Freeradius 2.0.4 + OpenLDAP Problem (Cleartext-Password)
Hello everybody!! I have FreeRADIUS 1.1.7 + openldap using EAP-PEAP authentication, perfectly working. Now, I want to use the same openldap database, but with FreeRADIUS 2.0.4, but I can't get success authentication. is it necesary additional parameters of configuration for Freeradius 2.0.4? How or Where can I configure User-Password instead Cleartext-Password? OpenLDAP database needs changes for FreeRADIUS 2.0.4? ----------------------- Similar error I got, when I configured EAP-PEAP without OpenLDAP database(Using users file), like in FreeRADIUS 1.1.7: "temporal1" User-Password == "temporal1" But, when I changed User-Password with Cleartext-Password: "temporal1" Cleartext-Password := "temporal1" I got success authentication. ----------------------- But,I need to continue using my OpenLDAP database, somebody can help me how to achieve that? Thanks in advance! German --------------------------------- Yahoo! Deportes Beta ¡No te pierdas lo último sobre el torneo clausura 2008! Entérate aquí http://deportes.yahoo.com User-Name = "temporal1" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00-20-a6-53-a6-a0:WLAN" Calling-Station-Id = "00-0e-9b-d3-72-7c" NAS-Identifier = "Avaya-AP-8-53-a6-a0" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202000e0174656d706f72616c31 Message-Authenticator = 0x55f6f02dad97274f983156eb619450fb +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "temporal1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound rlm_ldap: Entering ldap_groupcmp() expand: ou=users,ou=radius,dc=wireless,dc=mired,dc=mx -> ou=users,ou=radius,dc=wireless,dc=mired,dc=mx WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=temporal1) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 192.168.1.2:389, authentication 0 rlm_ldap: bind as uid=riu,ou=admin mail,dc=server,dc=mired,dc=mx/mypass to 192.168.1.2:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=users,ou=radius,dc=wireless,dc=mired,dc=mx, with filter (uid=temporal1) rlm_ldap: ldap_release_conn: Release Id: 0 expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=wireless,dc=mired,dc=mx, with filter (&(cn=academicos)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=RETY750916,ou=users,ou=radius,dc=wireless,dc=mired,dc=mx, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: User found in group academicos rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 139 ++[files] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for temporal1 WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=temporal1) expand: ou=users,ou=radius,dc=wireless,dc=mired,dc=mx -> ou=users,ou=radius,dc=wireless,dc=mired,dc=mx rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=wireless,dc=mired,dc=mx, with filter (uid=temporal1) rlm_ldap: Added User-Password = TEMPORAL1 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user temporal1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3dd6d0a73dd5c9876db8a2af8cd70725 Finished request 0. Going to the next request Waking up in 4.9 seconds. User-Name = "temporal1" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00-20-a6-53-a6-a0:WLAN" Calling-Station-Id = "00-0e-9b-d3-72-7c" NAS-Identifier = "Avaya-AP-8-53-a6-a0" State = 0x3dd6d0a73dd5c9876db8a2af8cd70725 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0203005019800000004616030100410100003d0301483350f485457ef321d7205f1d3f11970f19adf7ebc2d32dd5fe9d61348b073d00001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xcdc119224a6d29ca585372b3f0012c87 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "temporal1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 70 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x0104040019c0000008bb160301004a020000460301483351a9de21a09971d6806ac111570bb67068775f5b7cb355d205df07a04a7120c185d9c8284e73c089835ce33f5016d405fa2977103be2fdc67e7f217d14a83d000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303531393232333931365a170d3039303531393232333931365a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100aefc44eb6a1faf3ffc80b7173e182478cf969ea5a6b85736363a5949f060 EAP-Message = 0xf2d0025f992bebe4372a32e13f3f4dfa44b06bc8557b551c09bd106ab680565a1a89492101573ec0debedb699bf16cee097dd36bd5144121f05bf76f68afba7b03efb9330b5774073da4974d385fc2996956b2a94b9515543523e27e8b5b7d93a01b6288b9b3b1ba65eae13ec1763e8cabb8f5f1ad1643d2c6268dc0cf5afa726dc133a10c34957b5bca0308e88f315966169eae2d2649cf679d017fa786bec3225d47614e15f4ea1e5cfda71ea827d61258fa132f73bddb0eafebc096b89ffa772cfe6aefa2285070a0f6aa850467ccb79c732979e5517ed7126da3787a7e7c77a30203010001a317301530130603551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d01010405000382010100118cb9122ef424f0c7a440f733b07990001c1fb80ac009f9457638ac24564dd4c1731c9b2de99a2706e036b7cdb578847b1a48c88b4f4de9c54c034865788fe3d11269e1e56ae5ea0536aa3f9284fe272eba7d3ae7d5bb5a179a8e44b7f2569bac8a871ecaf3e7978f402f246c847db9ea337182451039bbd64c357af615c2ce2581ff660dcf3e3c1ea423c12081f58da942a5ea7c12a487843398f333f3f45f27042570ca7c5ede5e43a701330ee04970972a0c3df08ae158600d9525478885d53ea753fa3b9e91dccf8b548a1574ff24fb8cf053eb2d7eeeed705ee758769a820ea157b5b4 