Hi, My first post: I'm trying to do 802.1x between Xsupplicant (through a Cisco switch) to Freeradius 1.1.7 using Novell eDirectory LDAP. I can successfully authenticate as a local user in the 'users' file but the LDAP side is eluding me. This is my first experience with 802.1x/EAP etc so I'm still learning. It looks to me like the inner authentication doesn't know which Auth Type to use but I don't know how to tell it. Everything I've says that you don't explicitly state the Auth Type so I don't really know what to do next. Here are the output from freeradius -X, radiusd.conf and eap.conf. Any help would be appreciated. Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/imported_clients.cfg Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/freeradius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/freeradius/freeradius.pid" main: user = "freerad" main: group = "freerad" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "ttls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/freeradius/cert-srv.pem" tls: certificate_file = "/etc/freeradius/cert-srv.pem" tls: CA_file = "/etc/freeradius/root.pem" tls: private_key_password = "whatever" tls: dh_file = "/dev/null" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work! WARNING: Fix this by running the OpenSSL command listed in eap.conf rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = no rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/freeradius/huntgroups" preprocess: hints = "/etc/freeradius/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded LDAP ldap: server = "UK-AC-MAN-MTEST" ldap: port = 636 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "cn=radiusadmin,ou=dir,o=ac,c=uk" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "/tmp/oak-test-publickeycert.pem" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "demand" ldap: password = "radius30" ldap: basedn = "c=uk" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "nspmdistributionpassword" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: edir_account_policy_check = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute uni_ldap-Ldap-Group rlm_ldap: Registering ldap_groupcmp for uni_ldap-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name uni_ldap rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x801214b0 Module: Instantiated ldap (uni_ldap) Module: Loaded files files: usersfile = "/etc/freeradius/users" files: acctusersfile = "/etc/freeradius/acct_users" files: preproxy_usersfile = "/etc/freeradius/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.150.200.1:1645, id=235, length=133 User-Name = "anonymous" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-2A-98-B4-19" Calling-Station-Id = "00-0B-DB-8D-4B-12" EAP-Message = 0x0202000e01616e6f6e796d6f7573 Message-Authenticator = 0xb2fdb52ddd49a39af4a793920f226161 NAS-Port-Type = Ethernet NAS-Port = 50025 NAS-IP-Address = 10.150.200.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: '(uid=anonymous)' radius_xlat: 'c=uk' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to UK-AC-MAN-MTEST:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /tmp/oak-test-publickeycert.pem rlm_ldap: setting TLS Require Cert to demand rlm_ldap: bind as cn=radiusadmin,ou=dir,o=ac,c=uk/radius30 to UK-AC-MAN-MTEST:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in c=uk, with filter (uid=anonymous) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "uni_ldap" returns notfound for request 0 rlm_eap: EAP packet type response id 2 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 181 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 235 to 10.150.200.1 port 1645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0832a46dddb20ebc04b5f4e8bb744cb Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.150.200.1:1645, id=236, length=231 User-Name = "anonymous" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-2A-98-B4-19" Calling-Station-Id = "00-0B-DB-8D-4B-12" EAP-Message = 0x0203005e150016030100530100004f030147cc09506ffa93d49f47cfd7472481ab9f7226fa61fc2059bf2d95e106a83c6c00002800390038003500160013000a00330032002f000700050004001500120009001400110008000600030100 Message-Authenticator = 0xedae998ce19f622f20b4d24a38835afc NAS-Port-Type = Ethernet NAS-Port = 50025 State = 0xc0832a46dddb20ebc04b5f4e8bb744cb NAS-IP-Address = 10.150.200.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: '(uid=anonymous)' radius_xlat: 'c=uk' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in c=uk, with filter (uid=anonymous) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "uni_ldap" returns notfound for request 1 rlm_eap: EAP packet type response id 3 length 94 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 181 modcall[authorize]: module "files" returns ok for request 1 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0053], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0678], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 236 to 10.150.200.1 port 1645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0104040a15c0000006d5160301004a02000046030147cc0b4c08c3e02e725aba579fbea1d707f44d1e29bd3eabe9d02d2e8bd0380820b10abb24401c99fb32ca2842619c9225c1aab278c7cf8e2f3d043f870d6e495700350016030106780b0006740006710002d4308202d030820239a003020102020102300d06092a864886f70d010105050030818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573311f301d0609 