<html><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><META name="Author" content="Novell GroupWise WebAccess"></head><body style='font-family: Tahoma, sans-serif; font-size: 13px; '><DIV>OK. I'm stuck. I don't understand what I am doing wrong.</DIV>
<DIV>I have installed freeradius with version 2.1.1-6.1 for SLE 10 SP2.</DIV>
<DIV>I fumbled my way through LDAP authentication to edirectory (probably in all the wrong ways I'm sure).</DIV>
<DIV>The issue I have now is that the attributes I set in the user file:</DIV>
<DIV> </DIV>
<DIV>DEFAULT Huntgroup-Name == WirelessGear, Ldap-Group == "cn=WirelessAllowed,o=integrity"</DIV>
<DIV> Tunnel-Type = VLAN,</DIV>
<DIV> Tunnel-Medium-Type = IEEE-802,</DIV>
<DIV> Tunnel-Private-Group-Id = 10</DIV>
<DIV> </DIV>
<DIV>The attributes are not included in the Access-Accept when using radtest or an XP workstation using the Novell 802.1x client.</DIV>
<DIV>Below is the debug:</DIV>
<DIV> </DIV>
<DIV>rad_recv: Access-Request packet from host 10.1.0.24 port 32888, id=30, length=59<BR> User-Name = "testuser"<BR> User-Password = "password"<BR> NAS-IP-Address = 10.1.0.24<BR> NAS-Port = 0<BR>+- entering group authorize {...}<BR>++[preprocess] returns ok<BR>[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.1.0.24/auth-detail-20090725<BR>[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.24/auth-detail-20090725<BR>[auth_log] expand: %t -> Sat Jul 25 08:20:43 2009<BR>++[auth_log] returns ok<BR>++[chap] returns noop<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "testuser", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[eap] No EAP-Message, not doing EAP<BR>++[eap] returns noop<BR>++[unix] returns notfound<BR>++[files] returns noop<BR>[ldap] performing user authorization for testuser<BR>[ldap] expand: %{Stripped-User-Name} -> <BR>[ldap] expand: %{User-Name} -> testuser<BR>[ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=testuser)<BR>[ldap] expand: o=integrity -> o=integrity<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: attempting LDAP reconnection<BR>rlm_ldap: (re)connect to oes1.nteg.net:389, authentication 0<BR>rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64<BR>rlm_ldap: starting TLS<BR>rlm_ldap: bind as cn=ldapuser,o=integrity/ldappass to oes1.nteg.net:389<BR>rlm_ldap: waiting for bind result ...<BR>rlm_ldap: Bind was successful<BR>rlm_ldap: performing search in o=integrity, with filter (cn=testuser)<BR>[ldap] Added the eDirectory password password in check items as Cleartext-Password<BR>[ldap] looking for check items in directory...<BR>[ldap] looking for reply items in directory...<BR>[ldap] user testuser authorized to use remote access<BR>rlm_ldap: ldap_release_conn: Release 
Id: 0<BR>++[ldap] returns ok<BR>++[expiration] returns noop<BR>++[logintime] returns noop<BR>WARNING: Please update your configuration, and remove 'Auth-Type = Local'<BR>WARNING: Use the PAP or CHAP modules instead.<BR>User-Password in the request is correct.<BR>+- entering group post-auth {...}<BR>[reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/10.1.0.24/reply-detail-20090725<BR>[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.24/reply-detail-20090725<BR>[reply_log] expand: %t -> Sat Jul 25 08:20:43 2009<BR>++[reply_log] returns ok<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: attempting LDAP reconnection<BR>rlm_ldap: (re)connect to oes1.nteg.net:389, authentication 0<BR>rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64<BR>rlm_ldap: starting TLS<BR>rlm_ldap: bind as cn=testuser,o=integrity/password to oes1.nteg.net:389<BR>rlm_ldap: waiting for bind result ...<BR>rlm_ldap: Bind was successful<BR>rlm_ldap: ldap_release_conn: Release Id: 0<BR>++[ldap] returns ok<BR>++[exec] returns noop<BR>Sending Access-Accept of id 30 to 10.1.0.24 port 32888<BR>Finished request 0.<BR>Going to the next request<BR>Waking up in 4.9 seconds.<BR>Cleaning up request 0 ID 30 with timestamp +27<BR>Ready to process requests.</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>However, when I use an XP client with no Novell client, or ntradping, I see the attributes and I am assigned the correct VLAN.</DIV>
<DIV>Here is the debug below:</DIV>
<DIV> </DIV>
<DIV>rad_recv: Access-Request packet from host 10.1.0.5 port 1541, id=6, length=48<BR> User-Name = "testuser"<BR> CHAP-Password = 0xa734db980a0367669cce38acbf8badf1bc<BR>+- entering group authorize {...}<BR>++[preprocess] returns ok<BR>[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.1.0.5/auth-detail-20090725<BR>[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.5/auth-detail-20090725<BR>[auth_log] expand: %t -> Sat Jul 25 08:18:16 2009<BR>++[auth_log] returns ok<BR>[chap] Setting 'Auth-Type := CHAP'<BR>++[chap] returns ok<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "testuser", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[eap] No EAP-Message, not doing EAP<BR>++[eap] returns noop<BR>++[unix] returns notfound<BR>rlm_ldap: Entering ldap_groupcmp()<BR>[files] expand: o=integrity -> o=integrity<BR>[files] expand: %{Stripped-User-Name} -> <BR>[files] expand: %{User-Name} -> testuser<BR>[files] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=testuser)<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: attempting LDAP reconnection<BR>rlm_ldap: (re)connect to oes1.nteg.net:389, authentication 0<BR>rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64<BR>rlm_ldap: starting TLS<BR>rlm_ldap: bind as cn=ldapuser,o=integrity/ldappass to oes1.nteg.net:389<BR>rlm_ldap: waiting for bind result ...<BR>rlm_ldap: Bind was successful<BR>rlm_ldap: performing search in o=integrity, with filter (cn=testuser)<BR>rlm_ldap: ldap_release_conn: Release Id: 0<BR>[files] expand: (|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{check:Ldap-UserDn}))) -> 
(|(&(objectClass=GroupOfNames)(member=cn\3dtestuser\2co\3dintegrity))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtestuser\2co\3dintegrity)))<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: performing search in cn=WirelessDisabled,o=integrity, with filter (|(&(objectClass=GroupOfNames)(member=cn\3dtestuser\2co\3dintegrity))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtestuser\2co\3dintegrity)))<BR>rlm_ldap: object not found or got ambiguous search result<BR>rlm_ldap: ldap_release_conn: Release Id: 0<BR>rlm_ldap::ldap_groupcmp: Group cn=WirelessDisabled,o=integrity not found or user is not a member.<BR>rlm_ldap: Entering ldap_groupcmp()<BR>[files] expand: o=integrity -> o=integrity<BR>[files] expand: (|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{check:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dtestuser\2co\3dintegrity))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtestuser\2co\3dintegrity)))<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: performing search in cn=WirelessAllowed,o=integrity, with filter (|(&(objectClass=GroupOfNames)(member=cn\3dtestuser\2co\3dintegrity))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtestuser\2co\3dintegrity)))<BR>rlm_ldap::ldap_groupcmp: User found in group cn=WirelessAllowed,o=integrity<BR>rlm_ldap: ldap_release_conn: Release Id: 0<BR>[files] users: Matched entry DEFAULT at line 4<BR>++[files] returns ok<BR>[ldap] performing user authorization for testuser<BR>[ldap] expand: %{Stripped-User-Name} -> <BR>[ldap] expand: %{User-Name} -> testuser<BR>[ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=testuser)<BR>[ldap] expand: o=integrity -> o=integrity<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: performing search in o=integrity, with filter (cn=testuser)<BR>[ldap] Added 
the eDirectory password password in check items as Cleartext-Password<BR>[ldap] looking for check items in directory...<BR>[ldap] looking for reply items in directory...<BR>[ldap] user testuser authorized to use remote access<BR>rlm_ldap: ldap_release_conn: Release Id: 0<BR>++[ldap] returns ok<BR>++[expiration] returns noop<BR>++[logintime] returns noop<BR>Found Auth-Type = CHAP<BR>+- entering group CHAP {...}<BR>[chap] login attempt by "testuser" with CHAP password<BR>[chap] Using clear text password "password" for user testuser authentication.<BR>[chap] chap user testuser authenticated succesfully<BR>++[chap] returns ok<BR>+- entering group post-auth {...}<BR>[reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/10.1.0.5/reply-detail-20090725<BR>[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.5/reply-detail-20090725<BR>[reply_log] expand: %t -> Sat Jul 25 08:18:16 2009<BR>++[reply_log] returns ok<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: attempting LDAP reconnection<BR>rlm_ldap: (re)connect to oes1.nteg.net:389, authentication 0<BR>rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64<BR>rlm_ldap: starting TLS<BR>rlm_ldap: bind as cn=testuser,o=integrity/password to oes1.nteg.net:389<BR>rlm_ldap: waiting for bind result ...<BR>rlm_ldap: Bind was successful<BR>rlm_ldap: ldap_release_conn: Release Id: 0<BR>++[ldap] returns ok<BR>++[exec] returns noop<BR>Sending Access-Accept of id 6 to 10.1.0.5 port 1541<BR> Service-Type = Login-User<BR> Tunnel-Type:0 == VLAN<BR> Tunnel-Medium-Type:0 == IEEE-802<BR> Tunnel-Private-Group-Id:0 == "10"<BR>Finished request 0.<BR>Going to the next request<BR>Waking up in 4.9 seconds.<BR>Cleaning up request 0 ID 6 with timestamp +9<BR>Ready to process requests.</DIV>
<DIV> </DIV>
<DIV>I will not even pretend to know what I am doing wrong.</DIV>
<DIV>I don't understand why I receive the following errors as well:</DIV>
<DIV>WARNING: Please update your configuration, and remove 'Auth-Type = Local'<BR>WARNING: Use the PAP or CHAP modules instead.<BR></DIV>
<DIV>This is all that is in the users file and I cannot find Auth-Type = Local in any other file:</DIV>
<DIV> </DIV>
<DIV>DEFAULT Huntgroup-Name == WirelessGear, Ldap-Group == "cn=WirelessAllowed,o=integrity"<BR> Tunnel-Type = VLAN,<BR> Tunnel-Medium-Type = IEEE-802,<BR> Tunnel-Private-Group-Id = 10</DIV>
<DIV> </DIV>
<DIV>Thank you in advance for your time and patience.</DIV></body></html>
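A small triage script, added here and not part of the original post or of FreeRADIUS, that parses FreeRADIUS 2.x debug output like the two runs quoted above into request attributes, per-module return codes, the matched users entry, whether ldap_groupcmp ran, and the reply attributes, then diffs a working run against a failing one. The sample text is a constructed, abridged excerpt of the post's own debug output, and the function names are my own.

```python
import re
# Constructed, abridged excerpts of the two debug runs in the post (radtest/PAP vs CHAP).
RUN_PAP = """rad_recv: Access-Request packet from host 10.1.0.24 port 32888, id=30, length=59
 User-Name = "testuser"
 NAS-IP-Address = 10.1.0.24
++[preprocess] returns ok
++[files] returns noop
Sending Access-Accept of id 30 to 10.1.0.24 port 32888"""
RUN_CHAP = """rad_recv: Access-Request packet from host 10.1.0.5 port 1541, id=6, length=48
 User-Name = "testuser"
++[preprocess] returns ok
rlm_ldap::ldap_groupcmp: User found in group cn=WirelessAllowed,o=integrity
[files] users: Matched entry DEFAULT at line 4
++[files] returns ok
Sending Access-Accept of id 6 to 10.1.0.5 port 1541
 Tunnel-Type:0 == VLAN
 Tunnel-Private-Group-Id:0 == "10\""""

RC_RE = re.compile(r"^\+\+\[(\w+)\] returns (\w+)$")
ATTR_RE = re.compile(r"^\s+([\w-]+)(?::\d+)? ==? (.+)$")
MATCH_RE = re.compile(r"^\[files\] users: Matched entry (\S+) at line (\d+)$")

def parse_debug(text):
    """Summarise one request: request attrs, module rcs, matched users entry, group check, reply attrs."""
    s = {"request": {}, "rcs": {}, "matched": None, "groupcmp": False, "reply": {}}
    section = None  # "request" or "reply" while inside an indented attribute list
    for line in text.splitlines():
        if m := ATTR_RE.match(line):  # indented "Attr = value" line
            if section:
                s[section][m.group(1)] = m.group(2).strip('"')
        elif line.startswith("rad_recv:"):
            section = "request"
        elif line.startswith("Sending Access-"):
            section, s["reply_type"] = "reply", line.split()[1]
        elif m := RC_RE.match(line):
            s["rcs"][m.group(1)] = m.group(2)
        elif m := MATCH_RE.match(line):
            s["matched"] = (m.group(1), int(m.group(2)))
        elif "ldap_groupcmp" in line:
            s["groupcmp"] = True
        else:  # any other unindented line ends an attribute list
            section = None
    return s

def compare_runs(good, bad):
    """Reply attrs present in `good` but not `bad`, and modules whose return code differs."""
    attrs = sorted(set(good["reply"]) - set(bad["reply"]))
    rcs = {m: (good["rcs"].get(m), bad["rcs"].get(m)) for m in sorted(set(good["rcs"]) | set(bad["rcs"]))
           if good["rcs"].get(m) != bad["rcs"].get(m)}
    return attrs, rcs
```

Running `compare_runs(parse_debug(RUN_CHAP), parse_debug(RUN_PAP))` reports the missing Tunnel-* attributes together with `files` returning `ok` in one run and `noop` in the other, which points the investigation at why the users entry (and its Huntgroup-Name / Ldap-Group checks) matched for one NAS and not the other.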