Captive portal: can I use chap or pap in conjunction with ntlm_auth?
Hi all, I am trying to get a captive portal working so my wireless users can enter their Windows domain credentials and get internet access. I've been working with chilispot/hotspotlogin.cgi and/or Copspot (an implementation of chilispot for IPCOP) both of which try to do CHAP with freeradius. Chili can also just hand a clear text password through. Either approach works fine if I put users in the users file, however I can't get this to work with my AD backend. NTLM auth does work if I use WPA2, however I am trying to push users through a TOS splash page and validate their domain credentials. I hope someone can help me figure out this out. Thanks! John Here's the output of from my attempts to authenticate: Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/freeradius/freeradius.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.114.0.39 port 32772, id=0, length=216 User-Name = "flyboy" CHAP-Challenge = 0xd4a3fb75001e61f38b8216844306287c CHAP-Password = 0x00fcd3e064aa8829713fc8263c5b7e8303 NAS-IP-Address = 0.0.0.0 Service-Type = Login-User Framed-IP-Address = 192.168.182.8 Calling-Station-Id = "00-21-5C-15-6D-8B" Called-Station-Id = "00-50-DA-1A-EF-77" NAS-Identifier = "nas01" Acct-Session-Id = "4a6f716d00000000" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Message-Authenticator = 0x452e7d3ec37b78ce9dc2d08eb447f6c9 WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "flyboy", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "flyboy" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> flyboy attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 0 to 10.114.0.39 port 32772 Waking up in 4.9 seconds
I am trying to get a captive portal working so my wireless users can enter their Windows domain credentials and get internet access.
I've been working with chilispot/hotspotlogin.cgi and/or Copspot (an implementation of chilispot for IPCOP) both of which try to do CHAP with freeradius. Chili can also just hand a clear text password through. Either approach works fine if I put users in the users file, however I can't get this to work with my AD backend.
No, you can't. http://deployingradius.com/documents/protocols/compatibility.html
NTLM auth does work if I use WPA2
Because that uses peap as authentication protocol. Ivan Kalik Kalik Informatika ISP
No, you can't.
http://deployingradius.com/documents/protocols/compatibility.html Thanks for this.
NTLM auth does work if I use WPA2
Because that uses peap as authentication protocol.
Do you have any ideas about getting chilispot to work with users who are retrieved from AD via winbind and ntlm_auth Is there a way for me to use pap with users stored in Active Directory? Thanks! John
Do you have any ideas about getting chilispot to work with users who are retrieved from AD via winbind and ntlm_auth
I don't know Chilispot, but if it can pass a cleartext password, then you can use ntlm_auth in a script to do the authentication. For other devices that send an A/D user and a cleartext password in User-Password, I use ldap in the authorization section and then: Auth-Type ldap { perl_ntlm } In the authentication section after ms-chap and eap. In the script you call ntlm_auth and parse the response.
Hi everyone, I have a problem concerning my configuration and I am wondering if somebody can help me. ----------------------------------------------------------------------------------------------------------------------------------- *freeradius-server-2.1.6* is installed without warning on* CentOS v5.3*...configured on localhost and tested. Everything's OK. For the authentication I d like to use openldap which is already ready. I tested it and it work(on *ldap.uae.ac.ma*: you can check it). I installed my freeradius in /usr/local/freeradius-server-2.1.6...So I edit the following files: *ldap* in */usr/local/freeradius-server.2.16/etc/raddb/modules/ldap* *raidusd.conf* in */usr/local/freeradius-server-2.1.6/etc/radiusd.conf* *default* in * /usr/local/freeradius-server-2.1.6/etc/raddb/sites-enabled/default* to have the appropriate configuration ... When I execute /usr/local/freeradius-server-2.1.6/sbin/radiusd -XXX to start(in debug mode) the server it gives the following error: *failed to link to module 'rlm_ldap':rlm_ldap.so:cannot open shared object file :No such file or directory* there are another errors after it but, if this one is solved so ...everything ll be ok. I am bored and I don't know what to do: I found in another topic that I'll have to rebuild and re-install my server ...Is that true?Is there another solution? thx.
participants (4)
-
Garber, Neal -
Ivan Kalik -
john -
RANDRIAMAMPIONONA José Johnny