Using mschap authentication without EAP

Giuseppina Venezia giusy.venezia at gmail.com
Thu Jul 20 20:37:50 CEST 2006


We have tried to integrate OpenLDAP and FreeRadius. When we try to
authenticate with the clients this is the error message:

Thu Jul 20 20:53:45 2006 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
        User-Name = "misterc"
        CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
        CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
        NAS-IP-Address = 0.0.0.0
        Service-Type = Login-User
        Framed-IP-Address = 192.168.182.2
        Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
        Called-Station-Id = "AA-AA-AA-AA-DD-AA"
        NAS-Identifier = "nas01"
        Acct-Session-Id = "44bfd15d00000000"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
        WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
Thu Jul 20 20:54:50 2006 : Debug:   Processing the authorize section of radiusd.conf
Thu Jul 20 20:54:50 2006 : Debug: modcall: entering group authorize for request 0
Thu Jul 20 20:54:50 2006 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 0
Thu Jul 20 20:54:50 2006 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Thu Jul 20 20:54:50 2006 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 0
Thu Jul 20 20:54:50 2006 : Debug:   modcall[authorize]: module "eap" returns noop for request 0
Thu Jul 20 20:54:50 2006 : Debug:   modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user authorization for misterc
Thu Jul 20 20:54:50 2006 : Debug: radius_xlat:  '(uid=misterc)'
Thu Jul 20 20:54:50 2006 : Debug: radius_xlat:  'ou=utenti,dc=XXXX,dc=it'
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: (re)connect to 192.168.1.221:389, authentication 0
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result ...
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=XXXX,dc=it, with filter (uid=misterc)
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got ambiguous search result
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed
Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Jul 20 20:54:51 2006 : Debug:   modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Thu Jul 20 20:54:51 2006 : Debug:   modcall[authorize]: module "ldap" returns notfound for request 0
Thu Jul 20 20:54:51 2006 : Debug: modcall: leaving group authorize (returns noop) for request 0
Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Thu Jul 20 20:54:51 2006 : Debug: auth: Failed to validate the user.


This is the Radius configuration we are using:

my radius.conf

modules {
    pap {
        encryption_scheme = clear
    }
    ldap {
        server="192.168.1.221"
        port="389"
        basedn="ou=utenti,dc=uniroma1,dc=it"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "uid"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        authtype = ldap
        ldap_connections_number = 5
        password_header = "{SHA}"
        password_attribute = userPassword
    }
}

authorize {
    eap
    ldap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
}

And this is my OpenLDAP directory (maybe it can be useful):

My LDAP directory tree

dn: dc=xxxx,dc=it
dc: xxxx
objectClass: dcObject
objectClass: organizationalUnit
ou: uniromaProject
structuralObjectClass: organizationalUnit
entryUUID: 8344c65e-aa07-102a-869a-1bfd23c6a14f
creatorsName: cn=Manager,dc=xxxx,dc=it
modifiersName: cn=Manager,dc=xxxx,dc=it
createTimestamp: 20060717174334Z
modifyTimestamp: 20060717174334Z
entryCSN: 20060717174334Z#000000#00#000000

dn: cn=Luca Ricci,ou=utenti,dc=xxxx,dc=it
uid: misterc
description: bel giovine
sn: Ricci
cn: newperson
cn: Luca Ricci
structuralObjectClass: inetOrgPerson
entryUUID: 729c0282-ab64-102a-8ceb-c14bbfafb8b4
creatorsName: cn=Manager,dc=xxxx,dc=it
createTimestamp: 20060719112120Z
userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9
objectClass: radiusprofile
objectClass: inetOrgPerson
radiusAuthType: LDAP
entryCSN: 20060719135155Z#000000#00#000000

If you need any other information please ask us; sorry if we are boring you
but we are trying and trying without any significant result.
Thanks.

On 7/20/06, Alan DeKok <aland at nitros9.org> wrote:
>
> "Giuseppina Venezia" <giusy.venezia at gmail.com> wrote:
> > We need an exclusively web-based authentication for clients, avoiding the
> > installation of external programs to check access like Xsupplicant. The
> > implementation works fine with a MySQL Database, but the question is if it is
> > possible to realize the same implementation using OpenLDAP instead of MySQL
> > keeping for clients the same web-based login criteria.
>
>   Yes.
>
>   Alan DeKok.
>
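
An added example, not part of the original post and not FreeRADIUS code: a small Python triage script for debug output like the one quoted above. It rejoins hard-wrapped log lines, lists each module's return code, and flags a reject caused by a missing Auth-Type; the sample input is constructed from lines in the post, and the names `unwrap` and `triage` are hypothetical.

```python
import re

# Constructed sample: lines taken from the debug output quoted in the post,
# with the mail client's hard wraps left in place.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
        User-Name = "misterc"
        CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
Thu Jul 20 20:54:50 2006 : Debug:   modcall[authorize]: module "eap" returns
noop for request 0
Thu Jul 20 20:54:51 2006 : Debug:   modcall[authorize]: module "ldap"
returns notfound for request 0
Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
"""

STAMP = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} : \w+: ")
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")
MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')

def unwrap(text):
    """Rejoin wrapped records so that each log record is one string."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # A record starts with a timestamp, an indented attribute or rad_recv;
        # anything else is the wrapped tail of the previous record.
        starts = STAMP.match(line) or ATTR.match(line) or line.startswith("rad_recv:")
        if starts or not out:
            out.append(line)
        else:
            out[-1] += " " + line.strip()
    return out

def triage(text):
    """Summarise one request: attributes, module return codes, reject cause."""
    report = {"attrs": {}, "modules": [], "no_auth_type": False}
    for rec in unwrap(text):
        if (m := ATTR.match(rec)):
            report["attrs"][m.group(1)] = m.group(2).strip('"')
        elif (m := MODCALL.search(rec)):
            report["modules"].append(m.groups())  # (section, module, rcode)
        elif "No authenticate method (Auth-Type)" in rec:
            report["no_auth_type"] = True
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```
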

More information about the Freeradius-Users mailing list