Radius Server and Ldap Server
Hello all, I am trying to set up a radius server to perform authentication for wifi login against the user with password database in LDAP. I have no right to get the password back from LDAP, and the only reply information from LDAP server is the I login in success. However, I need to login wifi by a user name and password stored in LDAP server, without the reply password from LDAP, how can the radius server check whether the password I have provided is correct. I have tried many ways, but none of them work. I need help from you. Thanks. Best Regards Li
On 13 Jan 2014, at 09:15, 李亚坤 <liyakun127@hotmail.com> wrote:
Hello all,
I am trying to set up a radius server to perform authentication for wifi login against the user with password database in LDAP.
I have no right to get the password back from LDAP, and the only reply information from LDAP server is the I login in success.
However, I need to login wifi by a user name and password stored in LDAP server, without the reply password from LDAP, how can the radius server check whether the password I have provided is correct.
By attempting to bind as the user. authorize { if (User-Password) { update control { Auth-Type := LDAP } } } authenticate { Auth-Type LDAP { ldap } } -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi, Thanks for your help. After apply the configuration you recommend to the inner-tunnel file, the debug information no process for searching ldap server, and user from ldap database still can not be authenticated. There are also infomation about /***********************************************************************/ [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: liy1 [mschap] Client is using MS-CHAPv2 for liy1, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. /***********************************************************************/ I have changed the ldap.attrmap to: checkitem Cleartext-Password userpassword Thanks, waiting for your reply. Subject: Re: Radius Server and Ldap Server From: a.cudbardb@freeradius.org Date: Mon, 13 Jan 2014 09:50:39 +0000 To: freeradius-users@lists.freeradius.org On 13 Jan 2014, at 09:15, 李亚坤 <liyakun127@hotmail.com> wrote:
Hello all,
I am trying to set up a radius server to perform authentication for wifi login against the user with password database in LDAP.
I have no right to get the password back from LDAP, and the only reply information from LDAP server is the I login in success.
However, I need to login wifi by a user name and password stored in LDAP server, without the reply password from LDAP, how can the radius server check whether the password I have provided is correct.
By attempting to bind as the user. authorize { if (User-Password) { update control { Auth-Type := LDAP } } } authenticate { Auth-Type LDAP { ldap } } -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I go this to work by changing the format that ldap stores the password. I changed it to clear text. Its not ideal but it works for me From: freeradius-users-bounces+midnightsteel=msn.com@lists.freeradius.org [mailto:freeradius-users-bounces+midnightsteel=msn.com@lists.freeradius.org] On Behalf Of ??? Sent: Monday, January 13, 2014 5:24 AM To: FreeRadius users mailing list Subject: RE: Radius Server and Ldap Server Hi, Thanks for your help. After apply the configuration you recommend to the inner-tunnel file, the debug information no process for searching ldap server, and user from ldap database still can not be authenticated. There are also infomation about /***********************************************************************/ [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: liy1 [mschap] Client is using MS-CHAPv2 for liy1, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. /***********************************************************************/ I have changed the ldap.attrmap to: checkitem Cleartext-Password userpassword Thanks, waiting for your reply. Subject: Re: Radius Server and Ldap Server From: a.cudbardb@freeradius.org <mailto:a.cudbardb@freeradius.org> Date: Mon, 13 Jan 2014 09:50:39 +0000 To: freeradius-users@lists.freeradius.org <mailto:freeradius-users@lists.freeradius.org> On 13 Jan 2014, at 09:15, 李亚坤 <liyakun127@hotmail.com <mailto:liyakun127@hotmail.com> > wrote:
Hello all,
I am trying to set up a radius server to perform authentication for wifi login against the user with password database in LDAP.
I have no right to get the password back from LDAP, and the only reply information from LDAP server is the I login in success.
However, I need to login wifi by a user name and password stored in LDAP server, without the reply password from LDAP, how can the radius server check whether the password I have provided is correct.
