mschapv2 and peap not working, please help

2011-04-07 Thread syharash
Hi, 

I am a newbie on Linux and RADIUS stuff. I am trying to authenticate WinXP
and Win 7 machines on wireless using FreeRADIUS with LDAP authentication. Please
help.
 
 Module: Instantiating module digest from file /etc/raddb/modules/digest 
 Module: Linked to module rlm_unix 
 Module: Instantiating module unix from file /etc/raddb/modules/unix 
  unix { 
radwtmp = /var/log/radius/radwtmp 
  } 
 Module: Linked to module rlm_ldap 
 Module: Instantiating module ldap from file /etc/raddb/modules/ldap 
  ldap { 
server = 10.73.93.13 
port = 389 
password =  
identity =  
net_timeout = 1 
timeout = 4 
timelimit = 3 
tls_mode = no 
start_tls = no 
tls_require_cert = allow 
   tls { 
start_tls = no 
require_cert = allow 
   } 
basedn = dc=uforadius,dc=com 
filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}}) 
base_filter = (objectclass=radiusprofile) 
auto_header = no 
access_attr_used_for_allow = yes 
groupname_attribute = cn 
groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 dictionary_mapping = /etc/raddb/ldap.attrmap 
ldap_debug = 0 
ldap_connections_number = 5 
compare_check_items = no 
do_xlat = yes 
set_auth_type = yes 
  } 
rlm_ldap: Registering ldap_groupcmp for Ldap-Group 
rlm_ldap: Registering ldap_xlat with xlat_name ldap 
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap 
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ 
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ 
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type 
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use 
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id 
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id 
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password 
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password 
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password 
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password 
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password 
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header 
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT 
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration 
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address 
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type 
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol 
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address 
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask 
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route 
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing 
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id 
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU 
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression 
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host 
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service 
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port 
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number 
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id 
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network 
rlm_ldap: LDAP radiusClass mapped to RADIUS Class 
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout 
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout 
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action 
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service 
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node 
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group 
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link 
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network 
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone 
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit 
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port 
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message 
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type 
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type 
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id 
 conns: 0x9ac42e8 
 Module: Linked to module rlm_eap 
 Module: Instantiating module eap from file /etc/raddb/eap.conf 
  eap { 
default_eap_type = ttls 
timer_expire = 60 
ignore_unknown_eap_types = no 
cisco_accounting_username_bug = no 

how to generate certificate with xpextension for PEAP on FreeRAdius

2011-04-07 Thread syharash
Hi,

Can somebody tell me how to include the OIDs while generating the client
and root certificates? These instructions are in the xpextensions file; it
says

#  Add this to the PKCS#7 keybag attributes holding the client's private key
#  for machine authentication.

How does one do this? Please help.

#
#  File containing the OID's required for Windows.
#
#  http://support.microsoft.com/kb/814394/en-us
#
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

#
#  Add this to the PKCS#7 keybag attributes holding the client's private key
#  for machine authentication.
#
#  the presence of this OID tells Windows XP that the cert is intended
#  for use by the computer itself, and not by an end-user.
#
#  The other solution is to use Microsoft's web certificate server
#  to generate these certs.
#
# 1.3.6.1.4.1.311.17.2


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/how-to-generate-certificate-with-xpextension-for-PEAP-on-FreeRAdius-tp4287904p4287904.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: mschapv2 and peap not working, please help

2011-04-07 Thread Alan DeKok
syharash wrote:
 I am a newbie on Linux and RADIUS stuff. I am trying to authenticate WinXP
 and Win 7 machines on wireless using FreeRADIUS with LDAP authentication. Please
 help.

  Thanks for posting the debug output, but it would help if you read it.
 It's not complicated.

  Also post the debug output into the form at:

http://networkradius.com/freeradius.html

  That will make it clearer what's going wrong, and why.

  Alan DeKok.


Re: rlm_sql_unixodbc ?

2011-04-07 Thread Alan DeKok
Jim Rice wrote:
 Quick question:
 I am looking into adding an ACT! Plugin to populate the Radius MySQL
 database through unix ODBC.
 Found rlm_sql_unixodbc and wondered if this is already provided for this
 purpose, or something else?

  It's for that purpose.

 Looks like it needs to be run through make... (not installed by default).

  Yes.

  Alan DeKok.


Re: how to generate certificate with xpextension for PEAP on FreeRAdius

2011-04-07 Thread Alan DeKok
syharash wrote:
 Can somebody tell me how to include the OIDs while generating the client
 and root certificates.

$ cd raddb/certs
$ more README

  This is documented.

  Alan DeKok.


Re: Mac Authorization

2011-04-07 Thread Phil Mayers

On 04/06/2011 10:59 PM, Joren Love wrote:

Hey, thanks for your reply. I did try creating the file module with the
contents from the howto, and it seems to get loaded (Debug: including configuration file
/etc/freeradius/modules/file); however, I still get the same error:

Edit: Now I'm noticing there's a typo in the wiki. Under 
raddb/sites-available/default
it says authorize_macs instead of authorized_macs. Fixing this makes it work.



Oops. Well spotted, fixed.


Re: mschapv2 and peap not working, please help

2011-04-07 Thread syharash
Dear Alan,

I am doing this all for the very first time. Could you please help me out? I
do not understand what seems to be wrong. I have added the user mahendra
in Linux, LDAP and also in the raddb/users file. The file contents are here:

/etc/passwd
mahendra:x:516:516::/home/mahendra:/bin/bash

ldapsearch

# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: uid=mahendra
# requesting: ALL
#

# mahendra, People, uforadius.com
dn: uid=mahendra,ou=People,dc=uforadius,dc=com
uid: mahendra
cn: mahendra
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJDk0aGwzTmdKJEF1dVpsZWFlNWkyR2t6clQ5WEl5ZTA=
shadowLastChange: 15071
shadowMax: 9
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 516
gidNumber: 516
homeDirectory: /home/mahendra

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

/etc/raddb/users

DEFAULT
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802

001E65003C44
	User-Name = rasheed,
	User-Password == M@d33na,
	Tunnel-Private-Group-ID := 3

001F3CD13053
	User-Name = paresh,
	User-Password == paresh@123,
	Tunnel-Private-Group-ID := 18

001F3CD12B6C
	User-Name = subhash,
	User-Password == sub@1979,
	Tunnel-Private-Group-ID := 2

001F3CE117A9
	User-Name = mahendra,
	User-Password == ufo@123,
	Tunnel-Private-Group-ID := 4

AC670639D299
	User-Name = sachin,
	User-Password == sachin123,
	Tunnel-Private-Group-ID := 18




no authenticate step ...

2011-04-07 Thread Michael Arndt
hello *

I try to transfer a working configuration from a very old (1.x) FreeRADIUS
version to a more recent version:
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 
at 21:14:10

My problem: after authentication against ldap, and once auth-type = ldap is
set, no authorize step is done.

The next step happening is trying the next entry from the users file.

Expected: authenticate with a bind as the user and the password hash of the user
against ldap.

Here is the snippet from the debug log I assume relevant:


Thu Apr  7 12:45:28 2011 : Info: [auth_log] expand: %t - Thu Apr  7 
12:45:28 2011
Thu Apr  7 12:45:28 2011 : Info: ++[auth_log] returns ok
Thu Apr  7 12:45:28 2011 : Info: ++[mschap] returns noop
Thu Apr  7 12:45:28 2011 : Info: [suffix] No '@' in User-Name = pilot1, 
looking up realm NULL
Thu Apr  7 12:45:28 2011 : Info: [suffix] No such realm NULL
Thu Apr  7 12:45:28 2011 : Info: ++[suffix] returns noop
Thu Apr  7 12:45:28 2011 : Info: [ldap] performing user authorization for 
pilot1
Thu Apr  7 12:45:28 2011 : Info: [ldap] WARNING: Deprecated conditional 
expansion :-.  See man unlang for details
Thu Apr  7 12:45:28 2011 : Info: [ldap] ... expanding second conditional
Thu Apr  7 12:45:28 2011 : Info: [ldap] expand: %{User-Name} - 
pilot1
Thu Apr  7 12:45:28 2011 : Info: [ldap] expand: 
(uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=pilot1)
Thu Apr  7 12:45:28 2011 : Info: [ldap] expand: l=Berlin,dc=de,o=ABC- 
l=Berlin,dc=de,o=ABC
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] attempting LDAP reconnection
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] (re)connect to 10.128.1.1:389, 
authentication 0
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] bind as cn=Manager,o=ABC/xyz to 
10.128.1.1:389
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] waiting for bind result ...
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] Bind was successful
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] performing search in 
l=Berlin,dc=de,o=ABC, with filter (uid=pilot1)
Thu Apr  7 12:45:28 2011 : Info: [ldap] No default NMAS login sequence
Thu Apr  7 12:45:28 2011 : Info: [ldap] looking for check items in directory...
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] userPassword - Password-With-Header 
== {MD5}hashvalueD1xtOw==
(the sequence after the hashed pw astonishes me, the D1xtOw)
Thu Apr  7 12:45:28 2011 : Info: [ldap] looking for reply items in directory...
Thu Apr  7 12:45:28 2011 : Info: [ldap] Setting Auth-Type = LDAP
Thu Apr  7 12:45:28 2011 : Info: [ldap] user pilot1 authorized to use 
remote access
Thu Apr  7 12:45:28 2011 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Thu Apr  7 12:45:28 2011 : Info: ++[ldap] returns ok
Thu Apr  7 12:45:28 2011 : Info: [eap] No EAP-Message, not doing EAP
Thu Apr  7 12:45:28 2011 : Info: ++[eap] returns noop

... the next line / match in the users file is done next
... in the old config the next step was authenticate

So clearly I made a mistake and have overlooked a necessary config option.
Any hints where to look next?
The hint to transfer a deprecated expression from the users file to unlang
will be acted on once I succeed with auth.



TIA
Micha





Problem with EAP-TLS authentication in Freeradius 2.1.0

2011-04-07 Thread senthil kumar
Hi All,
  I am using FreeRADIUS 2.1.0.
  PEAP/TTLS is working fine, but I am facing a problem with TLS
authentication. I am able to generate certificates, but while connecting it
throws an authentication error.
  Please let me know how to debug it.

rad_recv: Access-Request packet from host 192.168.1.1 port 4906, id=6, length=147
User-Name = ma...@nokia.com
NAS-IP-Address = 192.168.1.1
Called-Station-Id = 0023692c6f74
Calling-Station-Id = 0025d05b72ab
NAS-Identifier = 0023692c6f74
NAS-Port = 2
Framed-MTU = 1400
State = 0xc0ff35f8c1fd389f4e860dc8a76c03f8
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200060d00
Message-Authenticator = 0xcf453c67c6fe4f7695dbba231da2ba1e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm nokia.com for User-Name = ma...@nokia.com
[suffix] Found realm DEFAULT
[suffix] Adding Stripped-User-Name = maemo
[suffix] Adding Realm = DEFAULT
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.1.1 port 4906

EAP-Message = 0x01024000720070306e310b30
Message-Authenticator = 0x
State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
Finished request 156.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4908, id=6, length=147
User-Name = ma...@nokia.com
NAS-IP-Address = 192.168.1.1
Called-Station-Id = 0023692c6f74
Calling-Station-Id = 0025d05b72ab
NAS-Identifier = 0023692c6f74
NAS-Port = 2
Framed-MTU = 1400
State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300060d00
Message-Authenticator = 0xdeea6893aacbe253ed951368cec20746
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm nokia.com for User-Name = ma...@nokia.com
[suffix] Found realm DEFAULT
[suffix] Adding Stripped-User-Name = maemo
[suffix] Adding Realm = DEFAULT
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming 

Re: mschapv2 and peap not working, please help

2011-04-07 Thread Phil Mayers



[ldap] looking for check items in directory...
   [ldap] userPassword -  Password-With-Header ==
{crypt}$1$94hl3NgJ$AuuZleae5i2GkzrT9XIye0


crypt passwords cannot be used to do MS-CHAP. It is impossible.

MS-CHAP requires either the cleartext password or NT/LM hashes.

See:

http://deployingradius.com/documents/protocols/compatibility.html


  [ldap] looking for reply items in directory...
[ldap] user mahendra authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/default
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: mahendra
[mschap] Told to do MS-CHAPv2 for mahendra with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.


...because you only have crypt passwords, it fails.

You MUST store plaintext or nt/lm hashes if you want to do PEAP/MSCHAP
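Phil's point, worked through as an added example (not code from the thread or from the FreeRADIUS project): the NT-Password that rlm_mschap needs is MD4 over the UTF-16LE password, so it can be derived from a Cleartext-Password but never from a {crypt} value, whose salted one-way output gives no way back to the cleartext. The block also computes the 8-byte challenge hash behind the "[mschap] Creating challenge hash with username" debug line (RFC 2759 section 8.2); MD4 is implemented inline because hashlib's MD4 is disabled in many OpenSSL 3 builds, and the header spellings in can_do_mschap are assumed for the example.

```python
"""NT-Password derivation and MS-CHAPv2 ChallengeHash (RFC 2759).

Added example, not code from the thread or from FreeRADIUS. It shows why a
{crypt} userPassword cannot drive MS-CHAP: rlm_mschap needs the NT hash,
MD4 over the UTF-16LE cleartext, and a crypt(3) string offers no way back
to that cleartext. MD4 is implemented here because hashlib's md4 is
disabled in many OpenSSL 3 builds.
"""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rol(x, s):
    x &= MASK32
    return ((x << s) | (x >> (32 - s))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320: little-endian words, three rounds."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)           # round 1 selector
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)  # round 2 majority
    h = lambda x, y, z: x ^ y ^ z                    # round 3 parity
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]   # word order 0,4,8,12,1,5,...
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):
            a = _rol(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rol(a + g(b, c, d) + x[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rol(a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash, RFC 2759 section 8.3: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash, RFC 2759 section 8.2: the first 8 bytes of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName). This is the
    '[mschap] Creating challenge hash with username' step in the debug output."""
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()
    return digest[:8]


def can_do_mschap(password_with_header: str) -> bool:
    """The compatibility rule from the reply above: MS-CHAP works from a
    cleartext password or an NT/LM hash, never from a one-way salted hash.
    Header spellings ({clear}, {nt}, {lm}, ...) follow the usual
    Password-With-Header convention and are assumed for this example."""
    if not password_with_header.startswith("{"):
        return True  # bare value: cleartext
    header = password_with_header.split("}", 1)[0].lower() + "}"
    return header in ("{clear}", "{cleartext}", "{nt}", "{lm}")


def users_entry(name: str, password: str) -> str:
    """A raddb/users check line carrying only the NT hash instead of the
    Cleartext-Password; FreeRADIUS reads octets attributes in 0x-hex form."""
    return f"{name}\tNT-Password := 0x{nt_password_hash(password).hex().upper()}"


if __name__ == "__main__":
    # The {crypt} value quoted from the thread's debug output: unusable for MS-CHAP.
    print(can_do_mschap("{crypt}$1$94hl3NgJ$AuuZleae5i2GkzrT9XIye0"))
    # Constructed password (the RFC 2759 section 9.2 test vector, not a real credential).
    print(users_entry("mahendra", "clientPass"))
```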


Re: mschapv2 and peap not working, please help

2011-04-07 Thread syharash
Great, Phil! I've changed my /etc/raddb/users file and it worked. Could you
please help me: can I make a particular user log in only from a single
machine, using the MAC address of that machine? My existing /etc/raddb/users
file looks like this

DEFAULT Auth-Type = System
Fall-Through = 1

#
# Defaults for LDAP
#
#DEFAULT Auth-Type := LDAP
#Fall-Through = 1

DEFAULT
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Service-Type = Framed-User,
Fall-Through = Yes

abdul   Cleartext-Password := test123, Tunnel-Private-Group-ID := 18





Re: no authenticate step ...

2011-04-07 Thread Alan DeKok
Michael Arndt wrote:
 i try to transfer a working configuration from an very old (1.x) freeradius
 version to a more recent radius version: 

  You should transfer it by starting with the default configuration for
2.1.10, and then make gradual changes, with tests, until you have what
you want.

  Right now, your message says "I have a new configuration which doesn't
behave the same as my old configuration."

  That kind of issue is impossible to figure out without additional
information.

  Alan DeKok.


Re: mschapv2 and peap not working, please help

2011-04-07 Thread Alan Buxey
Hi,

comparisons/requirements are on the first line, replies are on the following lines

i.e.

user	Cleartext-Password := testing, NAS-IP-Address = 192.168.0.1
	AttributeX = this,
	AttributeY = that


alan
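Alan's layout rule, as an added example that is not FreeRADIUS code: a small parser that reads a users file the way the rule describes (first line is the entry name plus the check items, indented continuation lines are the reply items) and shows how the earlier "abdul" line is interpreted. The sample entries are constructed, and the operator and quoting handling covers only the syntax shown on this page.

```python
"""How a raddb/users entry is read: check items vs reply items.

Added example, not FreeRADIUS code. It applies the layout rule from the
reply above: the first line holds the entry name and the check items
(comparisons/requirements), indented continuation lines hold reply items.
Sample entries are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# The 'abdul' line from earlier in the thread, next to an entry laid out the
# way Alan describes (== is the comparison operator used for check items).
SAMPLE_USERS = """\
# comments and blank lines are ignored
abdul   Cleartext-Password := test123, Tunnel-Private-Group-ID := 18

user    Cleartext-Password := testing, NAS-IP-Address == 192.168.0.1
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID := 18
"""

# attribute, operator, value (quoted or bare), optional trailing comma
_ITEM = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*(==|:=|!=|>=|<=|=~|!~|=|>|<)\s*("[^"]*"|\S+?)\s*(?:,|$)'
)


@dataclass
class Entry:
    name: str
    checks: list = field(default_factory=list)   # first-line items
    replies: list = field(default_factory=list)  # continuation-line items


def _parse_items(text):
    items, pos = [], 0
    while pos < len(text):
        m = _ITEM.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse item at {text[pos:]!r}")
        items.append((m.group(1), m.group(2), m.group(3).strip('"')))
        pos = m.end()
    return items


def parse_users(text):
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # indented: reply items for the current entry
            if current is None:
                raise ValueError("reply line before any entry")
            current.replies.extend(_parse_items(line))
        else:  # column 0: new entry, name followed by check items
            parts = line.split(None, 1)
            current = Entry(parts[0])
            if len(parts) > 1:
                current.checks.extend(_parse_items(parts[1]))
            entries.append(current)
    return entries


def misplaced_replies(entry, reply_attrs):
    """Check-line attributes that the caller knows are meant as replies
    (here: the Tunnel-* VLAN attributes the thread is assigning)."""
    return [attr for attr, _, _ in entry.checks if attr in reply_attrs]


if __name__ == "__main__":
    vlan_attrs = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID"}
    for e in parse_users(SAMPLE_USERS):
        print(e.name, "checks:", e.checks)
        print(" " * len(e.name), "replies:", e.replies)
        bad = misplaced_replies(e, vlan_attrs)
        if bad:
            print("  -> on the check line, so compared, never sent back:", bad)
```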


Re: MS-CHAP-V2 with no retry

2011-04-07 Thread James J J Hooper



--On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu 
wrote:




I don't know if this should be sent to the developers list instead.

=== Background ===
When there is a failure of the client to match the challenge of the
server:

According to RFC 2759 section 6, a failure packet includes a message like:
E=ee R=r C= V=vv M=msg
where E is the error code, R is 1/0 to allow/disallow retry, C is an ASCII version
of the challenge, V=3, and M is some text message.

After this mschap failure message is sent by the server, an acknowledgment
which seems to have a failure code should be returned from the client.

At that point the server can close the eap connection with a failure.

What the 2.1.10 code (and earlier) appears to do is after mschap is
detected immediately close the eap connection with a failure.

The effect for windows XP/7 machines connecting wirelessly using mschapv2
is that they are presented with a dialog box and can enter new
credentials.

What happens with mac/iphones/androids/ubuntu is that they appear to be
confused and time out and re-send (at various rates) authentication
attempts without presenting a dialog box to the user.

For some environments (such as using Novell NDS to authenticate) if
configured modules/ldap edir_account_policy_check=yes then these repeated
failures result in account lock outs.

Scenario: Institution requires periodic change of password - user uses a
web site to change password - user forgets to update their
mac/iphone/android - user turns on their mac/iphone/android - shortly
after user cannot access any resources (such as blackboard/portal etc)
because their account is locked out.

== proposed fix ==
Modify freeradius to follow rfc2759.

This requires patches to two source files:
o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms
   to rfc2759
o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the
   response created by rlm_mschap.c and send that back, also accept an
   authentication failure acknowledgment before sending eap failure
packet.

Below are the diffs:



==

== Comments ==
o Results:
   We have implemented this patch (along with the configuration change
   edir_account_policy_check=no) and observe:
   1) no more lockouts
   2) Mac/Iphones users are now presented with a dialog box where they
  can update their password.
o Code:
   a) I don't like the 100 character msg variable - there is probably a
      better way to do this.
   b) There is probably a function in the free radius library to do the
      sprintf which should be used.
   c) samba locked accounts should probably have a similar message
      generated if they are mschapv2.

I would be happy if someone could look over these patches and incorporate
the ideas into freeradius for future releases.



Hi John,
 I had trouble applying the patches to 2.1.x git -- maybe because they got 
mushed during the email process.


Adding the bits by hand seemed to work, and I can confirm the result is as 
you describe on an iPhone (that's all I had to hand to test).


Attached are the two 'git diff' that I ended up with.

-James


--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--

index c512018..3f3fc46 100644
--- a/src/modules/rlm_mschap/rlm_mschap.c
+++ b/src/modules/rlm_mschap/rlm_mschap.c
@@ -1239,9 +1239,21 @@ static int mschap_authenticate(void * instance, REQUEST 
*request)
  response-vp_octets + 26, nthashhash,
  do_ntlm_auth)  0) {
RDEBUG2(FAILED: MS-CHAP2-Response is incorrect);
+
+   /* JCH - changes to include challenge and message */
+char msg[100];
+strcpy(msg, E=691 R=0 C=);
+int i, offset = strlen(msg);
+char *ptr = msg[offset];
+for (i=0; i16; i++, ptr+=2) {
+   sprintf(ptr, %02X, response-vp_octets[i+2]);
+}
+*ptr = 0;
+strcat(msg,  V=3 M=May Need to reset cached 
password);
+
mschap_add_reply(request, request-reply-vps,
 *response-vp_octets,
-MS-CHAP-Error, E=691 R=1, 9);
+MS-CHAP-Error, msg, strlen(msg));
return RLM_MODULE_REJECT;
}
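Review bot: the fixed `char msg[100]` buffer is filled with strcpy/sprintf/strcat and never bounds-checked; the pieces (`E=691 R=0 C=`, 32 hex digits, ` V=3 M=May Need to reset cached password`) add up to 84 bytes and fit today, but a slightly longer M= text would silently overflow the stack. Build the message with `snprintf(msg, sizeof(msg), ...)` (or the server's own length-safe string helpers, which the poster's comment (b) already asks for) and drop the manual `*ptr = 0`, which sprintf has already written. Two smaller points: `char msg[100];` and `int i, offset` are declared after a statement inside the block, which strict C89 compilers reject, so move them to the top of the block; and a comment stating that `response->vp_octets[2..17]` are the 16-byte Peer-Challenge of the MS-CHAP2-Response would let a reader check the `C=` field against RFC 2759 section 6, where C carries a challenge for the retry; with `R=0` no retry follows, so echoing the peer challenge is harmless, but say so.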

index bdf4668..051fe71 100644
--- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
+++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
@@ -195,7 +195,9 @@ static int eapmschapv2_compose(EAP_HANDLER *handler, 
VALUE_PAIR *reply)
 
case 

Re: MS-CHAP-V2 with no retry

2011-04-07 Thread James J J Hooper



--On Thursday, April 07, 2011 13:33:33 +0100 James J J Hooper 
jjj.hoo...@bristol.ac.uk wrote:




Attached are the two 'git diff' that I ended up with.


gzipped so they don't get messed up.

-James


p1.txt.gz
Description: Binary data


p2.txt.gz
Description: Binary data

Re: PEAP/MSCHAPv2 problem

2011-04-07 Thread Jürgen Stader



Looking at the output, things become clearer. The conversation ends
when the server tries to send the first Access-Challenge packet to the
client. It seems like that packet never gets there - and so the client
retransmits the same Request over and over again. The server then
repeatedly tries to re-send its reply, but again, it never seems to get
there.

Make sure that the changed IP address doesn't lead to some firewall
(host FW? net FW? Cisco Controller's ACLs?) eating the responses.
I checked with Wireshark: requests were sent, but no response. This was
the point. An ACL blocked traffic back to the WLC.


Thanks a lot for your help :-)

Greetings,
Juergen


Re: MS-CHAP-V2 with no retry

2011-04-07 Thread Alan Buxey
hi,


this would be great to get into the 2.1.11 release if possible, if not 2.1.12 or
2.2.x, as it solves one of our current problems: devices configured for our roaming
SSID continually trying to authenticate to the system even if the user no
longer exists
- currently they just keep on and on and on... this will 'break' their settings
until they put in new details (which they can't if they are no longer a member able to
use the roaming SSID)

alan 


how to radtest from another client

2011-04-07 Thread 徐宇
I installed freeradius on the server; its IP is 192.168.1.1.
On the server I have already done the radtest, and the result is OK:
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=11, length=20


the end of my clients.conf and assign a shared secret.
  client 192.168.1.100 {
      secret = testing123
      shortname = 192.168.1.100
  }
Should I do other things to finish it? I need to do the radtest on
the client (192.168.1.100), right? But there isn't a radtest command on
the client. Do I need to install some software on the client?

thank you for your help, best regards.



Re: mschapv2 and peap not working, please help

2011-04-07 Thread syharash
Hi Alan,

Thanks, everything is set and works fine, just that my client PC is not getting
an IP address leased from that particular VLAN's DHCP scope. It just worked
once, but after that it's baffling that the clients are not getting an IP
address leased from the DHCP scope. My routing is fine; on the wired side I get
IP addresses from all the respective VLAN scopes. I have pasted the debug
output:

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = ufomoviez, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 8 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 219
[files] users: Matched entry ufomoviez at line 229
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/default
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: ufomoviez
[mschap] Told to do MS-CHAPv2 for ufomoviez with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server
[peap] Got tunneled reply code 11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 14
EAP-Message =
0x010900331a0308002e533d343130373445353137393930323232303835323534334634413033453935423736413131
Message-Authenticator = 0x
State = 0xf8774653f97e5cc97113aabe8c277640
[peap] Got tunneled reply RADIUS code 11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 14
EAP-Message =
0x010900331a0308002e533d343130373445353137393930323232303835323534334634413033453935423736413131
Message-Authenticator = 0x
State = 0xf8774653f97e5cc97113aabe8c277640
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 67 to 10.73.93.151 port 1027
EAP-Message =
0x0109004a1900170301003f666073d1310682a7a10b8428e26dd7635ca8d935dd7fddec1cd136768ca41bfdfc62b2d099c4f981e4d80d6d36eadf76aeb394d608351f6f58a4a2aed304bd
Message-Authenticator = 0x
State = 0xc25314c9ca5a0d8b20dd096be7aef9e4
Finished request 35.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.73.93.151 port 1027, id=68,
length=226
User-Name = ufomoviez
Calling-Station-Id = 00-1F-3C-E1-17-A9
NAS-IP-Address = 10.73.93.151
NAS-Port = 1
Called-Station-Id = AC-67-06-39-C7-A9
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = AC-67-06-39-C7-A9
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message =
0x0209001d19001703010012fb14fcf6b8188d4bec31a53ccd4a02d3fe40
State = 0xc25314c9ca5a0d8b20dd096be7aef9e4
Vendor-25053-Attr-3 = 0x55464f4d6f7669657a
Message-Authenticator = 0xf765d281ccdde6faa88707b082869895
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = ufomoviez, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 9 length 29
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020900061a03
server  {
  PEAP: Setting User-Name to ufomoviez
Sending tunneled request
EAP-Message = 0x020900061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = ufomoviez
State = 0xf8774653f97e5cc97113aabe8c277640
server  {
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 

PC XP SP2 with 802.1x/PEAP authenticate problem

2011-04-07 Thread irena grubnic


 Hi,

maybe somebody can help me in my attempt to authenticate a supplicant
PC (WinXP SP2 with 802.1x authentication enabled, using PEAP and
Authentication Method Secured password EAP-MSCHAP v2) using
Free RADIUS Version 2.1.10. The RADIUS client is an ONT (GPON,
802.1x enabled on its Ethernet port).

I have modified 3 RADIUS configuration files:

1. eap.conf

default_eap_type = peap

2. clients.conf

Added new client (PC is connected to ONT which further forwards
requests to BLM acting as client).

client 10.223.0.131 {
        ipaddr = 10.223.0.131
        secret = hello123
        require_message_authenticator = no
        nastype = other     # localhost isn't usually a NAS...
}

Secret password hello123 is also configured on related client
(ONT):

RADIUS proxy address | 100.1.1.1
RADIUS proxy secret  | ont343
RADIUS auth server 1 | 10.223.0.13
RADIUS auth secret 1 | hello123
RADIUS auth port 1   | 1812
RADIUS auth server 2 | 0.0.0.0
RADIUS auth secret 2 | -
RADIUS auth port 2   | 0
RADIUS auth server 3 | 0.0.0.0
RADIUS auth secret 3 | -
RADIUS auth port 3   | 0


3. users

Added new entry for PC using its MAC address for credentials:

00:02:a5:f8:70:29 Cleartext-Password := 00:02:a5:f8:70:29


When I try to authenticate the PC by entering its MAC address as user
name/password, a RADIUS Access-Reject message is generated by Free RADIUS
and the following output is obtained in the debug window:



rad_recv: Access-Request packet from host 10.223.0.131 port 65534, id=71, length=142
NAS-IP-Address = 100.1.1.1
NAS-Port-Id = 1.2
Framed-MTU = 1024
User-Name = 00-02-A5-F8-70-29
Calling-Station-Id = 00-02-A5-F8-70-29
Message-Authenticator = 0xe990ef46d4eaddc9760eff3924f3613e
EAP-Message = 0x025200160130303a30323a61353a66383a37303a3239
NAS-Identifier = PENKALA
Ericsson-Attr-101 = 0x4552494353534f4e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 00-02-A5-F8-70-29, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 82 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 00-02-A5-F8-70-29
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 71 to 10.223.0.131 port 65534
Waking up in 4.9 seconds.
Cleaning up request 0 ID 71 with timestamp +160
Ready to process requests.

Please can you help me with this issue? I assume I missed
something related to configuration.

BR,
Irena

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PC XP SP2 with 802.1x/PEAP authenticate problem

2011-04-07 Thread Alan Buxey
Hi,

 maybe somebody can help me in my attempt to authenticate
 supplicant
 PC (WinXP SP2 with enabled 802.1x authentication using PEAP and
 Authentication Method Secured password EAP-MSCHAP v2) using

*that* (PEAP) won't work with this:

 Added new entry for PC using its MAC address for credentials:
 00:02:a5:f8:70:29 Cleartext-Password := 00:02:a5:f8:70:29

configure the PC to use PEAP, with username/pass and put that username/pass 
into users file

alan


Re: rlm_sql_unixodbc ?

2011-04-07 Thread Jim Rice

Found this in the rlm_sql_unixodbc config.log:
...
/usr/bin/ld: cannot find -lodbc
...
configure:3080: WARNING: silently not building rlm_sql_unixodbc.
configure:3082: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.

Did I miss some dependencies earlier when installing FR 2.1.10?

Can I run make within this directory stand-alone,
or should I rebuild from the top?

I wouldn't want to lose where I am now and start over.  ;-)

- Original Message - 
From: Alan DeKok al...@deployingradius.com

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, April 07, 2011 12:43 AM
Subject: Re: rlm_sql_unixodbc ?



Jim Rice wrote:

Quick question:
I am looking into adding an ACT! Plugin to populate the Radius MySQL
database through unix ODBC.
Found rlm_sql_unixodbc and wondered if this is already provided for this
purpose, or something else?


 It's for that purpose.

Looks like it needs to be run through make... (not installed by default).


 Yes.

 Alan DeKok.


Re: MS-CHAP-V2 with no retry

2011-04-07 Thread James J J Hooper

On 07/04/2011 13:33, James J J Hooper wrote:



--On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu wrote:



I don't know if this should be sent to the developers list instead.

=== Background ===
When there is a failure of the client to match the challenge of the
server:

According to rfc2759 section 6, a failure packet includes a message like:
E=ee R=r C= V=vv M=msg
where E is the error code, R is 1/0 to allow/disallow retry, C is an ASCII
version of the challenge, V=3, and M= some text message.

After this mschap failure message is sent by the server, an acknowledgment
which seems to have a failure code should be returned from the client.

At that point the server can close the eap connection with a failure.

What the 2.1.10 code (and earlier) appears to do is after mschap is
detected immediately close the eap connection with a failure.

The effect for windows XP/7 machines connecting wirelessly using mschapv2
is that they are presented with a dialog box and can enter new
credentials.

What happens with mac/iphones/androids/ubuntu is that they appear to be
confused and time out and re-send (at various rates) authentication
attempts without presenting a dialog box to the user.

For some environments (such as using Novell NDS to authenticate) if
configured modules/ldap edir_account_policy_check=yes then these repeated
failures result in account lock outs.

Scenario: Institution requires periodic change of password - user uses a
web site to change password - user forgets to update their
mac/iphone/android - user turns on their mac/iphone/android - shortly
after user cannot access any resources (such as blackboard/portal etc)
because their account is locked out.

== proposed fix ==
Modify freeradius to follow rfc2759.

This requires patches to two source files:
o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms
to rfc2759
o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the
response created by rlm_mschap.c and send that back, also accept an
authentication failure acknowledgment before sending eap failure
packet.

Below are the diffs:



==

== Comments ==
o Results:
We have implemented this patch (along with the configuration change
edir_account_policy_check=no) and observe:
1) no more lockouts
2) Mac/Iphones users are now presented with a dialog box where they
can update their password.
o Code:
a) I don't like the 100 character msg variable - there is probably a
better way to do this.
b) There is probably a function in free radius library to do the
sprintf
which should be used.
c) samba locked accounts should probably have a similar message
generated if they are mschapv2.

I would be happy if someone could look over these patches and incorporate
the ideas into freeradius for future releases.



Hi John,
I had trouble applying the patches to 2.1.x git -- maybe because they got
mushed during the email process.

Adding the bits by hand seemed to work, and I can confirm the result is as
you describe on an iPhone (that's all I had to hand to test).

Attached are the two 'git diff' that I ended up with.


Hi John,
  It works on Mac OS and iOS, but I haven't been able to get it to work as
expected on XP or Win7:

* Win7 does as it did before

* XP: The [builtin] supplicant gets stuck at the 'trying to authenticate' message.


Could you forward your patches gzipped [so they don't get mangled] so I can verify I have patched the source correctly?


Regards,
  James
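As an added example (my own Python, not John's patch and not FreeRADIUS's rlm_eap_mschapv2), here is the RFC 2759 section 6 failure-message format and the EAP-MSCHAPv2 framing the thread is discussing: it decodes the 6-byte Success-Response `0x020900061a03` seen in the debug output near the top of the page, builds a Failure request carrying `E=... R=1 C=<fresh challenge> V=3 M=...`, and checks for the peer's Failure-Response that the patch waits for before sending EAP-Failure. The error-code table follows RFC 2759; the function names, the constructed packets and the sample challenge are mine.

```python
import re
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2                            # RFC 3748 codes
EAP_TYPE_MSCHAPV2 = 26                                      # 0x1a in the dumps above
OP_CHALLENGE, OP_RESPONSE, OP_SUCCESS, OP_FAILURE = 1, 2, 3, 4

# Failure codes defined in RFC 2759 section 6.
MSCHAP_ERRORS = {646: "RESTRICTED_LOGON_HOURS", 647: "ACCT_DISABLED",
                 648: "PASSWD_EXPIRED", 649: "NO_DIALIN_PERMISSION",
                 691: "AUTHENTICATION_FAILURE", 709: "CHANGING_PASSWORD"}

# Layout "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>"
FAILURE_RE = re.compile(r"^E=(\d{1,10}) R=([01]) C=([0-9A-Fa-f]{32}) V=(\d{1,10}) M=(.*)$")

def failure_message(error_code, retry_allowed, challenge, message="Authentication failed"):
    """RFC 2759 failure string; 'challenge' is the fresh 16-octet server challenge for a retry."""
    if error_code not in MSCHAP_ERRORS:
        raise ValueError("unknown MS-CHAP-V2 error code %d" % error_code)
    if len(challenge) != 16:
        raise ValueError("challenge must be 16 octets")
    return "E=%d R=%d C=%s V=3 M=%s" % (
        error_code, 1 if retry_allowed else 0, challenge.hex().upper(), message)

def parse_failure_message(text):
    m = FAILURE_RE.match(text)
    if not m:
        raise ValueError("not an RFC 2759 failure message: %r" % text)
    code = int(m.group(1))
    return {"error_code": code, "error_name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
            "retry_allowed": m.group(2) == "1", "challenge": bytes.fromhex(m.group(3)),
            "version": int(m.group(4)), "message": m.group(5)}

def build_failure_request(eap_id, mschapv2_id, failure_text):
    """EAP-Request: EAP code/id/length/type, MS-CHAPv2 opcode/id/MS-Length, failure string."""
    body = failure_text.encode("ascii")
    ms_length = 4 + len(body)
    return struct.pack("!BBHBBBH", EAP_REQUEST, eap_id, 5 + ms_length,
                       EAP_TYPE_MSCHAPV2, OP_FAILURE, mschapv2_id, ms_length) + body

def parse_eap_mschapv2(raw):
    """Decode an EAP-MSCHAPv2 packet; a peer's Success/Failure-Response is header + opcode only."""
    if len(raw) < 6 or struct.unpack("!H", raw[2:4])[0] != len(raw):
        raise ValueError("EAP length field does not match %d bytes received" % len(raw))
    code, eap_id, _, eap_type, opcode = struct.unpack("!BBHBB", raw[:6])
    if eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError("EAP type %d is not MS-CHAPv2" % eap_type)
    pkt = {"code": code, "id": eap_id, "opcode": opcode}
    if len(raw) == 6:
        return pkt                                  # e.g. 0x020900061a03 above
    mschapv2_id, ms_length = struct.unpack("!BH", raw[6:9])
    if ms_length != len(raw) - 5:
        raise ValueError("MS-Length %d inconsistent with packet" % ms_length)
    pkt["mschapv2_id"] = mschapv2_id
    if opcode == OP_FAILURE:
        pkt["failure"] = parse_failure_message(raw[9:].decode("ascii"))
    else:
        pkt["data"] = raw[9:]
    return pkt

def peer_acknowledged_failure(raw):
    """True once the peer answered the Failure request with a Failure-Response, so EAP-Failure may go out."""
    pkt = parse_eap_mschapv2(raw)
    return pkt["code"] == EAP_RESPONSE and pkt["opcode"] == OP_FAILURE and len(raw) == 6
```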


Re: Per Vendor NAS-Port documentation

2011-04-07 Thread Olivier Bilodeau


I was wondering if there has been a collective effort to document the
meaning of the NAS-Port by the various Network Vendors?




If there's nothing yet, maybe they can create a wiki page for it? I'd be
willing to edit the entries, either on the wiki if I can get an account,
or offline and batch up the responses into wiki markup.



As suggested, I created a Wiki page: http://wiki.freeradius.org/NAS-Port

I added what we have so far. I'll try to remember to maintain it.

Cheers!
--
Olivier Bilodeau
obilod...@inverse.ca  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: rlm_sql_unixodbc ?

2011-04-07 Thread Alan Buxey
Hi,
 Found this in the rlm_sql_unixodbc config.log:
 ...
 /usr/bin/ld: cannot find -lodbc
 ...
 configure:3080: WARNING: silently not building rlm_sql_unixodbc.
 configure:3082: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.
 
 Did I miss some dependencies earlier when installing FR 2.1.10?

yes.

 Can I run make within this directory stand-alone,
 or should I rebuild from the top?

just install the required dependencies, then recompile...then run 'make install'
the required rlm_sql_unixodbc will be built and installed and none of your config will
be touched (though you might want to just back up your current RADDB config directory
just in case!  ;-) )

alan


LDAP-group filter search is failing

2011-04-07 Thread joezamosc
2.1.10

Here's a snippet of freeradius -X...

+- entering group post-auth {...}
  [ldap] Entering ldap_groupcmp()
[files] expand: ou=Departments,dc=corp,dc=development,dc=com -> ou=Departments,dc=corp,dc=development,dc=com
[files] expand: (&(sAMAccountName=%{mschap:User-Name})) -> (&(sAMAccountName=RobertTest1))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Departments,dc=corp,dc=development,dc=com, with filter (&(sAMAccountName=RobertTest1))
  [ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dRobertTest1\2cOU\3dWANN\2cOU\3dDepartments\2cDC\3dcorp\2cDC\3ddevelopment\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRobertTest1\2cOU\3dWANN\2cOU\3dDepartments\2cDC\3dcorp\2cDC\3ddevelopment\2cDC\3dcom)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Departments,dc=corp,dc=development,dc=com, with filter (&(cn=WANN)(|(&(objectClass=GroupOfNames)(member=CN\3dRobertTest1\2cOU\3dWANN\2cOU\3dDepartments\2cDC\3dcorp\2cDC\3ddevelopment\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRobertTest1\2cOU\3dWANN\2cOU\3dDepartments\2cDC\3dcorp\2cDC\3ddevelopment\2cDC\3dcom
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in CN=RobertTest1,OU=WANN,OU=Departments,DC=corp,DC=development,DC=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
  [ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
Sending Access-Accept of id 100 to 192.168.100.2 port 1645
User-Name = DEVELOPMENT\\RobertTest1
MS-MPPE-Recv-Key = 0xa873077b6643bb983d8dbf04da7699d7832fe38f78c5458b0318eaa27db6
MS-MPPE-Send-Key = 0x866779d60ae2e9da0a928ebfb1f20e2f5e26dc05d050075dc8e65210e2946936
EAP-Message = 0x030a0004
Message-Authenticator = 0x
Finished request 8.





This is in my postauth_users file...
DEFAULT Huntgroup-Name == Switches, Ldap-Group == WANN
Service-Type = Framed-User,
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = dragons_cave


The 10th line from the bottom of the snippet returns with the following...

rlm_ldap::ldap_groupcmp: ldap_get_values() failed

I'm waiting for a subsequent [ldap] performing search in my DN and to
match with filter (cn=WANN)
But it's not happening.

Any insight?





Thx.
Joe



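Added example (my own Python, not rlm_ldap's code) reproducing how the group check in the debug output above is assembled: the `\xx` escaping of the user DN that turns `=` into `\3d` and `,` into `\2c`, and the combined `(&(cn=WANN)<groupmembership_filter>)` search that ldap_groupcmp runs under the group base DN. The set of characters left unescaped is an assumption approximating rlm_ldap 2.x, the group name is escaped too by my choice, and `cn` is the groupname_attribute from the config at the top of the page.

```python
# Assumption approximating rlm_ldap 2.x: these bytes pass through unescaped when a
# %{...} expansion lands inside an LDAP filter; every other byte becomes \xx.
SAFE_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.:")

# The stock groupmembership_filter from modules/ldap, with {dn} standing in for
# the %{control:Ldap-UserDn} expansion.
GROUP_MEMBERSHIP_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member={dn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember={dn})))")


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter, lowercase \\xx form as in
    the debug output ('=' -> \\3d, ',' -> \\2c); '*', '(' and ')' lose their meaning."""
    return "".join(chr(b) if chr(b) in SAFE_CHARS else "\\%02x" % b
                   for b in value.encode("utf-8"))


def group_search_filter(group_name, user_dn, groupname_attribute="cn"):
    """Filter for 'Ldap-Group == group_name': (&(<groupname_attribute>=<group>)<membership>)."""
    membership = GROUP_MEMBERSHIP_FILTER.format(dn=ldap_escape(user_dn))
    return "(&(%s=%s)%s)" % (groupname_attribute, ldap_escape(group_name), membership)


def parens_balanced(filter_text):
    """Sanity check before sending: an unbalanced filter is either cut off (as the
    last group search line in the debug output above is) or built from unescaped input."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0
```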


Re: rlm_sql_unixodbc ?

2011-04-07 Thread Jim Rice
I thought I had followed the FR installation instructions and was surprised 
that something might have been missing.

How can I know which dependencies are missing?  (Which packages to install?)

I had already installed mysql-connector-odbc before finding 
rlm_sql_unixodbc.
There were several new library files added, including 
/usr/lib/libodbc.so.1.0.0  But -lodbc not so much.




Re: rlm_sql_unixodbc ?

2011-04-07 Thread Fajar A. Nugraha
On Fri, Apr 8, 2011 at 4:30 AM, Jim Rice jmrice6...@yahoo.com wrote:
 I thought I had followed the FR installation instructions and was surprised
 that something might have been missing.
 How can I know which dependencies are missing?  (Which packages to install?)

 I had already installed mysql-connector-odbc before finding
 rlm_sql_unixodbc.
 There were several new library files added, including
 /usr/lib/libodbc.so.1.0.0  But -lodbc not so much.

Usually you'd need a *.so for linking, so I'm guessing you need a
package which contains /usr/lib/libodbc.so (although in reality it
could be just a symlink to libodbc.so.1.0.0). It's probably called
mysql-connector-odbc-devel or mysql-connector-odbc-dev

-- 
Fajar



Re: rlm_sql_unixodbc ?

2011-04-07 Thread Alan DeKok
Jim Rice wrote:
 I thought I had followed the FR installation instructions and was
 surprised that something might have been missing.

  I think you're misunderstanding *optional* modules.  The server comes
with plugins for LDAP, SQL (MySQL, PostgreSQL, DB2, Oracle, ...), and
many, many, more.  However, the build process checks for preconditions.
 If you don't have MySQL installed, it won't build the MySQL plugin.

  This shouldn't be a surprise.

 How can I know which dependencies are missing?  (Which packages to
 install?)

  The Unixodbc headers and libraries.  *Read* the configure output
from the rlm_sql_unixodbc module.  It says what it's looking for.

 I had already installed mysql-connector-odbc before finding
 rlm_sql_unixodbc.
 There were several new library files added, including
 /usr/lib/libodbc.so.1.0.0  But -lodbc not so much.

  -lodbc tells the linker to find a file libodbc*.

  Please do some reading on how Unix build systems work.

  Alan DeKok.


Re: rlm_sql_unixodbc ?

2011-04-07 Thread Jim Rice

After installing mysql-connector-odbc,
running ./configure within rlm_sql_unixodbc it was then able to find:
checking for SQLConnect in -lodbc... yes

But not:
checking for sql.h... no
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: sql.h.

I ran a find for sql.h and it is not in /usr.

And neither pkg exists for mysql-connector-odbc-devel nor 
mysql-connector-odbc-dev.


There is this:
/usr/local/src/freeradius-server-2.1.10/src/modules/rlm_sql/rlm_sql.h

Still not sure how to resolve this. 




Re: rlm_sql_unixodbc ?

2011-04-07 Thread Fajar A. Nugraha
On Fri, Apr 8, 2011 at 8:13 AM, Jim Rice jmrice6...@yahoo.com wrote:
 After installing mysql-connector-odbc,
 running ./configure within rlm_sql_unixodbc it was then able to find:
 checking for SQLConnect in -lodbc... yes

 But not:
 checking for sql.h... no
 configure: WARNING: silently not building rlm_sql_unixodbc.
 configure: WARNING: FAILURE: rlm_sql_unixodbc requires: sql.h.

 I ran a find for sql.h and it is not in /usr.

 And neither pkg exists for mysql-connector-odbc-devel nor
 mysql-connector-odbc-dev.

 There is this:
 /usr/local/src/freeradius-server-2.1.10/src/modules/rlm_sql/rlm_sql.h

 Still not sure how to resolve this.

Ask your distro list/forum/support, the package name can be
distro-specific. Or build unixodbc from source.

For example, on Ubuntu, it should be unixodbc-dev
http://packages.ubuntu.com/search?searchon=contents&keywords=sql.h&mode=exactfilename&suite=maverick&arch=any

-- 
Fajar