EAP-TTLS with mschapv2 and edirectory

Ivan Kalik tnt at kalik.net
Wed Sep 9 11:28:28 CEST 2009


>> >> Freeradius and eDirectory work like a charm when I use it for Cisco-
>> >> VPN
>> >> authentication.
>> >
>> >  Which is likely PAP (i.e. clear-text password).
>> >
>> >
>> >> rlm_ldap: Error reading Universal Password.Return Code = -1635
>> >
>> >  Go fix that.
>> >
>> >  eDirectory isn't returning the password.  Therefore, FreeRADIUS
>> > doesn't have it, and cannot authenticate anyone.
>>
>> Turn on universal password and allow user to retrieve password in your
>> universal password policy.
>> Then reset their password using imanager or via ldap and try again.
>>
> the strange thing is that I've never used anything else than universal
> password and my universal password policy does allow the user to read
> the password.

There is a link to the document explaining how to set this up in ldap
module. Have you read that?

> I get the same error with the working Cisco-VPN configuration, see the
> debug output:
>

Yes, but ...

> Ready to process requests.
> rad_recv: Access-Request packet from host 10.99.4.1:1025, id=161,
> length=142
> 	User-Name = "dfuernsin"
> 	User-Password = "xxxxxx"
> 	NAS-Port = 172
> 	Service-Type = Framed-User
> 	Framed-Protocol = PPP
> 	Called-Station-Id = "10.99.4.1"
> 	Calling-Station-Id = "10.3.4.97"
> 	NAS-Port-Type = Virtual
> 	Tunnel-Client-Endpoint:0 = "10.3.4.97"
> 	NAS-IP-Address = 10.99.4.1
> 	Cisco-AVPair = "ip:source-ip=10.3.4.97"

It's a PAP request.

...
> rlm_ldap: bind as cn=dfuernsin,ou=ITS,ou=People,o=TGM/xxxxxx to
> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user dfuernsin authenticated succesfully
...

And you are doing "bind as user" authentication.

> I guess that cannot be the problem then...

Yes, it can.

Ivan Kalik
Kalik Informatika ISP
