Hello,
I'm facing some kind of configuration trouble with freeradius and openldap. I
got a new Access Point which I'm trying to use with 802.1x auth.
I'm using a classical samba/qmail LDAP schema so that users in the company can
authenticate against LDAP with Windows/Linux workstations. Basically, I've got 3
password fields: lmPassword, ntPassword, and userPassword. All of them are
encrypted and there is no "0x" in front of the ntPassword.
The ldap section in radiusd.conf seems to be OK, the connection is made, and I've
set the password_attribute to "userPassword" and later to "ntPassword" to check
whether it changed anything about the problem (it didn't).
Other sections I'm using:

    authorize {
        preprocess
        auth_log
        ldap
        eap
    }

    authenticate {
        eap
    }

Now, when I set up an 802.1x client, the AP connects to the radius server and here
is the debug output:
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.6.3:1134, id=71, length=172
NAS-IP-Address = 192.168.6.3
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Framed-MTU = 1400
User-Name = "arnauld.dravet"
Calling-Station-Id = "00904b625711"
Called-Station-Id = "000d54fc1807"
NAS-Identifier = "EPSI AP1"
State = 0xa63191155f9268efbcad3167d4e42e90
EAP-Message = 0x0202002404105f6aa1f2ca8bfe0b6efc3da31527335861726e61756c642e647261766574
Message-Authenticator = 0xb917bedaab691dda63cd4364b2d93ae8
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
radius_xlat: '/var/log/radius/radacct/192.168.6.3/auth-detail-20040618'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.6.3/auth-detail-20040618
modcall[authorize]: module "auth_log" returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for arnauld.dravet
radius_xlat: '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
radius_xlat: 'ou=Users,dc=mtp,dc=epsi,dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter (&(objectclass=posixAccount)(uid=arnauld.dravet))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user arnauld.dravet authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 3
rlm_eap: EAP packet type response id 2 length 36
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type LDAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'arnauld.dravet'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/md5
rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 3
modcall: group authenticate returns invalid for request 3
auth: Failed to validate the user.
Login incorrect: [arnauld.dravet/<no User-Password attribute>] (from client ap1 port 1 cli 00904b625711)
Delaying request 3 for 2 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 71 to 192.168.6.3:1134
EAP-Message = 0x04020004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 70 with timestamp 40d298d0
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 71 with timestamp 40d298d1
Nothing to do. Sleeping until we see a request.
I've been stuck on this problem for two days; I think I've read all the
documentation and mailing list archives. I've tried different things, but it
still finishes with a message saying it is missing the User-Password attribute. I've
of course also tried to use ldap in the authenticate section. I tested the initial
config with radtest and it worked fine when I used ldap in the authenticate
section, because radtest won't use eap.
Thanks for any help you can give :)
--
Arnauld Dravet
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
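The failing line in the debug output is `rlm_eap_md5: User-Password is required for EAP-MD5 authentication`. The EAP-Message in the Access-Request is an EAP-MD5 (RFC 3748 type 4, i.e. CHAP per RFC 1994) response, and the peer's response value is MD5(Identifier || password || challenge). The server can only recompute that if it has the cleartext password bytes, so an LDAP entry holding only hashed userPassword/ntPassword values cannot satisfy it, whichever of them password_attribute points at. The following is an added example written for this thread, not code from the poster or from the FreeRADIUS project: it decodes the EAP-Message above and implements the server-side EAP-MD5 check to make the cleartext requirement concrete. The challenge bytes and passwords in the `__main__` block are constructed, since the Access-Challenge that carried the real challenge is not in the log.

```python
import hashlib
import hmac
import struct

# EAP-Message attribute value copied from the Access-Request in the debug output above.
EAP_MESSAGE_HEX = "0x0202002404105f6aa1f2ca8bfe0b6efc3da31527335861726e61756c642e647261766574"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}
EAP_TYPE_MD5_CHALLENGE = 4


def parse_eap_message(hex_value):
    """Decode one RADIUS EAP-Message attribute (RFC 3748 framing).

    Returns the EAP code, identifier and length plus, for Request/Response
    packets, the method type.  For MD5-Challenge the type data follows the
    RFC 1994 CHAP layout: Value-Size (1 byte), Value, Name.
    """
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type byte and type data
        eap_type = raw[4]
        msg["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == EAP_TYPE_MD5_CHALLENGE:
            value_size = raw[5]
            msg["value"] = raw[6:6 + value_size]
            msg["name"] = raw[6 + value_size:].decode("ascii", errors="replace")
    return msg


def eap_md5_response(ident, cleartext_password, challenge):
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + cleartext_password + challenge).digest()


def verify_eap_md5(ident, cleartext_password, challenge, response_value):
    """Server-side check of an EAP-MD5 response.

    The password bytes themselves are part of the MD5 input, so a stored
    hash (userPassword or ntPassword) cannot be substituted; this is why
    rlm_eap_md5 refuses to run without a cleartext User-Password.
    """
    expected = eap_md5_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, response_value)


if __name__ == "__main__":
    msg = parse_eap_message(EAP_MESSAGE_HEX)
    print(msg)  # code=Response, id=2, type=MD5-Challenge, name=arnauld.dravet

    # Constructed challenge and passwords (not from the log) to exercise the check.
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    response = eap_md5_response(msg["id"], b"correct-password", challenge)
    print(verify_eap_md5(msg["id"], b"correct-password", challenge, response))  # True
    print(verify_eap_md5(msg["id"], b"wrong-password", challenge, response))    # False
```

Running it shows the supplicant is doing plain EAP-MD5 (id 2, name "arnauld.dravet"), not a method that can be verified from the stored hashes. The two usual ways out are either to make the cleartext password available to FreeRADIUS, or to have the client use an EAP method whose verification matches what the directory stores (for an NT hash, the MSCHAPv2 family; for hashed userPassword, a method that binds to LDAP such as TTLS/PAP).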