802.1x, EAP and LDAP

Mike Richardson doctor at mcc.ac.uk
Mon Mar 3 17:07:43 CET 2008


On Mon, Mar 03, 2008 at 04:46:36PM +0100, Alan DeKok wrote:
> Mike Richardson wrote:
> >>   2) Configure a test LDAP with "radtest" (clear-text password)
> >>      for a *different* user
> > 
> > Doesn't work. Similar sort of error though.
> 
>   Then fix that before proceeding with EAP.

> >>   Don't do 802.1x and LDAP until you have normal "radtest" working with
> >> LDAP.
> > 
> > AFAICT radtest doesn't do EAP so it didn't seem to be a particularly valid
> > test. 
> 
>   To be blunt: it's rude to ask questions of experts, and then to tell
> them that their answers are invalid.  If you know better, why are you
> asking questions on this list?

I'm not trying to be rude I promise. I'm asking here because I don't know
better. I'm sorry if it sounds different, it's just that after a solid
week on this I'm a little frustrated. Apologies if this came through.

I'd read that radtest didn't do EAP so I installed Xsupplicant and was using
that for tests. That seems to be a more realistic approach. If you think that
I can fix the problem by not attempting EAP and using radtest then that is
exactly what I shall do.

> > The approach required appeared quite different but I'm open to
> > suggestions. I've spent a long time trying to get RADIUS/LDAP auth to work
> > in any format.
> 
>   I've spent over 10 years working with RADIUS, and almost 9 years with
> FreeRADIUS.  The "Active Directory with LDAP && TTLS" issue has come up
> more times than I can count.  It has been *solved* more times than I can
> count, by FOLLOWING INSTRUCTIONS.

I am doing everything that has been asked of me. 

> > Anyway, the output from a test with 'radtest' and LDAP:
> ...
> > rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
> 
>   You were told to go fix this.  Do it.  Now

I DID. I didn't think that posting the new radius config would be of use but
the section in authenticate is DEFINITELY there and uncommented. Why this
message is appearing in the output is a mystery to me.

> > rad_recv: Access-Request packet from host 130.88.200.85:1025, id=61, length=48
> > 	User-Name = "raduser2"
> > 	User-Password = "raduser20"
> ...
> > rlm_ldap: looking for check items in directory...
> 
>   Nothing.  This isn't surprising for Active Directory.

Novell eDirectory, not Active Directory.

> > auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> 
>   If you have configured "ldap" in the "authenticate" section, then this
> would work.  The LDAP "bind as user" works with AD for PAP requests.

I did.

>   Hint: look in the configuration files for instances of the word
> "ldap".  Read the comments.  Un-comment the sample configurations.
>
I did.

>   It's *not* hard.

I know, that's why I did it.

>   1) install FreeRADIUS
>   2) configure LDAP (*all* references in radiusd.conf &&
> sites-available/default)
>   3) validate that radtest works.

I'm reading everything and following all the instructions to the letter.
Please don't take that sort of attitude. I've explained that I'm not, so I'd
appreciate it if you'd do the same.

Thanks,

Mike

-- 
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*
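As an added example (not from this thread or the FreeRADIUS project), a small Python checker that reads a FreeRADIUS 2.x virtual-server file such as sites-available/default and reports whether an uncommented "ldap" entry actually appears under both authorize and authenticate, the condition behind the "Over-riding set_auth_type, as we're not listed in the 'authenticate' section" message; the two sample configs are constructed and assume the 2.x sites-available layout.

```python
# Added example (not from the thread): check that the "ldap" module is listed,
# uncommented, under authorize and authenticate in a FreeRADIUS server file.
TARGETS = ("authorize", "authenticate")

def strip_comment(line):
    """Drop a '#' comment and surrounding whitespace (quotes not handled)."""
    return line.split("#", 1)[0].strip()

def section_tokens(config_text):
    """Map each target section to the uncommented module and sub-block names
    inside it at any depth, so 'ldap' under 'Auth-Type LDAP {' is counted."""
    tokens = {name: [] for name in TARGETS}
    stack = []  # sections currently open, outermost first
    for raw in config_text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        token = line[:-1].strip() if line.endswith("{") else line
        for name in TARGETS:
            if name in stack:
                tokens[name].append(token)
        if line.endswith("{"):
            stack.append(token)
    return tokens

def check_ldap_auth(config_text):
    """Return (in_authorize, in_authenticate) for 'ldap'; a False second value
    is what rlm_ldap means by "we're not listed in the authenticate section"."""
    t = section_tokens(config_text)
    return ("ldap" in t["authorize"], "ldap" in t["authenticate"])

# Constructed samples: BROKEN leaves the LDAP block commented out, FIXED does not.
BROKEN_CONFIG = """authorize {
    ldap   # sets Auth-Type := LDAP when the user is found
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
#   Auth-Type LDAP {
#       ldap
#   }
}
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("\n#   ", "\n    ")
```

Run it against the file that is actually enabled (sites-enabled, not only sites-available), since a module listed in an unused virtual server does not help the request being tested.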