an infamous LDAP-FreeRadius question
Hi All, I know this has been discussed at length on this list, but it's kinda confusing reading through the archive and making sense of all the threaded discussions. What I didn't see (and I apologize if it's there) is if anyone has a HowTo or something similar on how to configure Freeradius for authentication against LDAP (not active directory) which has usernames and password stored on it in cleartext. Presumably I'd be using PEAP for this. If anyone has this or can give a hand offline from this mailing list, that would be much appreciated. Thanks Matt mda@unb.ca
Hi all, I have a simple question . I installed FreeRadius without rpm package. I want FreeRadius to start automatically when System boots up. Thanks Wazb
Hi,
Hi all,
I have a simple question . I installed FreeRadius without rpm package. I want FreeRadius to start automatically when System boots up.
It'd be far more useful if you could tell us what distribution you are using - heck, even if you are using Linux at all would be a useful bit of information. you running on Tru64/Alpha or Solaris x86?? you could be! we need the basic info! alan
we should really know your operating system. but on most systems you have to write a small rc script (shell scirpt) with a start and stop command. unter redhat you can hang in the script in your system with the tool chkconfig greets marco Wasif schrieb:
Hi all,
I have a simple question . I installed FreeRadius without rpm package. I want FreeRadius to start automatically when System boots up.
Thanks
Wazb
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Matt Ashfield" <mda@unb.ca> wrote:
What I didn't see (and I apologize if it's there) is if anyone has a HowTo or something similar on how to configure Freeradius for authentication against LDAP (not active directory) which has usernames and password stored on it in cleartext. Presumably I'd be using PEAP for this.
The O'Reilly LDAP book has a good chapter on this. Other than that, just configure LDAP. It should read the passwords automatically (see ldap.attrmap). If you can get CHAP to work against LDAP, PEAP should follow immediately. Alan DeKok.
I have LDAP configured and can do a cleartext radius authentication using username/passwords (using radtest). What I'd like to do is take the next step and do 802.1x authentication for my windows clients and I suppose that's where I was hoping to find some cleancut instructions on this as I've seen quite a bit of threads concerning this but as mentioned in my initial email, they can be tough to follow. Thanks Matt Ashfield mda@unb.ca -----Original Message----- From: aland@nitros9.org [mailto:aland@nitros9.org] Sent: July 10, 2006 4:51 PM To: mda@unb.ca; FreeRadius users mailing list Subject: Re: an infamous LDAP-FreeRadius question "Matt Ashfield" <mda@unb.ca> wrote:
What I didn't see (and I apologize if it's there) is if anyone has a HowTo or something similar on how to configure Freeradius for authentication against LDAP (not active directory) which has usernames and password stored on it in cleartext. Presumably I'd be using PEAP for this.
The O'Reilly LDAP book has a good chapter on this. Other than that, just configure LDAP. It should read the passwords automatically (see ldap.attrmap). If you can get CHAP to work against LDAP, PEAP should follow immediately. Alan DeKok.
On Tuesday 11 July 2006 07:24, Matt Ashfield wrote:
I have LDAP configured and can do a cleartext radius authentication using username/passwords (using radtest). What I'd like to do is take the next step and do 802.1x authentication for my windows clients and I suppose that's where I was hoping to find some cleancut instructions on this as I've seen quite a bit of threads concerning this but as mentioned in my initial email, they can be tough to follow.
There is no shortage of information available. There are links to HOW TO on www.freeradius.org main page for 802.1x and EAP http://www.freeradiuos.org/doc/EAPTLS.pdf http://www.tldp.org/HOWTO/8021X-HOWTO/ Read the docs on rlm_eap which has LDAP info. That can be found in your sources as well as on the wiki. Also, see this document http://vuksan.com/linux/dot1x/802-1x-LDAP.html Zoltan Ori
Thanks for the links. I've seen a few before and have gone over them again this morning. I'm not sure where I have misconfigured something. When I try to connect via 802.1x from a wireless client my Radius server debgging looks like below. Obviously the TLS session is not being setup correctly. I'm wondering about the private_key_password attribute. I just set it to "whatever" but that needs to correspond to a user on the LDAP server doesn't it? I'm not sure that's been set up. Any helpful ideas/comments are greatly appreciated. Thanks! Matt mda@unb.ca rad_recv: Access-Request packet from host x.x.x.201:6001, id=4, length=117 User-Name = "mda" NAS-IP-Address = x.x.x.201 Called-Station-Id = "00-02-2d-47-01-c4" Calling-Station-Id = "00-0e-35-36-48-f2" NAS-Identifier = "AP3WJD" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02040008016d6461 Message-Authenticator = 0x3453e92189034ccc69804159f1c574e6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "mda", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 4 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched DEFAULT at 153 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for mda radius_xlat: '(uid=mda)' radius_xlat: 'ou=xxx,dc=xxx,dc=xxx' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldapserver2:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/20060206_ldap2_xxx_xxx.crt rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: ldap_start_tls_s() rlm_ldap: could not start TLS Connect error rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns fail for request 0 modcall: group authorize returns fail for request 0 Finished request 0 Going to the next request Matt Ashfield Network Analyst Integrated Technology Services University of New Brunswick (506) 447-3033 mda@unb.ca -----Original Message----- From: Zoltan Ori [mailto:z.ori@morehead-st.edu] Sent: July 11, 2006 10:44 AM To: mda@unb.ca; FreeRadius users mailing list Subject: Re: an infamous LDAP-FreeRadius question On Tuesday 11 July 2006 07:24, Matt Ashfield wrote:
I have LDAP configured and can do a cleartext radius authentication using username/passwords (using radtest). What I'd like to do is take the next step and do 802.1x authentication for my windows clients and I suppose that's where I was hoping to find some cleancut instructions on this as I've seen quite a bit of threads concerning this but as mentioned in my initial email, they can be tough to follow.
