EAP-MD5 with LDAP


EAP-MD5 with LDAP

Rohaizam Abu Bakar
Hi..

Using FB 6.0
FR 1.0.5

trying to configure EAP-MD5 with LDAP backend...

But it keeps reporting:

rlm_ldap: Attribute "User-Password" is required for authentication.

No EAP has been processed...

please see full debug log below..


Below is my config with multiple DEFAULT entries... for Wireless services &
normal Dialup authentication



i) users
   =====

   DEFAULT         NAS-Identifier == "Wireless-802.11", Autz-Type := Y5, Auth-Type := Y5
   DEFAULT         Autz-Type := LDAP, Auth-Type := LDAP

ii) eap.conf
    ========
    eap {
        default_eap_type = md5
        md5 {
        }
    }


iii) radiusd.conf
     ============

     $INCLUDE ${confdir}/eap.conf

     authorize {
        eap

        Autz-Type LDAP {
             ldap1
        }
        Autz-Type Y5 {
             ldapy51
        }
     }


     authenticate {

        Auth-Type LDAP {
              ldap1
        }
        Auth-Type Y5 {
              ldapy51
        }
        eap
     }


        ldap ldap1 {
                server = "localhost"
                identity = "cn=root,dc=jaring,dc=my"
                password = xxxxxx
                basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 10
                password_attribute = userPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

     ldap ldapy51 {
                server = "localhost"
                identity = "cn=root,dc=jaring,dc=my"
                password = xxxxxx
                basedn = "ou=Y5,ou=People,dc=jaring,dc=my"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 10
                password_attribute = userPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }



rad_recv: Access-Request packet from host 202.73.10.12:1814, id=133, length=197
        Framed-MTU = 1466
        NAS-IP-Address = 10.220.0.2
        NAS-Identifier = "OCEPOP"
        User-Name = "jaroce"
        Service-Type = Framed-User
        NAS-Port = 129
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "ether9_129"
        Called-Station-Id = "00-11-95-e1-ce-8a"
        Calling-Station-Id = "00-13-46-86-c3-93"
        Connect-Info = "CONNECT Ethernet 2Mbps Full duplex"
        EAP-Message = 0x02020015016a61726f6365406d793031352e636f6d
        Message-Authenticator = 0x6d5b3fff40ff4c920b88d100ed80a209
        Proxy-State = 0x3433
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '/' in User-Name = "jaroce", skipping NULL due to config.
  modcall[authorize]: module "IPASS" returns noop for request 1
    rlm_realm: No '@' in User-Name = "jaroce", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "jaroce"
    rlm_realm: Proxying request from user jaroce to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 68
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 1
modcall: entering group redundant for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jaroce
radius_xlat:  '(uid=jaroce)'
radius_xlat:  'ou=RADIUS,ou=People,dc=jaring,dc=my'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with filter (uid=jaroce)
rlm_ldap: checking if remote access for jaroce is allowed by dialupAccess
rlm_ldap: Added password j4r1ng in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11
rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: user jaroce authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap1" returns ok for request 1
modcall: group redundant returns ok for request 1
modcall: group Autz-Type returns ok for request 1
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap1" returns invalid for request 1
modcall: group redundant returns invalid for request 1
modcall: group Auth-Type returns invalid for request 1
auth: Failed to validate the user.
Login incorrect: [jaroce] (from client OCE_JARING port 129 cli 00-13-46-86-c3-93)


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-MD5 with LDAP

Stefan Winter-4
Hi,

> trying to configure EAP-MD5  with LDAP backend...
>
> rlm_ldap: Attribute "User-Password" is required for authentication.

Oh, a classic. You are trying to use a backend that requires the clear-text
password, but are instead feeding it a one-way encrypted password.
This won't work out-of-the-box. What you *might* be able to do is retrieve
the user's password during authorize with an administrator account, and then
during authenticate let the server compare things itself, without calling
ldap during authenticate. Never done that, but it seems possible to me. Good
luck.

Stefan Winter

--
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche - Research engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg



Re: EAP-MD5 with LDAP

Phil Mayers
Rohaizam Abu Bakar wrote:

> Hi..
>
> Using FB 6.0
> FR 1.0.5
>
> trying to configure EAP-MD5  with LDAP backend...
>
> But it keep reporting:
>
> rlm_ldap: Attribute "User-Password" is required for authentication.
>


EAP-MD5 requires you have the plaintext password (in the LDAP server, in
this case). If you do not, you cannot do EAP-MD5. If you do, configure
the LDAP server to give the plaintext password to the radius server
(usually in userPassword) and the radius server to map that into
User-Password (done by default) and it will work.
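To make the point of the two replies above concrete: an added example, not code from the thread or from FreeRADIUS, showing what the server has to compute for EAP-MD5 (RFC 3748, section 5.4) and why a one-way hashed userPassword cannot stand in for the cleartext User-Password. The Identity packet is the EAP-Message from the debug log in the original post; the challenge, password and the builder for the supplicant's response are constructed for the example.

```python
import hashlib
import hmac

# EAP-Message value copied from the debug log in the original post: an EAP
# Response/Identity carrying the identity "jaroce@my015.com".
EAP_IDENTITY_RESPONSE = bytes.fromhex("02020015016a61726f6365406d793031352e636f6d")

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def parse_eap(packet: bytes) -> dict:
    """Parse an RFC 3748 EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    if len(packet) < 4:
        raise ValueError("EAP packet too short")
    code, ident = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError(f"EAP Length field {length} != {len(packet)} bytes received")
    pkt = {"code": code, "id": ident, "length": length}
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE) and length >= 5:
        pkt["type"], pkt["data"] = packet[4], packet[5:]
    return pkt


def md5_challenge_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 s5.4: Value = MD5(Identifier || cleartext password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_md5_response(ident: int, password: bytes, challenge: bytes, name: bytes = b"") -> bytes:
    """Supplicant side (constructed here only to produce test input for the verifier)."""
    value = md5_challenge_value(ident, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return bytes([EAP_CODE_RESPONSE, ident]) + (4 + len(body)).to_bytes(2, "big") + body


def verify_md5_response(response: bytes, challenge: bytes, user_password: bytes) -> bool:
    """Server side. It needs the cleartext User-Password: a one-way hashed
    userPassword (e.g. "{SSHA}...") cannot reproduce the digest, which is why
    EAP-MD5 against a hashed directory entry cannot work."""
    if user_password is None or user_password.startswith(b"{"):
        raise ValueError('Attribute "User-Password" (cleartext) is required for EAP-MD5')
    pkt = parse_eap(response)
    if pkt["code"] != EAP_CODE_RESPONSE or pkt.get("type") != EAP_TYPE_MD5_CHALLENGE:
        return False
    if not pkt["data"]:
        return False
    value_size = pkt["data"][0]
    received = pkt["data"][1:1 + value_size]
    expected = md5_challenge_value(pkt["id"], user_password, challenge)
    return hmac.compare_digest(received, expected)
```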

Re: EAP-MD5 with LDAP

Rohaizam Abu Bakar

After searching for a solution.. found one comment from Alan that advises not
to set Auth-Type := LDAP because LDAP does not do authentication.. EAP does..
let the server figure it out itself... In the case of EAP, LDAP just extracts the password
for EAP to do authentication.

But the problem is, my radius needs to serve a few services... such as
ADSL, Wifi, Dial up .. etc. Each service has its own LDAP tree for
better management. So in radiusd.conf, there will be a few ldap modules..
See below:-


How do I set in the users file in order for WIFI users to perform EAP but get
LDAP info from a certain LDAP tree without having to set Auth-Type ????



i) users
=====

DEFAULT     ????  (not to set Auth-Type but need to direct to certain LDAP
tree)



ii) radiusd.conf
==========

ldap adsl {
    basedn=ou=ADSL, ou=People...
}
ldap wifi {
    basedn=ou=wifi, ou=People...
}

Then .. in authenticate and authorize section :-

authorize {
    eap
    Autz-Type ADSL {
        adsl
    }
    Autz-Type WIFI {
        wifi
    }
}
authenticate {

    Auth-Type ADSL {
        adsl
    }
    Auth-Type WIFI {
        wifi
    }
    eap

}

iii) eap.conf

 ... some config...




Re: EAP-MD5 with LDAP

Alan DeKok-3
"Rohaizam Abu Bakar" <[hidden email]> wrote:
> How do i set in users file in order for WIFI user to perform EAP but get
> LDAP info from certain LDAP tree  without having to set Auth-Type ????

  The EAP module will take care of setting Auth-Type.  You don't have to.

  Alan DeKok.

Re: EAP-MD5 with LDAP

Rohaizam Abu Bakar
Can I set Autz-Type in users, but leave EAP to set Auth-Type??

--haizam


Re: EAP-MD5 with LDAP

Stefan Winter-4
> Can I set Autz-Type in users, but leave EAP to set Auth-Type??

Sure.

Stefan Winter

--
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Research & Development Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [hidden email]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473
