All friends:<div><br><div> I'm trying to setup freeradius against ldap and getting problems.</div><div><br></div><div>pap against LDAP works find,but others can not works find (eg:mschap) .</div></div><div><br></div>
<div>It mess up me .... </div><div><br></div><div><br></div><div>My debug info:</div><div><div>[root@image_server raddb]# /usr/sbin/radiusd -X</div><div>FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Oct 2 2012 at 21:32:33</div>
<div>Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. </div><div>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A </div><div>PARTICULAR PURPOSE. </div><div>You may redistribute copies of FreeRADIUS under the terms of the </div>
<div>GNU General Public License v2. </div><div>Starting - reading configuration files ...</div><div>including configuration file /etc/raddb/radiusd.conf</div><div>including configuration file /etc/raddb/proxy.conf</div><div>
including configuration file /etc/raddb/clients.conf</div><div>including files in directory /etc/raddb/modules/</div><div>including configuration file /etc/raddb/modules/linelog</div><div>including configuration file /etc/raddb/modules/sqlcounter_expire_on_login</div>
<div>including configuration file /etc/raddb/modules/mac2ip</div><div>including configuration file /etc/raddb/modules/<a href="http://detail.example.com">detail.example.com</a></div><div>including configuration file /etc/raddb/modules/always</div>
<div>including configuration file /etc/raddb/modules/acct_unique</div><div>including configuration file /etc/raddb/modules/dynamic_clients</div><div>including configuration file /etc/raddb/modules/detail</div><div>including configuration file /etc/raddb/modules/attr_filter</div>
<div>including configuration file /etc/raddb/modules/sql_log</div><div>including configuration file /etc/raddb/modules/ntlm_auth</div><div>including configuration file /etc/raddb/modules/inner-eap</div><div>including configuration file /etc/raddb/modules/cui</div>
<div>including configuration file /etc/raddb/modules/logintime</div><div>including configuration file /etc/raddb/modules/soh</div><div>including configuration file /etc/raddb/modules/mac2vlan</div><div>including configuration file /etc/raddb/modules/ippool</div>
<div>including configuration file /etc/raddb/modules/attr_rewrite</div><div>including configuration file /etc/raddb/modules/replicate</div><div>including configuration file /etc/raddb/modules/checkval</div><div>including configuration file /etc/raddb/modules/rediswho</div>
<div>including configuration file /etc/raddb/modules/opendirectory</div><div>including configuration file /etc/raddb/modules/detail.log</div><div>including configuration file /etc/raddb/modules/ldap</div><div>including configuration file /etc/raddb/modules/counter</div>
<div>including configuration file /etc/raddb/modules/files</div><div>including configuration file /etc/raddb/modules/smbpasswd</div><div>including configuration file /etc/raddb/modules/echo</div><div>including configuration file /etc/raddb/modules/perl</div>
<div>including configuration file /etc/raddb/modules/pam</div><div>including configuration file /etc/raddb/modules/expr</div><div>including configuration file /etc/raddb/modules/pap</div><div>including configuration file /etc/raddb/modules/mschap</div>
<div>including configuration file /etc/raddb/modules/unix</div><div>including configuration file /etc/raddb/modules/smsotp</div><div>including configuration file /etc/raddb/modules/sradutmp</div><div>including configuration file /etc/raddb/modules/expiration</div>
<div>including configuration file /etc/raddb/modules/redis</div><div>including configuration file /etc/raddb/modules/wimax</div><div>including configuration file /etc/raddb/modules/chap</div><div>including configuration file /etc/raddb/modules/passwd</div>
<div>including configuration file /etc/raddb/modules/preprocess</div><div>including configuration file /etc/raddb/modules/policy</div><div>including configuration file /etc/raddb/modules/realm</div><div>including configuration file /etc/raddb/modules/otp</div>
<div>including configuration file /etc/raddb/modules/radutmp</div><div>including configuration file /etc/raddb/modules/etc_group</div><div>including configuration file /etc/raddb/modules/exec</div><div>including configuration file /etc/raddb/modules/digest</div>
