Re: Freeradius + OpenLDAP - user password problem
SOLVED! Problem is, Lynksys v5.1 can use only DD-WRT 23 sp1 MICRO - micro version is cousing problems! I used Lynksys v7 (thanks god i have plenty of those with different versions on dispossial :P) with original FW and it works! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Oh my god, now i opened up brand new Linksys router, installed dd-wrt on it and plugged it into my first freeradius server, that worked already. And now it doesn't get past the Access-Challenge! Please help me, what could be wrong? I used tcpdump to make sure, AP is sending nothing but access-request and radius sends back only access-challenge packets! It all worked before on the SAME setup! Nothing changed. :S If anyone has ANY idea please don't hasitate to post it. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Yeah, i think radius doesn't even boot if there is something wrong with certs. I checked firewalls, routing tables, etc. and no problem there. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
On 9/22/06, K. Hoercher <[EMAIL PROTECTED]> wrote: the usual suspects: oid's in certs on supplicant, reception of ah, for peap, of course you only need a proper root ca cert there. Anyways it doesn't look like that gets even relevant. regards K .Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Hi, On 9/22/06, Tilen <[EMAIL PROTECTED]> wrote: Hello, it's me again, did you miss me? :) Thing is, i tried to make 2nd freeradius server (eap-peap,mschapv2,openldap), with same setup and i configured it exact same way, but i get this when i try to connect: Welcome back to our regular program *g*, Well, while your supplicant keeps sending EAP Type Identity requests, radius keeps answering them with EAP (Type PEAP) START messages. Why they don't get answered properly (TLS Client Helo inside EAP) by your supplicant is not really a freeradius problem. You might check (again) the usual suspects: oid's in certs on supplicant, reception of Access-Request there, time, MS foo (they sound familiar somehow *g*) regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Hello, it's me again, did you miss me? :)Thing is, i tried to make 2nd freeradius server (eap-peap,mschapv2,openldap), with same setup and i configured it exact same way, but i get this when i try to connect: rad_recv: Access-Request packet from host 192.168.1.1:3079, id=0, length=121 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00401013" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "00401013" NAS-Port = 30 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02090174657374 Message-Authenticator = 0x39a9a7986f599b0dc47291d0bbcce631 Processing the authorize section of radiusd.confmodcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0rlm_ldap: - authorizerlm_ldap: performing user authorization for test radius_xlat: '(uid=test)'radius_xlat: 'ou=People,dc=kapion,dc=si'rlm_ldap: ldap_get_conn: Checking Id: 0rlm_ldap: ldap_get_conn: Got Id: 0rlm_ldap: attempting LDAP reconnectionrlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389rlm_ldap: waiting for bind result ...rlm_ldap: Bind was successfulrlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test)rlm_ldap: Added password tset1 in check items rlm_ldap: looking for check items in directory...rlm_ldap: looking for reply items in directory...rlm_ldap: user test authorized to use remote accessrlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAPauth: type "EAP" Processing the authenticate section of radiusd.confmodcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 0 to 192.168.1.1:3079 EAP-Message = 0x010100061920 Message-Authenticator = 0x State = 0x9ef689c7fbaeabf2695de1a430324a73 Finished request 0Going to the next request--- Walking the entire request list ---Waking up in 6 seconds...rad_recv: Access-Request packet from host 192.168.1.1:3079 , id=0, length=121 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00401013" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "00401013" NAS-Port = 30 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02090174657374 Message-Authenticator = 0x2ec95d116f20e8634b835c646acc514c Processing the authorize section of radiusd.confmodcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1rlm_ldap: - authorize rlm_ldap: performing user authorization for testradius_xlat: '(uid=test)'radius_xlat: 'ou=People,dc=kapion,dc=si'rlm_ldap: ldap_get_conn: Checking Id: 0rlm_ldap: ldap_get_conn: Got Id: 0rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test) rlm_ldap: Added password tset1 in check itemsrlm_ldap: looking for check items in directory...rlm_ldap: looking for reply items in directory...rlm_ldap: user test authorized to use remote accessrlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAPauth: type "EAP" Processing the authenticate section of radiusd.confmodcall: entering group authenticate for request 1 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1Sending Access-Challe
Re: Freeradius + OpenLDAP - user password problem
Wohoo it works now :D Clear text password in LDAP worked like a charm now (dunno why i had problems with it in the past) :P Thank you all guys 10x!!! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Tilen <[EMAIL PROTECTED]> wrote: > Yes i know that, i heard it 100 times already... that's why i'm asking how > to store them in cleartext/NT hash You update the LDAP database to contain the clear-text password. How that's done is up to the LDAP server. See it's documentation. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Alan DeKok wrote: It is impossible to do MS-CHAP if the passwords are stored in crypt'd format. Yes i know that, i heard it 100 times already... that's why i'm asking how to store them in cleartext/NT hash (i still posted radius output though, just in case). I think i tried once by simply typing PW in cleartext in ldap users file before importing user to database but it didn't work. Will try again tommorow. Edvin Seferovic wrote: Set up the ldap module right for your server and map your NAS attributes to the LDAP attributes ! Shouldn't be hard to set up !Yes, module is already set up correctly for my server, will try to set up attributes now. Hope it really isn't too hard :) Thanks for help. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Tilen <[EMAIL PROTECTED]> wrote:
> rlm_ldap: Added password {crypt}$1$9wlsOcEJ$QA/FskGvrnnmsj1SWi1kY/ in check
> items
...
> rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
http://deployingradius.com/documents/protocols/compatibility.html
It is impossible to do MS-CHAP if the passwords are stored in
crypt'd format.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius + OpenLDAP - user password problem
Set up the ldap module right for your server and map your NAS attributes to the LDAP attributes ! Shouldn’t be hard to set up ! Regards, Edvin Seferovic From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tilen Sent: Mittwoch, 30. August 2006 16:58 To: FreeRadius users mailing list Subject: Re: Freeradius + OpenLDAP - user password problem So, what i want to achieve is, to authorize against OpenLDAP the easiest way. I don't care if i use cleartext passwords or NT hashes. What would be the fastest way to make things work? I'm running out of time for this >.< - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Tilen <[EMAIL PROTECTED]> wrote: > rlm_mschap: No User-Password configured. Cannot create LM-Password. ... > Hm, now i have to make LDAP passwords in NT hash and it will work (still > gotta figure out how)? Or should i make changes in ldap.attrmap file too? No. If you have the clear-text password in the ldap "userPassword" attribute, it should just work. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
So, what i want to achieve is, to authorize against OpenLDAP the easiest way. I don't care if i use cleartext passwords or NT hashes. What would be the fastest way to make things work? I'm running out of time for this >.< - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Ok sorry for spamming :) But here is update (again):
I noticed i had " password_attribute = userPassword" commented out in ldap module configuration.
After i uncommented that, i get new output:
...
modcall[authorize]: module "eap" returns updated for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat: '(uid=test)'
radius_xlat: 'ou=People,dc=kapion,dc=si'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test)
rlm_ldap: Added password {crypt}$1$9wlsOcEJ$QA/FskGvrnnmsj1SWi1kY/ in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 5
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 5
modcall: group Auth-Type returns reject for request 5
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 5
modcall: group authenticate returns reject for request 5
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Yes yes, i understand, this works now :) I copied CA public key to wireless client and now it works. Now i only get this error: rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 5 modcall: group Auth-Type returns reject for request 5 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 5 modcall: group authenticate returns reject for request 5 auth: Failed to validate the user. PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE Hm, now i have to make LDAP passwords in NT hash and it will work (still gotta figure out how)? Or should i make changes in ldap.attrmap file too? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Ok, nevermind, i get it now. Client needs CA public key to verify the certificate authority, becouse i created it and is not in public registry. So, if i copy cacert.pem to client machine i should get rid of this error, right? WIll try i tnow, really hope it works :D - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
On 8/30/06, Tilen <[EMAIL PROTECTED]> wrote: Ok i really don't get it. I made all certificates myself using only openssl (no scripts) and entered path to them in TLS part of the eap.conf file. CA, server cert.., everything is there in the same directory (in my case - CERTS, with big letters) (how would i sign certificate if i wouldn't create CA first?). And i don't have CA.all file at all :\ Files i'm using: cacert.pem<-- this is my CA cakey.pem newcert.pem <-- and this is my server cert newcert.req Your supplicant is sending an TLS Alert Message, because _it_ cannot find a CA certificate. What you are talking about is the freeradius side of things which looks alright at first glance. And if you don't get it to work, please first check with demo certficates to be generated by the CA.all script. hth K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Ok i really don't get it. I made all certificates myself using only openssl (no scripts) and entered path to them in TLS part of the eap.conf file. CA, server cert.., everything is there in the same directory (in my case - CERTS, with big letters) (how would i sign certificate if i wouldn't create CA first?). And i don't have CA.all file at all :\ Files i'm using: cacert.pem <-- this is my CA cakey.pem newcert.pem <-- and this is my server cert newcert.req - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
