I'm new to FreeRadius and trying to setup the server to authenticate using LDAP. I'm having some problem and hope to get some help from the list. I'm trying to setup AP->FR->LDAP. Both FreeRadius and LDAP are new installation on CentOS. I tried to follow the installation for FR and test each steps. test accounts are created in both user file and LDAP database. radtest are successful with both accounts. The problem is when I try to authenticate through AP. The debug log shows Failed to authenticate the user. here is the log file. # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok [suffix] No '@' in User-Name = "julietest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for julietest [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> julietest [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=julietest) [ldap] expand: ou=xxx,dc=xxxx,dc=xxx,dc=xxx -> ou=xxx,dc=xxx,dc=xxx,dc=xxx [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=xxx,dc=xxx,dc=xxx,dc=xxx, with filter (uid=julietest) [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{crypt}$1$svVH/H.V$S02th.oBG7iQV0UtFBcVx1" [ldap] looking for reply items in directory... [ldap] user julietest authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: julietest [mschap] Told to do MS-CHAPv2 for julietest with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 MS-CHAP-Error = "\202E=691 R=1" [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} Thank you very much for your time and help. Best, Julie -- View this message in context: http://freeradius.1045715.n5.nabble.com/AP-FR-LDAP-authentication-tp5572785p... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Julie wrote:
The problem is when I try to authenticate through AP. The debug log shows Failed to authenticate the user. here is the log file. ... [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ... [ldap] userPassword -> Password-With-Header == "{crypt}$1$svVH/H.V$S02th.oBG7iQV0UtFBcVx1"
You CANNOT do MS-CHAP with crypt'd passwords. It's impossible. Alan DeKok.
Yes, I understand that. But I'm having little problem figure out right configuration. Would someone please advice on the configuration file? [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel I'm using the default inner-tunnel just added ldap at the authorize. Thanks Julie ________________________________________ From: freeradius-users-bounces+chenj=ssc.ucla.edu@lists.freeradius.org [freeradius-users-bounces+chenj=ssc.ucla.edu@lists.freeradius.org] on behalf of Alan DeKok [aland@deployingradius.com] Sent: Friday, March 16, 2012 8:02 PM To: FreeRadius users mailing list Subject: Re: AP->FR->LDAP authentication Julie wrote:
The problem is when I try to authenticate through AP. The debug log shows Failed to authenticate the user. here is the log file. ... [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ... [ldap] userPassword -> Password-With-Header == "{crypt}$1$svVH/H.V$S02th.oBG7iQV0UtFBcVx1"
You CANNOT do MS-CHAP with crypt'd passwords. It's impossible. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sat, Mar 17, 2012 at 11:54 AM, Julie Chen <chenj@ssc.ucla.edu> wrote:
Yes, I understand that. But I'm having little problem figure out right configuration. Would someone please advice on the configuration file?
I'd start with reading this: http://wiki.freeradius.org/Protocol%20Compatibility (or the original page in deplyingradius.com). Since you have crypt password, you can only use PAP, EAP-GTC, or TTLS-PAP.
[pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP
The client chooses what authentication method to use. You need to tell the client NOT to use EAP-PEAP-MSCHAPv2 (which is the default one that windows client would use), and use TTLS-PAP or EAP-GTC instead. The bad news is that none of those two is natively supported by windows <=7. You need to either: - get a third-party supplicant (e.g. windows version of wpa-supplicant, xsupplicant, or securew2). OR - use another method to store your users crededential, either storing the password in plain text or NT-HASH, or use AD.
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
I'm using the default inner-tunnel just added ldap at the authorize.
That's the correct way to configure the server. No need to change that. -- Fajar
Fajar A. Nugraha wrote:
I'd start with reading this: http://wiki.freeradius.org/Protocol%20Compatibility (or the original page in deplyingradius.com).
Please don't copy my content into the Wiki. The deployingradius.com link has been around for years. It's the authoritative source. Copying it to the wiki means that it will get edited, and will then be *wrong*. Alan DeKok.
Julie Chen wrote:
Yes, I understand that.
Apparently you don't.
But I'm having little problem figure out right configuration.
What part of "impossible" is unclear?
Would someone please advice on the configuration file?
There is no configuration to change. You need to store the passwords in LDAP in a format *other* than crypt. Nothing else will work. No amount of poking the FreeRADIUS configuration files will help. No amount of reading the debug output will help. Alan DeKok.
Hi,
I'm new to FreeRadius and trying to setup the server to authenticate using LDAP. I'm having some problem and hope to get some help from the list.
if your clients are doing EAP-TTLS/PAP then this will work - the PAP module can deal the requirements. if, as i suspect, you are using PEAP (PEAPv0/MSCHAPv2) then you cannot use {crypt} from the LDAP - you will either have to expose the passwords as cleartext in LDAP or use NT HASH instead (i'd personally go for the latter). what is your backend system - AD? as you might be going about it the wrong way...if its AD, then bind the FR server into your AD (following the plenty of examples eg www.deployingradius.com ) - and use ntlm_auth in the mschap module to do the authentication - you can still use LDAP for finding what group people belong to for eg VLAN override... alan
if your clients are doing EAP-TTLS/PAP then this will work - the PAP module can deal the requirements.
I'm trying to setup the EAP-TTLS/PAP. I'm testing with Mac Lion. Just saw someone posted online saying Lion support only MSChapV2 in the inner-tunnel part. Trying to figure out how to change this configuration now. My backend is LDAP. Maybe I should change the backend system to AD. Thank you all for your time and help. Best, Julie Chen -- View this message in context: http://freeradius.1045715.n5.nabble.com/AP-FR-LDAP-authentication-tp5572785p... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
I’m trying to setup the EAP-TTLS/PAP. I’m testing with Mac Lion. Just saw someone posted online saying Lion support only MSChapV2 in the inner-tunnel part. Trying to figure out how to change this configuration now.
huh? OSX lion can do whatever you have told it to do using the mobileconfig tool (iPhone configuraton utility can generate such). now, far be it from me to shout from the rooftops....but i wouldnt rely on some unsubstantiated result found by google. if you do the legwork you'll find it CAN do what you are after..... and I've even attached a screenshot from the apple enterprise deployment tool that you need to configure Lion with http://www.apple.com/support/iphone/enterprise/ alan
huh? OSX lion can do whatever you have told it to do using the mobileconfig tool (iPhone configuraton utility can generate such). now, far be it from me to shout from the rooftops....but i wouldnt rely on some unsubstantiated result found by google. if you do the legwork you'll find it CAN do what you are after..... and I've even attached a screenshot from the apple enterprise deployment tool that you need to configure Lion with You are right on the point. ☺ Yes, I got the iPhone configuration utility and configured the Mac to do use EAP-TTLS/PAP instead of default one. It works perfect with my radius setup and LDAP accounts. Now I need to decide and possibly make changes to my plan (use LDAP as backend to authenticate) since we also need to use other campus radius server for different realm. Thank you very much for your help. Julie -- View this message in context: http://freeradius.1045715.n5.nabble.com/AP-FR-LDAP-authentication-tp5572785p... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (5)
-
Alan Buxey -
Alan DeKok -
Fajar A. Nugraha -
Julie -
Julie Chen