<div>including configuration file /etc/raddb/eap.conf</div><div>including configuration file /etc/raddb/policy.conf</div><div>including files in directory /etc/raddb/sites-enabled/</div><div>including configuration file /etc/raddb/sites-enabled/default</div>
<div>main {</div><div> user = "radiusd"</div><div> group = "radiusd"</div><div> allow_core_dumps = no</div><div>}</div><div>including dictionary file /etc/raddb/dictionary</div><div>
main {</div><div> name = "radiusd"</div><div> prefix = "/usr"</div><div> localstatedir = "/var"</div><div> sbindir = "/usr/sbin"</div><div> logdir = "/var/log/radius"</div>
<div> run_dir = "/var/run/radiusd"</div><div> libdir = "/usr/lib/freeradius"</div><div> radacctdir = "/var/log/radius/radacct"</div><div> hostname_lookups = no</div>
<div> max_request_time = 30</div><div> cleanup_delay = 5</div><div> max_requests = 1024</div><div> pidfile = "/var/run/radiusd/radiusd.pid"</div><div> checkrad = "/usr/sbin/checkrad"</div>
<div> debug_level = 0</div><div> proxy_requests = yes</div><div> log {</div><div> stripped_names = no</div><div> auth = no</div><div> auth_badpass = no</div><div> auth_goodpass = no</div>
<div> }</div><div> security {</div><div> max_attributes = 200</div><div> reject_delay = 1</div><div> status_server = yes</div><div> }</div><div>}</div><div>radiusd: #### Loading Realms and Home Servers ####</div>
<div> proxy server {</div><div> retry_delay = 5</div><div> retry_count = 3</div><div> default_fallback = no</div><div> dead_time = 120</div><div> wake_all_if_all_dead = no</div><div> }</div>
<div> home_server localhost {</div><div> ipaddr = 127.0.0.1</div><div> port = 1812</div><div> type = "auth"</div><div> secret = "testing123"</div><div> response_window = 20</div>
<div> max_outstanding = 65536</div><div> require_message_authenticator = yes</div><div> zombie_period = 40</div><div> status_check = "status-server"</div><div> ping_interval = 30</div>
<div> check_interval = 30</div><div> num_answers_to_alive = 3</div><div> num_pings_to_alive = 3</div><div> revive_interval = 120</div><div> status_check_timeout = 4</div><div> coa {</div>
<div> irt = 2</div><div> mrt = 16</div><div> mrc = 5</div><div> mrd = 30</div><div> }</div><div> }</div><div> home_server_pool my_auth_failover {</div><div> type = fail-over</div><div> home_server = localhost</div>
<div> }</div><div> realm <a href="http://example.com">example.com</a> {</div><div> auth_pool = my_auth_failover</div><div> }</div><div> realm LOCAL {</div><div> }</div><div>radiusd: #### Loading Clients ####</div><div>
client localhost {</div><div> ipaddr = 172.19.88.94</div><div> require_message_authenticator = no</div><div> secret = "testing123"</div><div> nastype = "other"</div><div> }</div>
<div> client <a href="http://172.19.109.0/24">172.19.109.0/24</a> {</div><div> require_message_authenticator = yes</div><div> secret = "****"</div><div> shortname = "hillstone_vpn_device"</div>
<div> nastype = "other"</div><div> }</div><div>radiusd: #### Instantiating modules ####</div><div> instantiate {</div><div> Module: Linked to module rlm_exec</div><div> Module: Instantiating module "exec" from file /etc/raddb/modules/exec</div>
<div> exec {</div><div> wait = no</div><div> input_pairs = "request"</div><div> shell_escape = yes</div><div> }</div><div> Module: Linked to module rlm_expr</div><div> Module: Instantiating module "expr" from file /etc/raddb/modules/expr</div>
<div> Module: Linked to module rlm_expiration</div><div> Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration</div><div> expiration {</div><div> reply-message = "Password Has Expired "</div>
<div> }</div><div> Module: Linked to module rlm_logintime</div><div> Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime</div><div> logintime {</div><div> reply-message = "You are calling outside your allowed timespan "</div>
<div> minimum-timeout = 60</div><div> }</div><div> }</div><div>radiusd: #### Loading Virtual Servers ####</div><div>server { # from file /etc/raddb/radiusd.conf</div><div> modules {</div><div> Module: Creating Auth-Type = digest</div>
<div> Module: Creating Auth-Type = LDAP</div><div> Module: Creating Post-Auth-Type = REJECT</div><div> Module: Checking authenticate {...} for more modules to load</div><div> Module: Linked to module rlm_pap</div><div> Module: Instantiating module "pap" from file /etc/raddb/modules/pap</div>
