freeradius eap-ttls pap ldap

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Sat Jun 9 00:21:47 CEST 2007


emmcosta wrote:
> Hi everyone,
>
> I have a problem with my configuration: authorize is ok but
> authentication fails. I use freeradius 1.1.6 and openldap 2.2.13 and use
> windows xp for client with securew2.
> My access-point is Cisco aironet 1100.
>
> My radiusd.conf:
>
> ..........
>         ldap {
>                 server = "localhost"
>                 identity = "cn=root,dc=teste,dc=pt"
>                 password = secret
>                 basedn = "dc=teste,dc=pt"
>                 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                 base_filter = "(objectclass=radiusprofile)"
>                 start_tls = no
>                 access_attr = "uid"
>                 dictionary_mapping = ${raddbdir}/ldap.attrmap
>                 ldap_connections_number = 5
>                 password_attribute = userPassword
>                 timeout = 4
>                 timelimit = 3
>                 net_timeout = 1
>                 set_auth_type = no
>         }
> ..............
> authorize {
>             preprocess
>            ldap
>            pap
> }
>
> authenticate {
>         Auth-Type PAP {
>                 pap
>         }
>         Auth-Type LDAP {
>                 ldap
>         }
>         eap
>
> }
>
> My eap.conf:
>
> eap{
>                 default_eap_type = ttls
>                 timer_expire     = 60
>                 ignore_unknown_eap_types = no
>                 cisco_accounting_username_bug = yes
>                 md5 {
>                 }
>                 leap {
>                 }
>                 gtc {
>                         auth_type = PAP
>                 }
>                 tls {
>                         private_key_password = whatever
>                         private_key_file = ${raddbdir}/certs/cert-srv.pem
>
>                         #  If Private key & Certificate are located in
>                         #  the same file, then private_key_file &
>                         #  certificate_file must contain the same file
>                         #  name.
>                         certificate_file = ${raddbdir}/certs/cert-srv.pem
>
>                         #  Trusted Root CA list
>                         CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>
>                         dh_file = ${raddbdir}/certs/dh
>                         random_file = ${raddbdir}/certs/random
>                 }
>                 ttls {
>                         default_eap_type = gtc
>                         use_tunneled_reply = yes
>                 }
> }
>
> The log:
>
> ............
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for user_test
> radius_xlat:  '(uid=user_test)'
> radius_xlat:  'dc=teste,dc=pt'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=teste,dc=pt, with filter (uid=user_test)
> Waking up in 1 seconds...
> Threads: total/active/spare threads = 5/1/4
> rlm_ldap: checking if remote access for user_test is allowed by uid
> rlm_ldap: Added password {CRYPT}HkDWb49nxN4Zo in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding userPassword as User-Password, value
> {CRYPT}HkDWb49nxN4Zo & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user gilberto authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 2
> rlm_pap: No clear-text password in the request.  Not performing PAP.
>   modcall[authorize]: module "pap" returns noop for request 2
> modcall: leaving group authorize (returns ok) for request 2
> auth: No User-Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.
> Login incorrect: [user_test/<no User-Password attribute>] (from client
> 192.168.1.69 port 371 cli 0040.96a2.24f3)
> Delaying request 2 for 1 seconds
> Finished request 2
> Going to the next request
> Thread 3 waiting to be assigned a request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> Threads: total/active/spare threads = 5/0/5
> --- Walking the entire request list ---
> Sending Access-Reject of id 121 to 192.168.1.69 port 1645
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 2 ID 121 with timestamp 4669d1cd
> Nothing to do.  Sleeping until we see a request.
>
>
> Can anyone help me?
>
> Best regards
>
>   
PAP won't work with the Windows XP supplicant (unless you're doing CHAP 
authentication).
Windows XP uses Protected EAP with MSCHAPv2 inner encryption. This 
means authentication is done with MSCHAP.

MSCHAP works with two forms of stored password, either CLEARTEXT or 
NTHASH. Your LDAP lookup is pulling the user's password out in CRYPT 
format, so it will not work.

I recommend that you add an attribute in your LDAP schema called 
ntPassword; by default the LDAP attribute map will create the RADIUS 
check item NT-Password, which the MSCHAP module will use for authentication.

There should be a binary in freeradius/bin, called smbencrypt, which you 
can use to generate the NTHASH hashes.

The other way is to write your passwords to the LDAP directory in 
cleartext (as opposed to crypt).

So in summary,

PAP won't work with XP.
Uncomment MSCHAP in authorize and authenticate.
Add the attributes / change your hashing scheme.



More information about the Freeradius-Users mailing list