Yet another multiple SSID setup question

Fajar A. Nugraha list at fajar.net
Fri Jul 15 03:15:08 CEST 2011


On Fri, Jul 15, 2011 at 7:13 AM, Nick Kartsioukas
<lists.freeradius at change.nightwind.net> wrote:
> Okay, I've gotten a bit further, but I'm still not grasping something in
> the process flow from authorization to authentication and EAP outer and
> inner methods.
>
> I'll paste relevant chunks of my authorize, authenticate, and eap config
> sections below.  The conditional switch statement is working properly
> and matching my SSID (I do have other statements there, I just chopped
> them out here for brevity), the LDAP lookup is working properly and
> granting me authorization, but when it goes to EAP to perform
> authentication it seems like it never gets to the inner MSCHAPv2 auth
> and eventually fails.
>
> ERROR: No authenticate method (Auth-Type) found for the request:
> Rejecting the user
> Failed to authenticate the user.
> Login incorrect: [nicholas_kartsioukas] (from client slo-wlc1 port 0 via
> TLS tunnel)
> } # server
> [peap] Got tunneled reply code 3
> [peap] Got tunneled reply RADIUS code 3
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
>
> I've attached the full debug log.  Hopefully someone can point me in the
> right direction?  Thanks!

I'd look at these lines:

[ldap_parrotfish] performing search in ou=CUESTA,dc=cuesta,dc=org,
with filter (sAMAccountName=nicholas_kartsioukas)
[ldap_parrotfish] No default NMAS login sequence
[ldap_parrotfish] looking for check items in directory...
[ldap_parrotfish] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?

Do you have Cleartext-Password somewhere in your LDAP schema?

If not, then MSCHAPv2 will NOT work. It MIGHT work with TTLS-PAP or
PEAP-GTC, but requires special setup (to force LDAP bind).

If yes, then check ldap.attrmap to ensure attribute mappings matched.

-- 
Fajar
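For readers hitting the same "No known good password" warning, here is the shape of the FreeRADIUS 2.x configuration the reply is pointing at. This is an added example, not config from either poster and not the stock raddb files; server name, base DN, bind credentials and the ldap.attrmap lines for NT-Password are assumptions to be adapted. It shows the two ways out: (a) give the mschap module a known-good password (Cleartext-Password, or an NT-Password hash such as a Samba sambaNTPassword attribute, which is enough for MSCHAPv2 without a cleartext value) by mapping it in ldap.attrmap, or (b) when the directory will not expose any password attribute (the usual case with Active Directory over plain LDAP), switch the inner method to one that carries the plaintext password (TTLS-PAP, or PEAP with GTC) and let rlm_ldap authenticate by binding as the user via Auth-Type LDAP.

```text
# --- raddb/modules/ldap (FreeRADIUS 2.x), assumed values ---------------
ldap {
    server   = "ldap.example.org"                  # assumption
    identity = "cn=radius,ou=svc,dc=example,dc=org" # assumption: read-only service account
    password = "change-me"                         # assumption
    basedn   = "ou=CUESTA,dc=cuesta,dc=org"
    filter   = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

    # Map LDAP attributes to RADIUS check/reply items.
    dictionary_mapping = ${confdir}/ldap.attrmap

    # With set_auth_type = yes, rlm_ldap in authorize sets
    # Auth-Type := LDAP when it found NO password attribute for the user
    # AND the request carries a User-Password (PAP-style inner request).
    # An MSCHAPv2 inner request has no User-Password, only
    # MS-CHAP-Challenge/MS-CHAP2-Response, so nothing is set and you get
    # "No authenticate method (Auth-Type) found".
    set_auth_type = yes
}

# --- raddb/ldap.attrmap ------------------------------------------------
# Option (a): make a known-good password available to mschap/pap.
# Only one of these needs to resolve; the directory must actually let the
# bind identity read the attribute, otherwise the warning above persists.
checkItem   Cleartext-Password   userPassword       # if stored in the clear
checkItem   NT-Password          sambaNTPassword    # assumption: Samba schema; MSCHAPv2 needs only this

# --- raddb/sites-available/inner-tunnel --------------------------------
server inner-tunnel {
    authorize {
        mschap      # sets Auth-Type MS-CHAP when MS-CHAP attrs present
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        ldap        # option (b): sets Auth-Type LDAP for User-Password requests
        pap         # option (a): sets Auth-Type PAP when a known-good password exists
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap      # needs Cleartext-Password or NT-Password from authorize
        }
        # Option (b): authenticate by binding to LDAP as the user.
        # Works only for inner methods that deliver User-Password
        # (TTLS-PAP, or PEAP-GTC configured as below).
        Auth-Type LDAP {
            ldap
        }
        eap
    }
}

# --- raddb/eap.conf fragment, option (b) with PEAP ---------------------
eap {
    peap {
        default_eap_type = gtc        # instead of mschapv2
        virtual_server   = "inner-tunnel"
    }
    gtc {
        # Assumption: auth_type names the Auth-Type section in the
        # inner-tunnel authenticate block that rlm_eap_gtc will call with
        # the token as User-Password; LDAP here means "bind as the user".
        auth_type = LDAP
    }
}
```

Which option applies is decided by the check Fajar describes: if the debug log keeps printing the "known good" password warning after the attrmap change, the bind identity cannot read the password attribute and only option (b) will work. Note that option (b) also changes the client side: the supplicant profile must be switched from PEAP-MSCHAPv2 to TTLS-PAP or PEAP-GTC, and with GTC the user's password crosses the inner tunnel in the clear, so the outer TLS must be properly validated by the supplicant.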

