<div dir="ltr">Hi, do you have a user who can read the password in the LDAP?<div style>It might be in raddb/modules/ldap.</div><div style><br></div><div style><pre class="" style="color:rgb(0,0,0);background-color:rgb(224,224,224)">
ldap {
	server = ldap.yourorg.com
	# directory account that is allowed to read the users' password attribute
	login = "cn=admin,o=My Org,c=US"
	password = mypass
	basedn = "ou=users,dc=yourorg,dc=com"
	# match a posixAccount entry whose uid is the RADIUS User-Name
	filter = "(&(objectClass=posixAccount)(uid=%u))"
}</pre></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/6/19 Marco Streich <span dir="ltr"><<a href="mailto:marco.streich@kshp.ch" target="_blank">marco.streich@kshp.ch</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all<br>
<br>
We have deployed FreeRADIUS on OS X before, but our configuration was rather ugly. What we would do is authenticate users locally, having the machine attached to our OpenDirectory server directly using the Connect Network Account Server functionality provided by OS X.<br>
<br>
I have seen this question getting asked a lot but still wasn't able to fill my gap in understanding the whole process.<br>
<br>
We're now using FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu<br>
<br>
As a start, I'm now trying to get a simple user authentication working. What I have done so far is define ldap {} in the ldap module and add ldap to the authorize {} section.<br>
<br>
I also uncommented Auth-Type LDAP { ldap } in the authenticate {} section. <= Bad?!<br>
<br>
The same for the virtual inner-tunnel.<br>
<br>
<br>
When I run radtest from my laptop, the authentication is successful:<br>
<br>
$ radtest a4 whatever 192.168.1.231 18120 secret<br>
<br>
Sending Access-Request of id 18 to 192.168.1.231 port 1812<br>
User-Name = "a4"<br>
User-Password = "whatever"<br>
NAS-IP-Address = 192.168.17.1<br>
NAS-Port = 18120<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
rad_recv: Access-Accept packet from host 192.168.1.231 port 1812, id=18, length=20<br>
<br>
When I try to authorize a supplicant connected to our switch which is configured to be the authenticator, debug shows me the following:<br>
<br>
...<br>
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=73, length=217<br>
User-Name = "a4"<br>
Service-Type = Framed-User<br>
Cisco-AVPair = "service-type=Framed"<br>
Framed-MTU = 9000<br>
Called-Station-Id = "AC-A0-16-58-EB-07"<br>
Calling-Station-Id = "00-23-32-CF-1D-A2"<br>
EAP-Message = 0x020b0007016134<br>
Message-Authenticator = 0xa3eaf856385eef096a4a8da0a9b938c3<br>
Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"<br>
NAS-Port-Type = Ethernet<br>
NAS-Port = 50007<br>
NAS-Port-Id = "GigabitEthernet0/7"<br>
NAS-IP-Address = 192.168.99.99<br>
# Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "a4", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] EAP packet type response id 11 length 7<br>
[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] returns updated<br>
++[files] returns noop<br>
[ldap] performing user authorization for a4<br>
[ldap] expand: %{Stripped-User-Name} -><br>
[ldap] ... expanding second conditional<br>
[ldap] expand: %{User-Name} -> a4<br>
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=a4)<br>
[ldap] expand: dc=ldap,dc=hopro,dc=edu -> dc=ldap,dc=hopro,dc=edu<br>
[ldap] ldap_get_conn: Checking Id: 0<br>
[ldap] ldap_get_conn: Got Id: 0<br>
[ldap] attempting LDAP reconnection<br>
[ldap] (re)connect to <a href="http://ldap.hopro.edu:389" target="_blank">ldap.hopro.edu:389</a>, authentication 0<br>
[ldap] bind as / to <a href="http://ldap.hopro.edu:389" target="_blank">ldap.hopro.edu:389</a><br>
[ldap] waiting for bind result ...<br>
[ldap] Bind was successful<br>
[ldap] performing search in dc=ldap,dc=hopro,dc=edu, with filter (uid=a4)<br>
[ldap] No default NMAS login sequence<br>
[ldap] looking for check items in directory...<br>
[ldap] looking for reply items in directory...<br>
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?<br>
[ldap] user a4 authorized to use remote access<br>
[ldap] ldap_release_conn: Release Id: 0<br>
++[ldap] returns ok<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>
++[pap] returns noop<br>
Found Auth-Type = EAP<br>
# Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group authenticate {...}<br>
[eap] EAP Identity<br>
[eap] processing type md5<br>
rlm_eap_md5: Issuing Challenge<br>
++[eap] returns handled<br>
Sending Access-Challenge of id 73 to 192.168.99.99 port 1645<br>
EAP-Message = 0x010c00160410f7b955ffcad777bb64a0c2591f2a1852<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xab1bf9b7ab17fdd1d339d19378335aaa<br>
Finished request 0.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=74, length=234<br>
User-Name = "a4"<br>
Service-Type = Framed-User<br>
Cisco-AVPair = "service-type=Framed"<br>
Framed-MTU = 9000<br>
Called-Station-Id = "AC-A0-16-58-EB-07"<br>
Calling-Station-Id = "00-23-32-CF-1D-A2"<br>
EAP-Message = 0x020c00060315<br>
Message-Authenticator = 0x265e5392ae96ffd2f0c96666a02c9035<br>
Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"<br>
NAS-Port-Type = Ethernet<br>
NAS-Port = 50007<br>
NAS-Port-Id = "GigabitEthernet0/7"<br>
State = 0xab1bf9b7ab17fdd1d339d19378335aaa<br>
NAS-IP-Address = 192.168.99.99<br>
# Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "a4", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] EAP packet type response id 12 length 6<br>
[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] returns updated<br>
++[files] returns noop<br>
[ldap] performing user authorization for a4<br>
[ldap] expand: %{Stripped-User-Name} -><br>
[ldap] ... expanding second conditional<br>
[ldap] expand: %{User-Name} -> a4<br>
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=a4)<br>
[ldap] expand: dc=ldap,dc=hopro,dc=edu -> dc=ldap,dc=hopro,dc=edu<br>
[ldap] ldap_get_conn: Checking Id: 0<br>
[ldap] ldap_get_conn: Got Id: 0<br>
[ldap] performing search in dc=ldap,dc=hopro,dc=edu, with filter (uid=a4)<br>
[ldap] No default NMAS login sequence<br>
[ldap] looking for check items in directory...<br>
[ldap] looking for reply items in directory...<br>
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?<br>
[ldap] user a4 authorized to use remote access<br>
[ldap] ldap_release_conn: Release Id: 0<br>
++[ldap] returns ok<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>
++[pap] returns noop<br>
Found Auth-Type = EAP<br>
# Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>
[eap] EAP NAK<br>
[eap] EAP-NAK asked for EAP-Type/ttls<br>
[eap] processing type tls<br>
[tls] Initiate<br>
[tls] Start returned 1<br>
++[eap] returns handled<br>
Sending Access-Challenge of id 74 to 192.168.99.99 port 1645<br>
EAP-Message = 0x010d00061520<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xab1bf9b7aa16ecd1d339d19378335aaa<br>
Finished request 1.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=75, length=356<br>
User-Name = "a4"<br>
Service-Type = Framed-User<br>
Cisco-AVPair = "service-type=Framed"<br>
Framed-MTU = 9000<br>
Called-Station-Id = "AC-A0-16-58-EB-07"<br>
Calling-Station-Id = "00-23-32-CF-1D-A2"<br>
EAP-Message = 0x020d008015800000007616030100710100006d030151c19a457c2d148d872abd670c09fe7719d9b316318eb0134b0db1b5ce12e57700003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100<br>
Message-Authenticator = 0x474af0e5e41006c5947328ada905bf63<br>
Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"<br>
NAS-Port-Type = Ethernet<br>
NAS-Port = 50007<br>
NAS-Port-Id = "GigabitEthernet0/7"<br>
State = 0xab1bf9b7aa16ecd1d339d19378335aaa<br>
NAS-IP-Address = 192.168.99.99<br>
# Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "a4", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] EAP packet type response id 13 length 128<br>
[eap] Continuing tunnel setup.<br>
++[eap] returns ok<br>
Found Auth-Type = EAP<br>
# Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>
[eap] EAP/ttls<br>
[eap] processing type ttls<br>
[ttls] Authenticate<br>
[ttls] processing EAP-TLS<br>
TLS Length 118<br>
[ttls] Length Included<br>
[ttls] eaptls_verify returned 11<br>
[ttls] (other): before/accept initialization<br>
[ttls] TLS_accept: before/accept initialization<br>
[ttls] <<< TLS 1.0 Handshake [length 0071], ClientHello<br>
[ttls] TLS_accept: SSLv3 read client hello A<br>
[ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello<br>
[ttls] TLS_accept: SSLv3 write server hello A<br>
[ttls] >>> TLS 1.0 Handshake [length 084f], Certificate<br>
[ttls] TLS_accept: SSLv3 write certificate A<br>
[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange<br>
[ttls] TLS_accept: SSLv3 write key exchange A<br>
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone<br>
[ttls] TLS_accept: SSLv3 write server done A<br>
[ttls] TLS_accept: SSLv3 flush data<br>
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A<br>
In SSL Handshake Phase<br>
In SSL Accept mode<br>
[ttls] eaptls_process returned 13<br>
++[eap] returns handled<br>
Sending Access-Challenge of id 75 to 192.168.99.99 port 1645<br>
EAP-Message = 0x7e66cbccd3f279171bb3e77936b8e6a92cbb0e17eb0abbcdac9945db8c11af0074d9480d263664e17d021663e0694dbfe839def4202ddede6958974bc82e8023c68adc741ab7c9e64027171b32d0d04c3e93cf1bd49947e3e462ed368fb71e8ce9fcff7414fe921494836b128635e0004e8ce29dc26a919f58d7c91f7181dcb1a71e404960f04ba20c51d42ff3872c3335cbb612ac48c6234a326c9d83f6416e32a070f6307496ca83066f071d92b29732c4045105a726e359388542437214e6480df09c8e4ce4149f53da2b449d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000382<br>
EAP-Message = 0x324bf7e31c3b00049f308204<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xab1bf9b7a915ecd1d339d19378335aaa<br>
Finished request 2.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=76, length=234<br>
User-Name = "a4"<br>
Service-Type = Framed-User<br>
Cisco-AVPair = "service-type=Framed"<br>
Framed-MTU = 9000<br>
Called-Station-Id = "AC-A0-16-58-EB-07"<br>
Calling-Station-Id = "00-23-32-CF-1D-A2"<br>
EAP-Message = 0x020e00061500<br>
Message-Authenticator = 0x37d15b32cc7d6ece0c91b13551cd0b93<br>
Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"<br>
NAS-Port-Type = Ethernet<br>
NAS-Port = 50007<br>
NAS-Port-Id = "GigabitEthernet0/7"<br>
State = 0xab1bf9b7a915ecd1d339d19378335aaa<br>
NAS-IP-Address = 192.168.99.99<br>
# Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "a4", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] EAP packet type response id 14 length 6<br>
[eap] Continuing tunnel setup.<br>
++[eap] returns ok<br>
Found Auth-Type = EAP<br>
# Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>
[eap] EAP/ttls<br>
[eap] processing type ttls<br>
[ttls] Authenticate<br>
[ttls] processing EAP-TLS<br>
[ttls] Received TLS ACK<br>
[ttls] ACK handshake fragment handler<br>
[ttls] eaptls_verify returned 1<br>
[ttls] eaptls_process returned 13<br>
++[eap] returns handled<br>
Sending Access-Challenge of id 76 to 192.168.99.99 port 1645<br>
EAP-Message = 0xc982a3f0ae66f5d41f3c2ff9<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xab1bf9b7a814ecd1d339d19378335aaa<br>
Finished request 3.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=77, length=234<br>
User-Name = "a4"<br>
Service-Type = Framed-User<br>
Cisco-AVPair = "service-type=Framed"<br>
Framed-MTU = 9000<br>
Called-Station-Id = "AC-A0-16-58-EB-07"<br>
Calling-Station-Id = "00-23-32-CF-1D-A2"<br>
EAP-Message = 0x020f00061500<br>
Message-Authenticator = 0x49c786eea0efa3a358db3c5c61d82830<br>
Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"<br>
NAS-Port-Type = Ethernet<br>
NAS-Port = 50007<br>
NAS-Port-Id = "GigabitEthernet0/7"<br>
State = 0xab1bf9b7a814ecd1d339d19378335aaa<br>
NAS-IP-Address = 192.168.99.99<br>
# Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "a4", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] EAP packet type response id 15 length 6<br>
[eap] Continuing tunnel setup.<br>
++[eap] returns ok<br>
Found Auth-Type = EAP<br>
# Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>
[eap] EAP/ttls<br>
[eap] processing type ttls<br>
[ttls] Authenticate<br>
[ttls] processing EAP-TLS<br>
[ttls] Received TLS ACK<br>
[ttls] ACK handshake fragment handler<br>
[ttls] eaptls_verify returned 1<br>
[ttls] eaptls_process returned 13<br>
++[eap] returns handled<br>
Sending Access-Challenge of id 77 to 192.168.99.99 port 1645<br>
EAP-Message = 0x011002091580000009eb6cf7c88612440aaa64dd8ca6d9533e4bd26a893bbee70e343d13c54accb14ee61b9e7ec6ee78090b76e0e353da5da86cfeb3f2c9381011e5f25cfb755e4dbcc8a78f37d906019e5a2c2225a03a5f2318e3bf8c56eb0b43ad64ac8ddebb84ca1352b5a80b4a8c8757c5a37352508833404ebd868c5dd0cc92b3df240cf05b1e721b7a90d8e0a060e4834fff2dc79a04353dab2492381d4488ab7e92257f4ed7fb3eb4053e22a3160301014b0c0001470300174104e284bd8b7ec8e3510d4a6bb593e671a0945af1e997ce5cc010d13fd0e76a68e71c034e1412d7fc4b26233ca3df8dba3463719b1fa33f4ab4934a7208005205<br>
EAP-Message = 0x05b6bbbc248c16030100040e000000<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xab1bf9b7af0becd1d339d19378335aaa<br>
Finished request 4.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=78, length=372<br>
User-Name = "a4"<br>
Service-Type = Framed-User<br>
Cisco-AVPair = "service-type=Framed"<br>
Framed-MTU = 9000<br>
Called-Station-Id = "AC-A0-16-58-EB-07"<br>
Calling-Station-Id = "00-23-32-CF-1D-A2"<br>
EAP-Message = 0x021000901580000000861603010046100000424104ee7b81c5eb47db38fd9999628065d8bc69504fd008ffcce581bf49a5dc349fac012b27f4d21db7352c31e8be8bc097f9fd3414f7160990963cd9ad8e53166e951403010001011603010030ed341f879e3591dedc6633d8a0376280178fe300950d293b30747d15b35f4867c69765e98c2f0a15bcb95a992cbc77a4<br>
Message-Authenticator = 0xe7c4329c24d68ad3919250d82c96961a<br>
Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"<br>
NAS-Port-Type = Ethernet<br>
NAS-Port = 50007<br>
NAS-Port-Id = "GigabitEthernet0/7"<br>
State = 0xab1bf9b7af0becd1d339d19378335aaa<br>
NAS-IP-Address = 192.168.99.99<br>
# Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "a4", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] EAP packet type response id 16 length 144<br>
[eap] Continuing tunnel setup.<br>
++[eap] returns ok<br>
Found Auth-Type = EAP<br>
# Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>
[eap] EAP/ttls<br>
[eap] processing type ttls<br>
[ttls] Authenticate<br>
[ttls] processing EAP-TLS<br>
TLS Length 134<br>
[ttls] Length Included<br>
[ttls] eaptls_verify returned 11<br>
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange<br>
[ttls] TLS_accept: SSLv3 read client key exchange A<br>
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]<br>
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished<br>
[ttls] TLS_accept: SSLv3 read finished A<br>
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]<br>
[ttls] TLS_accept: SSLv3 write change cipher spec A<br>
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished<br>
[ttls] TLS_accept: SSLv3 write finished A<br>
[ttls] TLS_accept: SSLv3 flush data<br>
[ttls] (other): SSL negotiation finished successfully<br>
SSL Connection Established<br>
[ttls] eaptls_process returned 13<br>
++[eap] returns handled<br>
Sending Access-Challenge of id 78 to 192.168.99.99 port 1645<br>
EAP-Message = 0x0111004515800000003b1403010001011603010030b0518066786178044d44483eb37026fdd8406df7f6eaae28282bc696f782e64198a16f06ecde63a263375845bf3304f7<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xab1bf9b7ae0aecd1d339d19378335aaa<br>
Finished request 5.<br>
Going to the next request<br>
Waking up in 4.8 seconds.<br>
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=79, length=275<br>
User-Name = "a4"<br>
Service-Type = Framed-User<br>
Cisco-AVPair = "service-type=Framed"<br>
Framed-MTU = 9000<br>
Called-Station-Id = "AC-A0-16-58-EB-07"<br>
Calling-Station-Id = "00-23-32-CF-1D-A2"<br>
EAP-Message = 0x0211002f1580000000251503010020f0c878ea3889abbd6850566e4a4b6b5e5777dc3f5e0f11789e9a9430219cc5b3<br>
Message-Authenticator = 0x69b565f9da2f3112f04fc8a2197444a4<br>
Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"<br>
NAS-Port-Type = Ethernet<br>
NAS-Port = 50007<br>
NAS-Port-Id = "GigabitEthernet0/7"<br>
State = 0xab1bf9b7ae0aecd1d339d19378335aaa<br>
NAS-IP-Address = 192.168.99.99<br>
# Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "a4", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] EAP packet type response id 17 length 47<br>
[eap] Continuing tunnel setup.<br>
++[eap] returns ok<br>
Found Auth-Type = EAP<br>
# Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>
[eap] EAP/ttls<br>
[eap] processing type ttls<br>
[ttls] Authenticate<br>
[ttls] processing EAP-TLS<br>
TLS Length 37<br>
[ttls] Length Included<br>
[ttls] eaptls_verify returned 11<br>
[ttls] <<< TLS 1.0 Alert [length 0002], warning close_notify<br>
TLS Alert read:warning:close notify<br>
[ttls] WARNING: No data inside of the tunnel.<br>
[ttls] eaptls_process returned 7<br>
[ttls] Session established. Proceeding to decode tunneled attributes.<br>
[ttls] SSL_read Error<br>
[eap] Handler failed in EAP/ttls<br>
[eap] Failed in EAP select<br>
++[eap] returns invalid<br>
Failed to authenticate the user.<br>
Using Post-Auth-Type Reject<br>
# Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group REJECT {...}<br>
[attr_filter.access_reject] expand: %{User-Name} -> a4<br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 6 for 1 seconds<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
Sending delayed reject for request 6<br>
Sending Access-Reject of id 79 to 192.168.99.99 port 1645<br>
EAP-Message = 0x04110004<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
Waking up in 3.7 seconds.<br>
...<br>
<br>
>[ttls] WARNING: No data inside of the tunnel.<br>
<br>
At this moment, I cannot wrap my mind around what is going on here.<br>
<br>
I understand that ldap tries to authenticate the user by itself, instead of handing it to the LDAP server. But what is different when I run radtest?<br>
<br>
Debug from radtest:<br>
...<br>
# Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group LDAP {...}<br>
[ldap] login attempt by "a4" with password "whatever"<br>
[ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu<br>
[ldap] (re)connect to <a href="http://ldap.hopro.edu:389" target="_blank">ldap.hopro.edu:389</a>, authentication 1<br>
[ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to <a href="http://ldap.hopro.edu:389" target="_blank">ldap.hopro.edu:389</a><br>
[ldap] waiting for bind result ...<br>
[ldap] Bind was successful<br>
[ldap] user a4 authenticated successfully<br>
++[ldap] returns ok<br>
...<br>
<br>
<br>
Would one of you guys guide me in the right direction?<br>
<br>
Thank you in advance<br>
<br>
Marco<br>
<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><span style="font-family:arial;font-size:small">-- </span><br style="font-family:arial;font-size:small"><span style="font-family:arial;font-size:small">Regards.</span><br style="font-family:arial;font-size:small">
<span style="font-family:arial;font-size:small">____________________</span><br style="font-family:arial;font-size:small"><br style="font-family:arial;font-size:small"><span style="font-family:arial;font-size:small">Roberto Ortega</span><br style="font-family:arial;font-size:small">
<span style="font-family:arial;font-size:small">Computer Science Teacher.</span><br style="font-family:arial;font-size:small"><a href="http://www.proyectoret.es/" style="color:rgb(17,85,204);font-family:arial;font-size:small" target="_blank">http://www.proyectoret.es</a><br style="font-family:arial;font-size:small">
<br style="font-family:arial;font-size:small"><span style="font-family:arial;font-size:small">Escuelas San José Valencia</span><br style="font-family:arial;font-size:small"><span style="font-family:arial;font-size:small">Avd.Cortes Valencianas nº1</span><br style="font-family:arial;font-size:small">
<span style="font-family:arial;font-size:small">46015 Valencia</span><br style="font-family:arial;font-size:small"><span style="font-family:arial;font-size:small">R4600489A</span><br style="font-family:arial;font-size:small">
<span style="font-family:arial;font-size:small">Tel: 963499011 ext. 262</span><br style="font-family:arial;font-size:small"><span style="font-family:arial;font-size:small">Fax: 963488835</span><br style="font-family:arial;font-size:small">
<a href="http://www.escuelassj.com/" style="color:rgb(17,85,204);font-family:arial;font-size:small" target="_blank">http://www.escuelassj.com</a><br style="font-family:arial;font-size:small"><br style="font-family:arial;font-size:small">
<span style="font-family:arial;font-size:small">Do not print this e-mail unless necessary. Let's protect the environment.</span><br></div>
</div>
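The filter in the reply above and the <code>(uid=%{%{Stripped-User-Name}:-%{User-Name}})</code> expansion in Marco's debug output are what rlm_ldap builds its directory search from. The following is an added example, not code from either poster or from FreeRADIUS: it expands those FreeRADIUS-style references with RFC 4515 escaping and then checks that the result is one well-formed filter, so a filter such as <code>(posixAccount)(uid=%u))</code> (unbalanced parentheses, no attribute comparison) is rejected before it ever reaches the directory. It uses only the Python standard library; the <code>attrs</code> dictionary is a stand-in for the request's attribute list.

```python
import re

# RFC 4515 escapes for a value placed inside a search filter; rlm_ldap escapes its
# %{...} expansions the same way, so a crafted User-Name cannot reshape the filter.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
# one attribute comparison between parentheses, e.g. uid=a4 or objectClass=posixAccount
_ITEM = re.compile(r'^[A-Za-z][\w.;-]*(=|~=|>=|<=)(.*)$', re.S)

def escape_filter_value(value):
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)

def _match_close(text, start):
    # offset of the '}' closing the '%{' at text[start], allowing nested references
    depth, j = 0, start
    while j < len(text):
        if text.startswith('%{', j):
            depth, j = depth + 1, j + 2
            continue
        if text[j] == '}':
            depth -= 1
            if depth == 0:
                return j
        j += 1
    raise ValueError('unterminated %{ in filter template')

def _resolve(inner, attrs):
    # inner is the text between '%{' and '}': either 'Attr' or '%{A}:-%{B}' (A, else B)
    if inner.startswith('%{'):
        close = _match_close(inner, 0)
        if inner[close + 1:close + 3] == ':-':
            primary = expand_filter(inner[:close + 1], attrs)
            return primary if primary else expand_filter(inner[close + 3:], attrs)
    # plain reference: an absent attribute (Stripped-User-Name in the log) expands to ''
    return escape_filter_value(attrs.get(inner, ''))

def expand_filter(template, attrs):
    """Expand %{Attr} and %{%{A}:-%{B}} references the way rlm_ldap's filter xlat does."""
    out, i = [], 0
    while i < len(template):
        if template.startswith('%{', i):
            close = _match_close(template, i)
            out.append(_resolve(template[i + 2:close], attrs))
            i = close + 1
        else:
            out.append(template[i])
            i += 1
    return ''.join(out)

def _parse(text, i):
    # recursive-descent parse of one parenthesised node at offset i; returns (node, end)
    if i >= len(text) or text[i] != '(':
        raise ValueError("expected '(' at offset %d" % i)
    if i + 1 < len(text) and text[i + 1] in '&|!':
        op, j, children = text[i + 1], i + 2, []
        while j < len(text) and text[j] == '(':
            child, j = _parse(text, j)
            children.append(child)
        if j >= len(text) or text[j] != ')':
            raise ValueError("unbalanced '(' at offset %d" % i)
        if not children or (op == '!' and len(children) != 1):
            raise ValueError('wrong operand count for %s at offset %d' % (op, i))
        return (op, children), j + 1
    j = text.find(')', i + 1)
    if j < 0 or not _ITEM.match(text[i + 1:j]):
        raise ValueError('not a well-formed comparison at offset %d' % i)
    return ('item', text[i + 1:j]), j + 1

def check_filter(text):
    """True when text is exactly one complete, well-formed RFC 4515 filter."""
    try:
        _, end = _parse(text, 0)
        return end == len(text)
    except ValueError:
        return False
```

Running <code>check_filter</code> over the expanded filter before enabling a new ldap {} block catches the parenthesis mistake that the server would otherwise only report as an LDAP search error at request time.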