Hi All,

 

I want to use FreeRadius to administer network equipement. I use also OpenLDAP to stock information about users. FreeRADIUS and OpenLDAP are installed on the same server FreeBSD 7.0.

I contact a Network equipement (like catalyst cisco 2950 v12.1) with putty (ssh/telnet).

 

To resume :

 

Windows XP -> ssh or telnet -> Cisco 2950 (client radius/authenticator/NAS) -> EAPoRadius (I suppose) -> FreeRADIUS & OpenLDAP

 

For the moment, I don’t install/configure supplicant on the Windows XP, I don’t know if it’s require because I don’t want to use FreeRADIUS to auhtenticate my Windows session. I have an active directory to do this.

 

I configure slapd.conf, radius.conf, clients.conf, module ldap etc … and it’s works. And now I would like to add some check-item like NAS-IP-Address and Caliing-Station-ID. But I don’t succeed :s, I use checkval to do this.

 

I have 2 questions :

 

-          Why my calling-station-id in the request is a IP and not a MAC ?

-          When I authenticate on the cisco 2950, I have in my log « rlm_checkval: Item Name: NAS-IP-Address, Value: À¨ » instead of 192.168.0.50, what is the problem ???

 

I think I have numerous problem, If you see one of them, could you inform me ? I am a novice with freeradius (and openldap also :s ). I could give you all information you need to help me to fix my problem.

 

Thanks for your help,

 

Regards

 

Francçois MEHAULT

 

 

On my cisco 2950 :

 

aaa new-model

aaa authentication login default local group radius

aaa authorization exec default group radius local

aaa authorization network default group radius

 

My ldap.attrmap :

 

checkItem       Calling-Station-Id              radiusCallingStationId

checkItem       NAS-IP-Address                  radiusNASIpAddress

 

Extract of my openldap :

 

 

dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/admins/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
radiusGroupName: stagiaire
radiusCallingStationId: 192.168.0.80   -> I put a IP address and not a Mac address because in the request it’s a IP and not a mac, I don’t know why…
radiusNASIpAddress: 192.168.0.60   -> in fact, the NAS IP is 192.168.0.50, but I put .60 to have Access-Reject
userPassword: {SSHA}tOoPUvtVW5O3+StoxScmQLiGFTO5l/+z
 

 

 

 

<12:34>[labobe2:~]# radiusd -X

FreeRADIUS Version 2.1.4, for host i386-portbld-freebsd7.0, built on Apr 16 2009 at 12:03:36

Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE.

You may redistribute copies of FreeRADIUS under the terms of the

GNU General Public License v2.

Starting - reading configuration files ...

including configuration file /usr/local/etc/raddb/radiusd.conf

[…]

including configuration file /usr/local/etc/raddb/sites-enabled/control-socket

group = freeradius

user = freeradius

including dictionary file /usr/local/etc/raddb/dictionary

main {

        prefix = "/usr/local"

        localstatedir = "/var"

        logdir = "/var/log"

        libdir = "/usr/local/lib/freeradius-2.1.4"

        radacctdir = "/var/log/radacct"

        hostname_lookups = no

        max_request_time = 30

        cleanup_delay = 5

        max_requests = 1024

        allow_core_dumps = no

        pidfile = "/var/run/radiusd/radiusd.pid"

        checkrad = "/usr/local/sbin/checkrad"

        debug_level = 0

        proxy_requests = yes

 log {

        stripped_names = no

        auth = no

        auth_badpass = no

        auth_goodpass = no

 }

 security {

        max_attributes = 200

        reject_delay = 1

        status_server = yes

 }

}

radiusd: #### Loading Realms and Home Servers ####

 proxy server {

        retry_delay = 5

        retry_count = 3

        default_fallback = no

        dead_time = 120

        wake_all_if_all_dead = no

 }

 home_server localhost {

        ipaddr = 127.0.0.1

        port = 1812

        type = "auth"

        secret = "testing123"

        response_window = 20

        max_outstanding = 65536

        require_message_authenticator = no

        zombie_period = 40

        status_check = "status-server"

        ping_interval = 30

        check_interval = 30

        num_answers_to_alive = 3

        num_pings_to_alive = 3

        revive_interval = 120

        status_check_timeout = 4

        irt = 2

        mrt = 16

        mrc = 5

        mrd = 30

 }

 home_server_pool my_auth_failover {

        type = fail-over

        home_server = localhost

 }

 realm example.com {

        auth_pool = my_auth_failover

 }

 realm LOCAL {

 }

radiusd: #### Loading Clients ####

 client localhost {

        ipaddr = 127.0.0.1

        require_message_authenticator = no

        secret = "testing123"

        nastype = "other"

