hello i got my user "bernard" on my openldap database. see my ldapserch: radtest:# ldapsearch -x -b "dc=example,dc=com" uid=bernard # extended LDIF # # LDAPv3 # base <dc=example,dc=com> with scope subtree # filter: uid=bernard # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 #################################" but when i tried to authenticate bernard through freeradius i'ts fail. see the debug output. thank u so much guys. radtest:# freeradius -X FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Mar 10 2010 at 13:50:12 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.20.253 { require_message_authenticator = no secret = "testinglinagora" shortname = "labtest8021x" nastype = "cisco" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.pem" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "10.75.128.251" port = 389 password = "test" identity = "cn=manager,ou=admins,ou=radius,dc=example,dc=com" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=users,ou=radius,dc=example,dc=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "userPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "radiusGroupName" groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})" groupmembership_attribute = "radiusGroupName" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x8171ff8 Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.20.253 port 1645, id=106, length=153 User-Name = "bernard" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1A-A1-64-BB-1A" Calling-Station-Id = "00-18-8B-B5-26-B7" EAP-Message = 0x0202000c016265726e617264 Message-Authenticator = 0xcc5fc5a87a81a474f4171b85e6789f3d Cisco-NAS-Port = "FastEthernet0/24" NAS-Port = 50024 NAS-Port-Type = Ethernet NAS-IP-Address = 192.168.20.253 +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "bernard", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] Entering ldap_groupcmp() [files] expand: ou=users,ou=radius,dc=example,dc=com -> ou=users,ou=radius,dc=example,dc=com [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] ... expanding second conditional [files] expand: %{User-Name} -> bernard [files] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=bernard) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 10.75.128.251:389, authentication 0 [ldap] bind as cn=manager,ou=admins,ou=radius,dc=example,dc=com/test to 10.75.128.251:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=users,ou=radius,dc=example,dc=com, with filter (uid=bernard) [ldap] object not found rlm_ldap::ldap_groupcmp: search failed [ldap] ldap_release_conn: Release Id: 0 ++[files] returns noop [ldap] performing user authorization for bernard [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> bernard [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=bernard) [ldap] expand: ou=users,ou=radius,dc=example,dc=com -> ou=users,ou=radius,dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=users,ou=radius,dc=example,dc=com, with filter (uid=bernard) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 106 to 192.168.20.253 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2b3e4ab22b3d5f3fba6933e793eadc35 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.20.253 port 1645, id=107, length=165 User-Name = "bernard" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1A-A1-64-BB-1A" Calling-Station-Id = "00-18-8B-B5-26-B7" EAP-Message = 0x020300060319 Message-Authenticator = 0xc84586b06705544163ffe219bcfddbce Cisco-NAS-Port = "FastEthernet0/24" NAS-Port = 50024 NAS-Port-Type = Ethernet State = 0x2b3e4ab22b3d5f3fba6933e793eadc35 NAS-IP-Address = 192.168.20.253 +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "bernard", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] Entering ldap_groupcmp() [files] expand: ou=users,ou=radius,dc=example,dc=com -> ou=users,ou=radius,dc=example,dc=com [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] ... expanding second conditional [files] expand: %{User-Name} -> bernard [files] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=bernard) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 *[ldap] performing search in ou=users,ou=radius,dc=example,dc=com, with filter (uid=bernard) [ldap] object not found rlm_ldap::ldap_groupcmp: search failed* [ldap] ldap_release_conn: Release Id: 0 ++[files] returns noop [ldap] performing user authorization for bernard [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> bernard [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=bernard) [ldap] expand: ou=users,ou=radius,dc=example,dc=com -> ou=users,ou=radius,dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=users,ou=radius,dc=example,dc=com, with filter (uid=bernard) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] NAK asked for unsupported type PEAP [eap] No common EAP types found. [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 107 to 192.168.20.253 port 1645 EAP-Message = 0x04030004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 106 with timestamp +19 Waking up in 1.0 seconds. Cleaning up request 1 ID 107 with timestamp +19 Ready to process requests. *thanks for helping me*
On 03/11/2010 12:02 PM, omega bk wrote:
hello
i got my user "bernard" on my openldap database. see my ldapserch: radtest:# ldapsearch -x -b "dc=example,dc=com" uid=bernard ... [ldap] performing search in ou=users,ou=radius,dc=example,dc=com, with filter (uid=bernard) [ldap] object not found
They're not the same dn (and not a sub tree either). That's pretty obvious isn't it? Please try and figure the simple stuff out on your own before you ask others to help you, fair enough? Since the rlm_ldap is searching in ou=users,ou=radius,dc=example,dc=com and that's not where your users are located then one should ask the question why is it looking there? A quick look at the very debug output you posted shows the basedn is set to this. So fix the basedn so it matches where your users are actually located. You should be able to figure this out on your own. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
You really need to *READ* the messages you're posting. omega bk wrote:
i got my user "bernard" on my openldap database. see my ldapserch: radtest:# ldapsearch -x -b "dc=example,dc=com" uid=bernard ... # numResponses: 1 ... [ldap] performing search in ou=users,ou=radius,dc=example,dc=com, with filter (uid=bernard)
What could possibly be the problem?