On 8/29/06, Tilen <[EMAIL PROTECTED]> wrote: So here comes something really weird: Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:3072, id=0, length=147 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00401013" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "00401013" NAS-Port = 30 Framed-MTU = 1400 State = 0x123b5c7e213692f7121dbe4052274024 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02020011198715030100020230 Message-Authenticator = 0xd65ea4a0e55f28c1e76a6b51f9ec9467 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 That's a tls1.0 Alert message the part "1503...". Therefore the openssl lib bails out of further processing as specified in RFC2246. Thats (arguably somewhat hard to understand) also mentioned int the output: 3447:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48 3447:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837: So your client wasn't able to fiind a correct CA certificate for the cert freeradius had sent before. Please see to provide those. If in doubt, check with dummy ones to be created by CA.all script. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Requests prior to #4 are missing becouse i tried to connect multiple times, and i didn't want to paste same thing twice. Then everything got corrupted, becouse i had to paste it by pieces in the gmail and it really got messed up. So here is the example of full (pasted with care :p) radius log: [EMAIL PROTECTED] ~]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/CERTS/newreq.pem" tls: certificate_file = "/etc/raddb/CERTS/newcert.pem" tls: CA_file = "/etc/raddb/CERTS/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded LDAP ldap: server = "localhost" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "ou=People,dc=kapion,dc=si" ldap: filt
Re: Freeradius + OpenLDAP - user password problem
On 8/23/06, Tilen <[EMAIL PROTECTED]> wrote: I get Access-Reject, whole debug log is here: That is obviously a false statement. While eventually not decisive, the output from startup is missing. Some Requests prior to #4 are missing, which might already be more interesting. Finally you seem to have edited the output in an ill-advised manner here: [...] rad_recv: Access-Request packet from host 192.168.1.1:3072, id=0, length=147 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00401013" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "00401013" NAS-Port = 30 Framed-MTU = 1400 State = 0x78d2170e45bcb6eac38f66525f681d9e Message-Authenticator = 0x90ba3baf012b7509c5c4c985a5452b26 Message-Authenticator is misaligned and EAP-Message is missing, which is definetly prohibiting the checking against the behaviour further down (which does indeed look peculiar, and is not the standard openssl error one would have guest from your previous truncations). rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A 3239:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48 3239:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails. eaptls_process returned 13 _Again_ please see to provide details as has been requested numerous times. Some sniffing on the radius server might be helpful here too. I'll refrain from looking into that as long as I have to play some sort of detective to even get to know what is going on on your installation. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
I get Access-Reject, whole debug log is here: rad_recv: Access-Request packet from host 192.168.1.1:3072, id=0, length=236 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00401013" Calling-Station-Id = "000e3557c74e" NAS-Identifier = "00401013" NAS-Port = 30 Framed-MTU = 1400 State = 0xfbfc085c4b8a5b1973ea7d92703b0061 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201006a19800060160301005b0157030144ec0618e33d04cad22340edcd83b5b8a5aa6be4a035146cfe433178e4e054a13000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100 Message-Authenticator = 0x11f7f2a8e75c95f1e0e284a7dfd86163 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 1 length 106 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'ou=People,dc=kapion,dc=si' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=kapion,dc=si, with filter (uid=test) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 031d], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: group authenticate returns handled for request 4 Sending Access-Challenge of id 0 to 192.168.1.1:3072 EAP-Message = 0x010203801900160301004a0246030144ec0617ad338f7b43db504027f5cb34fe48656cf6713337665d0e235bc61dde201783bdc208cdc4349989ca629b9d754dd1a4f17e1855d2fba8c00b4b7dbe5537003500160301031d0b0003190003160003133082030f30820278a003020102020102300d06092a864886f70d01010405003056310b30090603550406130253493110300e06035504081307506f6d75726a65310f300d060355040713064d7572736b6131163014060355040a130d4b6170696f6e20642e6f2e6f2e310c300a060355040313036b6579301e170d3036303832313134303731395a170d3037303832313134303731395a305e EAP-Message = 