Freeradius with EAP and LDAP
Hello, We have Freeradius server 3.0.16 up and running and it'll authenticate Our test users successfully via default and inner-tunnel with PAP against Our test LDAP-server. But when we try to authenticate those same test users against that very same LDAP-server from/via Meraki (Cisco) Wifi-endpoints with EAP we'll have rejected auths. We have also created some test users in Freeradius db, and if we disable LDAP from Our configs those users can authenticate without problems against Freeradius itself. I'm just a newbie with Freeradius (and radius in general as well), so can anyone help and give a hint what We are missing? All help will be appreciated. -Jarkko
On Dec 19, 2019, at 11:09 AM, Juntunen, Jarkko <jarkko.juntunen@bitkompisab.fi> wrote:
We have Freeradius server 3.0.16 up and running and it'll authenticate Our test users successfully via default and inner-tunnel with PAP against Our test LDAP-server. But when we try to authenticate those same test users against that very same LDAP-server from/via Meraki (Cisco) Wifi-endpoints with EAP we'll have rejected auths.
Run in debug mode, as suggested in the FAQ, "man" page, documentation, web pages, and nearly daily on this list. Read this web page, too. The "welcome to the list" message suggested the same thing. http://wiki.freeradius.org/list-help And for reading the debug output: http://wiki.freeradius.org/radiusd-X it's generally not difficult, despite the huge amounts of text. Look for "error" or "warning", as those messages tend to be important.
We have also created some test users in Freeradius db, and if we disable LDAP from Our configs those users can authenticate without problems against Freeradius itself.
I'm just a newbie with Freeradius (and radius in general as well), so can anyone help and give a hint what We are missing?
All help will be appreciated.
All of this is extensively documented, including instructions saying what we need to help you. Alan DeKok.
W dniu 19.12.2019 o 17:09, Juntunen, Jarkko pisze:
Hello, We have Freeradius server 3.0.16 up and running and it'll authenticate Our test users successfully via default and inner-tunnel with PAP against Our test LDAP-server. But when we try to authenticate those same test users against that very same LDAP-server from/via Meraki (Cisco) Wifi-endpoints with EAP we'll have rejected auths.
We have also created some test users in Freeradius db, and if we disable LDAP from Our configs those users can authenticate without problems against Freeradius itself.
I'm just a newbie with Freeradius (and radius in general as well), so can anyone help and give a hint what We are missing?
All help will be appreciated.
-Jarkko -
Dear Jarkko, please follow Alan's instructions to debug, but also bear in mind that to get PEAP with MSCHAP working you probably need either Cleartext-Password or hashed NT-Password available for users. -- Marek Zarychta
Thanks for Your advice. We have run Freeradius in debug mode couple of hours and the problem seems to be ( at least in my opinion) missing of password in case of EAP authentication. And the problem is that I have no clue how to have Cleartext-password out of EAP-MSCHAP auth. to 19. jouluk. 2019 klo 18.23 Marek Zarychta (zarychtam@plan-b.pwste.edu.pl) kirjoitti:
W dniu 19.12.2019 o 17:09, Juntunen, Jarkko pisze:
Hello, We have Freeradius server 3.0.16 up and running and it'll authenticate Our test users successfully via default and inner-tunnel with PAP against Our test LDAP-server. But when we try to authenticate those same test users against that very same LDAP-server from/via Meraki (Cisco) Wifi-endpoints with EAP we'll have rejected auths.
We have also created some test users in Freeradius db, and if we disable LDAP from Our configs those users can authenticate without problems against Freeradius itself.
I'm just a newbie with Freeradius (and radius in general as well), so can anyone help and give a hint what We are missing?
All help will be appreciated.
-Jarkko -
Dear Jarkko,
please follow Alan's instructions to debug, but also bear in mind that to get PEAP with MSCHAP working you probably need either Cleartext-Password or hashed NT-Password available for users.
-- Marek Zarychta
On Dec 19, 2019, at 12:09 PM, Juntunen, Jarkko <jarkko.juntunen@bitkompisab.fi> wrote:
Thanks for Your advice. We have run Freeradius in debug mode couple of hours and the problem seems to be ( at least in my opinion) missing of password in case of EAP authentication. And the problem is that I have no clue how to have Cleartext-password out of EAP-MSCHAP auth.
You can't. It's impossible. http://deployingradius.com/documents/protocols/compatibility.html Alan DeKok.
On 19.12.19 18:09, Juntunen, Jarkko wrote:
Thanks for Your advice. We have run Freeradius in debug mode couple of hours and the problem seems to be ( at least in my opinion) missing of password in case of EAP authentication. And the problem is that I have no clue how to have Cleartext-password out of EAP-MSCHAP auth.
You don't get a cleartext password like with PAP from the NAS with *any* CHAP authentication method. That is the whole point of a Challange Handshake Authentication Protocol. If you want to use MSCHAP, you *have* to have the password of the user in the clear or as NT-Hash in your database. There is no way around it. Please don't ask, how to make this use with SHA passwords from LDAP. It cannot be done. Grüße, Sven.
participants (4)
-
Alan DeKok -
Juntunen, Jarkko -
Marek Zarychta -
Sven Hartge