Fwd: LDAP + CHAP

Adam Seed adamjseed at gmail.com
Mon Mar 3 11:21:12 CET 2014


Hi Alan,

That same wiki says 'The ldap module can only work with PAP passwords since
it needs to send the clear text user password to the LDAP server to
authenticate the user.' I might be misunderstanding, as I'm new to RADIUS,
but that doesn't sound too positive. Anyway... I'm hoping to find a workaround.

So I checked my sites-enabled/default and it does have the LDAP module
listed:
(I stripped out the comments and highlighted the bits I changed)
--------------------------------------------------------
authorize {
#       auth_log
        chap
        mschap
        digest
#       wimax
#       IPASS
        suffix
        eap {
                ok = return
        }
#       unix
*#       files*
#       sql
#       etc_smbpasswd
*        ldap*
#       daily
#       checkval

        expiration
        logintime
        pap
#       Autz-Type Status-Server {
#
#       }
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
#       pam
        unix
*        Auth-Type LDAP {*
*                ldap*
*        }*
#       Allow EAP authentication.
        eap
#       Auth-Type eap {
#               eap {
#                       handled = 1
#               }
#               if (handled && (Response-Packet-Type == Access-Challenge)) {
#                       attr_filter.access_challenge.post-auth
#               }
#       }
}
--------------------------------------------------------

In addition here is the output of my debug:
--------------------------------------------------------
rad_recv: Access-Request packet from host 10.x.x.100 port 62061, id=2,
length=50
        User-Name = "adamjseed"
        CHAP-Password = 0x84bafb904d422b61c5bd8dcf5c2d4xxxx
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "adamjseed", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for adamjseed
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> adamjseed
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=adamjseed)
[ldap]  expand: dc=example,dc=com -> dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=example,dc=com, with filter (uid=adamjseed)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header ==
"{MD5}1hkMdaNUxxbUu/hufTrjtQ=="
[ldap] looking for reply items in directory...
[ldap] user adamjseed authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "adamjseed" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> adamjseed
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 2 to 10.x.x.100 port 62061
--------------------------------------------------------

Any assistance is greatly welcomed.


On Mon, Mar 3, 2014 at 9:21 AM, Alan DeKok <aland at deployingradius.com> wrote:

> Adam Seed wrote:
> > I have a freeradius server set up which uses an openLDAP backend for its
> > users and groups. While it works fine for PAP passwords, it seems most
> > clients are wanting to use CHAP. I have read that CHAP passwords will
> > not work
>
>   Where?
>
> > however on the FAQ it says: 'There are however provisions to
> > extract the user password from the LDAP and make it available to the
> > server core and the chap module' (http://wiki.freeradius.org/guide/faq).
> > How is this done/setup?
>
>   You configure the LDAP module, and make sure it's listed in
> sites-enabled/default, in the "authorize" section.
>
>   FreeRADIUS will pull the password from the database, and authenticate
> the user.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
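Added illustration (not code from the thread, the FreeRADIUS project, or OpenLDAP) of why the debug output above ends in "Cleartext-Password is required": PAP sends the typed password, so the server can hash it with whatever scheme the LDAP `userPassword` header names ({MD5} here) and compare; CHAP instead sends MD5(id || password || challenge), which the server can only recompute if it holds the password itself. The sample entry, the challenge bytes and the helper names (`pap_check`, `cleartext_from_ldap`, `chap_check`, `simulate`) are constructed for this example; the `{MD5}` value in the thread is not reused.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample entry (not the hash from the thread): an OpenLDAP
# userPassword stored with the {MD5} scheme, as the debug output shows.
SAMPLE_CLEARTEXT = b"correct horse"
SAMPLE_USER_PASSWORD = "{MD5}" + base64.b64encode(
    hashlib.md5(SAMPLE_CLEARTEXT).digest()).decode()


def split_header(user_password: str):
    """Split a userPassword value into (scheme, payload); scheme is None
    when the value carries no {...} header."""
    if user_password.startswith("{") and "}" in user_password:
        scheme, _, payload = user_password[1:].partition("}")
        return scheme.upper(), payload
    return None, user_password


def pap_check(user_password: str, candidate: bytes) -> bool:
    """PAP: the server has the cleartext the client typed, so it can hash it
    with the stored scheme and compare. This is why PAP works against {MD5}."""
    scheme, payload = split_header(user_password)
    if scheme in (None, "CLEAR", "CLEARTEXT"):
        return hmac.compare_digest(payload.encode(), candidate)
    stored = base64.b64decode(payload)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(candidate).digest(), stored)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), stored)
    raise ValueError(f"unsupported password scheme {scheme}")


def cleartext_from_ldap(user_password: str) -> Optional[bytes]:
    """What a server could hand to the chap module as Cleartext-Password:
    the stored value only when it is unhashed, otherwise nothing."""
    scheme, payload = split_header(user_password)
    if scheme in (None, "CLEAR", "CLEARTEXT"):
        return payload.encode()
    return None  # a digest cannot be turned back into the password


def chap_response(chap_id: int, cleartext: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge).
    In RADIUS the challenge is the CHAP-Challenge attribute, or the 16-byte
    Request Authenticator when that attribute is absent (RFC 2865)."""
    return hashlib.md5(bytes([chap_id]) + cleartext + challenge).digest()


def chap_check(chap_password: bytes, challenge: bytes,
               cleartext: Optional[bytes]) -> bool:
    """Server-side CHAP verification. The RADIUS CHAP-Password attribute is
    a 1-byte CHAP identifier followed by the 16-byte response. Without the
    cleartext there is nothing to recompute the MD5 over, so the check fails
    (the 'Cleartext-Password is required' path in the debug output)."""
    if cleartext is None or len(chap_password) != 17:
        return False
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, cleartext, challenge)
    return hmac.compare_digest(expected, response)


def simulate(user_password: str, typed: bytes, challenge: bytes) -> dict:
    """Run both authentication methods against one LDAP entry."""
    client_chap = bytes([1]) + chap_response(1, typed, challenge)
    return {
        "pap": pap_check(user_password, typed),
        "chap": chap_check(client_chap, challenge,
                           cleartext_from_ldap(user_password)),
    }


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed stand-in for the Request Authenticator
    print(simulate(SAMPLE_USER_PASSWORD, SAMPLE_CLEARTEXT, challenge))  # pap True, chap False
    print(simulate("{clear}correct horse", SAMPLE_CLEARTEXT, challenge))  # pap True, chap True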