Hi, I set my freeradius with linksys and EAP, and when i use cert. that work fine. But when i want to use ldap without cert. in logs i see: rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=119 User-Name = "rka" NAS-IP-Address = 192.168.1.245 Called-Station-Id = "001217694588" Calling-Station-Id = "0014a41e7112" NAS-Identifier = "001217694588" NAS-Port = 61 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000801726b61 Message-Authenticator = 0x935d96fb44fccc41767e4667570ff8f2 All is oki, but my ldap need User-password, and next i see: Auth: Login incorrect: [rka/<no User-Password attribute>] (from client linksys port 61 cli 0014a41e7112) What i must change in ldap or ever to auth. users from wifi in ldap without User-password or with Password? BR, -- Rafal Kaminski http://blstream.com email: rafal.kaminski@blstream.com jid: rka@im.blstream.com
Rafał Kamiński wrote:
Hi,
I set my freeradius with linksys and EAP, and when i use cert. that work fine. But when i want to use ldap without cert. in logs i see:
rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=119 User-Name = "rka" NAS-IP-Address = 192.168.1.245 Called-Station-Id = "001217694588" Calling-Station-Id = "0014a41e7112" NAS-Identifier = "001217694588" NAS-Port = 61 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000801726b61 Message-Authenticator = 0x935d96fb44fccc41767e4667570ff8f2
All is oki, but my ldap need User-password, and next i see:
Auth: Login incorrect: [rka/<no User-Password attribute>] (from client linksys port 61 cli 0014a41e7112)
What i must change in ldap or ever to auth. users from wifi in ldap without User-password or with Password?
BR,
Assuming you want the most common EAP type, PEAP/MS-CHAP, your LDAP server must contain the users plaintext password or NT/LM hash, and you must configure FreeRadius to extract this information and add it to the configure items for a given request. If your LDAP server does not contain a plaintext password or NT/LM hashes, or you are unable to extract it, you cannot use EAP.
Phil Mayers napisał(a):
Assuming you want the most common EAP type, PEAP/MS-CHAP, your LDAP server must contain the users plaintext password or NT/LM hash, and you must configure FreeRadius to extract this information and add it to the configure items for a given request.
Hi, Can you tell me how configure FreeRadius to extract this information and add it to the configure items for request ? A set clear password in ldap and still i have that in debug mode: Login incorrect: [rka/<no User-Password attribute>] - rka is my user BR, -- Rafal Kaminski http://blstream.com email: rafal.kaminski@blstream.com jid: rka@im.blstream.com
Rafał Kamiński wrote:
Phil Mayers napisał(a):
Assuming you want the most common EAP type, PEAP/MS-CHAP, your LDAP server must contain the users plaintext password or NT/LM hash, and you must configure FreeRadius to extract this information and add it to the configure items for a given request.
Hi,
Can you tell me how configure FreeRadius to extract this information and add it to the configure items for request ?
You need the correct values in the "ldap.attrmap" file. The default file comes with (amongst other) mappings: checkItem LM-Password lmPassword checkItem NT-Password ntPassword
A set clear password in ldap and still i have that in debug mode:
Login incorrect: [rka/<no User-Password attribute>] - rka is my user
BR,
You'll need to add the relevant mapping e.g. if your cleartext password is in "clearPassword" you would use: checkItem User-Password clearPassword Modify as appropriate.