[eap] NAK asked for unsupported type PEAP [eap] No common EAP types found.
You might want to fix that, too. Alan DeKok.
thank u both, i folowed your advices. i changed the basedn to *basedn = "dc=example,dc=com"* i can* successfully* perform a * ldapsearch -x -b "dc=example,dc=com" uid=bernard* but i got the same result in debug output file it could be a trivial question but i'im really stuck, don't know why ######################################## radtest:~# freeradius -X FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Mar 10 2010 at 13:50:12 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.20.253 { require_message_authenticator = no secret = "testinglinagora" shortname = "labtest8021x" nastype = "cisco" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.pem" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "10.75.128.251" port = 389 password = "test" identity = "cn=manager,ou=admins,ou=radius,dc=example,dc=com" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } *basedn = "dc=example,dc=com"* filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "userPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "radiusGroupName" groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))" groupmembership_attribute = "radiusGroupName" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x8171e18 Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.20.253 port 1645, id=117, length=153 *User-Name = "bernard"* Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1A-A1-64-BB-1A" Calling-Station-Id = "00-18-8B-B5-26-B7" EAP-Message = 0x0203000c016265726e617264 Message-Authenticator = 0x7b7d5330ed9607e3e768d67d1e11c850 Cisco-NAS-Port = "FastEthernet0/24" NAS-Port = 50024 NAS-Port-Type = Ethernet NAS-IP-Address = 192.168.20.253 +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "bernard", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ldap] Entering ldap_groupcmp() [files] * expand: dc=example,dc=com -> dc=example,dc=com* [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] ... expanding second conditional [files] expand: %{User-Name} -> bernard [files] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=bernard) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 10.75.128.251:389, authentication 0 [ldap] bind as cn=manager,ou=admins,ou=radius,dc=example,dc=com/test to 10.75.128.251:389 [ldap] waiting for bind result ... [ldap] Bind was successful *[ldap] performing search in dc=example,dc=com, with filter (uid=bernard) [ldap] object not found rlm_ldap::ldap_groupcmp: search failed* [ldap] ldap_release_conn: Release Id: 0 ++[files] returns noop [ldap] performing user authorization for bernard [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> bernard [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=bernard) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 * [ldap] performing search in dc=example,dc=com, with filter (uid=bernard) [ldap] object not found [ldap] search failed* [ldap] ldap_release_conn: Release Id: 0 *++[ldap] returns notfound No authenticate method (Auth-Type) configuration found for the request: Rejecting the user* *Failed to authenticate the user.* Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 117 to 192.168.20.253 port 1645 Waking up in 4.9 seconds. Cleaning up request 0 ID 117 with timestamp +21 Ready to process requests. thank u so much
On Fri, Mar 12, 2010 at 10:26 PM, omega bk <omegabk@gmail.com> wrote:
thank u both, i folowed your advices. i changed the basedn to *basedn = "dc=example,dc=com"*
i can* successfully* perform a * ldapsearch -x -b "dc=example,dc=com" uid=bernard*
I beg to differ, you can successfully connect to your ldap server and perform a search. But you got this back: # search result search: 2 result: 0 Success # numResponses: 1 Means that ldap search didn't find anything. I suspect your BaseDN is wrong, plus you probably need a proxy user to login with as well. As you may not have enough rights to search. You should solve those issues first, before you start digging into your FR config.
yep you're right. i fixed it thanks u so much 2010/3/12 Peter Lambrechtsen <plambrechtsen@gmail.com>
On Fri, Mar 12, 2010 at 10:26 PM, omega bk <omegabk@gmail.com> wrote:
thank u both, i folowed your advices. i changed the basedn to *basedn = "dc=example,dc=com"*
i can* successfully* perform a * ldapsearch -x -b "dc=example,dc=com" uid=bernard*
I beg to differ, you can successfully connect to your ldap server and perform a search.
But you got this back:
# search result search: 2 result: 0 Success
# numResponses: 1
Means that ldap search didn't find anything.
I suspect your BaseDN is wrong, plus you probably need a proxy user to login with as well. As you may not have enough rights to search.
