But in this way, I provided authorization for wifi in windows, ubuntu and android operating systems. I can not only do it for ios. I also verify with ttls + pap, only ios now gives an error. How can I authorize wireless networks as ttls + pap for iOS. The full debug output for ber_get_next failed; Debug: (17) ldap: User object found at DN "uid=can.dulkadiroglu,ou=Users,dc=samsun,dc=edu,dc=tr" Mon Apr 12 04:17:39 2021 : Debug: (17) ldap: Processing user attributes Mon Apr 12 04:17:39 2021 : Debug: (17) ldap: Attribute "userPassword" not found in LDAP object Mon Apr 12 04:17:39 2021 : Debug: (17) ldap: Attribute "radiusControlAttribute" not found in LDAP object Mon Apr 12 04:17:39 2021 : Debug: (17) ldap: Attribute "radiusRequestAttribute" not found in LDAP object Mon Apr 12 04:17:39 2021 : Debug: (17) ldap: Attribute "radiusReplyAttribute" not found in LDAP object Mon Apr 12 04:17:39 2021 : WARNING: (17) ldap: No "known good" password added. Ensure the admin user has permission to read the password attribute Mon Apr 12 04:17:39 2021 : WARNING: (17) ldap: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) Mon Apr 12 04:17:39 2021 : Debug: rlm_ldap (ldap): Released connection (0) Mon Apr 12 04:17:39 2021 : Info: Need 1 more connections to reach min connections (3) Mon Apr 12 04:17:39 2021 : Info: rlm_ldap (ldap): Opening additional connection (6), 1 of 30 pending slots used Mon Apr 12 04:17:39 2021 : Debug: rlm_ldap (ldap): Connecting to ldaps:// ldap.google.com:636 Mon Apr 12 04:17:39 2021 : Debug: rlm_ldap (ldap): New libldap handle 0x5631da71dd60 Mon Apr 12 04:17:39 2021 : Debug: rlm_ldap (ldap): Waiting for bind result... ber_get_next failed. Mon Apr 12 04:17:40 2021 : Debug: rlm_ldap (ldap): Bind successful Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authorize]: returned from ldap (rlm_ldap) Mon Apr 12 04:17:40 2021 : Debug: (17) [ldap] = ok Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authorize]: calling expiration (rlm_expiration) Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authorize]: returned from expiration (rlm_expiration) Mon Apr 12 04:17:40 2021 : Debug: (17) [expiration] = noop Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authorize]: calling logintime (rlm_logintime) Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authorize]: returned from logintime (rlm_logintime) Mon Apr 12 04:17:40 2021 : Debug: (17) [logintime] = noop Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authorize]: calling pap (rlm_pap) Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authorize]: returned from pap (rlm_pap) Mon Apr 12 04:17:40 2021 : Debug: (17) [pap] = noop Mon Apr 12 04:17:40 2021 : Debug: (17) if (User-Password) { Mon Apr 12 04:17:40 2021 : Debug: (17) if (User-Password) -> FALSE Mon Apr 12 04:17:40 2021 : Debug: (17) } # authorize = updated Mon Apr 12 04:17:40 2021 : Debug: (17) Found Auth-Type = eap Mon Apr 12 04:17:40 2021 : Debug: (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel Mon Apr 12 04:17:40 2021 : Debug: (17) authenticate { Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authenticate]: calling eap (rlm_eap) Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Expiring EAP session with state 0x14605457166441b9 Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Finished EAP session with state 0xca0fe817ca0eec20 Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Previous EAP request found for state 0xca0fe817ca0eec20, released from the list Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Peer sent packet with method EAP MD5 (4) Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Calling submodule eap_md5 to process data Mon Apr 12 04:17:40 2021 : ERROR: (17) eap_md5: Cleartext-Password is required for EAP-MD5 authentication Mon Apr 12 04:17:40 2021 : ERROR: (17) eap: Failed continuing EAP MD5 (4) session. EAP sub-module failed Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Sending EAP Failure (code 4) ID 1 length 4 Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Failed in