I am also struggling with this same problem as Arnauld, so hopefully the solution to my
problem will be the same as the solution to his.  It seems that the password is not
being extracted from LDAP.  I know there has been lots of conversation going on about
this in the past, but I'm still not sure whether my configuration is correct.  I'll
post some relevant info:

radiusd.conf:

eap {
        default_eap_type = md5
        timer_expire     = 60
        md5 {
        }
}
..
ldap {
        server = "ldap.domain.com"
        basedn = "ou=people,dc=domain,dc=com"
        filter = "(uid=%{User-Name})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
The other attributes are commented out.

authorize{
                preprocess
                eap
                ldap
}

authenticate{
                eap
}

Finally, here is what happens when I try to authenticate:

Ready to process requests.
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1024, id=39, length=103
        NAS-IP-Address = XXX.XXX.XXX.XXX
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0x1212fff00a4b01a5b7a71915ca70554a
        NAS-Port = 11
        Framed-MTU = 1490
        User-Name = "mda"
        Calling-Station-Id = " 0- 2-B3- 4-DC-C7"
        EAP-Message = 0x02060008016d6461
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    users: Matched DEFAULT at 181
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mda
radius_xlat:  '(uid=mda)'
radius_xlat:  'ou=people,dc=domain,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.domian.com:389, authentication 0
rlm_ldap: bind as / to ldap.domain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=people,dc=domain,dc=com, with filter (uid=mda)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mda authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  rlm_eap: EAP packet type notification id 6 length 8
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 0
  rlm_eap: EAP packet type notification id 6 length 8
  rlm_eap: EAP Start not found
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [mda] (from client matt port 11 cli  0- 2-B3- 4-DC-C7)
Sending Access-Challenge of id 39 to XXX.XXX.XXX.XXX:1024
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x0107001604100ef750947c7048fdaa847777ff26a493
        Message-Authenticator = 0x00000000000000000000000000000000
        State =
0xc2ad44327337a497591079562232c5ffcdf3d24047b349ea0e91e83f44f9bb31a8798196
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1024, id=40, length=158
        NAS-IP-Address = XXX.XXX.XXX.XXX
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0x91075ac82afb21f4fd3b327f7a1b1bc4
        NAS-Port = 11
        Framed-MTU = 1490
        User-Name = "mda"
        Calling-Station-Id = " 0- 2-B3- 4-DC-C7"
        State =
0xc2ad44327337a497591079562232c5ffcdf3d24047b349ea0e91e83f44f9bb31a8798196
        EAP-Message = 0x020700190410dd6eb09c6c721bd91d603e18ef781ff46d6461
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
    users: Matched DEFAULT at 181
  modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mda
radius_xlat:  '(uid=mda)'
radius_xlat:  'ou=people,dc=domain,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=com, with filter (uid=mda)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mda authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
  rlm_eap: EAP packet type notification id 7 length 25
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1
  rlm_eap: EAP packet type notification id 7 length 25
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - md5
  rlm_eap: processing type md5
rlm_eap_md5: No password configured for this user
  modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Login incorrect: [mda/<no User-Password attribute>] (from client matt port 11 cli  0-
2-B3- 4-DC-C7)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1024, id=40, length=158
Sending Access-Reject of id 40 to XXX.XXX.XXX.XXX:1024
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1024, id=40, length=158
Sending duplicate reply to client matt:1024 - ID: 40
Re-sending Access-Reject of id 40 to XXX.XXX.XXX.XXX:1024
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 39 with timestamp 40d2f3cd
Cleaning up request 1 ID 40 with timestamp 40d2f3cd
Nothing to do.  Sleeping until we see a request.


I am running FreeRADIUS 0.9.3 and connecting to an LDAP directory that another employee
set up.  Any help would be much appreciated by myself and, I'm sure, by Arnauld as well.
Thanks!

-Alastair Grant

Quoting Kostas Kalevras <[EMAIL PROTECTED]>:

> On Fri, 18 Jun 2004, Arnauld Dravet wrote:
> 
> > Hello
> >
> > I'm facing some kind of configuration trouble with freeradius and openldap. I
> > got a new Access Point which I'm trying to use with 802.1x auth.
> >
> >
> > I'm using a classical samba/qmail LDAP schema so that users in the company can
> > authenticate against ldap with win/linux workstations. Basically, I got 3
> > password fields, lmPassword, ntPassword, and userPassword. All of them are
> > encrypted and there is no "0x" in front of the ntPassword.
> >
> > The ldap section in radiusd.conf seems to be ok, the connection is done, and I've
> > set the password_attribute to "userPassword" and later to "ntPassword" to check
> > if it changed anything about the problem (no).
> >
> > Other sections I'm using:
> >
> > authorize {
> >   preprocess
> >   auth_log
> >   ldap
> >   eap
> > }
> >
> > authenticate {
> >   eap
> > }
> >
> > Now, when I set up a 802.1x client, the AP connects to the radius server and here
> > is the debug output:
> >
> > Waking up in 6 seconds...
> > rad_recv: Access-Request packet from host 192.168.6.3:1134, id=71, length=172
> >         NAS-IP-Address = 192.168.6.3
> >         NAS-Port-Type = Wireless-802.11
> >         NAS-Port = 1
> >         Framed-MTU = 1400
> >         User-Name = "arnauld.dravet"
> >         Calling-Station-Id = "00904b625711"
> >         Called-Station-Id = "000d54fc1807"
> >         NAS-Identifier = "EPSI AP1"
> >         State = 0xa63191155f9268efbcad3167d4e42e90
> >         EAP-Message =
> > 0x0202002404105f6aa1f2ca8bfe0b6efc3da31527335861726e61756c642e647261766574
> >         Message-Authenticator = 0xb917bedaab691dda63cd4364b2d93ae8
> >   Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 3
> >   modcall[authorize]: module "preprocess" returns ok for request 3
> > radius_xlat:  '/var/log/radius/radacct/192.168.6.3/auth-detail-20040618'
> > rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> > expands to /var/log/radius/radacct/192.168.6.3/auth-detail-20040618
> >   modcall[authorize]: module "auth_log" returns ok for request 3
> > rlm_ldap: - authorize
> > rlm_ldap: performing user authorization for arnauld.dravet
> > radius_xlat:  '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
> > radius_xlat:  'ou=Users,dc=mtp,dc=epsi,dc=fr'
> > rlm_ldap: ldap_get_conn: Checking Id: 0
> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter
> > (&(objectclass=posixAccount)(uid=arnauld.dravet))
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
> > rlm_ldap: looking for reply items in directory...
> > rlm_ldap: user arnauld.dravet authorized to use remote access
> > rlm_ldap: ldap_release_conn: Release Id: 0
> 
> Either you haven't configured password extraction in the ldap module or it isn't
> working. Make sure the user rlm_ldap uses to connect to the ldap server is
> allowed to read the userpassword entry. Posting your rlm_ldap configuration
> might help.
> 
> >   modcall[authorize]: module "ldap" returns ok for request 3
> >   rlm_eap: EAP packet type response id 2 length 36
> >   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> >   modcall[authorize]: module "eap" returns updated for request 3
> > modcall: group authorize returns updated for request 3
> >   rad_check_password:  Found Auth-Type LDAP
> >   rad_check_password:  Found Auth-Type EAP
> > Warning:  Found 2 auth-types on request for user 'arnauld.dravet'
> > auth: type "EAP"
> >   Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 3
> >   rlm_eap: Request found, released from the list
> >   rlm_eap: EAP/md5
> >   rlm_eap: processing type md5
> > rlm_eap_md5: User-Password is required for EAP-MD5 authentication
> >  rlm_eap: Handler failed in EAP/md5
> >   rlm_eap: Failed in EAP select
> >   modcall[authenticate]: module "eap" returns invalid for request 3
> > modcall: group authenticate returns invalid for request 3
> > auth: Failed to validate the user.
> > Login incorrect: [arnauld.dravet/<no User-Password attribute>] (from client ap1
> > port 1 cli 00904b625711)
> > Delaying request 3 for 2 seconds
> > Finished request 3
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 2 seconds...
> > --- Walking the entire request list ---
> > Waking up in 2 seconds...
> > --- Walking the entire request list ---
> > Sending Access-Reject of id 71 to 192.168.6.3:1134
> >         EAP-Message = 0x04020004
> >         Message-Authenticator = 0x00000000000000000000000000000000
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 2 ID 70 with timestamp 40d298d0
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 3 ID 71 with timestamp 40d298d1
> > Nothing to do.  Sleeping until we see a request.
> >
> >
> > It's been two days I'm stuck on this problem; I think I've read all the
> > documentation and mailing list archives. I've tried different things, but it
> > still finishes with a message saying it misses the User-Password attribute. I've
> > of course also tried to use ldap in the authenticate section. I tested the initial
> > config with radtest and it worked fine when I used ldap in the authenticate
> > section, cause radtest won't use eap ...
> >
> > Thanks for any help you can give :)
> >
> > --
> > Arnauld Dravet
> >
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> 
> --
> Kostas Kalevras               Network Operations Center
> [EMAIL PROTECTED]     National Technical University of Athens, Greece
> Work Phone:           +30 210 7721861
> 'Go back to the shadow'       Gandalf
> 

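The failure both posts report ("No password configured for this user" in one trace, "User-Password is required for EAP-MD5 authentication" in the other) comes down to how EAP-MD5 works: the server itself must compute MD5(identifier || password || challenge) and compare it with the client's digest, so the authorize stage (here rlm_ldap reading userPassword) has to hand it the cleartext password. The Python script below is an added example written for this page, not FreeRADIUS or rlm_ldap code. It decodes the EAP-Message values copied from the trace above and performs that server-side check. The password, challenge and LDAP attribute values it uses for the round trip are constructed, and cleartext_from_attribute is a simplified model of what a cleartext-only method can consume, not rlm_ldap's actual attribute handling.

```python
# Added example (not FreeRADIUS code): decode EAP-Message values from a
# radiusd -X trace and perform the EAP-MD5 check that rlm_eap_md5 needs a
# cleartext password for (RFC 3748 section 5.4; same MD5 construction as
# CHAP in RFC 1994).
import hashlib
import hmac
from typing import Optional

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def parse_eap(hex_msg: str) -> dict:
    """Decode one EAP-Message attribute as printed by radiusd ('0x...' hex)."""
    raw = bytes.fromhex(hex_msg[2:] if hex_msg.startswith("0x") else hex_msg)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": code, "id": ident, "length": length}
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return pkt                        # Success/Failure carry no Type byte
    pkt["type"] = raw[4]
    data = raw[5:]
    if pkt["type"] == EAP_TYPE_IDENTITY:
        pkt["identity"] = data.decode("ascii", "replace")
    elif pkt["type"] == EAP_TYPE_MD5:
        if not data:
            raise ValueError("MD5-Challenge without Value-Size")
        size = data[0]                    # Value-Size, Value, then optional Name
        pkt["value"], pkt["name"] = data[1:1 + size], data[1 + size:]
        if len(pkt["value"]) != size:
            raise ValueError("truncated MD5-Challenge value")
    return pkt


def md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """The digest both peers compute: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def _eap_packet(code: int, ident: int, body: bytes) -> str:
    return "0x" + (bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body).hex()


def build_md5_request(ident: int, challenge: bytes, name: bytes = b"") -> str:
    """Server -> client MD5-Challenge request (what 'Issuing Challenge' sends)."""
    return _eap_packet(EAP_REQUEST, ident, bytes([EAP_TYPE_MD5, len(challenge)]) + challenge + name)


def build_md5_response(ident: int, password: bytes, challenge: bytes, name: bytes = b"") -> str:
    """Client -> server response carrying the digest and the user name."""
    value = md5_response(ident, password, challenge)
    return _eap_packet(EAP_RESPONSE, ident, bytes([EAP_TYPE_MD5, len(value)]) + value + name)


def cleartext_from_attribute(value: bytes) -> Optional[bytes]:
    """Simplified model (assumption, not rlm_ldap's logic): only a cleartext
    userPassword can feed EAP-MD5; a {SSHA}/{crypt}/{MD5} hash cannot."""
    if value.startswith(b"{"):
        scheme, _, rest = value[1:].partition(b"}")
        return rest if scheme.lower() in (b"clear", b"cleartext") else None
    return value


def verify_md5(request_hex: str, response_hex: str, password: Optional[bytes]) -> str:
    """Server-side outcome; 'no-password' is the situation the traces show,
    where authorize handed rlm_eap_md5 nothing it could use."""
    req, resp = parse_eap(request_hex), parse_eap(response_hex)
    if req["code"] != EAP_REQUEST or req.get("type") != EAP_TYPE_MD5:
        return "not-md5-request"
    if resp["code"] != EAP_RESPONSE or resp.get("type") != EAP_TYPE_MD5:
        return "not-md5-response"
    if resp["id"] != req["id"]:
        return "id-mismatch"
    if password is None:
        return "no-password"
    expected = md5_response(req["id"], password, req["value"])
    return "ok" if hmac.compare_digest(expected, resp["value"]) else "bad-password"


if __name__ == "__main__":
    # EAP-Message values copied from the trace in the post above (EAP id 7).
    req_hex = "0x0107001604100ef750947c7048fdaa847777ff26a493"
    resp_hex = "0x020700190410dd6eb09c6c721bd91d603e18ef781ff46d6461"
    print(parse_eap(req_hex))
    print(parse_eap(resp_hex))
    # A hashed userPassword (constructed value) leaves the check unable to start:
    print(verify_md5(req_hex, resp_hex, cleartext_from_attribute(b"{SSHA}constructed-hash")))
    # Full round trip with a constructed password and challenge:
    chal, pw = bytes(range(16)), b"constructed-secret"
    print(verify_md5(build_md5_request(9, chal), build_md5_response(9, pw, chal, b"mda"), pw))
```

Running it shows request id 7 carrying a 16-byte challenge and the response carrying the client's digest plus the name "mda"; with nothing usable from the directory the outcome is "no-password", which is the state both traces end in. On the directory side this is the check Kostas suggests: the identity rlm_ldap binds with (the trace above prints "bind as /", meaning an empty bind identity and password, i.e. an anonymous bind) must be allowed by the OpenLDAP ACLs to read userPassword, and the value it reads must be cleartext, because a {SSHA} or {crypt} hash cannot be put through the MD5 above.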