There is no shortage of information available. There are links to HOW TO on www.freeradius.org main page for 802.1x and EAP http://www.freeradiuos.org/doc/EAPTLS.pdf http://www.tldp.org/HOWTO/8021X-HOWTO/ Read the docs on rlm_eap which has LDAP info. That can be found in your sources as well as on the wiki. Also, see this document http://vuksan.com/linux/dot1x/802-1x-LDAP.html Zoltan Ori
On Tuesday 11 July 2006 10:10, Matt Ashfield wrote:
rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldapserver2:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/20060206_ldap2_xxx_xxx.crt rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: ldap_start_tls_s() rlm_ldap: could not start TLS Connect error rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns fail for request 0
Apparently your LDAP server is not accepting TLS/SSL connections on port 389. You'll need to fix that. See the docs on rlm_ldap for specifying the correct port for your ldaps connection. I think it is as simple as 'port = 636'. Zoltan Ori
On Tuesday 11 July 2006 10:10, Matt Ashfield wrote:
When I try to connect via 802.1x from a wireless client my Radius server debgging looks like below. Obviously the TLS session is not being setup correctly. I'm wondering about the private_key_password attribute. I just set it to "whatever" but that needs to correspond to a user on the LDAP server doesn't it? I'm not sure that's been set up.
You might try not using an ldaps connection if your LDAP server allows it. Comment out all the TLS in the ldap section. This TLS/SSL connection to your LDAP server is a separate issue from 802.1x. That's just between the RADIUS server and LDAP. Once you've got everything else going, go back and work with the ldaps. The main thing is to change only one thing at a time. Then you'll know exactly what broke it and what didn't. I believe you had LDAP working before, didn't you? Zoltan Ori
Actually, I only have the ldap -to- radius authentication when doing a radtest. There's no eap involved at that point. I think my issue of adding the EAP/802.1x stuff is where I'm hitting the snag. Matt Ashfield Network Analyst Integrated Technology Services University of New Brunswick (506) 447-3033 mda@unb.ca -----Original Message----- From: Zoltan Ori [mailto:z.ori@morehead-st.edu] Sent: July 11, 2006 12:33 PM To: mda@unb.ca; 'FreeRadius users mailing list' Subject: Re: an infamous LDAP-FreeRadius question On Tuesday 11 July 2006 10:10, Matt Ashfield wrote:
When I try to connect via 802.1x from a wireless client my Radius server debgging looks like below. Obviously the TLS session is not being setup correctly. I'm wondering about the private_key_password attribute. I just set it to "whatever" but that needs to correspond to a user on the LDAP server doesn't it? I'm not sure that's been set up.
You might try not using an ldaps connection if your LDAP server allows it. Comment out all the TLS in the ldap section. This TLS/SSL connection to your LDAP server is a separate issue from 802.1x. That's just between the RADIUS server and LDAP. Once you've got everything else going, go back and work with the ldaps. The main thing is to change only one thing at a time. Then you'll know exactly what broke it and what didn't. I believe you had LDAP working before, didn't you? Zoltan Ori
Well, I think my TLS session is getting created. From what I can tell, it's the password part of it that's hurting me. I've attached output of my radius server debugging and my eap.conf file as well in hopes that someone could tell me what I'm doing wrong. Any helpful comments are appreaciated. Thanks Matt mda@unb.ca -----Original Message----- From: Zoltan Ori [mailto:z.ori@morehead-st.edu] Sent: July 11, 2006 12:33 PM To: mda@unb.ca; 'FreeRadius users mailing list' Subject: Re: an infamous LDAP-FreeRadius question On Tuesday 11 July 2006 10:10, Matt Ashfield wrote:
When I try to connect via 802.1x from a wireless client my Radius server debgging looks like below. Obviously the TLS session is not being setup correctly. I'm wondering about the private_key_password attribute. I just set it to "whatever" but that needs to correspond to a user on the LDAP server doesn't it? I'm not sure that's been set up.
You might try not using an ldaps connection if your LDAP server allows it. Comment out all the TLS in the ldap section. This TLS/SSL connection to your LDAP server is a separate issue from 802.1x. That's just between the RADIUS server and LDAP. Once you've got everything else going, go back and work with the ldaps. The main thing is to change only one thing at a time. Then you'll know exactly what broke it and what didn't. I believe you had LDAP working before, didn't you? Zoltan Ori
Matt Ashfield wrote:
I have LDAP configured and can do a cleartext radius authentication using username/passwords (using radtest). What I'd like to do is take the next step and do 802.1x authentication for my windows clients and I suppose that's where I was hoping to find some cleancut instructions on this as I've seen quite a bit of threads concerning this but as mentioned in my initial email, they can be tough to follow.
It's really very simple. If you have users of the form: dn: cn=username,ou=whatever,dc=domain,dc=com objectClass: inetOrgPerson-or-whatever cn: username userPassword: theplaintextpass ...just set FR like so: modules { ldap { server = foo basedn = bar # other attributes password_attribute = userPassword } } authorize { preprocess chap mschap eap ldap } authenticate { Auth-Type MS-CHAP { mschap } Auth-Type CHAP { chap } eap } If your userPassword are something like: userPassword: {crypt}=3115313652 clearTextPass: {clear}theplaintext ..you would use modules { ldap { password_header = "{clear}" password_attribute = clearTextPass } } ...and so on.
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Marco Fretz -
Matt Ashfield -
Phil Mayers -
Wasif -
Zoltan Ori