On 14/05/12 15:58, Steve Hopps wrote:
I'll post the full log. It should be pulling from OpenLDAP. I had to
It's not. You haven't configured it to do that.
Module: Instantiating module "ldap" from file /etc/freeradius/radiusd.conf ldap { server = "localhost" port = 389
Ok, you have LDAP configured
rad_recv: Access-Request packet from host 6.6.6.6 port 37880, id=0, length=119 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x020000090174657374 Message-Authenticator = 0xcfdd7846ad5afe2989a9f95268623b3a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop [ldap] performing user authorization for test
"ldap" is running in the "outer" tunnel; that's probably not where you want it. You need to put it in the "inner" tunnel. Compare and contrast sites-enabled/default and sites-enabled/inner-tunnel.
/etc/freeradius/sites-enabled/inner-tunnel
Note above, once the EAP outer tunnel has succeeded, further processing happens in the "sites-enabled/inner-tunnel" virtual server.
+- entering group authorize {...} ++[chap] returns noop ++[control] returns noop ++[mschap] returns noop ++[unix] returns updated
^^^ this is the problem; the "unix" module is running inside the tunnel and extracting the password for the user "test" from the local /etc/passwd file Comment this line out. Then replace it with "ldap"
[suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group PAP {...} [pap] login attempt with password "test123" [pap] Using CRYPT password "*" [pap] Passwords don't match ++[pap] returns reject
...and it fails.