FreeRadius OpenLDAP TTLS/PAP
I try to configure FreeRadius / OpenLDAP with a method of TTLS / PAP. but it does not work. how to do. thank you Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 41586, id=30, length=56 User-Name = "toto" User-Password = "\267\002n\235W\270=\207\343\327U\032\036\032w\372" NAS-IP-Address = 127.0.0.1 NAS-Port = 1812 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "toto", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for toto [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> toto [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=toto) [ldap] expand: dc=tem-tsp,dc=eu -> dc=tem-tsp,dc=eu [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=tem-tsp,dc=eu, with filter (uid=toto) [ldap] Added User-Password = toto in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "toto" [ldap] looking for reply items in directory... [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "33" [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802 [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN [ldap] user toto authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Config already contains "known good" password. Ignoring Password-With-Header ++[pap] returns updated Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "�?n?W�=?��U???w�" [pap] Using clear text password "toto" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> toto attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 11 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 11 Sending Access-Reject of id 30 to 127.0.0.1 port 41586 Waking up in 4.9 seconds. Cleaning up request 11 ID 30 with timestamp +1966 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 41586, id=30, length=56 User-Name = "toto" User-Password = "\267\002n\235W\270=\207\343\327U\032\036\032w\372" NAS-IP-Address = 127.0.0.1 NAS-Port = 1812 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "toto", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for toto [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> toto [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=toto) [ldap] expand: dc=tem-tsp,dc=eu -> dc=tem-tsp,dc=eu [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=tem-tsp,dc=eu, with filter (uid=toto) [ldap] Added User-Password = toto in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "toto" [ldap] looking for reply items in directory... [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "33" [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802 [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN [ldap] user toto authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Config already contains "known good" password. Ignoring Password-With-Header ++[pap] returns updated Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "�?n?W�=?��U???w�" [pap] Using clear text password "toto" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> toto attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 12 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 12 Sending Access-Reject of id 30 to 127.0.0.1 port 41586 Waking up in 4.9 seconds. Cleaning up request 12 ID 30 with timestamp +1974 Ready to process requests. ----- kahina akkouche -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-OpenLDAP-TTLS-PAP-tp57137... Sent from the FreeRadius - User mailing list archive at Nabble.com.
# # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "localhost" identity = "cn=admin,dc=tem-tsp,dc=eu" password = secret basedn = "dc=tem-tsp,dc=eu" password_attribute = Cleartext-Password filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)" # How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5 # seconds to wait for LDAP query to finish. default: 20 timeout = 4 # seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3 # # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1 tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no # cacertfile = /path/to/cacert.pem # cacertdir = /path/to/ca/dir/ # certfile = /path/to/radius.crt # Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the cerificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" # require_cert = "demand" } # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap ----- kahina akkouche -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-OpenLDAP-TTLS-PAP-tp57137... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (2)
-
akkouche -
Alan DeKok