802.1x + freeradius authentication problem
Hi all,

We are trying to set up an environment with 802.1x + Freeradius for our Wireless net. Our goal is to authenticate Windows XP clients using EAP.

Our radius server is bound to an LDAP database. We have tested our users with a "radius-test" tool and everything seems to work fine, but when trying to validate in our 802.1x environment, the radius server rejects the user. In fact, although we get an "authorize returns ok", there seems to be an additional check that claims the user has no password.

Any ideas? We attach the radiusd log (hope it helps!).

Thanks in advance,


rad_recv: Access-Request packet from host **NAS_ IP_ADDRESS** port 1027, id=2, length=187
      Message-Authenticator = 0xc40883257068815f1b14f3b80780eeab
      Service-Type = Framed-User
      User-Name = "ID_of_USER"
      Framed-MTU = 1488
      State = 0xb32f32ffc94e41b83d5af8f919ee449e
      Called-Station-Id = "00-12-CF-1A-15-80:Eduroam"
      Calling-Station-Id = "00-0E-35-FE-1F-6D"
      NAS-Port-Type = Wireless-802.11
      Connect-Info = "CONNECT 54Mbps 802.11g"
      EAP-Message = 0x020200060319
      NAS-IP-Address = 1.0.1.2
      NAS-Port = 1
      NAS-Port-Id = "STA port # 1"
Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
radius_xlat: '/home/radmgr/freeradius/var/log/radius/radacct/158.109.1.15/auth-detail-20070201'
rlm_detail: /home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /home/radmgr/freeradius/var/log/radius/radacct/NAS_IP_ADDRESS/auth-detail-20070201
radius_xlat:  'Thu Feb  1 17:06:44 2007'
modcall[authorize]: module "auth_log" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
  rlm_realm: No '@' in User-Name = "ID_of_USER", looking up realm NULL
  rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: Ignoring NAK with request for unknown EAP type
modcall[authorize]: module "eap" returns noop for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ID_of_USER
radius_xlat:  '(uid=ID_of_USER)'
radius_xlat:  'ou=People,dc=my_org,dc=es'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=my_org,dc=es, with filter (uid=ID_of_USER)
rlm_ldap: Password header not found in password {SSHA}HzNGeJ1eXDD/B9ZOG+QdbpeCGUx1Q+UiMSdLZg== for user ID_of_USER
rlm_ldap: Added User-Password = {SSHA}HzNGeJ1eXDD/B9ZOG+QdbpeCGUx1Q+UiMSdLZg== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding LDAP attribute UserClass as RADIUS attribute Filter-Id = GRUPS_INTERES#951#Servei d'Informàtica
rlm_ldap: Adding LDAP attribute UserClass as RADIUS attribute Filter-Id = USUARI_PROVES#951#Servei d'Informàtica
rlm_ldap: user IP_of_USER authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
modcall: group authorize returns ok for request 6
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [ID_of_User/<no User-Password attribute>] (from client NAS_IP_ADDRESS port 1 cli 00-0E-35-FE-1F-6D)
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 2 to NAS_IP_ADDRESS port 1027
      Filter-Id = "GRUPS_INTERES#951#Servei d'Inform\303\240tica"
Cleaning up request 6 ID 2 with timestamp 45c21014
Cleaning up request 5 ID 1 with timestamp 45c21014
Cleaning up request 4 ID 0 with timestamp 45c21014
Nothing to do.  Sleeping until we see a request.

--
Ramón Barquier Montalbán Comunicacions
Servei d'Informàtica

Edifici D
Campus de la UAB
08193 Bellaterra. Barcelona
Tel. +34 935 811 488        Fax: +34 935 812 094
Ramon.Barquier@uab.es
www.uab.es/si
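The debug log above can be read mechanically. Two things in it are worth decoding by hand: the EAP-Message attribute (0x020200060319 is an EAP Response, id 2, length 6, type 3 = Nak, whose data byte 0x19 = 25 names PEAP, the method the client wants), and the {SSHA} userPassword that rlm_ldap pulled from the directory and, failing to recognise its header, added verbatim as the known-good password. The script below is an added example, not code from the post or from the FreeRADIUS project: it parses the EAP header and Nak, splits an OpenLDAP {SSHA} value into digest and salt (and shows that only a cleartext candidate can ever be checked against it), and runs a small triage over the log lines copied from the post to spell out why the request ended in Auth-Type Local with no password to compare. The function names, the sample password and the salt are my own constructions.

```python
"""Decode the EAP-Message and {SSHA} value seen in a FreeRADIUS debug log.

Added example (not from the post or the FreeRADIUS project). The lines in
POST_LOG are copied from the post; everything else here is constructed.
"""
import base64
import hashlib
import hmac
import re

# RFC 3748 code values and the IANA EAP method types that matter on a WLAN.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap_message(hex_value):
    """Decode the hex payload of a RADIUS EAP-Message attribute into a dict."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP length field %d does not match %d payload bytes" % (length, len(raw)))
    info = {"code": EAP_CODES.get(code, "unknown(%d)" % code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a Type byte
        eap_type = raw[4]
        info["type"] = EAP_TYPES.get(eap_type, "unknown(%d)" % eap_type)
        if eap_type == 3:                         # Nak: data lists the methods the peer accepts
            info["nak_wants"] = [EAP_TYPES.get(t, "unknown(%d)" % t) for t in raw[5:]]
    return info


SSHA_RE = re.compile(r"^\{SSHA\}([A-Za-z0-9+/=]+)$")


def parse_ssha(stored):
    """Split an OpenLDAP {SSHA} userPassword into (sha1_digest, salt)."""
    m = SSHA_RE.match(stored)
    if not m:
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(m.group(1))
    if len(blob) <= 20:
        raise ValueError("{SSHA} blob must hold a 20-byte SHA-1 digest plus salt")
    return blob[:20], blob[20:]


def make_ssha(password, salt):
    """Build an {SSHA} value: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(candidate, stored):
    """Check a cleartext candidate against an {SSHA} value (what PAP can do)."""
    digest, salt = parse_ssha(stored)
    calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def triage_auth_log(lines):
    """Pull the EAP, LDAP and auth facts out of radiusd -X output and explain them."""
    r = {"eap": None, "nak_ignored": False, "ldap_password": None, "auth_type": None, "findings": []}
    for line in lines:
        s = line.strip()
        if s.startswith("EAP-Message = "):
            r["eap"] = parse_eap_message(s.split(" = ", 1)[1])
        elif "Ignoring NAK with request for unknown EAP type" in s:
            r["nak_ignored"] = True
        elif "Password header not found in password" in s:
            m = re.search(r"password (\{[A-Za-z0-9]+\})", s)
            r["ldap_password"] = m.group(1) if m else "unknown-scheme"
        elif s.startswith("auth: type "):
            r["auth_type"] = s[len("auth: type "):]
    eap = r["eap"]
    if eap and eap.get("type") == "Nak" and r["nak_ignored"]:
        r["findings"].append("client rejected the offered EAP method and asked for %s, which rlm_eap "
                             "does not have enabled, so the eap module returned noop" % ", ".join(eap["nak_wants"]))
    if r["auth_type"] == "Local":
        r["findings"].append("no module set Auth-Type, so the request fell to Auth-Type Local, which needs a "
                             "User-Password or CHAP-Password in the request; an EAP request carries neither")
    if r["ldap_password"]:
        r["findings"].append("rlm_ldap did not recognise the %s header and added the hash string verbatim "
                             "as the known-good password" % r["ldap_password"])
    return r


# Lines copied from the post's radiusd log (constructed sample input for the triage).
POST_LOG = """\
      EAP-Message = 0x020200060319
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: Ignoring NAK with request for unknown EAP type
modcall[authorize]: module "eap" returns noop for request 6
rlm_ldap: Password header not found in password {SSHA}HzNGeJ1eXDD/B9ZOG+QdbpeCGUx1Q+UiMSdLZg== for user ID_of_USER
modcall[authorize]: module "ldap" returns ok for request 6
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
""".splitlines()

if __name__ == "__main__":
    print(parse_eap_message("0x020200060319"))
    for finding in triage_auth_log(POST_LOG)["findings"]:
        print("-", finding)
```

The triage deliberately stops at what the log states: the eap module returned noop on the Nak, no Auth-Type was set, and Local authentication had nothing to compare. The {SSHA} helper makes the second half of that concrete: a salted SHA-1 can only be checked when the candidate password arrives in cleartext, which is what a PAP radtest sends and what an EAP exchange never does.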
