For the moment I use Freeradius with EAP-TTLS and it works fine...now
I'd like to get users' credentials from an existing LDAP database.
The LDAP server sends me a valid MD5 hashed password but I think
something failed in my users file configuration.
Does someone have such a working configuration? If so, can you send a
copy?
Thanks.
Bye.
--
---------------------------
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---------------------------
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---------------------------
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Christophe Saillard writes:
> For the moment I use Freeradius with EAP-TTLS and it works fine...now
> I'd like to get users credentials form an existing LDAP database.
>
> The LDAP server sends me a valable MD5 hashed password but I think
> something failed in my users file configuration.
You should run the server in debug mode and check the output. I use this
command:
radiusd -Xxxx 2>&1 | tee logfile
> Does someone have such a working configuration ? If so, can you send a
> copy ?
modules {
    ldap {
        server = "localhost"
        basedn = "ou=employees,dc=org,dc=tld"
        filter = "(PrincipalName=%{User-Name})"
        start_tls = no
    }
[...]
authorize {
    preprocess
    auth_log
    attr_rewrite
    suffix
    group {
        # the files also activates EAP for user anonymous
        files {
            notfound = 1
            ok = return
        }
        ldap
    }
}
authenticate {
    Auth-Type EAP {
        eap
    }
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
}
In the users file I have:
########################################################
# User anonymous and anonymous@realm should be allowed #
# activate eap for them                                #
########################################################
anonymous	Auth-Type := EAP
########################################################
# Accounting fix for AP                                #
# LDAP authentication for local users                  #
########################################################
DEFAULT	Realm == org.tld, Freeradius-Proxied-To == 127.0.0.1
	User-Name = `%{User-Name}`,
	Fall-Through = yes
DEFAULT	Realm == org.tld, Auth-Type := LDAP, Ldap-UserDN := `PrincipalName=%{User-Name},ou=employees,dc=org,dc=tld`, Freeradius-Proxied-To == 127.0.0.1
--
Best regards,
Rok Papez.
I think I'm not far from the end but I still have problems.
Here's the debug logs :
[...]
Fri Jun 18 14:11:17 2004 : Debug: rlm_ldap: performing search in dc=u-strasbg,dc=fr, with filter (uid=csaillard)
request 6 done
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: Added password $1$QEnpt.4f$nixixczJ/xu0CnyuvaTLV/ in check items
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for check items in directory...
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for reply items in directory...
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: user csaillard authorized to use remote access
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jun 18 14:11:31 2004 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall[authorize]: module "ldap" returns ok for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall: group authorize returns updated for request 4
Fri Jun 18 14:11:31 2004 : Debug: rad_check_password: Found Auth-Type EAP
Fri Jun 18 14:11:31 2004 : Debug: auth: type "EAP"
Fri Jun 18 14:11:31 2004 : Debug: Processing the authenticate section of radiusd.conf
Fri Jun 18 14:11:31 2004 : Debug: modcall: entering group Auth-Type for request 4
Fri Jun 18 14:11:31 2004 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 4
Fri Jun 18 14:11:31 2004 : Debug: rlm_eap: Request not found in the list
Fri Jun 18 14:11:31 2004 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Fri Jun 18 14:11:31 2004 : Debug: rlm_eap: Failed in handler
Fri Jun 18 14:11:31 2004 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall[authenticate]: module "eap" returns invalid for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall: group Auth-Type returns invalid for request 4
Fri Jun 18 14:11:31 2004 : Debug: auth: Failed to validate the user.
[...]
I use TTLS/PAP for authentication, so you can see that the LDAP server
sends an MD5 hashed password...but I'm not sure that's what I need....
Could you tell me what kind of EAP method you use, with what type of
password hash?
Thanks for help!
Bye.
Did you try running it in debugging mode, as suggested in the FAQ,
README, INSTALL, and daily on this list?
> Does someone have such a working configuration ? If so, can you send a
> copy ?
Since no one knows what you're really trying to do. I doubt anyone
will send you a configuration.
Follow the documented instructions for running the server and asking
questions on this list.
Alan DeKok.
And you set "Auth-Type = EAP". DON'T DO THAT.
The "eap.conf" file has BIG HUGE COMMENTS saying DON'T DO THAT. It
really means DON'T DO THAT.
You're doing the exact opposite of what the documentation says, and
as a result, it's not working. You might try following the
recommendations of the server, which WILL allow it to work.
Alan DeKok.
Ok. Sorry for being such a fool...
Here's what I want to do :
For the moment I've a running freeradius EAP-TTLS/PAP configuration which
works fine.
Now I'd like to get credentials from an existing LDAP user storage instead
of the Freeradius "users" file
(I store MD5 hashed password to have PAP compatibility).
The Ldap bind is ok and I got correct uid and password when I launch an
802.1X request from a laptop client.
But there are some particular things I need to know:
- how do I have to store password in the LDAP database (because I'd like
to use TTLS/PAP): crypt/MD5 hashed, clear text?
- what do I have to put in the "users" file? (I know that auth-type :=
EAP is wrong)
- if it's not possible to have TTLS/PAP authentication what else can I do
(PEAP/Mschapv2 ...)?
I hope my questions are not too stupid.
Thanks.
That shouldn't be a problem.
> (I store MD5 hashed password to have PAP compatibility).
That will make CHAP & MS-CHAP not work.
> The Ldap bind is ok and I got correct uid and password when I launch
> a 802.1X request from a laptop client.
I'm not sure what you mean by that.
> But there's some particular things I need to know :
> - how do I have to store password in the LDAP database (because I'd like
> to use TTLS/PAP) : crypt/MD5 hashed, clear text ?
MD5 is fine if you're only doing PAP authentication.
> - what do I have to put in the "users" file ? (I know that auth-type :=
> EAP is wrong) ?
Don't put anything in the "users" file.
> - if it's not possible to have TTLS/PAP authentication what can I do else
> (PEAP/Mschapv2 ...) ?
TTLS/PAP is possible.
Alan DeKok.
Christophe Saillard writes:
> And you set "Auth-Type = EAP". DON'T DO THAT.
I do that ;). I prefer to manually set EAP when user tries to identify as
"anonymous@.*". Users are *NOT* allowed to use any other authentication
method :).
> For the moment I've a running freeradius EAP-TTLS/PAP configuration
> which works fine.
>
> Now I'd like to get credentials from an existing LDAP user storage
> instead of the Freeradius "users" file (I store MD5 hashed password to
> have PAP compatibility).
1. It would be nice to see relevant parts of the config file
2. The `radiusd -Xxxx 2>&1 | tee logfile` output
> But there's some particular things I need to know :
> - how do I have to store password in the LDAP database (because I'd like
> to use TTLS/PAP) : crypt/MD5 hashed, clear text ?
That's an LDAP thingy.. Here is an example of ldap diff entry for userPassword:
userPassword: {crypt}$1$dK1Zl.Qp$khF3af1c7Te0cSf2w/tZO0
All you need is a type prefix in {...} and then a password hash. This is a perl
code snippet that creates these hashes:
my $pass = '{crypt}' . crypt($plaintext_password, '$1$' . join("", ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64]) . '$');
The hash is the same kind as used in a /etc/shadow file. Check the crypt() man page
for details.
=====================================
And this is in my radiusd.conf file:
modules {
    pap {
        encryption_scheme = clear
    }
    # this is for the "files", passwords are plaintext there :)
    ldap {
        server = "localhost"
        basedn = "ou=users,dc=org,dc=tld"
        filter = "(attribWithUserName=%{User-Name})"
        start_tls = no
    }
...
authenticate {
    Auth-Type EAP {
        eap
    }
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
}
> - what do I have to put in the "users" file ? (I know that auth-type :=
> EAP is wrong) ?
In contrary to Alans advice O;-), I have this:
########################################################
# User anonymous and anonymous@realm should be allowed #
# activate eap for them                                #
DEFAULT	User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]@.*$", Auth-Type := EAP
########################################################
# Users with a NULL realm should be rejected           #
DEFAULT	Realm == NULL, Auth-Type := Reject
	Fall-Through = No
########################################################
# 1. Accounting fix for AP                             #
# 2. a static username files_test for testing          #
# 3. LDAP authentication for local users               #
DEFAULT	Realm == org.tld, Freeradius-Proxied-To == 127.0.0.1
	User-Name = `%{User-Name}`,
	Fall-Through = yes
files_test	Realm == org.tld, User-Password == "<secret>"
DEFAULT	Realm == org.tld, Auth-Type := LDAP, Ldap-UserDN := `attribWithUserName=%{User-Name},ou=users,dc=org,dc=tld`, Freeradius-Proxied-To == 127.0.0.1
Do notice, that I use the users username/password to bind to LDAP. This is done with the "Ldap-UserDN" item.
> - if it's not possible to have TTLS/PAP authentication what can I do
> else (PEAP/Mschapv2 ...) ?
TTLS/PAP is working :). For MsCHAP you won't be able to use SecureW2 and
you'll need to have plaintext passwords in LDAP.
> I hope my questions are not to stupid.
Radius configuration is not simple. The documentation is still lacking and
you simply have to "learn as you go" ;). So don't feel like you are asking
stupid questions.
--
Best regards,
Rok Papez.
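Added example, not code from this thread or from FreeRADIUS: a pure-Python MD5-crypt (the same $1$ scheme as crypt(3) and /etc/shadow) that builds the {crypt} userPassword value described above and performs the check rlm_pap can do against it for a TTLS/PAP inner request; it also shows why CHAP/MS-CHAP cannot be checked against such a value. The password and salt values are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5_crypt(password: str, salt: str) -> str:
    """Classic MD5-crypt ($1$), the scheme behind the {crypt} values in the thread."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for i in range(len(pw), 0, -16):          # one byte of alt per password byte
        ctx.update(alt[:min(i, 16)])
    i = len(pw)
    while i:                                   # bit-by-bit mixing of pw length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # deliberately slow stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = ""
    for a, b, d in groups:                     # 16 digest bytes -> 22 itoa64 chars
        v = (final[a] << 16) | (final[b] << 8) | final[d]
        for _ in range(4):
            out, v = out + ITOA64[v & 0x3F], v >> 6
    v = final[11]
    for _ in range(2):
        out, v = out + ITOA64[v & 0x3F], v >> 6
    return "$1$" + sl.decode() + "$" + out


def ldap_userpassword(password: str, salt: str = "") -> str:
    """Value for the LDAP userPassword attribute: {crypt} prefix plus the hash."""
    salt = salt or "".join(secrets.choice(ITOA64) for _ in range(8))
    return "{crypt}" + md5_crypt(password, salt)


def pap_check(stored: str, candidate: str) -> bool:
    """PAP check: re-hash the candidate with the stored salt and compare.
    CHAP/MS-CHAP need the clear text or NT hash, which cannot be derived from this."""
    if not stored.lower().startswith("{crypt}$1$"):
        return False                           # other password schemes not handled here
    salt = stored.split("$")[2]
    return hmac.compare_digest(md5_crypt(candidate, salt), stored[len("{crypt}"):])
```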
Now I've a working TTLS/PAP with LDAP storage configuration ;-)
Here's what I've to put in the "users" file to make it work :
DEFAULT	Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
	User-Name = `%{User-Name}`,
	Fall-Through = no
But now PEAP/MSCHAPv2 doesn't work...I've tried a lot of combinations
(Auth-Type := MSCHAP, Fall-Through = yes ...)
but none seem to work...if someone has a clue ;-)
Thanks for all !
Bye.
DEFAULT	Freeradius-Proxied-To == 127.0.0.1, EAP-Message !* "",
	Auth-Type := PAP
--Mike
On Mon, 2004-06-21 at 06:59, Christophe Saillard wrote:
> Hi,
>
> Now I've a working TTLS/PAP with LDAP storage configuration ;-)
>
> Here's what I've to put in the "users" file to make it work :
>
> DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
> User-Name = `%{User-Name}`,
> Fall-Through = no
>
> But now PEAP/MSCHAPv2 doesn't work...I've try a lot of combination
> (Auth-Type := MSCHAP Fall-Through = yes ...)
> but none seem to work...if someone has a clue ;-)
>
> Thanks for all !
>
> Bye.
Now it works !
Thanks a lot !
That's about the only time you should set it.
Alan DeKok.
If you had read the debug log, you would see WHY it doesn't work.
Repeat it like a mantra: If you're not sure, DO NOT SET AUTH-TYPE.
The server will figure it out on its own.
> If you had read the debug log, you would see WHY it doesn't work.
>
> Repeat it like a mantra: If you're not sure, DO NOT SET AUTH-TYPE.
When I do not set Auth-Type, TTLS/PAP works with users stored in the "users" file,
PEAP/Ms-chap-v2 works with users from LDAP storage, but TTLS/PAP from LDAP doesn't work....
>
> The server will figure it out on it's own.
>
> Alan DeKok.
And the debug log would tell you why. The FAQ also mentions
something about statements like "it doesn't work".
Without looking at your configuration, I can tell that you've
probably stored the passwords as NT-Passwords, so MS-CHAP works, but
PAP doesn't. This isn't an issue for TTLS or PEAP, as it's
completely independent of them.
The rlm_pap module could be updated to compare PAP passwords from
the packet with NT-Passwords retrieved from somewhere else. This
could probably go into 1.0.0, as there are a few other issues with
building on certain platforms.
Alan DeKok.