Re: Problem in freeradius 2.1.10, ldap and huntgroups

2013-08-14 Thread Ville Leinonen

Hi,

Any news on this problem?

Br,

Ville

On 5.8.2013 19:08, vi...@leinonen.org wrote:

Here:

rad_recv: Access-Request packet from host 172.150.0.62 port 25196, id=194,
length=63
 User-Name = "testu...@.fi"
 User-Password = "testpass"
 NAS-IP-Address = 172.150.0.62
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/172.150.0.62/auth-detail-20130805
[auth_log]  expand: %t -> Mon Aug  5 19:03:20 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm ".fi" for User-Name = "testu...@.fi"
[suffix] No such realm ".fi"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
   [ldap] Entering ldap_groupcmp()
[files] expand: dc=demonet,dc=local -> dc=demonet,dc=local
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> testu...@.fi
[files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testu...@.fi)
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=demonet,dc=local, with filter
(uid=testu...@.fi)
   [ldap] ldap_release_conn: Release Id: 0
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
-> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=demonet,dc=local, with filter
(&(cn=)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in cn=Tauno
Testaaja,ou=,ou=Customers,dc=demonet,dc=local, with filter
(objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group 
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] Entering ldap_groupcmp()
[files] expand: dc=demonet,dc=local -> dc=demonet,dc=local
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
-> (|(&(objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=demonet,dc=local, with filter
(&(cn=disabled)(|(&(objectClass=GroupOfNames)(member=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dTauno
Testaaja\2cou\3d\2cou\3dCustomers\2cdc\3ddemonet\2cdc\3dlocal
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in cn=Tauno
Testaaja,ou=,ou=Customers,dc=demonet,dc=local, with filter
(objectclass=*)
rlm_ldap::groupcmp: Group disabled not found or user not a member
   [ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for testu...@.fi
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> testu...@.fi
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=testu...@.fi)
[ldap]  expand: dc=demonet,dc=local -> dc=demonet,dc=local
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=demonet,dc=local, with filter
(uid=testu...@.fi)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
   [ldap] userPassword -> Password-With-Header ==
"{SSHA}g5PDm9CrOOQu+XjbMGHTPnY43mifXND0"
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
[ldap] user testu...@.fi authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns
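The debug output above shows how rlm_ldap assembles the group-membership filter: the user's DN from %{control:Ldap-UserDn} is escaped before it is dropped into the filter (the DN's "=" and "," appear as "\3d" and "\2c"), and the first ldap_groupcmp() call runs with an empty group name, so the search filter becomes "(&(cn=)...)". The Python below is an added example, not FreeRADIUS code, that reproduces that filter construction. The escape set (RFC 4515 filter metacharacters plus the RFC 4514 DN specials and a leading space or "#") is an assumption chosen to match the escaping visible in this log, and ldap_escape(), membership_filter() and group_check_filter() are hypothetical names.

```python
# Added example (not FreeRADIUS code): how the Ldap-Group membership filter in the
# debug output above is built, and why the user DN's '=' and ',' come out as \3d and \2c.

# Characters that get hex-escaped as "\xx". Assumption: the union of RFC 4515 filter
# metacharacters (* ( ) \ NUL) and RFC 4514 DN specials (, + " \ < > ; =) reproduces
# the escaping seen in the log; FreeRADIUS's own table may differ in detail.
_UNSAFE = set(',+"\\<>;*=()\x00')
_UNSAFE_LEADING = set(" #")


def ldap_escape(value: str) -> str:
    """Escape a value before it is interpolated into an LDAP search filter."""
    out = []
    for i, ch in enumerate(value):
        if ch in _UNSAFE or (i == 0 and ch in _UNSAFE_LEADING):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def membership_filter(user_dn: str) -> str:
    """The %{control:Ldap-UserDn} expansion from the log: groupOfNames or
    groupOfUniqueNames entries that list this DN as a member."""
    dn = ldap_escape(user_dn)
    return ("(|(&(objectClass=GroupOfNames)(member=%s))"
            "(&(objectClass=GroupOfUniqueNames)(uniquemember=%s)))" % (dn, dn))


def group_check_filter(group_name: str, user_dn: str) -> str:
    """Filter for an Ldap-Group == "name" check: (cn=<group>) AND-ed with the
    membership filter. An empty group name is rejected here instead of producing
    the (cn=) search visible in the first ldap_groupcmp() call above."""
    if not group_name:
        raise ValueError("Ldap-Group check with an empty group name")
    return "(&(cn=%s)%s)" % (ldap_escape(group_name), membership_filter(user_dn))


if __name__ == "__main__":
    # DN taken from the log above.
    dn = "cn=Tauno Testaaja,ou=,ou=Customers,dc=demonet,dc=local"
    print(group_check_filter("disabled", dn))
    # A hostile group name or DN cannot close the filter and widen the search.
    print(ldap_escape("disabled)(cn=*"))
```

Escaping every value that goes into a filter is also what keeps a User-Name such as "*)(uid=*" from widening the search; group_check_filter() additionally refuses an empty group name instead of searching for (cn=) as the log above does.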

Radius proxy and attribute class 25

2009-10-06 Thread Ville Leinonen
Hi all,

I have set up an FR (2.1.6) proxy against MS NPS. It works fine,
and even challenge-response works great. But now
I have one problem: NPS sends attribute 25 (Class) back to
the FR server and it seems that FR breaks that or doesn't
accept that Class attribute. When Class should be e.g.
OU=Test_users, FR says something like ?=xxx?Xx++xXX
(in clear text). Any suggestions?

Br,

Ville
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR 2.1.0 (ubuntu) proxying to NPS/IAS.

2009-08-31 Thread Ville Leinonen
Hi,

I just compiled 2.1.6 from source and it started to work.
Thanks to everyone who tried to help me.

Br,

Ville

> Hi,
>> Hi,
>>
>> I'm trying to use FR to forward Access-Requests to NPS servers, but for some
>> reason FR/NPS gives a "User password is incorrect" message. I have triple
>> checked that the password is correct. When I test an IAS to NPS proxy it works.
>> I have enabled the MS-CHAP-v2, MS-CHAP, CHAP and PAP/SPAP methods on the NPS side.
>
> this is usually symptomatic of an incorrect shared secret being entered at
> one end of the RADIUS link
>
> alan
>



Re: FR 2.1.0 (ubuntu) proxying to NPS/IAS.

2009-08-30 Thread Ville Leinonen
Hi,

I have also changed the shared secrets and it's not helping.

Br,

Ville

> Ville Leinonen wrote:
>> I'm trying to use FR to forward Access-Requests to NPS servers, but for some
>> reason FR/NPS gives a "User password is incorrect" message. I have triple
>> checked that the password is correct. When I test an IAS to NPS proxy it works.
>> I have enabled the MS-CHAP-v2, MS-CHAP, CHAP and PAP/SPAP methods on the NPS side.
>>
>>
>> Any clue what is wrong? Here is some logs:
>
>   The shared secret is wrong.  Fix it.
>
>> rad_recv: Access-Request packet from host 192.168.21.150 port 1025,
>> id=57,
>> length=154
>> User-Name = "vle"
>> User-Password = "\2063\261m\301\344J\216sCÑ \035\003\2328"
>
>   This is NOT the users password.  Fix the shared secrets on the NAS and
> on FreeRADIUS so that they match.
>
>   Alan DeKok.
>





FR 2.1.0 (ubuntu) proxying to NPS/IAS.

2009-08-30 Thread Ville Leinonen
Hi,

I'm trying to use FR to forward Access-Requests to NPS servers, but for some
reason FR/NPS gives a "User password is incorrect" message. I have triple
checked that the password is correct. When I test an IAS to NPS proxy it works.
I have enabled the MS-CHAP-v2, MS-CHAP, CHAP and PAP/SPAP methods on the NPS side.


Any clue what is wrong? Here is some logs:

rad_recv: Access-Request packet from host 192.168.21.150 port 1025, id=57,
length=154
User-Name = "vle"
User-Password = "\2063\261m\301\344J\216sCÑ \035\003\2328"
NAS-Port = 626688
Called-Station-Id = "192.168.21.150"
Calling-Station-Id = "192.168.1.114"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "192.168.1.114"
NAS-IP-Address = 192.168.21.150
Cisco-AVPair = "ip:source-ip=192.168.1.114"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "vle", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "vle"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user vle to realm NULL
[suffix] Preparing to proxy authentication request to realm "NULL"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
+- entering group pre-proxy {...}
++[files] returns noop
Sending Access-Request of id 118 to 192.168.21.200 port 1812
User-Name = "vle"
User-Password = "\2063\261m\301\344J\216sCÑ \035\003\2328"
NAS-Port = 626688
Called-Station-Id = "192.168.21.150"
Calling-Station-Id = "192.168.1.114"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "192.168.1.114"
NAS-IP-Address = 192.168.21.150
Cisco-AVPair = "ip:source-ip=192.168.1.114"
Proxy-State = 0x3537
Proxying request 0 to home server 192.168.21.200 port 1812
Sending Access-Request of id 118 to 192.168.21.200 port 1812
User-Name = "vle"
User-Password = "\2063\261m\301\344J\216sCÑ \035\003\2328"
NAS-Port = 626688
Called-Station-Id = "192.168.21.150"
Calling-Station-Id = "192.168.1.114"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "192.168.1.114"
NAS-IP-Address = 192.168.21.150
Cisco-AVPair = "ip:source-ip=192.168.1.114"
Proxy-State = 0x3537
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Reject packet from host 192.168.21.200 port 1812, id=118,
length=52
Proxy-State = 0x3537
Reply-Message = "User password is incorrect"

Br,

Ville
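The Class thread above and this shared-secret thread both come down to how RADIUS attributes are encoded on the wire. Class (attribute 25) is an opaque octet string (RFC 2865 section 5.25) that the NAS is expected to echo back unchanged in accounting, so anything that prints it as text shows junk. User-Password is hidden rather than encrypted: each 16-byte block is XORed with MD5(shared secret || previous block), starting from the Request Authenticator (RFC 2865 section 5.2). A proxy holding the wrong secret for the NAS unhides the field into 16 bytes of junk, re-hides that junk with the home server's secret, and the home server rejects it with "User password is incorrect", which is what the log above shows. The Python below is an added example, not FreeRADIUS or NPS code; the secrets, Request Authenticator, password and Class bytes are constructed, and the function names are hypothetical.

```python
# Added example (not FreeRADIUS or NPS code): RFC 2865 attribute TLVs, User-Password
# hiding, and what a shared-secret mismatch at a proxy does to the password.
import hashlib

# Attribute type numbers from RFC 2865.
USER_NAME = 1
USER_PASSWORD = 2
CLASS = 25          # opaque octets; the NAS must echo it back unchanged


def _keystream(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16 bytes, then c_i = p_i XOR MD5(S || c_(i-1))
    with c_0 = Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password(); returns the still-padded bytes. With the wrong secret
    the keystream is wrong and the result is pseudo-random junk, not an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return out


def encode_avps(avps) -> bytes:
    """Type(1) Length(1) Value; the length byte covers the two header bytes."""
    out = b""
    for attr_type, value in avps:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def decode_avps(data: bytes):
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def render(attr_type: int, value: bytes, secret: bytes, authenticator: bytes) -> str:
    """Debug-style rendering: Class is shown as hex because it is opaque; User-Password
    is unhidden; anything else is shown as text with unprintable bytes escaped."""
    if attr_type == CLASS:
        return "0x" + value.hex()
    if attr_type == USER_PASSWORD:
        value = unhide_password(value, secret, authenticator).rstrip(b"\x00")
    return value.decode("ascii", "backslashreplace")


def proxy_demo() -> dict:
    """Constructed scenario: the NAS hides the password with nas_secret, the proxy is
    configured with a different secret, unhides junk and re-hides it for the home
    server, which then sees the same junk. The Request Authenticator is reused for
    the forwarded packet to keep the example short."""
    nas_secret = b"nas-secret-1"          # constructed
    proxy_secret = b"nas-secret-2"        # constructed: off by one character
    home_secret = b"home-secret"          # constructed: proxy <-> home server secret
    req_auth = bytes(range(16))           # constructed Request Authenticator
    wire = encode_avps([
        (USER_NAME, b"vle"),
        (USER_PASSWORD, hide_password(b"correct horse", nas_secret, req_auth)),
        (CLASS, bytes.fromhex("0102ff00") + b"OU=Test_users"),  # constructed blob
    ])
    avps = dict(decode_avps(wire))
    junk = unhide_password(avps[USER_PASSWORD], proxy_secret, req_auth)
    forwarded = hide_password(junk, home_secret, req_auth)
    return {
        "right_secret": unhide_password(avps[USER_PASSWORD], nas_secret, req_auth),
        "wrong_secret": junk,
        "home_server_sees": unhide_password(forwarded, home_secret, req_auth),
        "class_rendered": render(CLASS, avps[CLASS], home_secret, req_auth),
    }
```

The Access-Request at the start of this thread carries no Message-Authenticator, and a plain PAP request gives the server nothing to check the secret against: the only symptom of a mismatch is the garbage password. A wrong secret is caught outright only when Message-Authenticator (RFC 2869) is present, or on the NAS side when the reply's Response Authenticator fails to verify.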


Freeradius proxy and usename modifications.

2009-08-23 Thread Ville Leinonen
Hi,

I need to modify the username before sending access-request/challenge-response
messages to my SMS server. My need is to modify usern...@domain.com to
domain-username. Can someone help me with how to do this? I can do the regex,
but I don't know how to configure proxy.conf to do this.

Br,

Ville


RE: Freeradius 2.1.5 and Solaris gmake install problem. (Solved)

2009-04-22 Thread Ville Leinonen
Hi,

I tried "gmake clean" and tried again. Now everything went fine.
Maybe the Moon is moving to a new position again :)

Br,

Ville


-Original Message-
From: freeradius-users-bounces+ville.leinonen=solodel@lists.freeradius.org 
on behalf of Alan DeKok
Sent: Mon 20/04/2009 14:42
To: FreeRadius users mailing list
Subject: Re: Freeradius 2.1.5 and Solaris gmake install problem.
 
Ville Leinonen wrote:
> Yes, I ran "gmake" before "gmake install" and it went fine.

It works for me on the Solaris Sparc / x86 boxes I have
access to.

  Alan DeKok.

RE: Freeradius 2.1.5 and Solaris gmake install problem.

2009-04-20 Thread Ville Leinonen
Hi,

Yes, I ran "gmake" before "gmake install" and it went fine.

Br,

Ville

-Original Message-
From: freeradius-users-bounces+ville.leinonen=solodel@lists.freeradius.org 
on behalf of Alan DeKok
Sent: Mon 20/04/2009 14:11
To: FreeRadius users mailing list
Subject: Re: Freeradius 2.1.5 and Solaris gmake install problem.
 
Ville Leinonen wrote:
> I'm trying to install FR on my Solaris 10 (SPARC) box.
> Now I run gmake install and get this error:

  Did you follow the instructions to type "make", before "make install"?

  Alan DeKok.

Freeradius 2.1.5 and Solaris gmake install problem.

2009-04-20 Thread Ville Leinonen

Hi,

I'm trying to install FR on my Solaris 10 (SPARC) box.
Now I run gmake install and get this error:

Making install in rlm_acct_unique...
gmake[6]: Entering directory 
`/home/ta/freeradius-server-2.1.4/src/modules/rlm_acct_unique'
if [ "xrlm_acct_unique" != "x" ]; then \
/home/ta/freeradius-server-2.1.4/libtool --mode=install 
/home/ta/freeradius-server-2.1.4/install-sh -c -c \
rlm_acct_unique.la /usr/local/lib/rlm_acct_unique.la || exit $?; \
rm -f /usr/local/lib/rlm_acct_unique-2.1.5.la; \
ln -s rlm_acct_unique.la /usr/local/lib/rlm_acct_unique-2.1.5.la || exit 
$?; \
fi
libtool: install: warning: relinking `rlm_acct_unique.la'
(cd /home/ta/freeradius-server-2.1.4/src/modules/rlm_acct_unique; /bin/bash 
/home/ta/freeradius-server-2.1.4/libtool  --mode=relink gcc -release 2.1.5 
-module -export-dynamic -o rlm_acct_unique.la -rpath /usr/local/lib 
rlm_acct_unique.lo rlm_acct_unique.c 
/home/ta/freeradius-server-2.1.4/src/lib/libfreeradius-radius.la -lnsl -lresolv 
-lsocket -lposix4 -lpthread )
mv: cannot access rlm_acct_unique-2.1.5.so
libtool: install: error: relink `rlm_acct_unique.la' with the above command 
before installing it
gmake[6]: *** [install] Error 1
gmake[6]: Leaving directory 
`/home/ta/freeradius-server-2.1.4/src/modules/rlm_acct_unique'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/home/ta/freeradius-server-2.1.4/src/modules'
gmake[4]: *** [install] Error 2
gmake[4]: Leaving directory `/home/ta/freeradius-server-2.1.4/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/home/ta/freeradius-server-2.1.4/src'
gmake[2]: *** [install] Error 2
gmake[2]: Leaving directory `/home/ta/freeradius-server-2.1.4/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/home/ta/freeradius-server-2.1.4'
gmake: *** [install] Error 2

Any suggestions?

Br,

Ville

RE: Problems in redundant ldap and authorization.

2009-04-06 Thread Ville Leinonen
Hi,

I'm trying to stop the authorization process if the user is not found in LDAP.
If it's found then EAP-TLS is allowed.

Br,

Ville


-Original Message-
From: freeradius-users-bounces+ville.leinonen=solodel@lists.freeradius.org 
on behalf of Alan DeKok
Sent: Mon 06/04/2009 14:45
To: FreeRadius users mailing list
Subject: Re: Problems in redundant ldap and authorization.
 
Ville Leinonen wrote:
> I have a little problem in my radius configuration in my
> redundant ldap section; radius version is 2.1.5.
> 
> redundant {
>ldap-srv1
>ldap-srv2
>notfound = reject
> }

  That is not the correct format.  It does not follow any of the
examples or documentation.

> Any suggestion what is wrong in my configuration?

  What are you trying to do?

  Alan DeKok.

Problems in redundant ldap and authorization.

2009-04-06 Thread Ville Leinonen
Hi,

I have a little problem in my radius configuration in my
redundant ldap section; radius version is 2.1.5.

redundant {
   ldap-srv1
   ldap-srv2
   notfound = reject
}

Gives this error message:
/usr/local/etc/raddb/sites-enabled/default[167]: Entry with no value is invalid
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize 
section.

Any suggestion as to what is wrong in my configuration?

If I use an individual configuration, e.g.

ldap-srv1{
   notfound = reject
}

Then it works.

Br,

Ville

RE: RE: Chap authentication against LDAP

2009-04-05 Thread Ville Leinonen
Hi,

Thank you for this reply. Well, then I'll do some scripting, pull the
user info out of LDAP and export it to my radsrv.

Br,

Ville


-Original Message-
From: 
freeradius-users-bounces+ville.leinonen=solodel@lists.freeradius.org 
on behalf of Alan DeKok
Sent: Sun 5.4.2009 16:16
To: FreeRadius users mailing list
Subject: Re: RE: Chap authentication against LDAP
 
Ville Leinonen wrote:
> So I cannot do this using FreeRADIUS, but I can make it work
> using IAS (see link)?

  No.  You seemed to have misunderstood my response.  Let me say it a
different way:

  LDAP servers cannot do CHAP authentication.

  Why?

  Because LDAP servers are *DATABASES*.

  LDAP servers are not *authentication* servers.

  FreeRADIUS is an *AUTHENTICATION* server.

  Configure FreeRADIUS so that it pulls the clear-text password from
LDAP.  FreeRADIUS will then do CHAP authentication.

  If you don't have a clear-text password in LDAP, then doing CHAP
authentication is impossible.  It is impossible with FreeRADIUS, IAS,
Cisco ACS, Juniper SBR, Radiator, and also with every other RADIUS
server on the planet.

  And go read my web page:

http://deployingradius.com/documents/protocols/compatibility.html

  Alan DeKok.

RE: Chap authentication against LDAP

2009-04-05 Thread Ville Leinonen
Hi,

So I cannot do this using FreeRADIUS, but I can make it work
using IAS (see link)?

http://h40060.www4.hp.com/procurve/includes/application-notes/index.php?cc=uk&lc=en&content=ans2-en

Br,

Ville

-Original Message-
From: 
freeradius-users-bounces+ville.leinonen=solodel@lists.freeradius.org 
on behalf of Alan DeKok
Sent: Fri 3.4.2009 16:10
To: FreeRadius users mailing list
Subject: Re: Chap authentication against LDAP
 
Ville Leinonen wrote:
> Does Freeradius 2.1.5 support chap authentication against ldap?

  No RADIUS server supports this.  It's impossible.

  Instead, have FreeRADIUS pull the clear-text password from LDAP.
FreeRADIUS can then do CHAP.

  If you don't have a clear-text password in LDAP, it's impossible.

  Alan DeKok.

Chap authentication against LDAP

2009-04-03 Thread Ville Leinonen

Hi,

Does Freeradius 2.1.5 support chap authentication against ldap?

If I try it, here are the messages I get:

Found Auth-Type = CHAP
+- entering group CHAP {...}
rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use 
"CHAP-Password".
++[ldap] returns invalid
Failed to authenticate the user.


Br,

Ville
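Alan's point in code: a CHAP-Password is ident || MD5(ident || cleartext password || challenge) (RFC 1994 section 4.1, carried in RADIUS per RFC 2865 section 5.3), so the only way a server can check it is to recompute the MD5 from the cleartext. A salted hash such as the {SSHA} userPassword shown in the LDAP debug output at the top of this page (its 32 base64 characters decode to a 20-byte SHA-1 digest plus a 4-byte salt) is enough for PAP, where the cleartext arrives in User-Password and can be re-hashed with the stored salt, but gives CHAP nothing to work with. The Python below is an added example, not FreeRADIUS code; the password, salt, CHAP ident and challenge are constructed and the function names are hypothetical.

```python
# Added example (not FreeRADIUS code): why CHAP needs the cleartext password while
# PAP can be checked against a salted {SSHA} hash.
import base64
import hashlib
import hmac


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 s4.1 as carried in RADIUS (RFC 2865 s5.3): MD5(ident || password ||
    challenge). The challenge is CHAP-Challenge if sent, else the Request Authenticator."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(chap_password_attr: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Server-side check. It can only recompute the response from the cleartext;
    there is no way to derive MD5(ident || password || challenge) from a stored hash."""
    if len(chap_password_attr) != 17:
        raise ValueError("CHAP-Password is 1 ident byte + 16 hash bytes")
    ident, response = chap_password_attr[0], chap_password_attr[1:]
    return hmac.compare_digest(response, chap_response(ident, cleartext, challenge))


def ssha_hash(password: bytes, salt: bytes) -> str:
    """OpenLDAP-style {SSHA}: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap_ssha(submitted: bytes, stored: str) -> bool:
    """PAP check against a {SSHA} userPassword: the cleartext arrives in User-Password,
    so the server re-hashes it with the salt recovered from the stored value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(submitted + salt).digest())


def demo() -> dict:
    password = b"testpass"                                 # constructed
    stored = ssha_hash(password, b"\x01\x02\x03\x04")      # constructed 4-byte salt
    ident, challenge = 0x33, bytes(range(16, 32))          # constructed
    attr = bytes([ident]) + chap_response(ident, password, challenge)
    return {
        "pap_ok": verify_pap_ssha(password, stored),
        "pap_bad": verify_pap_ssha(b"wrong", stored),
        "chap_ok_with_cleartext": verify_chap(attr, challenge, password),
        "chap_bad": verify_chap(attr, challenge, b"wrong"),
        # The only thing the directory holds is `stored`; verify_chap() cannot take it.
    }
```

verify_chap() has to be handed the cleartext and there is no variant that accepts the {SSHA} string; that is the whole compatibility problem behind the rlm_ldap message in this thread. A deployment that wants CHAP has to keep cleartext passwords in the directory (MS-CHAP can alternatively work from stored NT hashes), and a directory that holds only salted hashes limits RADIUS to PAP or to EAP methods that do not need the password itself, such as EAP-TLS.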

RE: Freeradius 2.1.5 and LDAP+EAP-TLS problem.

2009-03-30 Thread Ville Leinonen
Hi,

Never mind, I figured out my problem. I added this line to my configuration:

ldap {
   notfound = reject
}

So if the user is not in my LDAP, then it's rejected.

Br,

Ville


-Original Message-
From: freeradius-users-bounces+ville.leinonen=solodel@lists.freeradius.org 
on behalf of Ville Leinonen
Sent: Mon 30/03/2009 14:36
To: freeradius-users@lists.freeradius.org
Subject: Re: Freeradius 2.1.5 and LDAP+EAP-TLS problem.
 
Hi,

Maybe I didn't start this post clearly, so I'll try to explain again what I want to do.

I have computer certificates. 
I also have OpenLDAP and that LDAP includes my computer accounts.

Now I want to use those certificates to authenticate
computers and get authorization information from my LDAP. If
computers don't have an account in my LDAP, they are rejected.

But if I put only ldap in my authorization section, radius gives:

"No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user"

If I also put eap in the authorization section, radius uses eap
for authorization and gives Access-Accept, even if the user is not found
in LDAP.

Br,

Ville


>Here is some other logs if i use only ldap for authorize section:
>

>You have butchered the configuration and now you are wondering why it's
>not working? If you don't know what you are doing - don't do it. If
>you feel the urge to disable something (disabling unused modules is
>hardly going to make any impact on performance) get things working first
>- then remove things you feel you must one by one. If you remove
>something vital you will know what it was and will be able to put it
>back.

>Use default configuration. Configure *only* ldap module. Don't make
>*any* changes to virtual servers (authorize, authenticate etc.). And it
>will work.

>Ivan Kalik
>Kalik Informatika ISP



Re: Freeradius 2.1.5 and LDAP+EAP-TLS problem.

2009-03-30 Thread Ville Leinonen
Hi,

Maybe I didn't start this post clearly, so I'll try to explain again what I want to do.

I have computer certificates. 
I also have OpenLDAP and that LDAP includes my computer accounts.

Now I want to use those certificates to authenticate
computers and get authorization information from my LDAP. If
computers don't have an account in my LDAP, they are rejected.

But if I put only ldap in my authorization section, radius gives:

"No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user"

If I also put eap in the authorization section, radius uses eap
for authorization and gives Access-Accept, even if the user is not found
in LDAP.

Br,

Ville


>Here is some other logs if i use only ldap for authorize section:
>

>You have butchered the configuration and now you are wondering why it's
>not working? If you don't know what you are doing - don't do it. If
>you feel the urge to disable something (disabling unused modules is
>hardly going to make any impact on performance) get things working first
>- then remove things you feel you must one by one. If you remove
>something vital you will know what it was and will be able to put it
>back.

>Use default configuration. Configure *only* ldap module. Don't make
>*any* changes to virtual servers (authorize, authenticate etc.). And it
>will work.

>Ivan Kalik
>Kalik Informatika ISP


Re: Freeradius 2.1.5 and LDAP+EAP-TLS problem.

2009-03-30 Thread Ville Leinonen
Hi,

I read that, but what if the user is not found in LDAP? Radius seems to need
some Auth-Type. How can I force an Auth-Type using LDAP?

My radius gives this message -> "No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user"

Here are some other logs if I use only ldap in the authorize section:

rad_recv: Access-Request packet from host 10.10.1.100 port 1024, id=198, 
length=224
Framed-MTU = 1466
NAS-IP-Address = 10.10.1.100
NAS-Identifier = "8021x"
User-Name = "lnx01.demo.local"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 37
NAS-Port-Type = Ethernet
NAS-Port-Id = "37"
Called-Station-Id = "00-16-b9-55-48-c0"
Calling-Station-Id = "00-e0-00-1c-1e-c1"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
EAP-Message = 0x02330016017375736530312e64656d6f2e6c6f63616c
Message-Authenticator = 0x5c313918e00d0d385d435e3194c284ed
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "lnx01.demo.local", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry DEFAULT at line 190
++[files] returns ok
[ldap] performing user authorization for lnx01.demo.local
[ldap]  expand: (cn=%u) -> (cn=lnx01.demo.local)
[ldap]  expand: ou=8021x,dc=demo,dc=local -> ou=8021x,dc=demo,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.10.101.31:389, authentication 0
rlm_ldap: setting TLS CACert Directory to /path/to/ca/dir/
rlm_ldap: bind as cn=Directory Manager/ to 10.10.101.31:389
rlm_ldap: waiting for bind result ...
request done: ld 0x9ba2480 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=8021x,dc=demo,dc=local, with filter 
(cn=lnx01.demo.local)
request done: ld 0x9ba2480 msgid 2
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the 
user is configured correctly?
[ldap] user suse01.demo.local authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.
Login incorrect: [suse01.demo.local/] (from client 
8021x port 37 cli 00-e0-00-1c-1e-c1)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> suse01.demo.local
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 198 to 10.10.1.100 port 1024
Waking up in 4.9 seconds.
Cleaning up request 0 ID 198 with timestamp +6
Ready to process requests.

Br,

Ville

>We have OpenLDAP which includes our machine accounts. We
>also have computer certificates. Now what I want is that FreeRADIUS
>checks authorization against LDAP and authenticates against the certificates.
>
>I have tested putting ldap in the authorization section and eap in the authentication
>section, but this won't work. I have also tested putting both ldap and eap in the
>authorization section, but ldap won't return reject if the user is not found.
>
>Is there any method to return reject from the authorization section if the user is not
>found in LDAP and stop processing there? Or is there any other method to do 
>this?
>

>Read doc/rlm_ldap about access_attr.

>Ivan Kalik
>Kalik Informatika ISP

Freeradius 2.1.5 and LDAP+EAP-TLS problem.

2009-03-29 Thread Ville Leinonen

Hi,

We have OpenLDAP which includes our machine accounts. We
also have computer certificates. Now what I want is that FreeRADIUS
checks authorization against LDAP and authenticates against the certificates.

I have tested putting ldap in the authorization section and eap in the authentication
section, but this won't work. I have also tested putting both ldap and eap in the
authorization section, but ldap won't return reject if the user is not found.

Is there any method to return reject from the authorization section if the user is not
found in LDAP and stop processing there? Or is there any other method to do 
this?

We also have printers, which use 802.1x MAC auth.

Br,

Ville Leinonen

HP Procurve 5300XL and Privilege Levels

2004-10-29 Thread Ville Leinonen
Hi all,

Does anyone have some information on how I handle
privilege levels on 5300xl's with FreeRADIUS?

I'd like to make an account which has privilege level 14 access (Operator RO)
and a couple with level 15 access (Manager RW).

I got AAA working, but I don't know how I must do that level
thing in users.conf.

Best regards,

Ville Leinonen




Re: Freeradius snapshot20040309 and wpa+nt-domain auth.

2004-03-16 Thread Ville Leinonen
Hi!

Thank you for your answer. Sadly, I must then buy some commercial radius
server which can do that.

- Ville

> "Ville Leinonen" <[EMAIL PROTECTED]> wrote:
>> I need to build an environment that authenticates to a w2k domain controller.
>>
>> Can somebody give me a "dumbass" example of how to configure this kind of
>> environment?
>
>   The short answer is that it's not possible right now.  The wireless
> authentication uses MS-CHAP, and the server can't do MS-CHAP to an NT
> domain controller.
>
>   Alan DeKok.
>




Freeradius snapshot20040309 and wpa+nt-domain auth.

2004-03-15 Thread Ville Leinonen
Hi all!

Background:
I have a Windows XP laptop with WLAN and a w2k domain controller. I have successfully
got WPA/TKIP authentication working with username/password and certificates. But
I need to build an environment that authenticates to the w2k domain controller.

Can somebody give me a "dumbass" example of how to configure this kind of
environment?


Best regards,

Name: Ville Leinonen
E-mail: [EMAIL PROTECTED]