0x310b30090603550406130253493110300e06035504081307506f6d75726a653117301506035504070c0e4d757264736b7f7f1b5b441b5b4431163014060355040a130d4b6170696f6e20642e6f2e6f2e310c300a06035504031303626c6130819f300d06092a864886f70d010101050003818d0030818902818100b2f4bc83918aa62084cd46a33410a0d63ee1f94f9a58f365bd098cb5dc2241cc453055c26284969ea573f5a43aaaec74da7c00d56651fc15cdcddd68d208a01396d98cd70a81b57ec0814e8089045187c625b2a78a7e9c70c77e4968935a1aa733933959fc003b02738dbcca20ef62d0899c42fba7ba5b2988efca5bb7f989030203 EAP-Message = 0x010001a381e43081e130090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e04160414b527b4b72fb126f870699a8fa890b0fc3240f1d53081860603551d23047f307d8014e77015f7708c5f78601009f9db74ff8001a0515aa15aa4583056310b30090603550406130253493110300e06035504081307506f6d75726a65310f300d060355040713064d7572736b6131163014060355040a130d4b6170696f6e20642e6f2e6f2e310c300a060355040313036b6579820900d29d80bb0e169c12300d06092a864886f70d010104050003818100 EAP-Message = 0x3a6b3a362928faf1324f11e2202b1b32cb9d12d8e91726c8124c4e9e1a2c43ad421889195
Re: Freeradius + OpenLDAP - user password problem
Stuckzor <[EMAIL PROTECTED]> wrote: > Still doesn't work. I tried yesterday on new machine, i set up everything and > configure eap.conf to use peap. I set up server certificates and CA. When i > try to login from XP client via Linksys wireless router i get "error reading > client certificate" messege from freeRadius. Since i don't need client > certificate for peap, i'm pretty confused (again :D). While that message is annoying, it's not important. What response did the server send? Access-Accept? Access-Reject? Read the WHOLE debug log to see what's going on. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
On 8/22/06, Stuckzor <[EMAIL PROTECTED]> wrote: try to login from XP client via Linksys wireless router i get "error reading client certificate" messege from freeRadius. Since i don't need client Hi, thats probably the linked in openssl complaining about not being able to read the client certificate (which is possible but unneeded as you already noted). If so, it' s not an "error" with respect to freeradius eap etc. As you didn't provide meaningful output one cannot be sure of course... regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
On 8/22/06, Stuckzor <[EMAIL PROTECTED]> wrote: try to login from XP client via Linksys wireless router i get "error reading client certificate" messege from freeRadius. Since i don't need client Hi, thats probably the linked in openssl complaining about not being able to read the client certificate (which is unneeded as you already noted). If so, it' s not an "error" with respect to freeradius eap etc. As you didn't provide meaningful output one cannot be sure of course... regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Still doesn't work. I tried yesterday on new machine, i set up everything and configure eap.conf to use peap. I set up server certificates and CA. When i try to login from XP client via Linksys wireless router i get "error reading client certificate" messege from freeRadius. Since i don't need client certificate for peap, i'm pretty confused (again :D). -- View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014904.html#a5921516 Sent from the FreeRadius - User forum at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Stuckzor <[EMAIL PROTECTED]> wrote: > Now i configured radius to use EAP-PEAP and i tought i have only 1 step left > to take - make OpenLDAP use NT hash passwords (already know how to do > that), but damn, that "no dialup access attribute" error strikes again with > radtest:( From the "ldap" section of radiusd.conf: access_attr = "dialupAccess" Comment that out, and it won't check for dial-up access permissions. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Thanks to you too. I noticed some people feel offended by my attitude, so let me apologize - i don't mean to be a smartass, and i definetly don't have any doubts in your knowledge, but i'm a young computer engineer (first months of work) and when things get hard for me i can get a little pushy while trying to solve them. Now i configured radius to use EAP-PEAP and i tought i have only 1 step left to take - make OpenLDAP use NT hash passwords (already know how to do that), but damn, that "no dialup access attribute" error strikes again with radtest:( If even radtest doesn't get through (though it doesn't use eap) there is no chance a real client would, eh? And i ask again - is it normal, that i don't get access-accept with radtest without setting auth-type to ldap and can i simply ignore that(i get that dialup access attribute error), or should i get access-accept with radtest without setting auth-type to ldap? That's what i wanted to know in one of my previous posts. -- View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014904.html#a5649743 Sent from the FreeRadius - User forum at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
On 8/3/06, Stuckzor <[EMAIL PROTECTED]> wrote:
1.)I have ldap in authenticate section
2.)AUTH-TYPE set ot LDAP in users fileand
3.)MUST NOT have ldap under authorize section of radiusd.conf.
