Hi,

I have some problems with PEAP/LDAP (and TTLS/LDAP). When I use LDAP only with a local authentication I don't have a problem. Likewise with the PEAP module without LDAP. But with these two modules the user is validated at the level of the LDAP server but the 802.1x authentication failed!

I don't have a user entry in the users files.

Thanks.

Lionel Gavage

Extract of radius.conf:

    authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        files
        ldap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
        Auth-Type LDAP {
            ldap
        }
    }

Extract of log:

    rad_recv: Access-Request packet from host 139.165.212.248:21645, id=234, length=172
            User-Name = "u190336"
            Framed-MTU = 1400
            Called-Station-Id = "000c.304f.75da"
            Calling-Station-Id = "000c.3052.9812"
            Message-Authenticator = 0xc7f68224c50a922844d275cfcbdb5853
            EAP-Message = 0x020b002b1900170301002098ab17170a67942473547a6c29b7c9fbca9c855e8117506214a192b989347f11
            NAS-Port-Type = Wireless-802.11
            NAS-Port = 322
            State = 0xfc69a5223e55955e5e876a12c9561f84
            Service-Type = Framed-User
            NAS-IP-Address = 139.165.212.248
    modcall: entering group authorize for request 11
    modcall[authorize]: module "preprocess" returns ok for request 11
    modcall[authorize]: module "chap" returns noop for request 11
    modcall[authorize]: module "mschap" returns noop for request 11
    rlm_realm: No '@' in User-Name = "u190336", looking up realm NULL
    rlm_realm: No such realm "NULL"
    modcall[authorize]: module "suffix" returns noop for request 11
    rlm_eap: EAP packet type response id 11 length 43
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module "eap" returns updated for request 11
    users: Matched DEFAULT at 154
    users: Matched DEFAULT at 173
    modcall[authorize]: module "files" returns ok for request 11
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for u190336
    radius_xlat: '(uid=u190336)'
    radius_xlat: 'dc=ulg,dc=ac,dc=be'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in dc=ulg,dc=ac,dc=be, with filter (uid=u190336)
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user u190336 authorized to use remote access
    ldap_release_conn: Release Id: 0
    modcall[authorize]: module "ldap" returns ok for request 11
    modcall: group authorize returns updated for request 11
    rad_check_password: Found Auth-Type EAP
    auth: type "EAP"
    modcall: entering group authenticate for request 11
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/peap
    rlm_eap: processing type peap
    rlm_eap_peap: Authenticate
    rlm_eap_tls: processing TLS
    eaptls_verify returned 7
    rlm_eap_tls: Done initial handshake
    eaptls_process returned 7
    rlm_eap_peap: EAPTLS_OK
    rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.
    rlm_eap_peap: Received EAP-TLV response.
    rlm_eap_peap: Tunneled data is valid.
    rlm_eap_peap: Had sent TLV failure, rejecting.
    rlm_eap: Handler failed in EAP/peap
    rlm_eap: Failed in EAP select
    modcall[authenticate]: module "eap" returns invalid for request 11
    modcall: group authenticate returns invalid for request 11
    auth: Failed to validate the user.
    Delaying request 11 for 1 seconds
    Finished request 11
    Going to the next request
    Waking up in 5 seconds...

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]
Tel: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
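
Added example, not part of the original post and not FreeRADIUS code: a small triage script for debug output in the format shown above, which records each module's return code per request and reports the first failing module together with the rlm_* lines logged just before it. The function name `triage` and the set of return codes treated as failures are choices made for this example, and it assumes single-threaded debug output where lines belong to the request currently being processed.

```python
import re

# Lines excerpted from the debug log in the post above (request 11).
SAMPLE = """\
modcall: entering group authorize for request 11
modcall[authorize]: module "preprocess" returns ok for request 11
modcall[authorize]: module "eap" returns updated for request 11
modcall[authorize]: module "ldap" returns ok for request 11
modcall: group authorize returns updated for request 11
modcall: entering group authenticate for request 11
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
modcall[authenticate]: module "eap" returns invalid for request 11
modcall: group authenticate returns invalid for request 11
"""

MODULE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
GROUP = re.compile(r'modcall: group (\w+) returns (\w+) for request (\d+)')
FAILING = {"reject", "fail", "invalid", "userlock"}  # example's choice of failure codes

def _new():
    return {"modules": [], "groups": {}, "failed_at": None, "context": []}

def triage(text):
    """Return {request_id: summary} for FreeRADIUS debug output."""
    out, recent = {}, []  # recent: rlm_* lines seen since the last module result
    for line in text.splitlines():
        line = line.strip()
        m, g = MODULE.match(line), GROUP.match(line)
        if m:
            phase, module, rcode, req = m.groups()
            s = out.setdefault(req, _new())
            s["modules"].append((phase, module, rcode))
            if rcode in FAILING and s["failed_at"] is None:
                s["failed_at"] = (phase, module, rcode)
                s["context"] = list(recent)  # what the module logged before failing
            recent = []
        elif g:
            phase, rcode, req = g.groups()
            out.setdefault(req, _new())["groups"][phase] = rcode
        elif line.startswith("rlm_"):
            recent.append(line)
    return out

if __name__ == "__main__":
    for req, s in triage(SAMPLE).items():
        print("request", req, "groups:", s["groups"], "failed at:", s["failed_at"])
        for ctx in s["context"]:
            print("   ", ctx)
```
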