On Wed, 2009-09-09 at 08:02 +1200, Peter Lambrechtsen wrote:
On 9/09/2009, at 2:43 AM, Alan DeKok <aland@deployingradius.com> wrote:
Michael Fischer wrote:
I'm trying to set up 802.1x authentication on my Enterasys AccessPoints using freeradius and eDirectory.
Freeradius and eDirectory work like a charm when I use it for Cisco- VPN authentication.
Which is likely PAP (i.e. clear-text password).
rlm_ldap: Error reading Universal Password.Return Code = -1635
Go fix that.
eDirectory isn't returning the password. Therefore, FreeRADIUS doesn't have it, and cannot authenticate anyone.
Turn on universal password and allow user to retrieve password in your universal password policy. Then reset their password using imanager or via ldap and try again.
Alan DeKok.
Hi,
the strange thing is that I've never used anything else than universal password and my universal password policy does allow the user to read the password. I get the same error with the working Cisco-VPN configuration, see the debug output: Ready to process requests. rad_recv: Access-Request packet from host 10.99.4.1:1025, id=161, length=142 User-Name = "dfuernsin" User-Password = "xxxxxx" NAS-Port = 172 Service-Type = Framed-User Framed-Protocol = PPP Called-Station-Id = "10.99.4.1" Calling-Station-Id = "10.3.4.97" NAS-Port-Type = Virtual Tunnel-Client-Endpoint:0 = "10.3.4.97" NAS-IP-Address = 10.99.4.1 Cisco-AVPair = "ip:source-ip=10.3.4.97" rlm_ldap: - authorize rlm_ldap: performing user authorization for dfuernsin rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64 rlm_ldap: starting TLS rlm_ldap: bind as cn=admin,o=TGM/xxxxxx to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: checking if remote access for dfuernsin is allowed by dialupAccess rlm_ldap: Error reading Universal Password.Return Code = -1635 rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11 rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user dfuernsin authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. rlm_ldap: - authenticate rlm_ldap: login attempt by "dfuernsin" with password "xxxxxxx" rlm_ldap: user DN: cn=dfuernsin,ou=ITS,ou=People,o=TGM rlm_ldap: (re)connect to localhost:389, authentication 1 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64 rlm_ldap: starting TLS rlm_ldap: bind as cn=dfuernsin,ou=ITS,ou=People,o=TGM/xxxxxx to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user dfuernsin authenticated succesfully Login OK: [dfuernsin] (from client firewall port 172 cli 10.3.4.97) Sending Access-Accept of id 161 to 10.99.4.1 port 1025 Class = 0x54474d2d495453 I guess that cannot be the problem then... lg, Mike -- Please stop top-quoting! email: michi.fischer@gmx.net