Hello,
I moved my old FreeRADIUS 1.x server to FreeRADIUS 2. I am on CentOS 5.5.

freeradius2-utils-2.1.7-7.el5
freeradius2-mysql-2.1.7-7.el5
freeradius2-2.1.7-7.el5
freeradius2-postgresql-2.1.7-7.el5
freeradius2-python-2.1.7-7.el5
freeradius2-unixODBC-2.1.7-7.el5
freeradius2-krb5-2.1.7-7.el5
freeradius2-perl-2.1.7-7.el5
freeradius2-ldap-2.1.7-7.el5


What I would like to do is to have the same service with LDAP authorization plus Kerberos V authentication,
and users using an EAP-TTLS client (SecureW2).
But it does not work for me; Kerberos authentication is not even entered by the RADIUS server because of misconfiguration,
and I am trying to guess where my error is.

Basic cleartext password in the users file with EAP authentication works.
I am not able to make Kerberos authentication work with EAP.

I set up the RADIUS server, I added the principal in the Kerberos server and I have the proper krb5.keytab file set up.

Here is my configuration; could you please check where I went wrong in my configuration?
Following is my configuration, and at the end is the radius log.
Thank you very much



# users
DEFAULT         Auth-Type := eap

DEFAULT        Auth-Type := Kerberos
       Fall-Through = 1


# modules/krb5

krb5 {
   keytab = /etc/krb5.keytab
   #service_principal = name_of_principle
}


# modules/ldap

ldap {
   server = "ldap-m.mydomain.com"
   basedn = "ou=people,o=myorg o=myorg,c=it"
   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

   ldap_connections_number = 5

   timeout = 4

   timelimit = 3

   net_timeout = 1

   tls {
       start_tls = no
   }

   dictionary_mapping = ${confdir}/ldap.attrmap

   edir_account_policy_check = no
}



# sites-available/default

authorize {
   preprocess

   auth_log

   chap

   mschap




   suffix

   eap {
       ok = return
   }

   unix

   files



   ldap



   expiration
   logintime

   pap

}



authenticate {
   Auth-Type PAP {
       pap
   }

   Auth-Type CHAP {
       chap
   }

   Auth-Type MS-CHAP {
       mschap
   }


   Auth-Type Kerberos {
       krb5
   }




   unix


   eap

   Auth-Type eap {
       eap {
           handled = 1
       }
   }
}


preacct {
   preprocess

   acct_unique

   suffix

   files
}

accounting {
   detail

   unix

   radutmp





   attr_filter.accounting_response

}


session {
   radutmp

}


post-auth {





   exec



   Post-Auth-Type REJECT {
       attr_filter.access_reject
   }
}

pre-proxy {



}

post-proxy {




   eap


}


# sites-available/inner-tunnel

server inner-tunnel {



authorize {
   chap

   mschap

   unix


   suffix

   update control {
          Proxy-To-Realm := LOCAL
   }

   eap {
       ok = return
   }

   files



   ldap



   expiration
   logintime

   pap
}



authenticate {
   Auth-Type PAP {
       pap
   }

   Auth-Type CHAP {
       chap
   }

   Auth-Type MS-CHAP {
       mschap
   }
   Auth-Type Kerberos {
       krb5
   }


   unix


   eap
}



session {
   radutmp

}


post-auth {





   Post-Auth-Type REJECT {
       attr_filter.access_reject
   }


}

pre-proxy {



}

post-proxy {




   eap


}




radiusd -X


rad_recv: Access-Request packet from host 192.168.252.17 port 1645, id=55, length=157
   User-Name = "usern...@myrealm.com"
   Framed-MTU = 1400
   Called-Station-Id = "0012.438a.e8f0"
   Calling-Station-Id = "0022.5f08.a887"
   Service-Type = Login-User
   Message-Authenticator = 0xf4d6a67552977fb729b374eba35a1ff4
   EAP-Message = 0x0202001b016775697a7a756e746940636e61662e696e666e2e6974
   NAS-Port-Type = Wireless-802.11
   NAS-Port = 331
   NAS-IP-Address = 192.168.252.17
   NAS-Identifier = "ap"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.252.17/auth-detail-20100618
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.252.17/auth-detail-20100618
[auth_log]     expand: %t -> Fri Jun 18 11:11:43 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "myrealm.com" for User-Name = "usern...@myrealm.com"
[suffix] Found realm "myrealm.com"
[suffix] Adding Stripped-User-Name = "username"
[suffix] Adding Realm = "myrealm.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 27
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 6
++[files] returns ok
[ldap] performing user authorization for username
[ldap]     expand: %{Stripped-User-Name} -> username
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=username)
[ldap] expand: ou=people,o=myorg,o=myorg,c=it -> ou=people,o=myorg,o=myorg,c=it
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap-m.cr.myrealm.com:389, authentication 0
rlm_ldap: bind as / to ldap-m.cr.myrealm.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,o=myorg,o=myorg,c=it, with filter (uid=username)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 55 to 192.168.252.17 port 1645
   EAP-Message = 0x010300061520
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x5753d13e5750c4ac9fc5b5a8b7c8a781
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.252.17 port 1645, id=56, length=208
   User-Name = "usern...@myrealm.com"
   Framed-MTU = 1400
   Called-Station-Id = "0012.438a.e8f0"
   Calling-Station-Id = "0022.5f08.a887"
   Service-Type = Login-User
   Message-Authenticator = 0x98a6abafe23ad54ef0b53c22e50538aa
EAP-Message = 0x0203003c158000000032160301002d0100002903010975d1c7f4c77c95b90742f17d51e0e098c8018d2ca1e685239b82b7f1f94398000002000a0100
   NAS-Port-Type = Wireless-802.11
   NAS-Port = 331
   State = 0x5753d13e5750c4ac9fc5b5a8b7c8a781
   NAS-IP-Address = 192.168.252.17
   NAS-Identifier = "ap"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.252.17/auth-detail-20100618
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.252.17/auth-detail-20100618
[auth_log]     expand: %t -> Fri Jun 18 11:11:43 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "myrealm.com" for User-Name = "usern...@myrealm.com"
[suffix] Found realm "myrealm.com"
[suffix] Adding Stripped-User-Name = "username"
[suffix] Adding Realm = "myrealm.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 60
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
 TLS Length 50
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 002d], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 0771], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 56 to 192.168.252.17 port 1645
   EAP-Message = 0x2982137261646975732e636e61662e696e666e2e697481127379736f7040636e61662e696e666e2e6974300d06092a864886f70d0101050500038201010008d0f5e2826b7d1c556096cc4feed46b101a4ec00272fd0d942b554c396c7886e33487362615a313c9dcfdfdb8ab64203ecee766344bf3912a2518e10e2aac98b37ca8c4d4159427c592adda8afc63b25a841583daba3c9922b65784c6bf5810f5581a0e3f4ca7155f323ec784a222ddec9cb96f334699374670f16bee4e7dda4d65796feb99b7cef70801676714813a3dc8575d3803f6bacda7ea4724bf2f441216fcc0b285029a8efcf9aa95d820b88239fe2738e3a283f529b60a656e62
   EAP-Message = 0xc960ed2032f034653f28879f
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x5753d13e5657c4ac9fc5b5a8b7c8a781
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.252.17 port 1645, id=57, length=154
   User-Name = "usern...@myrealm.com"
   Framed-MTU = 1400
   Called-Station-Id = "0012.438a.e8f0"
   Calling-Station-Id = "0022.5f08.a887"
   Service-Type = Login-User
   Message-Authenticator = 0x908d086ab2287026379e7037b0d5c711
   EAP-Message = 0x020400061500
   NAS-Port-Type = Wireless-802.11
   NAS-Port = 331
   State = 0x5753d13e5657c4ac9fc5b5a8b7c8a781
   NAS-IP-Address = 192.168.252.17
   NAS-Identifier = "ap"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.252.17/auth-detail-20100618
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.252.17/auth-detail-20100618
[auth_log]     expand: %t -> Fri Jun 18 11:11:43 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "myrealm.com" for User-Name = "usern...@myrealm.com"
[suffix] Found realm "myrealm.com"
[suffix] Adding Stripped-User-Name = "username"
[suffix] Adding Realm = "myrealm.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 57 to 192.168.252.17 port 1645
   EAP-Message = 0x14f183cb621feb3803e13e04b12e7413e2f905334e1bbf14cc5e07f4318195bae40fc544ba0f51a711aeb12c1e1869673ba093fd4d536f75d8e598c8accb9b874f54c268caf671087b7bc244f2270246e66a6b5e7b3a4a3aa0b92a78f4669a94f829d692ec989e3b255f57bd3b995bba92d3a7934ea99442167d628938e9a0d79f82a2c4dec1de7606f63f5bd2f253be1088519d681f37da801d2aa443e64e6f121f3c915d725baef1dfcab57b0590a9a616e1077744ab629061f5908b0e0ab6c7d616030100040e000000
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x5753d13e5556c4ac9fc5b5a8b7c8a781
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.252.17 port 1645, id=58, length=348
   User-Name = "usern...@myrealm.com"
   Framed-MTU = 1400
   Called-Station-Id = "0012.438a.e8f0"
   Calling-Station-Id = "0022.5f08.a887"
   Service-Type = Login-User
   Message-Authenticator = 0xb9b0cb0f79cce7dbac3e6580be35fee8
EAP-Message = 0x020500c81580000000be16030100861000008200805bff51c22c6177f2bb156dc96f1443d0af3f20350edd0b28d8b9e4844b86129d463fde980cabf5fce46c7024645276c3586d28b6ac4581ee187e28a940c0e0475c644cd561d0f22ac52a838e25273d454f11f9614a463646c931f9bac9f87b9af09ca01a7fa78ceea056ba56007a7a41e5853e3283b33bc2aa691cede3ac53bf1403010001011603010028a98916d48662eef747eaca2bb451650dcc22fae50e9dc86965dbb3e82a01f0770c31958f10da6dfd
   NAS-Port-Type = Wireless-802.11
   NAS-Port = 331
   State = 0x5753d13e5556c4ac9fc5b5a8b7c8a781
   NAS-IP-Address = 192.168.252.17
   NAS-Identifier = "ap"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.252.17/auth-detail-20100618
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.252.17/auth-detail-20100618
[auth_log]     expand: %t -> Fri Jun 18 11:11:43 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "myrealm.com" for User-Name = "usern...@myrealm.com"
[suffix] Found realm "myrealm.com"
[suffix] Adding Stripped-User-Name = "username"
[suffix] Adding Realm = "myrealm.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 5 length 200
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
 TLS Length 190
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 58 to 192.168.252.17 port 1645
EAP-Message = 0x0106003d158000000033140301000101160301002843ccdc295b6dbd1d720d5e9087e94f173b3f2cd83798f8012aaca2f7b61d21b38e51a91262b8a64f
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x5753d13e5455c4ac9fc5b5a8b7c8a781
Finished request 3.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.252.17 port 1645, id=59, length=243
   User-Name = "usern...@myrealm.com"
   Framed-MTU = 1400
   Called-Station-Id = "0012.438a.e8f0"
   Calling-Station-Id = "0022.5f08.a887"
   Service-Type = Login-User
   Message-Authenticator = 0x23d67a33d7bfb5afdb680d317b5e5280
EAP-Message = 0x0206005f1580000000551703010050c032907ee2ba0e63bbcc36909c482b61c8d18de52649368384225179d61b86e908bb354bf43d401d75df8bf4e1c07ffc68e07640501742f4a3bf7abe6b99ae0060fc058eade22ce7a088faee0a6a7243
   NAS-Port-Type = Wireless-802.11
   NAS-Port = 331
   State = 0x5753d13e5455c4ac9fc5b5a8b7c8a781
   NAS-IP-Address = 192.168.252.17
   NAS-Identifier = "ap"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.252.17/auth-detail-20100618
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.252.17/auth-detail-20100618
[auth_log]     expand: %t -> Fri Jun 18 11:11:43 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "myrealm.com" for User-Name = "usern...@myrealm.com"
[suffix] Found realm "myrealm.com"
[suffix] Adding Stripped-User-Name = "username"
[suffix] Adding Realm = "myrealm.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 6 length 95
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
 TLS Length 85
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
   User-Name = "usern...@myrealm.com"
   User-Password = "mypassword"
   FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
   User-Name = "usern...@myrealm.com"
   User-Password = "mypassword"
   FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] Looking up realm "myrealm.com" for User-Name = "usern...@myrealm.com"
[suffix] Found realm "myrealm.com"
[suffix] Adding Stripped-User-Name = "username"
[suffix] Adding Realm = "myrealm.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 6
++[files] returns ok
[ldap] performing user authorization for username
[ldap]     expand: %{Stripped-User-Name} -> username
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=username)
[ldap] expand: ou=people,o=myorg,o=myorg,c=it -> ou=people,o=myorg,o=myorg,c=it
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=myorg,o=myorg,c=it, with filter (uid=username)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
rlm_eap: EAP-Message not found
[eap] Malformed EAP Message
++[eap] returns fail
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> usern...@myrealm.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 59 to 192.168.252.17 port 1645
   EAP-Message = 0x04060004
   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
Cleaning up request 0 ID 55 with timestamp +7
Cleaning up request 1 ID 56 with timestamp +7
Cleaning up request 2 ID 57 with timestamp +7
Waking up in 0.2 seconds.
Cleaning up request 3 ID 58 with timestamp +7
Waking up in 1.0 seconds.
Cleaning up request 4 ID 59 with timestamp +7
Ready to process requests.
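
Added example, not part of the original post: a small parser for `radiusd -X` output that pairs each `Found Auth-Type` decision with the virtual server it was made in, the users-file entry that matched, and whether `eap` had already reported "No EAP-Message" in authorize, which is the combination the inner-tunnel part of the log above shows. The sample excerpt is constructed, and the function names `auth_passes` and `mismatched` are hypothetical.

```python
import re
# Constructed excerpt in the shape of the radiusd -X output above (not the poster's log).
SAMPLE = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=59, length=243
+- entering group authorize {...}
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
server inner-tunnel {
+- entering group authorize {...}
[eap] No EAP-Message, not doing EAP
[files] users: Matched entry DEFAULT at line 6
Found Auth-Type = EAP
+- entering group authenticate {...}
++[eap] returns fail
} # server inner-tunnel
++[eap] returns invalid
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
"""

SERVER_OPEN = re.compile(r"^server (\S+) \{")
SERVER_CLOSE = re.compile(r"^\} # server ")
GROUP = re.compile(r"^\+- entering group (\S+)")
USERS = re.compile(r"^\[files\] users: Matched entry (\S+) at line (\d+)")
AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)")
MODULE_RC = re.compile(r"^\++\[([^\]]+)\] returns (\w+)")

def _ctx(server):
    return {"server": server, "group": None, "users": None, "declined": False, "cur": None}

def auth_passes(log_text):
    """One record per 'Found Auth-Type' decision, with the authenticate results that followed."""
    passes, stack = [], [_ctx("default")]
    for line in map(str.strip, log_text.splitlines()):
        ctx = stack[-1]
        if line.startswith("rad_recv:"):           # new outer request: reset state
            stack = [_ctx("default")]
        elif m := SERVER_OPEN.match(line):         # tunnelled request enters a virtual server
            stack.append(_ctx(m.group(1)))
        elif SERVER_CLOSE.match(line) and len(stack) > 1:
            stack.pop()                            # back to the outer request
        elif m := GROUP.match(line):
            ctx["group"] = m.group(1)
        elif m := USERS.match(line):
            ctx["users"] = f"{m.group(1)} (line {m.group(2)})"
        elif "No EAP-Message, not doing EAP" in line:
            ctx["declined"] = True                 # eap saw no EAP-Message in authorize
        elif m := AUTH_TYPE.match(line):
            ctx["cur"] = {"server": ctx["server"], "auth_type": m.group(1), "results": [],
                          "users_entry": ctx["users"], "eap_declined": ctx["declined"]}
            passes.append(ctx["cur"])
        elif (m := MODULE_RC.match(line)) and ctx["group"] == "authenticate" and ctx["cur"]:
            ctx["cur"]["results"].append((m.group(1), m.group(2)))
    return passes

def mismatched(passes):
    # Auth-Type EAP was chosen although eap had declined the request in authorize.
    return [p for p in passes if p["auth_type"].upper() == "EAP" and p["eap_declined"]]
```

Run over a saved debug log, `mismatched(auth_passes(text))` lists the decisions worth reading first, together with the users-file line that was matched before each one.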