You should solve those issues first, before you start digging into your FR config.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, i just want to understand. why [ldap] Added User-Password = test in check items , and how to replace it by Cleartext-Password. Is ldap returns password non crypted? is ldap use 'Auth-Type = Local' ? cause in my users files i just use this. DEFAULT Huntgroup-Name == labtest8021x, Ldap-Group == labtest8021x, User-Profile := "cn=labtest8021x,ou=profiles,ou=radius,dc=example,dc=com" Tunnel-Type = VLAN, Tunnel-Medium-type = IEEE-802, Tunnel-Private-Group-ID = 100, Fall-Through = no i don't really understand how ldap deals back information. Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.20.253 port 1645, id=129, length=153 User-Name = "bernard" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1A-A1-64-BB-1A" Calling-Station-Id = "00-18-8B-B5-26-B7" EAP-Message = 0x0202000c016265726e617264 Message-Authenticator = 0xd1135be7c82704b37a76a55d1cfb5091 Cisco-NAS-Port = "FastEthernet0/24" NAS-Port = 50024 NAS-Port-Type = Ethernet NAS-IP-Address = 192.168.20.253 +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "bernard", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ldap] Entering ldap_groupcmp() [files] expand: dc=example,dc=com -> dc=example,dc=com [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] ... expanding second conditional [files] expand: %{User-Name} -> bernard [files] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=bernard) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 10.75.128.251:389, authentication 0 [ldap] bind as cn=manager,ou=admins,ou=radius,dc=example,dc=com/test to 10.75.128.251:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=example,dc=com, with filter (cn=bernard) [ldap] ldap_release_conn: Release Id: 0 [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] ... expanding second conditional [files] expand: %{User-Name} -> bernard [files] expand: (&(cn=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile)) -> (&(cn=bernard)(objectclass=radiusprofile)) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (&(radiusGroupName=labtest8021x)(&(cn=bernard)(objectclass=radiusprofile))) rlm_ldap::ldap_groupcmp: User found in group labtest8021x [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 72 ++[files] returns ok [ldap] performing user authorization for bernard [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> bernard [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=bernard) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com, with filter (cn=bernard) [ldap] performing search in cn=labtest8021x,ou=profiles,ou=radius,dc=example,dc=com, with filter (objectclass=radiusprofile) [ldap] radiusFramedRouting -> Framed-Routing = None [ldap] radiusFramedIPNetmask -> Framed-IP-Netmask = 255.255.254.0 [ldap] radiusFramedProtocol -> Framed-Protocol = PPP [ldap] radiusServiceType -> Service-Type = Framed-User [ldap] Added User-Password = test in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user bernard authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! *=> how it's not in my users files* !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: Please update your configuration, and remove 'Auth-Type = Local' * => how that came to local?* WARNING: Use the PAP or CHAP modules instead. *=> same question* No User-Password or CHAP-Password attribute in the request. Cannot perform authentication. Failed to authenticate the user. Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 129 to 192.168.20.253 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "100" Framed-Routing = None Framed-IP-Netmask = 255.255.254.0 Framed-Protocol = PPP Service-Type = Framed-User Waking up in 4.9 seconds. Cleaning up request 0 ID 129 with timestamp +17 Ready to process requests. thank u so much
hello, i'm trying to work around but i'm stuck. just want to understand this: the ldap add *"User-Password* = test" in check items where to change this attribute to* Cleartext-Password* to perform pap ? i tried the password_radius_attribute but nothing thank you for your help.
On 03/12/2010 09:41 AM, omega bk wrote:
hello,
i'm trying to work around but i'm stuck.
just want to understand this:
the ldap add *"User-Password* = test" in check items where to change this attribute to* Cleartext-Password* to perform pap ?
You really only need to ask your questions once. Asking multiple times within a few hours is rude. People will answer you when they have the time and if they have the answer. We are not your personal help desk. Everybody responding on this list does so voluntarily without pay. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On 03/12/2010 06:44 AM, omega bk wrote:
i just want to understand.
why [ldap] Added User-Password = test in check items , and how to replace it by Cleartext-Password. Is ldap returns password non crypted? is ldap use 'Auth-Type = Local' ?
In the raddb directory is a file called ldap.attrmap. When you find a user in ldap it will retrieve all the check items listed there that it can find associated with the user. The file maps the ldap attribute name to a radius attribute name and adds it as a check item to the request. You most likely have a line in the ldap.attrmap file which maps an ldap attribute to User-Password. The User-Password radius attribute is deprecated, just like it clearly says in the debug output. The radius User-Password attribute has been replaced by Cleartext-Password. Change you ldap mapping so the Cleartext-Password is returned instead of User-Password. It is possible to prepend the cleartext password with a {hash-type} prefix if the password is actually hashed (e.g. {crypt}). This is documented in raddb/modules/pap. Which type of password is compatible with which authentication method is documented here: http://deployingradius.com/documents/protocols/compatibility.html The use of check items, the role of authorization & authentication is documented in doc/aaa.txt. LDAP processing is documented in doc/ldap_howto.txt. Please try and read the documentation before you ask questions. The reason we know the answers is because we read the documentation ;-)
i don't really understand how ldap deals back information.
-- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
participants (4)
-
Alan DeKok -
John Dennis -
omega bk -
Peter Lambrechtsen