Hello, I'm facing some kind of configuration trouble with freeradius and openldap. I got a new Access Point which I'm trying to use with 802.1x auth.
I'm using a classical samba/qmail LDAP schema so that users in the company can authenticate against ldap with win/linux workstations. Basically, I got 3 password fields: lmPassword, ntPassword, and userPassword. All of them are encrypted, and there is no "0x" in front of the ntPassword.

The ldap section in radiusd.conf seems to be ok, the connection is done, and I've set the password_attribute to "userPassword" and later to "ntPassword" to check if it changed anything to the problem (no).

Other sections I'm using:

authorize {
        preprocess
        auth_log
        ldap
        eap
}

authenticate {
        eap
}

Now, when I set up a 802.1x client, the AP connects to the radius server and here is the debug output:

Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.6.3:1134, id=71, length=172
        NAS-IP-Address = 192.168.6.3
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Framed-MTU = 1400
        User-Name = "arnauld.dravet"
        Calling-Station-Id = "00904b625711"
        Called-Station-Id = "000d54fc1807"
        NAS-Identifier = "EPSI AP1"
        State = 0xa63191155f9268efbcad3167d4e42e90
        EAP-Message = 0x0202002404105f6aa1f2ca8bfe0b6efc3da31527335861726e61756c642e647261766574
        Message-Authenticator = 0xb917bedaab691dda63cd4364b2d93ae8
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
radius_xlat: '/var/log/radius/radacct/192.168.6.3/auth-detail-20040618'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.6.3/auth-detail-20040618
modcall[authorize]: module "auth_log" returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for arnauld.dravet
radius_xlat: '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
radius_xlat: 'ou=Users,dc=mtp,dc=epsi,dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter (&(objectclass=posixAccount)(uid=arnauld.dravet))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user arnauld.dravet authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 3
rlm_eap: EAP packet type response id 2 length 36
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type LDAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'arnauld.dravet'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/md5
rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 3
modcall: group authenticate returns invalid for request 3
auth: Failed to validate the user.
Login incorrect: [arnauld.dravet/<no User-Password attribute>] (from client ap1 port 1 cli 00904b625711)
Delaying request 3 for 2 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 71 to 192.168.6.3:1134
        EAP-Message = 0x04020004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 70 with timestamp 40d298d0
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 71 with timestamp 40d298d1
Nothing to do. Sleeping until we see a request.

I've been stuck on this problem for two days. I think I've read all the documentation and mailing list archives. I've tried different things, but it still finishes with a message saying it's missing the User-Password attribute...

I've of course also tried to use ldap in the authenticate section. I tested the initial config with radtest and it worked fine when I used ldap in the authenticate section, because radtest won't use eap...

Thanks for any help you can give :)

--
Arnauld Dravet