 }

 client 192.168.0.50 {

        require_message_authenticator = no

        secret = "cherche"

        shortname = "swlabo"

        nastype = "cisco"

 }

radiusd: #### Instantiating modules ####

 instantiate {

 Module: Linked to module rlm_exec

 Module: Instantiating exec

  exec {

        wait = no

        input_pairs = "request"

        shell_escape = yes

  }

 Module: Linked to module rlm_expr

 Module: Instantiating expr

 Module: Linked to module rlm_expiration

 Module: Instantiating expiration

  expiration {

        reply-message = "Password Has Expired  "

  }

 Module: Linked to module rlm_logintime

 Module: Instantiating logintime

  logintime {

        reply-message = "You are calling outside your allowed timespan  "

        minimum-timeout = 60

  }

 }

radiusd: #### Loading Virtual Servers ####

server inner-tunnel {

 modules {

 Module: Checking authenticate {...} for more modules to load

 Module: Linked to module rlm_pap

 Module: Instantiating pap

  pap {

        encryption_scheme = "auto"

        auto_header = no

  }

 Module: Linked to module rlm_chap

 Module: Instantiating chap

 Module: Linked to module rlm_mschap

 Module: Instantiating mschap

  mschap {

        use_mppe = yes

        require_encryption = no

        require_strong = no

        with_ntdomain_hack = no

  }

 Module: Linked to module rlm_unix

 Module: Instantiating unix

  unix {

        radwtmp = "/var/log/radwtmp"

  }

 Module: Linked to module rlm_eap

 Module: Instantiating eap

  eap {

        default_eap_type = "md5"

        timer_expire = 60

        ignore_unknown_eap_types = no

        cisco_accounting_username_bug = no

        max_sessions = 2048

  }

 Module: Linked to sub-module rlm_eap_md5

 Module: Instantiating eap-md5

 Module: Linked to sub-module rlm_eap_leap

 Module: Instantiating eap-leap

 Module: Linked to sub-module rlm_eap_gtc

 Module: Instantiating eap-gtc

   gtc {

        challenge = "Password: "

        auth_type = "PAP"

   }

 Module: Linked to sub-module rlm_eap_tls

 Module: Instantiating eap-tls

   tls {

        rsa_key_exchange = no

        dh_key_exchange = yes

        rsa_key_length = 512

        dh_key_length = 512

        verify_depth = 0

        pem_file_type = yes

        private_key_file = "/usr/local/etc/raddb/certs/server.pem"

        certificate_file = "/usr/local/etc/raddb/certs/server.pem"

        CA_file = "/usr/local/etc/raddb/certs/ca.pem"

        private_key_password = "whatever"

        dh_file = "/usr/local/etc/raddb/certs/dh"

        random_file = "/usr/local/etc/raddb/certs/random"

        fragment_size = 1024

        include_length = yes

        check_crl = no

        cipher_list = "DEFAULT"

        make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"

    cache {

        enable = no

        lifetime = 24

        max_entries = 255

    }

   }

 Module: Linked to sub-module rlm_eap_ttls

 Module: Instantiating eap-ttls

   ttls {

        default_eap_type = "md5"

        copy_request_to_tunnel = no

        use_tunneled_reply = no

        virtual_server = "inner-tunnel"

   }

 Module: Linked to sub-module rlm_eap_peap

 Module: Instantiating eap-peap

   peap {

        default_eap_type = "mschapv2"

        copy_request_to_tunnel = no

        use_tunneled_reply = no

        proxy_tunneled_request_as_eap = yes

        virtual_server = "inner-tunnel"

   }

 Module: Linked to sub-module rlm_eap_mschapv2

 Module: Instantiating eap-mschapv2

   mschapv2 {

        with_ntdomain_hack = no

   }

 Module: Checking authorize {...} for more modules to load

 Module: Linked to module rlm_realm

 Module: Instantiating suffix

  realm suffix {

        format = "suffix"

        delimiter = "@"

        ignore_default = no

        ignore_null = no

  }

 Module: Linked to module rlm_files

 Module: Instantiating files

  files {

        usersfile = "/usr/local/etc/raddb/users"

        acctusersfile = "/usr/local/etc/raddb/acct_users"

        preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"

        compat = "no"

  }

 Module: Checking session {...} for more modules to load

 Module: Linked to module rlm_radutmp

 Module: Instantiating radutmp

  radutmp {

        filename = "/var/log/radutmp"

        username = "%{User-Name}"

        case_sensitive = yes

        check_with_nas = yes

        perm = 384

        callerid = yes

  }

 Module: Checking post-proxy {...} for more modules to load

 Module: Checking post-auth {...} for more modules to load

 Module: Linked to module rlm_attr_filter

 Module: Instantiating attr_filter.access_reject

  attr_filter attr_filter.access_reject {

        attrsfile = "/usr/local/etc/raddb/attrs.access_reject"

        key = "%{User-Name}"