checkItem User-Password clearPassword
HI, I set in ldap.attrmap checkItem User-Password userPassword because my admin say me that password in ldap schema is set by userPassword in authorize and auth. i have: authorize { preprocess chap mschap ldap eap } authenticate { Auth-Type PAP { pap } Auth-Type MS-CHAP { mschap } eap } And when i try connect to linksys with windows client - i write user-name and password i see log - add on bottom of mail :) I think that is crazy, because i see: rlm_ldap: user rka authorized to use remote access And why debug mode still write: Auth: Login incorrect: [rka/<no User-Password attribute>] (from client linksys port 61 cli 0014a41e7112) Maybe error isn't in ldap connection, maybe in driffrent place :( Can somebody help me ? BR, ////DEBUG MODE rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=167 User-Name = "rka" NAS-IP-Address = 192.168.1.245 Called-Station-Id = "001217694588" Calling-Station-Id = "0014a41e7112" NAS-Identifier = "001217694588" NAS-Port = 61 Framed-MTU = 1400 State = 0xf8bfced1a046e6c05d5ddcdee6c66a43 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600261900170301001b6e9e46686e68b4189ee83563818eaad43d267262ed5ac48a0026a0 Message-Authenticator = 0x67e2d4387ffb387664c87ef24add26e9 Tue Jan 23 12:58:10 2007 : Debug: Processing the authorize section of radiusd.conf Tue Jan 23 12:58:10 2007 : Debug: modcall: entering group authorize for request 19 Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 19 Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 19 Tue Jan 23 12:58:10 2007 : Debug: modcall[authorize]: module "preprocess" returns ok for request 19 Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 19 Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 19 Tue Jan 23 12:58:10 2007 : Debug: modcall[authorize]: module "chap" returns noop for request 19 Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 19 Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 19 Tue Jan 23 12:58:10 2007 : Debug: modcall[authorize]: module "mschap" returns noop for request 19 Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 19 Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: - authorize Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: performing user authorization for rka Tue Jan 23 12:58:10 2007 : Debug: radius_xlat: '(uid=rka)' Tue Jan 23 12:58:10 2007 : Debug: radius_xlat: 'ou=Users,dc=blstream' Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: performing search in ou=Users,dc=blstream, with filter (uid=rka) Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: checking if remote access for rka is allowed by uid Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: looking for check items in directory... Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: looking for reply items in directory... Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: user rka authorized to use remote access Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 19 Tue Jan 23 12:58:10 2007 : Debug: modcall[authorize]: module "ldap" returns ok for request 19 Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 19 Tue Jan 23 12:58:10 2007 : Debug: rlm_eap: EAP packet type response id 6 length 38 Tue Jan 23 12:58:10 2007 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 19 Tue Jan 23 12:58:10 2007 : Debug: modcall[authorize]: module "eap" returns updated for request 19 Tue Jan 23 12:58:10 2007 : Debug: modcall: leaving group authorize (returns updated) for request 19 Tue Jan 23 12:58:10 2007 : Debug: rad_check_password: Found Auth-Type EAP Tue Jan 23 12:58:10 2007 : Debug: auth: type "EAP" Tue Jan 23 12:58:10 2007 : Debug: Processing the authenticate section of radiusd.conf Tue Jan 23 12:58:10 2007 : Debug: modcall: entering group authenticate for request 19 Tue Jan 23 12:58:10 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 19 Tue Jan 23 12:58:10 2007 : Debug: rlm_eap: Request found, released from the list Tue Jan 23 12:58:10 2007 : Debug: rlm_eap: EAP/peap Tue Jan 23 12:58:10 2007 : Debug: rlm_eap: processing type peap Tue Jan 23 12:58:10 2007 : Debug: rlm_eap_peap: Authenticate Tue Jan 23 12:58:10 2007 : Debug: rlm_eap_tls: processing TLS Tue Jan 23 12:58:10 2007 : Debug: eaptls_verify returned 7 Tue Jan 23 12:58:10 2007 : Debug: rlm_eap_tls: Done initial handshake Tue Jan 23 12:58:10 2007 : Debug: eaptls_process returned 7 Tue Jan 23 12:58:10 2007 : Debug: rlm_eap_peap: EAPTLS_OK Tue Jan 23 12:58:10 2007 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes. PEAP tunnel data in 0000: 02 06 00 0b 21 80 03 00 02 00 02 Tue Jan 23 12:58:10 2007 : Debug: rlm_eap_peap: Received EAP-TLV response. Tue Jan 23 12:58:10 2007 : Debug: rlm_eap_peap: Tunneled data is valid. Tue Jan 23 12:58:10 2007 : Debug: rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. Tue Jan 23 12:58:10 2007 : Debug: rlm_eap: Handler failed in EAP/peap Tue Jan 23 12:58:10 2007 : Debug: rlm_eap: Failed in EAP select Tue Jan 23 12:58:10 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 19 Tue Jan 23 12:58:10 2007 : Debug: modcall[authenticate]: module "eap" returns invalid for request 19 Tue Jan 23 12:58:10 2007 : Debug: modcall: leaving group authenticate (returns invalid) for request 19 Tue Jan 23 12:58:10 2007 : Debug: auth: Failed to validate the user. Tue Jan 23 12:58:10 2007 : Auth: Login incorrect: [rka/<no User-Password attribute>] (from client linksys port 61 cli 0014a41e7112) Tue Jan 23 12:58:10 2007 : Debug: Delaying request 19 for 1 seconds Tue Jan 23 12:58:10 2007 : Debug: Finished request 19 Tue Jan 23 12:58:10 2007 : Debug: Going to the next request Tue Jan 23 12:58:10 2007 : Debug: rl_next: returning NULL Tue Jan 23 12:58:10 2007 : Debug: Waking up in 6 seconds... Tue Jan 23 12:58:16 2007 : Debug: --- Walking the entire request list --- Sending Access-Reject of id 0 to 192.168.1.245 port 3072 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 -- Rafal Kaminski http://blstream.com email: rafal.kaminski@blstream.com jid: rka@im.blstream.com
Rafał Kamiński wrote:
because my admin say me that password in ldap schema is set by userPassword
Your users don't seem to have passwords in LDAP.
And why debug mode still write:
Auth: Login incorrect: [rka/<no User-Password attribute>] (from client linksys port 61 cli 0014a41e7112)
Because the password it's trying to print is the password in the RADIUS packet/
Maybe error isn't in ldap connection, maybe in driffrent place :(
The error is in LDAP.
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: performing search in ou=Users,dc=blstream, with filter (uid=rka) Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: checking if remote access for rka is allowed by uid Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: looking for check items in directory... Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: looking for reply items in directory...
And there is nothing printed out about finding "userPassword". Therefore, the RADIUS server does not know what the "known good" password is for the user, and cannot authenticate the user. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Rafał Kamiński wrote:
checkItem User-Password clearPassword
HI,
I set in ldap.attrmap
checkItem User-Password userPassword
because my admin say me that password in ldap schema is set by userPassword
Maybe. But your radius server isn't finding it. Check that the bind DN has permissions to see that attribute - use the "ldapsearch" utility.
