Matt McFarlane wrote:
Totally new to radius. I've installed freeradius 1.02 --with-edir on Suse 9. Attempting to use 802.1X auth from wireless user behind HP 420 AP using WinXP to an eDir tree via LDAP. When I use radtest the bind is successful. However when using the 802.1X supplicant I get the output below. Two things I've noticed are that the password appears to not be received (via PEAP) and that the bind password is being sent as "aassword" instead of "password" no matter what I enter on the supplicant.You can't use PEAP unless you have plaintext passwords stored in the LDAP or NT/LM password hashes. To use LDAP bind to authenticate you will need to use TTLS with PAP as inner tunnel authentication. This is how you can configure your clients to use TTLS+PAP
http://vuksan.com/linux/dot1x/wpa-client-config.html
Here is my set up with OpenLDAP that supports both TTLS/PEAP.
http://vuksan.com/linux/dot1x/802-1x-LDAP.html
Vladimir
modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser radius_xlat: '(cn=testuser)' radius_xlat: 'ou=cs,ou=srvc,o=wheaton' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to nw_radius.wheaton.edu:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/wheatonCA/radtree.b64 rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: bind as cn=admin,ou=cs,ou=srvc,o=wheaton/password to nw_radius.wheaton.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=cs,ou=srvc,o=wheaton, with filter (cn=testuser) rlm_ldap: checking if remote access for testuser is allowed by uid rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user testuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "test-ldap" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "test-ldap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0 auth: Failed to validate the user. Login incorrect: [testuser/<no User-Password attribute>] (from client shopwap port 1 cli 000d88ac90c6) Processing the post-auth section of radiusd.conf modcall: entering group Post-Auth-Type for request 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to nw_radius.wheaton.edu:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/wheatonCA/radtree.b64 rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: bind as cn=testuser,ou=cs,ou=srvc,o=wheaton/aassword to nw_radius.wheaton.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf rlm_ldap: eDirectory account policy check failed. rlm_ldap: NDS error: failed authentication (-669) rlm_ldap: ldap_release_conn: Release Id: 0 modcall[post-auth]: module "test-ldap" returns reject for request 0 modcall: group Post-Auth-Type returns reject for request 0 Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 172.24.41.241:2460, id=31, length=130 Sending Access-Reject of id 31 to 172.24.41.241:2460 Reply-Message = "NDS error: failed authentication (-669)" --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 31 with timestamp 428b9927 Nothing to do. Sleeping until we see a request.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html