  }

 }

}

 modules {

 Module: Checking authenticate {...} for more modules to load

 Module: Linked to module rlm_ldap

 Module: Instantiating ldap

  ldap {

        server = "127.0.0.1"

        port = 389

        password = "secret"

        identity = "cn=root,dc=netplus,dc=fr"

        net_timeout = 1

        timeout = 4

        timelimit = 3

        tls_mode = no

        start_tls = no

        tls_require_cert = "allow"

   tls {

        start_tls = no

        require_cert = "allow"

   }

        basedn = "dc=netplus,dc=fr"

        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        base_filter = "(objectclass=radiusprofile)"

        auto_header = no

        access_attr_used_for_allow = yes

        groupname_attribute = "cn"

        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"

        groupmembership_attribute = "radiusGroupName"

        dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"

        ldap_debug = 0

        ldap_connections_number = 5

        compare_check_items = no

        do_xlat = yes

        set_auth_type = yes

  }

rlm_ldap: Registering ldap_groupcmp for Ldap-Group

rlm_ldap: Registering ldap_xlat with xlat_name ldap

rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap

rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$

rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$

rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type

rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use

rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id

rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id

rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password

rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password

rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password

rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password

rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password

rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT

rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration

rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address

rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type

rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol

rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address

rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask

rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route

rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing

rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id

rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU

rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression

rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host

rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service

rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port

rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number

rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id

rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network

rlm_ldap: LDAP radiusClass mapped to RADIUS Class

rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout

rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout

rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action

rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service

rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node

rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group

rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link

rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network

rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone

rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit

rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port

rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message

rlm_ldap: LDAP radiusVSA mapped to RADIUS Cisco-AVPair

conns: 0x2852c240

 Module: Checking authorize {...} for more modules to load

 Module: Linked to module rlm_preprocess

 Module: Instantiating preprocess

  preprocess {

        huntgroups = "/usr/local/etc/raddb/huntgroups"

        hints = "/usr/local/etc/raddb/hints"

        with_ascend_hack = no

        ascend_channels_per_line = 23

        with_ntdomain_hack = no

        with_specialix_jetstream_hack = no

        with_cisco_vsa_hack = no

        with_alvarion_vsa_hack = no

  }

 Module: Linked to module rlm_checkval

 Module: Instantiating station-check

  checkval station-check {

        item-name = "Calling-Station-Id"

        check-name = "Calling-Station-Id"

        data-type = "string"

        notfound-reject = no

  }

rlm_checkval: Registered name Calling-Station-Id for attribute 31

 Module: Instantiating nas-check

  checkval nas-check {

        item-name = "NAS-IP-Address"

        check-name = "NAS-IP-Address"

        data-type = "ipaddr"

        notfound-reject = no

  }

rlm_checkval: Registered name NAS-IP-Address for attribute 4

 Module: Checking preacct {...} for more modules to load

 Module: Linked to module rlm_acct_unique

 Module: Instantiating acct_unique

  acct_unique {

        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"

  }

 Module: Checking accounting {...} for more modules to load

 Module: Linked to module rlm_detail

 Module: Instantiating detail

  detail {

        detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"

        header = "%t"

        detailperm = 384

        dirperm = 493

        locking = no

        log_packet_header = no

  }

 Module: Instantiating attr_filter.accounting_response

  attr_filter attr_filter.accounting_response {

        attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"

        key = "%{User-Name}"

  }

 Module: Checking session {...} for more modules to load

 Module: Checking post-proxy {...} for more modules to load

 Module: Checking post-auth {...} for more modules to load

 }

radiusd: #### Opening IP addresses and Ports ####

listen {

        type = "auth"

        ipaddr = *

        port = 0

}

listen {

        type = "acct"

        ipaddr = *

        port = 0

}

listen {

        type = "control"

 listen {

        socket = "/var/run/radiusd/radiusd.sock"

 }

}

Listening on authentication address * port 1812

Listening on accounting address * port 1813

Listening on command file /var/run/radiusd/radiusd.sock

Listening on proxy address * port 1814

Ready to process requests.

 

 

 

 

 

Then I launch my putty and log on the cisco :

 

 

 

 

 

rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=117, length=80

        NAS-IP-Address = 192.168.0.50

        NAS-Port = 1

        NAS-Port-Type = Virtual

        User-Name = "fmehault"

        Calling-Station-Id = "192.168.0.80"      à  it’s not a MAC address, why ???

