FreeRADIUS + OpenLDAP + EAP-MD5, XP client authentication failure

newbieockids (thread starter), posted Mar 7 2007, 11:38 AM
Hello guys.

I'm trying to implement FreeRADIUS + OpenLDAP + EAP-MD5 for client authentication here,
but I have an issue between FreeRADIUS and LDAP during the client authentication process.

Here is the situation with the failure while running radius in debugging mode.

Configuration in /etc/raddb/users (failed):
CODE

DEFAULT Auth-Type:- LDAP
        Fall-Through = 1

But I'm able to get a successful authentication if I define the username and password in the /etc/raddb/users file with authentication type LDAP.

Configuration in /etc/raddb/users (success):
CODE

firdauz Auth-Type = LDAP, User-Password :="something"
#DEFAULT Auth-Type:- LDAP
#        Fall-Through = 1

It seems like radius can't process the password and I need to define them manually.
But it would be very inconvenient to define all the LDAP users and passwords in the /etc/raddb/users file. Anyone got any idea? Just let me know if you need any other info. Thanks.
Diligent Sloth, posted Mar 7 2007, 01:04 PM
Can you post up your config files?
kons (Moderator), posted Mar 7 2007, 01:20 PM

Show us radiusd.conf, and ldap.conf (only if the LDAP config isn't in radiusd.conf).
newbieockids, posted Mar 7 2007, 01:47 PM
QUOTE(kons @ Mar 7 2007, 01:20 PM)
Show us radiusd.conf, and ldap.conf (only if the LDAP config isn't in radiusd.conf).

Thanks for the heads-up, kons and Diligent Sloth.

[edited]
The config is too long to fit on this page by copy and paste;
the files are in the attachments.

The communication is simply like this:
client --> switch (EAP-MD5) --> FreeRADIUS --> LDAP
FreeRADIUS and LDAP are on the same server.


Attached files: radiusd.txt, clients.txt, eap.txt
kons (Moderator), posted Mar 7 2007, 03:16 PM
Are you sure you do not need an identity/password to authenticate to LDAP?
newbieockids, posted Mar 7 2007, 04:09 PM
QUOTE(kons @ Mar 7 2007, 03:16 PM)
Are you sure you do not need an identity/password to authenticate to LDAP?

No, I need their ID/password for sure. But if I were to use that rlm_ldap method for authentication, it needs a clear-text (unencrypted) password, correct?

kons (Moderator), posted Mar 7 2007, 04:54 PM
Regarding this:

CODE
ldap {
 server = "direcktori.mine.net.my"
 #identity = "cn=firdauz,dc=mine,dc=net,dc=my"
 basedn = "ou=group,dc=mine,dc=net,dc=my"
 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 #base_filter = "(objectclass=radiusprofile)"



Does the LDAP server grant "read access" to everyone?
If you are not sure, show us slapd.conf.
newbieockids, posted Mar 7 2007, 05:36 PM
QUOTE(kons @ Mar 7 2007, 04:54 PM)
Regarding this:

CODE
ldap {
 server = "direcktori.mine.net.my"
 #identity = "cn=firdauz,dc=mine,dc=net,dc=my"
 basedn = "ou=group,dc=mine,dc=net,dc=my"
 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 #base_filter = "(objectclass=radiusprofile)"

Does the LDAP server grant "read access" to everyone?
If you are not sure, show us slapd.conf.

Yup.
But there are some attributes defined to limit access for clients from radius:
CODE

access_attr = "dialupAccess"
password_attribute = userPassword

I don't have slapd.conf, only ldap.conf, as in the attachment (ldap.txt).

I'm also not very sure if my configuration is right.
I want to use the user base in LDAP and use EAP-MD5 authentication.


Attached file: ldap.txt
kons (Moderator), posted Mar 7 2007, 06:14 PM
Do you have access to the server running LDAP?

Can this hostname "direcktori.mine.net.my" be resolved by the radius machine?
newbieockids, posted Mar 7 2007, 06:29 PM
QUOTE(kons @ Mar 7 2007, 06:14 PM)
Do you have access to the server running LDAP?

Can this hostname "direcktori.mine.net.my" be resolved by the radius machine?

Yup, it can be resolved.
Radius and LDAP are on the same machine.
This server is not online yet, bro;
I'm just running it inside VMware to solve this authentication first.

CODE
# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               direcktori.mine.net.my direcktori localhost.localdomain localhost

kons (Moderator), posted Mar 7 2007, 07:06 PM
What distro is it?

Strange that there's no slapd.conf; what version of OpenLDAP is that?
ldap.conf is meant for client machines only.
newbieockids, posted Mar 7 2007, 07:13 PM
QUOTE(kons @ Mar 7 2007, 07:06 PM)
What distro is it?

Strange that there's no slapd.conf; what version of OpenLDAP is that?
ldap.conf is meant for client machines only.

RHEL4 with Red Hat Directory Server 7.1.
kons (Moderator), posted Mar 7 2007, 10:57 PM
QUOTE(newbieockids @ Mar 7 2007, 07:13 PM)
RHEL4 with Red Hat Directory Server 7.1.

I think RDS and OpenLDAP are totally different things...
mokona_modoki, posted Mar 7 2007, 11:07 PM
Red Hat Directory Server is not based on OpenLDAP.

By the way, how about your LDAP attributes? Ensure all attributes are correct and do exist. Although I'm not sure what went wrong, normally you'll need at least "whatever is defined as access_attr (dialupAccess?)" and "whatever is defined as the user password (userPassword)". If you're not sure, paste a snippet of your LDIF here.
newbieockids, posted Mar 8 2007, 02:24 AM
QUOTE(kons @ Mar 7 2007, 10:57 PM)
I think RDS and OpenLDAP are totally different things...

Sorry, my mistake. But they serve the same purpose.

QUOTE(mokona_modoki @ Mar 7 2007, 11:07 PM)
Red Hat Directory Server is not based on OpenLDAP.

By the way, how about your LDAP attributes? Ensure all attributes are correct and do exist. Although I'm not sure what went wrong, normally you'll need at least "whatever is defined as access_attr (dialupAccess?)" and "whatever is defined as the user password (userPassword)". If you're not sure, paste a snippet of your LDIF here.

It should be based on Netscape Directory Server.
Yes, I'm pretty sure about the attributes. The "dialupAccess" attribute is manually defined in LDAP for some users. I created several new directory instances for trial and error, which is why my radiusd.conf is a little bit of a mess. Sorry for the confusion.

I have a clear idea now about what is happening, after several tests.
The authentication process is missing the user password parameter,
so the user fails to authenticate.
But I still need your opinion, guys, on how to sort this out from the radius side:

1) If I'm using LDAP as the authentication type, I'll be able to fetch the user's password from LDAP, but I need a clear-text password for that. The attribute is encrypted, so I can't use this method.

2) If I'm using EAP as the authentication type, I'm not sure how to fetch the user's password from LDAP instead of adding them manually in /etc/raddb/users as a pointer to LDAP.
Is there any other way to make EAP look up all users and passwords from LDAP by default?

Thanks for the responses, guys. I really appreciate it.
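The two options above hinge on one property of EAP-MD5 that the thread never spells out: the supplicant answers the challenge with MD5(Identifier || password || challenge), so the RADIUS server can only verify the answer if it holds the same clear-text password. If the directory stores userPassword as a hash ({SSHA}, {SHA}, {MD5}, {CRYPT}), that value cannot be turned back into the clear-text the MD5 computation needs, whereas a PAP request (which carries the clear-text password on the wire) can still be checked against such a hash. The following is an added worked example, not code from the thread or from FreeRADIUS; the password, salt and challenge bytes are constructed sample values, and the {SSHA} encoding follows the common OpenLDAP/Netscape convention of base64(SHA1(password || salt) || salt).

```python
"""EAP-MD5 challenge/response and the clear-text password requirement.

Added worked example (not from the original thread or from FreeRADIUS).
Sample password, salt and challenge below are constructed test values.
"""
import base64
import hashlib
import hmac


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Supplicant side (RFC 3748 section 5.4, same as CHAP in RFC 1994):
    Response-Value = MD5(Identifier || password || Challenge-Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


def ldap_userpassword_cleartext(value: bytes):
    """Extract the clear-text password from an LDAP userPassword value.

    Returns the password bytes when the value is stored in clear text
    (no scheme prefix, or the {clear} prefix) and None when it is stored
    under a one-way scheme such as {SSHA}, {SHA}, {MD5} or {CRYPT}, because
    no clear-text can be recovered from those."""
    if not value.startswith(b"{"):
        return value
    end = value.find(b"}")
    if end < 0:                      # malformed prefix: treat as literal
        return value
    scheme = value[1:end].upper()
    if scheme == b"CLEAR":
        return value[end + 1:]
    return None


def server_verify_eap_md5(identifier: int, challenge: bytes,
                          response: bytes, stored_password) -> bool:
    """RADIUS server side. Succeeds only when the server has the clear-text
    password (what FreeRADIUS needs in User-Password for Auth-Type EAP)."""
    if stored_password is None:
        return False                 # hashed userPassword: cannot compute MD5
    expected = eap_md5_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def make_ssha(password: bytes, salt: bytes) -> bytes:
    """Build an {SSHA} userPassword value: base64(SHA1(pw || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def check_ssha(value: bytes, candidate: bytes) -> bool:
    """PAP-style verification: with the clear-text candidate in hand, the
    server can recompute the salted hash. This is what EAP-MD5 cannot do."""
    if not value.upper().startswith(b"{SSHA}"):
        return False
    raw = base64.b64decode(value[len(b"{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


def demo() -> dict:
    """Run the exchange against a clear-text and a hashed userPassword."""
    identifier = 1
    challenge = bytes(range(16))     # constructed; real servers use random bytes
    password = b"s3cret"             # constructed sample password
    response = eap_md5_response(identifier, password, challenge)

    clear_entry = b"{clear}s3cret"
    hashed_entry = make_ssha(password, b"salt")
    return {
        "eap_md5_with_cleartext": server_verify_eap_md5(
            identifier, challenge, response, ldap_userpassword_cleartext(clear_entry)),
        "eap_md5_with_ssha": server_verify_eap_md5(
            identifier, challenge, response, ldap_userpassword_cleartext(hashed_entry)),
        "pap_with_ssha": check_ssha(hashed_entry, password),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

The outcome maps directly onto the two options in the post: a hashed userPassword works for PAP (and for rlm_ldap's bind-as-user Auth-Type, which also needs the clear-text on the wire) but can never satisfy EAP-MD5, so EAP-MD5 against a directory requires the directory to hold clear-text (or {clear}) passwords and the server to read them into User-Password.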
Diligent Sloth, posted Mar 8 2007, 02:50 AM
I'm not sure about RDS, but using OpenLDAP, my configuration is as follows:

radiusd.conf
CODE
ldap ldap_server {
               server = *Hostname*
               identity = *DN*
               password =*Pass*
               basedn = *BaseDN*

               base_filter = "(objectclass=radiusprofile)"
               start_tls = yes
               # This is your Certificate Authority (CA) certificate
               tls_cacertfile = /etc/ldap/csca.crt
               tls_require_cert = "demand"
               access_attr = "uid"
               dictionary_mapping = ${raddbdir}/ldap.attrmap
               authtype = ldap

               ldap_connections_number = 5
               timeout = 4
               timelimit = 3
               net_timeout = 1
}


CODE

authorize {
       preprocess
       chap
       mschap
       suffix
       ldap_server    # instance name must match the "ldap ldap_server { ... }" block above
       eap
}

authenticate {
       Auth-Type PAP {
               pap
       }
       Auth-Type MS-CHAP {
               mschap
       }
       eap
}


/etc/freeradius/ldap.attrmap

CODE

checkItem       User-Password                   userPassword

replyItem   Tunnel-Type                            radiusTunnelType
replyItem   Tunnel-Medium-Type             radiusTunnelMediumType
replyItem   Tunnel-Private-Group-Id        radiusTunnelPrivateGroupId



Added on March 8, 2007, 2:54 am: These are just snippets of how it *should* look, but they should be enough to get you started.
kons (Moderator), posted Mar 8 2007, 07:38 AM
QUOTE(newbieockids @ Mar 8 2007, 02:24 AM)
I have a clear idea now about what is happening, after several tests.
The authentication process is missing the user password parameter,
so the user fails to authenticate.
But I still need your opinion, guys, on how to sort this out from the radius side:

I haven't done it using RDS before,
but from the logs, I think...

it's not missing the user password parameter; it did not even manage to connect to the LDAP server to perform the search, as I didn't see any bind message there.

Over here, the FreeRADIUS log shows this if it's connecting to LDAP, but yours doesn't:

CODE

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.133.2:636, authentication 0
rlm_ldap: bind as / to 192.168.133.2:636
rlm_ldap: waiting for bind result ...

newbieockids, posted Mar 8 2007, 11:47 PM
QUOTE(Diligent Sloth @ Mar 8 2007, 02:50 AM)
I'm not sure about RDS, but using OpenLDAP, my configuration is as follows:

radiusd.conf
CODE
ldap ldap_server {
               identity = *DN*
               password =*Pass*

Added on March 8, 2007, 2:54 am: These are just snippets of how it *should* look, but they should be enough to get you started.

Any hint on how I'm going to define all the users and passwords in LDAP here?
