Re: LDAP + TTLS PAP
Ivan Kalik wrote:
>
>> Here is all my debug.
>
> Enable ldap in inner-tunnel virtual server as well.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Thanks for your help Ivan. Now everything looks fine.

--
View this message in context: http://www.nabble.com/LDAP-%2B-TTLS-PAP-tp24498710p24500243.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP + TTLS PAP
Ivan Kalik wrote:
>
>> You have deleted the interesting part of the debug.
>
>> Ivan Kalik
>> Kalik Informatika ISP
>

Sorry. Here is all my debug.

Ready to process requests.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=2, length=163
        User-Name = "user"
        Calling-Station-Id = "00-24-2C-83-AA-92"
        Called-Station-Id = "00-21-A1-9E-F9-30:testGDL"
        NAS-Port = 1
        NAS-IP-Address = 10.14.56.33
        NAS-Identifier = "test-gdl-wlc"
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020800090175736572
        Message-Authenticator = 0xb86c778d5e5cbb982425e05ea5b4b6e8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for user
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap]  expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=user)
[ldap]  expand: ou=Wireless,dc=local,dc=test,dc=com -> ou=Wireless,dc=local,dc=test,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=local,dc=test,dc=com, with filter (cn=user)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: userPassword -> Cleartext-Password == "Newuser01"
[ldap] looking for reply items in directory...
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 2 to 10.14.56.33 port 32768
        EAP-Message = 0x010900160410a1a022fc9a0dfa06c749cc18033a2a4a
        Message-Authenticator = 0x
        State = 0xeb2a1c90eb2318c7f00b52ffc2a1bc44
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=2, length=163
Sending duplicate reply to client 10.14.56.33 port 32768 - ID: 2
Sending Access-Challenge of id 2 to 10.14.56.33 port 32768
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=2, length=163
Sending duplicate reply to client 10.14.56.33 port 32768 - ID: 2
Sending Access-Challenge of id 2 to 10.14.56.33 port 32768
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=3, length=178
        User-Name = "user"
        Calling-Station-Id = "00-24-2C-83-AA-92"
        Called-Station-Id = "00-21-A1-9E-F9-30:testGDL"
        NAS-Port = 1
        NAS-IP-Address = 10.14.56.33
        NAS-Identifier = "test-gdl-wlc"
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020900060315
        State = 0xeb2a1c90eb2318c7f00b52ffc2a1bc44
        Message-Authenticator = 0xbe3af8eada8201dbfd51322d12e53c40
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for user
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap]  expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=user)
[ldap]  expand: ou=Wireless,dc=local,dc=test,dc=com -> ou=Wireless,dc=local,dc=test,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=local,dc=test,dc=com, with filter (cn=user)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: userPassword -> Cleartext-Password == "Newuser01"
[ldap] looking for reply items in directory...
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EA
LDAP + TTLS PAP
Hi. I've been trying to set up freeradius with LDAP + TTLS PAP. I use the default radius, eap and users files configuration; I configured my modules/ldap file to connect to my ldap, the sites-available/default file to authorize ldap, and ldap.attrmap to check Cleartext-Password against userPassword.

Everything seems normal: when I test it with

        radtest user pass 10.14.56.26 0 secret

the user is accepted. But when I try from my XP client the debug shows this:

+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}

Here is the authorize section of my sites-available/default:

authorize {
        preprocess
        chap
        mschap
        eap {
                ok = return
        }
        unix
        files
        ldap
        expiration
        logintime
        pap
}

Any ideas? Thanks.

--
View this message in context: http://www.nabble.com/LDAP-%2B-TTLS-PAP-tp24498710p24498710.html
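Alan's advice further down on this page (look for "reject", "fail" or "error" in the debug output) is what resolved both threads here. The following Python helper is an added example, not FreeRADIUS code or anything posted in the thread: it scans radiusd -X output for the failure signatures quoted on this page (the inner-tunnel run above that ends in "No authenticate method (Auth-Type)", and the "No known good password" and "NAK asked for unsupported type 25" lines in the mschapv2 thread below), reports which modules ran in the authorize group that failed so a missing ldap stands out, and masks the cleartext credentials that -X echoes (Cleartext-Password, User-Password and the LDAP bind password, all visible in the logs quoted here) before a log is shared. The signature table and the sample lines are constructed from this thread's excerpts.

```python
import re
# Failure signatures quoted in this thread's debug output, paired with the diagnosis
# each one led to. Added triage helper; none of this is FreeRADIUS code.
SIGNATURES = [
    (r"No authenticate method \(Auth-Type\) configuration found",
     "nothing set Auth-Type; for TTLS/PAP, ldap must run in inner-tunnel authorize"),
    (r'No "known good" password was found in LDAP',
     "ldap returned no password attribute, so pap/mschap have nothing to compare"),
    (r"NAK asked for unsupported type (\d+)",
     "client asked for an EAP type that is not enabled in eap.conf"),
]
# radiusd -X echoes cleartext credentials (Cleartext-Password, User-Password and the
# LDAP bind password); mask them before a log is pasted into a mailing list.
SECRETS = [
    (re.compile(r'((?:Cleartext-Password ==|User-Password =) )"[^"]*"'), r'\1"<redacted>"'),
    (re.compile(r"(bind as .+?)/\S+( to )"), r"\1/<redacted>\2"),
]
def redact(line):
    for pat, repl in SECRETS:
        line = pat.sub(repl, line)
    return line

def triage(lines):
    """Return (line_no, diagnosis) pairs for every known failure signature; the
    Auth-Type finding also lists the modules that ran in the last authorize group."""
    modules, findings = [], []
    for n, raw in enumerate(lines, 1):
        line = redact(raw.strip())
        if line.startswith("+- entering group authorize"):
            modules = []  # new authorize run, possibly in another virtual server
        m = re.match(r"\+\+\[(\w+)\] returns", line)
        if m:
            modules.append(m.group(1))
        for pat, why in SIGNATURES:
            m = re.search(pat, line)
            if not m:
                continue
            why += f" (type {m.group(1)})" if m.groups() else ""
            if "Auth-Type" in pat:
                why += "; ran: " + ",".join(modules)
                why += "" if "ldap" in modules else "; ldap did not run"
            findings.append((n, why))
    return findings

# Constructed sample, modelled on the inner-tunnel excerpt quoted in this thread.
SAMPLE = """+- entering group authorize {...}
++[eap] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
} # server inner-tunnel""".splitlines()
```

Run it as `for n, why in triage(open("radiusd-X.log").read().splitlines()): print(n, why)` over a saved debug log; only the findings, with secrets masked, are printed.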
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Thanks for your help. I'm pretty new to freeradius. I've read many how-tos, but only in this post have I discovered many things.

Alan DeKok-2 wrote:
>
> jpablorp wrote:
>> I replace eap.conf with the Default eap.conf file
>>
>> and this is my debug:
>
>   Where you have *deleted* the real cause of the error.
>
>> [peap] Had sent TLV failure. User was rejected earlier in this session.
>
>   Look EARLIER in the debug log for the failure. It's really not hard.
> Look for words like "reject", or "fail", or "error".
>
>   The messages will tell you what is wrong, and why. All you need to do
> is read them.
>
>   Alan DeKok.
>

--
View this message in context: http://www.nabble.com/freeradius-2.1.6-ldap-%2B-mschapv2-to-authenticate-tp24167333p24187153.html
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Ivan Kalik wrote:
>
> Have you done some strange things to eap.conf or are you using the default
> one? Default configuration works.
>

I replaced eap.conf with the default eap.conf file and this is my debug:

++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 198 to 10.14.56.33 port 32768
        EAP-Message = 0x040d0004
        Message-Authenticator = 0x
Waking up in 3.6 seconds.
Cleaning up request 1 ID 190 with timestamp +51
Cleaning up request 2 ID 191 with timestamp +51
Cleaning up request 3 ID 192 with timestamp +51
Cleaning up request 4 ID 193 with timestamp +51
Cleaning up request 5 ID 194 with timestamp +51
Cleaning up request 6 ID 195 with timestamp +51
Cleaning up request 7 ID 196 with timestamp +51
Cleaning up request 8 ID 197 with timestamp +51
Waking up in 1.0 seconds.
Cleaning up request 9 ID 198 with timestamp +51

Am I missing something?

--
View this message in context: http://www.nabble.com/freeradius-2.1.6-ldap-%2B-mschapv2-to-authenticate-tp24167333p24173891.html
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Thanks for your response. Now I'm using the default files and configured the access in modules (raddb/modules/ldap). Now it seems like the solution is closer. When I test, this appears on my server in debug mode:

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for unsupported type 25
[eap] No common EAP types found.
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 189 to 10.14.56.33 port 32768
        EAP-Message = 0x040c0004
        Message-Authenticator = 0x
Waking up in 3.9 seconds.
Cleaning up request 1 ID 188 with timestamp +30
Waking up in 1.0 seconds.
Cleaning up request 2 ID 189 with timestamp +30
Ready to process requests.

I think the problem is in my eap.conf file, but I'm not sure what exactly I have to do. Any idea?

Ivan Kalik wrote:
>
>> I've trying to setup a freeradius 2.1.6 with Ldap and mschapv2 to
>> authenticate.
>> when I send test from my console, this works fine.
>>
>> But when I try to connect.
>>
>> I don't know what I'm missing.
>> here is my radiusd.conf:
>
> Why did you find it necessary to butcher default configuration? Use
> default radiusd.conf, configure ldap in modules (raddb/modules/ldap) and
> watch it work.
>
> Ivan Kalik
> Kalik Informatika ISP
>

--
View this message in context: http://www.nabble.com/freeradius-2.1.6-ldap-%2B-mschapv2-to-authenticate-tp24167333p24170971.html
freeradius 2.1.6 ldap + mschapv2 to authenticate
Hi everyone. I've been trying to set up freeradius 2.1.6 with LDAP and mschapv2 to authenticate. When I send a test from my console, this works fine.

client:

$ radtest user pass 10.14.56.26 0 secret

server in debug mode:

Ready to process requests.
rad_recv: Access-Request packet from host 172.24.104.12 port 39285, id=52, length=69
        User-Name = "user"
        User-Password = "pass"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
[ldap] performing user authorization for user
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap]  expand: (&(SamAccountName=%{Stripped-User-Name:-%{User-Name})(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com)) -> (&(SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
[ldap]  expand: OU=Groups,DC=it,DC=test,DC=com -> OU=Groups,DC=it,DC=test,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.14.56.100:389, authentication 0
rlm_ldap: bind as ad...@it.test.com/adminpass to 10.14.56.100:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Groups,DC=it,DC=test,DC=com, with filter (&(SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = ldap
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = ldap
+- entering group authenticate {...}
[ldap] login attempt by "user" with password "pass"
[ldap] user DN: CN=user,OU=General Group,OU=Users,DC=it,DC=test,DC=com
rlm_ldap: (re)connect to 10.14.56.100:389, authentication 1
rlm_ldap: bind as CN=user,OU=General Group,OU=Users,DC=it,DC=test,DC=com/pass to 10.14.56.100:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user user authenticated succesfully
++[ldap] returns ok
Login OK: [user/pass] (from client redprivada1 port 0)
Sending Access-Accept of id 52 to 172.24.104.12 port 39285
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 52 with timestamp +10

But when I try to connect:

rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=174, length=189
        User-Name = "user"
        Calling-Station-Id = "00-24-2C-83-AA-92"
        Called-Station-Id = "00-21-A1-9E-F9-30:redprivada1"
        NAS-Port = 1
        NAS-IP-Address = 10.14.56.33
        NAS-Identifier = "acces-ponit-wlc"
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020e0016016a75616e7061626c6f5f72616d6972657a
        Message-Authenticator = 0x76c7af8be679e0867bb2c06d1146d7e6
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
[ldap] performing user authorization for user
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap]  expand: (&(SamAccountName=%{Stripped-User-Name:-%{User-Name})(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com)) -> (&(SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
[ldap]  expand: OU=Groups,DC=it,DC=test,DC=com -> OU=Groups,DC=it,DC=test,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Groups,DC=it,DC=test,DC=com, with filter (&(SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.

        usersfile = "/etc/freeradius/users"
        acctusersfile = "/etc/freeradius/acct_users"
        preproxy_usersfile = "/etc/freeradius/preproxy_users"
        compat = "no"
 }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp