Can't authenticate using LDAP (ldap+mysql+eap_ttls)
Hello, I have configured freeradius (testing server) to try to authenticate using LDAP and if a user is not found in LDAP database, then try SQL. If I try authenticate using user found in SQL database - I get authorizated, authenticated and connected. But if I try authenticate as a user found in LDAP database - authentication fails in inner tunnel: server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test.user", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 6 length 79 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for test.user [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> test.user [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test.user) [ldap] expand: ou=Users, dc=xxxxxx, dc=lt -> ou=Users, dc=xxxxxx, dc=lt [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Users, dc=xxxxxx, dc=lt, with filter (uid=test.user) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user test.user authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for test.user with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel *It says "Found Auth-Type = EAP" although in sites-enabled/inner-tunnel I have uncommented: Auth-Type LDAP { ldap } By the way, if I try to autnenticate using same user via radtest server, of course, don't go into the inner-tunnel and so I get authenticated. I'm adding full radius log. Thanks.
Hi,
*It says "Found Auth-Type = EAP" although in sites-enabled/inner-tunnel I have uncommented:
Auth-Type LDAP { ldap }
but if inner-tunnel is invoked that means its an EAP session being used....
By the way, if I try to autnenticate using same user via radtest server, of course, don't go into the inner-tunnel and so I get authenticated.
if you read the config files you will see that you can directly poke the inner-tunnel on the localhost by using the right port - assuming you are using a recent version of freeradius. you should also be using the eap testing tools rather than radtest if you want to directly simulate the types of packets being sent to your server (otherwise you are comparing apples and oranges...or HTTP to SSH!) alan
Hi,
*It says "Found Auth-Type = EAP" although in sites-enabled/inner-tunnel I have uncommented:
Auth-Type LDAP { ldap }
but if inner-tunnel is invoked that means its an EAP session being used....
Of course! How did I miss that! So I should use EAP-TTLS/PAP? But how do I do that?
By the way, if I try to autnenticate using same user via radtest server, of course, don't go into the inner-tunnel and so I get authenticated.
if you read the config files you will see that you can directly poke the inner-tunnel on the localhost by using the right port - assuming you are using a recent version of freeradius. you should also be using the eap testing tools rather than radtest if you want to directly simulate the types of packets being sent to your server (otherwise you are comparing apples and oranges...or HTTP to SSH!)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Pagarbiai, Edgaras Lukoševičius Kauno kolegijos kompiuterių centro administratorius Pramones 20, Kaunas. edgaras@kauko.lt
participants (2)
-
Alan Buxey -
Edgaras