EAP-Message = 0xa0750995694ed4b3130eea99 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3dd6d0a73cd2c9876db8a2af8cd70725 Finished request 1. Going to the next request Waking up in 4.9 seconds. User-Name = "temporal1" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00-20-a6-53-a6-a0:WLAN" Calling-Station-Id = "00-0e-9b-d3-72-7c" NAS-Identifier = "Avaya-AP-8-53-a6-a0" State = 0x3dd6d0a73cd2c9876db8a2af8cd70725 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061900 Message-Authenticator = 0xcc57a33616442858d1ff03ff4d392bf8 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "temporal1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x010503fc1940b3e10927517142d20aca8b6bfe8d0004ab308204a73082038fa003020102020900ad7745c335b8f9af300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303531393232333931355a170d3038303631383232333931355a308193310b30090603 EAP-Message = 0x55040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c22b84747eb6dbffd145ad73ea401cadcd70928d7a20dd7ba4753cacad6eadc6723fd2c7fc1974248b66ebd0b760886b8e7e0faf3e88f3b5ca16a4ec5a44706250a8c2740589e7248402167cb6a440 EAP-Message = 0xe501c3dd2db58bac21122ba16db6f31ab3ed57f33fec53d3a7fe2b015be100e4feaa5c4e6d35fdc6a315e0d3297444f41f43116659f383e381c0d0d6d7425f1597699bc535b11f5c6bc3c72c72a8a72947b8e0fd0b0f67e2d43ce8bd3e70a93dababba8070c39e3178762704f42156813672a35f3b306ec994340c5a6290c6ca04ae2ff563b3670d3f898b8526df0ff73dbf470e6fe622db7e5a59fd709dfdb042fe352d1078b693c11b31ccccd5cb68190203010001a381fb3081f8301d0603551d0e04160414586bacb4f8629ef9bdd097817b29a258f15a050f3081c80603551d230481c03081bd8014586bacb4f8629ef9bdd097817b29a258f15a EAP-Message = 0x050fa18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900ad7745c335b8f9af300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100064c7c582032b2416ec0ca9ba609174071748b3a5a4723e8dbdc18c4514fa2f266f306f2c9f46b3bc37378b633045c4296db EAP-Message = 0x9e5ee30aa059fc32 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3dd6d0a73fd3c9876db8a2af8cd70725 Finished request 2. Going to the next request Waking up in 4.9 seconds. User-Name = "temporal1" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00-20-a6-53-a6-a0:WLAN" Calling-Station-Id = "00-0e-9b-d3-72-7c" NAS-Identifier = "Avaya-AP-8-53-a6-a0" State = 0x3dd6d0a73fd3c9876db8a2af8cd70725 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061900 Message-Authenticator = 0x19e5d2c0dd47034a67366569932803d9 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "temporal1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x010600d51900fa20504c21743fdcb28c94527095e4bf87f8c9ebbba34400532e82551128434a2a68843619bcbe798630caaec366ec67991327067eb1777e1bcfc1cccc2fc0ec4b80943004ad7e80b9c4431ef84c990eac035d5f9c74b8555739fec5b1bc985fcd95769e31c854d7d61c2d82d97bdb776a153262f818e15c330b59d6e6c2d44cd2d73ee0fff9c4613d98f474a8555b2921f28181c03f803b8dcf740b18a1c13041a95bb3820bea7dfecffc8145308c5e95d161b51a33645bcaceafcb383c3ce03546e7b657bd16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3dd6d0a73ed0c9876db8a2af8cd70725 Finished request 3. Going to the next request Waking up in 4.8 seconds. User-Name = "temporal1" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00-20-a6-53-a6-a0:WLAN" Calling-Station-Id = "00-0e-9b-d3-72-7c" NAS-Identifier = "Avaya-AP-8-53-a6-a0" State = 0x3dd6d0a73ed0c9876db8a2af8cd70725 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02060140198000000136160301010610000102010088203cd15a638c3638db51513d27aea3f9c5998b101e07924c7d517cd0fab8898daeba330f704bd5b4fa9a8828c7953243d2b783656866a56d7f933e668d74a1252a8d86b817d1b59e1fddc96ba0f5a4949b5b94f75f024e765da8093100aa83f6cc70625c83f10f95836b0c6d4ced72d019a7a39fb09cd599706d993cdbb9c1ba3c5670825c9df790652c28435fd7023ddef755be876e81239e19cf7ee62bff25b5aac2256af336d38e10c4cb8e472564dc5f6f3b4ea012adfdd9101dea6d340581e574633fdb2cbe7204d36e9a027924b9a2955bbdf82204b4a6ef667c885a0a1ce1542ff1a1ff EAP-Message = 0x3bfb40169caae4c580856ad2e941e127bff6a175b3c2a58114030100010116030100209df955e11155d458796366521047a8eaed81de51d31191e76245fc062c8e1b76 Message-Authenticator = 0x79a99d679c69ae0c9e1619f36db388ad +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "temporal1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 