Hello,
I can
authenticate ldap users using the NTRadPing tool without a problem. But I
can’t do it through an Access Point. Can you help me?
I have the
AP(D-Link 2100 AP+) configure to WPA-EAP, Cipher
Type=Auto.
I list the
radius config and debug.
…
radiusd: ####
Loading Clients ####
client
localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client
172.22.0.21 {
ipaddr = 172.22.0.21
require_message_authenticator = no
secret = "si"
shortname = "xxxxx"
nastype = "other"
}
client
AP1-E1 {
ipaddr = 192.168.70.70
require_message_authenticator = no
secret = "si"
shortname = "AP1-E1"
nastype = "other"
}
…
radiusd: ####
Loading Virtual Servers ####
server
inner-tunnel {
modules {
Module:
Checking authenticate {...} for more modules to load
Module:
Linked to module rlm_pap
Module:
Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module:
Linked to module rlm_chap
Module:
Instantiating chap
Module:
Linked to module rlm_mschap
Module:
Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
…
Module:
Linked to module rlm_eap
Module:
Instantiating eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module:
Linked to sub-module rlm_eap_md5
Module:
Instantiating eap-md5
Module:
Linked to sub-module rlm_eap_leap
Module:
Instantiating eap-leap
Module:
Linked to sub-module rlm_eap_gtc
Module:
Instantiating eap-gtc
gtc
{
challenge = "Password: "
auth_type = "PAP"
}
Module:
Linked to sub-module rlm_eap_tls
Module:
Instantiating eap-tls
tls
{
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module:
Linked to sub-module rlm_eap_ttls
Module:
Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module:
Linked to sub-module rlm_eap_peap
Module:
Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module:
Linked to sub-module rlm_eap_mschapv2
Module:
Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
…
Module:
Checking preacct {...} for more modules to load
Module:
Linked to module rlm_acct_unique
Module:
Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
Module:
Checking accounting {...} for more modules to load
Module:
Linked to module rlm_detail
Module:
Instantiating detail
detail {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module:
Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module:
Checking session {...} for more modules to load
Module:
Checking post-proxy {...} for more modules to load
Module:
Checking post-auth {...} for more modules to load
} #
modules
} # server
radiusd: ####
Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on
authentication address * port 1812
Listening on
accounting address * port 1813
Listening on
command file /var/run/radiusd/radiusd.sock
Listening on
proxy address * port 1814
Ready to process
requests.
…
rad_recv:
Access-Request packet from host 192.168.70.70 port 1038, id=0, length=201
Message-Authenticator = 0x0bad8dc9bc9d09a88d777055e87bc06f
Service-Type = Framed-User
User-Name = "ldapuser"
Framed-MTU = 1488
Called-Station-Id = "00-22-B0-69-74-74:RadiusServer"
Calling-Station-Id = "00-1C-BF-63-43-7F"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0200000c0139303230313535
NAS-IP-Address = 192.168.70.70
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering
group authorize {...}
++[preprocess]
returns ok
++[chap] returns
noop
++[mschap]
returns noop
[suffix] No '@'
in User-Name = "ldapuser", looking up realm NULL
[suffix] No such
realm "NULL"
++[suffix]
returns noop
[eap] EAP packet
type response id 0 length 12
[eap] No EAP
Start, assuming it's an on-going EAP conversation
++[eap] returns
updated
++[unix] returns
notfound
++[files]
returns noop
[ldap] performing
user authorization for ldapuser
[ldap]
expand: %{Stripped-User-Name} ->
[ldap]
expand: %{User-Name} -> ldapuser
[ldap]
expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ldapuser)
[ldap]
expand: dc=test,dc=test,dc=pt -> dc=test,dc=test,dc=pt
rlm_ldap:
ldap_get_conn: Checking Id: 0
rlm_ldap:
ldap_get_conn: Got Id: 0
rlm_ldap:
attempting LDAP reconnection
rlm_ldap:
(re)connect to xxx.xxx.xxx.xxx:389, authentication 0
rlm_ldap: bind
as uid=borat,dc=test,dc=test,dc=pt/ldappassword to xxx.xxx.xxx.xxx:389
rlm_ldap:
waiting for bind result ...
rlm_ldap: Bind
was successful
rlm_ldap:
performing search in dc=test,dc=test,dc=pt, with filter (uid=ldapuser)
[ldap] looking
for check items in directory...