EAP select Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authenticate]: returned from eap (rlm_eap) Mon Apr 12 04:17:40 2021 : Debug: (17) [eap] = invalid Mon Apr 12 04:17:40 2021 : Debug: (17) } # authenticate = invalid Mon Apr 12 04:17:40 2021 : Debug: (17) Failed to authenticate the user Mon Apr 12 04:17:40 2021 : Debug: (17) Using Post-Auth-Type Reject Mon Apr 12 04:17:40 2021 : Debug: (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel Mon Apr 12 04:17:40 2021 : Debug: (17) Post-Auth-Type REJECT { Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) Mon Apr 12 04:17:40 2021 : Debug: %{User-Name} Mon Apr 12 04:17:40 2021 : Debug: Parsed xlat tree: Mon Apr 12 04:17:40 2021 : Debug: attribute --> User-Name Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: EXPAND %{User-Name} Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: --> can.dulkadiroglu Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: Matched entry DEFAULT at line 11 Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: EAP-Message = 0x04010004 allowed by EAP-Message =* 0x Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: Attribute "EAP-Message" allowed by 1 rules, disallowed by 0 rules Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: Message-Authenticator = 0x00000000000000000000000000000000 allowed by Message-Authenticator =* 0x Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: Attribute "Message-Authenticator" allowed by 1 rules, disallowed by 0 rules Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) Mon Apr 12 04:17:40 2021 : Debug: (17) [attr_filter.access_reject] = updated Mon Apr 12 04:17:40 2021 : Debug: (17) update outer.session-state { Mon Apr 12 04:17:40 2021 : Debug: (17) &Module-Failure-Message := &request:Module-Failure-Message -> 'eap_md5: Cleartext-Password is required for EAP-MD5 authentication' Mon Apr 12 04:17:40 2021 : Debug: (17) } # update outer.session-state = noop Mon Apr 12 04:17:40 2021 : Debug: (17) } # Post-Auth-Type REJECT = updated Mon Apr 12 04:17:40 2021 : Auth: (17) Login incorrect (eap_md5: Cleartext-Password is required for EAP-MD5 authentication): [can.dulkadiroglu/<via Auth-Type = eap>] (from client localhost port 2 cli fa33e5c54a33 via TLS tunnel) Mon Apr 12 04:17:40 2021 : Debug: (17) } # server inner-tunnel Mon Apr 12 04:17:40 2021 : Debug: (17) Virtual server sending reply Mon Apr 12 04:17:40 2021 : Debug: (17) EAP-Message = 0x04010004 Mon Apr 12 04:17:40 2021 : Debug: (17) Message-Authenticator = 0x00000000000000000000000000000000 Mon Apr 12 04:17:40 2021 : Debug: (17) eap_ttls: Got tunneled Access-Reject Mon Apr 12 04:17:40 2021 : ERROR: (17) eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Sending EAP Failure (code 4) ID 6 length 4 Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Failed in EAP select Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[authenticate]: returned from eap (rlm_eap) Mon Apr 12 04:17:40 2021 : Debug: (17) [eap] = invalid Mon Apr 12 04:17:40 2021 : Debug: (17) } # authenticate = invalid Mon Apr 12 04:17:40 2021 : Debug: (17) Failed to authenticate the user Mon Apr 12 04:17:40 2021 : Debug: (17) Using Post-Auth-Type Reject Mon Apr 12 04:17:40 2021 : Debug: (17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default Mon Apr 12 04:17:40 2021 : Debug: (17) Post-Auth-Type REJECT { Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) Mon Apr 12 04:17:40 2021 : Debug: %{User-Name} Mon Apr 12 04:17:40 2021 : Debug: Parsed xlat tree: Mon Apr 12 04:17:40 2021 : Debug: attribute --> User-Name Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: EXPAND %{User-Name} Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: --> can.dulkadiroglu Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: Matched entry DEFAULT at line 11 Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: EAP-Message = 0x04060004 allowed by EAP-Message =* 0x Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: Attribute "EAP-Message" allowed by 1 rules, disallowed by 0 