Hello folks, I want to do a setup with an HP ProCurve 520wl Access Point, OpenLDAP and FreeRadius with 802.1x and users in my LDAP backend. LDAP and Radius work fine: when I do a
radtest user pass radius.domain.tld 0 secret I get an Access-Accept packet back. Now I configured my AP to use the Radius server for 802.1x auth; when I want to log on to the WLAN I enter the user and password that just worked with radtest, but I receive an Access-Reject packet. This is really strange because the Radius debug mode tells me the LDAP connection was successful. I use clear passwords in the backend, so there should be no problem. Does anyone have an idea about my problem? Here is the Radius debug output with the Access-Reject packet:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat: '(uid=user)'
radius_xlat: 'ou=people,dc=domain,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=user)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 11 to xxx.xxx.164.26:6001
        EAP-Message = 0x0105040619407c917840ad1cf254e5ca549ca9b1053de4de1e704dc6eb9cec86a35eafabe5
2f60e8ee1a9697a755a713be14acd2db7f3402acb70864e3139ef470c900d024f2fd0f455b94
028c87d7a170ce86f302e35c4e658d09f17016227f0003cf308203cb30820334a00302010202
0900927540ab5d693004300d06092a864886f70d01010405003081a0310b3009060355040613
0244453110300e06035504081307426176617269613112301006035504071309577565727a62
75726731163014060355040a130d4765466f656b6f4d20652e562e31193017060355040b1310
4765466f656b6f4d20652e562e20434131193017060355040313
        EAP-Message = 0x104765466f656b6f4d20652e562e204341311d301b06092a864886f70d010901160e636140
6765666f656b6f6d2e6465301e170d3035303531363137313832335a170d3036303531363137
313832335a3081a0310b30090603550406130244453110300e06035504081307426176617269
613112301006035504071309577565727a6275726731163014060355040a130d4765466f656b
6f4d20652e562e31193017060355040b13104765466f656b6f4d20652e562e20434131193017
060355040313104765466f656b6f4d20652e562e204341311d301b06092a864886f70d010901
160e6361406765666f656b6f6d2e646530819f300d06092a8648
        EAP-Message = 0x86f70d010101050003818d0030818902818100c8124b32b761710b8c576a5b8f566a1dd8cc
97c423dfd8901cd58b9e90960328233879b3a09ebda855dbaa4376c00318ebc1767173051ae1
5995a1d41c9a6289707d5f7dd1e608ca5071e2aeb99092204f9386789c9ec8d5f754a26e9940
297ffbe547b5d0cf5ee16566abcc7578e25ac6a3b5e57befee43f2828174d27db19f02030100
01a382010930820105301d0603551d0e04160414ac6e4891d5a749d6548d7eda627ca2d64d12
d2693081d50603551d230481cd3081ca8014ac6e4891d5a749d6548d7eda627ca2d64d12d269
a181a6a481a33081a0310b30090603550406130244453110300e
        EAP-Message = 0x06035504081307426176617269613112301006035504071309577565727a62757267311630
14060355040a130d4765466f656b6f4d20652e562e31193017060355040b13104765466f656b
6f4d20652e562e20434131193017060355040313104765466f656b6f4d20652e562e20434131
1d301b06092a864886f70d010901160e6361406765666f656b6f6d2e6465820900927540ab5d
693004300c0603551d13040530030101ff300d06092a864886f70d0101040500038181004a36
34f23e46d180ec87122ee39ba0c6757d22a23ec39a38e3f282e82efb7428b83d04f665e28b00
e99a88217803c1abb4a0bc90fe6a51a37eec1c1868853a5436d5
        EAP-Message = 0x9035f217c35ab4d53d6f1e3d11cdeabc9f77
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc479631c6d6d413371d8af0ebf14ac4f
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host xxx.xxx.164.26:6001, id=12, length=155
        User-Name = "user"
        NAS-IP-Address = xxx.xxx.1.66
        Called-Station-Id = "00-08-88-12-2e-3f"
        Calling-Station-Id = "00-0d-37-ab-2f-c7"
        NAS-Identifier = "ORiNOCO-AP-2000-00-02-00"
        State = 0xc479631c6d6d413371d8af0ebf14ac4f
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020500061900
        Message-Authenticator = 0xb07e446b64197c49b0ebaca6e799dc53
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "user", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat: '(uid=user)'
radius_xlat: 'ou=people,dc=domain,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=user)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 12 to xxx.xxx.164.26:6001
        EAP-Message = 0x0106003b1900715e896f163c5ccb279cd28b82295a1bd493ac86f6ffe4733d43f380f4871b
567d14ecb8d5171f15de61995e16030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xccbffd45885465294711dc5bf8395320
Finished request 3
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host xxx.xxx.164.26:6001, id=13, length=341
        User-Name = "user"
        NAS-IP-Address = xxx.xxx.1.66
        Called-Station-Id = "00-08-88-12-2e-3f"
        Calling-Station-Id = "00-0d-37-ab-2f-c7"
        NAS-Identifier = "ORiNOCO-AP-2000-00-02-00"
        State = 0xccbffd45885465294711dc5bf8395320
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020600c01980000000b616030100861000008200801942772db96a99e5e538cb1d5d208967
b1353ea1158512bb1bd050ab7e2aca218fe43e45fbb41a076a2a0dad179b456de8d7afce55b7
c72e125ebe3bb4c42ff4804ded92a10e29c9f021a9dcfe7cac9c60fc41d1be343c7cb74b2889
5a5855e476b79b5db1fea73e1d0615baa9bfcca6004b37f7ebc2ef0f54e6d38ba0c57a631403
010001011603010020340f13326352d4d4b739b0a1d5350db6b211be3d1b16345f3429ce4875
18e879
        Message-Authenticator = 0x1379379ef003130e6e5d8bc4ea849160
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "user", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 6 length 192
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat: '(uid=user)'
radius_xlat: 'ou=people,dc=domain,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=user)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 13 to xxx.xxx.164.26:6001
        EAP-Message = 0x0107003119001403010001011603010020eb7dbacfe1675927e1f3fcf8e5f61914d375ca69
10fcded8e503adb2dbfccbff
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xbe4b1111c47a456a9bbe659aa28a4911
Finished request 4
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host xxx.xxx.164.26:6001, id=14, length=182
        User-Name = "user"
        NAS-IP-Address = xxx.xxx.1.66
        Called-Station-Id = "00-08-88-12-2e-3f"
        Calling-Station-Id = "00-0d-37-ab-2f-c7"
        NAS-Identifier = "ORiNOCO-AP-2000-00-02-00"
        State = 0xbe4b1111c47a456a9bbe659aa28a4911
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020700211980000000171503010012a389dbe218dce122f0104ff21769ccb64b2b
        Message-Authenticator = 0xca07ce402c4e46c7342a2abc05383cab
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "user", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 7 length 33
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat: '(uid=user)'
radius_xlat: 'ou=people,dc=domain,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter (uid=user)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host xxx.xxx.164.26:6001, id=14, length=182
Sending Access-Reject of id 14 to xxx.xxx.164.26:6001
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 9 with timestamp 43886940
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 10 with timestamp 43886941
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 11 with timestamp 43886942
Cleaning up request 3 ID 12 with timestamp 43886942
Cleaning up request 4 ID 13 with timestamp 43886942
Cleaning up request 5 ID 14 with timestamp 43886942
Nothing to do. Sleeping until we see a request.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
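Added triage aid, not part of the post above and not FreeRADIUS project code: a small classifier that reads a radiusd -X trace of one PEAP conversation and reports where it stopped. The trace in the post shows the pattern it is built to flag: the outer LDAP authorize returns ok, the TLS tunnel reaches "SSL Connection Established", and on the next round trip the supplicant sends a fatal access_denied alert with "No data inside of the tunnel". At that point no inner credentials have been sent, so the LDAP password store cannot be what fails; the usual cause is the supplicant refusing the server certificate (issuing CA not trusted on the client). The sample traces below are constructed to have the shape of the post's log, with placeholder addresses; the marker strings are taken from the lines visible in the post.

```python
import re

# A TLS alert line as rlm_eap_tls prints it, e.g.
# "rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied"
ALERT_RE = re.compile(r"TLS \d\.\d Alert \[length [0-9a-fA-F]+\], (\w+) (\w+)")

# Milestones of one PEAP conversation, taken from lines seen in a radiusd -X trace.
MARKERS = {
    "outer_authorize_ok": 'module "ldap" returns ok',
    "tls_established": "SSL Connection Established",
    "tunnel_decoded": "Decoding tunneled attributes",
    "tunnel_empty": "No data inside of the tunnel",
    "reject": "Sending Access-Reject",
    "accept": "Sending Access-Accept",
}


def diagnose_peap(log_text):
    """Classify a radiusd -X trace of one PEAP conversation by where it stops.

    Returns the milestones seen, the TLS alerts read from the supplicant,
    a verdict label and a short hint for the operator.
    """
    lines = log_text.splitlines()
    stages = {name: any(marker in line for line in lines)
              for name, marker in MARKERS.items()}
    alerts = [m.groups() for line in lines if (m := ALERT_RE.search(line))]
    fatal_from_client = [desc for level, desc in alerts if level == "fatal"]

    if stages["accept"]:
        verdict, hint = "accepted", "Inner authentication succeeded."
    elif not stages["reject"]:
        verdict, hint = "incomplete", "Trace contains no final Accept or Reject."
    elif not stages["tls_established"]:
        verdict = "tls_handshake_failed"
        hint = ("Outer TLS never completed (alerts: "
                f"{', '.join(fatal_from_client) or 'none'}): check the server "
                "certificate, key and CA chain, and whether the client trusts the CA.")
    elif fatal_from_client and stages["tunnel_empty"]:
        verdict = "client_aborted_after_handshake"
        hint = ("Tunnel came up, then the supplicant sent a fatal alert "
                f"({', '.join(fatal_from_client)}) with no inner EAP data. "
                "No credentials were checked, so the LDAP password is not the "
                "problem; the usual cause is the client refusing the server "
                "certificate (issuing CA not trusted on the client).")
    elif stages["tunnel_decoded"]:
        verdict = "inner_auth_failed"
        hint = ("Inner EAP method ran and was rejected: check the inner method "
                "(e.g. MSCHAPv2) and the password format stored in LDAP.")
    else:
        verdict, hint = "rejected_unclassified", "Rejected before the tunnel was decoded."

    return {"verdict": verdict, "hint": hint, "stages": stages, "alerts": alerts}


# Constructed sample traces shaped like a FreeRADIUS 1.x radiusd -X run.
# 192.0.2.10 is a documentation placeholder, not a real NAS.
TRACE_CLIENT_ABORT = """\
modcall[authorize]: module "ldap" returns ok for request 4
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
SSL Connection Established
Sending Access-Challenge of id 13 to 192.0.2.10:6001
modcall[authorize]: module "ldap" returns ok for request 5
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.
rlm_eap: Handler failed in EAP/peap
Sending Access-Reject of id 14 to 192.0.2.10:6001
"""

TRACE_INNER_REJECT = """\
modcall[authorize]: module "ldap" returns ok for request 4
SSL Connection Established
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - user
Sending Access-Reject of id 9 to 192.0.2.10:6001
"""

TRACE_TLS_FAIL = """\
modcall[authorize]: module "ldap" returns ok for request 2
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
Sending Access-Reject of id 3 to 192.0.2.10:6001
"""

if __name__ == "__main__":
    for name, trace in (("client abort", TRACE_CLIENT_ABORT),
                        ("inner reject", TRACE_INNER_REJECT),
                        ("tls fail", TRACE_TLS_FAIL)):
        result = diagnose_peap(trace)
        print(f"{name}: {result['verdict']} - {result['hint']}")
```

Run against a trace captured from radiusd -X (for example `python3 peap_triage.py < trace.txt` after swapping the samples for `sys.stdin.read()`), the verdict separates three situations that look alike from the Access-Reject alone: the outer handshake failing, the client aborting right after the handshake, and the inner method rejecting the password. Only the last of these involves the LDAP backend at all.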