Problem with freeradius and LDAP: crypt and MD5 password
Stefan Paetow
Stefan.Paetow at jisc.ac.uk
Mon Apr 13 11:29:25 CEST 2015
> One more question, in freeradius 2.1.12, can I get the authentication
> result from the bind result?
What do you mean by 'can I get the authentication result'? If you can bind successfully to the LDAP directory with the username and password, then that's success. With FreeRADIUS 3.x, it's a *lot* simpler to use LDAP bind-as-user than with 2.1.12, and the article you referenced refers to FR 3.x.
Look at your inner-tunnel file (in sites-enabled):
- What have you got in the 'authorize' section?
You should place something like this in it (after the pap entry):
    if (User-Password) {
        update control {
            Auth-Type := ldap
            Ldap-UserDN := "uid=%{User-Name},ou=people,dc=unex,dc=es"
        }
    }
- What have you got in the 'authenticate' section? Do you have something called 'Auth-Type PAP' there?
In that entry you have a single line: 'pap'. Comment it out, then put 'ldap' in its place.
You should also have a set of commented-out entries like so:
    # Auth-Type LDAP {
    #     ldap
    # }
Remove the comment from the line that says 'ldap'.
Then, in the eap.conf file, look for the first 'default_eap_type' line. It may be set to 'md5'. Set that to 'ttls'. That sets the default type of EAP to TTLS. Then scroll down to find a line that starts with 'ttls {' (should be around line 500). There's another 'default_eap_type' there. That is probably also set to 'md5'. You can set that to 'gtc', which gives you EAP-GTC, which in turn gives you PAP.
Now, to test this, try the following on the FreeRADIUS server itself (while it is running in debug mode, i.e. 'radiusd -X'):
    radtest -t pap aigallardo your_password 127.0.0.1:18120 1 testing123
You *should* see it bind correctly... If it binds correctly, then use eapol_test (see http://deployingradius.com/scripts/eapol_test/) to test the full end-to-end system. If it does not bind correctly, post the *full* debug output so we can have a look.
:-)
Stefan Paetow
Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
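
The edits described in the message above can be checked mechanically before starting 'radiusd -X'. The following is an added example, not part of the original post and not FreeRADIUS code: a small Python checker that parses the brace-nested configuration and reports which of the described settings are missing or still at their old value. The names SAMPLE, REQUIRED, parse and check are hypothetical, and the configuration excerpt is constructed for the example.

```python
import re
# Constructed excerpts of inner-tunnel and eap.conf after the edits (not from the post).
SAMPLE = '''
authorize {
    if (User-Password) {
        update control {
            Auth-Type := ldap
        }
    }
}
authenticate {
    Auth-Type PAP {
        # pap
        ldap
    }
}
eap {
    default_eap_type = ttls
    ttls {
        default_eap_type = gtc
    }
}
'''

REQUIRED = [  # (enclosing section, innermost section, statement regex, must be present)
    ("authorize", "update control", r"Auth-Type\s*:=\s*ldap", True),
    ("authenticate", "Auth-Type PAP", r"ldap", True),
    ("authenticate", "Auth-Type PAP", r"pap", False),  # must stay commented out
    ("eap", "eap", r"default_eap_type\s*=\s*ttls", True),
    ("eap", "ttls", r"default_eap_type\s*=\s*gtc", True),
]

def parse(text):
    """Return (section_path, statement) for every active line; '#' comments are dropped."""
    path, out = [], []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).strip()
        if line.endswith("{"):
            path.append(line[:-1].strip())   # entering a named section
        elif line == "}":
            path.pop()                       # leaving the current section
        elif line:
            out.append((tuple(path), line))
    return out

def check(text):
    """Return the REQUIRED rows that the config text violates (empty list = all edits in)."""
    stmts = parse(text)
    return [r for r in REQUIRED if r[3] != any(
        r[0] in p and p[-1] == r[1] and re.fullmatch(r[2], s) for p, s in stmts)]
```

To run it against real files, pass the concatenated contents of the inner-tunnel and eap.conf files to check(); the comment stripping is simplified and assumes no '#' inside quoted strings.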