Re: Problems with EAP and LDAP replyItems (2.0.2)

2008-08-20 Thread tschaos
> -------- Original-Message --------
> Date: Tue, 19 Aug 2008 17:37:34 +0200
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: Problems with EAP and LDAP replyItems (2.0.2)
>
> Hi Guys,
>
> Since freeradius2 has some major improvements I am trying to upgrade from
> 1.1.4. Unfortunately there are a few problems I encounter:
>
> For some weird reason the server isn't sending my LDAP replyItems back
> to the NAS along with the Access-Accept packet.
>
> In short, I want to authenticate using EAP/PEAP against the server, which
> itself checks against our LDAP server. Additionally the server should also
> send back a specific replyItem stored in our LDAP.
>
> The configuration looks like:
>
> authorize {
>     preprocess
>     eap {
>         ok = return
>     }
>
>     ldap1
> }
>
>
> authenticate {
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     eap
> }
>
> In ldap.attrmap the following is configured:
>
> replyItem   Airespace-Interface-Name   radiusCallingStationId
>
> So the LDAP attribute radiusCallingStationId should be transformed to an
> attribute called Airespace-Interface-Name and sent back to the NAS.
>
> As you can see in the following debug output, at the beginning the server
> sends the attribute back as it is supposed to, but for some weird reason in
> the Access-Accept packet the attribute isn't sent along.
>
> What's wrong here?
>
> Thanks in advance!
>
> debug-output: [cut]

No one has any clue why this doesn't work? I really wanted to deploy the server
tonight.

Any help is welcome!

thanks,
Peter
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems with EAP and LDAP replyItems (2.0.2)

2008-08-20 Thread Ivan Kalik
radiusCallingStationId is already mapped as Calling-Station-Id. Use
another ldap attribute name for this.

Ivan Kalik
Kalik Informatika ISP
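
To audit the point raised in this reply, the following added example (not part of the original thread and not FreeRADIUS code) scans an ldap.attrmap for LDAP attributes that are mapped to more than one RADIUS attribute. The sample file is constructed, and `parse_attrmap` and `find_conflicts` are hypothetical helper names; commented-out lines are ignored and a line with fewer than three fields is rejected.

```python
from collections import defaultdict

# Constructed sample in the ldap.attrmap layout:
#   ItemType  RADIUS-Attribute-Name  ldapAttributeName [operator]
SAMPLE_ATTRMAP = """\
# constructed sample, not the poster's real file
checkItem   Calling-Station-Id          radiusCallingStationId
checkItem   Simultaneous-Use            radiusSimultaneousUse
replyItem   Framed-IP-Address           radiusFramedIPAddress
replyItem   Airespace-Interface-Name    radiusCallingStationId
"""

VALID_TYPES = {"checkItem", "replyItem"}


def parse_attrmap(text):
    """Return (line_no, item_type, radius_attr, ldap_attr) for active lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # Two names run together without whitespace leave only two fields.
        if len(fields) < 3 or fields[0] not in VALID_TYPES:
            raise ValueError(f"line {line_no}: malformed mapping: {raw!r}")
        entries.append((line_no, fields[0], fields[1], fields[2]))
    return entries


def find_conflicts(text):
    """Map each LDAP attribute used more than once to all of its mappings."""
    by_ldap = defaultdict(list)
    for line_no, item_type, radius_attr, ldap_attr in parse_attrmap(text):
        # LDAP attribute names are case-insensitive, so compare lowercased.
        by_ldap[ldap_attr.lower()].append((line_no, item_type, radius_attr))
    return {k: v for k, v in by_ldap.items() if len(v) > 1}


if __name__ == "__main__":
    for ldap_attr, uses in find_conflicts(SAMPLE_ATTRMAP).items():
        print(f"{ldap_attr} is mapped {len(uses)} times:")
        for line_no, item_type, radius_attr in uses:
            print(f"  line {line_no}: {item_type} {radius_attr}")
```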



Re: Problems with EAP and LDAP replyItems (2.0.2)

2008-08-20 Thread Chaos Commander
> -------- Original-Message --------
> Date: Wed, 20 Aug 2008 09:18:57 +0100
> From: Ivan Kalik [EMAIL PROTECTED]
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Subject: Re: Problems with EAP and LDAP replyItems (2.0.2)
>
> radiusCallingStationId is already mapped as Calling-Station-Id. Use
> another ldap attribute name for this.
>
> Ivan Kalik
> Kalik Informatika ISP

I commented out the original line containing the mapping between
Calling-Station-Id and radiusCallingStationId, so there shouldn't be any
complications. By the way, it's independent of the attribute name, so even if
I change the source LDAP attribute, the problem still occurs.


 


Problems with EAP and LDAP replyItems (2.0.2)

2008-08-19 Thread tschaos
Hi Guys,

Since freeradius2 has some major improvements I am trying to upgrade from 1.1.4.
Unfortunately there are a few problems I encounter:

For some weird reason the server isn't sending my LDAP replyItems back to the
NAS along with the Access-Accept packet.

In short, I want to authenticate using EAP/PEAP against the server, which itself
checks against our LDAP server. Additionally the server should also send back a
specific replyItem stored in our LDAP.

The configuration looks like:

authorize {
    preprocess
    eap {
        ok = return
    }

    ldap1
}


authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}

In ldap.attrmap the following is configured:

replyItem   Airespace-Interface-Name   radiusCallingStationId

So the LDAP attribute radiusCallingStationId should be transformed to an
attribute called Airespace-Interface-Name and sent back to the NAS.

As you can see in the following debug output, at the beginning the server sends
the attribute back as it is supposed to, but for some weird reason in the
Access-Accept packet the attribute isn't sent along.

What's wrong here?

Thanks in advance!

debug-output:


rad_recv: Access-Request packet from host 10.110.101.4 port 32770, id=237, 
length=182
User-Name = testuser
Calling-Station-Id = 00-0E-35-AE-DB-DF
Called-Station-Id = 00-1A-30-2E-C9-60:wlan-test
NAS-Port = 29
NAS-IP-Address = 10.110.101.4
NAS-Identifier = WiSM-2
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 995
EAP-Message = 0x0202000d0173737065726c3232
Message-Authenticator = 0x1c08d8491b0ebb2a032ab1ebb8f7ee59
+- entering group authorize
++[preprocess] returns ok
  rlm_eap: EAP packet type response id 2 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
expand: (|(uid=%u)(uid=%U)) -> (|(uid=testuser)(uid=_))
expand: dc=mydomain,dc=ac,dc=at -> dc=mydomain,dc=ac,dc=at
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.mydomain.com:389, authentication 0
rlm_ldap: bind as uid=service-user,ou=services,dc=mydomain,dc=ac,dc=at/passme 
to ldap.mydomain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=ac,dc=at, with filter 
(|(uid=testuser)(uid=_))
rlm_ldap: Added User-Password = testpwd in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusCallingStationId as RADIUS attribute 
Airespace-Interface-Name = 599
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap1] returns ok
  rad_check_password:  Found Auth-Type EAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 237 to 10.110.101.4 port 32770
Airespace-Interface-Name = 599
EAP-Message = 0x0103001604104f56bcec8ceb0ba608af483ccb4111c9
Message-Authenticator = 0x
State = 0x33b5046233b6000c0bb076d000b26f5e
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.110.101.4 port 32770, id=238, 
length=193
User-Name = testuser
Calling-Station-Id = 00-0E-35-AE-DB-DF
Called-Station-Id = 00-1A-30-2E-C9-60:wlan-test
NAS-Port = 29
NAS-IP-Address = 10.110.101.4
NAS-Identifier = WiSM-2
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 995
EAP-Message = 0x020300060319
State = 0x33b5046233b6000c0bb076d000b26f5e
Message-Authenticator = 0xae7227a437741cee122a96438eb2b8c6
+- entering group authorize
++[preprocess] returns ok
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No