By attempting to bind as the user. authorize { if (User-Password) { update control { Auth-Type := LDAP } } } authenticate { Auth-Type LDAP { ldap } } -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org <mailto:a.cudbardb@freeradius. org> > FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users. html
I have no right to change the setting of ldap server, and it will not reply me with a psssword. It only give me the accept message. From: midnightsteel@msn.com To: freeradius-users@lists.freeradius.org Subject: RE: Radius Server and Ldap Server Date: Mon, 13 Jan 2014 05:31:45 -0500 I go this to work by changing the format that ldap stores the password. I changed it to clear text. Its not ideal but it works for me From: freeradius-users-bounces+midnightsteel=msn.com@lists.freeradius.org [mailto:freeradius-users-bounces+midnightsteel=msn.com@lists.freeradius.org] On Behalf Of ??? Sent: Monday, January 13, 2014 5:24 AM To: FreeRadius users mailing list Subject: RE: Radius Server and Ldap Server Hi, Thanks for your help. After apply the configuration you recommend to the inner-tunnel file, the debug information no process for searching ldap server, and user from ldap database still can not be authenticated. There are also infomation about /***********************************************************************/ [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: liy1 [mschap] Client is using MS-CHAPv2 for liy1, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. /***********************************************************************/ I have changed the ldap.attrmap to: checkitem Cleartext-Password userpassword Thanks, waiting for your reply. Subject: Re: Radius Server and Ldap Server From: a.cudbardb@freeradius.org Date: Mon, 13 Jan 2014 09:50:39 +0000 To: freeradius-users@lists.freeradius.org On 13 Jan 2014, at 09:15, 李亚坤 <liyakun127@hotmail.com> wrote:
Hello all,
I am trying to set up a radius server to perform authentication for wifi login against the user with password database in LDAP.
I have no right to get the password back from LDAP, and the only reply information from LDAP server is the I login in success.
However, I need to login wifi by a user name and password stored in LDAP server, without the reply password from LDAP, how can the radius server check whether the password I have provided is correct.
By attempting to bind as the user. authorize { if (User-Password) { update control { Auth-Type := LDAP } } } authenticate { Auth-Type LDAP { ldap } } -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 13 Jan 2014, at 10:47, 李亚坤 <liyakun127@hotmail.com> wrote:
I have no right to change the setting of ldap server, and it will not reply me with a psssword. It only give me the accept message.
Then you can't do what you want. You'll need to use TTLS-PAP or another EAP method that provides the plaintext password. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi, Arran Thanks for your reply, I changed authentication method to TTLS-PAP, there is a fail information "rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication", not sure it is the reason because of ldap server no password return or others, Thanks Li Subject: Re: Radius Server and Ldap Server From: a.cudbardb@freeradius.org Date: Mon, 13 Jan 2014 11:20:05 +0000 To: freeradius-users@lists.freeradius.org On 13 Jan 2014, at 10:47, 李亚坤 <liyakun127@hotmail.com> wrote:
I have no right to change the setting of ldap server, and it will not reply me with a psssword. It only give me the accept message.
Then you can't do what you want. You'll need to use TTLS-PAP or another EAP method that provides the plaintext password. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I am not sure without ldap reply with a password(even plaintext password) can authentication be success? Subject: Re: Radius Server and Ldap Server From: a.cudbardb@freeradius.org Date: Mon, 13 Jan 2014 11:20:05 +0000 To: freeradius-users@lists.freeradius.org On 13 Jan 2014, at 10:47, 李亚坤 <liyakun127@hotmail.com> wrote:
I have no right to change the setting of ldap server, and it will not reply me with a psssword. It only give me the accept message.
Then you can't do what you want. You'll need to use TTLS-PAP or another EAP method that provides the plaintext password. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You can. Modify the ldap module and set “set_auth_type” = yes. This will set LDAP authentication if no other authentication type will accept your style of authentication, and then bind to LDAP using the username and password that has been passed to FreeRADIUS. See http://wiki.freeradius.org/modules/Rlm_ldap for details. In order to use this style of authentication you MUST have PAP or EAP-TTLS/PAP, which I believe Alan Buxey has already made you set. Stefan From: freeradius-users-bounces+stefan.paetow=diamond.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac.uk@lists.freeradius.org] On Behalf Of ??? Sent: 13 January 2014 14:17 To: FreeRadius users mailing list Subject: RE: Radius Server and Ldap Server I am not sure without ldap reply with a password(even plaintext password) can authentication be success? Subject: Re: Radius Server and Ldap Server From: a.cudbardb@freeradius.org<mailto:a.cudbardb@freeradius.org> Date: Mon, 13 Jan 2014 11:20:05 +0000 To: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> On 13 Jan 2014, at 10:47, 李亚坤 <liyakun127@hotmail.com<mailto:liyakun127@hotmail.com>> wrote:
I have no right to change the setting of ldap server, and it will not reply me with a psssword. It only give me the accept message.
