EAP-TTLS with mschapv2 and edirectory
Hi, I'm trying to set up 802.1x authentication on my Enterasys AccessPoints using freeradius and eDirectory. Freeradius and eDirectory work like a charm when I use it for Cisco-VPN authentication. This is the debug-output: rad_recv: Access-Request packet from host 10.3.4.10:1088, id=153, length=131 Message-Authenticator = 0x9243250f00d4eaf9edcbe955c5106fe5 User-Name = "dfuernsin" NAS-IP-Address = 10.3.4.10 NAS-Port = 2 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00-1D-E0-64-67-4B" Called-Station-Id = "00-01-F4-1C-9B-89:TGM" EAP-Message = 0x0201000e0164667565726e73696e Framed-MTU = 1000 rlm_ldap: - authorize rlm_ldap: performing user authorization for dfuernsin rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64 rlm_ldap: starting TLS rlm_ldap: bind as cn=admin,o=TGM/xxxxxxx to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: Error reading Universal Password.Return Code = -1635 rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11 rlm_ldap: user dfuernsin authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. Sending Access-Challenge of id 153 to 10.3.4.10 port 1088 Class = 0x54474d2d495453 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc467576a8938958c1a53a68b8e75ff64 rad_recv: Access-Request packet from host 10.3.4.10:1088, id=154, length=141 Message-Authenticator = 0x0967d369610e907bd46340a8497b3cd1 User-Name = "dfuernsin" State = 0xc467576a8938958c1a53a68b8e75ff64 NAS-IP-Address = 10.3.4.10 NAS-Port = 2 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00-1D-E0-64-67-4B" Called-Station-Id = "00-01-F4-1C-9B-89:TGM" Framed-MTU = 1000 EAP-Message = 0x020200060315 rlm_ldap: - authorize rlm_ldap: performing user authorization for dfuernsin rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: Error reading Universal Password.Return Code = -1635 rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11 rlm_ldap: user dfuernsin authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. Sending Access-Challenge of id 154 to 10.3.4.10 port 1088 Class = 0x54474d2d495453 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc2b5e7347d4362c9837a8cdb5ae54cef rad_recv: Access-Request packet from host 10.3.4.10:1088, id=155, length=241 Message-Authenticator = 0xd03ac83eb22acb6875c887c94c819f4e User-Name = "dfuernsin" State = 0xc2b5e7347d4362c9837a8cdb5ae54cef NAS-IP-Address = 10.3.4.10 NAS-Port = 2 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00-1D-E0-64-67-4B" Called-Station-Id = "00-01-F4-1C-9B-89:TGM" Framed-MTU = 1000 EAP-Message = 0x0203006a1500160301005f0100005b03014aa65ba4b109ea3853a601da56bcfb3503d5da3b5141d5ae1d46dc029a00009b00003400390038003500160013000a00330032002f006600050004006500640063006200610060001500120009001400110008000600030100 rlm_ldap: - authorize rlm_ldap: performing user authorization for dfuernsin rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: Error reading Universal Password.Return Code = -1635 rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11 rlm_ldap: user dfuernsin authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Sending Access-Challenge of id 155 to 10.3.4.10 port 1088 Class = 0x54474d2d495453 EAP-Message = 0x010403e415c00000080c160301004a0200004603014aa65ba0b78781976e8fad382a31b4cbfac99b4a4b3bb7a15da50bb7a0cacbba205977e045237bf3b4079a8a6e0626197a60447cb1939ab691439bcbe1f82002b3003900160301069d0b0006990006960002cd308202c930820232a003020102020102300d06092a864886f70d010105050030819c310b3009060355040613024154310f300d060355040813065669656e6e61310f300d060355040713065669656e6e6131253023060355040a131c54474d202d2044696520536368756c652064657220546563686e696b310d300b060355040b130472616431311730150603550403130e54474d