<div> pap {</div><div> encryption_scheme = "auto"</div><div> auto_header = no</div><div> }</div><div> Module: Linked to module rlm_chap</div><div> Module: Instantiating module "chap" from file /etc/raddb/modules/chap</div>
<div> Module: Linked to module rlm_mschap</div><div> Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap</div><div> mschap {</div><div> use_mppe = yes</div><div> require_encryption = no</div>
<div> require_strong = no</div><div> with_ntdomain_hack = no</div><div> allow_retry = yes</div><div> }</div><div> Module: Linked to module rlm_digest</div><div> Module: Instantiating module "digest" from file /etc/raddb/modules/digest</div>
<div> Module: Linked to module rlm_unix</div><div> Module: Instantiating module "unix" from file /etc/raddb/modules/unix</div><div> unix {</div><div> radwtmp = "/var/log/radius/radwtmp"</div><div>
}</div><div> Module: Linked to module rlm_ldap</div><div> Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap</div><div> ldap {</div><div> server = "***.***.***.***" <- my ldap server</div>
<div> port = 389</div><div> password = "***"</div><div> identity = "cn=admin,dc=****,dc=com"</div><div> net_timeout = 1</div><div> timeout = 4</div><div> timelimit = 3</div>
<div> tls_mode = no</div><div> start_tls = no</div><div> tls_require_cert = "allow"</div><div> tls {</div><div> start_tls = no</div><div> require_cert = "allow"</div>
<div> }</div><div> basedn = "dc=****,dc=com"</div><div> filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"</div><div> base_filter = "(objectclass=person)"</div><div>
auto_header = no</div><div> access_attr_used_for_allow = yes</div><div> groupname_attribute = "cn"</div><div> groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"</div>
<div> groupmembership_attribute = "radius_users"</div><div> dictionary_mapping = "/etc/raddb/ldap.attrmap"</div><div> ldap_debug = 0</div><div> ldap_connections_number = 5</div>
<div> compare_check_items = no</div><div> do_xlat = yes</div><div> set_auth_type = yes</div><div> keepalive {</div><div> interval = 3</div><div> }</div><div> }</div><div>rlm_ldap: Registering ldap_groupcmp for Ldap-Group</div>
<div>rlm_ldap: Registering ldap_xlat with xlat_name ldap</div><div>rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap</div><div>rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$</div>
<div>rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$</div><div>rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type</div><div>rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use</div><div>
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id</div><div>rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id</div><div>rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password</div>
<div>rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header</div><div>rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT</div><div>rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration</div><div>
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address</div><div>rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type</div><div>rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol</div>
<div>rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address</div><div>rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask</div><div>rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route</div>
<div>rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing</div><div>rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id</div><div>rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU</div><div>rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression</div>
<div>rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host</div><div>rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service</div><div>rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port</div>
<div>rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number</div><div>rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id</div><div>rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network</div>
<div>rlm_ldap: LDAP radiusClass mapped to RADIUS Class</div><div>rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout</div><div>rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout</div><div>rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action</div>
<div>rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service</div><div>rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node</div><div>rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group</div>