Then you can't do what you want. You'll need to use TTLS-PAP or another EAP method that provides the plaintext password. Arran Cudbard-Bell <a.cudbardb@freeradius.org<mailto:a.cudbardb@freeradius.org>> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 13 Jan 2014, at 15:48, <stefan.paetow@diamond.ac.uk> <stefan.paetow@diamond.ac.uk> wrote:
You can.
Modify the ldap module and set “set_auth_type” = yes. This will set LDAP authentication if no other authentication type will accept your style of authentication, and then bind to LDAP using the username and password that has been passed to FreeRADIUS.
Not if you're using FreeRADIUS 3.0.x. The method I described works for 2/3. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi,
Hi, Thanks for your help. After apply the configuration you recommend to the inner-tunnel file, the debug information no process for searching ldap server, and user from ldap database still can not be authenticated. There are also infomation about
PEAP doesnt provide the password. its challenge response...so you either need the LDAP server to provide you the password in a format that can be used (plain or NTLM hash) or use EAP-TTLS/PAP alan
Hi, alan Thanks for your help. The situation is that I can use radtest with the username and password in the ldap database, "radtest username password 127.0.0.1 0 testing123" but with "radtest -t mschap username password 127.0.0.1 0 testing123" test failure. I also can not login by a mobile phone with the user name and password in the ldap database. So, I thought it might be the reason that the ldap server not send with a password. However, my manager want me to find a way to achieve the authentication by the successful information replyed from the ldap server. I am new to radius and ldap, so I am not sure whether this is possible. Thanks again.
Date: Mon, 13 Jan 2014 10:36:07 +0000 From: A.L.M.Buxey@lboro.ac.uk To: freeradius-users@lists.freeradius.org Subject: Re: Radius Server and Ldap Server
Hi,
Hi, Thanks for your help. After apply the configuration you recommend to the inner-tunnel file, the debug information no process for searching ldap server, and user from ldap database still can not be authenticated. There are also infomation about
PEAP doesnt provide the password. its challenge response...so you either need the LDAP server to provide you the password in a format that can be used (plain or NTLM hash) or use EAP-TTLS/PAP
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
李亚坤 wrote:
However, my manager want me to find a way to achieve the authentication by the
successful information replyed from the ldap server. I am new to radius and ldap, so I am not sure whether this is possible.
Your questions are answered here: http://deployingradius.com/documents/protocols/compatibility.html Alan DeKok.
Hi, Alan Thanks for your reply, I changed authentication method to TTLS-PAP, there is a fail information "rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication", not sure it is the reason because of ldap server no password return or others, Thanks Li
Date: Mon, 13 Jan 2014 07:21:57 -0500 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: Radius Server and Ldap Server
李亚坤 wrote:
However, my manager want me to find a way to achieve the authentication by the
successful information replyed from the ldap server. I am new to radius and ldap, so I am not sure whether this is possible.
Your questions are answered here:
http://deployingradius.com/documents/protocols/compatibility.html
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
username and password in the ldap database,
"radtest username password 127.0.0.1 0 testing123"
yep. thats PAP
"radtest -t mschap username password 127.0.0.1 0 testing123" test failure. I also can not login by a mobile phone with the user name and password in the ldap database.
yep, thats challenge response. your LDAP is just a storage mechanism, it cannot receive challenges and provide responses.
I am not sure whether this is possible.
http://deployingradius.com/documents/protocols/oracles.html alan
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Maurice James -
stefan.paetow@diamond.ac.uk -
李亚坤