Re: Problem with LDAP and SSHA password

2010-11-01 Thread Rafał Kamiński

On 11/1/10 3:56 PM, Rafał Kamiński wrote:

Hi,

I configured FreeRADIUS + LDAP with an SSHA password as userPassword, but
when I try to connect I get this debug log:

---CUT---


OK, my bad :) I clicked Send too fast.

---CUT---
Mon Nov  1 14:53:39 2010 : Debug: rlm_ldap: LDAP attribute userPassword 
as RADIUS attribute Password == {SHA}izxUUJlzMp1DyX5R9DSblXZBpjI=
Mon Nov  1 14:53:39 2010 : Debug: rlm_ldap: LDAP attribute userPassword 
as RADIUS attribute User-Password == {SHA}izxUUJlzMp1DyX5R9DSblXZBpjI=
Mon Nov  1 14:53:39 2010 : Debug: rlm_ldap: looking for reply items in 
directory...
Mon Nov  1 14:53:39 2010 : Debug: rlm_ldap: user rafal.kaminski 
authorized to use remote access

Mon Nov  1 14:53:39 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Mon Nov  1 14:53:39 2010 : Debug:   modsingle[authorize]: returned from 
ldap (rlm_ldap) for request 0

Mon Nov  1 14:53:39 2010 : Debug: ++[ldap] returns ok
Mon Nov  1 14:53:39 2010 : Debug:   modsingle[authorize]: calling 
expiration (rlm_expiration) for request 0
Mon Nov  1 14:53:39 2010 : Debug:   modsingle[authorize]: returned from 
expiration (rlm_expiration) for request 0

Mon Nov  1 14:53:39 2010 : Debug: ++[expiration] returns noop
Mon Nov  1 14:53:39 2010 : Debug:   modsingle[authorize]: calling 
logintime (rlm_logintime) for request 0
Mon Nov  1 14:53:39 2010 : Debug:   modsingle[authorize]: returned from 
logintime (rlm_logintime) for request 0

Mon Nov  1 14:53:39 2010 : Debug: ++[logintime] returns noop
Mon Nov  1 14:53:39 2010 : Debug:   modsingle[authorize]: calling pap 
(rlm_pap) for request 0
Mon Nov  1 14:53:39 2010 : Debug: rlm_pap: Found existing Auth-Type, not 
changing it.
Mon Nov  1 14:53:39 2010 : Debug:   modsingle[authorize]: returned from 
pap (rlm_pap) for request 0

Mon Nov  1 14:53:39 2010 : Debug: ++[pap] returns noop
Mon Nov  1 14:53:39 2010 : Debug:   rad_check_password:  Found Auth-Type EAP
Mon Nov  1 14:53:39 2010 : Debug: auth: type EAP
Mon Nov  1 14:53:39 2010 : Debug:   WARNING: Unknown value specified for 
Auth-Type.  Cannot perform requested action.

Mon Nov  1 14:53:39 2010 : Debug: auth: Failed to validate the user.
Mon Nov  1 14:53:39 2010 : Auth: Login incorrect: [rafal.kaminski/via 
Auth-Type = EAP] (from client 192.168.37.3 port 0)

Mon Nov  1 14:53:39 2010 : Debug:   Found Post-Auth-Type Reject
Mon Nov  1 14:53:39 2010 : Debug: +- entering group REJECT
Mon Nov  1 14:53:39 2010 : Debug:   modsingle[post-auth]: calling 
attr_filter.access_reject (rlm_attr_filter) for request 0

Mon Nov  1 14:53:39 2010 : Debug:   expand: %{User-Name} - rafal.kaminski
Mon Nov  1 14:53:39 2010 : Debug:  attr_filter: Matched entry DEFAULT at 
line 11
Mon Nov  1 14:53:39 2010 : Debug:   modsingle[post-auth]: returned from 
attr_filter.access_reject (rlm_attr_filter) for request 0
Mon Nov  1 14:53:39 2010 : Debug: ++[attr_filter.access_reject] returns 
updated

Mon Nov  1 14:53:39 2010 : Debug: Delaying reject of request 0 for 1 seconds
Mon Nov  1 14:53:39 2010 : Debug: Going to the next request
Mon Nov  1 14:53:39 2010 : Debug: Waking up in 0.9 seconds.
Mon Nov  1 14:53:40 2010 : Debug: Sending delayed reject for request 0
Sending Access-Reject of id 217 to 192.168.37.3 port 1812

---END-CUT---

Where is the problem?

Thanks for any help, because I haven't been able to resolve this problem for 2-3 days :(

--
Rafal Kaminski
System Administrator

Young Internet GmbH
Torstraße 35
10119 Berlin
Germany

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
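The debug output above shows rlm_ldap handing the directory's {SHA} userPassword to rlm_pap as a User-Password check item (the "Unknown value specified for Auth-Type" warning that follows is what FreeRADIUS 1.x prints when the Auth-Type it found has no matching module or sub-section in the authenticate section). The added example below is not from the original post or from FreeRADIUS; it shows the check a PAP-style verifier performs on such a value: the scheme prefix selects the algorithm, {SSHA} carries the salt after the 20-byte digest, and the only thing that can be verified this way is a cleartext password presented by the client. That is why a {SHA}/{SSHA} entry works for PAP but is useless for an EAP method that never delivers the cleartext to the server. The directory entries, salt and passwords are constructed; the {SHA} value from the log is not reused.

```python
import base64
import hashlib
import hmac
import os


def make_sha(password: str) -> str:
    """Unsalted {SHA} as OpenLDAP stores it: base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: bytes = b"") -> str:
    """Salted {SSHA}: base64(SHA-1(password + salt) + salt); a 4-byte salt is the OpenLDAP default."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_user_password(stored: str, candidate: str) -> bool:
    """Check a cleartext candidate against an LDAP userPassword value.

    This mirrors what a PAP check does with the hash as a check item: the
    scheme prefix selects the algorithm. An unknown scheme is rejected rather
    than treated as cleartext, and comparisons are constant-time.
    """
    cand = candidate.encode("utf-8")
    if not stored.startswith("{"):            # bare cleartext, no scheme prefix
        return hmac.compare_digest(stored.encode("utf-8"), cand)
    scheme, _, rest = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return hmac.compare_digest(rest.encode("utf-8"), cand)
    if scheme in ("SHA", "MD5"):
        algo = hashlib.sha1 if scheme == "SHA" else hashlib.md5
        return hmac.compare_digest(base64.b64decode(rest), algo(cand).digest())
    if scheme in ("SSHA", "SMD5"):
        raw = base64.b64decode(rest)
        dlen = 20 if scheme == "SSHA" else 16  # digest length, the salt is whatever follows
        digest, salt = raw[:dlen], raw[dlen:]
        algo = hashlib.sha1 if scheme == "SSHA" else hashlib.md5
        return hmac.compare_digest(digest, algo(cand + salt).digest())
    return False                              # {CRYPT}, {PBKDF2}, ... not handled here


# Constructed directory entries (not the values from the original post).
DIRECTORY = {
    "alice": make_ssha("correct horse", salt=b"\x01\x02\x03\x04"),
    "bob": make_sha("battery staple"),
    "carol": "{CLEAR}dupa",                   # cleartext scheme, as in the Jan 2007 logs
}


def pap_login(user: str, password: str) -> bool:
    """Simulate the PAP path: the NAS forwarded a cleartext User-Password."""
    stored = DIRECTORY.get(user)
    return stored is not None and verify_user_password(stored, password)


if __name__ == "__main__":
    for user, pw in (("alice", "correct horse"), ("bob", "wrong"), ("carol", "dupa")):
        print(f"{user}: {DIRECTORY[user]} -> {pap_login(user, pw)}")
```

Two caveats a practitioner would add: {SHA} and {SSHA} are single fast SHA-1 computations, so they only slow an offline attack marginally, and a debug run such as the one quoted prints the hashes (and, for {CLEAR}, the passwords) into the log, so do not run the daemon in debug mode against production users.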

Re: Freeradius + 3Com switch 4500

2007-04-17 Thread Rafał Kamiński
 
 Does anyone have a sample configuration for a 3Com 4500 switch to work with 
 FreeRADIUS?
 

I do :)

I configured that 3Com a few days ago :) using the PDF from the 3Com CD.

Any questions about that configuration?

Br

Kamyk


Question about 3Com 4500 series and Freeradius + Ldap

2007-04-11 Thread Rafał Kamiński
Hi,

Has anybody configured a 3Com 4500 series switch with FreeRADIUS + LDAP auth?

I have a problem:

In debug mode I see:

---CUT---

Sending Access-Accept of id 18 to 192.168.2.201 port 5001
MS-MPPE-Recv-Key =
0x3c9698b69511f27c53657389c3994d28fa0c2db70bd6c671dc211ba697f92a09
MS-MPPE-Send-Key =
0xb571bf6045f094fa846995c6a3e89160e6eb476cc597d4dd0c6d90cd3341ca15
EAP-Message = 0x03080004
Message-Authenticator = 0x
User-Name = rka

---

But on the switch and on the computer the user is unauthenticated :(

And I don't know why.

Maybe the null Message-Authenticator is wrong?

Thanks,

Kamyk


Re: Ldap + EAP

2007-01-26 Thread Rafał Kamiński
Hi,

I have another problem with that LDAP auth.

I set clearPassword to userPassword, and I see that LDAP authorizes the user:

rlm_ldap: user rka authorized to use remote access

but after that I see:

rlm_eap_peap: Received EAP-TLV response.
Fri Jan 26 10:18:14 2007 : Debug:   rlm_eap_peap: Tunneled data is valid.
Fri Jan 26 10:18:14 2007 : Debug:   rlm_eap_peap:  Had sent TLV failure.
 User was rejcted rejected earlier in this session.

Why? What is wrong?

BR,

/Debug mode/
User-Name = rka
NAS-IP-Address = 192.168.1.245
Called-Station-Id = 000f66a0643e
Calling-Station-Id = 0014a41e7112
NAS-Identifier = 000f66a0643e
NAS-Port = 61
Framed-MTU = 1400
State = 0x3e33510f9407a5ab3618886708f0a7ab
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020700261900170301001bac20ee16475c5840e93722613a0e23156a7025d2aa5bfa24846b31
Message-Authenticator = 0x0581c287817e870b2d4c1eb38f2b257f
Fri Jan 26 10:18:13 2007 : Debug: rad_lowerpair:  User-Name now 'rka'
Fri Jan 26 10:18:13 2007 : Debug:   Processing the authorize section of
radiusd.conf
Fri Jan 26 10:18:13 2007 : Debug: modcall: entering group authorize for
request 7
Fri Jan 26 10:18:13 2007 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 7
Fri Jan 26 10:18:13 2007 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 7
Fri Jan 26 10:18:13 2007 : Debug:   modcall[authorize]: module mschap
returns noop for request 7
Fri Jan 26 10:18:13 2007 : Debug:   modsingle[authorize]: calling ldap
(rlm_ldap) for request 7
Fri Jan 26 10:18:13 2007 : Debug: rlm_ldap: - authorize
Fri Jan 26 10:18:13 2007 : Debug: rlm_ldap: performing user
authorization for rka
Fri Jan 26 10:18:13 2007 : Debug: radius_xlat:  '(uid=rka)'
Fri Jan 26 10:18:13 2007 : Debug: radius_xlat:  'ou=Users,dc=blstream'
Fri Jan 26 10:18:13 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Jan 26 10:18:13 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Jan 26 10:18:13 2007 : Debug: rlm_ldap: performing search in
ou=Users,dc=blstream, with filter (uid=rka)
Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: checking if remote access
for rka is allowed by uid
Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: Added password {CLEAR} dupa
in check items
Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: looking for check items in
directory...
Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: Adding userPassword as
User-Password, value {CLEAR} dupa  op=21
Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: looking for reply items in
directory...
Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: user rka authorized to use
remote access
Fri Jan 26 10:18:14 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jan 26 10:18:14 2007 : Debug:   modsingle[authorize]: returned from
ldap (rlm_ldap) for request 7
Fri Jan 26 10:18:14 2007 : Debug:   modcall[authorize]: module ldap
returns ok for request 7
Fri Jan 26 10:18:14 2007 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 7
Fri Jan 26 10:18:14 2007 : Debug:   rlm_eap: EAP packet type response id
7 length 38
Fri Jan 26 10:18:14 2007 : Debug:   rlm_eap: No EAP Start, assuming it's
an on-going EAP conversation
Fri Jan 26 10:18:14 2007 : Debug:   modsingle[authorize]: returned from
eap (rlm_eap) for request 7
Fri Jan 26 10:18:14 2007 : Debug:   modcall[authorize]: module eap
returns updated for request 7
Fri Jan 26 10:18:14 2007 : Debug: modcall: leaving group authorize
(returns updated) for request 7
Fri Jan 26 10:18:14 2007 : Debug:   rad_check_password:  Found Auth-Type EAP
Fri Jan 26 10:18:14 2007 : Debug: auth: type EAP
Fri Jan 26 10:18:14 2007 : Debug:   Processing the authenticate section
of radiusd.conf
Fri Jan 26 10:18:14 2007 : Debug: modcall: entering group authenticate
for request 7
Fri Jan 26 10:18:14 2007 : Debug:   modsingle[authenticate]: calling eap
(rlm_eap) for request 7
Fri Jan 26 10:18:14 2007 : Debug:   rlm_eap: Request found, released
from the list
Fri Jan 26 10:18:14 2007 : Debug:   rlm_eap: EAP/peap
Fri Jan 26 10:18:14 2007 : Debug:   rlm_eap: processing type peap
Fri Jan 26 10:18:14 2007 : Debug:   rlm_eap_peap: Authenticate
Fri Jan 26 10:18:14 2007 : Debug:   rlm_eap_tls: processing TLS
Fri Jan 26 10:18:14 2007 : Debug:   eaptls_verify returned 7
Fri Jan 26 10:18:14 2007 : Debug:   rlm_eap_tls: Done initial handshake
Fri Jan 26 10:18:14 2007 : Debug:   eaptls_process returned 7
Fri Jan 26 10:18:14 2007 : Debug:   rlm_eap_peap: EAPTLS_OK
Fri Jan 26 10:18:14 2007 : Debug:   rlm_eap_peap: Session established.
Decoding tunneled attributes.
  PEAP tunnel data in : 02 07 00 0b 21 80 03 00 02 00 02
Fri Jan 26 10:18:14 2007 : Debug:   rlm_eap_peap: Received EAP-TLV response.
Fri Jan 26 10:18:14 2007 : Debug:   rlm_eap_peap: Tunneled data is valid.
Fri Jan 26 10:18:14 2007 : Debug:   rlm_eap_peap:  Had sent TLV failure.
 User was rejcted rejected earlier in this session.
Fri Jan 26 10:18:14 2007 : Debug:  rlm_eap: Handler failed in 

Re: Ldap + EAP

2007-01-23 Thread Rafał Kamiński
Phil Mayers wrote:
 
 Assuming you want the most common EAP type, PEAP/MS-CHAP, your LDAP
 server must contain the user's plaintext password or NT/LM hash, and you
 must configure FreeRadius to extract this information and add it to the
 configure items for a given request.
 

Hi,

Can you tell me how to configure FreeRADIUS to extract this information and
add it to the configure items for a request?

I set a clear password in LDAP and still I have this in debug mode:

Login incorrect: [rka/no User-Password attribute] - rka is my user

BR,

-- 
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]
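Phil's point in the quoted text is the crux of the whole thread: MS-CHAPv2 inside PEAP proves knowledge of the NT hash (MD4 over the UTF-16LE password), so the server needs either that hash or the cleartext from which to compute it; a one-way {SHA} or {SSHA} entry cannot be turned into it. The added example below is not from the original post or from FreeRADIUS. It derives the NT-Password value for a {CLEAR} userPassword and returns nothing for a hashed entry. MD4 is implemented inline, because hashlib's md4 depends on OpenSSL's legacy provider and is often missing; the sample {SHA} value is the one printed in the 2010 log above, the cleartext sample is constructed.

```python
import struct
from typing import Optional


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320; pure Python so it runs without OpenSSL's legacy provider."""
    mask = 0xFFFFFFFF

    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z): return (x & y) | ((~x & mask) & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    # Merkle-Damgard padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for func, const, order, shifts in rounds:
            for i in range(16):
                # Register roles rotate each step: (a,b,c,d), (d,a,b,c), (c,d,a,b), (b,c,d,a)
                a, b, c, d = (-i) % 4, (1 - i) % 4, (2 - i) % 4, (3 - i) % 4
                v[a] = rotl((v[a] + func(v[b], v[c], v[d]) + x[order[i]] + const) & mask,
                            shifts[i % 4])
        state = [(s + t) & mask for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); unsalted, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le"))


def nt_password_from_ldap(user_password: str) -> Optional[str]:
    """Return the NT-Password check item an MS-CHAPv2 verifier needs, or None
    when the directory only holds a one-way hash of the password."""
    if user_password.startswith("{"):
        scheme, _, value = user_password[1:].partition("}")
    else:
        scheme, value = "CLEAR", user_password
    if scheme.upper() == "CLEAR":
        return nt_hash(value).hex().upper()
    # {SHA}, {SSHA}, {MD5}, {CRYPT}, ...: cannot be inverted, so MS-CHAPv2 cannot be served.
    return None


if __name__ == "__main__":
    for entry in ("{CLEAR}password", "{SHA}izxUUJlzMp1DyX5R9DSblXZBpjI="):
        print(entry, "->", nt_password_from_ldap(entry))
```

With FreeRADIUS the value is supplied as an NT-Password check item (32 hex characters), or rlm_mschap derives it from the cleartext at request time. Since MD4 is unsalted and fast, an NT hash in the directory deserves the same access controls as a cleartext password: whoever can read it can authenticate as the user over MS-CHAPv2 without cracking anything.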


Re: Ldap + EAP

2007-01-23 Thread Rafał Kamiński
 checkItem   User-Password   clearPassword

Hi,

I set in ldap.attrmap

checkItem   User-Password   userPassword

because my admin told me that the password in the LDAP schema is set via userPassword.

In authorize and authenticate I have:

authorize {
        preprocess
        chap
        mschap
        ldap
        eap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}


And when I try to connect to the Linksys with a Windows client (I enter the
user name and password) I see

the log, added at the bottom of the mail :)

I think that is crazy, because I see:

rlm_ldap: user rka authorized to use remote access

And why does debug mode still write:

Auth: Login incorrect: [rka/no User-Password attribute] (from client
linksys port 61 cli 0014a41e7112)

Maybe the error isn't in the LDAP connection, maybe it's in a different place :(

Can somebody help me?

BR,

DEBUG MODE

rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0,
length=167
User-Name = rka
NAS-IP-Address = 192.168.1.245
Called-Station-Id = 001217694588
Calling-Station-Id = 0014a41e7112
NAS-Identifier = 001217694588
NAS-Port = 61
Framed-MTU = 1400
State = 0xf8bfced1a046e6c05d5ddcdee6c66a43
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020600261900170301001b6e9e46686e68b4189ee83563818eaad43d267262ed5ac48a0026a0
Message-Authenticator = 0x67e2d4387ffb387664c87ef24add26e9
Tue Jan 23 12:58:10 2007 : Debug:   Processing the authorize section of
radiusd.conf
Tue Jan 23 12:58:10 2007 : Debug: modcall: entering group authorize for
request 19
Tue Jan 23 12:58:10 2007 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 19
Tue Jan 23 12:58:10 2007 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 19
Tue Jan 23 12:58:10 2007 : Debug:   modcall[authorize]: module
preprocess returns ok for request 19
Tue Jan 23 12:58:10 2007 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 19
Tue Jan 23 12:58:10 2007 : Debug:   modsingle[authorize]: returned from
chap (rlm_chap) for request 19
Tue Jan 23 12:58:10 2007 : Debug:   modcall[authorize]: module chap
returns noop for request 19
Tue Jan 23 12:58:10 2007 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 19
Tue Jan 23 12:58:10 2007 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 19
Tue Jan 23 12:58:10 2007 : Debug:   modcall[authorize]: module mschap
returns noop for request 19
Tue Jan 23 12:58:10 2007 : Debug:   modsingle[authorize]: calling ldap
(rlm_ldap) for request 19
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: - authorize
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: performing user
authorization for rka
Tue Jan 23 12:58:10 2007 : Debug: radius_xlat:  '(uid=rka)'
Tue Jan 23 12:58:10 2007 : Debug: radius_xlat:  'ou=Users,dc=blstream'
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: performing search in
ou=Users,dc=blstream, with filter (uid=rka)
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: checking if remote access
for rka is allowed by uid
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: looking for check items in
directory...
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: looking for reply items in
directory...
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: user rka authorized to use
remote access
Tue Jan 23 12:58:10 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Jan 23 12:58:10 2007 : Debug:   modsingle[authorize]: returned from
ldap (rlm_ldap) for request 19
Tue Jan 23 12:58:10 2007 : Debug:   modcall[authorize]: module ldap
returns ok for request 19
Tue Jan 23 12:58:10 2007 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 19
Tue Jan 23 12:58:10 2007 : Debug:   rlm_eap: EAP packet type response id
6 length 38
Tue Jan 23 12:58:10 2007 : Debug:   rlm_eap: No EAP Start, assuming it's
an on-going EAP conversation
Tue Jan 23 12:58:10 2007 : Debug:   modsingle[authorize]: returned from
eap (rlm_eap) for request 19
Tue Jan 23 12:58:10 2007 : Debug:   modcall[authorize]: module eap
returns updated for request 19
Tue Jan 23 12:58:10 2007 : Debug: modcall: leaving group authorize
(returns updated) for request 19
Tue Jan 23 12:58:10 2007 : Debug:   rad_check_password:  Found Auth-Type EAP
Tue Jan 23 12:58:10 2007 : Debug: auth: type EAP
Tue Jan 23 12:58:10 2007 : Debug:   Processing the authenticate section
of radiusd.conf
Tue Jan 23 12:58:10 2007 : Debug: modcall: entering group authenticate
for request 19
Tue Jan 23 12:58:10 2007 : Debug:   modsingle[authenticate]: calling eap
(rlm_eap) for request 19
Tue Jan 23 12:58:10 2007 : Debug:   rlm_eap: Request found, released
from the list
Tue Jan 23 12:58:10 2007 : Debug:   rlm_eap: EAP/peap
Tue Jan 23 12:58:10 

Freeradius + DHCP server ?

2007-01-22 Thread Rafał Kamiński
Hi,

Does it work?

If yes, can somebody tell me how I can do that?

My users are authenticated and I want to give them an IP address.

BR

-- 
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]


Ldap + EAP

2007-01-22 Thread Rafał Kamiński
Hi,

I set up my FreeRADIUS with the Linksys and EAP, and when I use a cert. it works
fine. But when I want to use LDAP without a cert., in the logs I see:

rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0,
length=119
User-Name = rka
NAS-IP-Address = 192.168.1.245
Called-Station-Id = 001217694588
Calling-Station-Id = 0014a41e7112
NAS-Identifier = 001217694588
NAS-Port = 61
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000801726b61
Message-Authenticator = 0x935d96fb44fccc41767e4667570ff8f2


All is OK, but my LDAP needs User-Password, and next I see:


Auth: Login incorrect: [rka/no User-Password attribute] (from client
linksys port 61 cli 0014a41e7112)


What must I change in LDAP or elsewhere to authenticate users from wifi against LDAP
without User-Password or with Password?

BR,

-- 
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]


Re: Freeradius + DHCP server ?

2007-01-22 Thread Rafał Kamiński
OK,

I set ippool main {} and what must I set in users to give the authenticated user an IP?

rka     Auth-Type := EAP, Pool-Name := main_ippool
        Framed-Route = 192.168.1.245

Is that correct?


-- 
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]


Re: One question about Access-Request packet

2007-01-19 Thread Rafał Kamiński
Hi,

I set everything up, but in the logs I have:

Debug:   rlm_eap_tls:  TLS 1.0 Handshake [length 02c8], Certificate
Fri Jan 19 14:06:18 2007 : Error: -- verify error:num=3:unable to get
certificate CRL
Fri Jan 19 14:06:18 2007 : Debug:   rlm_eap_tls:  TLS 1.0 Alert
[length 0002], fatal unknown_ca
Fri Jan 19 14:06:18 2007 : Error: TLS Alert write:fatal:unknown CA
Fri Jan 19 14:06:18 2007 : Error: TLS_accept:error in SSLv3 read
client certificate B
Fri Jan 19 14:06:18 2007 : Error: rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Fri Jan 19 14:06:18 2007 : Error: rlm_eap_tls: SSL_read failed in a
system call (-1), TLS session fails.


I see that there is some problem with the CA :(

I made the cert from the description at

http://www.nantes-wireless.org/actu/article.php3?id_article=8artsuite=1

or

the famous EAPTLS.pdf

but it still doesn't work :(

Does anyone know why?

BR

-- 
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]


Re: One question about Access-Request packet

2007-01-18 Thread Rafał Kamiński
Hi again,

I set up EAP-TLS with a cert. I used this text:
http://www.fredprod.com/affiche_howtos.php

but ...

I set in radiusd.conf

authorize {
        files
}

and

authenticate {
        eap
}

and in the users file

<username, the same as in the cert>    Auth-Type := EAP

but in debug mode I see:



---
rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0,
length=135
User-Name = rka
NAS-IP-Address = 192.168.1.245
Called-Station-Id = 001217694588
Calling-Station-Id = 0014a41e7112
NAS-Identifier = 001217694588
NAS-Port = 61
Framed-MTU = 1400
State = 0x7fb3974e3abaf6925a5284b2338f93a6
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400061900
Message-Authenticator = 0xd8e04dc8793f5401249372587b5867df
Thu Jan 18 11:42:51 2007 : Debug:   Processing the authorize section of
radiusd.conf
Thu Jan 18 11:42:51 2007 : Debug: modcall: entering group authorize for
request 3
Thu Jan 18 11:42:51 2007 : Debug:   modsingle[authorize]: calling files
(rlm_files) for request 3
Thu Jan 18 11:42:51 2007 : Debug: users: Matched entry rka at line 141
Thu Jan 18 11:42:51 2007 : Debug:   modsingle[authorize]: returned from
files (rlm_files) for request 3
Thu Jan 18 11:42:51 2007 : Debug:   modcall[authorize]: module files
returns ok for request 3
Thu Jan 18 11:42:51 2007 : Debug: modcall: leaving group authorize
(returns ok) for request 3
Thu Jan 18 11:42:51 2007 : Debug:   rad_check_password:  Found Auth-Type EAP
Thu Jan 18 11:42:51 2007 : Debug: auth: type EAP
Thu Jan 18 11:42:51 2007 : Debug:   Processing the authenticate section
of radiusd.conf
Thu Jan 18 11:42:51 2007 : Debug: modcall: entering group authenticate
for request 3
Thu Jan 18 11:42:51 2007 : Debug:   modsingle[authenticate]: calling eap
(rlm_eap) for request 3
Thu Jan 18 11:42:51 2007 : Debug:   rlm_eap: Request found, released
from the list
Thu Jan 18 11:42:51 2007 : Debug:   rlm_eap: EAP/peap
Thu Jan 18 11:42:51 2007 : Debug:   rlm_eap: processing type peap
Thu Jan 18 11:42:51 2007 : Debug:   rlm_eap_peap: Authenticate
Thu Jan 18 11:42:51 2007 : Debug:   rlm_eap_tls: processing TLS
Thu Jan 18 11:42:51 2007 : Debug: rlm_eap_tls: Received EAP-TLS ACK message
Thu Jan 18 11:42:51 2007 : Debug:   rlm_eap_tls: ack handshake fragment
handler
Thu Jan 18 11:42:51 2007 : Debug:   eaptls_verify returned 1
Thu Jan 18 11:42:51 2007 : Debug:   eaptls_process returned 13
Thu Jan 18 11:42:51 2007 : Debug:   rlm_eap_peap: EAPTLS_HANDLED
Thu Jan 18 11:42:51 2007 : Debug:   modsingle[authenticate]: returned
from eap (rlm_eap) for request 3
Thu Jan 18 11:42:51 2007 : Debug:   modcall[authenticate]: module eap
returns handled for request 3
Thu Jan 18 11:42:51 2007 : Debug: modcall: leaving group authenticate
(returns handled) for request 3
Sending Access-Challenge of id 0 to 192.168.1.245 port 3072
EAP-Message = 0x010500061900
Message-Authenticator = 0x
State = 0xdaf79644eaea9256a1b9537be3c3f7bc
---

What must I change to get a good auth?


And

How must I set up authenticate and authorize if I will use this in future
with LDAP?


BR,

Rafal Kaminski



One question about Access-Request packet

2007-01-17 Thread Rafał Kamiński
Hi, I have one question:

Why, when I try to authenticate from a laptop over wifi via the Linksys, does it send
this request:

rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0,
length=119
User-Name = rka
NAS-IP-Address = 192.168.1.245
Called-Station-Id = 001217694588
Calling-Station-Id = 0014a41e7112
NAS-Identifier = 001217694588
NAS-Port = 61
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000801726b61
Message-Authenticator = 0x794e9d729e673a6c41b875855ae5a464

A request without User-Password, and that is the problem with auth.

When I try to authenticate over LAN my PC sends this request:

rad_recv: Access-Request packet from host 10.44.3.15:62963, id=66, length=55
User-Name = rka
User-Password = qazwsxedc
NAS-IP-Address = 255.255.255.255
NAS-Port = 0

And the auth. is correct.

Where is the problem? Maybe with the Linksys? It is a WPA54G.


Thanks a lot for help

BR,

-- 
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]
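The two requests above differ because an 802.1X wireless client never puts the password into User-Password: the credential exchange travels inside EAP-Message, the first packet is only the EAP Response/Identity, and with PEAP the password (as an MS-CHAPv2 exchange) is sent later inside the TLS tunnel. The added example below is not from the original post or from FreeRADIUS; it decodes the EAP-Message values printed in the logs on this page: the Identity response, the empty PEAP ACK fragments, the EAP Success, and the PEAP packet carrying a TLS application-data record. The type table only covers the methods named on this page.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_METHODS = (13, 21, 25)                         # methods whose payload is TLS records


def parse_eap_message(value: str) -> dict:
    """Decode one RADIUS EAP-Message attribute given as the 0x... hex string the debug log prints."""
    raw = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):                         # RFC 3748: Length covers the whole packet
        raise ValueError(f"EAP length {length} != {len(raw)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4) or length == 4:              # Success/Failure carry no Type field
        return out
    eap_type = raw[4]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    body = raw[5:]
    if eap_type == 1:
        out["identity"] = body.decode("utf-8", "replace")
    elif eap_type in TLS_METHODS and body:
        flags = body[0]
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        pos = 1
        if flags & 0x80:                           # L flag: 4-byte total TLS message length follows
            out["tls_total_length"] = struct.unpack("!I", body[1:5])[0]
            pos = 5
        tls = body[pos:]
        if not tls:
            out["tls"] = "ACK"                     # empty payload acknowledges the peer's fragment
        elif len(tls) >= 5:
            ctype, version, rlen = struct.unpack("!BHH", tls[:5])
            out["tls"] = {"content_type": TLS_CONTENT.get(ctype, ctype),
                          "record_version": f"{version >> 8}.{version & 0xFF}",  # 3.1 is TLS 1.0
                          "record_length": rlen}
    return out


# EAP-Message values exactly as printed in the debug output quoted on this page.
SAMPLES = {
    "identity": "0x0201000801726b61",
    "peap_ack": "0x020400061900",
    "success": "0x03080004",
    "peap_appdata": "0x020700261900170301001bac20ee16475c5840e93722613a0e23156a7025d2aa5bfa24846b31",
}

if __name__ == "__main__":
    for name, hexval in SAMPLES.items():
        print(name, parse_eap_message(hexval))
```

The decoded application-data record (27 bytes of TLS 1.0 payload) is what rlm_eap_peap later reports as "PEAP tunnel data in"; everything the server learns about the password is inside that ciphertext, which is why rlm_ldap in the outer authorize section sees "no User-Password attribute".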


Compile freeradius + debian + rlm_eap_tls

2007-01-16 Thread Rafał Kamiński
Hello,

I have FreeRADIUS on Debian etch, but without rlm_eap_tls.

How can I compile the new freeradius-1.1.4 with rlm_eap_tls?

Sorry for the easy question, but I'm new to this.

BR,

Rafal Kaminski



Problem with Freeradius+LDAP+wifi

2007-01-15 Thread Rafał Kamiński
Hello,

I have this configuration:

- server with FreeRADIUS, connected to the internal system and the LDAP server
- Linksys WPA54G
- laptop with wifi
- PC with FreeBSD

When I test connections from the PC using radtest I am authenticated by the RADIUS and
LDAP server.

But when I want to use the laptop and wifi I see these FreeRADIUS logs:

- I see that the Linksys connects to the LDAP server through FreeRADIUS, but the user
(the same one that is authenticated on the PC) doesn't get authenticated :(

LOGS:

rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0,
length=119
User-Name = rka
NAS-IP-Address = 192.168.1.245
Called-Station-Id = 001217694588
Calling-Station-Id = 000d93ee9b55
NAS-Identifier = 001217694588
NAS-Port = 32
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020801726b61
Message-Authenticator = 0x31c848a6f4f552bd2024d49b5ffa79c4
Mon Jan 15 13:39:00 2007 : Debug:   Processing the authorize section of
radiusd.conf
Mon Jan 15 13:39:00 2007 : Debug: modcall: entering group authorize for
request 2
Mon Jan 15 13:39:00 2007 : Debug:   modsingle[authorize]: calling ldap
(rlm_ldap) for request 2
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: - authorize
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: performing user
authorization for rka
Mon Jan 15 13:39:00 2007 : Debug: radius_xlat:  '(uid=rka)'
Mon Jan 15 13:39:00 2007 : Debug: radius_xlat:  'ou=Users,dc=domain'
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: performing search in
ou=Users,dc=blstream, with filter (uid=rka)
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: looking for check items in
directory...
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: looking for reply items in
directory...
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: user rka authorized to use
remote access
Mon Jan 15 13:39:00 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Mon Jan 15 13:39:00 2007 : Debug:   modsingle[authorize]: returned from
ldap (rlm_ldap) for request 2
Mon Jan 15 13:39:00 2007 : Debug:   modcall[authorize]: module ldap
returns ok for request 2
Mon Jan 15 13:39:00 2007 : Debug: modcall: leaving group authorize
(returns ok) for request 2
Mon Jan 15 13:39:00 2007 : Debug: auth: No authenticate method
(Auth-Type) configuration found for the request: Rejecting the user
Mon Jan 15 13:39:00 2007 : Debug: auth: Failed to validate the user.
Mon Jan 15 13:39:00 2007 : Debug: Delaying request 2 for 1 seconds
Mon Jan 15 13:39:00 2007 : Debug: Finished request 2
Mon Jan 15 13:39:00 2007 : Debug: Going to the next request
Mon Jan 15 13:39:00 2007 : Debug: --- Walking the entire request list ---
Mon Jan 15 13:39:00 2007 : Debug: Waking up in 1 seconds...
Mon Jan 15 13:39:01 2007 : Debug: --- Walking the entire request list ---
Mon Jan 15 13:39:01 2007 : Debug: Waking up in 1 seconds...
Mon Jan 15 13:39:02 2007 : Debug: --- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.1.245 port 3072

I set in /etc/freeradius/clients.conf

client 192.168.1.245 {
        secret    = password
        shortname = ldap_test
}

Why doesn't LDAP want to authenticate me? And it is so strange, because when I use
the PC with the same user LDAP authenticates me.

BR,


-- 
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]


Problem with unprintable characters in the password

2006-12-11 Thread Rafał Kamiński

Hello,

I haven't touched my RADIUS server for 2 weeks, and now when I try to do a
radtest, it shows me Access-Reject and in the log:


Mon Dec 11 14:51:47 2006 : Debug:   Processing the authorize section  
of radiusd.conf
Mon Dec 11 14:51:47 2006 : Debug: modcall: entering group authorize  
for request 2
Mon Dec 11 14:51:47 2006 : Debug:   modsingle[authorize]: calling  
ldap (rlm_ldap) for request 2

Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: - authorize
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: performing user  
authorization for rka

Mon Dec 11 14:51:47 2006 : Debug: radius_xlat:  '(uid=rka)'
Mon Dec 11 14:51:47 2006 : Debug: radius_xlat:  'ou=users,dc=firm'
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: ldap_get_conn: Checking  
Id: 0

Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: performing search in  
ou=users,dc=firm, with filter (uid=rka)
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: looking for check items  
in directory...
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: looking for reply items  
in directory...

Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: Setting Auth-Type = ldap
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: user rka authorized to  
use remote access
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: ldap_release_conn:  
Release Id: 0
Mon Dec 11 14:51:47 2006 : Debug:   modsingle[authorize]: returned  
from ldap (rlm_ldap) for request 2
Mon Dec 11 14:51:47 2006 : Debug:   modcall[authorize]: module ldap  
returns ok for request 2
Mon Dec 11 14:51:47 2006 : Debug: modcall: leaving group authorize  
(returns ok) for request 2
Mon Dec 11 14:51:47 2006 : Debug:   rad_check_password:  Found Auth- 
Type ldap

Mon Dec 11 14:51:47 2006 : Debug: auth: type LDAP
Mon Dec 11 14:51:47 2006 : Debug:   Processing the authenticate  
section of radiusd.conf
Mon Dec 11 14:51:47 2006 : Debug: modcall: entering group LDAP for  
request 2
Mon Dec 11 14:51:47 2006 : Debug:   modsingle[authenticate]: calling  
ldap (rlm_ldap) for request 2

Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: - authenticate
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: login attempt by rka  
with password ?Pđ ,??č?ń/9?Â??
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: user DN:  
uid=rka,ou=Users,dc=firm
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: (re)connect to ldap:636,  
authentication 1

Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: setting TLS mode to 1
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: setting TLS CACert File  
to /etc/freeradius/cert/ca.pem
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: setting TLS Cert File to / 
etc/freeradius/cert/radius.crt
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: setting TLS Key File to / 
etc/freeradius/cert/radius.key
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: bind as  
uid=rka,ou=Users,dc=firm/?Pđ ,??č?ń/9?Â?? to ldap:636

Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: waiting for bind result ...
Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap: Bind failed with invalid  
credentials

Mon Dec 11 14:51:47 2006 : Debug: rlm_ldap:
Mon Dec 11 14:51:47 2006 : Debug:   modsingle[authenticate]: returned  
from ldap (rlm_ldap) for request 2
Mon Dec 11 14:51:47 2006 : Debug:   modcall[authenticate]: module  
ldap returns reject for request 2
Mon Dec 11 14:51:47 2006 : Debug: modcall: leaving group LDAP  
(returns reject) for request 2

Mon Dec 11 14:51:47 2006 : Debug: auth: Failed to validate the user.
Mon Dec 11 14:51:47 2006 : Debug:   WARNING: Unprintable characters  
in the password. ?  Double-check the shared secret on the server and  
the NAS!

Mon Dec 11 14:51:47 2006 : Debug: Delaying request 2 for 1 seconds
Mon Dec 11 14:51:47 2006 : Debug: Finished request 2
Mon Dec 11 14:51:47 2006 : Debug: Going to the next request
Mon Dec 11 14:51:47 2006 : Debug: --- Walking the entire request list  
---

Mon Dec 11 14:51:47 2006 : Debug: Waking up in 1 seconds...
Mon Dec 11 14:51:48 2006 : Debug: --- Walking the entire request list  
---

Mon Dec 11 14:51:48 2006 : Debug: Waking up in 1 seconds...
Mon Dec 11 14:51:49 2006 : Debug: --- Walking the entire request list  
---


The last time I ran those servers all was OK :( And now :( it's not :( Why?

I'm sure that my secret is good.

Can you help me?

BR Kamyk



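The warning at the end of that log is a heuristic, not a parse error: User-Password is not sent in the clear but XORed with MD5(secret + Request-Authenticator), chained block by block (RFC 2865 section 5.2). If the secret the server holds differs from the one the NAS used, the recovered value is random-looking bytes, which is why the server suggests double-checking the shared secret. The added example below is not from the original post or from FreeRADIUS; it implements the hide/unhide operation and shows a wrong secret producing unprintable output. The secrets and the Request Authenticator are constructed (a real authenticator must be 16 unpredictable random bytes); the password string is the one the radtest output on this page shows.

```python
import hashlib


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block);
    the first 'previous block' is the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], stream))
        hidden += block
        prev = block                               # CBC-like chaining over the hidden blocks
    return hidden


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, stream))
        prev = block
    return clear.rstrip(b"\x00")


def is_printable(data: bytes) -> bool:
    """The kind of check behind the 'Unprintable characters in the password' warning."""
    return all(0x20 <= b < 0x7F for b in data)


def demo(password: bytes = b"qazwsxedc", secret: bytes = b"password",
         wrong_secret: bytes = b"passw0rd", authenticator: bytes = bytes(range(16))) -> dict:
    """Hide with the NAS's secret, then unhide with the right secret and with a wrong one.
    The fixed authenticator is a constructed value for reproducibility only."""
    hidden = hide_user_password(password, secret, authenticator)
    good = unhide_user_password(hidden, secret, authenticator)
    bad = unhide_user_password(hidden, wrong_secret, authenticator)
    return {"hidden": hidden.hex(), "good": good, "bad": bad,
            "good_printable": is_printable(good), "bad_printable": is_printable(bad)}


if __name__ == "__main__":
    print(demo())
```

Two things follow from the construction. First, this is an MD5 keystream, not authenticated encryption: anyone who captures the packet and knows or guesses one user's password can brute-force the shared secret offline, so the secret needs real entropy. Second, the server recovers and, in debug mode, prints the cleartext, as the "login attempt by rka with password" line shows; that output belongs nowhere near a production log.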

FreeRadius + Ldap + TLS/SSL

2006-12-04 Thread Rafał Kamiński

Hello

I installed FreeRADIUS on a Debian Sarge machine. I have my users in LDAP
and I use that directory to authenticate them. It works. But when I want
to use TLS in the connection between RADIUS and LDAP, I get this error
in the RADIUS log.


rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/freeradius/cert/ca.crt
rlm_ldap: setting TLS CACert File to /etc/freeradius/cert/
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: setting TLS Cert File to /etc/freeradius/cert/radius.crt
rlm_ldap: setting TLS Key File to /etc/freeradius/cert/radius.key
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

When I saw that error, I checked the LDAP logs. My LDAP is configured with
SSL, not TLS. Now I have a problem configuring FreeRADIUS to work
with SSL LDAP, not TLS LDAP :(


I have in radiusd.conf:

server = ldap
port = 636
#port = 389
...
filter = (uid=%u)
base_filter = (objectclass=radiusprofile)
start_tls = no
# tls_cacertfile= /path/to/cacert.pem
tls_cacertfile = /etc/freeradius/cert/ca.crt
# tls_cacertdir = /path/to/ca/dir/

tls_cacertdir = /etc/freeradius/cert/
tls_cacertdir = /etc/freeradius/cert/
# tls_certfile  = /path/to/radius.crt
tls_certfile = /etc/freeradius/cert/radius.crt
# tls_keyfile   = /path/to/radius.key
tls_keyfile = /etc/freeradius/cert/radius.key
#tls_mode = yes

I read about SSL in FreeRADIUS and I thought that this config uses SSL
for connections to LDAP, but am I wrong?


Can somebody tell me how I can use SSL auth between LDAP and
FreeRADIUS?


BR. Kamyk




Re: RE : FreeRadius + Ldap + TLS/SSL

2006-12-04 Thread Rafał Kamiński

Thanks, it works.

But I have another question:

- In the FreeRADIUS log (freeradius -XXX -A) I see my password from the LDAP
server; how can I encrypt that password?


BR Kamyk


On Dec 4, 2006, at 1:57 PM, Thibault Le Meur wrote:





-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Rafał Kamiński
Sent: Monday, 4 December 2006 13:28
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius + Ldap + TLS/SSL


When I saw that error, I checked the LDAP logs. My LDAP is configured with
SSL, not TLS. Now I have a problem configuring FreeRADIUS to work
with SSL LDAP, not TLS LDAP :(

I have in radiusd.conf:

server = ldap
port = 636
#port = 389
...
filter = (uid=%u)
base_filter = (objectclass=radiusprofile)
start_tls = no


This last line is OK: it will ask not to try a Start-TLS connection.


# tls_cacertfile= /path/to/cacert.pem
tls_cacertfile = /etc/freeradius/cert/ca.crt
# tls_cacertdir = /path/to/ca/dir/

tls_cacertdir = /etc/freeradius/cert/
tls_cacertdir = /etc/freeradius/cert/


Why do you have both tls_cacertfile and tls_cacertdir ?



# tls_certfile  = /path/to/radius.crt
tls_certfile = /etc/freeradius/cert/radius.crt
# tls_keyfile   = /path/to/radius.key
tls_keyfile = /etc/freeradius/cert/radius.key


tls_certfile and tls_keyfile are used to make the radius server authenticate
itself to the ldap server.
This is not mandatory: if you're not willing to authenticate the radius
server to the ldap server, then you can omit these two lines.

However, if you are trying to authenticate the radius server to the ldap
server with certificates, then check that the CA that has signed the radius'
certificate is known by the ldap server.


#tls_mode = yes


Argh... I think you have to uncomment this line.

HTH,
Thibault







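The exchange above distinguishes the two ways rlm_ldap in FreeRADIUS 1.x can protect the directory connection: LDAP over TLS on port 636 (what this server was set up for, selected with tls_mode = yes and start_tls = no, the fix Thibault points at) and StartTLS on port 389 (start_tls = yes). The added fragment below is not from the original post; it puts the two side by side using the settings quoted in the thread, and adds the check the log above shows missing: "setting TLS Require Cert to never" means the LDAP server's certificate is never verified, so tls_require_cert is set to demand so that the CA file is actually used. The bind DN, bind password and example base DN are assumptions.

```conf
# rlm_ldap, FreeRADIUS 1.x syntax. Instance A: LDAP over TLS on port 636,
# the setup this thread ended with.
ldap {
        server      = ldap
        port        = 636
        identity    = cn=radius,ou=Users,dc=example,dc=com   # assumed bind DN
        password    = bind-secret                            # assumed; keep radiusd.conf mode 0600
        basedn      = ou=Users,dc=example,dc=com
        filter      = (uid=%u)
        base_filter = (objectclass=radiusprofile)

        start_tls = no          # no StartTLS upgrade: the socket is TLS from the first byte
        tls_mode  = yes         # LDAP over TLS on the port above (the line that was commented out)
        tls_cacertfile   = /etc/freeradius/cert/ca.crt
        tls_require_cert = demand   # verify the server certificate against ca.crt; "never" accepts anything
        # tls_certfile / tls_keyfile are only needed if the LDAP server must
        # authenticate the RADIUS server with a client certificate.
}

# Instance B: plain port with a StartTLS upgrade. Everything else as above.
ldap ldap_starttls {
        server      = ldap
        port        = 389
        identity    = cn=radius,ou=Users,dc=example,dc=com
        password    = bind-secret
        basedn      = ou=Users,dc=example,dc=com
        filter      = (uid=%u)
        base_filter = (objectclass=radiusprofile)

        start_tls = yes         # connect in the clear, then upgrade with the StartTLS extended operation
        tls_mode  = no
        tls_cacertfile   = /etc/freeradius/cert/ca.crt
        tls_require_cert = demand
}
```

Whichever variant is used, the point of the CA file is lost unless tls_require_cert is demand (or hard): with never, a host on the path can present any certificate and read the bind credentials and every user password the server sends for authentication.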