<div>rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link</div><div>rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network</div><div>rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone</div>
<div>rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit</div><div>rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port</div><div>rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message</div><div>
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type</div><div>rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type</div><div>rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id</div>
<div>rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password</div><div>rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password</div><div>rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password</div><div>conns: 0x940deb0</div>
<div> Module: Linked to module rlm_eap</div><div> Module: Instantiating module "eap" from file /etc/raddb/eap.conf</div><div> eap {</div><div> default_eap_type = "md5"</div><div> timer_expire = 60</div>
<div> ignore_unknown_eap_types = no</div><div> cisco_accounting_username_bug = no</div><div> max_sessions = 4096</div><div> }</div><div> Module: Linked to sub-module rlm_eap_md5</div><div> Module: Instantiating eap-md5</div>
<div> Module: Linked to sub-module rlm_eap_leap</div><div> Module: Instantiating eap-leap</div><div> Module: Linked to sub-module rlm_eap_gtc</div><div> Module: Instantiating eap-gtc</div><div> gtc {</div><div> challenge = "Password: "</div>
<div> auth_type = "PAP"</div><div> }</div><div> Module: Linked to sub-module rlm_eap_tls</div><div> Module: Instantiating eap-tls</div><div> tls {</div><div> rsa_key_exchange = no</div><div> dh_key_exchange = yes</div>
<div> rsa_key_length = 512</div><div> dh_key_length = 512</div><div> verify_depth = 0</div><div> CA_path = "/etc/raddb/certs"</div><div> pem_file_type = yes</div><div> private_key_file = "/etc/raddb/certs/yuwanfu.key"</div>
<div> certificate_file = "/etc/raddb/certs/yuwanfu.crt"</div><div> CA_file = "/etc/raddb/certs/ca.pem"</div><div> private_key_password = "manifold"</div><div> dh_file = "/etc/raddb/certs/dh"</div>
<div> random_file = "/etc/raddb/certs/random"</div><div> fragment_size = 1024</div><div> include_length = yes</div><div> check_crl = no</div><div> cipher_list = "DEFAULT"</div>
<div> cache {</div><div> enable = no</div><div> lifetime = 24</div><div> max_entries = 255</div><div> }</div><div> verify {</div><div> }</div><div> ocsp {</div><div> enable = no</div>
<div> override_cert_url = yes</div><div> url = "<a href="http://127.0.0.1/ocsp/">http://127.0.0.1/ocsp/</a>"</div><div> }</div><div> }</div><div> Module: Linked to sub-module rlm_eap_ttls</div>
<div> Module: Instantiating eap-ttls</div><div> ttls {</div><div> default_eap_type = "md5"</div><div> copy_request_to_tunnel = no</div><div> use_tunneled_reply = no</div><div> virtual_server = "inner-tunnel"</div>
<div> include_length = yes</div><div> }</div><div> Module: Linked to sub-module rlm_eap_peap</div><div> Module: Instantiating eap-peap</div><div> peap {</div><div> default_eap_type = "mschapv2"</div>
<div> copy_request_to_tunnel = no</div><div> use_tunneled_reply = no</div><div> proxy_tunneled_request_as_eap = yes</div><div> virtual_server = "inner-tunnel"</div><div> soh = no</div>
<div> }</div><div> Module: Linked to sub-module rlm_eap_mschapv2</div><div> Module: Instantiating eap-mschapv2</div><div> mschapv2 {</div><div> with_ntdomain_hack = no</div><div> send_error = no</div><div>
}</div><div> Module: Checking authorize {...} for more modules to load</div><div> Module: Linked to module rlm_preprocess</div><div> Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess</div>
<div> preprocess {</div><div> huntgroups = "/etc/raddb/huntgroups"</div><div> hints = "/etc/raddb/hints"</div><div> with_ascend_hack = no</div><div> ascend_channels_per_line = 23</div>
<div> with_ntdomain_hack = no</div><div> with_specialix_jetstream_hack = no</div><div> with_cisco_vsa_hack = no</div><div> with_alvarion_vsa_hack = no</div><div> }</div><div> Module: Linked to module rlm_realm</div>
<div> Module: Instantiating module "suffix" from file /etc/raddb/modules/realm</div><div> realm suffix {</div><div> format = "suffix"</div><div> delimiter = "@"</div><div> ignore_default = no</div>