Hi, I have another problem with that LDAP auth. I set clearPassword - userPassword, and i see that ldap auth.user: rlm_ldap: user rka authorized to use remote access but after i see: rlm_eap_peap: Received EAP-TLV response. Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Tunneled data is valid. Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. why ? what is wrong ? BR, /////Debug mode///// User-Name = "rka" NAS-IP-Address = 192.168.1.245 Called-Station-Id = "000f66a0643e" Calling-Station-Id = "0014a41e7112" NAS-Identifier = "000f66a0643e" NAS-Port = 61 Framed-MTU = 1400 State = 0x3e33510f9407a5ab3618886708f0a7ab NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020700261900170301001bac20ee16475c5840e93722613a0e23156a7025d2aa5bfa24846b31 Message-Authenticator = 0x0581c287817e870b2d4c1eb38f2b257f Fri Jan 26 10:18:13 2007 : Debug: rad_lowerpair: User-Name now 'rka' Fri Jan 26 10:18:13 2007 : Debug: Processing the authorize section of radiusd.conf Fri Jan 26 10:18:13 2007 : Debug: modcall: entering group authorize for request 7 Fri Jan 26 10:18:13 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 7 Fri Jan 26 10:18:13 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 7 Fri Jan 26 10:18:13 2007 : Debug: modcall[authorize]: module "mschap" returns noop for request 7 Fri Jan 26 10:18:13 2007 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 7 Fri Jan 26 10:18:13 2007 : Debug: rlm_ldap: - authorize Fri Jan 26 10:18:13 2007 : Debug: rlm_ldap: performing user authorization for rka Fri Jan 26 10:18:13 2007 : Debug: radius_xlat: '(uid=rka)' Fri Jan 26 10:18:13 2007 : Debug: radius_xlat: 'ou=Users,dc=blstream' Fri Jan 26 10:18:13 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Fri Jan 26 10:18:13 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Fri Jan 26 10:18:13 2007 : Debug: rlm_ldap: performing search in ou=Users,dc=blstream, with filter (uid=rka) Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: checking if remote access for rka is allowed by uid Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: Added password {CLEAR} dupa in check items Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: looking for check items in directory... Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: Adding userPassword as User-Password, value {CLEAR} dupa & op=21 Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: looking for reply items in directory... Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: user rka authorized to use remote access Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Fri Jan 26 10:18:14 2007 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 7 Fri Jan 26 10:18:14 2007 : Debug: modcall[authorize]: module "ldap" returns ok for request 7 Fri Jan 26 10:18:14 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 7 Fri Jan 26 10:18:14 2007 : Debug: rlm_eap: EAP packet type response id 7 length 38 Fri Jan 26 10:18:14 2007 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation Fri Jan 26 10:18:14 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 7 Fri Jan 26 10:18:14 2007 : Debug: modcall[authorize]: module "eap" returns updated for request 7 Fri Jan 26 10:18:14 2007 : Debug: modcall: leaving group authorize (returns updated) for request 7 Fri Jan 26 10:18:14 2007 : Debug: rad_check_password: Found Auth-Type EAP Fri Jan 26 10:18:14 2007 : Debug: auth: type "EAP" Fri Jan 26 10:18:14 2007 : Debug: Processing the authenticate section of radiusd.conf Fri Jan 26 10:18:14 2007 : Debug: modcall: entering group authenticate for request 7 Fri Jan 26 10:18:14 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 7 Fri Jan 26 10:18:14 2007 : Debug: rlm_eap: Request found, released from the list Fri Jan 26 10:18:14 2007 : Debug: rlm_eap: EAP/peap Fri Jan 26 10:18:14 2007 : Debug: rlm_eap: processing type peap Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Authenticate Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_tls: processing TLS Fri Jan 26 10:18:14 2007 : Debug: eaptls_verify returned 7 Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_tls: Done initial handshake Fri Jan 26 10:18:14 2007 : Debug: eaptls_process returned 7 Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: EAPTLS_OK Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes. PEAP tunnel data in 0000: 02 07 00 0b 21 80 03 00 02 00 02 Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Received EAP-TLV response. Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Tunneled data is valid. Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. Fri Jan 26 10:18:14 2007 : Debug: rlm_eap: Handler failed in EAP/peap Fri Jan 26 10:18:14 2007 : Debug: rlm_eap: Failed in EAP select Fri Jan 26 10:18:14 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 7 Fri Jan 26 10:18:14 2007 : Debug: modcall[authenticate]: module "eap" returns invalid for request 7 -- Rafal Kaminski http://blstream.com email: rafal.kaminski@blstream.com jid: rka@im.blstream.com
Rafał Kamiński wrote:
rlm_eap_peap: Received EAP-TLV response. Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Tunneled data is valid. Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
why ? what is wrong ?
The message tells you to look EARLIER in the debug log to see why the user was rejected. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (3)
-
Alan DeKok -
Phil Mayers -
Rafał Kamiński