radius authentication fallback from ldap to local

Chowdhury Satish-NVF476 satish.chowdhury at motorolasolutions.com
Sat May 7 09:20:38 CEST 2011


Hi,
 
I am trying to configure fallback of the radius server from ldap to local
file-based authentication when the ldap server is not reachable.
 
 
I have a wireless client which needs to be authenticated by the radius
server on association. The wireless client uses EAP-PEAP authentication
with PEAP-GTC as the inner protocol. The authentication works fine with LDAP
and with local files using separate configuration settings. However, I am
unable to configure the fallback mechanism.
 
 
My freeradius version is 2.1.7. I made the following modifications for the
fallback.
 
radiusd.conf
-------------
authorize {
         preprocess
          .....
         passwd

         # fail = 1 keeps the section running after ldap returns fail
         # instead of rejecting immediately, so the if below can test it
         ldap {
                  fail = 1
         }
         if (fail) {
               files
         }
}
 
 
eap.conf
---------
 
eap {
      ....
     gtc {
           challenge = "Password"
           # inner (tunneled) GTC requests are handed to this Auth-Type
           auth_type = ldap
     }
      ....
}
 
users
--------
 
DEFAULT Auth-Type = Local
        Fall-Through = Yes
 
With the above settings the LDAP authentication works fine. When ldap is
disconnected, the radius server fails to find ldap and falls back to files.
However, it fails in eap with the following error:
 
----->>
[eap] Request found, released from the list
[eap] EAP/gtc
[eap] processing type gtc
[gtc] +- entering group LDAP {...}
[ldap] login attempt by "user1" with password "symbol123"
[ldap]  expand: (sAMAccountName=%{Stripped-User-Name}) ->
(sAMAccountName=user1)
[ldap]  expand: DC=wlan,DC=com -> DC=wlan,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail
[eap] Handler failed in EAP/gtc
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
auth: Failed to validate the user.: [user1] (from client localhost port
1 cli 00-13-CE-F0-6E-32 via TLS tunnel)
Login incorrect: [user1] (from client localhost port 1 cli
00-13-CE-F0-6E-32 via TLS tunnel)
} # server
[peap] Got tunneled reply code 3
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
<<<---------
 
Complete log pasted here http://pastebin.com/PjDuvAvy. Packets 1-8 are
when ldap is connected. Ldap is disconnected from Packet 9 onwards. The
error is in Packet 17. The wireless client waits for Access-Accept.
 
 
Later, I changed the eap.conf as below:
eap {
      ....
     gtc {
           challenge = "Password"
           # inner (tunneled) GTC requests are now checked against local files
           auth_type = Local
     }
      ....
}
 
With this configuration local fallback authentication works. However,
when ldap is connected, the ldap authentication is successful only if the
user credential is present in the password file.
 
 
How do I solve this? I am a newbie to radius, please guide me if I missed
something obvious.
 
Regards,
Satish
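The log above shows the gtc module entering the "Auth-Type LDAP" group of the authenticate section directly ("[gtc] +- entering group LDAP"), so for the tunneled GTC request the fallback has to live inside that group, not only in the authorize section. The following unlang fragment is an added example, not part of the original post or of the FreeRADIUS distribution; it assumes the inner requests are handled by the inner-tunnel virtual server (sites-enabled/inner-tunnel in 2.x) and that the users file gives each local account a Cleartext-Password for pap to compare against.

```text
# sites-enabled/inner-tunnel  (assumed location; added example, not from the post)
authorize {
        # files runs first so that, for local accounts, Cleartext-Password
        # is already in the request when the authenticate section runs
        files
}

authenticate {
        # With auth_type = ldap in eap.conf, the gtc module calls this
        # group directly, as the "[gtc] +- entering group LDAP" log line shows.
        Auth-Type LDAP {
                # bind to the directory with the tunneled user name/password
                ldap
                if (fail) {
                        # ldap returned fail (server unreachable, as in the
                        # log): fall back to comparing User-Password against
                        # the Cleartext-Password that files supplied above
                        pap
                }
        }
}
```

With ldap reachable the group returns whatever the bind returned and pap is never consulted, so a user known only to LDAP still authenticates; with ldap down, only accounts present in the users file can log in, which is the intended fallback.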




More information about the Freeradius-Users mailing list