Hi, I write better my error in my log, the problem I suppose that is these lines: Invalid operator for item EAP-Type: reverting to '==' rlm_ldap: Pairs do not match. Rejecting user. rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns reject for request 5 Here I put the end of my log file: rad_recv: Access-Request packet from host 192.168.20.4:1645, id=97, length=240 User-Name = "vlan3" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=VLAN3" Service-Type = Login-User Message-Authenticator = 0xdc1ea9dbac4ed1f33ebb580a3c1c4a73 EAP-Message = 0x020600501900170301002088ea976b1bef6fd3a9bd5599650e83cd848cf424e51a204996c8941600f71b871703010020323a6993eede0a3f70fda756d35c73463b1f49efe677a830e25ab51d09220b6f NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "276" NAS-Port = 276 State = 0xb0d694dd7c79d212c6f91ec33dceddf1 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "vlan3", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 6 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for vlan3 radius_xlat: '(uid=vlan3)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=vlan3) rlm_ldap: Added password vlan3 in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCiscoAVPair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11 rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 3 & op=11 rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value IEEE-802 & op=11 rlm_ldap: user vlan3 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - vlan3 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of vlan3 PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to vlan3 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "vlan3", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 6 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for vlan3 radius_xlat: '(uid=vlan3)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=vlan3) rlm_ldap: Added password vlan3 in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCiscoAVPair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11 rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 3 & op=11 rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value IEEE-802 & op=11 Invalid operator for item EAP-Type: reverting to '==' rlm_ldap: Pairs do not match. Rejecting user. rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns reject for request 5 modcall: leaving group authorize (returns reject) for request 5 Invalid user (rlm_ldap: Pairs do not match): [vlan3/<no User-Password attribute>] (from client cn-radius port 276 cli 000c.f135.f1ba) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 97 to 192.168.20.4 port 1645 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "3" Tunnel-Medium-Type:0 = IEEE-802 EAP-Message = 0x01070050190017030100207e6749688570ab3f6990aa513c84e1d57d72b0c19700ac8d067ab772d8a483221703010020698cbf6325fc65cc53a2c5f38ded1ceda6937e856568c4d62dfaf798a05261d3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe4aede9badece66c821fb17e67e9d969 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=98, length=240 User-Name = "vlan3" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=VLAN3" Service-Type = Login-User Message-Authenticator = 0x3a85a008df8442db44495e79eec73a91 EAP-Message = 0x0207005019001703010020717b9678780436411ce8d845e6a7afe99d179bcb45bb1b4f5d992ce5694899eb1703010020341bafcfa52a2e0e5c8c9e8decbf4c57ae787f9eb9a2116a8bc00d83ac2ff2b2 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "276" NAS-Port = 276 State = 0xe4aede9badece66c821fb17e67e9d969 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "vlan3", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 7 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for vlan3 radius_xlat: '(uid=vlan3)' radius_xlat: 'dc=create-net,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=vlan3) rlm_ldap: Added password vlan3 in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCiscoAVPair as Cisco-AVPair, value ssid=VLAN3 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11 rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 3 & op=11 rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value IEEE-802 & op=11 rlm_ldap: user vlan3 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 6 modcall: leaving group authenticate (returns invalid) for request 6 auth: Failed to validate the user. Login incorrect: [vlan3/<no User-Password attribute>] (from client ap-test-ivan port 276 cli 000c.f135.f1ba) Delaying request 6 for 1 seconds Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=98, length=240 Sending Access-Reject of id 98 to 192.168.20.4 port 1645 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 1 seconds... What is wrong? Thanks, bye Antonio
on 17/05/2006 14.11 Mitchell, Michael J said the following:
Hi Antonio,
ldap: compare_check_items = no
You need to set "compare_check_items = yes" in the ldap module configuration? The default is "no".
regards, Mike