EAP-Message = 0x2a864886f70d0109011610646f63746f72406d63632e61632e756b301e170d3037313030393132333033375a170d3039313030383132333033375a3081b3310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573312330210603550403131a617574686b2e6974732e6d616e636865737465722e61632e756b311f301d06092a864886f70d0109011610646f63746f72406d63632e61632e756b30819f300d06092a864886f7 EAP-Message = 0x0d010101050003818d0030818902818100d5258fbe611cf7570cb24a9cd31d8004cba7df05cdf398fdb534ecb6daf6ffa6c625109c28a5abdf7683d550ae63c947469a4f534667c1e7e9900ce2571bbc9863c89c02f09094040a7316068d2654e13941efdd6b416b990a6000d3ff2df46f10032ebc9f425768e81426df5c42adc1b7400f48155398b10257000f803e11630203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181005337fab657d2a50deb2ff3e9bb30eea51460f2f2f0e503becf43dd9999157573cf79058e6a64db78d133a3127388b8b832ed391df2d76d0946969c EAP-Message = 0x15a95ec6b646d277600da84a495c2ed1ab6868dc929fdb6ddabe82ee2cb9f8271061a7751be8eaa9af337e47f8113005622ca49b046f0caa54c406f510cc847d5096c816e000039730820393308202fca0030201020209009f72c65766f4a47d300d06092a864886f70d010105050030818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573311f301d06092a864886f70d0109011610646f63746f72406d63632e6163 EAP-Message = 0x2e756b301e170d3037313030393132323234395a170d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd4ebc02ff3c0e978da7391662d94acba Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.150.200.1:1645, id=237, length=143 User-Name = "anonymous" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-2A-98-B4-19" Calling-Station-Id = "00-0B-DB-8D-4B-12" EAP-Message = 0x020400061500 Message-Authenticator = 0xb2297c6c1d2f44a2c0383f0eb0a979a2 NAS-Port-Type = Ethernet NAS-Port = 50025 State = 0xd4ebc02ff3c0e978da7391662d94acba NAS-IP-Address = 10.150.200.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: '(uid=anonymous)' radius_xlat: 'c=uk' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in c=uk, with filter (uid=anonymous) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "uni_ldap" returns notfound for request 2 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 181 modcall[authorize]: module "files" returns ok for request 2 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 237 to 10.150.200.1 port 1645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010502df1580000006d53039313030383132323234395a30818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573311f301d06092a864886f70d0109011610646f63746f72406d63632e61632e756b30819f300d06092a864886f70d010101050003818d0030818902818100e2ea754f630847ce8e3632f5a82c3a2cafa32e1c50cdf502765994d69cbf94bc0a7272630c8628bc742e161efa24ec817c5d23fa038ffc01 EAP-Message = 0x5e1e462e0c80d87d71d6b8d0ea7d29d5548dc865a3db029f41e81dc11d65f88e8abba59f69398ce9c917d0ee220c75482846b769dd79b49733ab86e584cd86a2531c1c4f1dd729dd0203010001a381f63081f3301d0603551d0e04160414a8c429b59d09f0217be4ab2b402dfcc3d9e181e63081c30603551d230481bb3081b88014a8c429b59d09f0217be4ab2b402dfcc3d9e181e6a18194a4819130818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355 EAP-Message = 0x040b130b4954205365727669636573311f301d06092a864886f70d0109011610646f63746f72406d63632e61632e756b8209009f72c65766f4a47d300c0603551d13040530030101ff300d06092a864886f70d010105050003818100008623e013bbe32deff3a86b4feed8192477afd740213d6b5f8d3dda0248c3a7a434763ad837b62160e3582f36f6f15ca649c96a8fed4fc4fed8c44e6afab88b37e0797007b54653d90807c41e8c24937212fcfe8a4ca5ad1af34bd70f2fad8e88d2e36d55f173435eb8f65fe0d506c5bfb764e0a4f32f964bac9a3c0994a15716030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdcf5b1027af5a8d41d900d1b97ee15ba Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.150.200.1:1645, id=238, length=341 User-Name = "anonymous" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-2A-98-B4-19" Calling-Station-Id = "00-0B-DB-8D-4B-12" EAP-Message = 0x020500cc15001603010086100000820080cda7f11fecdd0b16c60e8b1a016b57df2dcdd50a8dd08a9527318d7040b968f1178e57bf9aba455f6c9cee87555eab4f440cd348812da9ba957bc86a662197a0e8fd0657825d02fc70bcec4c9c939cef43d2e0de32d4395c84e04cb464e184c4eae1bec6fd93ed5b9a9b91e73c391d36a9759b9255aaf0ff8e46e7dfb7b9267014030100010116030100309359828a9fdbc456a4bad192e204bcaaecd4cf283a8f9523e0f2dff4efe7cda10445b5e9a113ec25b7f8f5a60e639e4d Message-Authenticator = 0xbd3d53b67e7c3a09dcb25edf8bda1626 NAS-Port-Type = Ethernet NAS-Port = 50025 State = 0xdcf5b1027af5a8d41d900d1b97ee15ba NAS-IP-Address = 10.150.200.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: '(uid=anonymous)' radius_xlat: 'c=uk' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in c=uk, with filter (uid=anonymous) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "uni_ldap" returns notfound for request 3 rlm_eap: EAP packet type response id 5 length 204 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 181 modcall[authorize]: module "files" returns ok for request 3 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 238 to 10.150.200.1 port 1645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0106004515800000003b1403010001011603010030fa6e3ed9aba9a9143704b2966519c8790e3daa798cb5635a178667b5f202608c34253a7619429fc1359257458d08ffaa Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2cdab0db7a1a4dbef203ff7f2aa6e371 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.150.200.1:1645, id=239, length=249 User-Name = "anonymous" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-2A-98-B4-19" Calling-Station-Id = "00-0B-DB-8D-4B-12" EAP-Message = 0x0206007015001703010020e79b2ceee38e5efd7c85a8dc5a8dd328e8bd99e4673e79dc93e24c57d15a63a91703010040d3ec1e7faa959b6845f772a41d909bfb5230f4060b2437e4605a8187cf3d9f5b63588e76802caad0d34d338162adfacf583dfffc999f39cdff2bcf335a75eeae Message-Authenticator = 0xc86b007da48b72277e6325f27cfd4453 NAS-Port-Type = Ethernet NAS-Port = 50025 State = 0x2cdab0db7a1a4dbef203ff7f2aa6e371 NAS-IP-Address = 10.150.200.