        User-Password = "toto"

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "fmehault", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] No EAP-Message, not doing EAP

++[eap] returns noop

++[unix] returns notfound

rlm_ldap: Entering ldap_groupcmp()

[files]         expand: dc=netplus,dc=fr -> dc=netplus,dc=fr

[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details

[files]         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=fmehault)

rlm_ldap: ldap_get_conn: Checking Id: 0

rlm_ldap: ldap_get_conn: Got Id: 0

rlm_ldap: attempting LDAP reconnection

rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0

rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 127.0.0.1:389

rlm_ldap: waiting for bind result ...

rlm_ldap: Bind was successful

rlm_ldap: performing search in dc=netplus,dc=fr, with filter (uid=fmehault)

rlm_ldap: ldap_release_conn: Release Id: 0

[files]         expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))

rlm_ldap: ldap_get_conn: Checking Id: 0

rlm_ldap: ldap_get_conn: Got Id: 0

rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(cn=administrateur)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))))

rlm_ldap: object not found

rlm_ldap: ldap_release_conn: Release Id: 0

rlm_ldap: ldap_get_conn: Checking Id: 0

rlm_ldap: ldap_get_conn: Got Id: 0

rlm_ldap: performing search in cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr, with filter (objectclass=*)

rlm_ldap::groupcmp: Group administrateur not found or user not a member

rlm_ldap: ldap_release_conn: Release Id: 0

rlm_ldap: Entering ldap_groupcmp()

[files]         expand: dc=netplus,dc=fr -> dc=netplus,dc=fr

[files]         expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr)))

rlm_ldap: ldap_get_conn: Checking Id: 0

rlm_ldap: ldap_get_conn: Got Id: 0

rlm_ldap: performing search in dc=netplus,dc=fr, with filter (&(cn=stagiaire)(|(&(objectClass=GroupOfNames)(member=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dFrancois MEHAULT\2cou\3dUtilisateurs\2cdc\3dnetplus\2cdc\3dfr))))

rlm_ldap: object not found

rlm_ldap: ldap_release_conn: Release Id: 0

rlm_ldap: ldap_get_conn: Checking Id: 0

rlm_ldap: ldap_get_conn: Got Id: 0

rlm_ldap: performing search in cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr, with filter (objectclass=*)

rlm_ldap::ldap_groupcmp: User found in group stagiaire

rlm_ldap: ldap_release_conn: Release Id: 0

[files] users: Matched entry DEFAULT at line 224

[files]         expand: Utilisateur: %{User-name}, group: Stagiaire -> Utilisateur: fmehault, group: Stagiaire

++[files] returns ok

[ldap] performing user authorization for fmehault

[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details

[ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=fmehault)

[ldap]  expand: dc=netplus,dc=fr -> dc=netplus,dc=fr

rlm_ldap: ldap_get_conn: Checking Id: 0

rlm_ldap: ldap_get_conn: Got Id: 0

rlm_ldap: performing search in dc=netplus,dc=fr, with filter (uid=fmehault)

rlm_ldap: performing search in cn=stagiaire,ou=Profiles,dc=netplus,dc=fr, with filter (objectclass=radiusprofile)

rlm_ldap: radiusServiceType -> Service-Type = NAS-Prompt-User

[ldap] looking for check items in directory...

rlm_ldap: radiusNASIpAddress -> NAS-IP-Address == 192.168.0.60

rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "192.168.0.80"

[ldap] looking for reply items in directory...

WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

[ldap] Setting Auth-Type = LDAP

[ldap] user fmehault authorized to use remote access

rlm_ldap: ldap_release_conn: Release Id: 0

++[ldap] returns ok

rlm_checkval: Item Name: Calling-Station-Id, Value: 192.168.0.80

rlm_checkval: Value Name: Calling-Station-Id, Value: 192.168.0.80

++[station-check] returns ok

rlm_checkval: Item Name: NAS-IP-Address, Value: À¨     à what is the problem ???

rlm_checkval: Value Name: NAS-IP-Address, Value: 192.168.0.60   (I put 192.168.0.60 instead of 192.168.0.50 to be reject )

++[nas-check] returns noop

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.

++[pap] returns noop

Found Auth-Type = LDAP

+- entering group LDAP {...}

[ldap] login attempt by "fmehault" with password "toto"

[ldap] user DN: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr

rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1

rlm_ldap: bind as cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr/toto to 127.0.0.1:389

rlm_ldap: waiting for bind result ...

rlm_ldap: Bind was successful

[ldap] user fmehault authenticated succesfully

++[ldap] returns ok

+- entering group post-auth {...}

++[exec] returns noop

Sending Access-Accept of id 117 to 192.168.0.50 port 1812

        Reply-Message = "Utilisateur: fmehault, group: Stagiaire"

        Service-Type = NAS-Prompt-User

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

Cleaning up request 0 ID 117 with timestamp +237

Ready to process requests.