Freeradius 8021x with LDAP
Alan DeKok
aland at deployingradius.com
Wed Jul 18 19:40:20 CEST 2012
Francesc Zacarias wrote:
> We're trying to set up Freeradius with 802.1X. Freeradius should query
> an OpenLDAP server for authentication and check if the user belongs to
> certain groups and return different VLAN IDs depending on that.
Those are two completely independent things. Get them working
independently, they should work together.
> Unfortunately, we're having issues with the LDAP authentication part.
So what did you configure? Did you read
raddb/sites-available/default, and look for "ldap"?
> I'm looking at the ldap queries performed by freeradius it is only
> checking if the user exists. No password check at all.
Read it again. It does this:
> [ldap] looking for check items in directory...
> [ldap] userPassword -> Password-With-Header ==
> "{SASL}testuser4 at SPOTIFY.NET"
> [ldap] looking for reply items in directory...
Is that really the cleartext-password of the user?
Really?
Did you read raddb/sites-available/inner-tunnel, and follow the
instructions at the top (in 2.1.12)?
> This is the output of freeradius -X while using our test laptop:
>
> FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov
> 14 2010 at 21:12:30
Well, upgrading wouldn't hurt.
> Notice the lines:
>
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
You've said that the LDAP server contains cleartext passwords. Yet
the debug log shows it doesn't. And this entry shows the server doesn't
have the cleartext passwords.
Fix that.
> I wonder what is this module doing.
MSCHAP?
Alan DeKok.
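The point Alan is making is that MS-CHAPv2 is a challenge/response over the NT hash (MD4 of the UTF-16LE password), so the RADIUS server must hold either the cleartext password or that hash; an OpenLDAP "{SASL}" pass-through value or a salted SHA digest in userPassword gives it neither, hence "No Cleartext-Password configured". The script below is an added example, not FreeRADIUS code and not from the thread: it splits a Password-With-Header value on its "{header}" prefix, derives the NT hash where it can, and reports which methods the stored form supports. The header table is an assumption about how such prefixes are conventionally read, and the sample entries (including the SSHA placeholder) are constructed.

```python
"""Why rlm_mschap fails against the LDAP entry in the thread above.

MS-CHAPv2 is a challenge/response over the NT hash (MD4 of the UTF-16LE
password), so the RADIUS server must hold either the cleartext password or
that hash; a salted SHA digest or an OpenLDAP {SASL} pass-through entry gives
it neither.  This standalone script models that requirement.  It is an added
example, not FreeRADIUS code: the header table below is an assumption about
how a {header} prefix on userPassword is interpreted, and the sample entries
are constructed.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(v: int, s: int) -> int:
    return ((v << s) | (v >> (32 - s))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); present because OpenSSL 3 ships MD4 only
    in its legacy provider, so hashlib.new("md4") may be unavailable."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4                  # target register cycles a, d, c, b
                x, y, z = r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4]
                r[t] = _rotl((r[t] + fn(x, y, z) + X[k] + const) & MASK, shifts[i % 4])
        state = [(s + v) & MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT-Password as MS-CHAP needs it: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


# Assumed mapping of userPassword {header} -> (attribute, PAP usable, MS-CHAP usable).
# Anything not listed (e.g. OpenLDAP's {SASL} pass-through) yields no password
# the RADIUS server can check itself.
HEADERS = {
    "clear":     ("Cleartext-Password", True, True),
    "cleartext": ("Cleartext-Password", True, True),
    "nt":        ("NT-Password",        True, True),
    "ssha":      ("SSHA-Password",      True, False),
    "sha":       ("SHA-Password",       True, False),
    "smd5":      ("SMD5-Password",      True, False),
    "md5":       ("MD5-Password",       True, False),
    "crypt":     ("Crypt-Password",     True, False),
}


def split_header(value: str):
    """'{SSHA}abc' -> ('ssha', 'abc'); a value with no header is taken as cleartext."""
    if value.startswith("{") and "}" in value:
        hdr, _, rest = value[1:].partition("}")
        return hdr.lower(), rest
    return "clear", value


def classify(password_with_header: str) -> dict:
    """Report what the stored form lets the server verify, and the NT hash if derivable."""
    hdr, rest = split_header(password_with_header)
    info = {"header": hdr, "attribute": None, "pap": False, "mschap": False, "nt_password": None}
    if hdr not in HEADERS:
        return info                           # the "No Cleartext-Password configured" case
    attr, pap, mschap = HEADERS[hdr]
    info.update(attribute=attr, pap=pap, mschap=mschap)
    if attr == "Cleartext-Password":
        info["nt_password"] = nt_hash(rest).hex()
    elif attr == "NT-Password":
        info["nt_password"] = rest.lower()
    return info


if __name__ == "__main__":
    # Constructed sample entries; the first mirrors the shape of the one in the debug log.
    for entry in ("{SASL}testuser4@example.net",
                  "{SSHA}ZGVhZGJlZWY=",
                  "{clear}password",
                  "{nt}8846F7EAEE8FB117AD06BDD830B7586C",
                  "password"):
        c = classify(entry)
        print(f"{entry:45} PAP={c['pap']!s:5} MS-CHAP={c['mschap']!s:5} NT={c['nt_password']}")
```

Run as-is to see the table: only the cleartext and {nt} forms produce an NT hash, which is the same conclusion the debug log reaches. The practical options it implies are to store cleartext or an NT hash in the directory (in the "{nt}" form, if that is acceptable in your environment), or to choose an inner method that can work with what the directory holds (PAP inside EAP-TTLS against the LDAP bind) rather than MS-CHAPv2.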