Thanks Alan. I did EAP and telnet works fine!

I have set up FreeRADIUS and, using Lotus Notes LDAP, I am able to get authenticated for a TELNET session with a Cisco 2950.
However, in the same setup, when I try to get the port authenticated for the WinXP client using EAP-MD5 it is being rejected.

Help requested.

****************************************************************************************************
 TEST PLATFORM
****************************************************************************************************

LDAP   : Lotus Notes Directory
Radius : FreeRADIUS 1.0.1
Switch : Cisco 2950
OS     : Windows XP with SP2

****************************************************************************************************
 Successful telnet authentication using radius to Cisco 2950
****************************************************************************************************

Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.1.1:1812, id=56, length=78
        NAS-IP-Address = 172.16.1.1
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "abey"
        Calling-Station-Id = "172.16.2.1"
        User-Password = "abeypass"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for abey
radius_xlat:  '(uid=abey)'
radius_xlat:  'o=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0
rlm_ldap: bind as / to 192.168.1.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=example, with filter (uid=abey)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user abey authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "abey" with password "abeypass"
rlm_ldap: user DN: CN=Abey Thomas,O=example
rlm_ldap: (re)connect to 192.168.1.1:389, authentication 1
rlm_ldap: bind as CN=Abey Thomas,O=example/abeypass to 192.168.1.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user abey authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 56 to 172.16.1.1:1812
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 56 with timestamp 44481b5d
Nothing to do.  Sleeping until we see a request.

****************************************************************************************************
 Unsuccessful authentication using WinXP EAP-MD5 with LDAP
****************************************************************************************************

rad_recv: Access-Request packet from host 172.16.1.1:1812, id=65, length=162
        NAS-IP-Address = 172.16.1.1
        NAS-Port = 50035
        NAS-Port-Type = Ethernet
        User-Name = "abey"
        Called-Station-Id = "00-14-69-B1-DE-63"
        Calling-Station-Id = "00-16-17-29-73-6A"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x20e0298dbd677f901ed08b90898c8919
        EAP-Message = 0x0201001c0410cbc40efb162c0ae53832615a88e73548616265796274
        Message-Authenticator = 0xae7f4801c3431879926a3ec72e5bcc5b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for abey
radius_xlat:  '(uid=abey)'
radius_xlat:  'o=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=example, with filter (uid=abey)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user abey authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
  rlm_eap: EAP packet type response id 1 length 28
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
  modcall[authorize]: module "files" returns notfound for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type LDAP
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'abey'
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/md5
  rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
  rlm_eap: Handler failed in EAP/md5
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 65 to 172.16.1.1:1812
        EAP-Message = 0x04010004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 64 with timestamp 44483e3e
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 65 with timestamp 44483e3f
Nothing to do.  Sleeping until we see a request.

****************************************************************************************************
 radiusd.conf
****************************************************************************************************
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

log_file = ${logdir}/radius.log

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/radiusd.pid

user = radiusd
group = radiusd

max_request_time = 30

delete_blocked_requests = no

cleanup_delay = 5

max_requests = 1024

bind_address = *

port = 0

hostname_lookups = no

allow_core_dumps = no

regular_expressions = yes
extended_expressions = yes

log_stripped_names = no

log_auth = no

log_auth_badpass = no
log_auth_goodpass = no

usercollide = no

lower_user = no
lower_pass = no

nospace_user = no
nospace_pass = no

checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

$INCLUDE ${confdir}/clients.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {

    eap {
        default_eap_type = md5
        timer_expire = 120

        md5 {
        }
        leap {
        }
    }

    ldap {
        server = "10.1.1.111"
        basedn = "o=slashsupport"
        filter = "(uid=%u)"
    }

    preprocess {
    }

    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
}

authorize {
    ldap
    eap
    files
}

authenticate {
    eap

    Auth-Type LDAP {
        ldap
    }
}

****************************************************************************************************
 users
****************************************************************************************************
userone User-Password == "userpass"

# DEFAULT Auth-Type := LDAP
# Fall-Through = 1
#
*************************************************************************
Regards,
Abey Babu Thomas
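The failed trace above ends in `rlm_eap_md5: User-Password is required for EAP-MD5 authentication`. As an added illustration (not part of Abey's post or of the FreeRADIUS code), the Python below decodes the EAP-Message attributes that radiusd printed and recomputes an EAP-MD5 response the way the server must: MD5 over the identifier, the cleartext password and the server's own challenge (RFC 1994, RFC 3748 section 5.4), which is why an LDAP bind alone can never satisfy EAP-MD5. The challenge, the name field and the password "abeypass" used in the round trip are constructed sample values; the challenge the switch relayed is not in the post, so the captured response itself cannot be verified here.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

EAP_TYPE_MD5_CHALLENGE = 4  # RFC 3748 section 5.4

@dataclass
class EapPacket:
    code: int                # 1 Request, 2 Response, 3 Success, 4 Failure
    identifier: int
    length: int
    eap_type: Optional[int]  # None for Success/Failure
    value: bytes             # challenge (Request) or MD5 digest (Response)
    name: bytes              # peer name that trails the value field

def parse_eap_message(hexstr: str) -> EapPacket:
    """Decode one EAP-Message attribute as printed by radiusd -X ("0x...")."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    if code in (3, 4):  # Success / Failure carry a header only
        return EapPacket(code, identifier, length, None, b"", b"")
    if len(raw) < 6 or raw[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    value = raw[6:6 + raw[5]]  # raw[5] is the Value-Size octet
    if len(value) != raw[5]:
        raise ValueError("value field truncated")
    return EapPacket(code, identifier, length, raw[4], value, raw[6 + raw[5]:])

def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || cleartext secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def build_md5_response(identifier: int, password: bytes, challenge: bytes, name: bytes) -> bytes:
    """Supplicant side: the EAP Response/MD5-Challenge sent back to the server."""
    digest = md5_challenge_response(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(digest)]) + digest + name
    return bytes([2, identifier]) + (4 + len(body)).to_bytes(2, "big") + body

def verify_md5_response(pkt: EapPacket, challenge: bytes, password: bytes) -> bool:
    """Server side: must recompute the digest, so it needs the cleartext password."""
    if pkt.code != 2 or pkt.eap_type != EAP_TYPE_MD5_CHALLENGE:
        return False
    expected = md5_challenge_response(pkt.identifier, password, challenge)
    return hmac.compare_digest(expected, pkt.value)
```

Parsing the Access-Request's EAP-Message from the trace yields a Response (code 2, id 1, length 28) of type MD5-Challenge with a 16-byte digest, and the Access-Reject's 0x04010004 is a bare EAP Failure.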