Only with this config i get access-accept with radtest (i tried all possible
combinations of those 3). I get this message otherwise:
"rlm_ldap: no dialupAccess attribute - access denied by default"
And with my "working" config i get already mentioned userPassword attribute
error. So, i'm afraid i don't even get so far, to have problems with
password encription.
Hi,
OK, I'll give it a try.
1. Going far back in this thread, you said something about using
EAP-PEAP/MSCHAP. Therefore you are _required_ to have the cleartext
password in LDAP or in the alternative an equivalent hash (nt/lm) if
you want to use that.
If so, configure your ldap instance in radius.conf accordingly AND
include it in authorize{}. This was pointed out often enough one might
think (and from people who really know, because they wrote the
software you are trying to use). Then there will be no need for
explicit setting of Auth-Type. It has been said.
2. Even if you tried something else (EAP-TTLS for example) you were
already told how to proceed and how that relates to the need for
cleartext passwords. Even then there is no need for setting Auth-Type
manually.
3. If you insist on setting Auth-Type nevertheless, you will break
other things you obviously don't know about. There is plenty of
(perhaps even a bit too overwhelming) documentation on freeradius.org,
in the tarball, in the example configuration, this very list, etctetc.
Believe its contents. If you think their is a fault and you are wiser
show that precisely (NOT by reasoning in generalities stemming from
false assumptions on your side).
4. Whatever you test with radtest does not relate to EAP-PEAP/MSCHAP.
Please restart your efforts with unchanged default configuration
files. Alter them step-by-step according to the information you were
already given. And, sorry, don't whip a dead horse, again, by setting
Auth-Type.
regards
K. Hoercher
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Thank you again, you were very helpful, but still i have issues. That's bugging me: Only under these circumstances: 1.)I have ldap in authenticate section 2.)AUTH-TYPE set ot LDAP in users fileand 3.)MUST NOT have ldap under authorize section of radiusd.conf. Only with this config i get access-accept with radtest (i tried all possible combinations of those 3). I get this message otherwise: "rlm_ldap: no dialupAccess attribute - access denied by default" And with my "working" config i get already mentioned userPassword attribute error. So, i'm afraid i don't even get so far, to have problems with password encription. -- View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014904.html#a5633159 Sent from the FreeRadius - User forum at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Stuckzor wrote: Thank you, your reply was very usefull, and yes, i am confused about how this things work and i am not ashamed to admit it, but it's getting clearer pretty rapidly :) Now i have one last question (or at least i hope so) - which choice is more viable, using EAP-PEAP+MS-CHAP for wireless auth. (but with clear text passwords this time), like i originaly planned to, or can you recommend using something else? I really don't care, as long as it works with most wireless hardware :) Unless the wireless hardware is very broken (assuming you mean APs and so forth) it won't care. The main issue is software support. EAP-PEAP+MS-CHAP is generally considered to be the most widely supported. It works on WinXP, MacOS X and with Linux wpa_supplicant/NetworkManager, most PDAs and so forth. EAP-TLS is about as well supported, but has much higher administrative overhead since you have to generate and distribute certificates. All the other EAP mechanisms require special software on windows, which is obviously effort to distribute, install and configure. If you are willing to go to that effort, Secure_W2 offers EAP-TTLS+PAP which will work with any auth database. If you have the choice, I would recommend going with plaintext or NT-hashed passwords and EAP-PEAP+MS-CHAP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Phil Mayers wrote: > > > Wrong. You're very confused about how this work. > > Your original mail states you want to do EAP-PEAP+MS-CHAP for wireless > auth. > > Unless your LDAP directory contains the plaintext password or the NT > hash, what you want to do is impossible. If it does contain the > plaintext or NT hashes, correct configuration will make it work. Does it? > > Also, you've failed to register this several times, but I'll repeat it. > DO NOT SET Auth-Type. At all. To anything. In common use, there's no > need to set it, and in fact it can actively break things. > > Thank you, your reply was very usefull, and yes, i am confused about how this things work and i am not ashamed to admit it, but it's getting clearer pretty rapidly :) Now i have one last question (or at least i hope so) - which choice is more viable, using