<div> ignore_null = no</div><div> }</div><div> Module: Linked to module rlm_files</div><div> Module: Instantiating module "files" from file /etc/raddb/modules/files</div><div> files {</div><div> usersfile = "/etc/raddb/users"</div>
<div> acctusersfile = "/etc/raddb/acct_users"</div><div> preproxy_usersfile = "/etc/raddb/preproxy_users"</div><div> compat = "no"</div><div> }</div><div> Module: Checking preacct {...} for more modules to load</div>
<div> Module: Linked to module rlm_acct_unique</div><div> Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique</div><div> acct_unique {</div><div> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"</div>
<div> }</div><div> Module: Checking accounting {...} for more modules to load</div><div> Module: Linked to module rlm_detail</div><div> Module: Instantiating module "detail" from file /etc/raddb/modules/detail</div>
<div> detail {</div><div> detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"</div><div> header = "%t"</div><div> detailperm = 384</div>
<div> dirperm = 493</div><div> locking = no</div><div> log_packet_header = no</div><div> }</div><div> Module: Linked to module rlm_radutmp</div><div> Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp</div>
<div> radutmp {</div><div> filename = "/var/log/radius/radutmp"</div><div> username = "%{User-Name}"</div><div> case_sensitive = yes</div><div> check_with_nas = yes</div><div>
perm = 384</div><div> callerid = yes</div><div> }</div><div> Module: Linked to module rlm_attr_filter</div><div> Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter</div>
<div> attr_filter attr_filter.accounting_response {</div><div> attrsfile = "/etc/raddb/attrs.accounting_response"</div><div> key = "%{User-Name}"</div><div> relaxed = no</div><div>
}</div><div> Module: Checking session {...} for more modules to load</div><div> Module: Checking post-proxy {...} for more modules to load</div><div> Module: Checking post-auth {...} for more modules to load</div><div> Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter</div>
<div> attr_filter attr_filter.access_reject {</div><div> attrsfile = "/etc/raddb/attrs.access_reject"</div><div> key = "%{User-Name}"</div><div> relaxed = no</div><div> }</div><div>
} # modules</div><div>} # server</div><div>radiusd: #### Opening IP addresses and Ports ####</div><div>listen {</div><div> type = "auth"</div><div> ipaddr = *</div><div> port = 0</div><div>
}</div><div>listen {</div><div> type = "acct"</div><div> ipaddr = *</div><div> port = 0</div><div>}</div><div> ... adding new socket proxy address * port 7291</div><div>Listening on authentication address * port 1812</div>
<div>Listening on accounting address * port 1813</div><div>Listening on proxy address * port 1814</div><div>Ready to process requests.</div></div><div><br></div><div><br></div><div><br></div><div>auth-type:pap</div><div><br>
</div><div><div>[root@image_server raddb]# radtest -t pap zengyueming 12345 172.19.88.94 0 testing123</div><div>Sending Access-Request of id 178 to 172.19.88.94 port 1812</div><div> User-Name = "zengyueming"</div>
<div> User-Password = "12345"</div><div> NAS-IP-Address = 172.19.88.94</div><div> NAS-Port = 0</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div><div>rad_recv: Access-Accept packet from host 172.19.88.94 port 1812, id=178, length=20</div>
</div><div><br></div><div>debug info:</div><div><div>rad_recv: Access-Request packet from host 172.19.88.94 port 7292, id=178, length=81</div><div> User-Name = "zengyueming"</div><div> User-Password = "12345"</div>
<div> NAS-IP-Address = 172.19.88.94</div><div> NAS-Port = 0</div><div> Message-Authenticator = 0xfcd39a49c0c669ad844baf9d58fda87a</div><div># Executing section authorize from file /etc/raddb/sites-enabled/default</div>
<div>+- entering group authorize {...}</div><div>++[preprocess] returns ok</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "zengyueming", looking up realm NULL</div>
<div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] No EAP-Message, not doing EAP</div><div>++[eap] returns noop</div><div>[files] users: Matched entry DEFAULT at line 205</div><div>
++[files] returns ok</div><div>[ldap] performing user authorization for zengyueming</div><div>[ldap] expand: %{Stripped-User-Name} -> </div><div>[ldap] ... expanding second conditional</div><div>[ldap] expand: %{User-Name} -> zengyueming</div>
