another wpa/ldap issue

Brian Dial bdial at rkk.com
Wed May 26 16:49:54 CEST 2010


Hello everyone, I have a typical WPA + RADIUS + LDAP issue. I'm using FreeRADIUS 2.1.6. I've tried to follow the "don't edit anything but the ldap module, it will figure it out" mantra as much as possible. I have an OpenLDAP server and the test user I'm using has a plain-text password. Here is my ldap module config:

ldap {
	server = "ldap.mydomain.com"
	identity = "cn=ldapproxy,dc=mydomain,dc=com"
	password = mypassword
	basedn = "dc=mydomain,dc=com"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		start_tls = no
	}
	access_attr = "uid"
	dictionary_mapping = ${confdir}/ldap.attrmap
	password_attribute = userPassword
	edir_account_policy_check = no
}

I found after my first radtest attempt that it wasn't even trying LDAP, because the sites-available/default file had ldap commented out in the authorize section, so I uncommented that (my first change). Running the following command:

radtest testuser Dirxml1 127.0.0.1 1812 testing123

rad_recv: Access-Request packet from host 127.0.0.1 port 43729, id=226, length=61
	User-Name = "testuser"
	User-Password = "Dirxml1"
	NAS-IP-Address = 127.0.0.2
	NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for testuser
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap] 	expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=testuser)
[ldap] 	expand: dc=mydomain,dc=com -> dc=mydomain,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.mydomain.com:389, authentication 0
rlm_ldap: bind as cn=ldapproxy,dc=mydomain,dc=com/mypassword to ldap.mydomain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=com, with filter (uid=testuser)
[ldap] checking if remote access for testuser is allowed by uid
[ldap] Added User-Password = Dirxml1 in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "Dirxml1"
[pap] Using clear text password "Dirxml1"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 226 to 127.0.0.1 port 43729


So it works, but I figured the big warning should be addressed. I wasn't quite sure what to do, but I modified the ldap.attrmap and added

checkItem      Cleartext-Password              userPassword

and now when I run the radtest there is no error, and it pretty much works the same. Next I set up my Cisco 1200 series AP to point to the FreeRADIUS server and configured a laptop to try to connect via EAP-TTLS with PAP. Here is the debug:

rad_recv: Access-Request packet from host 192.168.199.25 port 21648, id=187, length=268
	User-Name = "testuser"
	Framed-MTU = 1400
	Called-Station-Id = "0012.7f3f.c4b0"
	Calling-Station-Id = "0024.2b81.8896"
	Service-Type = Login-User
	Message-Authenticator = 0x9320d95b16fe205069287df91cd6b783
	EAP-Message = 0x0207008015001703010020d1340dcdcbe734bcc98e3b3fd19f09133ad78d6bd382ab4f4fa95ed5acf6c3a51703010050bd112bf770827d4848cd8f5f4fa9da752a1729a3a6cffce111f651441f7c36e0bb231ef24a8a8ed798b255d9d93ca136be1051f5307d985227f7acb80eb17376e6bab49140907b2d3f91dde05b08a3d4
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 721
	State = 0x8c184d3f891f58a17315ecfba6c3a889
	NAS-IP-Address = 192.168.199.25
	NAS-Identifier = "rkkap01"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 128
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] eaptls_process returned 7 
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
	User-Name = "testuser"
	User-Password = "Dirxmnl1"
	FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
	User-Name = "testuser"
	User-Password = "Dirxmnl1"
	FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> testuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated


If I change my username/password on the laptop EAP-TTLS config to be one I listed in the users file, it works fine, so I know that EAP-TTLS/PAP is working correctly. Can someone clue me in where I'm going wrong?


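The second debug log shows why the tunneled request is rejected: the inner-tunnel authorize section runs chap, mschap, unix, suffix, control, eap, files, expiration, logintime and pap, but never ldap, so no Cleartext-Password is ever added to the request, pap returns noop and the server has no Auth-Type to fall back on. The outer radtest only worked because ldap was uncommented in sites-available/default; EAP-TTLS inner requests are handled by the separate inner-tunnel virtual server, which ships with ldap commented out in the same way. The following is an added example of the inner-tunnel authorize/authenticate sections with ldap enabled; it is not the poster's configuration, it assumes the stock FreeRADIUS 2.1.x sites-available/inner-tunnel layout (which matches the module order visible in the log), and the comments are mine.

```conf
# sites-available/inner-tunnel -- added example, assumes stock FreeRADIUS 2.1.x layout.
# The only functional change from the shipped file is uncommenting "ldap" in
# authorize, mirroring the change already made in sites-available/default.
server inner-tunnel {
	authorize {
		chap
		mschap
		unix
		suffix
		update control {
			Proxy-To-Realm := LOCAL
		}
		eap {
			ok = return
		}
		files
		# Uncommented: without this the tunneled PAP request never reaches LDAP,
		# no Cleartext-Password is loaded, pap returns noop and the request is
		# rejected with "No authenticate method (Auth-Type) configuration found".
		ldap
		expiration
		logintime
		pap
	}

	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type CHAP {
			chap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}
```

Two further points a practitioner would check against the logs above. First, the inner request carries `User-Password = "Dirxmnl1"` while the radtest that succeeded used `Dirxml1`; once ldap runs inside the tunnel, pap will still reject until the supplicant's configured password matches the userPassword value in LDAP. Second, the `:-` warning in the first log comes from the filter line in the ldap module; the non-deprecated 2.x form of that expansion is `filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"`. Mapping userPassword to Cleartext-Password in ldap.attrmap, as done above, is correct only while the directory stores the value in clear text, which the post says it does. Note also that `radiusd -X` prints the LDAP bind password and every user password in the clear (see `rlm_ldap: bind as ... /mypassword` and the `[pap] login attempt with password` lines), so such logs should be scrubbed before being shared.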