EAP-PEAP+MS-CHAP for wireless auth. (but with clear text passwords this time), like i originaly planned to, or can you recommend using something else? I really don't care, as long as it works with most wireless hardware :) -- View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014904.html#a5630872 Sent from the FreeRadius - User forum at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Tilen wrote: Ok, let me try to get that straight - i can't use ldap in authorization section of radiusd.conf (or in users file) and connect to radius with WinXP client. But i can use something else instead and still connect to radius with ldap accounts, right? Wrong. You're very confused about how this work. Your original mail states you want to do EAP-PEAP+MS-CHAP for wireless auth. Unless your LDAP directory contains the plaintext password or the NT hash, what you want to do is impossible. If it does contain the plaintext or NT hashes, correct configuration will make it work. Does it? Also, you've failed to register this several times, but I'll repeat it. DO NOT SET Auth-Type. At all. To anything. In common use, there's no need to set it, and in fact it can actively break things. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Okey i tried some things out and noticed, that what John pasted definitly isn't .ldif file. And if i set Auth-Type to LDAP in users file or if i uncomment it in authorize section of radiusd.conf --> isn't the same! If i set ldap in radiusd.conf i get "rlm_ldap: no dialupAccess attribute - access denied by default" with radtest. -- View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014904.html#a5629052 Sent from the FreeRadius - User forum at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Ok, let me try to get that straight - i can't use ldap in authorization section of radiusd.conf (or in users file) and connect to radius with WinXP client. But i can use something else instead and still connect to radius with ldap accounts, right? John wrote:>>However, in my LDAP directory, it looks a little different:>>dn: uid=user1,ou=Users,ou=radius>>dc=example,dc=com>>objectClass: top >>objectClass: inetOrgPerson>>objectClass: radiusprofile>>radiusAuthType: Local>>radiusServiceType: Framed-User>>uid: user1>>cn: user1>>sn: user1>>radiusFramedIPAddress: y.y.y.y>>radiusAcctInterimInterval: 60>>radiusTunnelServerEndpoint: x.x.x.x>>dialupAccess: true>>As you can see, AuthType is set to Local in LDAP. I don't know if this>>is the recommended way to do this, but it work for me :-) Is that .ldif file for your ldap users? If it is, it has way more lines than mine and doesn't have password. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
John McEleney <[EMAIL PROTECTED]> wrote: > As you can see, AuthType is set to Local in LDAP. I don't know if this > is the recommended way to do this, but it work for me :-) If all you do is PAP authentication. And if you have "ldap" listed in the "authorise" section, the module takes care of setting "Auth-Type = LDAP". i.e. you could delete that entry from the "users" file and nothing would change. Try it. The original post that started this was using EAP. LDAP doesn't do EAP, hence the problem. PLEASE don't tell people to set Auth-Type. It's not needed for your deployment, and it breaks most other peoples deployments. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Hi Tillen, Although I'm no expert, I do have a working FreeRadius+LDAP set-up, so I can tell you what works for me. Tilen wrote: > I have that set in users file: > -- > DEFAULT Auth-Type := LDAP > Fall-Through = 1 > - > My users file says: DEFAULT Auth-Type := LDAP Fall-Through = Yes However, in my LDAP directory, it looks a little different: dn: uid=user1,ou=Users,ou=radius,dc=example,dc=com objectClass: top objectClass: inetOrgPerson objectClass: radiusprofile radiusAuthType: Local radiusServiceType: Framed-User uid: user1 cn: user1 sn: user1 radiusFramedIPAddress: y.y.y.y radiusAcctInterimInterval: 60 radiusTunnelServerEndpoint: x.x.x.x dialupAccess: true As you can see, AuthType is set to Local in LDAP. I don't know if this is the recommended way to do this, but it work for me :-) Regards, John - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
I said: > >> The debug log you posted hows that you set "Auth-Type := LDAP". > >> > >> Don't do that. To which you responded: > I have that set in users file: > -- > DEFAULT Auth-Type := LDAP > Fall-Through = 1 > - > > And i'm pretty sure, that is okay To which I respond again: No, it's not. Honestly, if you know better than the people here about what's OK and what's not, why are you asking questions on this list? > if i comment it out i don't get > access-accept even with radtest if i use ldap password, which makes sense. > So, why do you think this is the cause of my problem and how could i fix it? You're not following instructions. Please search the list archives for the answer to your question. It's there. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Ok, i'm back on this case. I didn't have time to work on it past few days. >> The debug log you posted hows that you set "Auth-Type := LDAP". Don't do that. Alan DeKok.I have that set in users file:--DEFAULT Auth-Type := LDAPFall-Through = 1 -And i'm pretty sure, that is okay, if i comment it out i don't get access-accept even with radtest if i use ldap password, which makes sense. So, why do you think this is the cause of my problem and how could i fix it? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
