Hello, I have a FreeRADIUS server authenticating against an LDAP back-end. Some of my applications (such as my SIP proxy server) currently require DIGEST-MD5 authentication and others (such as my E-Mail server, and my Cisco routers) do not. Ideally I'd like everything to work harmoneously. Since the SIP server requires DIGEST authentication, the Auth-Type attribute is present and it is set to DIGEST which forces FreeRADIUS to attempt a digest authentication. Once this fails an Access-Reject packet is sent back to the RADIUS client Is there a way to configure FreeRADIUS so it first attempts a DIGEST authentication, and when that fails, we go ahead and attempt normal authentication? Thanks. -Daniel
Daniel Corbe <daniel.junkmail@gmail.com> wrote:
Since the SIP server requires DIGEST authentication, the Auth-Type attribute is present and it is set to DIGEST which forces FreeRADIUS to attempt a digest authentication. Once this fails an Access-Reject packet is sent back to the RADIUS client
You don't say who's setting Auth-Type. In the example config, the "digest" module sets it. If you're setting it yourself, there's a high likelihood that something will go wrong.
Is there a way to configure FreeRADIUS so it first attempts a DIGEST authentication, and when that fails, we go ahead and attempt normal authentication?
No. That doesn't make sense. There IS a way to configure the server to try digest authentication only when the RADIUS packet contains digest attributes. Uncomment the lines referring to "digest" in radiusd.conf. Alan DeKok.
I'm manually setting Auth-Type to DIGEST on the LDAP Server. This is all radiusd.conf has to say about digest: # # The 'digest' module currently has no configuration. # # "Digest" authentication against a Cisco SIP server. # See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details # on performing digest authentication for Cisco SIP servers. # digest { } and # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section. digest Which does not help me much. Both entries aren't commented. -Daniel On 9/7/05, Alan DeKok <aland@ox.org> wrote:
Daniel Corbe <daniel.junkmail@gmail.com> wrote:
Since the SIP server requires DIGEST authentication, the Auth-Type attribute is present and it is set to DIGEST which forces FreeRADIUS to attempt a digest authentication. Once this fails an Access-Reject packet is sent back to the RADIUS client
You don't say who's setting Auth-Type. In the example config, the "digest" module sets it. If you're setting it yourself, there's a high likelihood that something will go wrong.
Is there a way to configure FreeRADIUS so it first attempts a DIGEST authentication, and when that fails, we go ahead and attempt normal authentication?
No. That doesn't make sense.
There IS a way to configure the server to try digest authentication only when the RADIUS packet contains digest attributes. Uncomment the lines referring to "digest" in radiusd.conf.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Daniel Corbe <daniel.junkmail@gmail.com> wrote:
I'm manually setting Auth-Type to DIGEST on the LDAP Server.
As I said, DON'T.
This is all radiusd.conf has to say about digest: ...
No. You missed one "digest" entry, in the "authenticate" section. The text you quoted tells you this:
# If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section.
Follow those instructions. Alan DeKok.
# # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. digest That? It's already uncommented. There's a seperate entry for Auth-Type LDAP { } in the authorize { } block. Should I do something along the lines of... authorize { Auth-Type LDAP { digest ldap } } ?? -Daniel On 9/7/05, Alan DeKok <aland@ox.org> wrote:
Daniel Corbe <daniel.junkmail@gmail.com> wrote:
I'm manually setting Auth-Type to DIGEST on the LDAP Server.
As I said, DON'T.
This is all radiusd.conf has to say about digest: ...
No. You missed one "digest" entry, in the "authenticate" section. The text you quoted tells you this:
# If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section.
Follow those instructions.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Also, please note; The SIP server is NOT sending the Auth-Type attribute. On 9/8/05, Daniel Corbe <daniel.junkmail@gmail.com> wrote:
# # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. digest
That?
It's already uncommented. There's a seperate entry for Auth-Type LDAP { } in the authorize { } block. Should I do something along the lines of...
authorize { Auth-Type LDAP { digest ldap } }
??