rules Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: Message-Authenticator = 0x00000000000000000000000000000000 allowed by Message-Authenticator =* 0x Mon Apr 12 04:17:40 2021 : Debug: (17) attr_filter.access_reject: Attribute "Message-Authenticator" allowed by 1 rules, disallowed by 0 rules Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) Mon Apr 12 04:17:40 2021 : Debug: (17) [attr_filter.access_reject] = updated Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]: calling eap (rlm_eap) Mon Apr 12 04:17:40 2021 : Debug: (17) eap: Reply already contained an EAP-Message, not inserting EAP-Failure Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]: returned from eap (rlm_eap) Mon Apr 12 04:17:40 2021 : Debug: (17) [eap] = noop Mon Apr 12 04:17:40 2021 : Debug: (17) policy remove_reply_message_if_eap { Mon Apr 12 04:17:40 2021 : Debug: (17) if (&reply:EAP-Message && &reply:Reply-Message) { Mon Apr 12 04:17:40 2021 : Debug: (17) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE Mon Apr 12 04:17:40 2021 : Debug: (17) else { Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]: calling noop (rlm_always) Mon Apr 12 04:17:40 2021 : Debug: (17) modsingle[post-auth]: returned from noop (rlm_always) Mon Apr 12 04:17:40 2021 : Debug: (17) [noop] = noop Mon Apr 12 04:17:40 2021 : Debug: (17) } # else = noop Mon Apr 12 04:17:40 2021 : Debug: (17) } # policy remove_reply_message_if_eap = noop Mon Apr 12 04:17:40 2021 : Debug: (17) } # Post-Auth-Type REJECT = updated Mon Apr 12 04:17:40 2021 : Auth: (17) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed): [can.dulkadiroglu/<via Auth-Type = eap>] (from client localhost port 2 cli fa33e5c54a33) Mon Apr 12 04:17:40 2021 : Debug: (17) Delaying response for 1.000000 seconds Mon Apr 12 04:17:40 2021 : Debug: Waking up in 0.5 seconds. Mon Apr 12 04:17:41 2021 : Debug: (12) Cleaning up request packet ID 248 with timestamp +80 Mon Apr 12 04:17:41 2021 : Debug: (13) Cleaning up request packet ID 249 with timestamp +80 Mon Apr 12 04:17:41 2021 : Debug: (14) Cleaning up request packet ID 250 with timestamp +80 Mon Apr 12 04:17:41 2021 : Debug: Waking up in 0.3 seconds. Mon Apr 12 04:17:41 2021 : Debug: (17) Sending delayed response Mon Apr 12 04:17:41 2021 : Debug: (17) Sent Access-Reject Id 253 from 10.50.2.140:1812 to 10.50.2.166:58160 length 44 Mon Apr 12 04:17:41 2021 : Debug: (17) EAP-Message = 0x04060004 Mon Apr 12 04:17:41 2021 : Debug: (17) Message-Authenticator = 0x00000000000000000000000000000000 Mon Apr 12 04:17:41 2021 : Debug: Waking up in 2.6 seconds. Mon Apr 12 04:17:44 2021 : Debug: (15) Cleaning up request packet ID 251 with timestamp +83 Mon Apr 12 04:17:44 2021 : Debug: (16) Cleaning up request packet ID 252 with timestamp +83 Mon Apr 12 04:17:44 2021 : Debug: Waking up in 1.3 seconds. Mon Apr 12 04:17:45 2021 : Debug: (17) Cleaning up request packet ID 253 with timestamp +83 Mon Apr 12 04:17:45 2021 : Info: Ready to process requests Vahap Can DULKADİROĞLU *Bilgi İşlem Daire Başkanlığı **/ Elektronik ve Haberleşme Mühendisi* *can.dulkadiroglu@samsun.edu.tr <can.dulkadiroglu@samsun.edu.tr>* 0(362) 313 00 55 - 1454 Canik Yerleşkesi Gürgenyatak Mahallesi Merkez Sokak No:40-2/1 CANİK/SAMSUN www.samsun.edu.tr *SAMSUN ÜNİVERSİTESİ* *‘‘Nitelikli Toplum İçin, Nitelikli Üniversite’’* Alan DeKok <aland@deployingradius.com>, 14 Nis 2021 Çar, 14:30 tarihinde şunu yazdı:
On Apr 14, 2021, at 2:21 AM, Vahap Can Dulkadiroğlu < can.dulkadiroglu@samsun.edu.tr> wrote:
We are using google ldap. How will we solve this problem. Whatever I did, this problem was not solved.--"The server doesn't have permission to read the "known good" passwords from LDAP"
It's Google. You can't.
If you want to do WiFi authentication and use Google for LDAP, your choices are:
a) TTLS + PAP
b) no WiFi authentication
c) don't use Google for LDAP
That's it.
We also get this error. I don't know the meaning of this error.--" ber_get_next failed."
It depends... the full debug output would be useful.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html