<div>[ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=zengyueming)</div><div>[ldap] expand: dc=***,dc=com -> dc=***,dc=com</div><div> [ldap] ldap_get_conn: Checking Id: 0</div><div> [ldap] ldap_get_conn: Got Id: 0</div>
<div> [ldap] performing search in dc=***,dc=com, with filter (cn=zengyueming)</div><div>[ldap] looking for check items in directory...</div><div> [ldap] userPassword -> Cleartext-Password == "{MD5}85Q3W/VY9rt11BfdBNzdfQ=="</div>
<div> [ldap] userPassword -> Password-With-Header == "{MD5}85Q3W/VY9rt11BfdBNzdfQ=="</div><div>[ldap] looking for reply items in directory...</div><div>[ldap] user zengyueming authorized to use remote access</div>
<div> [ldap] ldap_release_conn: Release Id: 0</div><div>++[ldap] returns ok</div><div>++[expiration] returns noop</div><div>++[logintime] returns noop</div><div>[pap] WARNING: Auth-Type already set. Not setting to PAP</div>
<div>++[pap] returns noop</div><div>Found Auth-Type = LDAP</div><div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group LDAP {...}</div><div>[ldap] login attempt by "zengyueming" with password "12345"</div>
<div>[ldap] user DN: cn=zengyueming,dc=***,dc=com</div><div> [ldap] (re)connect to <a href="http://121.14.36.18:389">121.14.36.18:389</a>, authentication 1</div><div> [ldap] bind as cn=zengyueming,dc=***,dc=com/12345 to <a href="http://121.14.36.18:389">121.14.36.18:389</a></div>
<div> [ldap] waiting for bind result ...</div><div> [ldap] Bind was successful</div><div>[ldap] user zengyueming authenticated succesfully</div><div>++[ldap] returns ok</div><div># Executing section post-auth from file /etc/raddb/sites-enabled/default</div>
<div>+- entering group post-auth {...}</div><div>++[exec] returns noop</div><div>Sending Access-Accept of id 178 to 172.19.88.94 port 7292</div><div>Finished request 2.</div><div>Going to the next request</div><div>Cleaning up request 1 ID 235 with timestamp +187</div>
<div>Waking up in 4.9 seconds.</div><div>Cleaning up request 2 ID 178 with timestamp +192</div><div>Ready to process requests.</div></div><div><br></div><div><br></div><div><br></div><div>ayth-type:mschap</div><div><div>[root@image_server raddb]# radtest -t mschap zengyueming *** 172.19.88.94 0 testing123 </div>
<div>Sending Access-Request of id 105 to 172.19.88.94 port 1812</div><div> User-Name = "zengyueming"</div><div> NAS-IP-Address = 172.19.88.94</div><div> NAS-Port = 0</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div>
<div> MS-CHAP-Challenge = 0x5c860a588b7838bd</div><div> MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000050415ad773b0c365d4d2b9904f8cddb8868f7fdb6f1b8232</div><div>rad_recv: Access-Reject packet from host 172.19.88.94 port 1812, id=105, length=38</div>
<div> MS-CHAP-Error = "\000E=691 R=1"</div></div><div><br></div><div><br></div><div>debug info:</div><div><div>rad_recv: Access-Request packet from host 172.19.88.94 port 7292, id=105, length=137</div><div>
User-Name = "zengyueming"</div><div> NAS-IP-Address = 172.19.88.94</div><div> NAS-Port = 0</div><div> Message-Authenticator = 0x783862198b00104a3473e7fd4ed0f6f3</div><div> MS-CHAP-Challenge = 0x5c860a588b7838bd</div>
<div> MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000050415ad773b0c365d4d2b9904f8cddb8868f7fdb6f1b8232</div><div># Executing section authorize from file /etc/raddb/sites-enabled/default</div>
<div>+- entering group authorize {...}</div><div>++[preprocess] returns ok</div><div>++[chap] returns noop</div><div>[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'</div><div>++[mschap] returns ok</div>
<div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "zengyueming", looking up realm NULL</div><div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] No EAP-Message, not doing EAP</div>
<div>++[eap] returns noop</div><div>[files] users: Matched entry DEFAULT at line 205</div><div>++[files] returns ok</div><div>[ldap] performing user authorization for zengyueming</div><div>[ldap] expand: %{Stripped-User-Name} -> </div>
<div>[ldap] ... expanding second conditional</div><div>[ldap] expand: %{User-Name} -> zengyueming</div><div>[ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=zengyueming)</div><div>[ldap] expand: dc=***,dc=com -> dc=***,dc=com</div>
<div> [ldap] ldap_get_conn: Checking Id: 0</div><div> [ldap] ldap_get_conn: Got Id: 0</div><div> [ldap] performing search in dc=***,dc=com, with filter (cn=zengyueming)</div><div>[ldap] looking for check items in directory...</div>
