Re: Problems with EAP and LDAP replyItems (2.0.2)
> Original-Message
> Date: Tue, 19 Aug 2008 17:37:34 +0200
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: Problems with EAP and LDAP replyItems (2.0.2)
>
> [...]

No one has any clue why this doesn't work? I really wanted to deploy the server tonight. Any help is welcome!

thanks,
Peter

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems with EAP and LDAP replyItems (2.0.2)
radiusCallingStationId is already mapped as Calling-Station-Id. Use another ldap attribute name for this.

Ivan Kalik
Kalik Informatika ISP

On 20/8/2008, [EMAIL PROTECTED] wrote:
> Original-Message
> Date: Tue, 19 Aug 2008 17:37:34 +0200
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: Problems with EAP and LDAP replyItems (2.0.2)
>
> [...]
Re: Problems with EAP and LDAP replyItems (2.0.2)
> Original-Message
> Date: Wed, 20 Aug 2008 09:18:57 +0100
> From: Ivan Kalik [EMAIL PROTECTED]
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Subject: Re: Problems with EAP and LDAP replyItems (2.0.2)
>
> radiusCallingStationId is already mapped as Calling-Station-Id. Use another ldap attribute name for this.
>
> Ivan Kalik
> Kalik Informatika ISP

I commented out the original line containing the mapping between Calling-Station-Id and radiusCallingStationId, so there shouldn't be any complications. By the way, it's independent of the attribute name: even if I change the source LDAP attribute, the problem still occurs.

> On 20/8/2008, [EMAIL PROTECTED] wrote:
> > [...]
Problems with EAP and LDAP replyItems (2.0.2)
Hi Guys,

Since freeradius2 has some major improvements I am trying to upgrade from 1.1.4. Unfortunately there are a few problems I encounter: for some weird reason the server isn't sending my LDAP replyItems back to the NAS along with the Access-Accept packet.

In short, I want to authenticate using EAP/PEAP against the server, which itself checks against our LDAP server. Additionally the server should also send back a specific replyItem stored in our LDAP.

The configuration looks like:

authorize {
        preprocess
        eap {
                ok = return
        }
        ldap1
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

In ldap.attrmap the following is configured:

replyItem       Airespace-Interface-Name        radiusCallingStationId

so the LDAP attribute radiusCallingStationId should be transformed into an attribute called Airespace-Interface-Name and sent back to the NAS.

As you can see in the following debug output, at the beginning the server sends the attribute back as supposed, but for some weird reason in the Access-Accept packet the attribute isn't sent along. What's wrong here?

Thanks in advance!
debug-output:

rad_recv: Access-Request packet from host 10.110.101.4 port 32770, id=237, length=182
        User-Name = testuser
        Calling-Station-Id = 00-0E-35-AE-DB-DF
        Called-Station-Id = 00-1A-30-2E-C9-60:wlan-test
        NAS-Port = 29
        NAS-IP-Address = 10.110.101.4
        NAS-Identifier = WiSM-2
        Airespace-Wlan-Id = 7
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 995
        EAP-Message = 0x0202000d0173737065726c3232
        Message-Authenticator = 0x1c08d8491b0ebb2a032ab1ebb8f7ee59
+- entering group authorize
++[preprocess] returns ok
  rlm_eap: EAP packet type response id 2 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
        expand: (|(uid=%u)(uid=%U)) -> (|(uid=testuser)(uid=_))
        expand: dc=mydomain,dc=ac,dc=at -> dc=mydomain,dc=ac,dc=at
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.mydomain.com:389, authentication 0
rlm_ldap: bind as uid=service-user,ou=services,dc=mydomain,dc=ac,dc=at/passme to ldap.mydomain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=ac,dc=at, with filter (|(uid=testuser)(uid=_))
rlm_ldap: Added User-Password = testpwd in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusCallingStationId as RADIUS attribute Airespace-Interface-Name = 599
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap1] returns ok
rad_check_password:  Found Auth-Type EAP
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!                                                                         !!!
!!! Please update your configuration so that the known good                 !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 237 to 10.110.101.4 port 32770
        Airespace-Interface-Name = 599
        EAP-Message = 0x0103001604104f56bcec8ceb0ba608af483ccb4111c9
        Message-Authenticator = 0x
        State = 0x33b5046233b6000c0bb076d000b26f5e
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.110.101.4 port 32770, id=238, length=193
        User-Name = testuser
        Calling-Station-Id = 00-0E-35-AE-DB-DF
        Called-Station-Id = 00-1A-30-2E-C9-60:wlan-test
        NAS-Port = 29
        NAS-IP-Address = 10.110.101.4
        NAS-Identifier = WiSM-2
        Airespace-Wlan-Id = 7
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 995
        EAP-Message = 0x020300060319
        State = 0x33b5046233b6000c0bb076d000b26f5e
        Message-Authenticator = 0xae7227a437741cee122a96438eb2b8c6
+- entering group authorize
++[preprocess] returns ok
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No
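The thread as captured here does not record how the problem was resolved. The configuration below is an added example, not the poster's files and not the FreeRADIUS project's own defaults; it shows the pattern a practitioner would check in this situation with FreeRADIUS 2.0.x: do the LDAP lookup inside the PEAP tunnel and let the server copy the inner reply items into the final Access-Accept. Three things in the debug output above motivate it. First, Airespace-Interface-Name is attached to the reply of the first outer Access-Request, i.e. to an Access-Challenge built by the outer authorize from the outer EAP identity, which the supplicant chooses freely and which is never authenticated; an attribute that decides network placement should be derived from the inner, authenticated identity. Second, the eap module starts with MD5 (`rlm_eap: processing type md5`) and the supplicant answers with a NAK asking for type 25 (EAP-Message 0x020300060319: Response, id 3, length 6, type 3 Nak, desired type 0x19 = PEAP), so default_eap_type should be peap. Third, the server itself warns that the known-good password is arriving as User-Password instead of Cleartext-Password. The LDAP attribute name radiusAirespaceInterfaceName is an assumption, chosen because, as Ivan notes, radiusCallingStationId is already mapped to Calling-Station-Id in the stock ldap.attrmap; the stock inner-tunnel virtual server and the module instance name ldap1 are taken from the thread. One more caveat worth stating: `radiusd -X` prints the LDAP bind DN and password (`bind as ... /passme`), the user's cleartext password (`Added User-Password = testpwd`) and the EAP identity inside the EAP-Message octets, so debug output should be redacted before it is posted and the bind credential rotated afterwards.

```conf
# Added example (FreeRADIUS 2.0.x syntax), not from the thread or the project.
# Assumes the stock raddb/sites-available/inner-tunnel virtual server and an
# ldap module instance named ldap1, as in the poster's outer configuration.

# --- raddb/eap.conf (excerpt) ---
eap {
        # The debug output shows MD5 offered first and the supplicant NAKing
        # to type 25 (PEAP); offer PEAP directly and skip that round trip.
        default_eap_type = peap

        peap {
                default_eap_type = mschapv2
                # Make the outer packet's attributes (Calling-Station-Id,
                # NAS-*) visible to the inner request for policy decisions.
                copy_request_to_tunnel = yes
                # Copy reply items produced inside the tunnel into the outer
                # Access-Accept. Without this the inner reply stays inside.
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"
        }
}

# --- raddb/sites-available/inner-tunnel (excerpt) ---
server inner-tunnel {
        authorize {
                preprocess
                mschap
                eap {
                        ok = return
                }
                # The lookup now runs on the inner, authenticated identity,
                # not on the supplicant-chosen outer identity.
                ldap1
        }
        authenticate {
                Auth-Type MS-CHAP {
                        mschap
                }
                eap
        }
}

# --- raddb/ldap.attrmap (excerpt) ---
# Known-good password goes into Cleartext-Password, as the server's own
# warning in the debug output requests.
checkItem       Cleartext-Password              userPassword
# Assumed LDAP attribute name; radiusCallingStationId is already taken by
# the stock Calling-Station-Id mapping.
replyItem       Airespace-Interface-Name        radiusAirespaceInterfaceName
```

With this in place, ldap1 can be removed from the outer (default) server's authorize section if it was only there to produce reply items; a successful run under `radiusd -X` should then show Airespace-Interface-Name in the final "Sending Access-Accept" block rather than only in the first Access-Challenge.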