EAP-Message = 0x20436c69656e742053534c311c301a06092a864886f70d010901160d6974734074676d2e61632e6174301e170d3039303132363135303931395a170d3130303132363135303931395a30819e310b3009060355040613024154310f300d060355040813065669656e6e61310f300d060355040713065669656e6e6131253023060355040a131c54474d202d2044696520536368756c652064657220546563686e696b310d300b060355040b1304726164313119301706035504031310526f6f74206365727469666963617465311c301a06092a864886f70d010901160d6974734074676d2e61632e617430819f300d06092a864886f70d010101050003 EAP-Message = 0x818d0030818902818100afcebd714b483a8a5248285e080efc98c463327d4d76ba572326e4c585de64c946dcc1ac55b96f93542a67f546c6f29161b22b6152ef36ed6e17e50cac6f69cd3cfe791d39e10478e60e767ead1fe7af84a93c2143744ddb9efc3ceeeb6050f57f914ac3ed4ac32f59003a6661e9749e1a38846ed21b8015bad99935b8f774cf0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003818100c0c9edb6e0f7f54cdf49341bc3d31695b8a7318d1c7bc738ae316bcb4990842d5f034550ae6bc201220d38123e239cbfbb258b19e0b335461eb9e616c85402494ed2 EAP-Message = 0x38765b36ad92c6726e697e9232aa61aa3ee705521ccb59b91dbcf4475df14af87342965b0c58fe6dd3d8750193a4a91e964029b0ba452ee46d3be0a1d8af0003c3308203bf30820328a00302010202090090e75d8098036885300d06092a864886f70d010105050030819c310b3009060355040613024154310f300d060355040813065669656e6e61310f300d060355040713065669656e6e6131253023060355040a131c54474d202d2044696520536368756c652064657220546563686e696b310d300b060355040b130472616431311730150603550403130e54474d20436c69656e742053534c311c301a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x72e9a4df87e4335cee24c2dbc1c9dde3 rad_recv: Access-Request packet from host 10.3.4.10:1088, id=156, length=141 Message-Authenticator = 0xea43378afe10a29865cc0b2c502015c4 User-Name = "dfuernsin" State = 0x72e9a4df87e4335cee24c2dbc1c9dde3 NAS-IP-Address = 10.3.4.10 NAS-Port = 2 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00-1D-E0-64-67-4B" Called-Station-Id = "00-01-F4-1C-9B-89:TGM" Framed-MTU = 1000 EAP-Message = 0x020400061500 rlm_ldap: - authorize rlm_ldap: performing user authorization for dfuernsin rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: Error reading Universal Password.Return Code = -1635 rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11 rlm_ldap: user dfuernsin authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. Sending Access-Challenge of id 156 to 10.3.4.10 port 1088 Class = 0x54474d2d495453 EAP-Message = 0x010503e415c00000080c06092a864886f70d010901160d6974734074676d2e61632e6174301e170d3039303132363135303931395a170d3131303132363135303931395a30819c310b3009060355040613024154310f300d060355040813065669656e6e61310f300d060355040713065669656e6e6131253023060355040a131c54474d202d2044696520536368756c652064657220546563686e696b310d300b060355040b130472616431311730150603550403130e54474d20436c69656e742053534c311c301a06092a864886f70d010901160d6974734074676d2e61632e617430819f300d06092a864886f70d010101050003818d0030818902 EAP-Message = 0x818100d1f5ae5fc44ca6966ed3217a38b384bce4c658868c6f8b7a1de9929348ba50c2070908a56f9c457532e6e83930ad12680ebd6494deda9215b1e401c1d9a2728782877d3bd20405861d8fafd07a79625db7c6ec0c526d5c76ada7a7f3b736c9afd4a59a78f4a3630006020208163418ecc5fbe40a3d2d6d6de4c962512548801b0203010001a382010530820101301d0603551d0e04160414b1f43b24b586334fa7c4d2a08bcc48f581e8f1fd3081d10603551d230481c93081c68014b1f43b24b586334fa7c4d2a08bcc48f581e8f1fda181a2a4819f30819c310b3009060355040613024154310f300d060355040813065669656e6e61310f30 EAP-Message = 0x0d060355040713065669656e6e6131253023060355040a131c54474d202d2044696520536368756c652064657220546563686e696b310d300b060355040b130472616431311730150603550403130e54474d20436c69656e742053534c311c301a06092a864886f70d010901160d6974734074676d2e61632e617482090090e75d8098036885300c0603551d13040530030101ff300d06092a864886f70d010105050003818100a93705a500a9f692697fbafd7a4380ac915c099012ad7e5b7fa81bcf88a194503a21d078015fdcc8b6002c7271e83185f5dd0a1930b833563f58721af1bab7d3a80f55e587a878f9efac9531cc56f6bce90c22ca458b EAP-Message = 0x950c0b8bd8f07773e654c74153aa54c20bfe9c0ec6c4330b00267c19cb777433bfabf26680f70f881972160301010d0c0001090040b0e40717d408c7bd95e486445a58ca90105eeb618a3cb101fedfa1f30852a72fb8585db5f4876611a2bdb3114e7806a3499aa7ab9fdaecd98b24b49dd737c7730001020040188269e7cb45c48d98c9afaf784b98f4097dc6cbacf7317ce7e57bc2dacae876e0a5d27d2accd4f5240e2228b99397b4d5cb25420942cbbdfc51b4e644cd3111008061c8942076db0af63f340a6e3658f5e512fcf58f5e087ef2f0619b78c225311d16046e6a769f383c23baadd1c35251c5b3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9c3953fde1abb5c5aebec8ebfc86a1bb rad_recv: Access-Request packet from host 10.3.4.10:1088, id=157, length=141 Message-Authenticator = 0x3d7ea6f61b767389629d49596205cbd9 User-Name = "dfuernsin" State = 0x9c3953fde1abb5c5aebec8ebfc86a1bb NAS-IP-Address = 10.3.4.10 NAS-Port = 2 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00-1D-E0-64-67-4B" Called-Station-Id = "00-01-F4-1C-9B-89:TGM" Framed-MTU = 1000 EAP-Message = 0x020500061500 rlm_ldap: - authorize rlm_ldap: performing user authorization for dfuernsin rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: Error reading Universal Password.Return Code = -1635 rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11 rlm_ldap: user dfuernsin authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. Sending Access-Challenge of id 157 to 10.3.4.10 port 1088 Class = 0x54474d2d495453 EAP-Message = 0x0106006215800000080c4735a6c865221013a00e96f493261b33521a8a8db63b2eeaa24bbd1fbbfc067771b65a0811beec00e57b7699eda4802ca8e81aabeca2dad6fd539cc217fb20f99d55eeb228d6da1110ae9c86e2f2f216030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5661a0f5ce45e239b4bc70859f6a2bf9 rad_recv: Access-Request packet from host 10.3.4.10:1088, id=158, length=275 Message-Authenticator = 0x1b944ca85d6a4c92fa947f1637831748 User-Name = "dfuernsin" State = 0x5661a0f5ce45e239b4bc70859f6a2bf9 NAS-IP-Address = 10.3.4.10 NAS-Port = 2 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00-1D-E0-64-67-4B" Called-Station-Id = "00-01-F4-1C-9B-89:TGM" Framed-MTU = 1000 EAP-Message = 0x0206008c150016030100461000004200403239103fe96393b4442f69821e1784ab56e448c25d9a02d3b76fd0201fc53bdf165556558f1539d40400185a164646a89aba0412c2e205ca7828ce2ba98b5aa114030100010116030100308b32065275900efdd52cf6124e1f032aca7d1f771bf611b925590b7412b935621bbd62f33a4bc4b97ee483a5a62e8dca rlm_ldap: - authorize rlm_ldap: performing user authorization for dfuernsin rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: Error reading Universal Password.Return Code = -1635 rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11 rlm_ldap: user dfuernsin authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Sending Access-Challenge of id 158 to 10.3.4.10 port 1088 Class = 0x54474d2d495453 EAP-Message = 0x0107004515800000003b140301000101160301003040dc94e72be53bf55ddf8e541c965363d17b6a5afcd21214d85ead7b55840e0c48e144c6967f3431d935d8ea893dd23f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x37827b68d6e2834e52f9b31f421d6b57 rad_recv: Access-Request packet from host 10.3.4.10:1088, id=159, length=327 