EAP-PEAP with LDAP for 802.1x authentication

debug afone debug at afone.com
Mon Feb 25 12:08:39 CET 2008


Hello, 

I use FreeRADIUS with OpenLDAP to authenticate devices using EAP-PEAP and it
works fine. The only problem I had was the encrypted password in my LDAP
database.
I bypassed this problem by using a clear-text password in the LDAP database and it
works fine.
You can also have a look at this:
http://deployingradius.com/documents/protocols/compatibility.html

Regards, 

Nicolas SOULEMAN.

-----Original Message-----
From: freeradius-users-bounces+debug=afone.com at lists.freeradius.org
[mailto:freeradius-users-bounces+debug=afone.com at lists.freeradius.org] On behalf
of freeradius-users-request at lists.freeradius.org
Sent: Monday, 25 February 2008 11:59
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 34, Issue 124



Today's Topics:

   1. rlm_dbm can not work? (Hangjun He)
   2. EAP-PEAP with LDAP for 802.1x authentication (Ryan)
   3. Re: EAP-PEAP with LDAP for 802.1x authentication
      (Arjuna Scagnetto)
   4. Re: rlm_dbm can not work? (A.L.M.Buxey at lboro.ac.uk)
   5. Re: EAP-PEAP with LDAP for 802.1x authentication (Ivan Kalik)
   6. Re: EAP-PEAP with LDAP for 802.1x authentication (Sergio Belkin)
   7. radius users update after NAS downing (Zahra Bahar)
   8. ldap configuration parameters in radiusd.conf file
      (Gopinath Reddy N)


----------------------------------------------------------------------

Message: 1
Date: Mon, 25 Feb 2008 11:15:38 +0800 (CST)
From: Hangjun He <elmerhe at yahoo.com.cn>
Subject: rlm_dbm can not work?
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <182021.24135.qm at web15107.mail.cnb.yahoo.com>
Content-Type: text/plain; charset="gb2312"

Hi,
   
  I am using FreeRADIUS 1.1.6.  I cannot get rlm_dbm to work.
   
  Result of rlm_dbm_cat:
  [root at Jack-Linux raddb]# pwd
/usr/local/etc/raddb
[root at Jack-Linux raddb]# rlm_dbm_cat -f users.db
"hhe4"              Cleartext-Password := "hhe123"
                    Reply-Message = "Hello"
                     
"hhe123"            Cleartext-Password := "hhe123"
                    Reply-Message = "Hello"
                     
[root at Jack-Linux raddb]#
[root at Jack-Linux raddb]# ls users.*
users.db.dir  users.db.pag
[root at Jack-Linux raddb]#
   
  Debug message:
  Module: Loaded dbm
 dbm: usersfile = "/usr/local/etc/raddb/users.db"
Module: Instantiated dbm (dbm)
Listening on authentication *:1812
Listening on accounting *:1813
ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1033, id=26, length=58
        User-Name = "hhe123"
        User-Password = "hhe123"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
rlm_dbm: try open database file: /usr/local/etc/raddb/users.db
rlm_dbm: Call parse_user:
sm_parse_user.c: check for loops
Add hhe123 to user list
rlm_dbm: User <hhe123> not foud in database
Remove hhe123 from user list
sm_parse_user.c: check for loops
Add DEFAULT to user list
rlm_dbm: User <DEFAULT> not foud in database
Remove DEFAULT from user list
  modcall[authorize]: module "dbm" returns notfound for request 0
modcall: leaving group authorize (returns noop) for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Sending Access-Reject of id 26 to 127.0.0.1 port 1033
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 26 with timestamp 47c220be
Nothing to do.  Sleeping until we see a request.
   
  John.
   
   


------------------------------

Message: 2
Date: Mon, 25 Feb 2008 14:58:11 +0800
From: Ryan <majereryan at gmail.com>
Subject: EAP-PEAP with LDAP for 802.1x authentication
To: freeradius-users at lists.freeradius.org
Message-ID:
	<99e642670802242258g78b569dapcd517c969fe03eb1 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi All,

I understand that it is not possible to authenticate using EAP-PEAP
against OpenLDAP due to encrypted passwords. Can someone advise on how
exactly OpenLDAP needs to be configured so that it can be used with
EAP-PEAP?

I found out from http://vuksan.com/linux/dot1x/802-1x-LDAP.html that
to do so additional attributes need to be added to LDAP. Is this the
only way?

Thanks/Regards,
Ryan


------------------------------

Message: 3
Date: Mon, 25 Feb 2008 08:59:26 +0100
From: "Arjuna Scagnetto" <arjuna.scagnetto at gmail.com>
Subject: Re: EAP-PEAP with LDAP for 802.1x authentication
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID:
	<4fb2bb140802242359x686441fch12f24211a888e3bf at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Reading from
http://deployingradius.com/documents/protocols/compatibility.html
you can see that there's no problem making LDAP work with
EAP-PEAP; the only thing you must take care of is the hashing algorithm
for the password.

Reading carefully from http://vuksan.com/linux/dot1x/802-1x-LDAP.html

"It is important depending what kind of password information you have
stored in your LDAP database"

So nobody says you can't make OpenLDAP and FreeRADIUS work together. :)

Reading carefully 802-1x.LDAP.html you'll be able to set up a working
environment.



On Mon, Feb 25, 2008 at 7:58 AM, Ryan <majereryan at gmail.com> wrote:
> Hi All,
>
>  I understand that it is not possible to authenticate using EAP-PEAP
>  against OpenLDAP due to encrypted passwords. Can someone advise on how
>  exactly OpenLDAP needs to be configured so that it can be used with
>  EAP-PEAP?
>
>  I found out from http://vuksan.com/linux/dot1x/802-1x-LDAP.html that
>  to do so additional attributes need to be added to LDAP. Is this the
>  only way?
>
>  Thanks/Regards,
>  Ryan
>  -
>  List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>



-- 
they don't own your box, but they have you


------------------------------

Message: 4
Date: Mon, 25 Feb 2008 09:48:20 +0000
From: A.L.M.Buxey at lboro.ac.uk
Subject: Re: rlm_dbm can not work?
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20080225094819.GA28074 at lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii

Hi,

> [root at Jack-Linux raddb]# rlm_dbm_cat -f users.db
> "hhe4"              Cleartext-Password := "hhe123"
>                     Reply-Message = "Hello"
>                      
> "hhe123"            Cleartext-Password := "hhe123"
>                     Reply-Message = "Hello"

I have a theory about the entries: remove the quotes from around
your userids in that database file.

alan


------------------------------

Message: 5
Date: Mon, 25 Feb 2008 11:15:30 +0100
From: "Ivan Kalik" <tnt at kalik.net>
Subject: Re: EAP-PEAP with LDAP for 802.1x authentication
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID: <DbMklX8t.1203934530.1122440.tnt at kalik.co.yu>
Content-Type: text/plain; charset=ISO-8859-2

>I understand that it is not possible to authenticate using EAP-PEAP
>against OpenLDAP due to encrypted passwords. Can someone advise on how
>exactly OpenLDAP needs to be configured so that it can be used with
>EAP-PEAP?
>

Don't use encrypted password. Or use nt hash and NT-Password. There is
nothing to add - those attributes are already in ldap.attrmap.

Ivan Kalik
Kalik Informatika ISP
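The point made in this reply and in the two earlier ones (use a clear-text password, or store the NT hash so that the MS-CHAPv2 inner method of PEAP can be checked) can be made concrete with a small script. The following is an added example and is not code from any of the posts or from FreeRADIUS itself: it computes the NT hash (MD4 over the UTF-16LE password, in pure Python because many OpenSSL 3 builds no longer expose MD4 through hashlib), emits the LDIF needed to add that hash next to an existing one-way-hashed userPassword, and classifies which EAP methods can verify each storage form. The LDAP attribute name ntPassword and all sample entries are assumptions constructed for the demonstration; check your own ldap.attrmap for the attribute it maps to NT-Password.

```python
"""Added example (not from the list posts): NT-hash generation and a
password-storage / EAP-method compatibility check for FreeRADIUS + LDAP.

Assumptions (not from the page): the LDAP attribute holding the NT hash is
named ntPassword, and the sample accounts below are constructed."""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used only because hashlib may lack it."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    # Pad to 56 mod 64 bytes, then append the little-endian 64-bit bit length.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, list(range(16)), (3, 7, 11, 19), 0x00000000),
        (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        st = state[:]
        for func, order, shifts, const in rounds:
            for i in range(16):
                # Each step rotates the roles (a,b,c,d) -> (d,a,b,c) -> ...
                a, b, c, d = (-i) % 4, (1 - i) % 4, (2 - i) % 4, (3 - i) % 4
                v = (st[a] + func(st[b], st[c], st[d]) + X[order[i]] + const) & MASK32
                st[a] = _rotl(v, shifts[i % 4])
        state = [(s + t) & MASK32 for s, t in zip(state, st)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password, upper-case hex as stored in LDAP."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ldif_add_nt_hash(dn: str, password: str) -> str:
    """LDIF that adds an NT hash next to an existing (possibly {SSHA}) userPassword."""
    return "\n".join([f"dn: {dn}", "changetype: modify", "add: ntPassword",
                      f"ntPassword: {nt_hash(password)}", ""])


# Which inner authentication protocols can verify each password storage form.
# PEAP carries MS-CHAPv2, which needs the NT hash (or cleartext to derive it);
# one-way hashes such as {SSHA}/{CRYPT}/{MD5} can only be checked by PAP.
COMPATIBLE = {
    "cleartext": {"PAP", "CHAP", "MSCHAPv2"},
    "nt-hash": {"PAP", "MSCHAPv2"},
    "one-way-hash": {"PAP"},
}
EAP_INNER = {"EAP-PEAP": "MSCHAPv2", "EAP-TTLS/PAP": "PAP", "EAP-TTLS/MSCHAPv2": "MSCHAPv2"}


def classify_ldap_entry(entry: dict) -> str:
    """Classify how a (constructed) LDAP entry stores its password."""
    if "ntPassword" in entry:
        return "nt-hash"
    if entry.get("userPassword", "").startswith("{"):  # RFC 2307 scheme prefix
        return "one-way-hash"
    return "cleartext"


def usable_methods(entry: dict) -> set:
    """EAP methods whose inner protocol can be verified against this entry."""
    allowed = COMPATIBLE[classify_ldap_entry(entry)]
    return {eap for eap, inner in EAP_INNER.items() if inner in allowed}


if __name__ == "__main__":
    # Constructed sample entries; the {SSHA} value is a placeholder, not a real hash.
    entries = {
        "cn=alice": {"userPassword": "{SSHA}placeholder=="},
        "cn=bob": {"userPassword": "bob-clear-text"},
        "cn=carol": {"userPassword": "{SSHA}placeholder==", "ntPassword": nt_hash("Secret123")},
    }
    for dn, e in entries.items():
        print(f"{dn:10} {classify_ldap_entry(e):13} {sorted(usable_methods(e))}")
    print(ldif_add_nt_hash("cn=alice,ou=people,dc=example,dc=com", "password"))
```

Running it shows that the {SSHA}-only account is usable through EAP-TTLS/PAP alone, the clear-text account through every method, and the account with an added ntPassword through PEAP as well; the printed LDIF is what you would feed to ldapmodify to add the hash (it does need the clear-text password once, which is exactly why a one-way-hashed directory cannot be converted in place).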



------------------------------

Message: 6
Date: Mon, 25 Feb 2008 08:34:27 -0200
From: "Sergio Belkin" <sebelk at gmail.com>
Subject: Re: EAP-PEAP with LDAP for 802.1x authentication
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID:
	<8c6f7f450802250234q1e20e1a1o2b6600a78274e0bd at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

2008/2/25, Ryan <majereryan at gmail.com>:
> Hi All,
>
>  I understand that it is not possible to authenticate using EAP-PEAP
>  against OpenLDAP due to encrypted passwords. Can someone advise on how
>  exactly OpenLDAP needs to be configured so that it can be used with
>  EAP-PEAP?
>
>  I found out from http://vuksan.com/linux/dot1x/802-1x-LDAP.html that
>  to do so additional attributes need to be added to LDAP. Is this the
>  only way?
>
>  Thanks/Regards,
>
> Ryan
>  -
>  List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>
I think that the easiest way is using EAP-TTLS: if you use encrypted
passwords in OpenLDAP, you should use PAP. The problem is that
Windows has no native PAP support, so you should use something like
SecureW2. The other option is the one Ivan Kalik mentioned (something
that I asked many times :)  )
-- 
-- 
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -


------------------------------

Message: 7
Date: Mon, 25 Feb 2008 14:27:56 +0330 (IRST)
From: Zahra Bahar <zahra_bahar at ec.iut.ac.ir>
Subject: radius users update after NAS downing
To: freeradius-users at lists.freeradius.org
Message-ID: <32074850.440031203937076495.JavaMail.root at mta.iut.ac.ir>
Content-Type: text/plain; charset=utf-8

Hi,
We have a FreeRADIUS server for accounting of AS5300 dial users. There is a
problem:
Some users stay in the accounting list when the AS is restarted, and they do not
get a Stop, so they can't dial after that until the admin removes them from the list.
Why does this happen?


------------------------------

Message: 8
Date: Mon, 25 Feb 2008 16:28:29 +0530
From: "Gopinath Reddy N" <gnreddy at gmail.com>
Subject: ldap configuration parameters in radiusd.conf file
To: freeradius-users at lists.freeradius.org
Message-ID:
	<c71dd3900802250258o4654150cwa60a643a284e67e4 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

Does anybody have an idea whether the below parameters are mandatory in the
radiusd.conf file ldap section?

groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = radiusGroupName

I am trying to see whether the LDAP group search functionality can be avoided
using the radiusd.conf file.


Thanks in advance.
regards
-gnr

------------------------------



End of Freeradius-Users Digest, Vol 34, Issue 124
*************************************************




