Setting up FreeRADIUS 2.0.4 with OpenLDAP backend to do wireless auth

Jonathan Amiez ja at edatis.com
Wed Jan 27 11:20:10 CET 2010


Hi everybody.

As the title says, I'm trying to set up FreeRadius to authenticate wireless 
clients (employees). I just finished deploying a Samba/Ldap domain, and I'd 
like to take advantage of this user db.

I already followed several howtos, more or less outdated.

For now, I can authenticate a user against my directory only with radtest. 
When I try from a Win XP laptop doing PEAP (in the wireless assistant), I can't 
get it to work.

I'm not familiar with the bunch of protocols coming with radius and 802.1x 
(PEAP, CHAP, etc.), and I can't find the issue.

Here is the trace of the server, with a connection attempt from the laptop.

FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep  7 2008 at 
23:35:34
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including dictionary file /etc/freeradius/dictionary
main {
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log/freeradius"
        libdir = "/usr/lib/freeradius"
        radacctdir = "/var/log/freeradius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = "/var/run/freeradius/freeradius.pid"
        user = "freerad"
        group = "freerad"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = no
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "testing123"
        shortname = "localhost"
        nastype = "other"
 }
 client 192.168.2.254/24 {
        require_message_authenticator = no
        secret = "testing123"
        shortname = "ap1"
        nastype = "other"
 }
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = "status-server"
        ping_check = "none"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
        wait = yes
        input_pairs = "request"
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
        encryption_scheme = "auto"
        auto_header = yes
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
        radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_ldap
 Module: Instantiating ldap
  ldap {
        server = "ldap-samba.edatis.net"
        port = 389
        password = "*samba$edatis!"
        identity = "cn=samba,ou=DSA,o=siege,dc=edatis,dc=net"
        net_timeout = 1
        timeout = 4
        timelimit = 3
        tls_mode = no
        start_tls = no
        tls_require_cert = "allow"
   tls {
        start_tls = no
        require_cert = "allow"
   }
        basedn = "o=siege,dc=edatis,dc=net"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        password_attribute = "userPassword"
        auto_header = no
        access_attr_used_for_allow = yes
        groupname_attribute = "cn"
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        dictionary_mapping = "/etc/freeradius/ldap.attrmap"
        ldap_debug = 0
        ldap_connections_number = 2
        compare_check_items = no
        do_xlat = yes
        edir_account_policy_check = no
        set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use                                                                                                                         
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id                                                                                                                        
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id                                                                                                                      
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password                                                                                                                                         
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password                                                                                                                                         
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password                                                                                                                                    
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password                                                                                                                                    
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT                                                                                                                                
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration                                                                                                                                    
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address                                                                                                                              
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password                                                                                                                                     
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type                                                                                                                                 
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol                                                                                                                           
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address                                                                                                                        
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask                                                                                                                        
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route                                                                                                                                 
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing                                                                                                                             
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id                                                                                                                                       
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU                                                                                                                                     
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression                                                                                                                     
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host                                                                                                                                
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service                                                                                                                               
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port                                                                                                                              
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number                                                                                                                           
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id                                                                                                                                   
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network                                                                                                                      
rlm_ldap: LDAP radiusClass mapped to RADIUS Class                                                                                                                                              
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout                                                                                                                           
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout                                                                                                                                 
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action                                                                                                                     
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service                                                                                                                        
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node                                                                                                                              
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group                                                                                                                            
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit                                                                                                                                     
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port                                                                                                                              
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message                                                                                                                               
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type                                                                                                                                   
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type                                                                                                                      
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x94af250                                                                                                                                                                               
 Module: Linked to module rlm_eap                                                                                                                                                              
 Module: Instantiating eap                                                                                                                                                                     
  eap {                                                                                                                                                                                        
        default_eap_type = "md5"                                                                                                                                                               
        timer_expire = 60                                                                                                                                                                      
        ignore_unknown_eap_types = no                                                                                                                                                          
        cisco_accounting_username_bug = no                                                                                                                                                     
  }                                                                                                                                                                                            
 Module: Linked to sub-module rlm_eap_md5                                                                                                                                                      
 Module: Instantiating eap-md5                                                                                                                                                                 
 Module: Linked to sub-module rlm_eap_leap                                                                                                                                                     
 Module: Instantiating eap-leap                                                                                                                                                                
 Module: Linked to sub-module rlm_eap_gtc                                                                                                                                                      
 Module: Instantiating eap-gtc                                                                                                                                                                 
   gtc {                                                                                                                                                                                       
        challenge = "Password: "                                                                                                                                                               
        auth_type = "PAP"                                                                                                                                                                      
   }                                                                                                                                                                                           
rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.                                                                                                                         
rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.                                                                                                                        
rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.                                                                                                                        
 Module: Linked to sub-module rlm_eap_mschapv2                                                                                                                                                 
 Module: Instantiating eap-mschapv2                                                                                                                                                            
   mschapv2 {                                                                                                                                                                                  
        with_ntdomain_hack = no                                                                                                                                                                
   }                                                                                                                                                                                           
 Module: Checking authorize {...} for more modules to load                                                                                                                                     
 Module: Linked to module rlm_realm                                                                                                                                                            
 Module: Instantiating suffix                                                                                                                                                                  
  realm suffix {                                                                                                                                                                               
        format = "suffix"                                                                                                                                                                      
        delimiter = "@"                                                                                                                                                                        
        ignore_default = no                                                                                                                                                                    
        ignore_null = no                                                                                                                                                                       
  }                                                                                                                                                                                            
 Module: Linked to module rlm_files                                                                                                                                                            
 Module: Instantiating files                                                                                                                                                                   
  files {                                                                                                                                                                                      
        usersfile = "/etc/freeradius/users"                                                                                                                                                    
        acctusersfile = "/etc/freeradius/acct_users"                                                                                                                                           
        preproxy_usersfile = "/etc/freeradius/preproxy_users"                                                                                                                                  
        compat = "no"                                                                                                                                                                          
  }                                                                                                                                                                                            
 Module: Checking session {...} for more modules to load                                                                                                                                       
 Module: Linked to module rlm_radutmp                                                                                                                                                          
 Module: Instantiating radutmp                                                                                                                                                                 
  radutmp {                                                                                                                                                                                    
        filename = "/var/log/freeradius/radutmp"                                                                                                                                               
        username = "%{User-Name}"                                                                                                                                                              
        case_sensitive = yes                                                                                                                                                                   
        check_with_nas = yes                                                                                                                                                                   
        perm = 384                                                                                                                                                                             
        callerid = yes                                                                                                                                                                         
  }                                                                                                                                                                                            
 Module: Checking post-proxy {...} for more modules to load                                                                                                                                    
 Module: Checking post-auth {...} for more modules to load                                                                                                                                     
 Module: Linked to module rlm_attr_filter                                                                                                                                                      
 Module: Instantiating attr_filter.access_reject                                                                                                                                               
  attr_filter attr_filter.access_reject {                                                                                                                                                      
        attrsfile = "/etc/freeradius/attrs.access_reject"                                                                                                                                      
        key = "%{User-Name}"                                                                                                                                                                   
  }                                                                                                                                                                                            
 }                                                                                                                                                                                             
}                                                                                                                                                                                              
server {                                                                                                                                                                                       
 modules {                                                                                                                                                                                     
 Module: Checking authenticate {...} for more modules to load                                                                                                                                  
 Module: Checking authorize {...} for more modules to load                                                                                                                                     
 Module: Linked to module rlm_preprocess                                                                                                                                                       
 Module: Instantiating preprocess                                                                                                                                                              
  preprocess {                                                                                                                                                                                 
        huntgroups = "/etc/freeradius/huntgroups"                                                                                                                                              
        hints = "/etc/freeradius/hints"                                                                                                                                                        
        with_ascend_hack = no                                                                                                                                                                  
        ascend_channels_per_line = 23                                                                                                                                                          
        with_ntdomain_hack = no                                                                                                                                                                
        with_specialix_jetstream_hack = no                                                                                                                                                     
        with_cisco_vsa_hack = no                                                                                                                                                               
        with_alvarion_vsa_hack = no                                                                                                                                                            
  }                                                                                                                                                                                            
 Module: Checking preacct {...} for more modules to load                                                                                                                                       
 Module: Linked to module rlm_acct_unique                                                                                                                                                      
 Module: Instantiating acct_unique                                                                                                                                                             
  acct_unique {                                                                                                                                                                                
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }                                                                                                                                                                                            
 Module: Checking accounting {...} for more modules to load                                                                                                                                    
 Module: Linked to module rlm_detail                                                                                                                                                           
 Module: Instantiating detail                                                                                                                                                                  
  detail {                                                                                                                                                                                     
        detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
        header = "%t"                                                                                                                                                                          
        detailperm = 384                                                                                                                                                                       
        dirperm = 493                                                                                                                                                                          
        locking = no                                                                                                                                                                           
        log_packet_header = no                                                                                                                                                                 
  }                                                                                                                                                                                            
 Module: Instantiating attr_filter.accounting_response                                                                                                                                         
  attr_filter attr_filter.accounting_response {                                                                                                                                                
        attrsfile = "/etc/freeradius/attrs.accounting_response"                                                                                                                                
        key = "%{User-Name}"                                                                                                                                                                   
  }                                                                                                                                                                                            
 Module: Checking session {...} for more modules to load                                                                                                                                       
 Module: Checking post-proxy {...} for more modules to load                                                                                                                                    
 Module: Checking post-auth {...} for more modules to load                                                                                                                                     
 }                                                                                                                                                                                             
}                                                                                                                                                                                              
radiusd: #### Opening IP addresses and Ports ####                                                                                                                                              
listen {                                                                                                                                                                                       
        type = "auth"                                                                                                                                                                          
        ipaddr = *                                                                                                                                                                             
        port = 0                                                                                                                                                                               
}                                                                                                                                                                                              
listen {                                                                                                                                                                                       
        type = "acct"                                                                                                                                                                          
        ipaddr = *                                                                                                                                                                             
        port = 0                                                                                                                                                                               
}                                                                                                                                                                                              
main {                                                                                                                                                                                         
        snmp = no                                                                                                                                                                              
        smux_password = ""                                                                                                                                                                     
        snmp_write_access = no                                                                                                                                                                 
}                                                                                                                                                                                              
Listening on authentication address * port 1812                                                                                                                                                
Listening on accounting address * port 1813                                                                                                                                                    
Ready to process requests.                                                                                                                                                                     
rad_recv: Access-Request packet from host 192.168.2.254 port 2029, id=34, length=171
        Message-Authenticator = 0xd656642af1dbbf33c13b354ef78a401d                                                                                                                             
        Service-Type = Framed-User                                                                                                                                                             
        User-Name = "ja"                                                                                                                                                                       
        Framed-MTU = 1488                                                                                                                                                                      
        Called-Station-Id = "0A1B2F3F4B09:TEST-RADIUS"                                                                                                                                         
        Calling-Station-Id = "00215DE37F06"                                                                                                                                                    
        NAS-Identifier = "EdatisAP01"                                                                                                                                                          
        NAS-Port-Type = Wireless-802.11                                                                                                                                                        
        Connect-Info = "CONNECT 54Mbps 802.11g"                                                                                                                                                
        EAP-Message = 0x02000007016a61                                                                                                                                                         
        NAS-IP-Address = 192.168.2.254                                                                                                                                                         
        NAS-Port = 1                                                                                                                                                                           
        NAS-Port-Id = "STA port # 1"                                                                                                                                                           
+- entering group authorize                                                                                                                                                                    
++[preprocess] returns ok                                                                                                                                                                      
++[chap] returns noop                                                                                                                                                                          
++[mschap] returns noop                                                                                                                                                                        
    rlm_realm: No '@' in User-Name = "ja", looking up realm NULL                                                                                                                               
    rlm_realm: No such realm "NULL"                                                                                                                                                            
++[suffix] returns noop                                                                                                                                                                        
  rlm_eap: EAP packet type response id 0 length 7                                                                                                                                              
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation                                                                                                                            
++[eap] returns updated                                                                                                                                                                        
++[unix] returns notfound                                                                                                                                                                      
++[files] returns noop                                                                                                                                                                         
rlm_ldap: - authorize                                                                                                                                                                          
rlm_ldap: performing user authorization for ja                                                                                                                                                 
        expand: %{Stripped-User-Name} ->                                                                                                                                                       
        expand: %{User-Name} -> ja                                                                                                                                                             
        expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ja)                                                                                                                       
        expand: o=siege,dc=edatis,dc=net -> o=siege,dc=edatis,dc=net                                                                                                                           
rlm_ldap: ldap_get_conn: Checking Id: 0                                                                                                                                                        
rlm_ldap: ldap_get_conn: Got Id: 0                                                                                                                                                             
rlm_ldap: attempting LDAP reconnection                                                                                                                                                         
rlm_ldap: (re)connect to ldap-samba.edatis.net:389, authentication 0                                                                                                                   
rlm_ldap: bind as cn=samba,ou=DSA,o=siege,dc=edatis,dc=net/XXXXXXXXXXXXXX to ldap-samba.edatis.net:389
rlm_ldap: waiting for bind result ...                                                                                                                                                          
rlm_ldap: Bind was successful                                                                                                                                                                  
rlm_ldap: performing search in o=siege,dc=edatis,dc=net, with filter (uid=ja)                                                                                                                  
rlm_ldap: Added User-Password = {SSHA}M+2zAL4OL40EyemvS5a7Ugr15dZzSGU3 in check items
rlm_ldap: No default NMAS login sequence                                                                                                                                                       
rlm_ldap: looking for check items in directory...                                                                                                                                              
rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "{SSHA}M+2zAL4OL40EyemvS5a7Ugr15dZzSGU3"
rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password == 0x3735323435463143333236443138413433393031383942453643463332313044
rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password == 0x3843443438453034363436383542424131343836323335413233333345344432
rlm_ldap: looking for reply items in directory...                                                                                                                                              
rlm_ldap: user ja authorized to use remote access                                                                                                                                              
rlm_ldap: ldap_release_conn: Release Id: 0                                                                                                                                                     
++[ldap] returns ok                                                                                                                                                                            
++[expiration] returns noop                                                                                                                                                                    
++[logintime] returns noop                                                                                                                                                                     
rlm_pap: Normalizing NT-Password from hex encoding                                                                                                                                             
rlm_pap: Normalizing LM-Password from hex encoding                                                                                                                                             
rlm_pap: Normalizing SSHA1-Password from base64 encoding                                                                                                                                       
rlm_pap: Found existing Auth-Type, not changing it.                                                                                                                                            
++[pap] returns noop                                                                                                                                                                           
  rad_check_password:  Found Auth-Type EAP                                                                                                                                                     
auth: type "EAP"                                                                                                                                                                               
+- entering group authenticate                                                                                                                                                                 
  rlm_eap: EAP Identity                                                                                                                                                                        
  rlm_eap: processing type md5                                                                                                                                                                 
rlm_eap_md5: Issuing Challenge                                                                                                                                                                 
++[eap] returns handled                                                                                                                                                                        
Sending Access-Challenge of id 34 to 192.168.2.254 port 2029                                                                                                                                   
        EAP-Message = 0x010100160410fa30bf980ba96ef49bb5c937347c1e3b                                                                                                                           
        Message-Authenticator = 0x00000000000000000000000000000000                                                                                                                             
        State = 0x7056fb277057ffca98e813bcb8a5e12b                                                                                                                                             
Finished request 0.                                                                                                                                                                            
Going to the next request                                                                                                                                                                      
Waking up in 4.9 seconds.                                                                                                                                                                      
rad_recv: Access-Request packet from host 192.168.2.254 port 2029, id=35, length=188
        Message-Authenticator = 0x0cef594ab56e2919eabcef184089b5d8                                                                                                                             
        Service-Type = Framed-User                                                                                                                                                             
        User-Name = "ja"                                                                                                                                                                       
        Framed-MTU = 1488                                                                                                                                                                      
        State = 0x7056fb277057ffca98e813bcb8a5e12b                                                                                                                                             
        Called-Station-Id = "0A1B2F3F4B09:TEST-RADIUS"                                                                                                                                         
        Calling-Station-Id = "00215DE37F06"                                                                                                                                                    
        NAS-Identifier = "EdatisAP01"                                                                                                                                                          
        NAS-Port-Type = Wireless-802.11                                                                                                                                                        
        Connect-Info = "CONNECT 54Mbps 802.11g"                                                                                                                                                
        EAP-Message = 0x020100060319                                                                                                                                                           
        NAS-IP-Address = 192.168.2.254                                                                                                                                                         
        NAS-Port = 1                                                                                                                                                                           
        NAS-Port-Id = "STA port # 1"                                                                                                                                                           
+- entering group authorize                                                                                                                                                                    
++[preprocess] returns ok                                                                                                                                                                      
++[chap] returns noop                                                                                                                                                                          
++[mschap] returns noop                                                                                                                                                                        
    rlm_realm: No '@' in User-Name = "ja", looking up realm NULL                                                                                                                               
    rlm_realm: No such realm "NULL"                                                                                                                                                            
++[suffix] returns noop                                                                                                                                                                        
  rlm_eap: EAP packet type response id 1 length 6                                                                                                                                              
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation                                                                                                                            
++[eap] returns updated                                                                                                                                                                        
++[unix] returns notfound                                                                                                                                                                      
++[files] returns noop                                                                                                                                                                         
rlm_ldap: - authorize                                                                                                                                                                          
rlm_ldap: performing user authorization for ja                                                                                                                                                 
        expand: %{Stripped-User-Name} ->                                                                                                                                                       
        expand: %{User-Name} -> ja                                                                                                                                                             
        expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ja)                                                                                                                       
        expand: o=siege,dc=edatis,dc=net -> o=siege,dc=edatis,dc=net                                                                                                                           
rlm_ldap: ldap_get_conn: Checking Id: 0                                                                                                                                                        
rlm_ldap: ldap_get_conn: Got Id: 0                                                                                                                                                             
rlm_ldap: performing search in o=siege,dc=edatis,dc=net, with filter (uid=ja)                                                                                                                  
rlm_ldap: Added User-Password = {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX in check items
rlm_ldap: No default NMAS login sequence                                                                                                                                                       
rlm_ldap: looking for check items in directory...                                                                                                                                              
rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password == 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password == 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
rlm_ldap: looking for reply items in directory...                                                                                                                                              
rlm_ldap: user ja authorized to use remote access                                                                                                                                              
rlm_ldap: ldap_release_conn: Release Id: 0                                                                                                                                                     
++[ldap] returns ok                                                                                                                                                                            
++[expiration] returns noop                                                                                                                                                                    
++[logintime] returns noop                                                                                                                                                                     
rlm_pap: Normalizing NT-Password from hex encoding                                                                                                                                             
rlm_pap: Normalizing LM-Password from hex encoding                                                                                                                                             
rlm_pap: Normalizing SSHA1-Password from base64 encoding                                                                                                                                       
rlm_pap: Found existing Auth-Type, not changing it.                                                                                                                                            
++[pap] returns noop                                                                                                                                                                           
  rad_check_password:  Found Auth-Type EAP                                                                                                                                                     
auth: type "EAP"                                                                                                                                                                               
+- entering group authenticate                                                                                                                                                                 
  rlm_eap: Request found, released from the list                                                                                                                                               
  rlm_eap: EAP NAK                                                                                                                                                                             
 rlm_eap: NAK asked for unsupported type 25                                                                                                                                                    
 rlm_eap: No common EAP types found.                                                                                                                                                           
  rlm_eap: Failed in EAP select                                                                                                                                                                
++[eap] returns invalid                                                                                                                                                                        
auth: Failed to validate the user.                                                                                                                                                             
Login incorrect: [ja/<via Auth-Type = EAP>] (from client ap1 port 1 cli 00215DE37F06)
  Found Post-Auth-Type Reject                                                                                                                                                                  
+- entering group REJECT                                                                                                                                                                       
        expand: %{User-Name} -> ja                                                                                                                                                             
 attr_filter: Matched entry DEFAULT at line 11                                                                                                                                                 
++[attr_filter.access_reject] returns updated                                                                                                                                                  
Delaying reject of request 1 for 1 seconds                                                                                                                                                     
Going to the next request                                                                                                                                                                      
Waking up in 0.9 seconds.                                                                                                                                                                      
rad_recv: Access-Request packet from host 192.168.2.254 port 2029, id=35, length=188
Waiting to send Access-Reject to client ap1 port 2029 - ID: 35                                                                                                                                 
Sending delayed reject for request 1                                                                                                                                                           
Sending Access-Reject of id 35 to 192.168.2.254 port 2029                                                                                                                                      
        EAP-Message = 0x04010004                                                                                                                                                               
        Message-Authenticator = 0x00000000000000000000000000000000                                                                                                                             
Waking up in 3.9 seconds.                                                                                                                                                                      
Cleaning up request 0 ID 34 with timestamp +1                                                                                                                                                  
Waking up in 1.0 seconds.                                                                                                                                                                      
Cleaning up request 1 ID 35 with timestamp +1                                                                                                                                                  
Ready to process requests.

I hope you can help me.
Thanks in advance,
Jonathan
-- 
***************************
Jonathan Amiez
System administrator
ja at edatis.com
***************************
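The EAP-Message values in the trace above, decoded by an added example script (not from the original post and not FreeRADIUS code): it parses the 4-byte EAP header and the type byte as laid out in RFC 3748 and shows that the server's Access-Challenge carries an MD5-Challenge (type 4) while the client's reply is a Nak asking for type 25, which is PEAP in the IANA EAP method registry, hence "No common EAP types found". The hex strings are copied from the trace; the type-name table is an assumption limited to the common methods.

```python
"""Decode EAP-Message attribute values from a radiusd -X debug trace.

Added example, not part of the original mailing-list post. Hex strings in
TRACE are copied from the trace above; EAP_TYPES follows the IANA registry.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EAP Code field (RFC 3748, section 4)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# EAP method types (IANA registry); only the common ones are listed here
EAP_TYPES = {
    1: "Identity",
    2: "Notification",
    3: "Nak",
    4: "MD5-Challenge",
    13: "EAP-TLS",
    21: "EAP-TTLS",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no type
    type_data: bytes

    @property
    def code_name(self) -> str:
        return EAP_CODES.get(self.code, f"code-{self.code}")

    @property
    def type_name(self) -> Optional[str]:
        if self.eap_type is None:
            return None
        return EAP_TYPES.get(self.eap_type, f"type-{self.eap_type}")


def parse_eap(hexstr: str) -> EapPacket:
    """Parse one EAP-Message value as printed by radiusd -X (0x-prefixed hex)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: Code, Identifier, Length")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"Length field {length} != packet size {len(raw)}")
    if code in (3, 4):                      # Success / Failure: header only
        return EapPacket(code, ident, length, None, b"")
    if length < 5:
        raise ValueError("Request/Response must carry a Type byte")
    return EapPacket(code, ident, length, raw[4], raw[5:])


def nak_wants(pkt: EapPacket) -> List[int]:
    """Types the peer asks for in a Nak (one byte each in the Type-Data)."""
    return list(pkt.type_data) if pkt.eap_type == 3 else []


def describe(pkt: EapPacket) -> str:
    """Human-readable one-line summary of a parsed EAP packet."""
    base = f"{pkt.code_name} id={pkt.identifier} len={pkt.length}"
    if pkt.eap_type is None:
        return base
    base += f" type={pkt.eap_type} ({pkt.type_name})"
    if pkt.eap_type == 1:                   # Identity: Type-Data is the user name
        return base + f" identity={pkt.type_data.decode('utf-8', 'replace')!r}"
    if pkt.eap_type == 3:                   # Nak: list of desired method types
        wanted = [EAP_TYPES.get(t, f"type-{t}") for t in nak_wants(pkt)]
        return base + f" wants={wanted}"
    if pkt.eap_type == 4:                   # MD5-Challenge: Value-Size, Value
        vsize = pkt.type_data[0]
        return base + f" challenge={pkt.type_data[1:1 + vsize].hex()}"
    return base


def diagnose(hex_messages: List[str]) -> Tuple[List[int], List[int]]:
    """Return (method types the server offered, types the peer Nak'ed for).

    A non-empty second list that shares nothing with the first is exactly the
    'No common EAP types found' situation seen in the trace.
    """
    offered: List[int] = []
    wanted: List[int] = []
    for h in hex_messages:
        pkt = parse_eap(h)
        if pkt.code == 1 and pkt.eap_type not in (None, 1, 2, 3):
            offered.append(pkt.eap_type)
        if pkt.code == 2 and pkt.eap_type == 3:
            wanted.extend(nak_wants(pkt))
    return offered, wanted


# EAP-Message values exactly as they appear in the trace above
TRACE = [
    "0x02000007016a61",                                   # Identity response "ja"
    "0x010100160410fa30bf980ba96ef49bb5c937347c1e3b",     # MD5-Challenge request
    "0x020100060319",                                     # Nak, wants type 25
    "0x04010004",                                         # Failure
]

if __name__ == "__main__":
    for h in TRACE:
        print(describe(parse_eap(h)))
    print("offered/wanted:", diagnose(TRACE))
```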