Re: Problem with LDAP and SSHA password
On 11/1/10 3:56 PM, Rafał Kamiński wrote:
> Hi,
> I configured FreeRADIUS + LDAP and an SSHA password as userPassword, but when I try to connect I get this debug log:
> ---CUT---

OK - my bad :) I clicked Send too fast.

---CUT---
Mon Nov 1 14:53:39 2010 : Debug: rlm_ldap: LDAP attribute userPassword as RADIUS attribute Password == {SHA}izxUUJlzMp1DyX5R9DSblXZBpjI=
Mon Nov 1 14:53:39 2010 : Debug: rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == {SHA}izxUUJlzMp1DyX5R9DSblXZBpjI=
Mon Nov 1 14:53:39 2010 : Debug: rlm_ldap: looking for reply items in directory...
Mon Nov 1 14:53:39 2010 : Debug: rlm_ldap: user rafal.kaminski authorized to use remote access
Mon Nov 1 14:53:39 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Mon Nov 1 14:53:39 2010 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Mon Nov 1 14:53:39 2010 : Debug: ++[ldap] returns ok
Mon Nov 1 14:53:39 2010 : Debug: modsingle[authorize]: calling expiration (rlm_expiration) for request 0
Mon Nov 1 14:53:39 2010 : Debug: modsingle[authorize]: returned from expiration (rlm_expiration) for request 0
Mon Nov 1 14:53:39 2010 : Debug: ++[expiration] returns noop
Mon Nov 1 14:53:39 2010 : Debug: modsingle[authorize]: calling logintime (rlm_logintime) for request 0
Mon Nov 1 14:53:39 2010 : Debug: modsingle[authorize]: returned from logintime (rlm_logintime) for request 0
Mon Nov 1 14:53:39 2010 : Debug: ++[logintime] returns noop
Mon Nov 1 14:53:39 2010 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 0
Mon Nov 1 14:53:39 2010 : Debug: rlm_pap: Found existing Auth-Type, not changing it.
Mon Nov 1 14:53:39 2010 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 0
Mon Nov 1 14:53:39 2010 : Debug: ++[pap] returns noop
Mon Nov 1 14:53:39 2010 : Debug: rad_check_password: Found Auth-Type EAP
Mon Nov 1 14:53:39 2010 : Debug: auth: type EAP
Mon Nov 1 14:53:39 2010 : Debug: WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
Mon Nov 1 14:53:39 2010 : Debug: auth: Failed to validate the user.
Mon Nov 1 14:53:39 2010 : Auth: Login incorrect: [rafal.kaminski/via Auth-Type = EAP] (from client 192.168.37.3 port 0)
Mon Nov 1 14:53:39 2010 : Debug: Found Post-Auth-Type Reject
Mon Nov 1 14:53:39 2010 : Debug: +- entering group REJECT
Mon Nov 1 14:53:39 2010 : Debug: modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0
Mon Nov 1 14:53:39 2010 : Debug: expand: %{User-Name} -> rafal.kaminski
Mon Nov 1 14:53:39 2010 : Debug: attr_filter: Matched entry DEFAULT at line 11
Mon Nov 1 14:53:39 2010 : Debug: modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0
Mon Nov 1 14:53:39 2010 : Debug: ++[attr_filter.access_reject] returns updated
Mon Nov 1 14:53:39 2010 : Debug: Delaying reject of request 0 for 1 seconds
Mon Nov 1 14:53:39 2010 : Debug: Going to the next request
Mon Nov 1 14:53:39 2010 : Debug: Waking up in 0.9 seconds.
Mon Nov 1 14:53:40 2010 : Debug: Sending delayed reject for request 0
Sending Access-Reject of id 217 to 192.168.37.3 port 1812
---END-CUT---

Where is the problem? Thanks for your help, because I haven't been able to resolve this problem for 2-3 days :(

--
Rafal Kaminski
System Administrator
Young Internet GmbH
Torstraße 35
10119 Berlin
Germany

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
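The {SHA} value in that log is an unsalted SHA-1 digest that rlm_pap could compare against a PAP cleartext password, but the request already carries Auth-Type EAP, so PAP never runs and the hash is never checked. As an added example, not from the post or from FreeRADIUS, this is how a {SHA}/{SSHA}/{CLEAR} userPassword value is parsed and verified the way a PAP check does it; the sample password and salt are constructed, and the {SHA} string is quoted from the log without knowing what it hashes.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Value quoted from the debug log in the post above (what it hashes is unknown).
LOG_USERPASSWORD = "{SHA}izxUUJlzMp1DyX5R9DSblXZBpjI="

# Constructed sample password and salt for this example; not from any directory.
SAMPLE_PASSWORD = "constructed-pw-42"
SAMPLE_SALT = b"\x01\x02\x03\x04"

SHA1_LEN = 20


def make_sha(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password)). This is the form seen in the log."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} as OpenLDAP stores it: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_userpassword(stored: str) -> Tuple[str, bytes, bytes]:
    """Split a userPassword value into (scheme, digest_or_value, salt).

    A value without a {scheme} prefix is treated as cleartext, which is what
    rlm_ldap does when the attribute carries no header.
    """
    if not stored.startswith("{") or "}" not in stored:
        return "CLEAR", stored.encode("utf-8"), b""
    scheme, _, value = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme in ("CLEAR", "CLEARTEXT"):
        return "CLEAR", value.encode("utf-8"), b""
    raw = base64.b64decode(value, validate=True)  # raises ValueError on bad input
    if scheme == "SHA":
        return "SHA", raw, b""
    if scheme == "SSHA":
        # Everything after the 20-byte SHA-1 digest is the salt.
        return "SSHA", raw[:SHA1_LEN], raw[SHA1_LEN:]
    raise ValueError(f"unsupported userPassword scheme {{{scheme}}}")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Compare a cleartext PAP password with a stored userPassword value.

    Returns False (rather than raising) for malformed or unsupported values,
    mirroring a reject. Comparisons are constant-time so the check does not
    leak how many bytes matched.
    """
    try:
        scheme, digest, salt = parse_userpassword(stored)
    except ValueError:
        return False
    cand = candidate.encode("utf-8")
    if scheme == "CLEAR":
        return hmac.compare_digest(digest, cand)
    if len(digest) != SHA1_LEN:
        return False
    # For {SHA} the salt is empty, so this one line covers both schemes.
    return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)


if __name__ == "__main__":
    scheme, digest, salt = parse_userpassword(LOG_USERPASSWORD)
    print(f"log value: scheme={scheme} digest={len(digest)} bytes salt={len(salt)} bytes")
    ssha = make_ssha(SAMPLE_PASSWORD, SAMPLE_SALT)
    print(ssha, verify_userpassword(ssha, SAMPLE_PASSWORD), verify_userpassword(ssha, "wrong"))
```

A hashed value like this can only be checked when the cleartext arrives, which PAP provides and PEAP/MSCHAPv2 does not; that is the point Phil Mayers makes further down the thread.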
Re: Freeradius + 3Com switch 4500
> Has anyone a sample configuration of a 3Com 4500 switch to work with FreeRADIUS?

I do :) I configured that 3Com a few days ago :) with the PDF from the 3Com CD. Any questions about that configuration?

Br
Kamyk
Question about 3Com 4500 series and Freeradius + Ldap
Hi,
Has somebody configured a 3Com switch series 4500 with FreeRADIUS + LDAP auth.? I have a problem: in debug mode I see:

---CUT---
Sending Access-Accept of id 18 to 192.168.2.201 port 5001
MS-MPPE-Recv-Key = 0x3c9698b69511f27c53657389c3994d28fa0c2db70bd6c671dc211ba697f92a09
MS-MPPE-Send-Key = 0xb571bf6045f094fa846995c6a3e89160e6eb476cc597d4dd0c6d90cd3341ca15
EAP-Message = 0x03080004
Message-Authenticator = 0x
User-Name = rka
---

But on the switch and on the computer, I have an unauthenticated user :( And I don't know why? Maybe the null Message-Authenticator is wrong?

Thanks,
Kamyk
Re: Ldap + EAP
Hi,
I have another problem with that LDAP auth. I set clearPassword - userPassword, and I see that LDAP auth. the user:

rlm_ldap: user rka authorized to use remote access

but after that I see:

rlm_eap_peap: Received EAP-TLV response.
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Tunneled data is valid.
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.

Why? What is wrong?

BR,

/Debug mode/
User-Name = rka
NAS-IP-Address = 192.168.1.245
Called-Station-Id = 000f66a0643e
Calling-Station-Id = 0014a41e7112
NAS-Identifier = 000f66a0643e
NAS-Port = 61
Framed-MTU = 1400
State = 0x3e33510f9407a5ab3618886708f0a7ab
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020700261900170301001bac20ee16475c5840e93722613a0e23156a7025d2aa5bfa24846b31
Message-Authenticator = 0x0581c287817e870b2d4c1eb38f2b257f
Fri Jan 26 10:18:13 2007 : Debug: rad_lowerpair: User-Name now 'rka'
Fri Jan 26 10:18:13 2007 : Debug: Processing the authorize section of radiusd.conf
Fri Jan 26 10:18:13 2007 : Debug: modcall: entering group authorize for request 7
Fri Jan 26 10:18:13 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 7
Fri Jan 26 10:18:13 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 7
Fri Jan 26 10:18:13 2007 : Debug: modcall[authorize]: module mschap returns noop for request 7
Fri Jan 26 10:18:13 2007 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 7
Fri Jan 26 10:18:13 2007 : Debug: rlm_ldap: - authorize
Fri Jan 26 10:18:13 2007 : Debug: rlm_ldap: performing user authorization for rka
Fri Jan 26 10:18:13 2007 : Debug: radius_xlat: '(uid=rka)'
Fri Jan 26 10:18:13 2007 : Debug: radius_xlat: 'ou=Users,dc=blstream'
Fri Jan 26 10:18:13 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Jan 26 10:18:13 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Jan 26 10:18:13 2007 : Debug: rlm_ldap: performing search in ou=Users,dc=blstream, with filter (uid=rka)
Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: checking if remote access for rka is allowed by uid
Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: Added password {CLEAR} dupa in check items
Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: looking for check items in directory...
Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: Adding userPassword as User-Password, value {CLEAR} dupa op=21
Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: looking for reply items in directory...
Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: user rka authorized to use remote access
Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jan 26 10:18:14 2007 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 7
Fri Jan 26 10:18:14 2007 : Debug: modcall[authorize]: module ldap returns ok for request 7
Fri Jan 26 10:18:14 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 7
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap: EAP packet type response id 7 length 38
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Fri Jan 26 10:18:14 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 7
Fri Jan 26 10:18:14 2007 : Debug: modcall[authorize]: module eap returns updated for request 7
Fri Jan 26 10:18:14 2007 : Debug: modcall: leaving group authorize (returns updated) for request 7
Fri Jan 26 10:18:14 2007 : Debug: rad_check_password: Found Auth-Type EAP
Fri Jan 26 10:18:14 2007 : Debug: auth: type EAP
Fri Jan 26 10:18:14 2007 : Debug: Processing the authenticate section of radiusd.conf
Fri Jan 26 10:18:14 2007 : Debug: modcall: entering group authenticate for request 7
Fri Jan 26 10:18:14 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 7
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap: Request found, released from the list
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap: EAP/peap
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap: processing type peap
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Authenticate
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_tls: processing TLS
Fri Jan 26 10:18:14 2007 : Debug: eaptls_verify returned 7
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_tls: Done initial handshake
Fri Jan 26 10:18:14 2007 : Debug: eaptls_process returned 7
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: EAPTLS_OK
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes.
PEAP tunnel data in : 02 07 00 0b 21 80 03 00 02 00 02
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Received EAP-TLV response.
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Tunneled data is valid.
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
Fri Jan 26 10:18:14 2007 : Debug: rlm_eap: Handler failed in
Re: Ldap + EAP
Phil Mayers wrote:
> Assuming you want the most common EAP type, PEAP/MS-CHAP, your LDAP server must contain the user's plaintext password or NT/LM hash, and you must configure FreeRadius to extract this information and add it to the configure items for a given request.

Hi,
Can you tell me how to configure FreeRadius to extract this information and add it to the configure items for a request? I set a clear password in LDAP and still I have this in debug mode:

Login incorrect: [rka/no User-Password attribute]

- rka is my user

BR,
--
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]
Re: Ldap + EAP
> checkItem User-Password clearPassword

Hi,
I set in ldap.attrmap:

checkItem User-Password userPassword

because my admin told me that the password in the LDAP schema is set by userPassword. In authorize and authenticate I have:

authorize {
    preprocess
    chap
    mschap
    ldap
    eap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}

And when I try to connect to the Linksys with a Windows client - I type the user-name and password - I see the log added at the bottom of this mail :) I think that is crazy, because I see:

rlm_ldap: user rka authorized to use remote access

And why does debug mode still write:

Auth: Login incorrect: [rka/no User-Password attribute] (from client linksys port 61 cli 0014a41e7112)

Maybe the error isn't in the LDAP connection, maybe it is in a different place :( Can somebody help me?

BR,

DEBUG MODE
rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=167
User-Name = rka
NAS-IP-Address = 192.168.1.245
Called-Station-Id = 001217694588
Calling-Station-Id = 0014a41e7112
NAS-Identifier = 001217694588
NAS-Port = 61
Framed-MTU = 1400
State = 0xf8bfced1a046e6c05d5ddcdee6c66a43
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020600261900170301001b6e9e46686e68b4189ee83563818eaad43d267262ed5ac48a0026a0
Message-Authenticator = 0x67e2d4387ffb387664c87ef24add26e9
Tue Jan 23 12:58:10 2007 : Debug: Processing the authorize section of radiusd.conf
Tue Jan 23 12:58:10 2007 : Debug: modcall: entering group authorize for request 19
Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 19
Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 19
Tue Jan 23 12:58:10 2007 : Debug: modcall[authorize]: module preprocess returns ok for request 19
Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 19
Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 19
Tue Jan 23 12:58:10 2007 : Debug: modcall[authorize]: module chap returns noop for request 19
Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 19
Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 19
Tue Jan 23 12:58:10 2007 : Debug: modcall[authorize]: module mschap returns noop for request 19
Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 19
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: - authorize
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: performing user authorization for rka
Tue Jan 23 12:58:10 2007 : Debug: radius_xlat: '(uid=rka)'
Tue Jan 23 12:58:10 2007 : Debug: radius_xlat: 'ou=Users,dc=blstream'
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: performing search in ou=Users,dc=blstream, with filter (uid=rka)
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: checking if remote access for rka is allowed by uid
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: looking for check items in directory...
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: looking for reply items in directory...
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: user rka authorized to use remote access
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 19
Tue Jan 23 12:58:10 2007 : Debug: modcall[authorize]: module ldap returns ok for request 19
Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 19
Tue Jan 23 12:58:10 2007 : Debug: rlm_eap: EAP packet type response id 6 length 38
Tue Jan 23 12:58:10 2007 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Tue Jan 23 12:58:10 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 19
Tue Jan 23 12:58:10 2007 : Debug: modcall[authorize]: module eap returns updated for request 19
Tue Jan 23 12:58:10 2007 : Debug: modcall: leaving group authorize (returns updated) for request 19
Tue Jan 23 12:58:10 2007 : Debug: rad_check_password: Found Auth-Type EAP
Tue Jan 23 12:58:10 2007 : Debug: auth: type EAP
Tue Jan 23 12:58:10 2007 : Debug: Processing the authenticate section of radiusd.conf
Tue Jan 23 12:58:10 2007 : Debug: modcall: entering group authenticate for request 19
Tue Jan 23 12:58:10 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 19
Tue Jan 23 12:58:10 2007 : Debug: rlm_eap: Request found, released from the list
Tue Jan 23 12:58:10 2007 : Debug: rlm_eap: EAP/peap
Tue Jan 23 12:58:10
Freeradius + DHCP server ?
Hi,
Does it work? If yes, can somebody tell me how I can do that? My users are auth. and I want to give them an IP address.

BR
--
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]
Ldap + EAP
Hi,
I set up my FreeRADIUS with the Linksys and EAP, and when I use a cert. it works fine. But when I want to use LDAP without a cert., in the logs I see:

rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=119
User-Name = rka
NAS-IP-Address = 192.168.1.245
Called-Station-Id = 001217694588
Calling-Station-Id = 0014a41e7112
NAS-Identifier = 001217694588
NAS-Port = 61
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000801726b61
Message-Authenticator = 0x935d96fb44fccc41767e4667570ff8f2

All is OK, but my LDAP needs User-Password, and next I see:

Auth: Login incorrect: [rka/no User-Password attribute] (from client linksys port 61 cli 0014a41e7112)

What must I change in LDAP or wherever to auth. users from wifi in LDAP without User-Password or with Password?

BR,
--
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]
Re: Freeradius + DHCP server ?
OK,
I set ippool main {} and what must I set in users to give an auth. user an IP?

rka Auth-Type := EAP, Pool-Name := main_ippool
    Framed-Route = 192.168.1.245

Is it correct??
--
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]
Re: One question about Access-Request packet
Hi,
I set everything but in the logs I have:

Debug: rlm_eap_tls: TLS 1.0 Handshake [length 02c8], Certificate
Fri Jan 19 14:06:18 2007 : Error: -- verify error:num=3:unable to get certificate CRL
Fri Jan 19 14:06:18 2007 : Debug: rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal unknown_ca
Fri Jan 19 14:06:18 2007 : Error: TLS Alert write:fatal:unknown CA
Fri Jan 19 14:06:18 2007 : Error: TLS_accept:error in SSLv3 read client certificate B
Fri Jan 19 14:06:18 2007 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Fri Jan 19 14:06:18 2007 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.

I see that there is some problem with the CA :( I made the certs from the description on http://www.nantes-wireless.org/actu/article.php3?id_article=8artsuite=1 or the famous EAPTLS.pdf but it still doesn't work :( Does someone know why?

BR
--
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]
Re: One question about Access-Request packet
Hi again,
I set up EAP-TLS with a cert. - I used this text http://www.fredprod.com/affiche_howtos.php but ... I set in radius.conf:

authorize {
    files
}

authenticate {
    eap
}

and in the users file (username the same as in the cert):

username Auth-Type := EAP

but in debug mode I see:

---
rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=135
User-Name = rka
NAS-IP-Address = 192.168.1.245
Called-Station-Id = 001217694588
Calling-Station-Id = 0014a41e7112
NAS-Identifier = 001217694588
NAS-Port = 61
Framed-MTU = 1400
State = 0x7fb3974e3abaf6925a5284b2338f93a6
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400061900
Message-Authenticator = 0xd8e04dc8793f5401249372587b5867df
Thu Jan 18 11:42:51 2007 : Debug: Processing the authorize section of radiusd.conf
Thu Jan 18 11:42:51 2007 : Debug: modcall: entering group authorize for request 3
Thu Jan 18 11:42:51 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 3
Thu Jan 18 11:42:51 2007 : Debug: users: Matched entry rka at line 141
Thu Jan 18 11:42:51 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 3
Thu Jan 18 11:42:51 2007 : Debug: modcall[authorize]: module files returns ok for request 3
Thu Jan 18 11:42:51 2007 : Debug: modcall: leaving group authorize (returns ok) for request 3
Thu Jan 18 11:42:51 2007 : Debug: rad_check_password: Found Auth-Type EAP
Thu Jan 18 11:42:51 2007 : Debug: auth: type EAP
Thu Jan 18 11:42:51 2007 : Debug: Processing the authenticate section of radiusd.conf
Thu Jan 18 11:42:51 2007 : Debug: modcall: entering group authenticate for request 3
Thu Jan 18 11:42:51 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 3
Thu Jan 18 11:42:51 2007 : Debug: rlm_eap: Request found, released from the list
Thu Jan 18 11:42:51 2007 : Debug: rlm_eap: EAP/peap
Thu Jan 18 11:42:51 2007 : Debug: rlm_eap: processing type peap
Thu Jan 18 11:42:51 2007 : Debug: rlm_eap_peap: Authenticate
Thu Jan 18 11:42:51 2007 : Debug: rlm_eap_tls: processing TLS
Thu Jan 18 11:42:51 2007 : Debug: rlm_eap_tls: Received EAP-TLS ACK message
Thu Jan 18 11:42:51 2007 : Debug: rlm_eap_tls: ack handshake fragment handler
Thu Jan 18 11:42:51 2007 : Debug: eaptls_verify returned 1
Thu Jan 18 11:42:51 2007 : Debug: eaptls_process returned 13
Thu Jan 18 11:42:51 2007 : Debug: rlm_eap_peap: EAPTLS_HANDLED
Thu Jan 18 11:42:51 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 3
Thu Jan 18 11:42:51 2007 : Debug: modcall[authenticate]: module eap returns handled for request 3
Thu Jan 18 11:42:51 2007 : Debug: modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 0 to 192.168.1.245 port 3072
EAP-Message = 0x010500061900
Message-Authenticator = 0x
State = 0xdaf79644eaea9256a1b9537be3c3f7bc
---

What must I change to get a good auth? And how must I set authentication and authorize if I want to use this in future with LDAP?

BR,
Rafal Kaminski
One question about Access-Request packet
Hi,
I have one question: why, when I try to auth. from a laptop over wifi through the Linksys, does it send this request:

rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=119
User-Name = rka
NAS-IP-Address = 192.168.1.245
Called-Station-Id = 001217694588
Calling-Station-Id = 0014a41e7112
NAS-Identifier = 001217694588
NAS-Port = 61
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000801726b61
Message-Authenticator = 0x794e9d729e673a6c41b875855ae5a464

A request without User-Password - and that is the problem with auth. When I try to auth. over LAN my PC sends this request:

rad_recv: Access-Request packet from host 10.44.3.15:62963, id=66, length=55
User-Name = rka
User-Password = qazwsxedc
NAS-IP-Address = 255.255.255.255
NAS-Port = 0

And the auth. is correct. Where is the problem? Maybe with the Linksys? It is a WPA54G.

Thanks a lot for your help
BR,
--
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]
Compile freeradius + debian + rlm_eap_tls
Hello,
I have FreeRADIUS on Debian etch but without rlm_eap_tls. How can I compile the new freeradius-1.1.4 with rlm_eap_tls? Sorry for the easy question, but I'm new to this.

BR,
Rafal Kaminski
Problem with Freeradius+LDAP+wifi
Hello,
I have this configuration:
- server with FreeRADIUS, connected to the internal system and the LDAP server
- Linksys WPA54G
- laptop with wifi
- PC with FreeBSD

When I tested connections from the PC using radtest I was auth. by the RADIUS and LDAP server. But when I want to use the laptop and wifi I see some FreeRADIUS logs:
- I see that the Linksys connects to the LDAP server over FreeRADIUS but the user (the same one that is auth. on the PC) doesn't get auth. :(

LOGS:
rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=119
User-Name = rka
NAS-IP-Address = 192.168.1.245
Called-Station-Id = 001217694588
Calling-Station-Id = 000d93ee9b55
NAS-Identifier = 001217694588
NAS-Port = 32
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020801726b61
Message-Authenticator = 0x31c848a6f4f552bd2024d49b5ffa79c4
Mon Jan 15 13:39:00 2007 : Debug: Processing the authorize section of radiusd.conf
Mon Jan 15 13:39:00 2007 : Debug: modcall: entering group authorize for request 2
Mon Jan 15 13:39:00 2007 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 2
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: - authorize
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: performing user authorization for rka
Mon Jan 15 13:39:00 2007 : Debug: radius_xlat: '(uid=rka)'
Mon Jan 15 13:39:00 2007 : Debug: radius_xlat: 'ou=Users,dc=domain'
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: performing search in ou=Users,dc=blstream, with filter (uid=rka)
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: looking for check items in directory...
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: looking for reply items in directory...
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: user rka authorized to use remote access
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Mon Jan 15 13:39:00 2007 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 2
Mon Jan 15 13:39:00 2007 : Debug: modcall[authorize]: module ldap returns ok for request 2
Mon Jan 15 13:39:00 2007 : Debug: modcall: leaving group authorize (returns ok) for request 2
Mon Jan 15 13:39:00 2007 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Mon Jan 15 13:39:00 2007 : Debug: auth: Failed to validate the user.
Mon Jan 15 13:39:00 2007 : Debug: Delaying request 2 for 1 seconds
Mon Jan 15 13:39:00 2007 : Debug: Finished request 2
Mon Jan 15 13:39:00 2007 : Debug: Going to the next request
Mon Jan 15 13:39:00 2007 : Debug: --- Walking the entire request list ---
Mon Jan 15 13:39:00 2007 : Debug: Waking up in 1 seconds...
Mon Jan 15 13:39:01 2007 : Debug: --- Walking the entire request list ---
Mon Jan 15 13:39:01 2007 : Debug: Waking up in 1 seconds...
Mon Jan 15 13:39:02 2007 : Debug: --- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.1.245 port 3072

I set in /etc/freeradius/clients.conf:

client 192.168.1.245 {
    secret = password
    shortname = ldap_test
}

Why didn't LDAP want to auth. me? And it is so freaky because when I used the PC with the same user, LDAP authed me.

BR,
--
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]
Problem with unprintable characters in the password
Hello,
I haven't touched my RADIUS server for 2 weeks, and now when I try to do some radtest, it shows me Access-Reject and in the log:

Mon Dec 11 14:51:47 2006 : Debug: Processing the authorize section of radiusd.conf
Mon Dec 11 14:51:47 2006 : Debug: modcall: entering group authorize for request 2
Mon Dec 11 14:51:47 2006 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 2
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: - authorize
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: performing user authorization for rka
Mon Dec 11 14:51:47 2006 : Debug: radius_xlat: '(uid=rka)'
Mon Dec 11 14:51:47 2006 : Debug: radius_xlat: 'ou=users,dc=firm'
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: performing search in ou=users,dc=firm, with filter (uid=rka)
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: looking for check items in directory...
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: looking for reply items in directory...
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: Setting Auth-Type = ldap
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: user rka authorized to use remote access
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Mon Dec 11 14:51:47 2006 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 2
Mon Dec 11 14:51:47 2006 : Debug: modcall[authorize]: module ldap returns ok for request 2
Mon Dec 11 14:51:47 2006 : Debug: modcall: leaving group authorize (returns ok) for request 2
Mon Dec 11 14:51:47 2006 : Debug: rad_check_password: Found Auth-Type ldap
Mon Dec 11 14:51:47 2006 : Debug: auth: type LDAP
Mon Dec 11 14:51:47 2006 : Debug: Processing the authenticate section of radiusd.conf
Mon Dec 11 14:51:47 2006 : Debug: modcall: entering group LDAP for request 2
Mon Dec 11 14:51:47 2006 : Debug: modsingle[authenticate]: calling ldap (rlm_ldap) for request 2
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: - authenticate
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: login attempt by rka with password ?Pđ ,??č?ń/9?Â??
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: user DN: uid=rka,ou=Users,dc=firm
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: (re)connect to ldap:636, authentication 1
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: setting TLS mode to 1
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: setting TLS CACert File to /etc/freeradius/cert/ca.pem
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: setting TLS Cert File to /etc/freeradius/cert/radius.crt
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: setting TLS Key File to /etc/freeradius/cert/radius.key
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: bind as uid=rka,ou=Users,dc=firm/?Pđ ,??č?ń/9?Â?? to ldap:636
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: waiting for bind result ...
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: Bind failed with invalid credentials
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap:
Mon Dec 11 14:51:47 2006 : Debug: modsingle[authenticate]: returned from ldap (rlm_ldap) for request 2
Mon Dec 11 14:51:47 2006 : Debug: modcall[authenticate]: module ldap returns reject for request 2
Mon Dec 11 14:51:47 2006 : Debug: modcall: leaving group LDAP (returns reject) for request 2
Mon Dec 11 14:51:47 2006 : Debug: auth: Failed to validate the user.
Mon Dec 11 14:51:47 2006 : Debug: WARNING: Unprintable characters in the password.
	Double-check the shared secret on the server and the NAS!
Mon Dec 11 14:51:47 2006 : Debug: Delaying request 2 for 1 seconds
Mon Dec 11 14:51:47 2006 : Debug: Finished request 2
Mon Dec 11 14:51:47 2006 : Debug: Going to the next request
Mon Dec 11 14:51:47 2006 : Debug: --- Walking the entire request list ---
Mon Dec 11 14:51:47 2006 : Debug: Waking up in 1 seconds...
Mon Dec 11 14:51:48 2006 : Debug: --- Walking the entire request list ---
Mon Dec 11 14:51:48 2006 : Debug: Waking up in 1 seconds...
Mon Dec 11 14:51:49 2006 : Debug: --- Walking the entire request list ---

The last time I ran those servers everything was OK :( And now :( it's not :( Why? I'm sure that my secret is good. Can you help me?

BR
Kamyk
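The warning at the end of that log is the server's only signal that the User-Password it decoded does not look like text, because the RFC 2865 hiding has no integrity check of its own: a wrong shared secret does not fail, it yields garbage that is then sent to LDAP as the bind password. As an added example that is not part of the post or of FreeRADIUS, the code below implements that hiding and decodes one constructed packet with the right secret and with a secret that differs by one character; the password, secret and Request Authenticator are all constructed values.

```python
import hashlib

# Constructed values for this example; a real NAS picks a random 16-byte
# Request Authenticator per packet and the secret comes from clients.conf.
SAMPLE_PASSWORD = b"constructed-pw-42"
SAMPLE_SECRET = b"constructed-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as performed by the NAS.

    The password is NUL-padded to a multiple of 16 bytes. Block i is XORed
    with MD5(secret + c(i-1)), where c(0) is the Request Authenticator and
    c(i) is the previous hidden block, so every block depends on the secret.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes long")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor(padded[i:i + 16], keystream)
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the hiding with the secret configured for this client.

    The keystream for block i is recomputed from the *received* block i-1, so
    decoding always "succeeds"; only the printability of the result hints
    that the NAS and the server disagree on the secret.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += _xor(hidden[i:i + 16], keystream)
        prev = hidden[i:i + 16]
    # Strip the NUL padding (RADIUS passwords cannot contain NUL anyway).
    return bytes(plain).rstrip(b"\x00")


def is_printable(password: bytes) -> bool:
    """Printable-ASCII test in the spirit of the check behind the warning in the log."""
    return all(0x20 <= b < 0x7F for b in password)


if __name__ == "__main__":
    hidden = hide_user_password(SAMPLE_PASSWORD, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    good = reveal_user_password(hidden, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    # Same packet decoded by a server whose clients.conf secret is off by one letter.
    bad = reveal_user_password(hidden, b"Constructed-secret", SAMPLE_AUTHENTICATOR)
    print(f"hidden ({len(hidden)} bytes): {hidden.hex()}")
    print(f"right secret: printable={is_printable(good)} password={good!r}")
    print(f"wrong secret: printable={is_printable(bad)} password={bad!r}")
```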
FreeRadius + Ldap + TLS/SSL
Hello
I installed FreeRADIUS on a Debian Sarge machine. I have my users in LDAP and I use that directory to auth. them. It works. But when I want to use TLS in the connections between RADIUS and LDAP, I have this error in the RADIUS log:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/freeradius/cert/ca.crt
rlm_ldap: setting TLS CACert File to /etc/freeradius/cert/
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: setting TLS Cert File to /etc/freeradius/cert/radius.crt
rlm_ldap: setting TLS Key File to /etc/freeradius/cert/radius.key
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

When I saw that error, I checked the LDAP logs. My LDAP is configured with SSL, not TLS. Now I have a problem configuring FreeRADIUS to work with SSL LDAP, not TLS LDAP :( I have in radiusd.conf:

server = ldap
port = 636
#port = 389
...
filter = (uid=%u)
base_filter = (objectclass=radiusprofile)
start_tls = no
# tls_cacertfile= /path/to/cacert.pem
tls_cacertfile = /etc/freeradius/cert/ca.crt
# tls_cacertdir = /path/to/ca/dir/
tls_cacertdir = /etc/freeradius/cert/
tls_cacertdir = /etc/freeradius/cert/
# tls_certfile = /path/to/radius.crt
tls_certfile = /etc/freeradius/cert/radius.crt
# tls_keyfile = /path/to/radius.key
tls_keyfile = /etc/freeradius/cert/radius.key
#tls_mode = yes

I read about SSL in FreeRADIUS and I thought that this conf. uses SSL for the connections with LDAP, but am I wrong? Can somebody tell me how I can use SSL auth between LDAP and FreeRADIUS?

BR.
Kamyk
Re: RE : FreeRadius + Ldap + TLS/SSL
Thx, it works. But I have another question:
- In the FreeRADIUS log (freeradius -XXX -A) I see my password from the LDAP server; how can I encrypt that password?

BR
Kamyk

On Dec 4, 2006, at 1:57 PM, Thibault Le Meur wrote:

> -----Original message-----
> From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On behalf of Rafał Kamiński
> Sent: Monday, 4 December 2006 13:28
> To: freeradius-users@lists.freeradius.org
> Subject: FreeRadius + Ldap + TLS/SSL
>
> > When I saw that error, I checked the LDAP logs. My LDAP is configured with SSL, not TLS. Now I have a problem configuring FreeRADIUS to work with SSL LDAP, not TLS LDAP :( I have in radiusd.conf:
> >
> > server = ldap
> > port = 636
> > #port = 389
> > ...
> > filter = (uid=%u)
> > base_filter = (objectclass=radiusprofile)
> > start_tls = no
>
> This last line is ok: it will ask not to try a Start-TLS connection.
>
> > # tls_cacertfile= /path/to/cacert.pem
> > tls_cacertfile = /etc/freeradius/cert/ca.crt
> > # tls_cacertdir = /path/to/ca/dir/
> > tls_cacertdir = /etc/freeradius/cert/
> > tls_cacertdir = /etc/freeradius/cert/
>
> Why do you have both tls_cacertfile and tls_cacertdir?
>
> > # tls_certfile = /path/to/radius.crt
> > tls_certfile = /etc/freeradius/cert/radius.crt
> > # tls_keyfile = /path/to/radius.key
> > tls_keyfile = /etc/freeradius/cert/radius.key
>
> tls_certfile and tls_keyfile are used to make the radius server authenticate itself to the ldap server. This is not mandatory; if you're not willing to authenticate the radius server to the ldap server, then you can omit these two lines. However, if you are trying to authenticate the radius server to the ldap server with certificates, then check that the CA that has signed the radius' certificate is known by the ldap server.
>
> > #tls_mode = yes
>
> Argh... I think you have to uncomment this line.
>
> HTH,
> Thibault