<div> [ldap] userPassword -> Cleartext-Password == "{MD5}85Q3W/VY9rt11BfdBNzdfQ=="</div><div> [ldap] userPassword -> Password-With-Header == "{MD5}85Q3W/VY9rt11BfdBNzdfQ=="</div><div>[ldap] looking for reply items in directory...</div>
<div>[ldap] user zengyueming authorized to use remote access</div><div> [ldap] ldap_release_conn: Release Id: 0</div><div>++[ldap] returns ok</div><div>++[expiration] returns noop</div><div>++[logintime] returns noop</div>
<div>[pap] WARNING: Auth-Type already set. Not setting to PAP</div><div>++[pap] returns noop</div><div>Found Auth-Type = MSCHAP</div><div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group MS-CHAP {...}</div>
<div>[mschap] Told to do MS-CHAPv1 with NT-Password</div><div>[mschap] MS-CHAP-Response is incorrect.</div><div>++[mschap] returns reject</div><div>Failed to authenticate the user.</div><div>Using Post-Auth-Type Reject</div>
<div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group REJECT {...}</div><div>[attr_filter.access_reject] expand: %{User-Name} -> zengyueming</div><div>attr_filter: Matched entry DEFAULT at line 11</div>
<div>++[attr_filter.access_reject] returns updated</div><div>Delaying reject of request 3 for 1 seconds</div><div>Going to the next request</div><div>Waking up in 0.4 seconds.</div><div>Sending delayed reject for request 3</div>
<div>Sending Access-Reject of id 105 to 172.19.88.94 port 7292</div><div> MS-CHAP-Error = "\000E=691 R=1"</div><div>Waking up in 4.9 seconds.</div><div>Cleaning up request 3 ID 105 with timestamp +301</div>
<div>Ready to process requests.</div></div><div><br></div><div><br></div><div><br></div><div>my config file list:</div><div><div>[root@image_server raddb]# ll sites-enabled/</div><div>total 0</div><div>lrwxrwxrwx 1 root radiusd 26 Jul 10 13:37 default -> ../sites-available/default</div>
</div><div><br></div><div><div>[root@image_server raddb]# cat sites-enabled/default|grep -v '#'|grep -v ^$</div><div>authorize {</div><div> preprocess</div><div> chap</div><div> mschap</div><div>
digest</div><div> suffix</div><div> eap {</div><div> ok = return</div><div> }</div><div> files</div><div> ldap</div><div> expiration</div><div> logintime</div>
<div> pap</div><div>}</div><div>authenticate {</div><div> Auth-Type PAP {</div><div> pap</div><div> }</div><div> Auth-Type CHAP {</div><div> chap</div><div> }</div>
<div> Auth-Type MS-CHAP {</div><div> mschap</div><div> }</div><div> digest</div><div> unix</div><div> Auth-Type LDAP {</div><div> ldap</div><div> }</div>
<div> eap</div><div>}</div><div>preacct {</div><div> preprocess</div><div> acct_unique</div><div> suffix</div><div> files</div><div>}</div><div>accounting {</div><div> detail</div>
<div> unix</div><div> radutmp</div><div> exec</div><div> attr_filter.accounting_response</div><div>}</div><div>session {</div><div> radutmp</div><div>}</div><div>post-auth {</div><div> exec</div>
<div> Post-Auth-Type REJECT {</div><div> attr_filter.access_reject</div><div> }</div><div>}</div><div>pre-proxy {</div><div>}</div><div>post-proxy {</div><div> eap</div><div>}</div></div>
<div><br></div><div><br></div><div><br></div><div><div>[root@image_server raddb]# cat ldap.attrmap |grep -v ^#|grep -v ^$</div><div>checkItem $GENERIC$ radiusCheckItem</div><div>replyItem $GENERIC$ radiusReplyItem</div>
<div>checkItem Auth-Type radiusAuthType</div><div>checkItem Simultaneous-Use radiusSimultaneousUse</div><div>checkItem Called-Station-Id radiusCalledStationId</div>
<div>checkItem Calling-Station-Id radiusCallingStationId</div><div>checkItem LM-Password dBCSPwd</div><div>checkitem Password-With-Header userPassword</div><div>
checkItem SMB-Account-CTRL-TEXT acctFlags</div><div>checkItem Expiration radiusExpiration</div><div>checkItem NAS-IP-Address radiusNASIpAddress</div><div>replyItem Service-Type radiusServiceType</div>
<div>replyItem Framed-Protocol radiusFramedProtocol</div><div>replyItem Framed-IP-Address radiusFramedIPAddress</div><div>replyItem Framed-IP-Netmask radiusFramedIPNetmask</div>
<div>replyItem Framed-Route radiusFramedRoute</div><div>replyItem Framed-Routing radiusFramedRouting</div><div>replyItem Filter-Id radiusFilterId</div>
<div>replyItem Framed-MTU radiusFramedMTU</div><div>replyItem Framed-Compression radiusFramedCompression</div><div>replyItem Login-IP-Host radiusLoginIPHost</div>
<div>replyItem Login-Service radiusLoginService</div><div>replyItem Login-TCP-Port radiusLoginTCPPort</div><div>replyItem Callback-Number radiusCallbackNumber</div>
