Authentication with ldap support

Michael Schwartzkopff ms at sys4.de
Wed Mar 31 08:59:27 CEST 2021


On 31.03.21 00:51, Marco MIGLIETTA wrote:
> Thank you Michael, I had a look at the ldap config file. I think that it could
> be ok.
> However I made a test that fails and in debug mode I had the following
> result in the final part with error...
>
> mschap: ERROR: MS-CHAP2-Response is incorrect
>
> I have just learned that passwords are stored in md5 format in the ldap's db
> and probably this is the problem... but also its end (and mine) :-)
>
> What do you think ?
> Thanks.
> Marco.

Hashed passwords do not work with CHAP mech. See:

http://deployingradius.com/documents/protocols/compatibility.html




>
> (41)       [ldap] = ok
> (41)       [expiration] = noop
> (41)       [logintime] = noop
> (41) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (41)       [pap] = noop
> (41)     } # authorize = updated
> (41)   Found Auth-Type = eap
> (41)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (41)     authenticate {
> (41) eap: Expiring EAP session with state 0xc9668664c96f9c89
> (41) eap: Finished EAP session with state 0xc9668664c96f9c89
> (41) eap: Previous EAP request found for state 0xc9668664c96f9c89, released
> from the list
> (41) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (41) eap: Calling submodule eap_mschapv2 to process data
> (41) eap_mschapv2: # Executing group from file
> /etc/raddb/sites-enabled/inner-tunnel
> (41) eap_mschapv2:   authenticate {
> (41) mschap: Found Cleartext-Password, hashing to create NT-Password
> (41) mschap: Found Cleartext-Password, hashing to create LM-Password
> (41) mschap: Creating challenge hash with username:
> marco.miglietta at unisalento.it
> (41) mschap: Client is using MS-CHAPv2
> (41) mschap: ERROR: MS-CHAP2-Response is incorrect
> (41)     [mschap] = reject
> (41)   } # authenticate = reject
>
>
>
>
> On Tue 30 Mar 2021 at 12:40 Michael Schwartzkopff <ms at sys4.de>
> wrote:
>
>> On 30.03.21 12:25, Marco Miglietta wrote:
>>> Thank you Alan. I hope in a short time to become a little expert with
>>> freeradius while I try to solve daily problems.
>>> I would like to use freeradius for authentication and only to verify the user
>>> password against the one that is in the external ldap that I bind.
>>> Where do I have to operate, what are the involved config files?
>>> Do you have any suggestions ?
>>> Thank you v.m.
>>>
>>> Marco.
>>>
>> Hi,
>>
>>
>> freeradius has a nice LDAP module. Please read the comments in the
>> config file. Then try an ldapsearch manually. If that succeeds, you know
>> all parameters that you have to configure in the ldap module of freeradius.
>>
>> Doc also:
>> https://networkradius.com/doc/3.0.10/raddb/mods-available/ldap.html
>>
>>
>> Greetings,
>>
>>
>> Michael
>>
>>
>>>
>>> On 24/03/21 12:39, Alan DeKok wrote:
>>>> On Mar 24, 2021, at 7:15 AM, Marco Miglietta
>>>> <marco.miglietta at unisalento.it> wrote:
>>>>> In order to solve the problem in passing VLAN related attribute
>>>>> during 802.1x authentication with Aruba AP, I found the post below
>>>>> useful.
>>>>> But this caused problems with VLAN assignment on Junipers switches
>>>>> during the 802.1x authentication process.
>>>>> What is a way to solve the problem? The solutions seem to be
>>>>> mutually exclusive.
>>>>    There is not a unique "the problem" which is being solved.
>>>> Instead, there is a whole grab-bag of issues.
>>>>
>>>>    IF you want to apply policies based on "real" name, THEN for PEAP
>>>> / TTLS, that real name is only available in the inner tunnel.  AND
>>>> THEN you have to apply the policies in the inner tunnel, and then
>>>> copy the results to the outer reply.
>>>>
>>>>    IF you want to apply policies based on things like MAC addresses,
>>>> THEN those addresses are always available (you don't need
>>>> inner-tunnel). AND THEN you can just apply policies in the "default"
>>>> outer virtual server.
>>>>
>>>>    There is no "magic set of incantations" which will make FreeRADIUS
>>>> do what you want.  You have to understand what's going on, including
>>>> understanding how FreeRADIUS works.  And only then can you configure
>>>> the server to do it.
>>>>
>>>>    Alan DeKok.
>>>>
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>>


Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Board of directors: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
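As an added illustration of the point made in this thread (example code written for this page, not part of the thread or of FreeRADIUS), the Python below parses RFC 2307 style LDAP userPassword values, verifies a PAP-supplied cleartext against them, and reports which RADIUS authentication types a given directory entry can satisfy. The sample entries are constructed, and the sambaNTPassword attribute name used for a stored NT hash is an assumption.

```python
import base64
import hashlib
import hmac

def parse_user_password(value):
    """Split an RFC 2307 userPassword value into (SCHEME, payload); no prefix means cleartext."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return "CLEARTEXT", value

def make_user_password(scheme, password, salt=b""):
    """Build a hashed userPassword value; used here only to construct sample data."""
    pw = password.encode("utf-8")
    if scheme == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode()
    if scheme == "SSHA":
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme: " + scheme)

def pap_check(stored, candidate):
    """PAP: the NAS delivers the cleartext, so any stored hash scheme can be recomputed and compared."""
    scheme, payload = parse_user_password(stored)
    cand = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode("utf-8"), cand)
    raw = base64.b64decode(payload)
    if scheme == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(cand).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    raise ValueError("unsupported scheme: " + scheme)

def usable_auth_types(entry):
    """CHAP needs the cleartext; MS-CHAPv2 (plain or inside EAP) needs the cleartext or the NT hash."""
    scheme, _ = parse_user_password(entry["userPassword"])
    types = {"PAP"}
    if scheme == "CLEARTEXT":
        types |= {"CHAP", "MS-CHAPv2"}
    elif "sambaNTPassword" in entry:  # assumed attribute name for a stored NT hash (MD4 of UTF-16LE pw)
        types.add("MS-CHAPv2")
    return types

SAMPLE_ENTRIES = {  # constructed entries, not from the thread; the NT hash value is a placeholder
    "md5only": {"userPassword": "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ=="},  # md5("secret")
    "withnt": {"userPassword": make_user_password("SSHA", "secret", b"s4lt"),
               "sambaNTPassword": "PLACEHOLDER-NT-HASH"},
}
```

An entry that holds only an {MD5} digest can serve PAP and nothing else, which is why an EAP-MSCHAPv2 inner tunnel backed by such a directory ends in the MS-CHAP2-Response error shown in the log.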