2006/7/28, Alan DeKok <[EMAIL PROTECTED]>: Stuckzor <[EMAIL PROTECTED]> wrote:> Hello, as you can see, i must be pretty desperate to register somewhere so i> can ask for help. Anyway, the situation is: i recently set up a freeradius > server with openldap for auth., everything seemed to work great (radtest> returns access-accept ), until i tried to login via notebook and Linksys> router (with dd-wrt firmware). The debug log you posted hows that you set "Auth-Type := LDAP". Don't do that. Alan DeKok.-- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog-List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.htmlOh, thank you, and yes, i have set "Auth-Type := LDAP" in users.conf file. Will try to change it to something that works on Monday. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Stuckzor <[EMAIL PROTECTED]> wrote: > Hello, as you can see, i must be pretty desperate to register somewhere so i > can ask for help. Anyway, the situation is: i recently set up a freeradius > server with openldap for auth., everything seemed to work great (radtest > returns access-accept ), until i tried to login via notebook and Linksys > router (with dd-wrt firmware). The debug log you posted hows that you set "Auth-Type := LDAP". Don't do that. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
And here is the example of sucessful logon with radtest: radtest bbb badblueboy 192.168.1.129 1 testing123 rad_recv: Access-Request packet from host 192.168.1.129:35640, id=191, length=55 User-Name = "bbb" User-Password = "badblueboy" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "bbb", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 users: Matched entry DEFAULT at line 1 users: Matched entry DEFAULT at line 156 modcall[authorize]: module "files" returns ok for request 5 modcall: group authorize returns ok for request 5 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 5 rlm_ldap: - authenticate rlm_ldap: login attempt by "bbb" with password "badblueboy" radius_xlat: '(uid=bbb)' radius_xlat: 'ou=People,dc=BLah,dc=si' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=BLah,dc=si, with filter (uid=bbb) rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: user DN: uid=bbb,ou=People,dc=BLah,dc=si rlm_ldap: (re)connect to localhost:389, authentication 1 rlm_ldap: bind as uid=bbb,ou=People,dc=kapion,dc=si/badblueboy to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user bbb authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 5 modcall: group Auth-Type returns ok for request 5 Sending Access-Accept of id 191 to 192.168.1.129:35640 Finished request 5 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 191 with timestamp 44c9f995 Nothing to do. Sleeping until we see a request. -- View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014904.html#a5538165 Sent from the FreeRadius - User forum at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
OK, i guess, i should paste that anyway, so here it is, hope it helps: rad_recv: Access-Request packet from host 192.168.1.1:2051, id=0, length=121 User-Name = "root" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0016b6016815" Calling-Station-Id = "00130237d9db" NAS-Identifier = "0016b6016815" NAS-Port = 53 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020901726f6f74 Message-Authenticator = 0x4ec4b4b08fe410e47f6c233f47b4dbb0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "root", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 users: Matched entry DEFAULT at line 1 users: Matched entry DEFAULT at line 156 modcall[authorize]: module "files" returns ok for request 3 modcall: group authorize returns ok for request 3 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 3 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 3 modcall: group Auth-Type returns invalid for request 3 auth: Failed to validate the user. Delaying request 3 for 1 seconds Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to 192.168.1.1:2051 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 3 ID 0 with timestamp 44c9f898 Nothing to do. Sleeping until we see a request. ### -- View this message in context: http://www.nabble.com/Freeradius-%2B-OpenLDAP---user-password-problem-tf2014904.html#a5538103 Sent from the FreeRadius - User forum at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
