf file right ?
# Unix /etc/passwd style authentication
No, exactly what he said - if you install current server version it will work by default. If you made changes from default configuration and commented unix out, uncomment it again. In old server version you needed to force Auth-Type System, now it "just works". Ivan Kalik Kalik Informatika ISP
Frank Bonnet wrote:
Alan DeKok wrote:
Frank Bonnet wrote:
is it possible to use freeradius with NIS instead of LDAP ? thanks Yes. NIS is just a different way of getting users to "seem" to be in /etc/passwd. So there shouldn't be anything to do. Just install the server, and it should work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
you mean uncomment the /etc/passwd in this section in radiusd.conf file right ?
# Unix /etc/passwd style authentication
OK now I'm still in trouble ... even after removing LDAP statements here is the log of the session, how to setup the User-password to the right value to use /etc/passwd file ? thanks rad_recv: Access-Request packet from host 127.0.0.1:32817, id=0, length=214 User-Name = "bonj" CHAP-Challenge = 0xbba7f4f69dfb6cf2342f1cbba4e7e482 CHAP-Password = 0x00f7fbe0aa077445403b77c55ab120f811 NAS-IP-Address = 127.0.0.1 Service-Type = Login-User Framed-IP-Address = 192.168.182.2 Calling-Station-Id = "00-15-AF-8E-7C-E4" Called-Station-Id = "00-12-79-90-10-21" NAS-Identifier = "nas01" Acct-Session-Id = "49c8b43400000030" NAS-Port-Type = Wireless-802.11 NAS-Port = 48 Message-Authenticator = 0x9dfa1ebe41cae3090fd9d919498bb04c WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: No '@' in User-Name = "bonj", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_unix: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password". modcall[authenticate]: module "unix" returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0
OK now I'm still in trouble ... even after removing LDAP statements here is the log of the session, how to setup the User-password to the right value to use /etc/passwd file ? thanks
rad_recv: Access-Request packet from host 127.0.0.1:32817, id=0, length=214 User-Name = "bonj" CHAP-Challenge = 0xbba7f4f69dfb6cf2342f1cbba4e7e482 CHAP-Password = 0x00f7fbe0aa077445403b77c55ab120f811
OK. Now read what's written in radiusd.conf unix section about using /etc/passwd with chap. Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
OK now I'm still in trouble ... even after removing LDAP statements here is the log of the session, how to setup the User-password to the right value to use /etc/passwd file ? thanks
rad_recv: Access-Request packet from host 127.0.0.1:32817, id=0, length=214 User-Name = "bonj" CHAP-Challenge = 0xbba7f4f69dfb6cf2342f1cbba4e7e482 CHAP-Password = 0x00f7fbe0aa077445403b77c55ab120f811
OK. Now read what's written in radiusd.conf unix section about using /etc/passwd with chap.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello I KNOW we cannot use /etc/passwd for chap authentication my question is HOW to use /etc/passwd with freeradius ? I only want to use users and /etc/passwd files and NO other source to authenticate my users. Thank you for help
I KNOW we cannot use /etc/passwd for chap authentication my question is HOW to use /etc/passwd with freeradius ?
Great. So, you are aware it's not going to work with chap. And what do you do:
rad_recv: Access-Request packet from host 127.0.0.1:32817, id=0, length=214 User-Name = "bonj" CHAP-Challenge = 0xbba7f4f69dfb6cf2342f1cbba4e7e482 CHAP-Password = 0x00f7fbe0aa077445403b77c55ab120f811
You send a chap request!!!
I only want to use users and /etc/passwd files and NO other source to authenticate my users.
You are using it. Send a request it can be used for(not chap, mschap). Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
I KNOW we cannot use /etc/passwd for chap authentication my question is HOW to use /etc/passwd with freeradius ?
Great. So, you are aware it's not going to work with chap. And what do you do:
rad_recv: Access-Request packet from host 127.0.0.1:32817, id=0, length=214 User-Name = "bonj" CHAP-Challenge = 0xbba7f4f69dfb6cf2342f1cbba4e7e482 CHAP-Password = 0x00f7fbe0aa077445403b77c55ab120f811
You send a chap request!!!
Believe me ... if I knew how not to send I would do it My question is how to instruct freeradius et use /etc/passwd in the configuration file thanks
rad_recv: Access-Request packet from host 127.0.0.1:32817, id=0, length=214 User-Name = "bonj" CHAP-Challenge = 0xbba7f4f69dfb6cf2342f1cbba4e7e482 CHAP-Password = 0x00f7fbe0aa077445403b77c55ab120f811
You send a chap request!!!
Believe me ... if I knew how not to send I would do it
My question is how to instruct freeradius et use /etc/passwd in the configuration file
You say:
I KNOW we cannot use /etc/passwd for chap authentication
It can't be done for a chap request! What part of that sentence don't you understand? If you are going to send chap requests you can't use passwords from /etc/passwd. If you are going to use passwords from /etc/passwd - don't send chap requests. If you don't know how to adjust your NAS - read a manual. Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
rad_recv: Access-Request packet from host 127.0.0.1:32817, id=0, length=214 User-Name = "bonj" CHAP-Challenge = 0xbba7f4f69dfb6cf2342f1cbba4e7e482 CHAP-Password = 0x00f7fbe0aa077445403b77c55ab120f811 You send a chap request!!! Believe me ... if I knew how not to send I would do it
My question is how to instruct freeradius et use /etc/passwd in the configuration file
You say:
I KNOW we cannot use /etc/passwd for chap authentication
It can't be done for a chap request! What part of that sentence don't you understand?
If you are going to send chap requests you can't use passwords from /etc/passwd. If you are going to use passwords from /etc/passwd - don't send chap requests. If you don't know how to adjust your NAS - read a manual.
OK could you give a link to a manual Thanks
Frank Bonnet wrote:
Believe me ... if I knew how not to send I would do it
Fix the NAS. You bought it, you know what make/model it is, so you can find documentation for it. Maybe try asking the vendor for documentation?
My question is how to instruct freeradius et use /etc/passwd in the configuration file
Install the server. Put a user in /etc/passwd (or NIS). Send a PAP request to the server. Authentication will work. If it doesn't work, it's because: a) You're sending CHAP, not PAP b) you edited the configuration files, and broke system authentication Alan DeKok.
Alan DeKok wrote:
Frank Bonnet wrote:
Believe me ... if I knew how not to send I would do it
Fix the NAS. You bought it, you know what make/model it is, so you can find documentation for it. Maybe try asking the vendor for documentation?
My question is how to instruct freeradius et use /etc/passwd in the configuration file
Install the server. Put a user in /etc/passwd (or NIS). Send a PAP request to the server. Authentication will work.
If it doesn't work, it's because:
a) You're sending CHAP, not PAP
b) you edited the configuration files, and broke system authentication
freeradius is used by chillispot on the machine, does your answer means chillispot is sending a CHAP request ? thanks
Alan DeKok wrote:
Frank Bonnet wrote:
freeradius is used by chillispot on the machine, does your answer means chillispot is sending a CHAP request ?
Yes.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK thanks for your (constructive ;-)) answer
Alan DeKok wrote:
Frank Bonnet wrote:
freeradius is used by chillispot on the machine, does your answer means chillispot is sending a CHAP request ?
Yes.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
For information the problem is located in the cgi script called hotspotlogin.cgi that comes with chillispot. Once the problem is corrected users authenticate well, even against our LDAP server. Frank
participants (5)
-
Alan DeKok -
David N'DAKPAZE -
Frank Bonnet -
Nicolas Goutte -
tnt@kalik.net