Dear Alan, Ivan and all,

I am having a problem with the rlm_ldap module in FreeRadius. I am doing MD5-based authentication with a Windows XP supplicant, an Alcatel switch acting as authenticator, a FreeRadius 2.0.5 build as front end and OpenLDAP 2.3.32 as back end.

When a request is received, the *FreeRadius rlm_ldap module is not able to authorize the User-Name in the authorize section.* But when I tried with radtest, it was able to authorize and bind the identity with the server, and authorized the password. I am unable to find the problem. Please comment in this regard.

SYED

Debug output with the RADIUS Access-Request received from the authenticator:

rad_recv: Access-Request packet from host 192.168.1.2 port 1026, id=23, length=118
    User-Name = "hasan"
    NAS-IP-Address = 192.168.1.2
    State = 0xd2721542d2731113194d83152fbd73d0
    NAS-Port = 1003
    Calling-Station-Id = "000fb0ba868d"
    EAP-Message = 0x0201001b0410aa93c55c3f5fb6f41369d77838fad2a2686173616e
    Message-Authenticator = 0x6525206bdea6b09c81a5a3252e515782
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "hasan", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 27
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
*rlm_ldap: Attribute "User-Name" is required for authorization.*
*++[ldap] returns noop*
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/md5
rlm_eap: processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> hasan
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 23 to 192.168.1.2 port 1026
    EAP-Message = 0x04010004
    Message-Authenticator = 0x00000000000000000000000000000000
Finished request 1.
Going to the next request

Debug output with radtest:

radtest hasan password 192.168.1.131 10 testing123

*rlm_ldap: - authorize
rlm_ldap: performing user authorization for password
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=hasan)
expand: dc=thales,dc=com -> dc=thales,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=thales,dc=com/thales to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=thales,dc=com, with filter (uid=hasan)
rlm_ldap: checking if remote access for password is allowed by uid
rlm_ldap: Added User-Password = password in check items
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user password authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0*
++[ldap] returns ok
expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> hasan
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 27 to 192.168.1.131 port 1068