Topic: RADIUS+LDAP+mOnOwall  (Read 5679 times)
« on: April 12, 2007, 06:39:27 »
dalekurt *
Posts: 10

I have a setup with RADIUS+LDAP+mOnOwall.

LDAP stores my users
RADIUS authenticates against LDAP
mOnOwall uses RADIUS

I'm using a Windows client to VPN to my network, I'm currently testing this internally. I know freeRADIUS work, as I have tested radtest using this LDAP user (testuser) and I have authenticated. However when the request is sent to mOnOwall there is no User-Password attribute in the request. So later on in the authenticate section it has the username ( testuser ) but no password to bind with hence authentication fails.

Code:
        NAS-Identifier = "monowall.my-domain.lan"
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "testuser"
        MS-CHAP-Challenge = 0xbb1e687e10c6481b45a4a0a4443f85b7
        MS-CHAP2-Response = 0x0100a5ac08636ba719aa2d3474095f0ea86c000000000000000076cfd03fcf4faad4e50c7a3066e58d064e77bf79036e61b3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: Added password 123456 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.

Can anyone shed some light on this...?

I used this mailing list to help in my own debugging

http://lists.cistron.nl/pipermail/freeradius-users/2005-March/041731.html

A Successful Debug
Code:
Access-Request packet from host 127.0.0.1:32824, id=38, length=59
        User-Name = "testuser"
        User-Password = "123456"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: Added password 123456 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "123456"
rlm_ldap: user DN: uid=testuser,ou=Users,dc=my-domain,dc=lan
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=testuser,ou=Users,dc=my-domain,dc=lan/123456 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user testuser authenticated succesfully
Sending Access-Accept of id 38 to 127.0.0.1:32824

A Failed debug
Code:
        NAS-Identifier = "monowall.mrcorp.lan"
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "testuser"
        MS-CHAP-Challenge = 0xbb1e687e10c6481b45a4a0a4443f85b7
        MS-CHAP2-Response = 0x01005df563a9f17f501ac8df2638239537d900000000000000007d7cae1e845eb61671eb13676e25cc331d878298acc9374b
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: Added password 123456 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user igodit authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.

As you can see in the failed debug message, there is NO User-Password sent.
« Last Edit: April 12, 2007, 07:24:31 by dalekurt »
« Reply #1 on: April 12, 2007, 14:26:46 »
dalekurt *
Posts: 10

This morning, I downloaded Radius Test (trial version) and sent the attributes to Radius and it worked, then to monowall and that also worked.

The problem is Microsoft Windows, big surprise there uh?

The MS Windows client does not send the ATTRIBUTE User-Password therefore no authentication.
« Reply #2 on: April 16, 2007, 22:29:24 »
JonnyRo *
Posts: 13

Windows is probably trying to use encrypted passwords. The cool thing is that the encrypted password hashes that samba uses are similar if not the same as the ones the windows PPTP client uses.

I don't remember what guide I was following, but I aliased the User-Password attribute to another attribute in ldap.attrmap

checkItem User-Password userPassword
checkItem LM-Password sambaLMPassword
checkItem NT-Password sambaNTPassword

Now, your ldap directory must contain the encrypted password hashes and the userPassword attribute in each of the users you plan on letting in via RADIUS/LDAP
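To make the first post's two debug captures and this reply concrete, here is an added example (written for this thread, not code from any poster, FreeRADIUS or m0n0wall) that parses request dumps in the attribute-listing format FreeRADIUS prints, tells PAP apart from MS-CHAPv2 by the attributes present, splits the MS-CHAP2-Response into its RFC 2759 fields, and computes the RFC 2759 ChallengeHash, which is the value the client DES-encrypts under its NT password hash. That last step is why an MS-CHAPv2 request can only be checked against an NT hash such as sambaNTPassword and never by binding to LDAP with a cleartext User-Password. The NAS name, challenge and response bytes are constructed filler values, not the captures from the thread.

```python
import hashlib
import re

# Constructed sample dumps, modelled on the attribute listing FreeRADIUS
# prints in debug mode (values made up for this example, not real captures).
PAP_REQUEST = """\
        User-Name = "testuser"
        User-Password = "123456"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
"""

# RFC 2759 layout of MS-CHAP2-Response: ident(1) flags(1) peer-challenge(16)
# reserved(8) NT-Response(24) = 50 bytes. Filler bytes are constructed.
AUTH_CHALLENGE_HEX = "a1" * 16
RESPONSE_HEX = "01" + "00" + "b2" * 16 + "00" * 8 + "c3" * 24

MSCHAP_REQUEST = """\
        NAS-Identifier = "monowall.example.lan"
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "testuser"
        MS-CHAP-Challenge = 0x{chal}
        MS-CHAP2-Response = 0x{resp}
""".format(chal=AUTH_CHALLENGE_HEX, resp=RESPONSE_HEX)

ATTR_LINE = re.compile(r'^\s*([\w-]+)\s*=\s*(.+?)\s*$')


def parse_attrs(dump):
    """One 'Name = value' per line -> dict. Quoted strings lose their quotes,
    0x... values become bytes, anything else stays a string."""
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if value.startswith('"') and value.endswith('"'):
            attrs[name] = value[1:-1]
        elif value.startswith("0x"):
            attrs[name] = bytes.fromhex(value[2:])
        else:
            attrs[name] = value
    return attrs


def classify(attrs):
    """Which password protocol the NAS used, judged from the attributes present."""
    if "User-Password" in attrs:
        return "PAP"
    if "MS-CHAP-Challenge" in attrs and "MS-CHAP2-Response" in attrs:
        return "MS-CHAPv2"
    if "CHAP-Password" in attrs:
        return "CHAP"
    return "unknown"


def parse_mschap2_response(blob):
    """Split the 50-byte MS-CHAP2-Response into its RFC 2759 fields."""
    if len(blob) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(blob))
    fields = {
        "ident": blob[0],
        "flags": blob[1],
        "peer_challenge": blob[2:18],
        "reserved": blob[18:26],
        "nt_response": blob[26:50],
    }
    if fields["flags"] != 0 or fields["reserved"] != bytes(8):
        raise ValueError("flags and reserved bytes must be zero (RFC 2759)")
    return fields


def challenge_hash(peer_challenge, auth_challenge, username):
    """ChallengeHash() from RFC 2759 section 8.2: the 8-byte value the client
    DES-encrypts under its NT password hash to form NT-Response. The server can
    only repeat that step if it holds the NT hash; a cleartext LDAP bind cannot."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


def ldap_requirement(attrs):
    """What the LDAP side must supply to finish this request."""
    method = classify(attrs)
    if method == "PAP":
        return "PAP: bind to LDAP as the user with User-Password"
    if method == "MS-CHAPv2":
        parse_mschap2_response(attrs["MS-CHAP2-Response"])
        return ("MS-CHAPv2: no cleartext password in the request; the server needs "
                "NT-Password (e.g. sambaNTPassword) from LDAP to verify NT-Response")
    return "%s: not handled here" % method


if __name__ == "__main__":
    for dump in (PAP_REQUEST, MSCHAP_REQUEST):
        attrs = parse_attrs(dump)
        print(classify(attrs), "->", ldap_requirement(attrs))
```

Run against the PAP dump it reports that a bind with User-Password is possible; run against the MS-CHAPv2 dump it reports that only an NT hash from the directory can verify the response, which is exactly the "Attribute User-Password is required" failure seen in the first post and the reason the NT-Password mapping above is needed.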
« Reply #3 on: April 18, 2007, 14:06:34 »
lappyx86 *
Posts: 15

did you ever get this working?
« Reply #4 on: July 02, 2007, 20:57:03 »
ho2102 *
Posts: 1

Hello,

did anyone get it working? Maybe with another PPtP client?

Regards,

Heiner
« Reply #5 on: July 12, 2007, 10:45:02 »
fab100 *
Posts: 1

Does anyone know why M0n0wall doesn't accept PAP?
Any way to make XTRadius support MSCHAPv2 ?

I'm trying to make XTRadius + M0n0wall + Mobile OTP work together but until now, no success.

1) XTRadius doesn't seem to support MSCHAPv2
2) M0n0wall doesn't accept PAP protocol requests
3) Using the windows or osx PPTP VPN client, the User-Password attribute is not being sent to the radius server (because PAP is not used by default, and enabling it leads to problem 2)

I'm quite stuck but will now try FreeRadius to see if I can adapt MobileOTP and otpverify.sh to it.

If anyone is trying the same, please get in touch with us.

Thx