captive portal auth with freeradius

Chitrang Srivastava chitrang.srivastava at gmail.com
Fri Apr 19 17:29:57 CEST 2013


I am using Microsoft 2003 Active Directory Server, the way wifi (MSCHAPv2)
works is with ntlm_auth, which does the authentication.
 - your LDAP module isn't setting Auth-Type for some reason
   This is happening because of
   http://lists.freeradius.org/pipermail/freeradius-users/2008-May/027962.html
   and if I do it the way it's suggested, Auth-Type gets set to ldap_secondary.
   If this works, how is this going to be solved, because what I saw is that it
   still doesn't do MSCHAPv2.

The way it works with wifi or radtest is: Auth-Type is set to EAP (it
refers to eap.conf), it goes to the mschap modules (set up TLS channel and
then under that), from there it's told to use the external program ntlm_auth,
which does the authentication and tells radius if it's OK or not.

What I was trying is to get a similar way working with the captive portal as
well.



On Fri, Apr 19, 2013 at 7:29 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:

> On Fri, Apr 19, 2013 at 06:15:09PM +0530, Chitrang Srivastava wrote:
> > tried what Matthew suggested, in authorize section and it worked. Whole
> > issue is captive portal is sending a non-EAP message with User-Password
> > set, in this case we have to set auth type as ldap.
>
> It's obvious from your debug output that
>
>  - your LDAP module isn't setting Auth-Type for some reason
>  - your LDAP server isn't returning any sort of password (plain or
>    crypted)
>
> and therefore you probably need to try and do that horrible hack
> of binding to the LDAP server to auth. Really, Alan is right -
> LDAP is not an authentication server, even though lots of people
> seem to think it is.
>
> Hence the suggestion to "fix" your problem by setting Auth-Type,
> iff it has not already been set, when not doing EAP and
> User-Password is supplied.
>
> The best solution is to fixup your LDAP server to return the
> crypted password back to FreeRADIUS. Like already pointed out, if
> it's AD, this isn't likely to happen.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
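
The workaround described in the quoted reply above (set Auth-Type only if it has not already been set, the request is not EAP, and User-Password is supplied), written out as an unlang fragment. This is an added example, not configuration posted in the thread; it assumes FreeRADIUS 2.x syntax, an LDAP module instance named `ldap`, and the stock `preprocess` and `eap` entries.

```unlang
# Added example (assumptions: FreeRADIUS 2.x, LDAP module instance "ldap").
authorize {
    preprocess

    # Wifi / radtest path: EAP requests are claimed here and never
    # reach the condition below.
    eap {
        ok = return
    }

    ldap

    # Captive portal path: a non-EAP request carrying User-Password.
    # Force LDAP bind authentication only when no earlier module has
    # already chosen an Auth-Type.
    if (!control:Auth-Type && !EAP-Message && User-Password) {
        update control {
            Auth-Type := LDAP
        }
    }
}

authenticate {
    # Bind to the directory as the user with the supplied password.
    Auth-Type LDAP {
        ldap
    }

    # Unchanged EAP path (eap.conf -> mschap -> ntlm_auth).
    eap
}
```

With this fragment the portal request is checked by an LDAP bind, so the user's cleartext password travels from FreeRADIUS to the directory and that connection should be TLS-protected. Requests carrying EAP-Message are excluded by the condition, so the wifi path is unaffected.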