Cleartext-Password not found + CHAP and LDAP
ouioui.bambin
ouioui.bambin at laposte.net
Tue Sep 1 15:36:51 CEST 2009
Hi there
I'm trying to configure my Freeradius (v 1.272) to work with an LDAP server (for a mac-based authentication). Unfortunately, switchs of the LAN send only Access-request to the RADIUS with a CHAP password, so I have to choose CHAP authentication.
I get the mac address from the LDAP and I map it in Cleartext-Password for the CHAP authentication.
LDAP mac addresses are like this "ethernet 00:11:22:33:44" so I have to modify Cleartext-Password before the authentication.
To do this, I have the following configuration:
ldap.attrmap:
...
checkItem Cleartext-Password dhcpHWAddress
...
(dhcpHWAddress being the attribute wich contains the mac-address in the LDAP)
------------------------------------------------------------------------------
sites-enabled/default:
authorize{
chap
ldap
...}
anthenticate{
...
Auth-Type CHAP {
#update control {
# Cleartext-Password := "%{User-Name}"
#}
if ( Cleartext-Password =~ /ethernet ([1-9a-zA-Z:]*)/i ) {
update control {
Cleartext-Password := "%{1}"
}
}
chap
}...
And the right configuration in the radiusd.conf.
My problem is the Cleartext-Password is unknow ("not found") when I want to modify it, but after, during the anthentication, it has its value. Here is the debug (by freeradius -X):
...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=XXX,dc=fr, with filter (XXXXX)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute dhcpHWAddress as RADIUS attribute Cleartext-Password == "ethernet 00:11:XX:XX:XX:XX"
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute dhcpVlan as RADIUS attribute Tunnel-Private-Group-Id:0 = "XXX"
rlm_ldap: user 00:11:XX:XX:XX:XX authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
+- entering group CHAP
++? if (Cleartext-Password =~ /ethernet ([1-9a-ZA-Z:]*)/i )
(Attribute Cleartext-Password was not found)
rlm_chap: login attempt by "00:11:XX:XX:XX:XX" with CHAP password
rlm_chap: Using clear text password "ethernet 00:11:XX:XX:XX:XX" for user 00:11:XX:XX:XX:XX authentication.
rlm_chap: Password check failed
...
Of course if I remove the # before:
#update control {
# Cleartext-Password := "%{User-Name}"
#}
Cleartext-Password takes a new value and all is fine...
I don't understand why the Cleartext-Password take a value from the LDAP, then is not found, and finally contains the value from the LDAP for the authentication...
Could you help me, please?
Thanks
pfaf
----------------------------------------------------------------------------
Laposte.net fête ses 10 ans !
Gratuite, garantie à vie et déjà utilisée par des millions d'internautes...
vous aussi, pour votre adresse e-mail, choisissez laposte.net.
Laposte.net, bien + qu'une messagerie
----------------------------------------------------------------------------
More information about the Freeradius-Users
mailing list