253 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 310 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled EAP-Message = 0x0107003119001403010001011603010020f54bae3cd49c93d813734f616a8c3201ebc9c26416e88382fd46c88db64ddc8d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3dd6d0a739d1c9876db8a2af8cd70725 Finished request 4. Going to the next request Waking up in 4.8 seconds. User-Name = "temporal1" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00-20-a6-53-a6-a0:WLAN" Calling-Station-Id = "00-0e-9b-d3-72-7c" NAS-Identifier = "Avaya-AP-8-53-a6-a0" State = 0x3dd6d0a739d1c9876db8a2af8cd70725 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020700061900 Message-Authenticator = 0xc88d46fc398be3abf214a9b1eb767756 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "temporal1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled EAP-Message = 0x01080020190017030100156ea40735a4cf89f4626ce63b4ce1cf092e6ad3eed1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3dd6d0a738dec9876db8a2af8cd70725 Finished request 5. Going to the next request Waking up in 4.8 seconds. User-Name = "temporal1" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00-20-a6-53-a6-a0:WLAN" Calling-Station-Id = "00-0e-9b-d3-72-7c" NAS-Identifier = "Avaya-AP-8-53-a6-a0" State = 0x3dd6d0a738dec9876db8a2af8cd70725 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800251900170301001a4436081b763f21812f4545f999ac3ca58d64fa44bd807dfa391d Message-Authenticator = 0xed2a31854da81f2c2607352f7038f884 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "temporal1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 37 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - temporal1 PEAP: Got tunneled identity of temporal1 PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to temporal1 +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "temporal1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 8 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: Entering ldap_groupcmp() expand: ou=users,ou=radius,dc=wireless,dc=mired,dc=mx -> ou=users,ou=radius,dc=wireless,dc=mired,dc=mx WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=temporal1) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=wireless,dc=mired,dc=mx, with filter (uid=temporal1) rlm_ldap: ldap_release_conn: Release Id: 0 expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=wireless,dc=mired,dc=mx, with filter (&(cn=academicos)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=RETY750916,ou=users,ou=radius,dc=wireless,dc=mired,dc=mx, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: User found in group academicos rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 139 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled PEAP: Got tunneled Access-Challenge ++[eap] returns handled EAP-Message = 0x0109003a1900170301002f176828ea998680bf5cbb0a089f240536fd49f7a9984d36023a331abdf4af139efdf8ed5afbadd7ec7b926a1c86d530 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3dd6d0a73bdfc9876db8a2af8cd70725 Finished request 6. Going to the next request Waking up in 4.8 seconds. User-Name = "temporal1" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00-20-a6-53-a6-a0:WLAN" Calling-Station-Id = "00-0e-9b-d3-72-7c" NAS-Identifier = "Avaya-AP-8-53-a6-a0" State = 0x3dd6d0a73bdfc9876db8a2af8cd70725 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0209005b19001703010050056dc48b30e8cfce865753a81c19410868b44ccdc765162103a41cb362cbe3c0c3da3a0ba2e060f77d1914e2bbac6d1528650fa7b33eedd05d30623cd432cf9fb158e4ef5506d7fc6426b4adee4f5b4b Message-Authenticator = 0xc20c98af65ea96e29c26cc568c9b668e +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "temporal1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 9 length 91 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Setting User-Name to temporal1 +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "temporal1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 9 length 68 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: Entering ldap_groupcmp() expand: ou=users,ou=radius,dc=wireless,dc=mired,dc=mx -> ou=users,ou=radius,dc=wireless,dc=mired,dc=mx WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=temporal1) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=wireless,dc=mired,dc=mx, with filter (uid=temporal1) rlm_ldap: ldap_release_conn: Release Id: 0 expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,ou=radius,dc=wireless,dc=mired,dc=mx, with filter (&(cn=academicos)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=RETY750916,ou=users,ou=radius,dc=wireless,dc=mired,dc=mx, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: User found