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: '(uid=anonymous)' radius_xlat: 'c=uk' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in c=uk, with filter (uid=anonymous) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "uni_ldap" returns notfound for request 4 rlm_eap: EAP packet type response id 6 length 112 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 181 modcall[authorize]: module "files" returns ok for request 4 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. TTLS: Got tunneled request User-Name = "raduser1" User-Password = "raduser10" FreeRADIUS-Proxied-To = 127.0.0.1 TTLS: Sending tunneled request User-Name = "raduser1" User-Password = "raduser10" FreeRADIUS-Proxied-To = 127.0.0.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "raduser1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for raduser1 radius_xlat: '(uid=raduser1)' radius_xlat: 'c=uk' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in c=uk, with filter (uid=raduser1) rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user raduser1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "uni_ldap" returns ok for request 4 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 4 modcall[authorize]: module "files" returns notfound for request 4 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 4 modcall: leaving group authorize (returns ok) for request 4 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Found Post-Auth-Type Processing the post-auth section of radiusd.conf modcall: entering group REJECT for request 4 modcall[post-auth]: module "uni_ldap" returns noop for request 4 modcall: leaving group REJECT (returns noop) for request 4 TTLS: Got tunneled reply RADIUS code 3 TTLS: Got tunneled Access-Reject rlm_eap: Handler failed in EAP/ttls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 4 modcall: leaving group authenticate (returns invalid) for request 4 auth: Failed to validate the user. Found Post-Auth-Type Processing the post-auth section of radiusd.conf modcall: entering group REJECT for request 4 modcall[post-auth]: module "uni_ldap" returns noop for request 4 modcall: leaving group REJECT (returns noop) for request 4 Delaying request 4 for 1 seconds Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.150.200.1:1645, id=239, length=249 Sending Access-Reject of id 239 to 10.150.200.1 port 1645 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 235 with timestamp 47cc0b4c Cleaning up request 1 ID 236 with timestamp 47cc0b4c Cleaning up request 2 ID 237 with timestamp 47cc0b4c Cleaning up request 3 ID 238 with timestamp 47cc0b4c Cleaning up request 4 ID 239 with timestamp 47cc0b4c Nothing to do. Sleeping until we see a request. prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/freeradius.pid user = freerad group = freerad max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf $INCLUDE /etc/freeradius/imported_clients.cfg snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { auto_header = yes } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 shadow = /etc/shadow radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype=MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes authtype=MS-CHAP } ldap uni_ldap { server = "UK-AC-MAN-MTEST" identity = "cn=radiusadmin,ou=dir,o=ac,c=uk" password = xxxxxxxx port = 636 basedn = "c=uk" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no tls_cacertfile = /tmp/oak-test-publickeycert.pem tls_require_cert = "demand" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = nspmdistributionpassword edir_account_policy_check=yes timeout = 4 timelimit = 3 net_timeout = 1 set_auth_type = yes } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session reply-name = Session-Timeout sqlmod-inst = sql key = User-Name reset = daily query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session reply-name = Session-Timeout sqlmod-inst = sql key = User-Name reset = monthly query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess chap mschap suffix uni_ldap ## added out of sequence eap files pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp } session { radutmp } post-auth { uni_ldap Post-Auth-Type REJECT { uni_ldap } } pre-proxy { } post-proxy { eap } eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/cert-srv.pem certificate_file = ${raddbdir}/cert-srv.pem CA_file = ${raddbdir}/root.pem dh_file = /dev/null random_file = /dev/urandom fragment_size = 1024 include_length = yes } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no } peap { default_eap_type = mschapv2 proxy_tunneled_request_as_eap = no } mschapv2 { } } Thanks, Mike -- Mike Richardson Networks IT Services, University of Manchester *Plain text only please - attachments stripped on arrival*