We're using EAP-TTLS and checking against LDAP for password validation on our wireless access points (Cisco). It looks like the radius server is sending two requests to the LDAP server for every login. The first is for anonymous, which I think is for the EAP-TTLS tunnel, which doesn't match any username in LDAP. The second one is for the actual username and matches a LDAP username and authenticates OK. Our users are getting logged in OK, but the people managing the LDAP servers are complaining about the anonymous attempts. I've been trying to get the radius server to deal with the anonymous attempts itself, but havn't been able to. I'm hoping someone here can give me some ideas. I'll attach info from the config files and logs. We have some local authentication for MAC addresses, everything else goes to LDAP. users -------------------------------------------------------------------- # We have some MAC based authentication that occurs locally, not sent to # Make MAC based authentication skip LDAP DEFAULT User-Name =~ "[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]" Auth-Type := Reject, Fall-Through = Yes # MAC authentication 004096411ddd User-Password == "004096411ddd" Auth-Type := Accept radiusd.conf ------------------------------------------------------------- ldap { server = "ldaptest.louisville.edu" identity = "cn=ldaptest,ou=common,o=ul" password = xxxxx basedn = "ou=people,o=ul" filter = "(&(cn=%{Stripped-User-Name:-%{User-Name}})(uoflWireStatus=ACTV))" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } radius log file ---------------------------------------------------------- Nov 4 18:12:15 hermes radiusd[10287]: Processing the authorize section of radiusd.conf Nov 4 18:12:15 hermes radiusd[10287]: modcall: entering group authorize for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall: entering group redundant for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authorize]: calling files (rlm_files) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authorize]: returned from files (rlm_files) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall[authorize]: module "files" returns notfound for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall: group redundant returns notfound for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authorize]: calling eap (rlm_eap) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: rlm_eap: EAP packet type response id 8 length 71 Nov 4 18:12:15 hermes radiusd[10287]: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authorize]: returned from eap (rlm_eap) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall[authorize]: module "eap" returns updated for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authorize]: calling ldap (rlm_ldap) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: - authorize Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: performing user authorization for anonymous Nov 4 18:12:15 hermes radiusd[10287]: radius_xlat: '(&(cn=anonymous)(uoflWireStatus=ACTV))' Nov 4 18:12:15 hermes radiusd[10287]: radius_xlat: 'ou=people,o=ul' Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: ldap_get_conn: Checking Id: 0 Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: ldap_get_conn: Got Id: 0 Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: performing search in ou=people,o=ul, with filter (&(cn=anonymous)(uoflWireStatus=ACTV)) Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: object not found or got ambiguous search result Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: search failed Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: ldap_release_conn: Release Id: 0 Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authorize]: returned from ldap (rlm_ldap) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall[authorize]: module "ldap" returns notfound for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall: group authorize returns updated for request 165 Nov 4 18:12:15 hermes radiusd[10287]: rad_check_password: Found Auth-Type EAP Nov 4 18:12:15 hermes radiusd[10287]: auth: type "EAP" Nov 4 18:12:15 hermes radiusd[10287]: Processing the authenticate section of radiusd.conf Nov 4 18:12:15 hermes radiusd[10287]: modcall: entering group authenticate for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authenticate]: calling eap (rlm_eap) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: rlm_eap: Request found, released from the list Nov 4 18:12:15 hermes radiusd[10287]: rlm_eap: EAP/ttls Nov 4 18:12:15 hermes radiusd[10287]: rlm_eap: processing type ttls Nov 4 18:12:15 hermes radiusd[10287]: rlm_eap_ttls: Authenticate Nov 4 18:12:15 hermes radiusd[10287]: rlm_eap_tls: processing TLS Nov 4 18:12:15 hermes radiusd[10287]: rlm_eap_tls: Length Included Nov 4 18:12:15 hermes radiusd[10287]: eaptls_verify returned 11 Nov 4 18:12:15 hermes radiusd[10287]: eaptls_process returned 7 Nov 4 18:12:15 hermes radiusd[10287]: rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. Nov 4 18:12:15 hermes radiusd[10287]: Processing the authorize section of radiusd.conf Nov 4 18:12:15 hermes radiusd[10287]: modcall: entering group authorize for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall: entering group redundant for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authorize]: calling files (rlm_files) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authorize]: returned from files (rlm_files) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall[authorize]: module "files" returns notfound for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall: group redundant returns notfound for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authorize]: calling eap (rlm_eap) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: rlm_eap: No EAP-Message, not doing EAP Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authorize]: returned from eap (rlm_eap) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall[authorize]: module "eap" returns noop for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authorize]: calling ldap (rlm_ldap) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: - authorize Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: performing user authorization for testuser Nov 4 18:12:15 hermes radiusd[10287]: radius_xlat: '(&(cn=testuser)(uoflWireStatus=ACTV))' Nov 4 18:12:15 hermes radiusd[10287]: radius_xlat: 'ou=people,o=ul' Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: ldap_get_conn: Checking Id: 0 Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: ldap_get_conn: Got Id: 0 Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: performing search in ou=people,o=ul, with filter (&(cn=testuser)(uoflWireStatus=ACTV)) Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: looking for check items in directory... Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: Adding uoflWireStatus as uoflWireStatus, value ACTV & op=21 Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: looking for reply items in directory... Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: user testuser authorized to use remote access Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: ldap_release_conn: Release Id: 0 Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authorize]: returned from ldap (rlm_ldap) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall[authorize]: module "ldap" returns ok for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall: group authorize returns ok for request 165 Nov 4 18:12:15 hermes radiusd[10287]: rad_check_password: Found Auth-Type LDAP Nov 4 18:12:15 hermes radiusd[10287]: auth: type "LDAP" Nov 4 18:12:15 hermes radiusd[10287]: Processing the authenticate section of radiusd.conf Nov 4 18:12:15 hermes radiusd[10287]: modcall: entering group Auth-Type for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authenticate]: calling ldap (rlm_ldap) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: - authenticate Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: login attempt by "testuser" with password "xxxxx" Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: user DN: cn=testuser,ou=people,o=ul Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: (re)connect to ldap.louisville.edu:389, authentication 1 Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: bind as cn=testuser,ou=people,o=ul/xxxxx to ldap.louisville.edu:389 Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: waiting for bind result ... Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: Bind was successful Nov 4 18:12:15 hermes radiusd[10287]: rlm_ldap: user testuser authenticated succesfully Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authenticate]: returned from ldap (rlm_ldap) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall[authenticate]: module "ldap" returns ok for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall: group Auth-Type returns ok for request 165 Nov 4 18:12:15 hermes radiusd[10287]: Login OK: [testuser] (from client localhost port 0) Nov 4 18:12:15 hermes radiusd[10287]: TTLS: Got tunneled Access-Accept Nov 4 18:12:15 hermes radiusd[10287]: rlm_eap: Freeing handler Nov 4 18:12:15 hermes radiusd[10287]: modsingle[authenticate]: returned from eap (rlm_eap) for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall[authenticate]: module "eap" returns ok for request 165 Nov 4 18:12:15 hermes radiusd[10287]: modcall: group authenticate returns ok for request 165 Nov 4 18:12:15 hermes radiusd[10287]: Login OK: [anonymous] (from client air-02b-1.mitc port 38605 cli 0005.4e44.6b64) Nov 4 18:12:15 hermes radiusd[10287]: Finished request 165 radius debug output ------------------------------------------------------ rad_recv: Access-Request packet from host 10.255.200.1:1645, id=160, length=218 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "000f.3446.7d80" Calling-Station-Id = "0005.4e44.6b64" Service-Type = Login-User Message-Authenticator = 0xd230db4f9d60f9468b8000adb4e7b62c EAP-Message = 0x0208004715800000003d1703010038d1fc558225df702e06ea38da314f362be1b0f41437f7cbac8b51a6995662e82fd1952d96d34e1abd7375b6e26f9bb475e225edf18d1c9f8a NAS-Port-Type = Wireless-802.11 NAS-Port = 38605 State = 0x953d8bee5235a79f4b6ec98f699d8a58 NAS-IP-Address = 10.255.200.1 NAS-Identifier = "AIR-02B-1.MITC" TTLS tunnel data in 0000: 00 00 00 01 40 00 00 10 68 6b 66 69 65 64 30 31 TTLS tunnel data in 0010: 00 00 00 02 40 00 00 10 4d 65 72 6c 69 6e 30 33 TTLS: Got tunneled request User-Name = "testuser" User-Password = "xxxxx" FreeRADIUS-Proxied-To = 127.0.0.1 TTLS: Sending tunneled request User-Name = "testuser" User-Password = "xxxxx" FreeRADIUS-Proxied-To = 127.0.0.1 TTLS: Got tunneled reply RADIUS code 2 Sending Access-Accept of id 160 to 10.255.200.1:1645 MS-MPPE-Recv-Key = 0xa658138cf63b9875896ed04b0b1113b630d0be68c9f0c4689da969d89ee15402 MS-MPPE-Send-Key = 0xd3303f466f0e7b69f931b89e53e62cd6a370da24ab2fbb220f5d725adf9776c0 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "anonymous" -- Hans K. Fiedler Information Technology Network Analyst Communications Services hans@hermes.louisville.edu University of Louisville 502-852-7427 Louisville, Ky. 40292