Re: Using mschap authentication without EAP

2006-07-21 Thread Giuseppina Venezia
On 7/20/06, Thibault Le Meur [EMAIL PROTECTED] wrote:
Well isn't it a pb of rights ? Is the anonymous user able to search the
openldap directory for users entries ?

Yes, the anonymous user is able to search.

What is the result of a simple ldapsearch with the same ldap filter.

ldapsearch -x -b dc=,dc=it (uid=misterc)
# extended LDIF
#
# LDAPv3
# base dc=,dc=it with scope subtree
# filter: (uid=misterc)
# requesting: ALL
#

# Vito Cu, utenti, .it
dn: cn=Vito Cu,ou=utenti,dc=,dc=it
uid: misterc
description: bel giovine
sn: Cu
cn: newperson
cn: Vito Cu
userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9
objectClass: radiusprofile
objectClass: inetOrgPerson
radiusAuthType: LDAP

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Have you got ACLs in your openldap directory configuration files ?

All the users have the rights.

Well, after some changes in OpenLDAP config, this is the result:

Fri Jul 21 11:15:51 2006 : Debug: Processing the authorize section of radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group authorize for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authorize]: module eap returns noop for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authorize
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing user authorization for misterc
Fri Jul 21 11:15:51 2006 : Debug: radius_xlat: '(uid=misterc)'
Fri Jul 21 11:15:51 2006 : Debug: radius_xlat: 'ou=utenti,dc=,dc=it'
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: (re)connect to 192.168.1.221:389, authentication 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as cn=Manager,dc=,dc=it/PASSWORD to 192.168.1.221:389
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for misterc is allowed by userPassword
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP  op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs=  op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use remote access
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authorize]: module ldap returns ok for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns ok) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rad_check_password: Found Auth-Type LDAP
Fri Jul 21 11:15:51 2006 : Debug: auth: type LDAP
Fri Jul 21 11:15:51 2006 : Debug: Processing the authenticate section of radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute Password is required for authentication. Cannot use CHAP-Password.
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: returned from pap (rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authenticate]: module pap returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authenticate
Fri Jul 21 11:15:51 2006 : Auth: rlm_ldap: Attribute User-Password is required for authentication. Cannot use CHAP-Password.
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: returned from ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authenticate]: module ldap returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group LDAP (returns invalid) for request 0
Fri Jul 21 11:15:51 2006 : Debug: auth: Failed to validate the user.

Config files are the same as above.

Best regards.
Giusy Venezia
- 
List info/subscribe/unsubscribe? See 

Re: Using mschap authentication without EAP

2006-07-21 Thread Thibault Le Meur

Well, after some changes in OpenLDAP config, this is the result:


So your first issue was openldap related...



Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as
cn=Manager,dc=,dc=it/PASSWORD to 192.168.1.221:389
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful


Bind as manager is ok...


Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in
ou=utenti,dc=,dc=it, with filter (uid=misterc)
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for
misterc is allowed by userPassword
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password
{SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in
directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as
Auth-Type, value LDAP  op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as
User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs=  op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in
directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use
remote access


Great, rlm_ldap has retrieved everything needed.


Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns
ok) for request 0


Now it's time to run the authenticate module


Fri Jul 21 11:15:51 2006 : Debug:   rad_check_password:  Found Auth-Type
LDAP
Fri Jul 21 11:15:51 2006 : Debug: auth: type LDAP
Fri Jul 21 11:15:51 2006 : Debug:   Processing the authenticate section of
radiusd.conf


Ldap module will be used (that is to say a bind with the user's 
credential will be attempted, provided that the request contains the 
necessary data).



Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: calling pap
(rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute Password is required
for authentication. Cannot use CHAP-Password.


Well, it seems that your radius client is trying CHAP and not PAP. You 
wrote in a previous mail that the request was:

rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
  User-Name = misterc
  CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
  CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
  NAS-IP-Address = 0.0.0.0
  Service-Type = Login-User
  Framed-IP-Address = 192.168.182.2
  Calling-Station-Id = XX-XX-XX-XX-XX-XX
  Called-Station-Id = AA-AA-AA-AA-DD-AA
  NAS-Identifier = nas01
  Acct-Session-Id = 44bfd15d
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 0
  Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
  WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;


That means that your client is trying MS-CHAP, and MS-CHAP can't be 
used with something else than NT-Hash passwords or cleartext passwords 
in the authorize backend (in your case LDAP).


Thibault

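Thibault reads the debug output above by hand: who rlm_ldap bound as, what it searched for, what each module returned, whether an Auth-Type was found, and where the request finally died. The script below is an added example written for this page (not code from the thread or from FreeRADIUS) that does the same triage mechanically over radiusd debug output. The two log excerpts are lines quoted from Giuseppina's 20 July run (which failed in authorize because the anonymous bind found no entry) and her 21 July run (which got past authorize and failed in authenticate on the CHAP-Password); the regexes, the `parse_radiusd_log`/`diagnose` names and the diagnosis wording are my own assumptions.

```python
import re

# Excerpts of radiusd debug output quoted from the thread: the 20 July run,
# which failed in the authorize section, and the 21 July run, which got past
# authorize and failed in authenticate.
LOG_0720 = """\
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got ambiguous search result
Thu Jul 20 20:54:51 2006 : Debug: modcall[authorize]: module ldap returns notfound for request 0
Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""
LOG_0721 = """\
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as cn=Manager,dc=,dc=it/PASSWORD to 192.168.1.221:389
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs=  op=21
Fri Jul 21 11:15:51 2006 : Debug: modcall[authorize]: module ldap returns ok for request 0
Fri Jul 21 11:15:51 2006 : Debug:   rad_check_password:  Found Auth-Type LDAP
Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute Password is required for authentication. Cannot use CHAP-Password.
Fri Jul 21 11:15:51 2006 : Debug: modcall[authenticate]: module pap returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Auth: rlm_ldap: Attribute User-Password is required for authentication. Cannot use CHAP-Password.
Fri Jul 21 11:15:51 2006 : Debug: modcall[authenticate]: module ldap returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Debug: auth: Failed to validate the user.
"""

# One regex per fact worth extracting; the wording matches the 1.x output quoted above.
PATTERNS = {
    "bind": re.compile(r"rlm_ldap: bind as (\S*) to (\S+)"),
    "search": re.compile(r"rlm_ldap: performing search in (.+?), with filter (.+)$"),
    "password": re.compile(r"rlm_ldap: Adding (\S+) as User-Password, value (\S+)"),
    "module": re.compile(r"modcall\[(\w+)\]: module (\w+) returns (\w+) for request"),
    "authtype": re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)"),
    "autherr": re.compile(r" : Auth: (rlm_\w+): (.+)$"),
    "verdict": re.compile(r" : Debug: auth: (.+)$"),
}


def parse_radiusd_log(text):
    """Reduce a debug log to the handful of facts needed for triage."""
    facts = {"bind_dn": None, "search": None, "stored_password": None,
             "modules": [], "auth_type": None, "auth_errors": [], "verdict": None}
    for line in text.splitlines():
        if m := PATTERNS["bind"].search(line):
            dn = m.group(1).split("/", 1)[0]          # strip the "/PASSWORD" suffix
            facts["bind_dn"] = dn or "anonymous"      # "bind as / to" is an anonymous bind
        elif m := PATTERNS["search"].search(line):
            facts["search"] = (m.group(1), m.group(2))   # (base DN, filter)
        elif m := PATTERNS["password"].search(line):
            facts["stored_password"] = m.group(2)
        elif m := PATTERNS["module"].search(line):
            facts["modules"].append(m.groups())       # (section, module, return code)
        elif m := PATTERNS["authtype"].search(line):
            facts["auth_type"] = m.group(1)
        elif m := PATTERNS["autherr"].search(line):
            facts["auth_errors"].append(m.group(2))
        elif m := PATTERNS["verdict"].search(line):
            facts["verdict"] = m.group(1)
    return facts


def diagnose(facts):
    """Map the extracted facts to the two failure patterns seen in the thread."""
    authz = {mod: rc for sec, mod, rc in facts["modules"] if sec == "authorize"}
    if authz.get("ldap") == "notfound":
        base, flt = facts["search"] or ("?", "?")
        return ("authorize: no entry matched %s under %s when bound as %s; "
                "check basedn, filter and the directory ACLs for that bind"
                % (flt, base, facts["bind_dn"]))
    if facts["auth_type"] and any("CHAP-Password" in e for e in facts["auth_errors"]):
        return ("authenticate: request carries CHAP-Password but the backend supplied %s; "
                "CHAP can only be verified from a cleartext password" % facts["stored_password"])
    return "no known failure pattern; final verdict: %s" % facts["verdict"]


if __name__ == "__main__":
    for name, log in (("20 July", LOG_0720), ("21 July", LOG_0721)):
        print(name, "->", diagnose(parse_radiusd_log(log)))
```

Feeding the 20 July excerpt yields the anonymous-bind/not-found diagnosis and the 21 July excerpt the CHAP-Password one, which is the order in which the thread itself worked through the problem: fix the directory access first, then the password storage format.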


Re: Using mschap authentication without EAP

2006-07-21 Thread Phil Mayers

Thibault Le Meur wrote:

rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
  User-Name = misterc
  CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
  CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986




That means that your client is trying MS-CHAP, and MS-CHAP can't be used 
with something else than NT-Hash passwords or cleartext passwords in the 
authorize backend (in your case LDAP).


No, it does NOT.

It means his client is trying CHAP. Not MS-CHAP


RE : Using mschap authentication without EAP

2006-07-21 Thread Thibault Le Meur
 
 Thibault Le Meur wrote:
  rad_recv: Access-Request packet from host 127.0.0.1:32801, 
 id=0, length=217
User-Name = misterc
CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
 
  
  That means that your client is trying MS-CHAP, and MS-CHAP can't be 
  used
  with something else than NT-Hash passwords or cleartext 
 passwords in the 
  authorize backend (in your case LDAP).
 
 No, it does NOT.
 
 It means his client is trying CHAP. Not MS-CHAP

You're right... sorry I was too fast in my reply... ;-) but the conclusion
was about the same : use a cleartext password (except for the Nt-hash
alternative ;-) ).

Thibault


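Thibault's conclusion that the backend must hold a cleartext password (or, for MS-CHAP, an NT-Hash), and Phil's correction that the request in question is plain CHAP rather than MS-CHAP, both come down to how the response is computed and which attributes carry it. The Python below is an added example written for this page, not code from the thread or from FreeRADIUS: it classifies a request by the attributes it carries, recomputes an RFC 1994 CHAP response the way a server must, and shows why a {SHA} userPassword cannot be checked against one. The request attributes and the stored userPassword are the values quoted in the thread; the password "s3cret", the `{clear}` header convention and the function names are assumptions of the example.

```python
import hashlib
import hmac
import os

# The Access-Request quoted in the thread: the NAS sent CHAP (RFC 1994 carried in
# RADIUS, RFC 2865 sect. 5.3 and 5.40), not MS-CHAP, which would arrive as the
# Microsoft vendor attributes MS-CHAP-Challenge / MS-CHAP-Response (RFC 2548).
THREAD_REQUEST = {
    "User-Name": "misterc",
    "CHAP-Challenge": bytes.fromhex("a26932d73791f27d1314426f740ab34e"),
    "CHAP-Password": bytes.fromhex("002e07a2cc1f27e7fbd22e7bb3721a3986"),
}
# The userPassword value rlm_ldap copied into the check items (decoded from the LDIF).
THREAD_STORED = "{SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs="


def classify_auth_method(attrs):
    """Name the password method a request carries, from the attributes present."""
    if "MS-CHAP-Response" in attrs or "MS-CHAP2-Response" in attrs:
        return "MS-CHAP"   # verifiable from an NT-Hash or a cleartext password
    if "CHAP-Password" in attrs:
        return "CHAP"      # verifiable only from a cleartext password
    if "User-Password" in attrs:
        return "PAP"       # the server gets the password itself, so any stored hash works
    return "none"


def chap_response(ident, password, challenge):
    """RFC 1994 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def verify_chap(attrs, stored):
    """Check CHAP-Password against what the backend holds for the user.

    `stored` is the raw userPassword string.  With a cleartext value (bare, or
    behind a {clear} header, an assumed convention here) the server can recompute
    the MD5 and compare.  With a one-way hash such as {SHA}... it cannot, which is
    the "Cannot use CHAP-Password" failure in the thread's debug output.
    """
    if stored.lower().startswith("{clear}"):
        stored = stored[len("{clear}"):]
    elif stored.startswith("{"):
        return False, "backend holds a one-way hash; CHAP needs cleartext"
    chap_pw = attrs["CHAP-Password"]
    ident, response = chap_pw[0], chap_pw[1:]        # 1-octet CHAP id, 16-octet MD5
    # RFC 2865: without a CHAP-Challenge attribute the Request Authenticator is the challenge
    challenge = attrs.get("CHAP-Challenge") or attrs["Request-Authenticator"]
    ok = hmac.compare_digest(chap_response(ident, stored, challenge), response)
    return ok, ("ok" if ok else "bad password")


def build_chap_request(user, password, ident=0, challenge=None):
    """Constructed NAS side of the exchange, used only to exercise verify_chap()."""
    challenge = challenge or os.urandom(16)
    return {
        "User-Name": user,
        "CHAP-Challenge": challenge,
        "CHAP-Password": bytes([ident]) + chap_response(ident, password, challenge),
    }


if __name__ == "__main__":
    print(classify_auth_method(THREAD_REQUEST))        # CHAP
    print(verify_chap(THREAD_REQUEST, THREAD_STORED))  # refused: {SHA} is one-way
    req = build_chap_request("misterc", "s3cret")      # constructed password
    print(verify_chap(req, "s3cret"))                   # (True, 'ok')
    print(verify_chap(req, "{clear}s3cret"))            # (True, 'ok')
```

PAP is the only method in that list that works against a hashed userPassword, because with PAP the server holds the submitted password and can hash it the same way the directory did; with CHAP the server never sees the password, only MD5 over it, so the directory has to supply the cleartext.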


Re: RE : Using mschap authentication without EAP

2006-07-21 Thread Giuseppina Venezia
All right. Now authentication works fine.
Many thanks to all who have given me this useful advice.
Have a nice day.
Thanks again,
Giusy Venezia

Using mschap authentication without EAP

2006-07-20 Thread Giuseppina Venezia
Hi, I'm using freeradius-1.1.2 with OpenLDAP for storing user accounts, to authenticate a Wi-Fi LAN.
I need a transparent authentication method since the clients are heterogeneous, so I can't use any type of EAP* authentication because I cannot install Xsupplicant on every client.
Can I use mschap authentication for this, and is there some specific documentation? I've searched a lot but I haven't found exhaustive documentation.
And if I cannot use mschap, are there other solutions for Wi-Fi authentication via LDAP?
Excuse my bad English.
Giusy Venezia

Re: Using mschap authentication without EAP

2006-07-20 Thread Phil Mayers

Giuseppina Venezia wrote:
Hi, I'm using freeradius-1.1.2 with OpenLDAP for storing user accounts, 
to authenticate a Wi-Fi LAN.
I need a transparent authentication method since the clients are 
heterogeneous, so I can't use any type of EAP* authentication because I 
cannot install Xsupplicant on every client.


If you mean 802.1x authentication, I don't think you understand how it 
works. All 802.1x (link layer) authentication methods use EAP, so all 
clients must have SOME kind of supplicant.


Non-802.1x authentication is normally done via some kind of web-based 
login. Google for captive portal or walled garden. The auth types 
you can use with a captive portal depend on the captive portal. See the 
docs for your portal.


Can I use mschap authentication for this, and is there some specific 
documentation? I've searched a lot but I haven't found exhaustive 
documentation.
And if I cannot use mschap, are there other solutions for Wi-Fi 
authentication via LDAP?


I'm afraid this doesn't make sense to me. Can you describe in more 
detail what you're trying to do?


Re: Using mschap authentication without EAP

2006-07-20 Thread Giuseppina Venezia
Sorry, but my English is not so good. We need to implement a web-based
login (Chillispot + Apache) connected to FreeRadius. FreeRadius needs
to read information on users using OpenLDAP.
We need an exclusively web-based authentication for clients, avoiding
the installation of external programs to check access, like Xsupplicant.
The implementation works fine with a MySQL database, but the question
is whether it is possible to realize the same implementation using OpenLDAP
instead of MySQL, keeping the same web-based login criteria for clients.
Thanks for your attention.
On 7/20/06, Phil Mayers [EMAIL PROTECTED] wrote:

Giuseppina Venezia wrote:

Hi, I'm using freeradius-1.1.2 with OpenLDAP for storing user accounts, to
authenticate a Wi-Fi LAN.
I need a transparent authentication method since the clients are
heterogeneous, so I can't use any type of EAP* authentication because I
cannot install Xsupplicant on every client.

If you mean 802.1x authentication, I don't think you understand how it
works. All 802.1x (link layer) authentication methods use EAP, so all
clients must have SOME kind of supplicant.

Non-802.1x authentication is normally done via some kind of web-based
login. Google for captive portal or walled garden. The auth types
you can use with a captive portal depend on the captive portal. See the
docs for your portal.

Can I use mschap authentication for this, and is there some specific
documentation? I've searched a lot but I haven't found exhaustive
documentation.
And if I cannot use mschap, are there other solutions for Wi-Fi
authentication via LDAP?

I'm afraid this doesn't make sense to me. Can you describe in more
detail what you're trying to do?

Re: Using mschap authentication without EAP

2006-07-20 Thread Alan DeKok
Giuseppina Venezia [EMAIL PROTECTED] wrote:
 We need an exclusively web-based authentication for clients, avoiding the
 installation of external programs to check access like Xsupplicant. The
 implementation works fine with a MySQL Database, but the question is if is
 possible realize the same implementation using OpenLDAP instead of MySQL
 keeping for clients the same web-based login criterions.

  Yes.

  Alan DeKok.


Re: Using mschap authentication without EAP

2006-07-20 Thread Giuseppina Venezia
We have tried to integrate OpenLDAP and FreeRadius. When we try to authenticate with the clients this is the error message:

Thu Jul 20 20:53:45 2006 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
	User-Name = misterc
	CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
	CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
	NAS-IP-Address = 0.0.0.0
	Service-Type = Login-User
	Framed-IP-Address = 192.168.182.2
	Calling-Station-Id = XX-XX-XX-XX-XX-XX
	Called-Station-Id = AA-AA-AA-AA-DD-AA
	NAS-Identifier = nas01
	Acct-Session-Id = 44bfd15d
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 0
	Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
	WISPr-Logoff-URL = http://192.168.182.1:3990/logoff
Thu Jul 20 20:54:50 2006 : Debug: Processing the authorize section of radiusd.conf
Thu Jul 20 20:54:50 2006 : Debug: modcall: entering group authorize for request 0
Thu Jul 20 20:54:50 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP
Thu Jul 20 20:54:50 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Thu Jul 20 20:54:50 2006 : Debug: modcall[authorize]: module eap returns noop for request 0
Thu Jul 20 20:54:50 2006 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user authorization for misterc
Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: '(uid=misterc)'
Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: 'ou=utenti,dc=,dc=it'
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: (re)connect to 192.168.1.221:389, authentication 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result ...
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got ambiguous search result
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Jul 20 20:54:51 2006 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Thu Jul 20 20:54:51 2006 : Debug: modcall[authorize]: module ldap returns notfound for request 0
Thu Jul 20 20:54:51 2006 : Debug: modcall: leaving group authorize (returns noop) for request 0
Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Thu Jul 20 20:54:51 2006 : Debug: auth: Failed to validate the user.

This is the Radius configuration we are using:

my radius.conf

modules {
	pap {
		encryption_scheme = clear
	}
	ldap {
		server=192.168.1.221
		port=389
		basedn=ou=utenti,dc=uniroma1,dc=it
		filter = (uid=%{Stripped-User-Name:-%{User-Name}})
		start_tls = no
		access_attr = uid
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		authtype = ldap
		ldap_connections_number = 5
		password_header = {SHA}
		password_attribute = userPassword
	}
}
authorize {
	eap
	ldap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type LDAP {
		ldap
	}
}

And this is my OpenLDAP directory (maybe it can be useful):

My LDAP directory tree

dn: dc=,dc=it
dc:
objectClass: dcObject
objectClass: organizationalUnit
ou: uniromaProject
structuralObjectClass: organizationalUnit
entryUUID: 8344c65e-aa07-102a-869a-1bfd23c6a14f
creatorsName: cn=Manager,dc=,dc=it
modifiersName: cn=Manager,dc=,dc=it
createTimestamp: 20060717174334Z
modifyTimestamp: 20060717174334Z
entryCSN: 20060717174334Z#00#00#00

dn: dc=,dc=it
dc:
objectClass: dcObject
objectClass: organizationalUnit
ou: uniromaProject
structuralObjectClass: organizationalUnit
entryUUID: 8344c65e-aa07-102a-869a-1bfd23c6a14f
creatorsName: cn=Manager,dc=,dc=it
modifiersName: cn=Manager,dc=,dc=it
createTimestamp: 20060717174334Z
modifyTimestamp: 20060717174334Z
entryCSN: 20060717174334Z#00#00#00

dn: cn=Luca Ricci,ou=utenti,dc=,dc=it
uid: misterc
description: bel giovine
sn: Ricci
cn: newperson
cn: Luca Ricci
structuralObjectClass: inetOrgPerson
entryUUID: 729c0282-ab64-102a-8ceb-c14bbfafb8b4
creatorsName: cn=Manager,dc=,dc=it
createTimestamp: 20060719112120Z
userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9
objectClass: radiusprofile
objectClass: inetOrgPerson
radiusAuthType: LDAP
entryCSN: 20060719135155Z#00#00#00

If you need any other information please ask us; sorry if we are boring you but we are trying and trying without any significant result.
Thanks.
On 7/20/06, Alan DeKok [EMAIL PROTECTED] 

Re: Using mschap authentication without EAP

2006-07-20 Thread Giuseppina Venezia
Sorry, dc=,dc=it is the correct one, not dc=uniroma1,dc=it as appears in the other configuration file.
Giusy Venezia

On 7/20/06, Giuseppina Venezia [EMAIL PROTECTED] wrote:
Here is my slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

# Set the logging level
loglevel 296

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

# SSL directives
#TLSCipherSuite HIGH
#TLSCertificateFile /usr/local/etc/openldap/slapd-cert.pem
#TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key.pem

# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., access to * by * read)
#
# rootdn can always read and write EVERYTHING!

###
# BDB database definitions
###

database bdb
suffix dc=,dc=it
rootdn cn=Manager,dc=,dc=it
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}gUlr8Lqr7eYgfSti9+Dl76lbkbgK3fqc
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data/.it
mode 0600
# Indices to maintain
index objectClass eq,pres
index cn eq,pres
index uid eq,pres
index userPassword eq,pres
cachesize 2000

Thanks in advance
Giusy Venezia
On 7/20/06, Thibault Le Meur [EMAIL PROTECTED] wrote:

rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
	User-Name = misterc
	CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
	CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
	NAS-IP-Address = 0.0.0.0
	Service-Type = Login-User
	Framed-IP-Address = 192.168.182.2
	Calling-Station-Id = XX-XX-XX-XX-XX-XX
	Called-Station-Id = AA-AA-AA-AA-DD-AA
	NAS-Identifier = nas01
	Acct-Session-Id = 44bfd15d
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 0
	Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
	WISPr-Logoff-URL = http://192.168.182.1:3990/logoff

Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user authorization for misterc
Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: '(uid=misterc)'
Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: 'ou=utenti,dc=,dc=it'

Ok rlm_ldap is initialized

Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result ...
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful

bind to the directory is Ok

Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got ambiguous search result
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed

Ah... Seems that the user bound to the ldap directory can't find uid=misterc
in ou=utenti,dc=,dc=it

Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

So Auth-Type isn't set to Ldap

Thu Jul 20 20:54:51 2006 : Debug: auth: Failed to validate the user.

This is logical

ldap {
	server=192.168.1.221
	port=389
	basedn=ou=utenti,dc=uniroma1,dc=it
	filter = (uid=%{Stripped-User-Name:-%{User-Name}})
	start_tls = no
	access_attr = uid
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	authtype = ldap
	ldap_connections_number = 5