radius authentication fallback from ldap to local
Hi, I am trying to configure fallback of radius server form ldap to local file based authentication when the ldap server is not reachable. I have a wireless client which needs to be authenticated by the radius server on association. The wireless client uses EAP-PEAP authentication and PEAP-GTC as inner protocol. The authentication works fine with LDAP and Local files with separate configuration setting. However, I am unable to configure for the fallback mechanism. My freeradius version is 2.1.7. I did following modification for fallback. Radiusd.conf ------------- authorize { preprocessor ..... passwd ldap { fail = 1 } if(fail) { files } } eap.conf --------- eap { .... gtc { Challange = "Password" auth_type = ldap } .... } users -------- DEFAULT Auth-Type = Local Fall-Through = Yes With above settings the LDAP authentication works fine. Then ldap is disconnected the radius server fails to find ladp and fallback to file. However in fail in eap with following error.. ----->> [eap] Request found, released from the list [eap] EAP/gtc [eap] processing type gtc [gtc] +- entering group LDAP {...} [ldap] login attempt by "user1" with password "symbol123" [ldap] expand: (sAMAccountName=%{Stripped-User-Name}) -> (sAMAccountName=user1) [ldap] expand: DC=wlan,DC=com -> DC=wlan,DC=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns fail [eap] Handler failed in EAP/gtc [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. auth: Failed to validate the user.: [user1] (from client localhost port 1 cli 00-13-CE-F0-6E-32 via TLS tunnel) Login incorrect: [user1] (from client localhost port 1 cli 00-13-CE-F0-6E-32 via TLS tunnel) } # server [peap] Got tunneled reply code 3 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE <<<--------- Complete log pasted here http://pastebin.com/PjDuvAvy. Packets 1-8 is when ldap is connected. Ldap is diconnected from Packet 9 onwards. The error is in Packet 17. The wireless client waits for Access-Accept. Latter, I changed the eap.conf as below eap { .... gtc { Challange = "Password" auth_type = Local } .... } With this configuration local fallback authentication works. However, when ldap is connected the ldap authentication successful only if the user credential is present in the password file. How to solve it?. I am newbie to radius, please guide if I miss some thing obvious. Regards, Satish
Hello, Server freeradius and authentification with user in file to use it is good but if authentification on openldap server then it does not work. Somebody has t it files modules / ldap and sites-enables / inner-serveur which work with openldap authentification. Because concerns it is the tunnel TLS which does not go(take) up between WiFi AP8600 and the customer seven Windows pro in PEAP / Mschapv2 Thank you for your help Cordially Une messagerie gratuite, garantie à vie et des services en plus, ça vous tente ? Je crée ma boîte mail www.laposte.net
On Sat, May 7, 2011 at 5:34 PM, rene.gomez@laposte.net <rene.gomez@laposte.net> wrote:
Hello, Server freeradius and authentification with user in file to use it is good but if authentification on openldap server then it does not work. Somebody has t it files modules / ldap and sites-enables / inner-serveur which work with openldap authentification. Because concerns it is the tunnel TLS which does not go(take) up between WiFi AP8600 and the customer seven Windows pro in PEAP / Mschapv2 Thank you for your help Cordially
You're giving me a headache. What the heck is "TLS which does not go(take) up" or "seven Windows pro"? Try writing questions in the way that other people can understand them. Otherwise no one will be able to help you. As for your problem, try reading the FAQ first: http://wiki.freeradius.org/index.php/FAQ Don't forget the section "It still doesn't work" Another note that may help you, mschap requires that you have plain text password, or authenticate against Active Directory. So if you don't have plaintext password in your openldap schema, then it will never work. Period. -- Fajar
Hi, Got it resolved with following configuration radiusd.conf ------------ authorize { preprocessor ..... passwd ldap { fail = 1 } if(fail) { files } } authenticate { ..... Auth-Type FALLBACK_LDAP{ redundant { ldap pap } ...... } eap.conf -------- eap { .... gtc { Challange = "Password" auth_type = FALLBACK_LDAP } .... } users ------ DEFAULT Auth-Type = FALLBACK_LDAP Fall-Through = No Thanks -Satish -----Original Message----- From: freeradius-users-bounces+satish.chowdhury=motorolasolutions.com@lists.fr eeradius.org [mailto:freeradius-users-bounces+satish.chowdhury=motorolasolutions.com@ lists.freeradius.org] On Behalf Of Chowdhury Satish-NVF476 Sent: Saturday, May 07, 2011 12:51 PM To: freeradius-users@lists.freeradius.org Subject: radius authentication fallback from ldap to local Hi, I am trying to configure fallback of radius server form ldap to local file based authentication when the ldap server is not reachable. I have a wireless client which needs to be authenticated by the radius server on association. The wireless client uses EAP-PEAP authentication and PEAP-GTC as inner protocol. The authentication works fine with LDAP and Local files with separate configuration settings. However, I am unable to configure for the fallback mechanism. My freeradius version is 2.1.7. I did following modification for fallback. Radiusd.conf ------------- authorize { preprocessor ..... passwd ldap { fail = 1 } if(fail) { files } } eap.conf --------- eap { .... gtc { Challange = "Password" auth_type = ldap } .... } users -------- DEFAULT Auth-Type = Local Fall-Through = Yes With above settings the LDAP authentication works fine. When ldap is disconnected the radius server fails to find ladp and fallback to files module. However it fails in eap with following error.. ----->> [eap] Request found, released from the list [eap] EAP/gtc [eap] processing type gtc [gtc] +- entering group LDAP {...} [ldap] login attempt by "user1" with password "symbol123" [ldap] expand: (sAMAccountName=%{Stripped-User-Name}) -> (sAMAccountName=user1) [ldap] expand: DC=wlan,DC=com -> DC=wlan,DC=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns fail [eap] Handler failed in EAP/gtc [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. auth: Failed to validate the user.: [user1] (from client localhost port 1 cli 00-13-CE-F0-6E-32 via TLS tunnel) Login incorrect: [user1] (from client localhost port 1 cli 00-13-CE-F0-6E-32 via TLS tunnel) } # server [peap] Got tunneled reply code 3 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE <<<--------- Complete log pasted here http://pastebin.com/PjDuvAvy. Packets 1-8 is when ldap is connected. Ldap is diconnected from Packet 9 onwards. The error is in Packet 17. The wireless client waits for Access-Accept. Latter, I changed the eap.conf as below eap { .... gtc { Challange = "Password" auth_type = Local } .... } With this configuration local fallback authentication works. However, when ldap is connected the ldap authentication is successful only if the user credential is present in the local password file. How to solve it?. I am newbie to radius, please guide if I miss some thing obvious. Regards, Satish - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sat, May 7, 2011 at 7:17 PM, Chowdhury Satish-NVF476 <satish.chowdhury@motorolasolutions.com> wrote:
Hi,
Got it resolved with following configuration
Glad to hear it, thanks for sharing the solution.
radiusd.conf ------------ authorize {
ldap { fail = 1 } if(fail) { files } }
I think you should also be able to use redundant { ldap files } which is simpler, and more consistent with the style you used on authenticate section.
authenticate { ..... Auth-Type FALLBACK_LDAP{ redundant { ldap pap } ...... }
-- Fajar
participants (3)
-
Chowdhury Satish-NVF476 -
Fajar A. Nugraha -
rene.gomez@laposte.net