in group academicos rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 139 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for temporal1 with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [temporal1/<via Auth-Type = EAP>] (from client WLAN port 0 via TLS tunnel) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled EAP-Message = 0x010a00261900170301001b1eb8a5f200d206368fbae80686e7042566c959114b2868fce2f0e0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3dd6d0a73adcc9876db8a2af8cd70725 Finished request 7. Going to the next request Waking up in 4.8 seconds. User-Name = "temporal1" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "00-20-a6-53-a6-a0:WLAN" Calling-Station-Id = "00-0e-9b-d3-72-7c" NAS-Identifier = "Avaya-AP-8-53-a6-a0" State = 0x3dd6d0a73adcc9876db8a2af8cd70725 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020a00261900170301001ba4d540bec66a46cd132819b8612d89fac136ed00afa7a8fd61e51e Message-Authenticator = 0x28a2d71520b5d7318fe1bcb6df931269 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "temporal1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 10 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [temporal1/<via Auth-Type = EAP>] (from client WLAN port 0 cli 00-0e-9b-d3-72-7c) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> temporal1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. Cleaning up request 0 ID 232 with timestamp +39 Cleaning up request 1 ID 233 with timestamp +39 Cleaning up request 2 ID 234 with timestamp +39 Cleaning up request 3 ID 235 with timestamp +39 Waking up in 0.1 seconds. Cleaning up request 4 ID 236 with timestamp +39 Cleaning up request 5 ID 237 with timestamp +39 Cleaning up request 6 ID 238 with timestamp +39 Cleaning up request 7 ID 239 with timestamp +39 Waking up in 1.0 seconds. Cleaning up request 8 ID 240 with timestamp +39 Ready to process requests.
Hi all , sorry for my english! I configured a freeradius on the first machine , on the second machine i configured OpenLdap. i have configred freeraduis in order to communicate with openldap by editing the *users* file like this : *DEFAULT Auth-Type = LDAP Fall-Through = 1* now i want to test if freeradius can realy communicate with openldap but i don't know how ca i do this test. have any any ideas please. Best regards, uness
Type radtest on the radius server command line and you will get the parameters for testing. Ivan Kalik Kalik Informatika ISP Dana 29/5/2008, "youness hsina" <youness.hsina@gmail.com> piše:
Hi all , sorry for my english! I configured a freeradius on the first machine , on the second machine i configured OpenLdap. i have configred freeraduis in order to communicate with openldap by editing the *users* file like this :
*DEFAULT Auth-Type = LDAP Fall-Through = 1*
now i want to test if freeradius can realy communicate with openldap but i don't know how ca i do this test. have any any ideas please. Best regards, uness
i have already made a test in radius server with this commande : *#radtest test test localhost 0 test * it works correctly! But i have this user : login : yhsina password : yhsina in an ldap server . my question is how can i interogate my ldap server using this user *"yhsina"* in order to be sure that radius server communicate correctly with the ldap server. thank you very much for your help (sorry for my english)
What you refer to as login is identity in ldap section of radiusd.conf. Ivan Kalik Kalik Informatika ISP Dana 29/5/2008, "youness hsina" <youness.hsina@gmail.com> piše:
i have already made a test in radius server with this commande :
*#radtest test test localhost 0 test * it works correctly!
But i have this user : login : yhsina password : yhsina in an ldap server . my question is how can i interogate my ldap server using this user *"yhsina"* in order to be sure that radius server communicate correctly with the ldap server.
thank you very much for your help (sorry for my english)
i decommented all the lines who have relation with ldap in radiusd.conf file. here is ths radiusdconf file : ldap { server = "iut-velizy.uvsq.fr" # identity = "ou=Manager,dc=iut-velizy,dc=uvsq,dc=fr" # password = mypass basedn = "ou=Manager,dc=iut-velizy,dc=uvsq,dc=fr" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = yes access_attr = "dialupAccess" ldap_connections_number = 5 # password_attribute = nspmPassword # password_attribute = userPassword # edir_account_policy_check=no # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes } [....] authorize { ldap } [.....] authenticate { Auth-Type LDAP { ldap } } thank you very much for your help
participants (4)
-
Alan DeKok -
German Hernandez -
Ivan Kalik -
youness hsina