Freeradius 2.1.5 and LDAP+EAP-TLS problem.

Ville Leinonen ville.leinonen at solodel.com
Mon Mar 30 12:45:37 CEST 2009


Hi,

I read that, but what if the user is not found in LDAP? RADIUS seems to need
some Auth-Type. How can I force an Auth-Type using LDAP?

My radius gives this message -> "No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user"

Here are some other logs from when I use only ldap in the authorize section:

rad_recv: Access-Request packet from host 10.10.1.100 port 1024, id=198, length=224
        Framed-MTU = 1466
        NAS-IP-Address = 10.10.1.100
        NAS-Identifier = "8021x"
        User-Name = "lnx01.demo.local"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 37
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "37"
        Called-Station-Id = "00-16-b9-55-48-c0"
        Calling-Station-Id = "00-e0-00-1c-1e-c1"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"
        EAP-Message = 0x02330016017375736530312e64656d6f2e6c6f63616c
        Message-Authenticator = 0x5c313918e00d0d385d435e3194c284ed
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "lnx01.demo.local", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry DEFAULT at line 190
++[files] returns ok
[ldap] performing user authorization for lnx01.demo.local
[ldap]  expand: (cn=%u) -> (cn=lnx01.demo.local)
[ldap]  expand: ou=8021x,dc=demo,dc=local -> ou=8021x,dc=demo,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.10.101.31:389, authentication 0
rlm_ldap: setting TLS CACert Directory to /path/to/ca/dir/
rlm_ldap: bind as cn=Directory Manager/ to 10.10.101.31:389
rlm_ldap: waiting for bind result ...
request done: ld 0x9ba2480 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=8021x,dc=demo,dc=local, with filter (cn=lnx01.demo.local)
request done: ld 0x9ba2480 msgid 2
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user suse01.demo.local authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [suse01.demo.local/<no User-Password attribute>] (from client 8021x port 37 cli 00-e0-00-1c-1e-c1)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> suse01.demo.local
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 198 to 10.10.1.100 port 1024
Waking up in 4.9 seconds.
Cleaning up request 0 ID 198 with timestamp +6
Ready to process requests.

Br,

Ville

>We have OpenLDAP, which includes our machine accounts. We
>also have computer certificates. Now what I want is for FreeRADIUS to
>check authorization against LDAP and authenticate against the certificates.
>
>I have tested putting ldap in the authorization section and eap in the authentication
>section, but this won't work. I have also tested putting both ldap and eap in the
>authorization section, but ldap won't return reject if the user isn't found.
>
>Is there any method to return reject from the authorization section if the user is not
>found in LDAP and stop processing there? Or is there any other method to do this?
>

>Read doc/rlm_ldap about access_attr.

>Ivan Kalik
>Kalik Informatika ISP
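The debug output above shows what is missing: the authorize section runs preprocess, suffix, files, ldap, expiration and logintime, but never the eap module, so nothing sets Auth-Type and the server falls through to "No authenticate method (Auth-Type) configuration found". It also shows why an LDAP miss does not reject: rlm_ldap returns "notfound" for an empty search, and the default authorize actions treat notfound as "continue". The following is an added example of the unlang and module configuration that addresses both points for FreeRADIUS 2.1.x; it is not code from either mail nor the project's shipped config. The base DN and the 8021x OU are taken from the log; the file paths under raddb/, the dialupAccess attribute name and the check_cert_cn line are assumptions about a typical 2.1.x install and should be checked against doc/rlm_ldap and doc/rlm_eap on the box.

```unlang
# --- raddb/sites-available/default (assumed path), FreeRADIUS 2.1.x unlang ---
authorize {
    preprocess
    suffix

    # rlm_eap sets Auth-Type := EAP whenever the request carries an
    # EAP-Message, which is what the log above is missing. For an EAP
    # conversation that is already in progress eap returns "ok", and
    # "ok = return" stops authorize right there, so the LDAP lookup below
    # is only paid for on the initial EAP Identity packet.
    eap {
        ok = return
    }

    files

    # rlm_ldap returns "notfound" when (cn=%u) matches nothing under the
    # basedn. By default authorize treats notfound as "continue", which is
    # why the request was not rejected. Overriding the return code turns a
    # missing machine account into an immediate Access-Reject.
    ldap {
        notfound = reject
    }

    expiration
    logintime
}

authenticate {
    # Auth-Type EAP is handled here; the certificate check is done by
    # the tls sub-module configured in eap.conf.
    eap
}

# --- raddb/modules/ldap (assumed path): the access_attr approach from
# doc/rlm_ldap that Ivan points at. With access_attr_used_for_allow = yes
# an entry that lacks the attribute (or carries FALSE) is rejected, so
# authorization can be revoked per machine without deleting the entry.
ldap {
    server = "10.10.101.31"
    basedn = "ou=8021x,dc=demo,dc=local"
    filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
    access_attr = "dialupAccess"          # attribute name is an assumption
    access_attr_used_for_allow = yes
    # bind with a read-only service account limited to ou=8021x instead of
    # cn=Directory Manager seen in the debug log (identity/password omitted)
}

# --- raddb/eap.conf (assumed path), inside "tls { ... }" ---
# The outer User-Name that the LDAP filter searches on is supplied by the
# supplicant and is not authenticated by anything above. Tying the
# certificate CN to User-Name makes the LDAP authorization apply to the
# identity that EAP-TLS actually proved.
#   check_cert_cn = %{User-Name}
```

With this in place, a machine that presents a valid certificate but has no entry (or no dialupAccess) under ou=8021x,dc=demo,dc=local is rejected in authorize before the TLS handshake starts, and a machine that exists in LDAP but presents a certificate whose CN does not match its User-Name is rejected by the tls module. Run `radiusd -X` after the change and look for "[eap] EAP packet type response" followed by "++[eap] returns updated" in the authorize group; the "No authenticate method" line should no longer appear.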