eDirectory Authentication
Brad Lachel
stuff at d155.org
Thu Oct 11 15:36:35 CEST 2007
We are currently using our RADIUS server to do one thing. It is
authenticating wireless users via MAC address through access points.
Very clean, very simple. We would like to increase the security a
bit by having the users authenticate against eDirectory as well. If
a user tries to get on the network, his MAC is passed to the RADIUS
server. If the MAC is validated, the request is passed to the Novell
server, the user is asked to enter his password, and then he is
allowed in. I have set up my config files according to several
eDirectory/FreeRADIUS FAQ articles that I have found, but I am still
having a few issues.
1: I am never asked for a password
2: rlm_ldap: When I attempt to get access, I get an error message
"could not start TLS operations error"
Below are some clips from my configurations as well as the access
messages as I receive:
ACCESS ATTEMPT:
rad_recv: Access-Request packet from host 172.16.14.23:1812, id=1,
length=73
User-Password = "xxxxxx"
User-Name = "0016cb-b64f93"
NAS-Identifier = "172.16.14.23"
NAS-IP-Address = 172.16.14.23
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/172.16.14.23/auth-detail-20071011'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/172.16.14.23/auth-detail-20071011
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "0016cb-b64f93", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 153
users: Matched entry 0016cb-b64f93 at line 222
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0016cb-b64f93
radius_xlat: '(uid=0016cb-b64f93)'
radius_xlat: 'o=dist-155'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 172.16.13.10:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/cacert.pem
rlm_ldap: setting TLS CACert Directory to /usr/local/etc/raddb/certs/
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Operations error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns fail for request 0
modcall: leaving group authorize (returns fail) for request 0
Finished request 0
Going to the next request
RADIUSD.CONF
# MODULE CONFIGURATION
#
modules {
#
pap {
encryption_scheme = crypt
auto_header = yes
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
# passwd = /etc/passwd
# shadow = /etc/shadow
# group = /etc/group
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
#use_mppe = no
#require_encryption = yes
#require_strong = yes
#with_ntdomain_hack = no
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
ldap {
server = 172.16.13.10
identity = "cn=ProxyUser,ou=District,o=dist-155"
password = "xxxxxx"
basedn = "o=dist-155"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
start_tls = yes
tls_mode = yes
port = 636
tls_cacertfile = /usr/local/etc/raddb/certs/cacert.pem
tls_cacertdir = /usr/local/etc/raddb/certs/
# tls_certfile = /usr/local/etc/raddb/certs/radius.crt
# tls_keyfile = /usr/local/etc/raddb/certs/radius.key
# tls_randfile = /path/to/rnd
tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 10
Set:
password_attribute = nspmPassword
# password_attribute = userPassword
edir_account_policy_check=yes
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
# set_auth_type = yes
}
EAP.CONF
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
# Supported EAP-types
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
## EAP-TLS
tls {
private_key_password = ch$d!s$
private_key_file = ${raddbdir}/certs/cert-key.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
# check_crl = yes
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
# check_cert_cn = %{User-Name}
# cipher_list = "DEFAULT"
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = yes
use_tunneled_reply = yes
}
peap {
default_eap_type = mschapv2
# copy_request_to_tunnel = no
# use_tunneled_reply = no
# proxy_tunneled_request_as_eap = yes
}
mschapv2 {
}
}
USERS
#Dist - Lachel
"0016cb-b64f93" Auth-Type := Local, User-Password == "xxxxxx"
I am using FreeRADIUS 1.1.7 on an OS X 10.4.10 Server machine. My
access points are currently Apple AirPorts, but we will be replacing
those with Cisco 1131s.
Any help at getting this going would be greatly appreciated.
Thanks
Brad Lachel
Community High School District #155
stuff at d155.org
-----------------------------
All e-mail to and from this address is subject to the Acceptable Use Policies of Community High School District #155. All e-mail may be monitored and/or disclosed to third parties. Any views or opinions presented in an e-mail are solely those of the author and may not represent those of Community High School District #155.
Community High School District #155
http://www.d155.org
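Editor's note, added example (not part of the post above and not FreeRADIUS or eDirectory code). The rlm_ldap debug output shows two things being asked for on the same connection: "setting TLS mode to 1" (TLS from the first byte, i.e. ldaps, which is what port 636 serves) and then "starting TLS" (the StartTLS extended operation, which is a plaintext LDAP request meant for the normal LDAP port, 389). A server that is already speaking TLS, or that expects a TLS handshake as the first bytes, will not accept a plaintext StartTLS request, which is the shape of the "could not start TLS" failure in the log. The posted config sets start_tls = yes, tls_mode = yes and port = 636 together; a consistent pair is either start_tls = yes with port = 389 and tls_mode = no, or tls_mode = yes with port = 636 and start_tls = no. Keep tls_require_cert = "demand" either way; loosening certificate checking makes the error disappear but also silences the warning that would catch a spoofed directory server. Separately, the users entry `"0016cb-b64f93" Auth-Type := Local, User-Password == "xxxxxx"` authenticates the MAC against a static password in the users file, so a per-user password prompt needs an 802.1X/EAP method (PEAP is already the default_eap_type) rather than the MAC-as-username flow.

The script below shows what StartTLS actually is on the wire: it hand-encodes the RFC 4511 ExtendedRequest for OID 1.3.6.1.4.1.1466.20037, decodes the ExtendedResponse, and can probe a server either the ldaps way or the StartTLS way so the mismatch can be reproduced outside radiusd. The host, port and CA-file arguments, and the sample "TLS already started" reply, are constructed for illustration, not taken from the post.

```python
#!/usr/bin/env python3
"""LDAP StartTLS on the wire (added example, not from the original post).

StartTLS is a plaintext LDAP ExtendedRequest (RFC 4511 s.4.14) sent on the
normal LDAP port before TLS begins; an ldaps port (636) expects a TLS
handshake from the first byte instead.  Host/port/CA values passed to
probe() are assumptions for illustration.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


# ---- minimal BER helpers (definite lengths only) ----
def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def read_tlv(buf: bytes, off: int = 0):
    """Decode one tag-length-value at buf[off:] -> (tag, value, next_offset)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


# ---- the StartTLS exchange ----
def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage{messageID, ExtendedRequest[APPLICATION 23]{requestName[0]=StartTLS OID}}."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))      # 0x77 = APPLICATION 23, constructed
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext_req)


def build_extended_response(msg_id: int, result_code: int, diagnostic: bytes = b"") -> bytes:
    """Server side of the exchange; used here to construct sample replies offline."""
    body = (tlv(0x0A, bytes([result_code]))          # resultCode ENUMERATED
            + tlv(0x04, b"")                          # matchedDN
            + tlv(0x04, diagnostic)                   # diagnosticMessage
            + tlv(0x8A, STARTTLS_OID))                # responseName [10]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x78, body))   # 0x78 = APPLICATION 24


def parse_extended_response(msg: bytes) -> dict:
    """Decode an LDAPMessage carrying an ExtendedResponse; raise ValueError if it is not LDAP."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE (TLS record or garbage?)")
    tag, mid, off = read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = read_tlv(body, off)
    if tag != 0x78:
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not ExtendedResponse")
    _, code, off = read_tlv(resp)
    _, matched_dn, off = read_tlv(resp, off)
    _, diag, off = read_tlv(resp, off)
    name = b""
    while off < len(resp):                            # optional referral [3] / responseName [10] / value [11]
        t, v, off = read_tlv(resp, off)
        if t == 0x8A:
            name = v
    return {"msg_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched_dn.decode(), "diagnostic": diag.decode(), "response_name": name.decode()}


# ---- live probe (needs network; not exercised by the offline checks) ----
def probe(host: str, port: int, cafile: str, starttls: bool, timeout: float = 4.0) -> str:
    """Connect the way rlm_ldap would for a given (port, start_tls) pair and report the outcome.
    starttls=True : plaintext connect, StartTLS ExtendedRequest, then TLS  (correct on 389).
    starttls=False: TLS from the first byte, i.e. ldaps                  (correct on 636)."""
    ctx = ssl.create_default_context(cafile=cafile)   # chain + hostname verified, like tls_require_cert = demand
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if starttls:
            raw.sendall(starttls_request())
            data = raw.recv(4096)
            if not data or data[0] != 0x30:
                return "no LDAP reply to StartTLS: peer expects a TLS handshake here (ldaps port?)"
            reply = parse_extended_response(data)
            if reply["result_code"] != 0:
                return f"StartTLS refused: resultCode={reply['result_code']} {reply['diagnostic']!r}"
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return f"TLS {tls.version()} established to {host}:{port}"


if __name__ == "__main__":
    print("StartTLS request:", starttls_request().hex())
    # Constructed sample replies: a success, and the refusal a server gives when TLS is already up.
    print(parse_extended_response(build_extended_response(1, 0)))
    print(parse_extended_response(build_extended_response(1, 1, b"TLS already started")))
```

To reproduce the mismatch against a real directory, run `probe("ldap.example.org", 636, "cacert.pem", starttls=True)` and compare with `probe("ldap.example.org", 389, "cacert.pem", starttls=True)` and `probe("ldap.example.org", 636, "cacert.pem", starttls=False)`; only the last two should report an established session. The hostname passed to probe() must match a name in the server certificate, so use the directory's DNS name rather than its IP unless the certificate carries an IP SAN.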