Hi Paul

I put these entries in the ldap.attrmap file

replyItem       Extreme-Netlogin-Vlan           radiusExtremeNetloginVlan
replyItem       Extreme-Netlogin-Url            radiusExtremeNetloginUrl
replyItem       Extreme-Netlogin-Url-Desc       radiusExtremeNetloginUrlDesc
replyItem       Extreme-Netlogin-Only           radiusExtremeNetloginOnly

I had to modify the dictionary.extreme file too
VENDOR          Extreme         1916

ATTRIBUTE       Extreme-Netlogin-Vlan           203     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Url            204     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Url-Desc       205     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Only           206     integer Extreme

VALUE   Extreme-Netlogin-Only           Disabled        0
VALUE   Extreme-Netlogin-Only           Enabled         1


Paul Blaich wrote:


Hi Fernando,

Not related to your problem but something that might help mine, have you
used NTRadPing? Do you know where you made the entries to have these LDAP values sent in
the reply packet?


Extreme-Netlogin-Only = Enabled
Extreme-Netlogin-Vlan = "sicrac"



Thanks a lot Paul

Fernando Lunardelli wrote:


Hi, I'm still having ldap and eap-md5 authentication problems

Local eap-md5 authentication is fine ... radtest with ldap is fine too
without authorize and authenticate eap

Both eap-md5 and ldap doesn't work ...

my freeradius version now is FreeRADIUS Version 1.0.0-pre0

radiusd.conf
-------------------------
ldap {
 server = "10.1.10.184"
 identity = "cn=Manager,dc=uasic,dc=com"
 password = sic
 basedn = "ou=People,dc=uasic,dc=com"
 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 start_tls = no
 dictionary_mapping = ${raddbdir}/ldap.attrmap
 ldap_connections_number = 5
 password_attribute = userPassword
 timeout = 4
 timelimit = 3
 net_timeout = 1
}

eap {
 default_eap_type = md5
 timer_expire     = 60
 ignore_unknown_eap_types = no
 md5 {
 }
}

authorize {
 eap
 files
 ldap
}
authenticate {
 eap
}

dn: uid=user11, ou=People, dc=uasic,dc=com
host: *
sambaAcctFlags: [U          ]
mail: [EMAIL PROTECTED]
uid: user11
sambaLMPassword: A0B0AC8F18874B99AAD3B435B51404EE
sambaPwdCanChange: 1077918404
radiusGroupName: radius_lan
radiusExtremeNetloginVlan: sicrac
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: account
objectClass: top
objectClass: radiusprofile
description: User Radius 1
sambaProfilePath: \\aton\profiles\user11
uidNumber: 1003
sn: User Radius 1
gidNumber: 100
gecos: User Radius 1
sambaPwdMustChange: 2147483647
radiusExtremeNetloginOnly: Enabled
sambaPwdLastSet: 1077918404
shadowMin: 1
userPassword:: e1NIQX1YMG1CdjZSSVpyS0FwL1l3bzZBNlA3TkdFMFU9
radiusAuthType: eap
dialupAccess: yes
shadowWarning: 10
cn: user11
sambaNTPassword: E3E3461371FA27F382B3E525F61668D5
sambaHomeDrive: U:
mobile: 91060391
homeDirectory: /home/user11
givenName: User Radius 1
displayName: User Radius 1
shadowInactive: 10
shadowLastChange: 12394
sambaSID: S-1-5-21-1396432685-3474415907-3787697022-3004
sambaDomainName: SIC
sambaPrimaryGroupSID: S-1-5-21-1396432685-3474415907-3787697022-1201
shadowMax: 365
shadowExpire: 21914
loginShell: /bin/bash
sambaHomePath: \\aton\user11

------------------------------------------------------

rad_recv: Access-Request packet from host 10.1.14.254:1067, id=48, length=92
       User-Name = "user11"
       EAP-Message = 0x0201000b01757365723131
       NAS-IP-Address = 10.1.14.254
       Service-Type = Login-User
       Calling-Station-Id = "172.22.17.103"
       NAS-Port-Type = Virtual
       Message-Authenticator = 0x6ce53147dd1f086aec9733e9fadffe40
modcall: entering group authorize for request 4
 rlm_eap: EAP packet type response id 1 length 11
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 4
 modcall[authorize]: module "files" returns notfound for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user11
radius_xlat:  '(uid=user11)'
radius_xlat:  'ou=People,dc=uasic,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=uasic,dc=com with filter
(uid=user11)
request 6 done
rlm_ldap: Added password {SHA}X0mBv6RIZrKAp/Ywo6A6P7NGE0U= in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value eap & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusExtremeNetloginOnly as Extreme-Netlogin-Only, value
Enabled & op=11
rlm_ldap: Adding radiusExtremeNetloginVlan as Extreme-Netlogin-Vlan, value
sicrac & op=11
rlm_ldap: user user11 authorized to use remote access
ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap" returns ok for request 4
modcall: group authorize returns updated for request 4
 rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 4
 rlm_eap: EAP Identity
 rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
 modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 48 to 10.1.14.254:1067
       Extreme-Netlogin-Only = Enabled
       Extreme-Netlogin-Vlan = "sicrac"
       EAP-Message = 0x010200160410b0c9730e0bcf18356262001518bb5a7e
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0x5e6e9f795238443869a6f7eac46f83d4
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.1.14.254:1068, id=51,
length=127
       User-Name = "user11"
       EAP-Message =
0x0202001c0410410fa347946c9a1428e78db9caede038757365723131
       NAS-IP-Address = 10.1.14.254
       Service-Type = Login-User
       Calling-Station-Id = "172.22.17.103"
       NAS-Port-Type = Virtual
       State = 0x5e6e9f795238443869a6f7eac46f83d4
       Message-Authenticator = 0xe8543be9c5a40b1080da64e5371126b6
modcall: entering group authorize for request 5
 rlm_eap: EAP packet type response id 2 length 28
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 5
 modcall[authorize]: module "files" returns notfound for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user11
radius_xlat:  '(uid=user11)'
radius_xlat:  'ou=People,dc=uasic,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=uasic,dc=com with filter
(uid=user11)
request 7 done
rlm_ldap: Added password {SHA}X0mBv6RIZrKAp/Ywo6A6P7NGE0U= in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value eap & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusExtremeNetloginOnly as Extreme-Netlogin-Only, value
Enabled & op=11
rlm_ldap: Adding radiusExtremeNetloginVlan as Extreme-Netlogin-Vlan, value
sicrac & op=11
rlm_ldap: user user11 authorized to use remote access
ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap" returns ok for request 5
modcall: group authorize returns updated for request 5
 rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 5
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/md5
 rlm_eap: processing type md5
 rlm_eap: Freeing handler
 modcall[authenticate]: module "eap" returns reject for request 5
modcall: group authenticate returns reject for request 5
auth: Failed to validate the user.
Login incorrect: [user11/<no User-Password attribute>] (from client
private-network-1 port 0 cli 172.22.17.103)
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.1.14.254:1068, id=51,
length=127
Sending Access-Reject of id 51 to 10.1.14.254:1068
       EAP-Message = 0x04020004
       Message-Authenticator = 0x00000000000000000000000000000000
       Extreme-Netlogin-Only = Enabled
       Extreme-Netlogin-Vlan = "sicrac"
--- Walking the entire request list ---
Waking up in 3 seconds...

thanks for any help ....

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
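
Added example, not part of the original thread or of FreeRADIUS: EAP-MD5 (RFC 3748, type 4) has the server recompute MD5(identifier || secret || challenge), which needs the cleartext secret, while the debug log above shows rlm_ldap loading a `{SHA}` digest from userPassword as the password check item. The sketch parses the two EAP-Message values from that log and runs the server-side comparison; the function names and the constructed password are assumptions made for illustration.

```python
import base64, hashlib, hmac

# EAP-Message values copied from the radiusd debug log above.
CHALLENGE_HEX = "010200160410b0c9730e0bcf18356262001518bb5a7e"
RESPONSE_HEX = "0202001c0410410fa347946c9a1428e78db9caede038757365723131"
# Check item rlm_ldap loaded from userPassword (from the log): a digest, not a password.
STORED_FROM_LOG = b"{SHA}X0mBv6RIZrKAp/Ywo6A6P7NGE0U="

def parse_eap_md5(hex_msg):
    """Split an EAP MD5-Challenge packet (RFC 3748, type 4) into its fields."""
    raw = bytes.fromhex(hex_msg)
    if len(raw) < 6 or int.from_bytes(raw[2:4], "big") != len(raw):
        raise ValueError("truncated packet or bad length field")
    if raw[4] != 4 or 6 + raw[5] > len(raw):
        raise ValueError("not MD5-Challenge, or value-size overruns the packet")
    end = 6 + raw[5]
    return {"code": raw[0], "id": raw[1], "value": raw[6:end], "name": raw[end:]}

def chap_digest(ident, secret, challenge):
    """Value both sides compute: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def server_accepts(secret, challenge_hex, response_hex):
    """Server-side check; 'secret' is whatever the backend returned as the password."""
    chal, resp = parse_eap_md5(challenge_hex), parse_eap_md5(response_hex)
    if (chal["code"], resp["code"]) != (1, 2) or chal["id"] != resp["id"]:
        return False
    expected = chap_digest(resp["id"], secret, chal["value"])
    return hmac.compare_digest(expected, resp["value"])

def client_response(password, name, challenge_hex):
    """Build the supplicant's reply to a challenge (used for the constructed case)."""
    chal = parse_eap_md5(challenge_hex)
    body = bytes([4, 16]) + chap_digest(chal["id"], password, chal["value"]) + name
    return (bytes([2, chal["id"]]) + (4 + len(body)).to_bytes(2, "big") + body).hex()

def ldap_sha(password):
    """{SHA} userPassword value as stored in the directory (base64 of SHA-1)."""
    return b"{SHA}" + base64.b64encode(hashlib.sha1(password).digest())

if __name__ == "__main__":
    pw = b"constructed-password"  # constructed sample, not from the thread
    reply = client_response(pw, b"user11", CHALLENGE_HEX)
    print("cleartext backend:", server_accepts(pw, CHALLENGE_HEX, reply))
    print("{SHA} backend:    ", server_accepts(ldap_sha(pw), CHALLENGE_HEX, reply))
    print("values from log:  ", server_accepts(STORED_FROM_LOG, CHALLENGE_HEX, RESPONSE_HEX))
```

The same supplicant reply is accepted when the backend returns the cleartext password and rejected when it returns the `{SHA}` form, because the digest string is fed into MD5 in place of the secret.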