-Daniel
On 9/7/05, Alan DeKok <aland@ox.org> wrote:
Daniel Corbe <daniel.junkmail@gmail.com> wrote:
I'm manually setting Auth-Type to DIGEST on the LDAP Server.
As I said, DON'T.
This is all radiusd.conf has to say about digest: ...
No. You missed one "digest" entry, in the "authenticate" section. The text you quoted tells you this:
# If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section.
Follow those instructions.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes.. what I did below worked. -Daniel On 9/8/05, Daniel Corbe <daniel.junkmail@gmail.com> wrote:
# # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. digest
That?
It's already uncommented. There's a seperate entry for Auth-Type LDAP { } in the authorize { } block. Should I do something along the lines of...
authorize { Auth-Type LDAP { digest ldap } }
??
-Daniel
On 9/7/05, Alan DeKok <aland@ox.org> wrote:
Daniel Corbe <daniel.junkmail@gmail.com> wrote:
I'm manually setting Auth-Type to DIGEST on the LDAP Server.
As I said, DON'T.
This is all radiusd.conf has to say about digest: ...
No. You missed one "digest" entry, in the "authenticate" section. The text you quoted tells you this:
# If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section.
Follow those instructions.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan, It achieved the desired effect. Quite simply, authentication against LDAP now works when DIGEST is present and when it is not. I've built my radiusd.conf file based off the examples provided with the default installation. I do not want a broken radius server on my hands as that will create more problems in the long run. I'm still unsure as to what the correct approach is. In the interests of finding the correct approach, I will undo what I have done and paste the results of the debug output. To Recap, here are exerpts from my radius config: modules { ldap { ldap_debug = 0x0028 server = "127.0.0.1" identity = "cn=Manager,dc=corbe,dc=net" password = "abcBABY123" basedn = "ou=People,dc=corbe,dc=net" filter = "(&(objectclass=posixAccount)(uid=dcorbe))" base_filter = "" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" #access_attr = "dialupAccess" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap ldap_connections_number = 5 # # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: # password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # profile_attribute = "radiusProfileDn" #access_attr = "dialupAccess" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap ldap_connections_number = 5 # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # password_attribute = userPassword # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # # edir_account_policy_check=no # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes } # # The 'digest' module currently has no configuration. # # "Digest" authentication against a Cisco SIP server. # See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details # on performing digest authentication for Cisco SIP servers. # digest { } } authorize { # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section. digest # # The ldap module will set Auth-Type to LDAP if it has not # already been set ldap } authenticate { # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. digest Auth-Type LDAP { ldap } } And here is the end result: nrclient-67:~ root# radiusd -X su: radiusd: command not found nrclient-67:~ root# radiusd -X su: radiusd: command not found nrclient-67:~ root# /usr/local/sbin/radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded DIGEST Module: Instantiated digest (digest) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded LDAP ldap: server = "127.0.0.1" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "cn=Manager,dc=corbe,dc=net" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "cgpe845Z" ldap: basedn = "ou=People,dc=corbe,dc=net" ldap: filter = "(&(objectclass=posixAccount)(uid=dcorbe))" ldap: base_filter = "" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "userPassword" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 40 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP userPassword mapped to RADIUS User-Password rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP userPassword mapped to RADIUS User-Password conns: 0x3b9970 Module: Instantiated ldap (ldap) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:63617, id=254, length=194 User-Name = "dcorbe@corbe.net" Digest-Attributes = 0x0a0864636f726265 Digest-Attributes = 0x010b636f7262652e6e6574 Digest-Attributes = 0x022a34333230383536323131353633633935656562343637396364326437646635393536323532323431 Digest-Attributes = 0x040f7369703a636f7262652e6e6574 Digest-Attributes = 0x030a5245474953544552 Digest-Response = "8c76e68b3b48b7c0d15933657df7b0d8" Service-Type = Sip-Session Sip-Uri-User = "dcorbe" NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_digest: Converting Digest-Attributes to something sane... Digest-User-Name = "dcorbe" Digest-Realm = "corbe.net" Digest-Nonce = "4320856211563c95eeb4679cd2d7df5956252241" Digest-URI = "sip:corbe.net" Digest-Method = "REGISTER" rlm_digest: Adding Auth-Type = DIGEST modcall[authorize]: module "digest" returns ok for request 0 rlm_realm: Looking up realm "corbe.net" for User-Name = "dcorbe@corbe.net" rlm_realm: No such realm "corbe.net" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 156 users: Matched entry DEFAULT at line 221 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for dcorbe@corbe.net radius_xlat: '(&(objectclass=posixAccount)(uid=dcorbe))' radius_xlat: 'ou=People,dc=corbe,dc=net' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0 rlm_ldap: bind as cn=Manager,dc=corbe,dc=net/cgpe845Z to 127.0.0.1:389 rlm_ldap: waiting for bind result ... request 1 done rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=corbe,dc=net, with filter (&(objectclass=posixAccount)(uid=dcorbe)) request 2 done rlm_ldap: Added password cgpe845Z in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value cgpe845Z & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding userPassword as User-Password, value cgpe845Z & op=11 rlm_ldap: user dcorbe@corbe.net authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 127.0.0.1:63619, id=255, length=194 User-Name = "dcorbe@corbe.net" Digest-Attributes = 0x0a0864636f726265 Digest-Attributes = 0x010b636f7262652e6e6574 Digest-Attributes = 0x022a34333230383536323131353633633935656562343637396364326437646635393536323532323431 Digest-Attributes = 0x040f7369703a636f7262652e6e6574 Digest-Attributes = 0x030a5245474953544552 Digest-Response = "8c76e68b3b48b7c0d15933657df7b0d8" Service-Type = Sip-Session Sip-Uri-User = "dcorbe" NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_digest: Converting Digest-Attributes to something sane... Digest-User-Name = "dcorbe" Digest-Realm = "corbe.net" Digest-Nonce = "4320856211563c95eeb4679cd2d7df5956252241" Digest-URI = "sip:corbe.net" Digest-Method = "REGISTER" rlm_digest: Adding Auth-Type = DIGEST modcall[authorize]: module "digest" returns ok for request 1 rlm_realm: Looking up realm "corbe.net" for User-Name = "dcorbe@corbe.net" rlm_realm: No such realm "corbe.net" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 156 users: Matched entry DEFAULT at line 221 modcall[authorize]: module "files" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for dcorbe@corbe.net radius_xlat: '(&(objectclass=posixAccount)(uid=dcorbe))' radius_xlat: 'ou=People,dc=corbe,dc=net' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=corbe,dc=net, with filter (&(objectclass=posixAccount)(uid=dcorbe)) request 3 done rlm_ldap: Added password cgpe845Z in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value cgpe845Z & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding userPassword as User-Password, value cgpe845Z & op=11 rlm_ldap: user dcorbe@corbe.net authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: group authorize returns ok for request 1 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 1 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 1 modcall: group Auth-Type returns invalid for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Sending Access-Reject of id 254 to 127.0.0.1:63617 Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 255 to 127.0.0.1:63619 Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 254 with timestamp 43208436 Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 255 with timestamp 43208438 Nothing to do. Sleeping until we see a request. Thank You. -Daniel On 9/8/05, Alan DeKok <aland@ox.org> wrote:
Daniel Corbe <daniel.junkmail@gmail.com> wrote:
Yes.. what I did below worked.
It worked for reasons other than what you believe. The configuration you posted is, quite simply, wrong.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'm not sure I understand why my approach is so incorrect. If I am wrong, please explain it to me. My understanding is we've AUTHORIZED the request by pulling the password information off of the LDAP server and storing it in memory. Then (according to my understanding of the radiusd.conf) in the authenticate {} block, we pick which modules in order will do the AUTHENTICATION part of the AAA session. One of the two modules will always fail. We first try the digest module and get this: Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 1 ERROR: No Digest-Nonce: Cannot perform Digest authentication modcall[authenticate]: module "digest" returns invalid for request 1 Then we move on to the next section of the Auth-Type LDAP configuration section of the authenticate {} block, and allow the LDAP module to take a crack at it and thus we have a sucessful authentication: rlm_ldap: - authenticate rlm_ldap: login attempt by "dcorbe" with password "cgpe845Z" rlm_ldap: user DN: uid=dcorbe,ou=People,dc=corbe,dc=net rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1 rlm_ldap: bind as uid=dcorbe,ou=People,dc=corbe,dc=net/cgpe845Z to 127.0.0.1:389 rlm_ldap: waiting for bind result ... request 1 done rlm_ldap: Bind was successful rlm_ldap: user dcorbe authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 1 modcall: group Auth-Type returns ok for request 1 Sending Access-Accept of id 129 to 127.0.0.1:63703 -Daniel On 9/8/05, Daniel Corbe <daniel.junkmail@gmail.com> wrote:
Alan,
It achieved the desired effect. Quite simply, authentication against LDAP now works when DIGEST is present and when it is not.
I've built my radiusd.conf file based off the examples provided with the default installation.
I do not want a broken radius server on my hands as that will create more problems in the long run. I'm still unsure as to what the correct approach is. In the interests of finding the correct approach, I will undo what I have done and paste the results of the debug output.
To Recap, here are exerpts from my radius config:
modules { ldap { ldap_debug = 0x0028 server = "127.0.0.1" identity = "cn=Manager,dc=corbe,dc=net" password = "abcBABY123" basedn = "ou=People,dc=corbe,dc=net" filter = "(&(objectclass=posixAccount)(uid=dcorbe))" base_filter = ""
# set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no
# tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" #access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap_connections_number = 5
# # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: # password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # profile_attribute = "radiusProfileDn" #access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap_connections_number = 5 # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # password_attribute = userPassword # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # # edir_account_policy_check=no # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes }
# # The 'digest' module currently has no configuration. # # "Digest" authentication against a Cisco SIP server. # See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details # on performing digest authentication for Cisco SIP servers. # digest { } }
authorize { # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section. digest
# # The ldap module will set Auth-Type to LDAP if it has not # already been set ldap }
authenticate { # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. digest Auth-Type LDAP { ldap } }
And here is the end result:
nrclient-67:~ root# radiusd -X su: radiusd: command not found nrclient-67:~ root# radiusd -X su: radiusd: command not found nrclient-67:~ root# /usr/local/sbin/radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded DIGEST Module: Instantiated digest (digest) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded LDAP ldap: server = "127.0.0.1" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "cn=Manager,dc=corbe,dc=net" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "cgpe845Z" ldap: basedn = "ou=People,dc=corbe,dc=net" ldap: filter = "(&(objectclass=posixAccount)(uid=dcorbe))" ldap: base_filter = "" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "userPassword" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 40 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP userPassword mapped to RADIUS User-Password rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP userPassword mapped to RADIUS User-Password conns: 0x3b9970 Module: Instantiated ldap (ldap) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:63617, id=254, length=194 User-Name = "dcorbe@corbe.net" Digest-Attributes = 0x0a0864636f726265 Digest-Attributes = 0x010b636f7262652e6e6574 Digest-Attributes = 0x022a34333230383536323131353633633935656562343637396364326437646635393536323532323431 Digest-Attributes = 0x040f7369703a636f7262652e6e6574 Digest-Attributes = 0x030a5245474953544552 Digest-Response = "8c76e68b3b48b7c0d15933657df7b0d8" Service-Type = Sip-Session Sip-Uri-User = "dcorbe" NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_digest: Converting Digest-Attributes to something sane... Digest-User-Name = "dcorbe" Digest-Realm = "corbe.net" Digest-Nonce = "4320856211563c95eeb4679cd2d7df5956252241" Digest-URI = "sip:corbe.net" Digest-Method = "REGISTER" rlm_digest: Adding Auth-Type = DIGEST modcall[authorize]: module "digest" returns ok for request 0 rlm_realm: Looking up realm "corbe.net" for User-Name = "dcorbe@corbe.net" rlm_realm: No such realm "corbe.net" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 156 users: Matched entry DEFAULT at line 221 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for dcorbe@corbe.net radius_xlat: '(&(objectclass=posixAccount)(uid=dcorbe))' radius_xlat: 'ou=People,dc=corbe,dc=net' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0 rlm_ldap: bind as cn=Manager,dc=corbe,dc=net/cgpe845Z to 127.0.0.1:389 rlm_ldap: waiting for bind result ... request 1 done rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=corbe,dc=net, with filter (&(objectclass=posixAccount)(uid=dcorbe)) request 2 done rlm_ldap: Added password cgpe845Z in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value cgpe845Z & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding userPassword as User-Password, value cgpe845Z & op=11 rlm_ldap: user dcorbe@corbe.net authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 127.0.0.1:63619, id=255, length=194 User-Name = "dcorbe@corbe.net" Digest-Attributes = 0x0a0864636f726265 Digest-Attributes = 0x010b636f7262652e6e6574 Digest-Attributes = 0x022a34333230383536323131353633633935656562343637396364326437646635393536323532323431 Digest-Attributes = 0x040f7369703a636f7262652e6e6574 Digest-Attributes = 0x030a5245474953544552 Digest-Response = "8c76e68b3b48b7c0d15933657df7b0d8" Service-Type = Sip-Session Sip-Uri-User = "dcorbe" NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_digest: Converting Digest-Attributes to something sane... Digest-User-Name = "dcorbe" Digest-Realm = "corbe.net" Digest-Nonce = "4320856211563c95eeb4679cd2d7df5956252241" Digest-URI = "sip:corbe.net" Digest-Method = "REGISTER" rlm_digest: Adding Auth-Type = DIGEST modcall[authorize]: module "digest" returns ok for request 1 rlm_realm: Looking up realm "corbe.net" for User-Name = "dcorbe@corbe.net" rlm_realm: No such realm "corbe.net" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 156 users: Matched entry DEFAULT at line 221 modcall[authorize]: module "files" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for dcorbe@corbe.net radius_xlat: '(&(objectclass=posixAccount)(uid=dcorbe))' radius_xlat: 'ou=People,dc=corbe,dc=net' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=corbe,dc=net, with filter (&(objectclass=posixAccount)(uid=dcorbe)) request 3 done rlm_ldap: Added password cgpe845Z in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value cgpe845Z & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding userPassword as User-Password, value cgpe845Z & op=11 rlm_ldap: user dcorbe@corbe.net authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: group authorize returns ok for request 1 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 1 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 1 modcall: group Auth-Type returns invalid for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Sending Access-Reject of id 254 to 127.0.0.1:63617 Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 255 to 127.0.0.1:63619 Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 254 with timestamp 43208436 Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 255 with timestamp 43208438 Nothing to do. Sleeping until we see a request.
Thank You.
-Daniel
On 9/8/05, Alan DeKok <aland@ox.org> wrote:
Daniel Corbe <daniel.junkmail@gmail.com> wrote:
Yes.. what I did below worked.
It worked for reasons other than what you believe. The configuration you posted is, quite simply, wrong.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Daniel Corbe <daniel.junkmail@gmail.com> wrote:
I'm not sure I understand why my approach is so incorrect. If I am wrong, please explain it to me.
I would suggest reading the existing samples and documentation for how to configure the server. They explain the correct way to do things. The number of incorrect ways to do things is almost infinite.
My understanding is we've AUTHORIZED the request by pulling the password information off of the LDAP server and storing it in memory.
Yes.
Then (according to my understanding of the radiusd.conf) in the authenticate {} block, we pick which modules in order will do the AUTHENTICATION part of the AAA session. One of the two modules will always fail.
If, and ONLY if, you list BOTH modules in an "Auth-Type {}" section in "authenticate". The solution is DON'T DO THAT. List them separately, as shown in the default config. Again, I'm a little surprised that this is so hard to configure, given that the default config shows how to do it. It takes additional effort to create a different configuration, which will then not work.
