Calling-Station-Id in EAP/PEAP ??
Hi! Is it possible to use verification of Calling-Station-Id in EAP/PEAP ? My users file: foo Auth-Type := EAP, User-Password == "mypass", Calling-Station-Id == "0123456789ab" and I have an error: rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select When I use := insteed of == in Calling-Station-Id == "anything" then freeradius always authorize me, so I think it doesn't chceck it... -- Norboro
-"Norbert Grochal" <norboro@celpol.pl> wrote:
Is it possible to use verification of Calling-Station-Id in EAP/PEAP ?
Yes.
and I have an error:
rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting.
Go back and read the rest of the debug log. Alan DeKok.
Hi, at the moment i trying to get my ldap authetication working with redundant ldap directorys. I made a second ldap modul and the following entry at the authentication part Redundant{ ldap1 ldap2 } I fired up an second ldap directoy which is replicated by first one. My problem is that if i kill ldap1 i cant get an result from ldap2. Bit the database and directory is the same! rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 192.168.1.4:389, authentication 0 rlm_ldap: bind as cn=freeradius,ou=admins,ou=radius,dc=XXX,dc=de/freeradius to 192.168.1.4:389 rlm_ldap: cn=freeradius,ou=admins,ou=radius,dc=XXX,dc=de bind to 192.168.1.4:389 failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap1" returns fail for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for Notebook-XXX.de radius_xlat: '(&(uid=Notebook-AK.XXX.de)(objectclass=radiusprofile))' radius_xlat: 'ou=users,ou=radius,dc=XXX,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 192.168.1.5:389, authentication 0 rlm_ldap: bind as cn=freeradius,ou=admins,ou=radius,dc=XXX,dc=de/freeradius to 192.168.1.5:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=users,ou=radius,dc=XXX,dc=de, with filter (&(uid=Notebook-AK.XXX.de)(objectclass=radiusprofile)) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap2" returns notfound for request 0 modcall: group redundant returns notfound for request 0 modcall: group authorize returns updated for request 0 The second problem is that if both ldap1 an d ldap2 are down the eap-tls modul which is for authorisation goes on and authenticates the user.. How can i change that that? I want to configure the server,that if ldap failes the whole process fails and the user is rejected. What will i have to add to my redundant part? Hope this is understandable? Mit freundlichen Grüßen Armin
=?iso-8859-1?Q?Armin_Kr=E4mer?= <Kraemer.Armin@web.de> wrote:
I fired up an second ldap directoy which is replicated by first one.
My problem is that if i kill ldap1 i cant get an result from ldap2. Bit the database and directory is the same!
The response of the LDAP server indicates that's not true.
rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap2" returns notfound for request 0
See?
The second problem is that if both ldap1 an d ldap2 are down the eap-tls modul which is for authorisation goes on and authenticates the user..
Because the authentication is done via certificates, not by LDAP.
How can i change that that? I want to configure the server,that if ldap failes the whole process fails and the user is rejected. What will i have to add to my redundant part?
Read doc/configurable_failover. Use the "always" module to return a reject. Alan DeKok.
participants (3)
-
Alan DeKok -
Armin Krämer -
Norbert Grochal