<html><body>
<p><tt>Hi all,</tt><br>
<br>
<tt>I am trying to get FreeRADIUS with eDir to work. PAP is working already, but CHAP does some strange things... here's a trace.</tt><br>
<br>
<br>
<tt>Started freeradius 2.0.4 on SLES10SP1 by typing: "radiusd -X"</tt><br>
<br>
<tt>hamburgauth01:~ # radiusd -X</tt><br>
<tt>FreeRADIUS Version 2.0.4, for host i686-suse-linux-gnu, built on May 7 2008 at 21:45:01</tt><br>
<tt>Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.</tt><br>
<tt>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A</tt><br>
<tt>PARTICULAR PURPOSE.</tt><br>
<tt>You may redistribute copies of FreeRADIUS under the terms of the</tt><br>
<tt>GNU General Public License.</tt><br>
<tt>Starting - reading configuration files ...</tt><br>
<tt>including configuration file /etc/raddb/radiusd.conf</tt><br>
<tt>including configuration file /etc/raddb/proxy.conf</tt><br>
<tt>including configuration file /etc/raddb/clients.conf</tt><br>
<tt>including configuration file /etc/raddb/snmp.conf</tt><br>
<tt>including configuration file /etc/raddb/eap.conf</tt><br>
<tt>including configuration file /etc/raddb/sql.conf</tt><br>
<tt>including configuration file /etc/raddb/sql/mysql/dialup.conf</tt><br>
<tt>including configuration file /etc/raddb/sql/mysql/counter.conf</tt><br>
<tt>including configuration file /etc/raddb/policy.conf</tt><br>
<tt>including files in directory /etc/raddb/sites-enabled/</tt><br>
<tt>including configuration file /etc/raddb/sites-enabled/smc</tt><br>
<tt>including dictionary file /etc/raddb/dictionary</tt><br>
<tt>main {</tt><br>
<tt> prefix = "/usr"</tt><br>
<tt> localstatedir = "/var"</tt><br>
<tt> logdir = "/var/log/radius"</tt><br>
<tt> libdir = "/usr/lib/freeradius"</tt><br>
<tt> radacctdir = "/var/log/radius/radacct"</tt><br>
<tt> hostname_lookups = no</tt><br>
<tt> max_request_time = 30</tt><br>
<tt> cleanup_delay = 5</tt><br>
<tt> max_requests = 1024</tt><br>
<tt> allow_core_dumps = no</tt><br>
<tt> pidfile = "/var/run/radiusd/radiusd.pid"</tt><br>
<tt> user = "radiusd"</tt><br>
<tt> group = "radiusd"</tt><br>
<tt> checkrad = "/usr/sbin/checkrad"</tt><br>
<tt> debug_level = 0</tt><br>
<tt> proxy_requests = no</tt><br>
<tt> security {</tt><br>
<tt> max_attributes = 200</tt><br>
<tt> reject_delay = 1</tt><br>
<tt> status_server = yes</tt><br>
<tt> }</tt><br>
<tt>}</tt><br>
<tt> client localhost {</tt><br>
<tt> ipaddr = 127.0.0.1</tt><br>
<tt> require_message_authenticator = no</tt><br>
<tt> secret = "testing123"</tt><br>
<tt> nastype = "other"</tt><br>
<tt> }</tt><br>
<tt> client 10.110.0.0/16 {</tt><br>
<tt> require_message_authenticator = no</tt><br>
<tt> secret = "radiustest"</tt><br>
<tt> shortname = "SMC_GS_LAN"</tt><br>
<tt> }</tt><br>
<tt>radiusd: #### Loading Realms and Home Servers ####</tt><br>
<tt> proxy server {</tt><br>
<tt> retry_delay = 5</tt><br>
<tt> retry_count = 3</tt><br>
<tt> default_fallback = no</tt><br>
<tt> dead_time = 120</tt><br>
<tt> wake_all_if_all_dead = no</tt><br>
<tt> }</tt><br>
<tt> home_server localhost {</tt><br>
<tt> ipaddr = 127.0.0.1</tt><br>
<tt> port = 1812</tt><br>
<tt> type = "auth"</tt><br>
<tt> secret = "testing123"</tt><br>
<tt> response_window = 20</tt><br>
<tt> max_outstanding = 65536</tt><br>
<tt> zombie_period = 40</tt><br>
<tt> status_check = "status-server"</tt><br>
<tt> ping_check = "none"</tt><br>
<tt> ping_interval = 30</tt><br>
<tt> check_interval = 30</tt><br>
<tt> num_answers_to_alive = 3</tt><br>
<tt> num_pings_to_alive = 3</tt><br>
<tt> revive_interval = 120</tt><br>
<tt> status_check_timeout = 4</tt><br>
<tt> }</tt><br>
<tt> home_server_pool my_auth_failover {</tt><br>
<tt> type = fail-over</tt><br>
<tt> home_server = localhost</tt><br>
<tt> }</tt><br>
<tt> realm example.com {</tt><br>
<tt> auth_pool = my_auth_failover</tt><br>
<tt> }</tt><br>
<tt> realm LOCAL {</tt><br>
<tt> }</tt><br>
<tt> realm NULL {</tt><br>
<tt> }</tt><br>
<tt> realm DEFAULT {</tt><br>
<tt> }</tt><br>
<tt>radiusd: #### Instantiating modules ####</tt><br>
<tt> instantiate {</tt><br>
<tt> Module: Linked to module rlm_exec</tt><br>
<tt> Module: Instantiating exec</tt><br>
<tt> exec {</tt><br>
<tt> wait = yes</tt><br>
<tt> input_pairs = "request"</tt><br>
<tt> shell_escape = yes</tt><br>
<tt> }</tt><br>
<tt> Module: Linked to module rlm_expr</tt><br>
<tt> Module: Instantiating expr</tt><br>
<tt> Module: Linked to module rlm_expiration</tt><br>
<tt> Module: Instantiating expiration</tt><br>
<tt> expiration {</tt><br>
<tt> reply-message = "Password Has Expired "</tt><br>
<tt> }</tt><br>
<tt> Module: Linked to module rlm_logintime</tt><br>
<tt> Module: Instantiating logintime</tt><br>
<tt> logintime {</tt><br>
<tt> reply-message = "You are calling outside your allowed timespan "</tt><br>
<tt> minimum-timeout = 60</tt><br>
<tt> }</tt><br>
<tt> }</tt><br>
<tt>radiusd: #### Loading Virtual Servers ####</tt><br>
<tt>server {</tt><br>
<tt> modules {</tt><br>
<tt> Module: Checking authenticate {...} for more modules to load</tt><br>
<tt> Module: Linked to module rlm_pap</tt><br>
<tt> Module: Instantiating pap</tt><br>
<tt> pap {</tt><br>
<tt> encryption_scheme = "auto"</tt><br>
<tt> auto_header = yes</tt><br>
<tt> }</tt><br>
<tt> Module: Linked to module rlm_chap</tt><br>
<tt> Module: Instantiating chap</tt><br>
<tt> Module: Linked to module rlm_mschap</tt><br>
<tt> Module: Instantiating mschap</tt><br>
<tt> mschap {</tt><br>
<tt> use_mppe = yes</tt><br>
<tt> require_encryption = no</tt><br>
<tt> require_strong = no</tt><br>
<tt> with_ntdomain_hack = no</tt><br>
<tt> }</tt><br>
<tt> Module: Linked to module rlm_unix</tt><br>
<tt> Module: Instantiating unix</tt><br>
<tt> unix {</tt><br>
<tt> radwtmp = "/var/log/radius/radwtmp"</tt><br>
<tt> }</tt><br>
<tt> Module: Linked to module rlm_ldap</tt><br>
<tt> Module: Instantiating ldap</tt><br>
<tt> ldap {</tt><br>
<tt> server = "hamburgauth01.hamburg.mummert.de"</tt><br>
<tt> port = 389</tt><br>
<tt> password = "*******"</tt><br>
<tt> identity = "cn=radiusadmin,o=admin"</tt><br>
<tt> net_timeout = 1</tt><br>
<tt> timeout = 4</tt><br>
<tt> timelimit = 3</tt><br>
<tt> tls_mode = no</tt><br>
<tt> start_tls = no</tt><br>
<tt> tls_require_cert = "allow"</tt><br>
<tt> tls {</tt><br>
<tt> start_tls = yes</tt><br>
<tt> cacertfile = "/etc/raddb/certs/AUTH-TREE_CA.b64"</tt><br>
<tt> require_cert = "demand"</tt><br>
<tt> }</tt><br>
<tt> basedn = "o=data"</tt><br>
<tt> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"</tt><br>
<tt> base_filter = "(objectclass=radiusprofile)"</tt><br>
<tt> password_attribute = "nspmPassword"</tt><br>
<tt> auto_header = no</tt><br>
<tt> access_attr = "dialupAccess"</tt><br>
<tt> access_attr_used_for_allow = yes</tt><br>
<tt> groupname_attribute = "cn"</tt><br>
<tt> groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"</tt><br>
<tt> dictionary_mapping = "/etc/raddb/ldap.attrmap"</tt><br>
<tt> ldap_debug = 0</tt><br>
<tt> ldap_connections_number = 5</tt><br>
<tt> compare_check_items = no</tt><br>
<tt> do_xlat = yes</tt><br>
<tt> edir_account_policy_check = yes</tt><br>
<tt> set_auth_type = yes</tt><br>
<tt> }</tt><br>
<tt>rlm_ldap: Registering ldap_groupcmp for Ldap-Group</tt><br>
<tt>rlm_ldap: Registering ldap_xlat with xlat_name ldap</tt><br>
<tt>rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap</tt><br>
<tt>rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$</tt><br>
<tt>rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$</tt><br>
<tt>rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type</tt><br>
<tt>rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use</tt><br>
<tt>rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id</tt><br>
<tt>rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id</tt><br>
<tt>rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password</tt><br>
<tt>rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password</tt><br>
<tt>rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password</tt><br>
<tt>rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password</tt><br>
<tt>rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT</tt><br>
<tt>rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration</tt><br>
<tt>rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address</tt><br>
<tt>rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type</tt><br>
<tt>rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol</tt><br>
<tt>rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address</tt><br>
<tt>rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask</tt><br>
<tt>rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route</tt><br>
<tt>rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing</tt><br>
<tt>rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id</tt><br>
<tt>rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU</tt><br>
<tt>rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression</tt><br>
<tt>rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host</tt><br>
<tt>rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service</tt><br>
<tt>rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port</tt><br>
<tt>rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number</tt><br>
<tt>rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id</tt><br>
<tt>rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network</tt><br>
<tt>rlm_ldap: LDAP radiusClass mapped to RADIUS Class</tt><br>
<tt>rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout</tt><br>
<tt>rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout</tt><br>
<tt>rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action</tt><br>
<tt>rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service</tt><br>
<tt>rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node</tt><br>
<tt>rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group</tt><br>
<tt>rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link</tt><br>
<tt>rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network</tt><br>
<tt>rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone</tt><br>
<tt>rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit</tt><br>
<tt>rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port</tt><br>
<tt>rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message</tt><br>
<tt>conns: 0x81690c8</tt><br>
<tt> Module: Linked to module rlm_eap</tt><br>
<tt> Module: Instantiating eap</tt><br>
<tt> eap {</tt><br>
<tt> default_eap_type = "peap"</tt><br>
<tt> timer_expire = 60</tt><br>
<tt> ignore_unknown_eap_types = no</tt><br>
<tt> cisco_accounting_username_bug = no</tt><br>
<tt> }</tt><br>
<tt> Module: Linked to sub-module rlm_eap_md5</tt><br>
<tt> Module: Instantiating eap-md5</tt><br>
<tt> Module: Linked to sub-module rlm_eap_leap</tt><br>
<tt> Module: Instantiating eap-leap</tt><br>
<tt> Module: Linked to sub-module rlm_eap_gtc</tt><br>
<tt> Module: Instantiating eap-gtc</tt><br>
<tt> gtc {</tt><br>
<tt> challenge = "Password: "</tt><br>
<tt> auth_type = "PAP"</tt><br>
<tt> }</tt><br>
<tt> Module: Linked to sub-module rlm_eap_tls</tt><br>
<tt> Module: Instantiating eap-tls</tt><br>
<tt> tls {</tt><br>
<tt> rsa_key_exchange = no</tt><br>
<tt> dh_key_exchange = yes</tt><br>
<tt> rsa_key_length = 512</tt><br>
<tt> dh_key_length = 512</tt><br>
<tt> verify_depth = 0</tt><br>
<tt> pem_file_type = yes</tt><br>
<tt> private_key_file = "/etc/raddb/certs/server.pem"</tt><br>
<tt> certificate_file = "/etc/raddb/certs/server.pem"</tt><br>
<tt> CA_file = "/etc/raddb/certs/ca.pem"</tt><br>
<tt> private_key_password = "whatever"</tt><br>
<tt> dh_file = "/etc/raddb/certs/dh"</tt><br>
<tt> random_file = "/etc/raddb/certs/random"</tt><br>
<tt> fragment_size = 1024</tt><br>
<tt> include_length = yes</tt><br>
<tt> check_crl = no</tt><br>
<tt> cipher_list = "DEFAULT"</tt><br>
<tt> make_cert_command = "/etc/raddb/certs/bootstrap"</tt><br>
<tt> }</tt><br>
<tt> Module: Linked to sub-module rlm_eap_ttls</tt><br>
<tt> Module: Instantiating eap-ttls</tt><br>
<tt> ttls {</tt><br>
<tt> default_eap_type = "md5"</tt><br>
<tt> copy_request_to_tunnel = yes</tt><br>
<tt> use_tunneled_reply = yes</tt><br>
<tt> }</tt><br>
<tt> Module: Linked to sub-module rlm_eap_peap</tt><br>
<tt> Module: Instantiating eap-peap</tt><br>
<tt> peap {</tt><br>
<tt> default_eap_type = "mschapv2"</tt><br>
<tt> copy_request_to_tunnel = yes</tt><br>
<tt> use_tunneled_reply = yes</tt><br>
<tt> proxy_tunneled_request_as_eap = yes</tt><br>
<tt> }</tt><br>
<tt> Module: Linked to sub-module rlm_eap_mschapv2</tt><br>
<tt> Module: Instantiating eap-mschapv2</tt><br>
<tt> mschapv2 {</tt><br>
<tt> with_ntdomain_hack = no</tt><br>
<tt> }</tt><br>
<tt> Module: Checking authorize {...} for more modules to load</tt><br>
<tt> Module: Linked to module rlm_preprocess</tt><br>
<tt> Module: Instantiating preprocess</tt><br>
<tt> preprocess {</tt><br>
<tt> huntgroups = "/etc/raddb/huntgroups"</tt><br>
<tt> hints = "/etc/raddb/hints"</tt><br>
<tt> with_ascend_hack = no</tt><br>
<tt> ascend_channels_per_line = 23</tt><br>
<tt> with_ntdomain_hack = no</tt><br>
<tt> with_specialix_jetstream_hack = no</tt><br>
<tt> with_cisco_vsa_hack = no</tt><br>
<tt> with_alvarion_vsa_hack = no</tt><br>
<tt> }</tt><br>
<tt> Module: Linked to module rlm_realm</tt><br>
<tt> Module: Instantiating suffix</tt><br>
<tt> realm suffix {</tt><br>
<tt> format = "suffix"</tt><br>
<tt> delimiter = "@"</tt><br>
<tt> ignore_default = no</tt><br>
<tt> ignore_null = no</tt><br>
<tt> }</tt><br>
<tt> Module: Linked to module rlm_files</tt><br>
<tt> Module: Instantiating files</tt><br>
<tt> files {</tt><br>
<tt> usersfile = "/etc/raddb/users"</tt><br>
<tt> acctusersfile = "/etc/raddb/acct_users"</tt><br>
<tt> preproxy_usersfile = "/etc/raddb/preproxy_users"</tt><br>
<tt> compat = "no"</tt><br>
<tt> }</tt><br>
<tt> Module: Checking preacct {...} for more modules to load</tt><br>
<tt> Module: Linked to module rlm_acct_unique</tt><br>
<tt> Module: Instantiating acct_unique</tt><br>
<tt> acct_unique {</tt><br>
<tt> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"</tt><br>
<tt> }</tt><br>
<tt> Module: Checking accounting {...} for more modules to load</tt><br>
<tt> Module: Linked to module rlm_detail</tt><br>
<tt> Module: Instantiating detail</tt><br>
<tt> detail {</tt><br>
<tt> detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"</tt><br>
<tt> header = "%t"</tt><br>
<tt> detailperm = 384</tt><br>
<tt> dirperm = 493</tt><br>
<tt> locking = no</tt><br>
<tt> log_packet_header = no</tt><br>
<tt> }</tt><br>
<tt> Module: Linked to module rlm_radutmp</tt><br>
<tt> Module: Instantiating radutmp</tt><br>
<tt> radutmp {</tt><br>
<tt> filename = "/var/log/radius/radutmp"</tt><br>
<tt> username = "%{User-Name}"</tt><br>
<tt> case_sensitive = yes</tt><br>
<tt> check_with_nas = yes</tt><br>
<tt> perm = 384</tt><br>
<tt> callerid = yes</tt><br>
<tt> }</tt><br>
<tt> Module: Linked to module rlm_attr_filter</tt><br>
<tt> Module: Instantiating attr_filter.accounting_response</tt><br>
<tt> attr_filter attr_filter.accounting_response {</tt><br>
<tt> attrsfile = "/etc/raddb/attrs.accounting_response"</tt><br>
<tt> key = "%{User-Name}"</tt><br>
<tt> }</tt><br>
<tt> Module: Checking session {...} for more modules to load</tt><br>
<tt> Module: Checking post-proxy {...} for more modules to load</tt><br>
<tt> Module: Checking post-auth {...} for more modules to load</tt><br>
<tt> Module: Instantiating attr_filter.access_reject</tt><br>
<tt> attr_filter attr_filter.access_reject {</tt><br>
<tt> attrsfile = "/etc/raddb/attrs.access_reject"</tt><br>
<tt> key = "%{User-Name}"</tt><br>
<tt> }</tt><br>
<tt> }</tt><br>
<tt>}</tt><br>
<tt>radiusd: #### Opening IP addresses and Ports ####</tt><br>
<tt>listen {</tt><br>
<tt> type = "auth"</tt><br>
<tt> ipaddr = *</tt><br>
<tt> port = 0</tt><br>
<tt>}</tt><br>
<tt>listen {</tt><br>
<tt> type = "acct"</tt><br>
<tt> ipaddr = *</tt><br>
<tt> port = 0</tt><br>
<tt>}</tt><br>
<tt>main {</tt><br>
<tt> snmp = no</tt><br>
<tt> smux_password = ""</tt><br>
<tt> snmp_write_access = no</tt><br>
<tt>}</tt><br>
<tt>Listening on authentication address * port 1812</tt><br>
<tt>Listening on accounting address * port 1813</tt><br>
<tt>Ready to process requests.</tt><br>
<br>
<br>
<tt>Used ntradping to try to authenticate with PAP - successfully. Note that the password used to bind to eDir is "test345":</tt><br>
<br>
<br>
<tt>rad_recv: Access-Request packet from host 10.110.9.60 port 57834, id=19, length=55</tt><br>
<tt> User-Name = "test user@realm"</tt><br>
<tt> User-Password = "test345"</tt><br>
<tt>+- entering group authorize</tt><br>
<tt>++[preprocess] returns ok</tt><br>
<tt>++[chap] returns noop</tt><br>
<tt>++[mschap] returns noop</tt><br>
<tt> rlm_realm: Looking up realm "realm" for User-Name = "test user@realm"</tt><br>
<tt> rlm_realm: Found realm "DEFAULT"</tt><br>
<tt> rlm_realm: Adding Stripped-User-Name = "test user"</tt><br>
<tt> rlm_realm: Adding Realm = "DEFAULT"</tt><br>
<tt> rlm_realm: Authentication realm is LOCAL.</tt><br>
<tt>++[suffix] returns noop</tt><br>
<tt>rlm_ldap: - authorize</tt><br>
<tt>rlm_ldap: performing user authorization for test user</tt><br>
<tt>WARNING: Deprecated conditional expansion ":-". See "man unlang" for details</tt><br>
<tt> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test user)</tt><br>
<tt> expand: o=data -> o=data</tt><br>
<tt>rlm_ldap: ldap_get_conn: Checking Id: 0</tt><br>
<tt>rlm_ldap: ldap_get_conn: Got Id: 0</tt><br>
<tt>rlm_ldap: attempting LDAP reconnection</tt><br>
<tt>rlm_ldap: (re)connect to hamburgauth01.hamburg.mummert.de:389, authentication 0</tt><br>
<tt>rlm_ldap: setting TLS CACert File to /etc/raddb/certs/AUTH-TREE_CA.b64</tt><br>
<tt>rlm_ldap: setting TLS Require Cert to demand</tt><br>
<tt>rlm_ldap: starting TLS</tt><br>
<tt>rlm_ldap: bind as cn=radiusadmin,o=admin/******** to hamburgauth01.hamburg.mummert.de:389</tt><br>
<tt>rlm_ldap: waiting for bind result ...</tt><br>
<tt>rlm_ldap: Bind was successful</tt><br>
<tt>rlm_ldap: performing search in o=data, with filter (uid=test user)</tt><br>
<tt>rlm_ldap: checking if remote access for test user is allowed by dialupAccess</tt><br>
<tt>rlm_ldap: Added the eDirectory password test345 in check items as Cleartext-Password</tt><br>
<tt>rlm_ldap: No default NMAS login sequence</tt><br>
<tt>rlm_ldap: looking for check items in directory...</tt><br>
<tt>rlm_ldap: LDAP attribute radiusAuthType as RADIUS attribute Auth-Type == LDAP</tt><br>
<tt>rlm_ldap: looking for reply items in directory...</tt><br>
<tt>rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute Service-Type = Login-User</tt><br>
<tt>rlm_ldap: user test user authorized to use remote access</tt><br>
<tt>rlm_ldap: ldap_release_conn: Release Id: 0</tt><br>
<tt>++[ldap] returns ok</tt><br>
<tt> rlm_eap: No EAP-Message, not doing EAP</tt><br>
<tt>++[eap] returns noop</tt><br>
<tt>++[unix] returns notfound</tt><br>
<tt>++[files] returns noop</tt><br>
<tt>++[expiration] returns noop</tt><br>
<tt>++[logintime] returns noop</tt><br>
<tt>rlm_pap: Found existing Auth-Type, not changing it.</tt><br>
<tt>++[pap] returns noop</tt><br>
<tt> rad_check_password: Found Auth-Type LDAP</tt><br>
<tt>auth: type "LDAP"</tt><br>
<tt>+- entering group LDAP</tt><br>
<tt>rlm_ldap: - authenticate</tt><br>
<tt>rlm_ldap: login attempt by "test user" with password "test345"</tt><br>
<tt>rlm_ldap: user DN: cn=test user,ou=users,o=data</tt><br>
<tt>rlm_ldap: (re)connect to hamburgauth01.hamburg.mummert.de:389, authentication 1</tt><br>
<tt>rlm_ldap: setting TLS CACert File to /etc/raddb/certs/AUTH-TREE_CA.b64</tt><br>
<tt>rlm_ldap: setting TLS Require Cert to demand</tt><br>
<tt>rlm_ldap: starting TLS</tt><br>
<tt>rlm_ldap: bind as cn=test user,ou=users,o=data/test345 to hamburgauth01.hamburg.mummert.de:389</tt><br>
<tt>rlm_ldap: waiting for bind result ...</tt><br>
<tt>rlm_ldap: Bind was successful</tt><br>
<tt>rlm_ldap: user test user authenticated succesfully</tt><br>
<tt>++[ldap] returns ok</tt><br>
<tt>Login OK: [test user@realm/test345] (from client SMC_GS_LAN port 0)</tt><br>
<tt>+- entering group post-auth</tt><br>
<tt>++[ldap] returns noop</tt><br>
<tt>++[exec] returns noop</tt><br>
<tt>Sending Access-Accept of id 19 to 10.110.9.60 port 57834</tt><br>
<tt> Service-Type = Login-User</tt><br>
<tt>Finished request 0.</tt><br>
<tt>Going to the next request</tt><br>
<tt>Waking up in 4.9 seconds.</tt><br>
<tt>Cleaning up request 0 ID 19 with timestamp +15</tt><br>
<tt>Ready to process requests.</tt><br>
<br>
<br>
<tt>Now changed ntradping to use CHAP, everything else left as before, incl. the password:</tt><br>
<br>
<br>
<tt>rad_recv: Access-Request packet from host 10.110.9.60 port 57851, id=20, length=56</tt><br>
<tt> User-Name = "test user@realm"</tt><br>
<tt> CHAP-Password = 0x161b57b44ca4d299bb697e24be03e881a8</tt><br>
<tt>+- entering group authorize</tt><br>
<tt>++[preprocess] returns ok</tt><br>
<tt> rlm_chap: Setting 'Auth-Type := CHAP'</tt><br>
<tt>++[chap] returns ok</tt><br>
<tt>++[mschap] returns noop</tt><br>
<tt> rlm_realm: Looking up realm "realm" for User-Name = "test user@realm"</tt><br>
<tt> rlm_realm: Found realm "DEFAULT"</tt><br>
<tt> rlm_realm: Adding Stripped-User-Name = "test user"</tt><br>
<tt> rlm_realm: Adding Realm = "DEFAULT"</tt><br>
<tt> rlm_realm: Authentication realm is LOCAL.</tt><br>
<tt>++[suffix] returns noop</tt><br>
<tt>rlm_ldap: - authorize</tt><br>
<tt>rlm_ldap: performing user authorization for test user</tt><br>
<tt>WARNING: Deprecated conditional expansion ":-". See "man unlang" for details</tt><br>
<tt> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test user)</tt><br>
<tt> expand: o=data -> o=data</tt><br>
<tt>rlm_ldap: ldap_get_conn: Checking Id: 0</tt><br>
<tt>rlm_ldap: ldap_get_conn: Got Id: 0</tt><br>
<tt>rlm_ldap: performing search in o=data, with filter (uid=test user)</tt><br>
<tt>rlm_ldap: checking if remote access for test user is allowed by dialupAccess</tt><br>
<tt>rlm_ldap: Added the eDirectory password test345 in check items as Cleartext-Password</tt><br>
<tt>rlm_ldap: No default NMAS login sequence</tt><br>
<tt>rlm_ldap: looking for check items in directory...</tt><br>
<tt>rlm_ldap: LDAP attribute radiusAuthType as RADIUS attribute Auth-Type == LDAP</tt><br>
<tt>rlm_ldap: looking for reply items in directory...</tt><br>
<tt>rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute Service-Type = Login-User</tt><br>
<tt>rlm_ldap: user test user authorized to use remote access</tt><br>
<tt>rlm_ldap: ldap_release_conn: Release Id: 0</tt><br>
<tt>++[ldap] returns ok</tt><br>
<tt> rlm_eap: No EAP-Message, not doing EAP</tt><br>
<tt>++[eap] returns noop</tt><br>
<tt>++[unix] returns notfound</tt><br>
<tt>++[files] returns noop</tt><br>
<tt>++[expiration] returns noop</tt><br>
<tt>++[logintime] returns noop</tt><br>
<tt>rlm_pap: Found existing Auth-Type, not changing it.</tt><br>
<tt>++[pap] returns noop</tt><br>
<tt> rad_check_password: Found Auth-Type LDAP</tt><br>
<tt>auth: type "LDAP"</tt><br>
<tt>+- entering group LDAP</tt><br>
<tt>rlm_ldap: - authenticate</tt><br>
<tt>rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".</tt><br>
<tt>++[ldap] returns invalid</tt><br>
<tt>auth: Failed to validate the user.</tt><br>
<tt>Login incorrect: [test user@realm/&lt;CHAP-Password&gt;] (from client SMC_GS_LAN port 0)</tt><br>
<tt> Found Post-Auth-Type Reject</tt><br>
<tt>+- entering group REJECT</tt><br>
<tt>rlm_ldap: ldap_get_conn: Checking Id: 0</tt><br>
<tt>rlm_ldap: ldap_get_conn: Got Id: 0</tt><br>
<tt>rlm_ldap: attempting LDAP reconnection</tt><br>
<tt>rlm_ldap: (re)connect to hamburgauth01.hamburg.mummert.de:389, authentication 0</tt><br>
<tt>rlm_ldap: setting TLS CACert File to /etc/raddb/certs/AUTH-TREE_CA.b64</tt><br>
<tt>rlm_ldap: setting TLS Require Cert to demand</tt><br>
<tt>rlm_ldap: starting TLS</tt><br>
<tt>rlm_ldap: bind as cn=test user,ou=users,o=data/aest345 to hamburgauth01.hamburg.mummert.de:389</tt><br>
<tt>rlm_ldap: waiting for bind result ...</tt><br>
<tt>rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf</tt><br>
<tt>rlm_ldap: eDirectory account policy check failed.</tt><br>
<tt>rlm_ldap: NDS error: failed authentication (-669)</tt><br>
<tt>rlm_ldap: ldap_release_conn: Release Id: 0</tt><br>
<tt>++[ldap] returns reject</tt><br>
<tt>Delaying reject of request 1 for 1 seconds</tt><br>
<tt>Going to the next request</tt><br>
<tt>Sending delayed reject for request 1</tt><br>
<tt>Sending Access-Reject of id 20 to 10.110.9.60 port 57851</tt><br>
<tt> Service-Type = Login-User</tt><br>
<tt> Reply-Message = "NDS error: failed authentication (-669)"</tt><br>
<tt>Waking up in 2.9 seconds.</tt><br>
<tt>Cleaning up request 1 ID 20 with timestamp +28</tt><br>
<tt>Ready to process requests.</tt><br>
<br>
<br>
<tt>The LDAP bind fails because the password is now "aest345"!!! This happens with whatever password is typed in at the client: the first char is replaced with an "a", so auth always fails. Funnily, if I set the account's password to "abcd345", CHAP tries to authenticate with "bbcd345"... any ideas?</tt><br>
<br>
<tt>Thanks, Lothar</tt><br>
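<br>
<tt>Added example (not part of Lothar's post and not FreeRADIUS code): the trace above shows that the directory's radiusAuthType mapping produces Auth-Type LDAP, which wins over the "Auth-Type := CHAP" that rlm_chap set, and rlm_ldap's authenticate method then complains that it needs User-Password. That complaint is structural, not a bug in the password: an LDAP bind needs the cleartext password, but CHAP-Password only carries a CHAP ident byte and MD5(ident || password || challenge) per RFC 2865 section 5.3, which cannot be turned back into a password. The only thing a server can do with it is recompute the digest from a cleartext password it already holds (the Cleartext-Password check item that rlm_ldap added from eDirectory) and compare. The Python below does that computation. The CHAP-Password value is the one from the trace; the challenge (standing in for the Request Authenticator, which is not in the debug output) and the passwords are constructed sample values.</tt><br>

```python
"""
CHAP verification as a RADIUS server performs it (RFC 1994, RFC 2865 section 5.3).
Added example, not FreeRADIUS code. TRACE_CHAP_PASSWORD is the attribute value
from the debug trace; SAMPLE_AUTHENTICATOR and the passwords are constructed.
"""
import hashlib
import hmac

# CHAP-Password attribute value as printed in the trace:
# one CHAP ident byte (0x16) followed by the 16-byte MD5 response.
TRACE_CHAP_PASSWORD = bytes.fromhex("161b57b44ca4d299bb697e24be03e881a8")

# Constructed 16-byte value standing in for the RADIUS Request Authenticator.
SAMPLE_AUTHENTICATOR = bytes(range(0x10, 0x20))


def parse_chap_password(attr: bytes):
    """Split a CHAP-Password value into (chap_id, response).

    The attribute must be exactly 17 bytes: 1 ident byte + 16-byte MD5 digest.
    """
    if len(attr) != 17:
        raise ValueError(f"CHAP-Password must be 17 bytes, got {len(attr)}")
    return attr[0], attr[1:]


def select_challenge(attrs: dict, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.3: the challenge is CHAP-Challenge if present, otherwise the
    Request Authenticator of the Access-Request (the case in the trace, which
    carries only User-Name and CHAP-Password)."""
    return attrs.get("CHAP-Challenge", request_authenticator)


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """MD5(ident || cleartext password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def encode_chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: what a NAS or a tool like ntradping puts into CHAP-Password."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def verify_chap(attrs: dict, request_authenticator: bytes, cleartext_password: bytes) -> bool:
    """Server side. Requires the cleartext password (in FreeRADIUS terms, the
    Cleartext-Password check item). Nothing here can recover the password from
    the attribute, which is why an LDAP bind as the user cannot check CHAP."""
    try:
        chap_id, response = parse_chap_password(attrs["CHAP-Password"])
    except (KeyError, ValueError):
        return False
    challenge = select_challenge(attrs, request_authenticator)
    expected = chap_response(chap_id, cleartext_password, challenge)
    # Constant-time comparison so a mismatch position is not timing-observable.
    return hmac.compare_digest(expected, response)


def demo():
    """Round trip with constructed values: the client encodes CHAP-Password for
    "test345", the server checks it against the right and a wrong password."""
    password = b"test345"
    attrs = {
        "User-Name": "test user@realm",
        "CHAP-Password": encode_chap_password(0x16, password, SAMPLE_AUTHENTICATOR),
    }
    ok = verify_chap(attrs, SAMPLE_AUTHENTICATOR, password)
    wrong = verify_chap(attrs, SAMPLE_AUTHENTICATOR, b"aest345")
    return ok, wrong


if __name__ == "__main__":
    chap_id, response = parse_chap_password(TRACE_CHAP_PASSWORD)
    print(f"trace CHAP ident: 0x{chap_id:02x}, response: {response.hex()}")
    print("verify with correct / wrong password:", demo())
```

<tt>Running it prints the ident 0x16 and the 16-byte response parsed from the trace's CHAP-Password, then (True, False) for the constructed round trip. The trace value itself cannot be verified here because the Request Authenticator of that packet is not in the debug output.</tt><br>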
</body></html>