We first try the digest module and get this: Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 1 ERROR: No Digest-Nonce: Cannot perform Digest authentication modcall[authenticate]: module "digest" returns invalid for request 1
Then we move on to the next section of the Auth-Type LDAP configuration section of the authenticate {} block, and allow the LDAP module to take a crack at it and thus we have a sucessful authentication:
Yes. Your configuration seems to work, but it's inefficient and unnecessary. Rather that following the existing examples, you appear to have randomly added hacks until it "works", with little understanding of how the server is supposed to be configured. Please, use the default configuration where possible. It works, and it was designed by people who understand LDAP, digest, and the server. Your hacks may appear to work, but they are based on misunderstandings and confusion. They WILL NOT be maintainable by you, or anyone else going into the future. Alan DeKok.
I didn't pull this configuration file out of my ass. I *AM* using default configs. More to follow... On 9/8/05, Alan DeKok <aland@ox.org> wrote:
Daniel Corbe <daniel.junkmail@gmail.com> wrote:
I'm not sure I understand why my approach is so incorrect. If I am wrong, please explain it to me.
I would suggest reading the existing samples and documentation for how to configure the server. They explain the correct way to do things. The number of incorrect ways to do things is almost infinite.
My understanding is we've AUTHORIZED the request by pulling the password information off of the LDAP server and storing it in memory.
Yes.
Then (according to my understanding of the radiusd.conf) in the authenticate {} block, we pick which modules in order will do the AUTHENTICATION part of the AAA session. One of the two modules will always fail.
If, and ONLY if, you list BOTH modules in an "Auth-Type {}" section in "authenticate".
The solution is DON'T DO THAT.
List them separately, as shown in the default config.
Again, I'm a little surprised that this is so hard to configure, given that the default config shows how to do it. It takes additional effort to create a different configuration, which will then not work.
We first try the digest module and get this: Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 1 ERROR: No Digest-Nonce: Cannot perform Digest authentication modcall[authenticate]: module "digest" returns invalid for request 1
Then we move on to the next section of the Auth-Type LDAP configuration section of the authenticate {} block, and allow the LDAP module to take a crack at it and thus we have a sucessful authentication:
Yes. Your configuration seems to work, but it's inefficient and unnecessary. Rather that following the existing examples, you appear to have randomly added hacks until it "works", with little understanding of how the server is supposed to be configured.
Please, use the default configuration where possible. It works, and it was designed by people who understand LDAP, digest, and the server. Your hacks may appear to work, but they are based on misunderstandings and confusion. They WILL NOT be maintainable by you, or anyone else going into the future.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I see where I err in my ways. I'm setting the Auth-Type to LDAP specifically in the users file as I have a Fall-Through configured: DEFAULT Auth-Type := LDAP Fall-Through = 1 and the ldap_howto suggests using LDAP groups instead. I'm going to go back and set this up "the right way" instead of "the wrong way" -Daniel On 9/8/05, Daniel Corbe <daniel.junkmail@gmail.com> wrote:
I didn't pull this configuration file out of my ass. I *AM* using default configs.
More to follow...
On 9/8/05, Alan DeKok <aland@ox.org> wrote:
Daniel Corbe <daniel.junkmail@gmail.com> wrote:
I'm not sure I understand why my approach is so incorrect. If I am wrong, please explain it to me.
I would suggest reading the existing samples and documentation for how to configure the server. They explain the correct way to do things. The number of incorrect ways to do things is almost infinite.
My understanding is we've AUTHORIZED the request by pulling the password information off of the LDAP server and storing it in memory.
Yes.
Then (according to my understanding of the radiusd.conf) in the authenticate {} block, we pick which modules in order will do the AUTHENTICATION part of the AAA session. One of the two modules will always fail.
If, and ONLY if, you list BOTH modules in an "Auth-Type {}" section in "authenticate".
The solution is DON'T DO THAT.
List them separately, as shown in the default config.
Again, I'm a little surprised that this is so hard to configure, given that the default config shows how to do it. It takes additional effort to create a different configuration, which will then not work.
