Authentication with ldap support

Marco MIGLIETTA marco.miglietta at unisalento.it
Wed Mar 31 00:51:24 CEST 2021


Thank you Michael, I had a look at the ldap config file. I think that it could
be ok.
However, I ran a test that fails, and in debug mode I got the following
result at the end, with the error...

mschap: ERROR: MS-CHAP2-Response is incorrect

I have just learned that passwords are stored in md5 format in the ldap's db,
and probably this is the problem... but also its end (and mine) :-)

What do you think ?
Thanks.
Marco.


(41)       [ldap] = ok
(41)       [expiration] = noop
(41)       [logintime] = noop
(41) pap: WARNING: Auth-Type already set.  Not setting to PAP
(41)       [pap] = noop
(41)     } # authorize = updated
(41)   Found Auth-Type = eap
(41)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(41)     authenticate {
(41) eap: Expiring EAP session with state 0xc9668664c96f9c89
(41) eap: Finished EAP session with state 0xc9668664c96f9c89
(41) eap: Previous EAP request found for state 0xc9668664c96f9c89, released from the list
(41) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(41) eap: Calling submodule eap_mschapv2 to process data
(41) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(41) eap_mschapv2:   authenticate {
(41) mschap: Found Cleartext-Password, hashing to create NT-Password
(41) mschap: Found Cleartext-Password, hashing to create LM-Password
(41) mschap: Creating challenge hash with username: marco.miglietta at unisalento.it
(41) mschap: Client is using MS-CHAPv2
(41) mschap: ERROR: MS-CHAP2-Response is incorrect
(41)     [mschap] = reject
(41)   } # authenticate = reject




On Tue 30 Mar 2021 at 12:40 Michael Schwartzkopff <ms at sys4.de>
wrote:

> On 30.03.21 12:25, Marco Miglietta wrote:
> > Thank you Alan. I hope in a short time to become a little expert with
> > freeradius while I try to solve daily problems.
> > I would like to use freeradius for authentication, and only to verify the
> > user password against the one that is in the external ldap that I bind to.
> > Where do I have to operate, what are the config files involved?
> > Do you have any suggestions ?
> > Thank you v.m.
> >
> > Marco.
> >
> Hi,
>
>
> freeradius has a nice LDAP module. Please read the comments in the
> config file. Then try an ldapsearch manually. If that succeeds, you know
> all parameters that you have to configure in the ldap module of freeradius.
>
> Doc also:
> https://networkradius.com/doc/3.0.10/raddb/mods-available/ldap.html
>
>
> Greetings,
>
>
> Michael
>
>
> >
> >
> > On 24/03/21 12:39, Alan DeKok wrote:
> >> On Mar 24, 2021, at 7:15 AM, Marco Miglietta
> >> <marco.miglietta at unisalento.it> wrote:
> >>> In order to solve the problem in passing VLAN related attribute
> >>> during 802.1x authentication with Aruba AP, I found the post below
> >>> useful.
> >>> But this caused problems with VLAN assignment on Junipers switches
> >>> during the 802.1x authentication process.
> >>> What is a way to solve the problem? The solutions seem to be
> >>> mutually exclusive.
> >>    There is not a unique "the problem" which is being solved.
> >> Instead, there is a whole grab-bag of issues.
> >>
> >>    IF you want to apply policies based on "real" name, THEN for PEAP
> >> / TTLS, that real name is only available in the inner tunnel.  AND
> >> THEN you have to apply the policies in the inner tunnel, and then
> >> copy the results to the outer reply.
> >>
> >>    IF you want to apply policies based on things like MAC addresses,
> >> THEN those addresses are always available (you don't need
> >> inner-tunnel). AND THEN you can just apply policies in the "default"
> >> outer virtual server.
> >>
> >>    There is no "magic set of incantations" which will make FreeRADIUS
> >> do what you want.  You have to understand what's going on, including
> >> understanding how FreeRADIUS works.  And only then can you configure
> >> the server to do it.
> >>
> >>    Alan DeKok.
> >>
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >
> >
>
> Kind regards,
>
> --
>
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>
> Registered office: München, Amtsgericht München: HRB 199263
> Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Chairman of the supervisory board: Florian Kirstein
>