<div>replyItem Callback-Id radiusCallbackId</div><div>replyItem Framed-IPX-Network radiusFramedIPXNetwork</div><div>replyItem Class radiusClass</div>
<div>replyItem Session-Timeout radiusSessionTimeout</div><div>replyItem Idle-Timeout radiusIdleTimeout</div><div>replyItem Termination-Action radiusTerminationAction</div>
<div>replyItem Login-LAT-Service radiusLoginLATService</div><div>replyItem Login-LAT-Node radiusLoginLATNode</div><div>replyItem Login-LAT-Group radiusLoginLATGroup</div>
<div>replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink</div><div>replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork</div><div>replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone</div>
<div>replyItem Port-Limit radiusPortLimit</div><div>replyItem Login-LAT-Port radiusLoginLATPort</div><div>replyItem Reply-Message radiusReplyMessage</div>
<div>replyItem Tunnel-Type radiusTunnelType</div><div>replyItem Tunnel-Medium-Type radiusTunnelMediumType</div><div>replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId</div>
<div>checkItem Cleartext-Password userPassword</div><div>checkItem NT-Password ntPassword</div><div>checkItem NT-Password sambaNtPassword</div></div><div><br>
</div><div><br></div><div><div>[root@image_server raddb]# cat users |grep -v '#'|grep -v ^$</div><div>DEFAULT Framed-Protocol == PPP</div><div> Framed-Protocol = PPP,</div><div> Framed-Compression = Van-Jacobson-TCP-IP</div>
<div>DEFAULT Hint == "CSLIP"</div><div> Framed-Protocol = SLIP,</div><div> Framed-Compression = Van-Jacobson-TCP-IP</div><div>DEFAULT Hint == "SLIP"</div><div> Framed-Protocol = SLIP</div>
<div>DEFAULT Auth-Type = LDAP</div><div> Fall-Through = 1</div></div><div><br></div><div><br></div><div><br></div><div><div>[root@image_server raddb]# cat modules/ldap |grep -v '#'|grep -v ^$ </div><div>ldap {</div>
<div> server = "***.***.***.***"</div><div> identity = "cn=admin,dc=***,dc=com"</div><div> password = ***</div><div> basedn = "dc=***,dc=com"</div><div> filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"</div>
<div> base_filter = "(objectclass=person)"</div><div> groupname_attribute = cn</div><div> groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"</div>
<div> groupmembership_attribute = radius_users</div><div> ldap_connections_number = 5</div><div> timeout = 4</div><div> timelimit = 3</div><div> net_timeout = 1</div><div> tls {</div>
<div> start_tls = no</div><div> }</div><div> dictionary_mapping = ${confdir}/ldap.attrmap</div><div> edir_account_policy_check = no</div><div> keepalive {</div><div> idle = 60</div>
<div> probes = 3</div><div> interval = 3</div><div> }</div><div>}</div></div><div><br></div><div><br></div><div><div>[root@image_server raddb]# cat eap.conf |grep -v '#'|grep -v ^$ </div>
<div> eap {</div><div> default_eap_type = md5</div><div> timer_expire = 60</div><div> ignore_unknown_eap_types = no</div><div> cisco_accounting_username_bug = no</div>
<div> max_sessions = 4096</div><div> md5 {</div><div> }</div><div> leap {</div><div> }</div><div> gtc {</div><div> auth_type = PAP</div>
<div> }</div><div> tls {</div><div> certdir = ${confdir}/certs</div><div> cadir = ${confdir}/certs</div><div> private_key_password = manifold</div>
<div> private_key_file = ${certdir}/yuwanfu.key</div><div> certificate_file = ${certdir}/yuwanfu.crt</div><div> CA_file = ${cadir}/ca.pem</div><div> dh_file = ${certdir}/dh</div>
<div> random_file = ${certdir}/random</div><div> CA_path = ${cadir}</div><div> cipher_list = "DEFAULT"</div><div> ecdh_curve = "prime256v1"</div>
<div> cache {</div><div> enable = no</div><div> max_entries = 255</div><div> }</div><div> verify {</div>
<div> }</div><div> ocsp {</div><div> enable = no</div><div> override_cert_url = yes</div><div> url = "<a href="http://127.0.0.1/ocsp/">http://127.0.0.1/ocsp/</a>"</div>
<div> }</div><div> }</div><div> ttls {</div><div> default_eap_type = md5</div><div> copy_request_to_tunnel = no</div><div>
use_tunneled_reply = no</div><div> virtual_server = "inner-tunnel"</div><div> }</div><div> peap {</div><div> default_eap_type = mschapv2</div>
<div> copy_request_to_tunnel = no</div><div> use_tunneled_reply = no</div><div> virtual_server = "inner-tunnel"</div><div> }</div>
<div> mschapv2 {</div><div> }</div><div> }</div></div><div><br></div><div><br></div><div>thanks all.</div><div><br></div><div><br></div><div><br></div>