Problem with LDAP authentication

Problem with LDAP authentication

Pircher, Sabine
Dear Freeradius-Team,
 
I set up a wifi system, authenticating via freeradius v3.0.12 and openldap. During the configuration I ran into a problem which I can't understand.
- Works: Authentication of the testuser 'bob' via EAP
- Works: Radtest authentication of the user 'spircher' via ldap is also working fine. "radtest -x spircher test 127.0.0.1:1812 0 testing123"
- Not working: Authentication of the user 'spircher' via ldap and eap
Attached my debugging output.
 
Do you have any ideas how to solve it?
Thank you!
 
Best regards
Sabine Pircher




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Attachment: freeradiusV3-output-ldap.txt (65K)
Re: Problem with LDAP authentication

Alan DeKok-2
On May 18, 2017, at 1:58 PM, Pircher, Sabine <[hidden email]> wrote:
>
>  
> I set up a wifi system, authenticating via freeradius v3.0.12 and openldap. During the configuration I ran into a problem which I can't understand.
> - Works: Authentication of the testuser ‘bob’ via EAP

  What did you use for a test client?  eapol_test?  Or a real system?

> - Works: Radtest authentication of the user 'spircher' via ldap is also working fine. "radtest -x spircher test 127.0.0.1:1812 0 testing123"

  Which doesn't test the end system.  i.e. certificates, etc.

> - Not working: Authentication of the user ‘spircher’ via ldap and eap
> Attached my debugging output.
>  
> Do you have any ideas how to solve it?

  The supplicant is giving up.  If you had waited a few more seconds, you would see more debug output which points you to a Wiki page.  That page describes what's going on.

  Odds are you didn't put the CA certificate on the end user machine.

  See http://deployingradius.com for a "how to" guide.  There are detailed and explicit instructions for what to do, along with what can go wrong, and why.

  Alan DeKok.


Re: Problem with LDAP authentication

Matthew Newton-2
In reply to this post by Pircher, Sabine
On 18 May 2017 18:58:41 BST, "Pircher, Sabine" <[hidden email]> wrote:
>- Not working: Authentication of the user ‘spircher’ via ldap and eap 
>Attached my debugging output.

>Do you have any ideas how to solve it?

Password from LDAP is SSHA1 format, which isn't going to be compatible with anything inside PEAP.

Assuming the debug continues further, otherwise may be a certificate problem as well.


--
Matthew

Re: Problem with LDAP authentication

Pircher, Sabine
In reply to this post by Alan DeKok-2
Thanks for your answers.

WORKS: Storing the passwords in clear-text in the LDAP database (Standard-PosixAccount).
But in general I don’t like to store any passwords in clear-text.

I read this article: http://deployingradius.com/documents/protocols/compatibility.html and PAP inside EAP-TTLS looks good for me to store encrypted passwords, but I’m new to freeradius and authentication.

What’s the best way ‘to do’ it?


On 18.05.2017, 20:19, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+sabine.pircher=[hidden email] on behalf of [hidden email]> wrote:

 >   On May 18, 2017, at 1:58 PM, Pircher, Sabine <[hidden email]> wrote:
 >   >
 >   >  
 >   > I set up a wifi system, authenticating via freeradius v3.0.12 and openldap. During the configuration I ran into a problem which I can't understand.
 >   > - Works: Authentication of the testuser ‘bob’ via EAP
 >    
 >    What did you use for a test client?  eapol_test?  Or a real system?

I use a real system.

 >  
 >   > - Works: Radtest authentication of the user 'spircher' via ldap is also working fine. "radtest -x spircher test 127.0.0.1:1812 0 testing123"
 >    
 >    Which doesn't test the end system.  i.e. certificates, etc.
 >  
 >   > - Not working: Authentication of the user ‘spircher’ via ldap and eap
 >   > Attached my debugging output.
 >   >  
 >   > Do you have any ideas how to solve it?
 >  
 >    The supplicant is giving up.  If you had waited a few more seconds, you would see more debug output which points you to a Wiki page.  That page describes what's going on.
 >  
 >      Odds are you didn't put the CA certificate on the end user machine.

Certificates are installed.

 >    
 >     See http://deployingradius.com for a "how to" guide.  There are detailed and explicit instructions for what to do, along with what can go wrong, and why.
 >  
 >     Alan DeKok.
   
Best regards,
Sabine Pircher


Re: Problem with LDAP authentication

Matthew Newton-2
On Fri, May 19, 2017 at 09:59:49AM +0000, Pircher, Sabine wrote:

> WORKS: Storing the passwords in clear-text in the LDAP database
> (Standard-PosixAccount).
> But in general I don’t like to store any passwords in
> clear-text.
>
> I read this article:
> http://deployingradius.com/documents/protocols/compatibility.html
> and PAP inside EAP-TTLS looks good for me to store encrypted
> passwords, but I’m new to freeradius and authentication.
>
> What’s the best way ‘to do’ it?

Decide on a combination that works for your environment. Which
probably means evaluating what EAP methods your client
supplicants can do and then having to store passwords that are
compatible.

A lot of clients can't do EAP-TTLS/PAP (e.g. Windows 7). So you
end up having to use PEAP/EAP-MSCHAPv2 or EAP-TTLS/MSCHAPv2.
Which means storing the passwords in NTLM hash or cleartext. And
NTLM hash isn't much better than cleartext.

If all your clients support EAP-TTLS/PAP then sure, store the
passwords hashed in whatever method you like.

Or just move to EAP-TLS and use certificates. But the overheads
of that are significantly higher with cert management.

--
Matthew