Hi Always start simple. Run radtest on the RADIUS server box using 127.0.0.1 ... THEN move to running against it from other systems once you've verified all authentication etc is working Note that it is port 1812 UDP alan
On 2013-06-22 at 16:41, Alan Buxey (A.L.M.Buxey@lboro.ac.uk) wrote:
Always start simple. Run radtest on the RADIUS server box using 127.0.0.1 ... THEN move to running against it from other systems once you've verified all authentication etc is working
Works on localhost. Trying to get radius to authenticate against an ldap serer.
Hi,
Always start simple. Run radtest on the RADIUS server box using 127.0.0.1 ... THEN move to running against it from other systems once you've verified all authentication etc is working
Works on localhost.
Trying to get radius to authenticate against an ldap serer.
if localhost works, then the authentications cannot get though to the server on its IP socket so you need to edit the host firewall (ad any other ACLs that might be blocking the traffic) iptables -L -n - check for UDP 1812 being allowed as for what you say you are doing and what you are doing...that radtest is simply sending RADIUS auths to a RADIUS server....then the server will use whatever methods you have configured for AAA - right now its doing absolutely nothing at all as the server is not receiving your packets - this has nothing to do with an LDAP server right now alan
On 2013-06-24 at 18:06, A.L.M.Buxey@lboro.ac.uk (A.L.M.Buxey@lboro.ac.uk) wrote:
Hi,
Always start simple. Run radtest on the RADIUS server box using 127.0.0.1 ... THEN move to running against it from other systems once you've verified all authentication etc is working
Works on localhost.
Trying to get radius to authenticate against an ldap server.
if localhost works, then the authentications cannot get though to the server on its IP socket so you need to edit the host firewall (ad any other ACLs that might be blocking the traffic)
iptables -L -n - check for UDP 1812 being allowed
iptables -L -n Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1812 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
as for what you say you are doing and what you are doing...that radtest is simply sending RADIUS auths to a RADIUS server....then the server will use whatever methods you have configured for AAA - right now its doing absolutely nothing at all as the server is not receiving your packets - this has nothing to do with an LDAP server right now
Does this mean that: # radtest evergreen@plumgrid.com "Y0V2T2VAKI" 192.168.10.14 0 d1sc0verplum Is not sending my radius request to the ldap server (192.168.10.14)? In which case, how do I test that freeradius is working with ldap? Does this mean I need to set up say a WiFi router to use WPA2 Enterprise and send auth requests to the radius server and then the radius server passes requests to the ldap server. This is how I want it to work eventually, but I thought the steps should be: Test radius as localhost. Test radius to ldap. Test WPA2 Enterprise to radius server, which will pass username and password of user to ldap.
Hi,
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1812
you see this - TCP read a little about RADIUS it uses UDP change your rule to allow UDP port 1812
# radtest evergreen@plumgrid.com "Y0V2T2VAKI" 192.168.10.14 0 d1sc0verplum
Is not sending my radius request to the ldap server (192.168.10.14)?
we, it is....but there is NOTHING an LDAP server can do with a RADIUS request. you send RADIUS requests to a RADIUS server....the RADIUS server will then open up required connections to backend systems (eg LDAP to an LDAP server, SQL to an SQL server etC) to deal with AAA requirements. I dont use HTTP to talk to an SSH server
In which case, how do I test that freeradius is working with ldap?
you fire a RADIUS authentication against the RADIUS server radtest username password radius-server port secret
Does this mean I need to set up say a WiFi router to use WPA2 Enterprise and send auth requests to the radius server and then the radius server passes requests to the ldap server. This
yes. alan
On 2013-06-24 at 18:38, A.L.M.Buxey@lboro.ac.uk (A.L.M.Buxey@lboro.ac.uk) wrote:
Hi,
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1812
you see this - TCP
read a little about RADIUS it uses UDP
change your rule to allow UDP port 1812
I had it wide open. Someone suggested I add the tcp above. Now I have iptables wide open: iptables -L -n Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination -----
# radtest evergreen@plumgrid.com "Y0V2T2VAKI" 192.168.10.14 0 d1sc0verplum
Is not sending my radius request to the ldap server (192.168.10.14)?
we, it is....but there is NOTHING an LDAP server can do with a RADIUS request.
I get that. What I want the RADIUS server to do is query the LDAP server, rather than say a database or the /etc/freeradius/users file.
you send RADIUS requests to a RADIUS server....the RADIUS server will then open up required connections to backend systems (eg LDAP to an LDAP server, SQL to an SQL server etC) to deal with AAA requirements.
Yes, I get that. I am trying to prove via radtest that the radius server can authenticate to the radius server, just as the users file can authenticate to the radius server.
I dont use HTTP to talk to an SSH server
Neither do I.
In which case, how do I test that freeradius is working with ldap?
you fire a RADIUS authentication against the RADIUS server
radtest username password radius-server port secret
Does this mean I need to set up say a WiFi router to use WPA2 Enterprise and send auth requests to the radius server and then the radius server passes requests to the ldap server. This
yes.
So, I can run radtest only using credentials in /etc/freeradius/users? -- "They: The makers of the Constitution: conferred, as against the government, the right to be let alone -- the most comprehensive of rights and the right most valued by civilized men." - Justice Louis D. Brandeis
Hi,
I had it wide open. Someone suggested I add the tcp above.
who suggested that? standard basic old fashioned RADIUS uses UDP ports 1812,1813 and 1814 - even older versions pre IANA adjustments would have used UDP 1645 and 1646
I get that. What I want the RADIUS server to do is query the LDAP server, rather than say a database or the /etc/freeradius/users file.
right. so first of all, send the radtest packets to the RADIUS server - or get an access point to do that. the see what is happening and configure the RADIUS server so that its using LDAP in the authorization/authentication sections - uncomment 'ldap' and then edit the LDAP module. the queries will then go to your LDAP server as configured in the LDAP module. then note what you CAN and CANT do with an LDAP server - what password storage mechanisms will work with PEAP being used by a WPA2 Enterprise client etc
Yes, I get that. I am trying to prove via radtest that the radius server can authenticate to the radius server, just as the users file can authenticate to the radius server.
the users file doesnt authenticate to the RADIUS server...you're getting things the wrong way around. the RADIUS server uses the users file as an oracle to check a username/password.....(and to set return values)
So, I can run radtest only using credentials in /etc/freeradius/users?
you can use radtest (or eapol_test from the wpa_supplicant package) to send an authentication request to the RADIUS server. the server is then configured to use whatever user/pass storage you want....there is NOTHING to force it only to use the users file when using radtest. some people use ActiveDirectory, some use SQL, some use LDAP, some use some RESTFUL API. very few use the users file for serious production use ;) alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Julian Macassey