LDAP PEAPv0/MSCHAPv2 Authentication
Nicholas Cappelletti
nick at switchtower.org
Tue Aug 4 04:27:00 CEST 2009
So, apparently when I have LDAP turned off for authorization in sites-enabled/default I can authenticate properly, but when I uncomment it, I can't. To get LDAP working with FreeRADIUS 2.1.6, LDAP is currently being used for authorization in the inner-tunnels config file, BUT for authentication in the defaults file.
I'm currently not able to do a radtest, but the wireless supplicants work fine...
---
Nick Cappelletti
nick at switchtower.org
"Everyday is a gift and not a given right"
----- Original Message -----
From: "Nicholas Cappelletti" <nick at switchtower.org>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Monday, August 3, 2009 5:54:55 PM GMT -05:00 US/Canada Eastern
Subject: Re: LDAP PEAPv0/MSCHAPv2 Authentication
After a little trial and error, and not changing anything on the wireless client side, I got FreeRADIUS to use mschap, but I'm now getting this error:
[mschap] No MS-CHAP-Challenge in the request
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> nick
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
I didn't have anything in the LDAP database for the user, but once I added radiusAuthType mschap, I am not being rejected, which is better then nothing I guess.
Again, when I'm using the users file, I have no isssue authenticating. Is there something more I have to add to the users to allow this to work. Again, thank for the help and/or guidance.
--Nick
----- Original Message -----
From: "Nicholas Cappelletti" <nick at switchtower.org>
To: tnt at kalik.net, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Sunday, August 2, 2009 7:41:05 AM GMT -05:00 US/Canada Eastern
Subject: Re: LDAP PEAPv0/MSCHAPv2 Authentication
I thought that was interesting also. I did notice that. When my laptop makes a request to the server, when I'm using the users file, it sends the PEAP request as expected. When I enable LAP authentication/authorization, the default eap type is used instead.
I've read through other posts, concerning this matter, and it's suggest to leave the server as 'default' as possible, which I have done.
Would you, or anyone else, suggest changing the default eap type to peap then?
Ivan, I do, very much, appreciate your dedication to the alias and all the work you do on the freeradius project, it seems it's sometimes tireless. :)
--Nick
----- Original Message -----
From: "Ivan Kalik" <tnt at kalik.net>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Sunday, August 2, 2009 3:32:03 AM GMT -05:00 US/Canada Eastern
Subject: Re: LDAP PEAPv0/MSCHAPv2 Authentication
> Okay, 802.1x for wireless works great when I'm using the default config
> files. I use the automatically generated cert and create a few users in
> the users config file.
> And here is is when I configure the modules/ldap. This is with LDAP
> enabled for authentication in the sites-enabled/inner-tunnel with nothing
> else changed:
...
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type md5
> rlm_eap_md5: Issuing Challenge
> ++[eap] returns handled
...
Your server would disagree. It thinks that this is EAP-MD5, not PEAP request.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list