Hey, thanks for the help...
Still having difficulty, although I think you are right on target.
LDAP appears to respond correctly, then RADIUS states that the User-Password attribute is missing. Isn't this what I set with the ldap.attrmap and dictionary_mapping in the radiusd.conf?
Here are snippets from the configs and the radiusd -X output for the failed EAP request...
Please let me know if more is needed.
Thanks,
Matt
ldap.attrmap:
checkItem User-Password userPassword
radiusd.conf:
modules {
    eap {
        default_eap_type = md5
        timer_expire = 60
        md5 {
        }
    }
    mschap {
        authtype = MS-CHAP
    }
    ldap {
        server = localhost
        identity = cn=Manager,dc=yoyo,dc=com
        password = secret
        basedn = dc=yoyo,dc=com
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
}
authorize {
    preprocess
    eap
    files
    mschap
    ldap
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        ldap
    }
    eap
}
*Users File:
testuser    Auth-Type := EAP, User-Password == testpass
raduser     Auth-Type := Local, User-Password == testpass
DEFAULT     Auth-Type := LDAP
            Fall-Through = 1
*radiusd -X output for the failed EAP request for an LDAP user
rad_recv: Access-Request packet from host 143.116.5.238:2048, id=98, length=117
    NAS-IP-Address = 192.168.1.238
    NAS-Port-Type = Ethernet
    Service-Type = Framed-User
    Message-Authenticator = 0xf884d8f729a9e770bd73e8e33f6e22e7
    NAS-Port = 20
    Framed-MTU = 1490
    User-Name = matt_moore
    Calling-Station-Id = 00-B0-D0-74-C3-5A
    EAP-Message = 0x0201000f016d6174745f6d6f6f7265
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_eap: EAP packet type notification id 1 length 15
rlm_eap: EAP Start not found
modcall[authorize]: module eap returns updated
users: Matched DEFAULT at 154
modcall[authorize]: module files returns ok
modcall[authorize]: module mschap returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for matt_moore
radius_xlat: '(uid=matt_moore)'
radius_xlat: 'dc=yoyo,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=yoyo,dc=com, with filter (uid=matt_moore)
rlm_ldap: Added password test123 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value test123 op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user matt_moore authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type LDAP
auth: type LDAP
modcall: entering group Auth-Type
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
modcall[authenticate]: module ldap returns invalid
modcall: group Auth-Type returns invalid
auth: Failed to validate the user.
Login incorrect: [matt_moore/no User-Password attribute] (from client plant1 port 20 cli 00-B0-D0-74-C3-5A)
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host
192.168.1.238:2048, id=98, length=117
Sending Access-Reject of id 98 to 192.168.1.238:2048
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 98 with timestamp 41f56ee2
Nothing to do. Sleeping until we see a request.
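A small triage helper, added here as an example and not part of the thread, that reads a constructed excerpt modelled on the radiusd -X output above and reports what that output records: an EAP request (EAP-Message present, no User-Password) that the users file's DEFAULT entry sent to Auth-Type LDAP, which rlm_ldap cannot complete because its bind-based authenticate needs the cleartext password.

```python
import re

# Constructed excerpt modelled on the radiusd -X output quoted above (not a live capture).
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.238:2048, id=98, length=117
        NAS-IP-Address = 192.168.1.238
        User-Name = matt_moore
        EAP-Message = 0x0201000f016d6174745f6d6f6f7265
modcall: entering group authorize
modcall[authorize]: module eap returns updated
users: Matched DEFAULT at 154
modcall[authorize]: module files returns ok
rlm_ldap: Adding userPassword as User-Password, value test123 op=21
modcall[authorize]: module ldap returns ok
rad_check_password: Found Auth-Type LDAP
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
modcall[authenticate]: module ldap returns invalid
"""

ATTR_RE = re.compile(r"^\s+([\w-]+) = (.+)$")           # indented request attribute lines
MATCHED_RE = re.compile(r"users: Matched (\S+) at \d+")  # which users-file entry fired
AUTH_TYPE_RE = re.compile(r"rad_check_password: Found Auth-Type (\S+)")

def parse_debug(log):
    """Return (request attributes, matched users entry, Auth-Type chosen for authenticate)."""
    attrs, matched, auth_type = {}, None, None
    for line in log.splitlines():
        if m := ATTR_RE.match(line):
            attrs[m.group(1)] = m.group(2)
        elif m := MATCHED_RE.search(line):
            matched = m.group(1)
        elif m := AUTH_TYPE_RE.search(line):
            auth_type = m.group(1)
    return attrs, matched, auth_type

def diagnose(log):
    """Explain why an EAP request ended up in rlm_ldap's bind-based authenticate."""
    attrs, matched, auth_type = parse_debug(log)
    findings = []
    if "EAP-Message" in attrs and "User-Password" not in attrs and auth_type == "LDAP":
        findings.append("EAP request routed to Auth-Type LDAP: the rlm_ldap bind needs a "
                        "cleartext User-Password, and an EAP request carries none")
    if matched and "module eap returns updated" in log and auth_type != "EAP":
        findings.append(f"users entry {matched} matched after eap updated the request; "
                        "check it for an Auth-Type := override")
    if "Attribute User-Password is required" in log:
        findings.append("rlm_ldap authenticate aborted: no User-Password in the request")
    return findings
```

Run `diagnose(DEBUG_LOG)` to get the three findings; once the Auth-Type is left to the eap module the same input yields an empty list.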
--- NextGen$'s ShaDow [EMAIL PROTECTED] wrote:
I solved this problem using another attribute:
in /etc/freeradius/ldap.attrmap:
checkItem User-Password radiusTunnelPassword
and set up passwords in it ;-)
I think it's only an access right problem on the LDAP 'userPassword' attribute...
If that doesn't solve your problem, please send a copy of your config files and give more information: it'll be easier to help.
Regards
Matt Moore wrote:
Hello all,
I am trying to set up a RADIUS service for EAP with an LDAP backend. I have gotten the LDAP backend working and I have gotten EAP to work with a user defined in the users file. Next 2 lines from my users file.
testuser    Auth-Type := EAP, User-Password == testpass
DEFAULT     Auth-Type := LDAP
But, how do