I am using FreeRadius 1.0.0Pre3. I am having a problem trying to get my user to authenticate. It seems as though everything is working right but the user is not being authenticated. The debug shows that the password is the same as the ntpassword from the LDAP server but it is not working. Here is a portion of the debug log file:

Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host <PROTECTED>, id=228, length=219
    User-Name = "nhb5"
    Framed-MTU = 1400
    Called-Station-Id = "000d.ed4c.f93d"
    Calling-Station-Id = "000c.f130.b094"
    Message-Authenticator = 0x3ccb10295e286d284666ec46af251394
    EAP-Message = 0x020800561900170301004b8e0f8589ab7d18d41dbd26de8891f6768749c1af2b29aeb7e1d437fffba30a5816c4ab38c834b740355c1e4a17affee2e6a271733035bcb599d7ac9684bb5be7f4b63e8e06878f269871e5
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 426
    State = 0x5838e5b33cf16ad5b8dc180c3590ca3c
    Service-Type = Framed-User
    NAS-IP-Address = <PROTECTED>
    NAS-Identifier = "<PROTECTED>"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
radius_xlat: '/usr/local/radius/share/<PROTECTED>/auth-detail-20040804'
rlm_detail: /usr/local/radius/share/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/share/<PROTECTED>/auth-detail-20040804
modcall[authorize]: module "auth_log" returns ok for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nhb5
radius_xlat: '(uid=nhb5)'
radius_xlat: '<PROTECTED>'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in <PROTECTED> with filter (uid=nhb5)
rlm_ldap: Added password EAC65B528A048695B20A771229A76215 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
rlm_ldap: Adding ntPassword as NT-Password, value EAC65B528A048695B20A771229A76215 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value E4262816C09038B4C81667E9D738C5D9 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nhb5 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
rlm_eap: EAP packet type response id 8 length 86
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type LDAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'nhb5'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to nhb5
PEAP: Adding old state with 96 eb
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
radius_xlat: '/usr/local/radius/share/<PROTECTED>/auth-detail-20040804'
rlm_detail: /usr/local/radius/share/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/share/127.0.0.1/auth-detail-20040804
modcall[authorize]: module "auth_log" returns ok for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nhb5
radius_xlat: '(uid=nhb5)'
radius_xlat: '<PROTECTED>'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in <PROTECTED> with filter (uid=nhb5)
rlm_ldap: Added password EAC65B528A048695B20A771229A76215 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
rlm_ldap: Adding ntPassword as NT-Password, value EAC65B528A048695B20A771229A76215 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value E4262816C09038B4C81667E9D738C5D9 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nhb5 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
rlm_eap: EAP packet type response id 8 length 63
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type LDAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'nhb5'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 228 to <PROTECTED>:21669
    EAP-Message = 0x010900261900170301001b272a551d2acbf19b0d0d3a85dfbef20771ffb263a732ef451e6910
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xa6f45a05613f44d41620498401847ad9
Finished request 6

And here are my LDAP, authorize and authenticate sections from radiusd.conf, with comments deleted:

ldap {
    server = "<PROTECTED>"
    identity = "<PROTECTED>"
    password = <PROTECTED>
    basedn = "ou=accounts,ou=caedm,dc=et,dc=byu,dc=edu"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    base_filter = "(objectclass=sambaAccount)"
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    password_attribute = ntPassword
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

authorize {
    preprocess
    auth_log
    ldap
    eap
}

authenticate {
    eap
}

Thanks

Nathan Blackham