Hi.. Using FB 6.0 FR 1.0.5 trying to configure EAP-MD5 with LDAP backend... But it keep reporting: rlm_ldap: Attribute "User-Password" is required for authentication. No EAP been processed... please see full debug log below.. Below is my config with multiple DEFAULT entry... for Wireless services & normal Dialup authentication i) users ===== DEFAULT NAS-Identifier == "Wireless-802.11", Autz-Type := Y5, Auth-Type :=Y5 DEFAULT Autz-Type := LDAP, Auth-Type := LDAP ii) eap.conf ======== eap { default_eap_type = md5 } md5 { } } iii) radiusd.conf ============ $INCLUDE ${confdir}/eap.conf authorize { eap Autz-Type LDAP { ldap1 } Autz-Type Y5 { ldapy51 } } authenticate { Auth-Type LDAP { ldap1 } Auth-Type Y5 { ldapy51 } eap } ldap ldap1 { server = "localhost" identity = "cn=root,dc=jaring,dc=my" password = xxxxxx basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 10 password_attribute = userPassword timeout = 4 timelimit = 3 net_timeout = 1 } ldap ldapy51 { server = "localhost" identity = "cn=root,dc=jaring,dc=my" password = xxxxxx basedn = "ou=Y5,ou=People,dc=jaring,dc=my" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 10 password_attribute = userPassword timeout = 4 timelimit = 3 net_timeout = 1 } rad_recv: Access-Request packet from host 202.73.10.12:1814, id=133, length=197 Framed-MTU = 1466 NAS-IP-Address = 10.220.0.2 NAS-Identifier = "OCEPOP" User-Name = "jaroce" Service-Type = Framed-User NAS-Port = 129 NAS-Port-Type = Ethernet NAS-Port-Id = "ether9_129" Called-Station-Id = "00-11-95-e1-ce-8a" Calling-Station-Id = "00-13-46-86-c3-93" Connect-Info = "CONNECT Ethernet 2Mbps Full duplex" EAP-Message = 0x02020015016a61726f6365406d793031352e636f6d Message-Authenticator = 0x6d5b3fff40ff4c920b88d100ed80a209 Proxy-State = 0x3433 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '/' in User-Name = "jaroce", skipping NULL due to config. modcall[authorize]: module "IPASS" returns noop for request 1 rlm_realm: No '@' in User-Name = "jaroce", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "jaroce" rlm_realm: Proxying request from user jaroce to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 21 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 68 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 Processing the authorize section of radiusd.conf modcall: entering group Autz-Type for request 1 modcall: entering group redundant for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for jaroce radius_xlat: '(uid=jaroce)' radius_xlat: 'ou=RADIUS,ou=People,dc=jaring,dc=my' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with filter (uid=jaroce) rlm_ldap: checking if remote access for jaroce is allowed by dialupAccess rlm_ldap: Added password j4r1ng in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11 rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11 rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11 rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11 rlm_ldap: user jaroce authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap1" returns ok for request 1 modcall: group redundant returns ok for request 1 modcall: group Autz-Type returns ok for request 1 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 1 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap1" returns invalid for request 1 modcall: group redundant returns invalid for request 1 modcall: group Auth-Type returns invalid for request 1 auth: Failed to validate the user. Login incorrect: [jaroce] (from client OCE_JARING port 129 cli 00-13-46-86-c3-93)
Hi,
trying to configure EAP-MD5 with LDAP backend...
rlm_ldap: Attribute "User-Password" is required for authentication.
oh, a classic. You are trying to use a backend that requires to have the clear text password, but are instead feeding it with a one-way crypted password. This won't work out-of-the-box. What you *might* be able to do is retrieve the user's password during authorize with an administrator account, and then during authenticate let the server compare things themselves, without calling ldap during authenticate. Never done that, but it seems possible to me. Good luck. Stefan Winter -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg
Rohaizam Abu Bakar wrote:
Hi..
Using FB 6.0 FR 1.0.5
trying to configure EAP-MD5 with LDAP backend...
But it keep reporting:
rlm_ldap: Attribute "User-Password" is required for authentication.
EAP-MD5 requires you have the plaintext password (in the LDAP server, in this case). If you do not, you cannot do EAP-MD5. If you do, configure the LDAP server to give the plaintext password to the radius server (usually in userPassword) and the radius server to map that into User-Password (done by default) and it will work.
After searching for solution.. found one comment from Alan that advise not to set Auth-Type :=LDAP because LDAP do not do authentication.. EAP does.. let server figure out itself... In case of EAP, LDAP just extract password for EAP to do authentication. But the problem is, my radius need to serve a few services... such as ADSL, Wifi, Dial up .. etc. Each services have their own LDAP tree for better management. So in radiusd.conf, there will be a few ldap modules.. See below:- How do i set in users file in order for WIFI user to perform EAP but get LDAP info from certain LDAP tree without having to set Auth-Type ???? i) users ===== DEFAULT ???? (not to set Auth-Type but need to direct to certain LDAP tree) ii) radiusd.conf ========== ldap adsl { basedn=ou=ADSL, ou=People... } ldap wifi { basedn=ou=wifi, ou=People... } Then .. in authenticate and authorize section :- authorize { eap Autz-Type=ADSL { adsl } Autz-Type=WIFI { wifi } } authenticate { Auth-Type=ADSL { adsl } Auth-Type=WIFI { wifi } eap } iii) eap.conf ... some config... ----- Original Message ----- From: "Phil Mayers" <p.mayers@imperial.ac.uk> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Saturday, June 24, 2006 5:37 PM Subject: Re: EAP-MD5 with LDAP
Rohaizam Abu Bakar wrote:
Hi..
Using FB 6.0 FR 1.0.5
trying to configure EAP-MD5 with LDAP backend...
But it keep reporting:
rlm_ldap: Attribute "User-Password" is required for authentication.
EAP-MD5 requires you have the plaintext password (in the LDAP server, in this case). If you do not, you cannot do EAP-MD5. If you do, configure the LDAP server to give the plaintext password to the radius server (usually in userPassword) and the radius server to map that into User-Password (done by default) and it will work. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Can I set Autz-Type in users? but leave EAP to set Auth-Type?? --haizam ----- Original Message ----- From: "Alan DeKok" <aland@nitros9.org> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Sunday, June 25, 2006 10:48 PM Subject: Re: EAP-MD5 with LDAP
"Rohaizam Abu Bakar" <haizam@myjaring.net> wrote:
How do i set in users file in order for WIFI user to perform EAP but get LDAP info from certain LDAP tree without having to set Auth-Type ????
The EAP module will take care of setting Auth-Type. You don't have to.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Can I set Autz-Type in users? but leave EAP to set Auth-Type??
Sure. Stefan Winter -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
participants (4)
-
Alan DeKok -
Phil Mayers -
Rohaizam Abu Bakar -
Stefan Winter