Hi,

Any ideas on this error. Waiting anxiously for some pointer to the right direction.

rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP

Thanks
Joseph


"Joseph Silvin"
Sent by: freeradius-users-admin@lists.freeradius.org
26/05/2004 04:47 PM
Please respond to freeradius-users

To: freeradius-users@lists.freeradius.org
cc:
Subject: Re: rlm_eap_leap: No User-Password or NT-Password configured for this user

Hi,

Thanks. I have rectified the password_header and now the Password header is gone. But still the EAP is not taking the LDAP password ( rlm_eap_leap: Stage 4).

My config:

radiusd.conf
-------------------
default_eap_type = md5

users
-----------
DEFAULT Auth-Type = LDAP
        Fall-Through = 1

Instead of this, if I put (as below) manually, the card associated with the AP. (LDAPPassword is the actual password)

DEFAULT Auth-Type = LDAP, User-Password = "LDAPPassword"
        Fall-Through = 1

Waiting for your comments.

Joseph

Revised Log below.

=============================
rad_recv: Access-Request packet from host 192.168.1.7:21646, id=16, length=125
        User-Name = "FAnthony"
        Framed-MTU = 1400
        Called-Station-Id = "000e.d7b1.008b"
        Calling-Station-Id = "000f.2478.85cf"
        Message-Authenticator = 0xe8f0eb5a20be270bdf42e04b15641dd6
        EAP-Message = 0x0202000d0146416e74686f6e79
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 495
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.1.7
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_eap: EAP packet type notification id 2 length 13
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 0
rlm_realm: No '@' in User-Name = "FAnthony", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'o=MyOrg'
radius_xlat: '(uid=FAnthony)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.1.41:389, authentication 0
rlm_ldap: bind as cn=Admin,o=MyOrg/ to 192.168.1.41:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=MyOrg, with filter (uid=FAnthony)
ldap_release_conn: Release Id: 0
radius_xlat: '(&(uid=FAnthony)(objectclass=top))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=MyLoc,O=MyOrg, with filter (&(uid=FAnthony)(objectclass=top))
rlm_ldap::ldap_groupcmp: User found in group OU=MyLoc,O=MyOrg
ldap_release_conn: Release Id: 0
users: Matched DEFAULT at 156
users: Matched DEFAULT at 175
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for FAnthony
radius_xlat: '(uid=FAnthony)'
radius_xlat: 'o=MyOrg'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=MyOrg, with filter (uid=FAnthony)
rlm_ldap: checking if remote access for FAnthony is allowed by proposedaltorgunit
rlm_ldap: Added password (91CA074DSFSD4453936C9A32AF) in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user FAnthony authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 0
rlm_eap: EAP packet type notification id 2 length 13
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type leap
rlm_eap_leap: Stage 2
rlm_eap_leap: Issuing AP Challenge
rlm_eap_leap: Successfully initiated
modcall[authenticate]: module "eap" returns ok for request 0
modcall: group authenticate returns ok for request 0
modcall: entering group post-auth for request 0
radius_xlat: '/var/log/radius/radacct/192.168.1.7/reply-detail-20040524'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.7/reply-detail-20040524
modcall[post-auth]: module "reply_log" returns ok for request 0
modcall: group post-auth returns ok for request 0
Sending Access-Challenge of id 16 to 192.168.1.7:21646
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x01030018110100087900c7559163b3ae46416e74686f6e79
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x862fd36799ba12ee881a477605e2880b5bd0b140aba87a1a97c697e9e6ca0f3a970c65d2
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.7:21646, id=17, length=190
        User-Name = "FAnthony"
        Framed-MTU = 1400
        Called-Station-Id = "000e.d7b1.008b"
        Calling-Station-Id = "000f.2478.85cf"
        Message-Authenticator = 0x61f158e50ab18ae2609916cdde5d3768
        EAP-Message = 0x0203002811010018010364ea1f5cfcc8d6a0ce99255ffd208bbc7dd9f77326a246416e74686f6e79
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 495
        State = 0x862fd36799ba12ee881a477605e2880b5bd0b140aba87a1a97c697e9e6ca0f3a970c65d2
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.1.7
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
rlm_eap: EAP packet type notification id 3 length 40
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 1
rlm_realm: No '@' in User-Name = "FAnthony", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'o=MyOrg'
radius_xlat: '(uid=FAnthony)'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=MyOrg, with filter (uid=FAnthony)
ldap_release_conn: Release Id: 0
radius_xlat: '(&(uid=FAnthony)(objectclass=top))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=MyLoc,O=MyOrg, with filter (&(uid=FAnthony)(objectclass=top))
rlm_ldap::ldap_groupcmp: User found in group OU=MyLoc,O=MyOrg
ldap_release_conn: Release Id: 0
users: Matched DEFAULT at 156
users: Matched DEFAULT at 175
modcall[authorize]: module "files" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for FAnthony
radius_xlat: '(uid=FAnthony)'
radius_xlat: 'o=MyOrg'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=MyOrg, with filter (uid=FAnthony)
rlm_ldap: checking if remote access for FAnthony is allowed by proposedaltorgunit
rlm_ldap: Added password (91CA074DSFSD4453936C9A32AF) in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user FAnthony authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1
rlm_eap: EAP packet type notification id 3 length 40
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - leap
rlm_eap: processing type leap
rlm_eap_leap: Stage 4
rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP
modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 17 to 192.168.1.7:21646
        EAP-Message = 0x04030004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 16 with timestamp 40b1d05b
Cleaning up request 1 ID 17 with timestamp 40b1d05b
Nothing to do. Sleeping until we see a request.
==============================


Kostas Kalevras
Sent by: freeradius-users-admin@lists.freeradius.org
26/05/2004 04:27 PM
Please respond to freeradius-users

To: freeradius-users@lists.freeradius.org
cc:
Subject: Re: rlm_eap_leap: No User-Password or NT-Password configured for this user

On Wed, 26 May 2004, Joseph Silvin wrote:

> Hi,
>
> I am trying to authenticate Cisco AP 1200 against FreeRadius through
> LDAP. The following is the error I am getting after stage 2 "rlm_eap_leap:
> No User-Password or NT-Password configured for this user". The LDAP
> authentication is getting done. and the EAP is also getting started. But,
> the credentials of the LDAP is not getting used for EAP.
>
> Please suggest the reason for this error. Log is given below.
>
> Joseph
>
> ===============================================================================
> rad_recv: Access-Request packet from host 192.168.1.7:21645, id=245,
> length=125
>         User-Name = "FAnthony"
>         Framed-MTU = 1400
>         Called-Station-Id = "000e.d7b1.008b"
>         Calling-Station-Id = "000f.2478.85cf"
>         Message-Authenticator = 0x2f568765c076a1cc35ec515b50580740
>         EAP-Message = 0x0202000d0146416e74686f6e79
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 485
>         Service-Type = Framed-User
>         NAS-IP-Address = 192.168.1.7

[...]

> rlm_ldap: Password header not found in password (91CA0741343JHUG6C9A32A21F)
> for user FAnthony

The above is the error you are looking for. Check the password_header ldap
configuration directive.

> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...

--
Kostas Kalevras         Network Operations Center
kkalev@noc.ntua.gr      National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
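
Added example, not part of the thread and not FreeRADIUS code: a small triage script that groups the three symptoms discussed above (missing password header, no password for LEAP, incorrect NtChallengeResponse) by request number, and masks the value rlm_ldap prints in parentheses before a debug log is posted publicly. The function names, event names and the sample log are assumptions constructed for this illustration.

```python
import re

# Constructed excerpt in the format of the radiusd debug output quoted above;
# the parenthesised values are placeholders, not real directory passwords.
SAMPLE_LOG = """\
modcall: entering group authorize for request 0
rlm_ldap: Password header not found in password (HASHVALUE0) for user alice
rlm_eap_leap: No User-Password or NT-Password configured for this user
modcall: entering group authorize for request 1
rlm_ldap: Added password (HASHVALUE1) in check items
modcall: entering group authenticate for request 1
rlm_eap_leap: Stage 4
rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP
modcall: group authenticate returns invalid for request 1
"""

REQ = re.compile(r"entering group [\w-]+ for request (\d+)")
STAGE = re.compile(r"rlm_eap_leap: Stage (\d+)")
RULES = [  # (event name, pattern); group 1, when present, is the password value
    ("ldap_header_missing", re.compile(r"rlm_ldap: Password header not found in password \((.*?)\)")),
    ("ldap_password_added", re.compile(r"rlm_ldap: Added password \((.*?)\) in check items")),
    ("leap_no_password", re.compile(r"rlm_eap_leap: No User-Password or NT-Password configured")),
    ("leap_bad_response", re.compile(r"rlm_eap_leap: FAILED incorrect NtChallengeResponse")),
]

def triage(log_text):
    """Group the symptoms seen in this thread by request number."""
    requests, current = {}, None
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            current = int(m.group(1))
            requests.setdefault(current, {"stage": None, "events": [], "pw_len": None})
            continue
        if current is None:
            continue
        rec = requests[current]
        m = STAGE.search(line)
        if m:
            rec["stage"] = int(m.group(1))
        for name, rx in RULES:
            m = rx.search(line)
            if m and name not in rec["events"]:
                rec["events"].append(name)
                if rx.groups:
                    rec["pw_len"] = len(m.group(1))  # report length, never the value
    return requests

def redact(log_text):
    """Mask the value rlm_ldap prints in parentheses before a log is shared."""
    return re.sub(r"(rlm_ldap: .*?password \()[^)]*(\))", r"\1<redacted>\2", log_text)
```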