Hey, Thanks for the help...
Still having difficulty, although I think you are
right on target.
LDAP appear to respond correctly then Radius states
that the User-Password attribute is missing. Isn't
this what I set with the ldap.attrmap and
dictionary_mapping in the radiusd.conf?
Here are snippets from configs and the radiusd -X
output for the failed eap request...
Please let me know if more is needed.
Thanks,
Matt
********ldap.attrmap:
checkItem User-Password userPassword
********radiusd.conf:
modules {
eap {
default_eap_type = md5
timer_expire = 60
md5 {
}
mschap {
authtype = MS-CHAP
}
ldap {
server = "localhost"
identity = "cn=Manager,dc=yoyo,dc=com"
password = secret
basedn = "dc=yoyo,dc=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = userPassword
timeout = 4
timelimit = 3
net_timeout = 1
}
}
authorize {
preprocess
eap
files
mschap
ldap
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap
}
eap
}
*********Users File:
testuser Auth-Type := EAP, User-Password ==
"testpass"
raduser Auth-Type := Local, User-Password ==
"testpass"
DEFAULT Auth-Type := LDAP
Fall-Through = 1
*********radiusd -X output to failed eap request for
ldap user
rad_recv: Access-Request packet from host
143.116.5.238:2048, id=98, length=117
NAS-IP-Address = 192.168.1.238
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Message-Authenticator =
0xf884d8f729a9e770bd73e8e33f6e22e7
NAS-Port = 20
Framed-MTU = 1490
User-Name = "matt_moore"
Calling-Station-Id = "00-B0-D0-74-C3-5A"
EAP-Message = 0x0201000f016d6174745f6d6f6f7265
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_eap: EAP packet type notification id 1 length 15
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
users: Matched DEFAULT at 154
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for matt_moore
radius_xlat: '(uid=matt_moore)'
radius_xlat: 'dc=yoyo,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=yoyo,dc=com, with
filter (uid=matt_moore)
rlm_ldap: Added password test123 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value
test123 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user matt_moore authorized to use remote
access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for
authentication.
modcall[authenticate]: module "ldap" returns invalid
modcall: group Auth-Type returns invalid
auth: Failed to validate the user.
Login incorrect: [matt_moore/<no User-Password
attribute>] (from client plant1 port 20 cli
00-B0-D0-74-C3-5A)
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host
192.168.1.238:2048, id=98, length=117
Sending Access-Reject of id 98 to 192.168.1.238:2048
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 98 with timestamp 41f56ee2
Nothing to do. Sleeping until we see a request.
--- NextGen$'s ShaDow <[EMAIL PROTECTED]> wrote:
> I solved this problem using an other attribute :
> in /etc/freeradius/ldap.attrmap :
>
> checkItem User-Password
> radiusTunnelPassword
>
> and set up passwords in it ;-)
>
> I think it's only an access right problem on the
> LDAP 'userPassword'
> attribute...
>
> If that don't solve your problem, please send a copy
> of your config.
> files and give more informations : It'll be easier
> to help.
>
> Regards
>
> Matt Moore a écrit :
>
> >Hello all,
> >
> >I am trying to setup a radius service for eap with
> an
> >ldap backend. I have gotten the ldap backend
> working
> >and I have gotten eap to work with a user defined
> in
> >the users file. Next 2 lines from my users file.
> >
> >testuser Auth-Type := EAP, User-Password ==
> >"testpass"
> >DEFAULT Auth-Type := LDAP
> >
> >But, how do I get EAP to work with ldap backend in
> >this situation? Or am I missing something more
> >fundamental? I have looked through the archives,
> but
> >turned up only help on ldap or eap, not combining
> the
> >two... any pointers?
> >
> >Thanks,
> >Matt Moore
> >
> >
> >
> >
> >__________________________________
> >Do you Yahoo!?
> >The all-new My Yahoo! - Get yours free!
> >http://my.yahoo.com
> >
> >
> >
> >-
> >List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
> >
> >
>
> --
> NextGen$.
> ---> In a world without fences nor walls - who needs
> windows and gates ?
>
> On peut obéïr aux lois en souhaitant qu'elles
> changent, comme on sert à la guerre en souhaitant la
> paix.
> Merleau Ponty "L'éloge de la philosophie"
>
>
> ATTACHMENT part 2 application/pgp-signature
name=signature.asc
__________________________________
Do you Yahoo!?
Yahoo! Mail - You care about security. So do we.
http://promotions.yahoo.com/new_mail
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