[ldap] looking
for reply items in directory...
WARNING: No
"known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user
ldapuser authorized to use remote access
rlm_ldap:
ldap_release_conn: Release Id: 0
++[ldap] returns
ok
++[expiration]
returns noop
++[logintime]
returns noop
[pap] WARNING!
No "known good" password found for the user. Authentication may
fail because of this.
++[pap] returns
noop
Found Auth-Type
= EAP
+- entering
group authenticate {...}
[eap] EAP
Identity
[eap] processing
type tls
[tls] Initiate
[tls] Start
returned 1
++[eap] returns
handled
Sending
Access-Challenge of id 0 to 192.168.70.70 port 1038
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1f5a0c851f5b15f67ae48d03f8beffe6
Finished request
0.
Going to the
next request
Waking up in 4.9
seconds.
rad_recv:
Access-Request packet from host 192.168.70.70 port 1038, id=1, length=490
Message-Authenticator = 0xba2e0b898f91a1e37da464dd4a07b311
Service-Type = Framed-User
User-Name = "ldapuser"
Framed-MTU = 1488
State = 0x1f5a0c851f5b15f67ae48d03f8beffe6
Called-Station-Id = "00-22-B0-69-74-74:RadiusServer"
Calling-Station-Id = "00-1C-BF-63-43-7F"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x0201011919800000010f160301010a0100010603014b69b17864a990f749baa2f53df13aca45cbccacb1f5bc685e3635514f1e42cb00003800390038003500880087008400160013000a00330032002f009a00990096004500440041000500040015001200090014001100080006000302010000a4002300a0d01907820de47ddfa68661ec44d31e5dd8dacaafdad2c82305e227265d28f850f8a524da4fe4c3b7c860c7de1c52e36def98c4cfb43292159ec293311df317029fc16077541d9238068a112f6e77a2935fa16efacb85cf609cbfff1577c0d2c9e859cee24b718b747fc925802b1e680e86d03e864c6b551b3108afeab659710248cb35aa
EAP-Message = 0x8575d2b42e895e1ec907d7e69d9e7386b69232cfa63df6d12d7da003
NAS-IP-Address = 192.168.70.70
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering
group authorize {...}
++[preprocess]
returns ok
++[chap] returns
noop
++[mschap]
returns noop
[suffix] No '@'
in User-Name = "ldapuser", looking up realm NULL
[suffix] No such
realm "NULL"
++[suffix]
returns noop
[eap] EAP packet
type response id 1 length 253
[eap] Continuing
tunnel setup.
++[eap] returns
ok
Found Auth-Type
= EAP
+- entering
group authenticate {...}
[eap] Request
found, released from the list
[eap] EAP/peap
[eap] processing
type peap
[peap]
processing EAP-TLS
TLS
Length 271
[peap] Length
Included
[peap]
eaptls_verify returned 11
[peap]
(other): before/accept initialization
[peap]
TLS_accept: before/accept initialization
[peap]
<<< TLS 1.0 Handshake [length 010a], ClientHello
[peap]
TLS_accept: SSLv3 read client hello A
[peap]
>>> TLS 1.0 Handshake [length 0030], ServerHello
[peap]
TLS_accept: SSLv3 write server hello A
[peap]
>>> TLS 1.0 Handshake [length 085e], Certificate
[peap]
TLS_accept: SSLv3 write certificate A
[peap]
>>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap]
TLS_accept: SSLv3 write key exchange A
[peap]
>>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]
TLS_accept: SSLv3 write server done A
[peap]
TLS_accept: SSLv3 flush data
[peap]
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake
Phase
In SSL Accept
mode
[peap]
eaptls_process returned 13
[peap]
EAPTLS_HANDLED
++[eap] returns
handled
Sending
Access-Challenge of id 1 to 192.168.70.70 port 1038
EAP-Message =
0x0102040019c000000ab316030100300200002c03014b69affea71157c286b09b1dcb48c1f8c7c3c073d302d7cc8d002c5b4f42e2be00003901000400230000160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574
EAP-Message =
0x686f72697479301e170d3130303230333134343231395a170d3131303230333134343231395a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b86c5396cfd7e7e922dbb26df4f4b69f25d3714a819fd36762ad32dc140e303d5ba97e0db2e28046c54d3019a5e2759ad37694fbc08b03d2
