add that in (actually tried that before as well), still does not work, but the logging looks a little different now: ***** [ldap] performing user authorization for marguin2 [ldap] expand: (uid=%u) -> (uid=marguin2) [ldap] expand: ou=people,dc=currensee,dc=com -> ou=people,dc=currensee,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=currensee,dc=com, with filter (uid=marguin2) [ldap] checking if remote access for marguin2 is allowed by radiusFilterId [ldap] looking for check items in directory... rlm_ldap: userPassword -> Password-With-Header == "{CRYPT}tGS8HbszeyDmM" [ldap] looking for reply items in directory... rlm_ldap: radiusFilterId -> Filter-Id = "wireless" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user marguin2 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ***** so now the password is not clear text in the log as it was before but still seeing that no good password error....but then there is that line towards the bottom that sasys user authorized to use remote access... do i need to configure Filter-Id or something in the sites-enabled/default or innertunnel or something like that? -m On 10/31/2011 12:19 PM, freeradius-users-request@lists.freeradius.org wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: cisco WAP/FreeRadius/OpenLDAP (Phil Mayers) 2. RE: IPv6 ready? (Sergio NNX) 3. Re: IPv6 ready? (Phil Mayers) 4. RE: IPv6 ready? (Sergio NNX) 5. Re: IPv6 ready? (Phil Mayers) 6. Re: IPv6 ready? (Johan Meiring) 7. RE: IPv6 ready? (Sergio NNX)
----------------------------------------------------------------------
Message: 1 Date: Mon, 31 Oct 2011 14:53:02 +0000 From: Phil Mayers<p.mayers@imperial.ac.uk> Subject: Re: cisco WAP/FreeRadius/OpenLDAP To: freeradius-users@lists.freeradius.org Message-ID:<4EAEB64E.5080300@imperial.ac.uk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 31/10/11 14:03, Matthew Arguin wrote:
Phil, I just confirmed that it is tagged with the {CRYPT} or {SHA} (i have tried both). also, i changed the user that is binding to be the manager CN which has full access to the ldap for mod etc to rule that out. Ah. I've just seen that you are running 2.1.7 from your original email.
The default LDAP attribute mappings were updated after that version to include this line in "ldap.attrmap":
checkitem Password-With-Header userPassword
...you should:
a. Add that line to your "ldap.attrmap", see if it makes any difference b. Plan an upgrade to 2.1.12
------------------------------
Message: 2 Date: Mon, 31 Oct 2011 15:32:07 +0000 From: Sergio NNX<sfhacker@hotmail.com> Subject: RE: IPv6 ready? To:<freeradius-users@lists.freeradius.org> Message-ID:<BAY147-W5460081D972A7B951D126CCD60@phx.gbl> Content-Type: text/plain; charset="iso-8859-1"
Thank you all for your help. I added two more listen blocks in radiusd.conf and I updated detail { ... with the following: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} and it works but ..... (there's always a but). if we use an IPv6 address, then Packet-Src-APv6-Address value will be, for instance, 0:0:0:0:0:0:0:0, and the path becomes :
${radacctdir}/0:0:0:0:0:0:0:0/detail-%Y%m%d.log
but FR crashes since it cannot create a folder with that name. Is there any way of overcoming this issue? replace : with . or so???
Thanks again for your help.
Sergio.
Date: Mon, 31 Oct 2011 08:52:46 +0000 From: A.L.M.Buxey@lboro.ac.uk To: freeradius-users@lists.freeradius.org Subject: Re: IPv6 ready?
Hi,
Just wondering if FR supports IPv6 addresses since I'm unable to start the server when using IPv6.
yes. we use it fine with IPv6 - both receiving and sending RADIUS packets.
Another question is: are you aware of any (client) tool for testing FR when using IPv6 addresses? eapol_test doesn't seem to know anything about :: or ::1
eapol_test - use hostnames (eg in /etc/hosts ?) ?
Do the below lines from radiusd.conf require any change when IPv6?
... ... detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d.log
yes, Client-IP-Address doesnt exist in IPv6 world - you can use one of the source address attributes instead
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
so now the password is not clear text in the log as it was before but still seeing that no good password error....but then there is that line towards the bottom that sasys user authorized to use remote access... do i need to configure Filter-Id or something in the sites-enabled/default or innertunnel or something like that?
getting confused with authorization and authentication? check your requirements in LDAP - do they match (eg CN/DN?) have you got PAP listed after the ldap and is the auto_header enabled in the pap module? alan
participants (2)
-
Alan Buxey -
Matthew Arguin