I am using FreeRadius 1.0.0Pre3.
I am having a problem trying to get my user to authenticate.  It seems
as though everything is working right but the user is not being
authenticated.  The debug shows that the password is the same as the
ntpassword from the LDAP server but it is not working.  Here is a
portion of the debug log file:

Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host <PROTECTED>, id=228,
length=219
        User-Name = "nhb5"
        Framed-MTU = 1400
        Called-Station-Id = "000d.ed4c.f93d"
        Calling-Station-Id = "000c.f130.b094"
        Message-Authenticator = 0x3ccb10295e286d284666ec46af251394
        EAP-Message =
0x020800561900170301004b8e0f8589ab7d18d41dbd26de8891f6768749c1af2b29aeb7e1d437fffba30a5816c4ab38c834b740355c1e4a17affee2e6a271733035bcb599d7ac9684bb5be7f4b63e8e06878f269871e5
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 426
        State = 0x5838e5b33cf16ad5b8dc180c3590ca3c
        Service-Type = Framed-User
        NAS-IP-Address = <PROTECTED>
        NAS-Identifier = "<PROTECTED>"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
radius_xlat:  '/usr/local/radius/share/<PROTECTED>/auth-detail-20040804'
rlm_detail:
/usr/local/radius/share/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /usr/local/radius/share/<PROTECTED>/auth-detail-20040804
  modcall[authorize]: module "auth_log" returns ok for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nhb5
radius_xlat:  '(uid=nhb5)'
radius_xlat:  '<PROTECTED>'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in <PROTECTED> with filter (uid=nhb5)
rlm_ldap: Added password EAC65B528A048695B20A771229A76215 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
rlm_ldap: Adding ntPassword as NT-Password, value
EAC65B528A048695B20A771229A76215 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value
E4262816C09038B4C81667E9D738C5D9 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nhb5 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 6
  rlm_eap: EAP packet type response id 8 length 86
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type LDAP
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'nhb5'
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Setting User-Name to nhb5
  PEAP: Adding old state with 96 eb
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
radius_xlat:  '/usr/local/radius/share/<PROTECTED>/auth-detail-20040804'
rlm_detail:
/usr/local/radius/share/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /usr/local/radius/share/127.0.0.1/auth-detail-20040804
  modcall[authorize]: module "auth_log" returns ok for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nhb5
radius_xlat:  '(uid=nhb5)'
radius_xlat:  '<PROTECTED>'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in <PROTECTED> with filter (uid=nhb5)
rlm_ldap: Added password EAC65B528A048695B20A771229A76215 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
rlm_ldap: Adding ntPassword as NT-Password, value
EAC65B528A048695B20A771229A76215 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value
E4262816C09038B4C81667E9D738C5D9 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nhb5 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 6
  rlm_eap: EAP packet type response id 8 length 63
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type LDAP
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'nhb5'
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  ERROR: Unknown value specified for Auth-Type.  Cannot perform
requested action.
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 228 to <PROTECTED>:21669
        EAP-Message =
0x010900261900170301001b272a551d2acbf19b0d0d3a85dfbef20771ffb263a732ef451e6910
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa6f45a05613f44d41620498401847ad9
Finished request 6


And here are my ldap, authorize and authenticate sections from
radiusd.conf, with comments deleted:

ldap {
        server = "<PROTECTED>"
        identity = "<PROTECTED>"
        password = <PROTECTED>
        basedn = "ou=accounts,ou=caedm,dc=et,dc=byu,dc=edu"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=sambaAccount)"
        start_tls = no

        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5

        password_attribute = ntPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
authorize {
        preprocess
        auth_log
        
        ldap
        eap
}

authenticate {
        eap
}


Thanks
Nathan Blackham
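
An added example, not part of the original post: a small Python triage of debug output like the log above. It pairs each `auth: type` line with its `group authenticate returns` line, so the outer PEAP pass and the tunneled inner pass are reported separately with the Auth-Types found, the EAP type processed and any ERROR line. The sample lines are copied from the log in this post; the function and field names are hypothetical.

```python
import re

# Constructed sample: lines copied from the debug log in the post above.
SAMPLE = """\
  rad_check_password:  Found Auth-Type LDAP
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  rlm_eap: processing type peap
  rad_check_password:  Found Auth-Type LDAP
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'nhb5'
auth: type "EAP"
  rlm_eap: processing type mschapv2
  ERROR: Unknown value specified for Auth-Type.  Cannot perform
requested action.
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
"""

def triage(log):
    """Split debug output into authenticate passes (outer, then tunneled)."""
    passes, stack, pending = [], [], []
    for line in log.splitlines():
        line = line.strip()
        if m := re.match(r'rad_check_password:\s+Found Auth-Type (\S+)', line):
            pending.append(m.group(1))        # candidates seen before the pass
        elif m := re.match(r'auth: type "([^"]+)"', line):
            p = {"depth": len(stack), "found": pending, "used": m.group(1),
                 "eap_type": None, "errors": [], "result": None}
            pending = []
            passes.append(p)
            stack.append(p)                   # an inner pass nests in the outer
        elif not stack:
            continue
        elif m := re.match(r'rlm_eap: processing type (\S+)', line):
            stack[-1]["eap_type"] = m.group(1)
        elif line.startswith("ERROR:"):
            stack[-1]["errors"].append(line[6:].strip())
        elif m := re.match(r'modcall: group authenticate returns (\w+)', line):
            stack.pop()["result"] = m.group(1)  # closes the innermost open pass
    return passes

def suspicious(passes):  # more than one Auth-Type candidate, or an ERROR line
    return [p for p in passes if len(p["found"]) > 1 or p["errors"]]

if __name__ == "__main__":
    for p in triage(SAMPLE):
        print(p["depth"], p["found"], p["eap_type"], p["result"], p["errors"])
```
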