EAP-Message =
0xed836feeac8a599b268410d77e15160bd5cab44dc763c97898b8bffeba36ae5c14913bf44ced0427f5ee12f2232958d3f2b70a3041c794dd24091ffe85e8f8d4bbb7a787a301a8c1dc902cc95b1dc810e7539a391366deca63ce30c51a889717b865961d1aef3dd308b12431bc8b401d247c8a97e7c968ee6a9652809bcc95cbdab84d1a3fe9968916f7a0115448827b960af7203527b17990519d26ec1cd7a3fa35dee8ddb488a917d27790afc11347f393a272f8a456106a08a3b28f7007e69fafa5a61a693ac30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010094945d
EAP-Message =
0x22948e117c5f66d8b5d23a05004dc7141b85059576c06616919c5357136e434b2b1ff34e6ebcc5960d22fff1cfe0456c531603e238de97f9160d792ef10b748ce0b49c01625e24a712ce5f0a2fb284117bbd355bd598b566d07cfe45d21670d5344de9fde5e581862121fa80c957cb6000fa418d958d3b09bda9e05bfa5b0806ea0decb18a2d566906224f3cd04e4fcdacbbeaa8772cba4b3fb165c64a66e3886d006700cd65d0d943f386be08582a020d1f070a9e625e6824500a2810cda4f3ef919f2495b158a67c76a71196c404b794ee6d3cfc9d6c878259d3e6afc5daa28a0e4d6e8ab1ff8a6cebb2397215952dfd4253ea689454bd4294fd2633
EAP-Message = 0x0004ab308204a73082038fa0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1f5a0c851e5815f67ae48d03f8beffe6
Finished request
1.
Going to the
next request
Waking up in 4.9
seconds.
…
rad_recv:
Access-Request packet from host 192.168.70.70 port 1038, id=9, length=303
Message-Authenticator = 0x40181150ae53bc834616acde8bded5ce
Service-Type = Framed-User
User-Name = "ldapuser"
Framed-MTU = 1488
State = 0x1f5a0c85175315f67ae48d03f8beffe6
Called-Station-Id = "00-22-B0-69-74-74:RadiusServer"
Calling-Station-Id = "00-1C-BF-63-43-7F"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02090060190017030100203740cd6052be3de4a2dae33ed1e4699866af641dee6261f14e9493e21b49db0217030100305406714a1fee8d73edfa87c60a0046641329975a279ecbc1b2ee7dec5e9d60b9bc61efd8b9e8e5304a341f7eee16e533
NAS-IP-Address = 192.168.70.70
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering
group authorize {...}
++[preprocess]
returns ok
++[chap] returns
noop
++[mschap]
returns noop
[suffix] No '@'
in User-Name = "ldapuser", looking up realm NULL
[suffix] No such
realm "NULL"
++[suffix]
returns noop
[eap] EAP packet
type response id 9 length 96
[eap] Continuing
tunnel setup.
++[eap] returns
ok
Found Auth-Type
= EAP
+- entering
group authenticate {...}
[eap] Request
found, released from the list
[eap] EAP/peap
[eap] processing
type peap
[peap]
processing EAP-TLS
[peap]
eaptls_verify returned 7
[peap] Done
initial handshake
[peap]
eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session
established. Decoding tunneled attributes.
[peap] Received
EAP-TLV response.
[peap] Had
sent TLV failure. User was rejected earlier in this session.
[eap] Handler
failed in EAP/peap
[eap] Failed in
EAP select
++[eap] returns
invalid
Failed to
authenticate the user.
Using
Post-Auth-Type Reject
+- entering
group REJECT {...}
[attr_filter.access_reject]
expand: %{User-Name} -> ldapuser
attr_filter:
Matched entry DEFAULT at line 11
++[attr_filter.access_reject]
returns updated
Delaying reject
of request 9 for 1 seconds
Going to the
next request
Waking up in 0.9
seconds.
Sending delayed
reject for request 9
Sending
Access-Reject of id 9 to 192.168.70.70 port 1038
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4
seconds.
I did cut some debug info, in order to not exceed the max message limit of 100K.
I think the problem is here:
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required
for EAP-MD5 authentication
but in eap.conf is:
eap{
default_eap_type = peap
…
Peap{
default_eap_type
= mschapv2
}
}
Sorry I’m not familiar enough with
wifi to understand what wrong.