Chap authentication against LDAP

Ville Leinonen-2

Hi,

Does Freeradius 2.1.5 support chap authentication against ldap?

If I try it, here are the messages I get:

Found Auth-Type = CHAP
+- entering group CHAP {...}
rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
++[ldap] returns invalid
Failed to authenticate the user.


Br,

Ville


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Chap authentication against LDAP

Alan DeKok-2
Ville Leinonen wrote:
> Does Freeradius 2.1.5 support chap authentication against ldap?

  No RADIUS server supports this.  It's impossible.

  Instead, have FreeRADIUS pull the clear-text password from LDAP.
FreeRADIUS can then do CHAP.

  If you don't have a clear-text password in LDAP, it's impossible.

  Alan DeKok.

VS: Chap authentication against LDAP

Ville Leinonen-2
Hi,

So I cannot do this by using FreeRADIUS, but I can do it
using IAS (see link)?

http://h40060.www4.hp.com/procurve/includes/application-notes/index.php?cc=uk&lc=en&content=ans2-en

Br,

Ville

-----Original message-----
From: freeradius-users-bounces+ville.leinonen=[hidden email] on behalf of: Alan DeKok
Sent: Fri 3.4.2009 16:10
To: FreeRadius users mailing list
Subject: Re: Chap authentication against LDAP
 
Ville Leinonen wrote:
> Does Freeradius 2.1.5 support chap authentication against ldap?

  No RADIUS server supports this.  It's impossible.

  Instead, have FreeRADIUS pull the clear-text password from LDAP.
FreeRADIUS can then do CHAP.

  If you don't have a clear-text password in LDAP, it's impossible.

  Alan DeKok.

Re: VS: Chap authentication against LDAP

Alan DeKok-2
Ville Leinonen wrote:
> So i cannot do this about using freeradius, but i can make it
> using IAS (see link)?

  No.  You seemed to have misunderstood my response.  Let me say it a
different way:

  LDAP servers cannot do CHAP authentication.

  Why?

  Because LDAP servers are *DATABASES*.

  LDAP servers are not *authentication* servers.

  FreeRADIUS is an *AUTHENTICATION* server.

  Configure FreeRADIUS so that it pulls the clear-text password from
LDAP.  FreeRADIUS will then do CHAP authentication.

  If you don't have a clear-text password in LDAP, then doing CHAP
authentication is impossible.  It is impossible with FreeRADIUS, IAS,
Cisco ACS, Juniper SBR, Radiator, and also with every other RADIUS
server on the planet.

  And go read my web page:

http://deployingradius.com/documents/protocols/compatibility.html

  Alan DeKok.
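
Added example (not part of the original thread and not FreeRADIUS code): a sketch of the CHAP check from RFC 1994 as carried in the RADIUS CHAP-Password attribute, showing why the server needs the clear-text password while a salted hash only suffices for PAP. All passwords, salts and challenges below are constructed sample values.

```python
import hashlib
import hmac

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def verify_chap(chap_password: bytes, challenge: bytes, stored: bytes) -> bool:
    """Check a RADIUS CHAP-Password value (1-byte CHAP ID + 16-byte response)
    by recomputing the response from whatever the directory returned."""
    if len(chap_password) != 17:
        return False
    chap_id, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(chap_id, stored, challenge), response)

def ssha_digest(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-1 as used for {SSHA} userPassword values: SHA1(pw || salt) || salt."""
    return hashlib.sha1(password + salt).digest() + salt

def verify_pap(offered: bytes, stored_ssha: bytes) -> bool:
    """PAP delivers the password itself, so a stored hash is enough."""
    digest, salt = stored_ssha[:20], stored_ssha[20:]
    return hmac.compare_digest(hashlib.sha1(offered + salt).digest(), digest)

def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    password = b"constructed-example-pw"
    challenge = bytes(range(16))          # a real NAS sends random bytes
    chap_password = bytes([7]) + chap_response(7, password, challenge)
    stored_hash = ssha_digest(password, b"\x01\x02\x03\x04")
    return {
        "chap_with_cleartext": verify_chap(chap_password, challenge, password),
        "chap_with_ssha_only": verify_chap(chap_password, challenge, stored_hash),
        "pap_with_ssha_only": verify_pap(password, stored_hash),
        "chap_wrong_password": verify_chap(chap_password, challenge, b"guess"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The client never sends the password, only an MD5 over it, so the server has nothing to feed into the stored hash function; it can only recompute the MD5 from the clear-text value.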

VS: VS: Chap authentication against LDAP

Ville Leinonen-2
Hi,

Thank you for this reply. Well, then I'll do some scripting and pull
userinfo inside LDAP and export it to my radsrv.

Br,

Ville


-----Original message-----
From: freeradius-users-bounces+ville.leinonen=[hidden email] on behalf of: Alan DeKok
Sent: Sun 5.4.2009 16:16
To: FreeRadius users mailing list
Subject: Re: VS: Chap authentication against LDAP
 
Ville Leinonen wrote:
> So i cannot do this about using freeradius, but i can make it
> using IAS (see link)?

  No.  You seemed to have misunderstood my response.  Let me say it a
different way:

  LDAP servers cannot do CHAP authentication.

  Why?

  Because LDAP servers are *DATABASES*.

  LDAP servers are not *authentication* servers.

  FreeRADIUS is an *AUTHENTICATION* server.

  Configure FreeRADIUS so that it pulls the clear-text password from
LDAP.  FreeRADIUS will then do CHAP authentication.

  If you don't have a clear-text password in LDAP, then doing CHAP
authentication is impossible.  It is impossible with FreeRADIUS, IAS,
Cisco ACS, Juniper SBR, Radiator, and also with every other RADIUS
server on the planet.

  And go read my web page:

http://deployingradius.com/documents/protocols/compatibility.html

  Alan DeKok.

Re: VS: Chap authentication against LDAP

tnt-5
>So i cannot do this about using freeradius, but i can make it
>using IAS (see link)?
>
>http://h40060.www4.hp.com/procurve/includes/application-notes/index.php?cc=uk&lc=en&content=ans2-en
>

But that's not LDAP, that's Active Directory. Active Directory can be
made to reveal a clear text password to IAS (setting needs to be
activated *before* you start storing passwords in it; if AD passwords
are stored only in nt format, and you then enable this - CHAP still
won't work: it will work *after* next password change - AD will store
both clear and nt version of the new password). Microsoft does not allow
this for third party radius servers.

Ivan Kalik
Kalik Informatika ISP
