Hi,
   FreeRADIUS is trying to do LDAP authentication and not PEAP
authentication. This is probably because you have not configured the
peap module. Please read eap.conf on how to configure the peap module.
The rest of the comments are inline.


On Wed, 2005-05-18 at 16:49 -0500, Matt McFarlane wrote:
> Totally new to radius.  I've installed freeradius 1.02 --with-edir on Suse 9. 
>  Attempting to use 802.1X auth from wireless user behind HP 420 AP using 
> WinXP to an eDir tree via LDAP.  When I use radtest the bind is successful.  
> However when using the 802.1X supplicant I get the output below.  Two things 
> I've noticed are that the password appears to not be received (via PEAP) and 
> that the bind password is being sent as "aassword" instead of "password" no 
> matter what I enter on the supplicant.
> 
> 
> 
>  ldap: base_filter = "(objectclass=radiusprofile)"
>  ldap: default_profile = "(null)"
>  ldap: profile_attribute = "(null)"
>  ldap: password_header = "(null)"
>  ldap: password_attribute = "nspmPassword"
>  ldap: access_attr = "uid"
>  ldap: groupname_attribute = "cn"
>  ldap: groupmembership_filter = 
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>  ldap: groupmembership_attribute = "(null)"
>  ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
>  ldap: ldap_debug = 0
>  ldap: ldap_connections_number = 5
>  ldap: compare_check_items = no
>  ldap: access_attr_used_for_allow = yes
>  ldap: do_xlat = yes
>  ldap: edir_account_policy_check = yes
> rlm_ldap: Registering ldap_groupcmp for Ldap-Group
> rlm_ldap: Creating new attribute test-ldap-Ldap-Group
> rlm_ldap: Registering ldap_groupcmp for test-ldap-Ldap-Group
> rlm_ldap: Registering ldap_xlat with xlat_name test-ldap
> rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
> rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
> rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
> rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
> rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
> rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
> rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
> rlm_ldap: LDAP nspmPassword mapped to RADIUS User-Password
> rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
> rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
> rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
> rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
> rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
> rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
> rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
> rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
> rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
> rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
> rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
> rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
> rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
> rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
> rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
> rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
> rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
> rlm_ldap: LDAP radiusClass mapped to RADIUS Class
> rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
> rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
> rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
> rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
> rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
> rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
> rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS 
> Framed-AppleTalk-Link
> rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS 
> Framed-AppleTalk-Network
> rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS 
> Framed-AppleTalk-Zone
> rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
> rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
> conns: 0x8151848
> Module: Instantiated ldap (test-ldap)
> Module: Loaded preprocess
>  preprocess: huntgroups = "/etc/raddb/huntgroups"
>  preprocess: hints = "/etc/raddb/hints"
>  preprocess: with_ascend_hack = no
>  preprocess: ascend_channels_per_line = 23
>  preprocess: with_ntdomain_hack = no
>  preprocess: with_specialix_jetstream_hack = no
>  preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded files
>  files: usersfile = "/etc/raddb/users"
>  files: acctusersfile = "/etc/raddb/acct_users"
>  files: preproxy_usersfile = "/etc/raddb/preproxy_users"
>  files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
>  acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
> Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
>  detail: detailfile = 
> "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>  detail: detailperm = 384
>  detail: dirperm = 493
>  detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
>  radutmp: filename = "/var/log/radius/radutmp"
>  radutmp: username = "%{User-Name}"
>  radutmp: case_sensitive = yes
>  radutmp: check_with_nas = yes
>  radutmp: perm = 384
>  radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Module: Loaded eap
>  eap: default_eap_type = "peap"
>  eap: timer_expire = 60
>  eap: ignore_unknown_eap_types = no
>  eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
>  gtc: challenge = "Password: "
>  gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
>  tls: rsa_key_exchange = no
>  tls: dh_key_exchange = yes
>  tls: rsa_key_length = 512
>  tls: dh_key_length = 512
>  tls: verify_depth = 0
>  tls: CA_path = "(null)"
>  tls: pem_file_type = yes
>  tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
>  tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
>  tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
>  tls: private_key_password = "whatever"
>  tls: dh_file = "/etc/raddb/certs/dh"
>  tls: random_file = "/etc/raddb/certs/random"
>  tls: fragment_size = 1024
>  tls: include_length = yes
>  tls: check_crl = no
>  tls: check_cert_cn = "(null)"
> rlm_eap: Loaded and initialized type tls
>  peap: default_eap_type = "mschapv2"
>  peap: copy_request_to_tunnel = no
>  peap: use_tunneled_reply = no
>  peap: proxy_tunneled_request_as_eap = yes
> rlm_eap: Loaded and initialized type peap
>  mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Listening on proxy *:1814
> Ready to process requests.
> rad_recv: Access-Request packet from host 172.24.41.241:2460, id=31, 
> length=130
>         NAS-IP-Address = 172.24.41.241
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 1
>         Framed-MTU = 1400
>         User-Name = "testuser"
>         Calling-Station-Id = "000d88ac90c6"
>         Called-Station-Id = "001279e10c1b"
>         NAS-Identifier = "Enterprise AP"
>         EAP-Message = 0x0201000d017465737475736572
>         Message-Authenticator = 0x239e04043b7d03bd0698a0be9d0624d1
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     users: Matched entry DEFAULT at line 155
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat:  '(cn=testuser)'
> radius_xlat:  'ou=cs,ou=srvc,o=wheaton'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to nw_radius.wheaton.edu:389, authentication 0
> rlm_ldap: setting TLS CACert File to /etc/raddb/certs/wheatonCA/radtree.b64
> rlm_ldap: setting TLS Require Cert to demand
> rlm_ldap: starting TLS
> rlm_ldap: bind as cn=admin,ou=cs,ou=srvc,o=wheaton/password to 
> nw_radius.wheaton.edu:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=cs,ou=srvc,o=wheaton, with filter 
> (cn=testuser)
> rlm_ldap: checking if remote access for testuser is allowed by uid
> rlm_ldap: Added the eDirectory password in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user testuser authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "test-ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP

If no Auth-Type is configured, the authorize section of the ldap module
will set LDAP as the Auth-Type. 

> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.

For LDAP authentication to work, the User-Password must be there in the
request. But your client is trying to do PEAP authentication, and PEAP
does not send the password in the User-Password attribute.

>   modcall[authenticate]: module "test-ldap" returns invalid for request 0
> modcall: group Auth-Type returns invalid for request 0
> auth: Failed to validate the user.

The user authentication has failed.

> Login incorrect: [testuser/<no User-Password attribute>] (from client shopwap 
> port 1 cli 000d88ac90c6)
>   Processing the post-auth section of radiusd.conf

This is the post-auth section.
If your authentication succeeds, then in the post-auth section the user will
bind to eDirectory with the correct password to perform the account policy
check.
If authentication fails, then in the post-auth section the user will bind to
eDirectory with a wrong password to allow the intruder detection system of
eDirectory to be activated.

> modcall: entering group Post-Auth-Type for request 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to nw_radius.wheaton.edu:389, authentication 0
> rlm_ldap: setting TLS CACert File to /etc/raddb/certs/wheatonCA/radtree.b64
> rlm_ldap: setting TLS Require Cert to demand
> rlm_ldap: starting TLS
> rlm_ldap: bind as cn=testuser,ou=cs,ou=srvc,o=wheaton/aassword to 
> nw_radius.wheaton.edu:389

Since auth has failed, we bind with a wrong password (generated by
modifying the correct password).

> rlm_ldap: waiting for bind result ...
> rlm_ldap: LDAP login failed: check identity, password settings in ldap 
> section of radiusd.conf
> rlm_ldap: eDirectory account policy check failed.
> rlm_ldap: NDS error: failed authentication (-669)
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[post-auth]: module "test-ldap" returns reject for request 0
> modcall: group Post-Auth-Type returns reject for request 0
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> rad_recv: Access-Request packet from host 172.24.41.241:2460, id=31, 
> length=130
> Sending Access-Reject of id 31 to 172.24.41.241:2460
>         Reply-Message = "NDS error: failed authentication (-669)"
> --- Walking the entire request list ---
> Waking up in 3 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 31 with timestamp 428b9927
> Nothing to do.  Sleeping until we see a request.

Hope this helps. Please get back in case you have any further queries.

-Sayantan.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
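Added example, not code from this thread, from FreeRADIUS or from Novell: it parses the Access-Request attributes exactly as radiusd -X prints them in the debug output above, decodes the EAP-Message to show that the supplicant sent an EAP Identity Response rather than a password, walks the authorize module order to reproduce the Auth-Type decision the reply describes (in the quoted trace the authorize modules that run are preprocess, chap, mschap, files and test-ldap; with nothing having set Auth-Type, rlm_ldap sets LDAP, which then needs User-Password), and models the post-auth bind the reply explains. Assumed, not taken from the page: the function names, the small EAP type table (RFC 3748 / IANA values), the rule that the eap module sets Auth-Type EAP when it runs in authorize and finds EAP-Message with Auth-Type still unset, and the "replace the first character" model of the deliberately wrong post-auth password, which is only inferred from "password" becoming "aassword" in the log.

```python
"""
Added example (not from the thread, FreeRADIUS or Novell). Parses a rad_recv
dump from radiusd -X, decodes EAP-Message, and reproduces the Auth-Type and
post-auth bind decisions described in the reply. See ASSUMPTION comments.
"""
import struct

# EAP codes and a few method types (RFC 3748 / IANA registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 17: "LEAP", 25: "PEAP", 26: "MSCHAPv2"}

# Attribute lines copied from the rad_recv block in the debug output above.
RAD_RECV_LINES = """\
        NAS-IP-Address = 172.24.41.241
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Framed-MTU = 1400
        User-Name = "testuser"
        Calling-Station-Id = "000d88ac90c6"
        Called-Station-Id = "001279e10c1b"
        NAS-Identifier = "Enterprise AP"
        EAP-Message = 0x0201000d017465737475736572
        Message-Authenticator = 0x239e04043b7d03bd0698a0be9d0624d1
"""

# Authorize order as it appears in the quoted trace ("test-ldap" is an ldap instance).
AUTHORIZE_IN_LOG = ["preprocess", "chap", "mschap", "files", "ldap"]


def parse_radiusd_attrs(text):
    """Turn the 'Name = value' lines radiusd -X prints into a dict (quotes stripped)."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(" = ")
        if sep:
            attrs[name] = value.strip('"')
    return attrs


def decode_eap_message(hex_value):
    """Decode a RADIUS EAP-Message value into code, id, length, type and data."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                      # Request/Response carry a type byte
        eap["type"] = EAP_TYPES.get(data[4], data[4])
        eap["data"] = data[5:]              # for Identity this is the user name
    return eap


def choose_auth_type(attrs, authorize_modules):
    """
    Walk the authorize section. ASSUMPTION: eap sets Auth-Type EAP when it sees
    EAP-Message and nothing set Auth-Type yet; per the reply, ldap sets LDAP when
    it runs and Auth-Type is still unset. First setter wins.
    """
    auth_type = None
    for module in authorize_modules:
        if auth_type is None and module == "eap" and "EAP-Message" in attrs:
            auth_type = "EAP"
        elif auth_type is None and module == "ldap":
            auth_type = "LDAP"
    return auth_type


def ldap_authenticate_possible(attrs):
    """rlm_ldap authenticate binds as the user, so it needs a cleartext User-Password."""
    return "User-Password" in attrs


def postauth_bind_password(auth_succeeded, real_password):
    """
    Post-auth bind as the user: the real password on success (account policy
    check), a deliberately wrong one on failure so eDirectory intruder detection
    records the attempt. ASSUMPTION: first-character substitution, inferred only
    from "password" -> "aassword" in the log; not rlm_ldap's exact algorithm.
    """
    if auth_succeeded:
        return real_password
    first = "b" if real_password[:1] == "a" else "a"
    return first + real_password[1:]


def diagnose(text, authorize_modules):
    """Explain, from a rad_recv dump, why LDAP authentication cannot proceed."""
    attrs = parse_radiusd_attrs(text)
    eap = decode_eap_message(attrs["EAP-Message"]) if "EAP-Message" in attrs else None
    return {
        "user": attrs.get("User-Name"),
        "eap": eap,
        "auth_type": choose_auth_type(attrs, authorize_modules),
        "ldap_possible": ldap_authenticate_possible(attrs),
    }


if __name__ == "__main__":
    print(diagnose(RAD_RECV_LINES, AUTHORIZE_IN_LOG))
    print(diagnose(RAD_RECV_LINES, ["preprocess", "eap", "files", "ldap"]))
```

Running it with the module order from the log yields Auth-Type LDAP with no User-Password available, which is exactly the "Attribute "User-Password" is required for authentication" failure above; listing eap in authorize ahead of the ldap instance makes the same request come out as Auth-Type EAP, so the identity response is handed to the PEAP tunnel instead of an LDAP bind.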