Francesc Zacarias wrote:
We're trying to set up Freeradius wtih 8021x. Freeradius should query a OpenLDAP server for autentication and check if the user belongs to certain groups and return different VLAN IDs depending on that.
Those are two completely independent things. Get them working independently, they should work together.
Unfortunately, we're having issues with the LDAP autentication part.
So what did you configure? Did you read raddb/sites-available/default, and look for ldap"?
I'm looking at the ldap queries performed by freeradius it is only checking if the user exists. No password check at all.
Read it again. It does this:
[ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SASL}testuser4@SPOTIFY.NET" [ldap] looking for reply items in directory...
Is that really the cleartext-password of the user? Really? Did you read raddb/sites-available/inner-tunnel, and follow the instructions at the top (in 2.1.12)
This the output of freeradius -X while using our test laptop:
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30
Well, upgrading wouldn't hurt.
Notice the lines:
[eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password.
You've said that the LDAP server contains cleartext passwords. Yet the debug log shows it doesn't. And this entry shows the server doesn't have the cleartext passwords. Fix that.
I wonder what is this module doing.
MSCHAP? Alan DeKok.