Am 17.12.2013 12:22, schrieb Arran Cudbard-Bell:
I know. But the password is ok and works with OpenSuse 12.3 and FR 2.x The response seems to be triggered by a mismatch of FR and OpenSuse 13.1 and eDir. If you get packet captures of each then we can do a comparison and figure out what changes.
-Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
Here is a part of the result from radiusd -X. Do you want a wireshark capture too? Listening on auth address * port 1812 as server default Listening on acct address * port 1813 as server default Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel Opening new proxy address * port 1814 Listening on proxy address * port 1814 Ready to process requests rad_recv: Access-Request packet from host 192.168.200.6 port 32770, id=87, length=215 User-Name = 'foo' Calling-Station-Id = '84-4b-f5-39-8a-f8' Called-Station-Id = 'd8-24-bd-2e-4c-c0:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec806000400e552b040e3' NAS-IP-Address = 192.168.200.6 NAS-Identifier = 'xxx' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '150' EAP-Message = 0x0202000a0170726f6265 Message-Authenticator = 0x918dcc4fcbdefa81607d26e56be961ad (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) ? if (!User-Name) (0) ? if (!User-Name) -> FALSE (0) ? if (User-Name != "%{tolower:%{User-Name}}") (0) expand: "%{tolower:%{User-Name}}" -> 'foo' (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) ? if (User-Name =~ / /) (0) ? if (User-Name =~ / /) -> FALSE (0) ? if (User-Name =~ /@.*@/ ) (0) ? if (User-Name =~ /@.*@/ ) -> FALSE (0) ? if (User-Name =~ /\\.\\./ ) (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) ? if (User-Name =~ /\\.$/) (0) ? if (User-Name =~ /\\.$/) -> FALSE (0) ? if (User-Name =~ /@\\./) (0) ? if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [mschap] = noop (0) suffix : No '@' in User-Name = "foo", looking up realm NULL (0) suffix : Found realm "NULL" (0) suffix : Adding Stripped-User-Name = "foo" (0) suffix : Adding Realm = "NULL" (0) suffix : Authentication realm is LOCAL (0) [suffix] = ok (0) eap : EAP packet type response id 2 length 10 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_md5 to process EAP data rlm_eap_md5: Issuing Challenge (0) eap : New EAP session, adding 'State' attribute to reply 0x2813582828105cdd (0) [eap] = handled (0) } # authenticate = handled Sending Access-Challenge of id 87 from 192.168.1.56 port 1812 to 192.168.200.6 port 32770 EAP-Message = 0x0103001604109fd6f971b8b39a9e70ac72f7924821d6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2813582828105cdd2c29910179c66dfc (0) Finished request 0. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host 192.168.200.6 port 32770, id=88, length=229 User-Name = 'foo' Calling-Station-Id = '84-4b-f5-39-8a-f8' Called-Station-Id = 'd8-24-bd-2e-4c-c0:test' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=8b0ec806000400e552b040e3' NAS-IP-Address = 192.168.200.6 NAS-Identifier = 'xxx' Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '150' EAP-Message = 0x020300060319 State = 0x2813582828105cdd2c29910179c66dfc Message-Authenticator = 0x3225e79c9679af40be71f2f6c951c86a (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) ? if (!User-Name) (1) ? if (!User-Name) -> FALSE (1) ? if (User-Name != "%{tolower:%{User-Name}}") (1) expand: "%{tolower:%{User-Name}}" -> 'foo' (1) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (1) ? if (User-Name =~ / /) (1) ? if (User-Name =~ / /) -> FALSE (1) ? if (User-Name =~ /@.*@/ ) (1) ? if (User-Name =~ /@.*@/ ) -> FALSE (1) ? if (User-Name =~ /\\.\\./ ) (1) ? if (User-Name =~ /\\.\\./ ) -> FALSE (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) ? if (User-Name =~ /\\.$/) (1) ? if (User-Name =~ /\\.$/) -> FALSE (1) ? if (User-Name =~ /@\\./) (1) ? if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [mschap] = noop (1) suffix : No '@' in User-Name = "foo", looking up realm NULL (1) suffix : Found realm "NULL" (1) suffix : Adding Stripped-User-Name = "foo" (1) suffix : Adding Realm = "NULL" (1) suffix : Authentication realm is LOCAL (1) [suffix] = ok (1) eap : EAP packet type response id 3 length 6 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop rlm_ldap (ldap): Reserved connection (0) (1) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=foo)' (1) ldap : expand: "o=org" -> 'o=org' (1) ldap : Performing search in 'o=org' with filter '(cn=foo)' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "cn=foo,ou=test,o=org" (1) ERROR: ldap : Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to 192.168.1.35:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (1) [ldap] = fail (1) } # authorize = fail (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject : expand: "%{User-Name}" -> 'foo' (1) attr_filter.access_reject : Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) ldap : expand: "." -> '.' (1) ldap : expand: "Authenticated at %S" -> 'Authenticated at 2013-12-17 13:22:30' rlm_ldap (ldap): Reserved connection (1) (1) ldap : Using user DN from request "cn=foo,ou=test,o=org" (1) ldap : Modifying object with DN "cn=foo,ou=test,o=org" (1) ldap : Waiting for modify result... rlm_ldap (ldap): Released connection (1) (1) [ldap] = reject (1) } # Post-Auth-Type REJECT = reject (1) Finished request 1. Waking up in 0.2 seconds. Waking up in 0.7 seconds. (1) Sending delayed reject Sending Access-Reject of id 88 from 192.168.1.56 port 1812 to 192.168.200.6 port 32770 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 87 with timestamp +28 Waking up in 1.0 seconds. (1) Cleaning up request packet ID 88 with timestamp +28 Ready to process requests