Hi, I would say that you can't test direcly your EAP auth using radtest because radtest doesn't send a EAP-Message into its requests. You have two choices here, use radclient with correct params to test EAP ou take a real windows clients and configure auth to be EAP. Regards, -- Sebastien Cantos <scantos@technodiva.com> Network / System Manager Neopost DIVA
-----Message d'origine----- De : freeradius-users-bounces+scantos=technodiva.com@lists.freeradi us.org [mailto:freeradius-users-bounces+scantos=technodiva.com@lists. freeradius.org] De la part de rwakim@mind-techno.fr Envoyé : lundi 2 janvier 2006 11:46 À : freeradius-users@lists.freeradius.org Objet : FreeRadius and Openldap authentication
Hello,
I'm pretty new to ldap and radius, I try to put and 802.x authentication but I have difficulties setting it up correctly.
Here is my problem:
When I start the radtest binary:
radtest "test" "supersecret" localhost 2 testing123
Here is the result:
Sending Access-Request of id 45 to 127.0.0.1:1812 User-Name = "test" User-Password = "supersecret" NAS-IP-Address = lavoisier NAS-Port = 2 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=45, length=20
Here is the log on the radius server (Started with radiusd -X):
rad_recv: Access-Request packet from host 127.0.0.1:61292, id=50, length=56 User-Name = "test" User-Password = "supersecret" NAS-IP-Address = 255.255.255.255 NAS-Port = 2 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 3 users: Matched entry DEFAULT at line 78 users: Matched entry DEFAULT at line 160 modcall[authorize]: module "files" returns ok for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=fr, with filter (uid=test) rlm_ldap: checking if remote access for test is allowed by radiusFilterId rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFilterId as Filter-Id, value Enterasys:version=1:policy=Enterprise User & op=11 rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3 modcall: group authorize returns ok for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: EAP-Message not found rlm_eap: Malformed EAP Message modcall[authenticate]: module "eap" returns fail for request 3 modcall: group authenticate returns fail for request 3 auth: Failed to validate the user. Login incorrect: [test] (from client localhost port 2) Delaying request 3 for 1 seconds Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 50 to 127.0.0.1:61292 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 3 ID 50 with timestamp 43b8f992 Nothing to do. Sleeping until we see a request.
For the moment I have one box running Openldap on a debian/SPARC and one box running Freeradius on a FreeBSD 5.3/SPARC
The LDAP user info:
dn: cn=test,ou=users, dc=fr userPassword:: e1NIQX1jTWc1Y3dTazFuUEdMZW56UUw5UEdpV1pHSVU9 ou: ou=mind-techno,dc=fr objectClass: top objectClass: person objectClass: pilotPerson objectClass: radiusProfile janetMailbox: test@mind-techno.fr sn: test cn: test
The SLDAPD conf file:
access to dn="cn=.*,dc=fr" attr=userPassword by dn="cn=admin,dc=fr" write by anonymous auth by self write by * none
The RADIUS radiusd.conf file:
ldap { server = "galilee.mind-techno.fr"
identity = "cn=emanager,dc=fr" password = "XXXXXXXXXXXXXX"
basedn = "dc=fr"
filter = "(uid=%u)" # base_filter = "(objectclass=radiusprofile)"
start_tls = no
access_attr = "radiusFilterId"
dictionary_mapping = ${raddbdir}/ldap.attrmap #authtype = ldap
ldap_connections_number = 5
password_attribute = "userPassword" timeout = 4 timelimit = 3 net_timeout = 1 }
authenticate {
# Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap }
# # Allow EAP authentication. eap }
The RADIUS users file:
DEFAULT Auth-Type := EAP Fall-Through = 1 # Reply-Message = "LDAP"
I must admit I'm pretty lost in all this, And that any help will be nice.
I would be grateful if you had a how-to or tutorial on how to build a easy and working 802.x authentication with a Radius/LDAP system.
Best regards,
-- M. Robert Wakim Mind Technologies
24 rue Victor Hugo 94220 Charenton-Le-Pont FRANCE
tel : +33 (0)1 41 79 09 40 Fax : +33 (0)1 43 68 80 32
Email : rwakim@mind-techno.fr web : http://www.mind-techno.fr
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html