Uncommented the "Auth-Type" in users, and the debug output:

radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
        wait = yes
        input_pairs = "request"
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 }
radiusd: #### Loading Virtual Servers ####
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
        encryption_scheme = "crypt"
        auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
        radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_ldap
 Module: Instantiating ldap
  ldap {
        server = "ldap.mydomain.hu"
        port = 636
        password = ""
        identity = ""
        net_timeout = 5
        timeout = 4
        timelimit = 3
        tls_mode = yes
        start_tls = no
        tls_cacertfile = "/etc/ssl/mydomain.hu/ca/cacert.pem"
        tls_require_cert = "never"
        basedn = "dc=mydomain,dc=hu"
        filter = "(uid=%{User-Name})"
        base_filter = "(objectclass=posixAccount)"
        password_header = "{clear}"
        password_attribute = "userPassword"
        auto_header = no
        access_attr = "uid"
        access_attr_used_for_allow = yes
        groupname_attribute = "cn"
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        dictionary_mapping = "/etc/freeradius/ldap.attrmap"
        ldap_debug = 0
        ldap_connections_number = 5
        compare_check_items = no
        do_xlat = yes
        edir_account_policy_check = yes
        set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x8816b00
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
        default_eap_type = "md5"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
        huntgroups = "/etc/freeradius/huntgroups"
        hints = "/etc/freeradius/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_detail
 Module: Instantiating auth_log
  detail auth_log {
        detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
        usersfile = "/etc/freeradius/users"
        acctusersfile = "/etc/freeradius/acct_users"
        compat = "no"
  }
 Module: Linked to module rlm_passwd
 Module: Instantiating ciscopwd
  passwd ciscopwd {
        filename = "/etc/freeradius/ciscopwd"
        format = "*User-Name:Crypt-Password"
        delimiter = ":"
        ignorenislike = yes
        ignoreempty = yes
        allowmultiplekeys = no
        hashsize = 100
  }
rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no
 Module: Instantiating ciscoextra
  passwd ciscoextra {
        filename = "/etc/freeradius/ciscoextra"
        format = "*User-Name:=Cisco-AVPair"
        delimiter = ";"
        ignorenislike = yes
        ignoreempty = yes
        allowmultiplekeys = no
        hashsize = 100
  }
rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no
 Module: Instantiating ciscogroup
  passwd ciscogroup {
        filename = "/etc/freeradius/ciscogroup"
        format = "*User-Name:~Group"
        delimiter = ":"
        ignorenislike = yes
        ignoreempty = yes
        allowmultiplekeys = no
        hashsize = 100
  }
rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_counter
 Module: Instantiating daily
  counter daily {
        filename = "/etc/freeradius/db.daily"
        key = "User-Name"
        reset = "daily"
        count-attribute = "Acct-Session-Time"
        counter-name = "Daily-Session-Time"
        check-name = "Max-Daily-Session"
        allowed-servicetype = "Framed-User"
        cache-size = 5000
  }
rlm_counter: Counter attribute Daily-Session-Time is number 11276
rlm_counter: Current Time: 1225186760 [2008-10-28 10:39:20], Next reset 1225234800 [2008-10-29 00:00:00]
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
        filename = "/var/log/freeradius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 }
}
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
main {
        snmp = no
        smux_password = ""
        snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host myswitchip port 1645, id=139, length=80
        NAS-IP-Address = myswitchip
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "myusernamer"
        Calling-Station-Id = "myclientip"
        User-Password = "myvalid_ldap_password"
+- entering group authorize
++[preprocess] returns ok
        expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/myswitchip/auth-detail-20081028
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/myswitchip/auth-detail-20081028
        expand: %t -> Tue Oct 28 10:39:26 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++- entering policy redundant
        users: Matched entry DEFAULT at line 11
+++[files] returns ok
++- policy redundant returns ok
rlm_passwd: Added Cisco-AVPair: 'shell:priv-lvl=1' to reply_items
++[ciscoextra] returns ok
++[ciscogroup] returns notfound
rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by "myusername" with password "myvalid_ldap_password"
        expand: (uid=%{User-Name}) -> (uid=myusername)
        expand: dc=mydomain,dc=hu -> dc=mydomain,dc=hu
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.mydomain.hu:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/ssl/mydomain.hu/ca/cacert.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as / to ldap.mydomain.hu:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=hu, with filter (uid=myusername)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: cn=myusername,ou=users,dc=mydomain,dc=hu
rlm_ldap: (re)connect to ldap.mydomain.hu:636, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/ssl/mydomain.hu/ca/cacert.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as cn=myusername,ou=users,dc=mydomain,dc=hu/myvalid_ldap_password to ldap.mydomain.hu:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user myusername authenticated succesfully
++[ldap] returns ok
Login OK: [myusername/myvalid_ldap_password] (from client myshortname port 1 cli myclientip)
Sending Access-Accept of id 139 to myswitchip port 1645
        Cisco-AVPair = "shell:priv-lvl=1"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
The myusername is the same in the ciscopwd file and in LDAP, but the passwords are different.

________________________________________
From: [EMAIL PROTECTED] [EMAIL PROTECTED], on behalf of: [EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: 28 October 2008 10:36
To: FreeRadius users mailing list
Subject: RE: Need help for configuration - LDAP with custom files Failover

>redundant {
>        # if I comment the following line out, the password is accepted, but I
>        get "% Authorization failed." from the switch (this is caused by the
>        incorrect "users" file maybe).

So, post the debug (radiusd -X).

>        files
>        ldap
>        ciscopwd
>        # if I uncomment the following line, freerad won't start
>        # ok = return
>}
>
>The users file:
>
>DEFAULT Auth-Type := Crypt-Local
>        Service-Type = Login-User
>

You said you have plain text passwords. This will ensure that authentication fails. Delete that Auth-Type.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
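An added example, not code from this thread or from the FreeRADIUS project: a small Python helper for reading a radiusd -X trace like the one above. It lists which module in which section returned what, reports the Auth-Type that rad_check_password settled on and the reply type, flags two settings visible in this dump (tls_require_cert = "never" means the LDAP server certificate is never validated, and an empty identity/password means the user search runs over an anonymous bind), and blanks the passwords that the trace echoes in four places before the output is pasted anywhere. The sample trace is a constructed, condensed excerpt shaped like the one in this message; the function names are my own.

```python
import re

# Constructed sample: a condensed excerpt in the shape of the radiusd -X output
# posted in this thread (the thread's placeholder host/user names, not real data).
SAMPLE_DEBUG = """\
Module: Instantiating ldap
 ldap {
  server = "ldap.mydomain.hu"
  port = 636
  password = ""
  identity = ""
  tls_mode = yes
  tls_require_cert = "never"
  set_auth_type = yes
 }
rad_recv: Access-Request packet from host myswitchip port 1645, id=139, length=80
  User-Name = "myusername"
  User-Password = "myvalid_ldap_password"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++- entering policy redundant
users: Matched entry DEFAULT at line 11
+++[files] returns ok
++- policy redundant returns ok
++[ciscoextra] returns ok
++[ciscogroup] returns notfound
rad_check_password:  Found Auth-Type LDAP
+- entering group LDAP
rlm_ldap: login attempt by "myusername" with password "myvalid_ldap_password"
rlm_ldap: bind as cn=myusername,ou=users,dc=mydomain,dc=hu/myvalid_ldap_password to ldap.mydomain.hu:636
++[ldap] returns ok
Login OK: [myusername/myvalid_ldap_password] (from client myshortname port 1 cli myclientip)
Sending Access-Accept of id 139 to myswitchip port 1645
"""

GROUP = re.compile(r"^\+- entering group (\S+)")
MODULE_RC = re.compile(r"^\+{2,}\[(\w+)\] returns (\w+)\s*$")
AUTH_TYPE = re.compile(r"^rad_check_password:\s+Found Auth-Type (\S+)", re.M)
RESULT = re.compile(r"^Sending (Access-\w+) of id \d+", re.M)
CONFIG = re.compile(r'^\s*(\w+) = ("?)(.*?)\2\s*$')

def module_returns(debug):
    """List (group, module, rc) for every '++[module] returns rc' line,
    tagged with the enclosing '+- entering group ...' section."""
    group, out = None, []
    for line in debug.splitlines():
        m = GROUP.match(line)
        if m:
            group = m.group(1)
            continue
        m = MODULE_RC.match(line)
        if m:
            out.append((group, m.group(1), m.group(2)))
    return out

def selected_auth_type(debug):
    """Auth-Type chosen by rad_check_password, or None if it was never reached."""
    m = AUTH_TYPE.search(debug)
    return m.group(1) if m else None

def final_result(debug):
    """Reply packet type (Access-Accept / Access-Reject), or None."""
    m = RESULT.search(debug)
    return m.group(1) if m else None

def config_findings(debug):
    """Flag settings in the instantiation dump that weaken the LDAP leg."""
    cfg = {}
    for line in debug.splitlines():
        m = CONFIG.match(line)
        if m:
            cfg[m.group(1)] = m.group(3)
    findings = []
    if cfg.get("tls_require_cert") == "never":
        findings.append("tls_require_cert=never: the LDAP server certificate is not validated")
    if cfg.get("identity") == "" and cfg.get("password") == "":
        findings.append("identity/password empty: the user search uses an anonymous bind")
    return findings

# The trace echoes the user's password on four kinds of line; blank them
# before the output is shared (e.g. posted to a mailing list).
SECRET_LINES = [
    (re.compile(r'^(\s*User-Password = )".*"$'), r'\1"<redacted>"'),
    (re.compile(r'^(rlm_ldap: login attempt by ".*?" with password )".*"$'), r'\1"<redacted>"'),
    (re.compile(r'^(rlm_ldap: bind as [^/\s]+)/\S+ (to \S+)$'), r'\1/<redacted> \2'),
    (re.compile(r'^(Login OK: \[[^/\]]+)/[^\]]*\]'), r'\1/<redacted>]'),
]

def redact(debug):
    """Return the trace with every echoed password replaced by <redacted>."""
    out = []
    for line in debug.splitlines():
        for pat, repl in SECRET_LINES:
            line = pat.sub(repl, line)
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    for item in module_returns(SAMPLE_DEBUG):
        print("%-10s %-12s %s" % item)
    print("Auth-Type:", selected_auth_type(SAMPLE_DEBUG), "->", final_result(SAMPLE_DEBUG))
    for f in config_findings(SAMPLE_DEBUG):
        print("finding:", f)
    print(redact(SAMPLE_DEBUG))
```

Run it against a saved radiusd -X capture by replacing SAMPLE_DEBUG with the file contents; the module table makes it easy to see that redundant stopped at files (which returned ok) and that the LDAP section, not Crypt-Local, performed the bind.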