We first try the digest module and get this: Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 1 ERROR: No Digest-Nonce: Cannot perform Digest authentication modcall[authenticate]: module "digest" returns invalid for request 1
Then we move on to the next section of the Auth-Type LDAP configuration section of the authenticate {} block, and allow the LDAP module to take a crack at it and thus we have a sucessful authentication:
Yes. Your configuration seems to work, but it's inefficient and unnecessary. Rather that following the existing examples, you appear to have randomly added hacks until it "works", with little understanding of how the server is supposed to be configured.
Please, use the default configuration where possible. It works, and it was designed by people who understand LDAP, digest, and the server. Your hacks may appear to work, but they are based on misunderstandings and confusion. They WILL NOT be maintainable by you, or anyone else going into the future.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
So that worked, group authentication. Thank you for pointing me in the right direction. BTW I do know how RADIUS and LDAP work. I'm not new to the technology, just FreeRADIUS in general. Thanks again. -Daniel On 9/8/05, Daniel Corbe <daniel.junkmail@gmail.com> wrote:
I see where I err in my ways. I'm setting the Auth-Type to LDAP specifically in the users file as I have a Fall-Through configured:
DEFAULT Auth-Type := LDAP Fall-Through = 1
and the ldap_howto suggests using LDAP groups instead.
I'm going to go back and set this up "the right way" instead of "the wrong way"
-Daniel
On 9/8/05, Daniel Corbe <daniel.junkmail@gmail.com> wrote:
I didn't pull this configuration file out of my ass. I *AM* using default configs.
More to follow...
On 9/8/05, Alan DeKok <aland@ox.org> wrote:
Daniel Corbe <daniel.junkmail@gmail.com> wrote:
I'm not sure I understand why my approach is so incorrect. If I am wrong, please explain it to me.
I would suggest reading the existing samples and documentation for how to configure the server. They explain the correct way to do things. The number of incorrect ways to do things is almost infinite.
My understanding is we've AUTHORIZED the request by pulling the password information off of the LDAP server and storing it in memory.
Yes.
Then (according to my understanding of the radiusd.conf) in the authenticate {} block, we pick which modules in order will do the AUTHENTICATION part of the AAA session. One of the two modules will always fail.
If, and ONLY if, you list BOTH modules in an "Auth-Type {}" section in "authenticate".
The solution is DON'T DO THAT.
List them separately, as shown in the default config.
Again, I'm a little surprised that this is so hard to configure, given that the default config shows how to do it. It takes additional effort to create a different configuration, which will then not work.
We first try the digest module and get this: Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 1 ERROR: No Digest-Nonce: Cannot perform Digest authentication modcall[authenticate]: module "digest" returns invalid for request 1
Then we move on to the next section of the Auth-Type LDAP configuration section of the authenticate {} block, and allow the LDAP module to take a crack at it and thus we have a sucessful authentication:
Yes. Your configuration seems to work, but it's inefficient and unnecessary. Rather that following the existing examples, you appear to have randomly added hacks until it "works", with little understanding of how the server is supposed to be configured.
Please, use the default configuration where possible. It works, and it was designed by people who understand LDAP, digest, and the server. Your hacks may appear to work, but they are based on misunderstandings and confusion. They WILL NOT be maintainable by you, or anyone else going into the future.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Daniel Corbe <daniel.junkmail@gmail.com> wrote:
To Recap, here are exerpts from my radius config: ... And here is the end result: ... rlm_digest: Adding Auth-Type = DIGEST ... rad_check_password: Found Auth-Type LDAP
There appears to be some discrepancy. Find out what's setting Auth-Type to LDAP, and delete that. It's breaking digest authentication. Alan DeKok.
Daniel Corbe <daniel.junkmail@gmail.com> wrote:
That?
It's already uncommented.
<sigh> It would help if you had said that in your original message. Posting PART of what you've done makes it sound like the problem is caused by only doing part of the work, rather than all o fit. And please post the debug output. Nothing else will help solve the problem.
It's already uncommented. There's a seperate entry for Auth-Type LDAP { } in the authorize { } block. Should I do something along the lines of...
authorize { Auth-Type LDAP { digest
No. Alan DeKok.
participants (2)
-
Alan DeKok -
Daniel Corbe