Message-Authenticator = 0xeaeace0d6f9aaa5a9b076145efdf883e User-Name = "dfuernsin" State = 0x37827b68d6e2834e52f9b31f421d6b57 NAS-IP-Address = 10.3.4.10 NAS-Port = 2 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00-1D-E0-64-67-4B" Called-Station-Id = "00-01-F4-1C-9B-89:TGM" Framed-MTU = 1000 EAP-Message = 0x020700c015001703010020509e2651521db9d8f55ea9236544febdd1847d3d90824b31e7e4b065cce3be5f1703010090cd17c1519d0a3444677865909a065f47f58b4a429faa437acaefd64fcde712221684a961867da9ca7c65ac67c87a736bbd2ec83b4fa5620def3c9956dc47c89f0ba1cfc1119b276190b960dcc5feb1ab8ef37f84bfa605f215956585e7235faf28e1a5693cd43753121cebfbe74f628a8085c0844def4a1031da34e452d3cec56bf86dfdd77790388a97af5de4b1af82 rlm_ldap: - authorize rlm_ldap: performing user authorization for dfuernsin rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: Error reading Universal Password.Return Code = -1635 rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11 rlm_ldap: user dfuernsin authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. TTLS: Got tunneled request User-Name = "dfuernsin" MS-CHAP-Challenge = 0x45343e241414cc6e2b419a80ca3c0679 MS-CHAP2-Response = 0xf90021c10a7e8786f207105e79fcf645fcea00000000000000000e9d76ed745951eb086371741cc54c64e7ec7e2ac6a29979 FreeRADIUS-Proxied-To = 127.0.0.1 TTLS: Sending tunneled request User-Name = "dfuernsin" MS-CHAP-Challenge = 0x45343e241414cc6e2b419a80ca3c0679 MS-CHAP2-Response = 0xf90021c10a7e8786f207105e79fcf645fcea00000000000000000e9d76ed745951eb086371741cc54c64e7ec7e2ac6a29979 FreeRADIUS-Proxied-To = 127.0.0.1 NAS-IP-Address = 10.3.4.10 NAS-Port = 2 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00-1D-E0-64-67-4B" Called-Station-Id = "00-01-F4-1C-9B-89:TGM" Framed-MTU = 1000 rlm_ldap: - authorize rlm_ldap: performing user authorization for dfuernsin rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: Error reading Universal Password.Return Code = -1635 rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11 rlm_ldap: user dfuernsin authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. Login incorrect: [dfuernsin] (from client localhost port 2 cli 00-1D-E0-64-67-4B) TTLS: Got tunneled reply RADIUS code 3 Class = 0x54474d2d495453 MS-CHAP-Error = "\371E=691 R=1" Login incorrect: [dfuernsin] (from client management port 2 cli 00-1D-E0-64-67-4B) And here is my config: ldap { server = "localhost" identity = "cn=admin,o=TGM" password = xxxxxxx basedn = "o=TGM" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=tgmPerson)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = yes tls_cacertfile = /etc/raddb/certs/rootder.b64 # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # # password_attribute = userPassword # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # edir_account_policy_check=yes # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member= %{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember= %{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes } Can somebody help me? Thanks, Mike -- Please stop top-quoting! email: michi.fischer@gmx.net
Michael Fischer wrote:
I'm trying to set up 802.1x authentication on my Enterasys AccessPoints using freeradius and eDirectory.
Freeradius and eDirectory work like a charm when I use it for Cisco-VPN authentication.
Which is likely PAP (i.e. clear-text password).
rlm_ldap: Error reading Universal Password.Return Code = -1635
Go fix that. eDirectory isn't returning the password. Therefore, FreeRADIUS doesn't have it, and cannot authenticate anyone. Alan DeKok.
On 9/09/2009, at 2:43 AM, Alan DeKok <aland@deployingradius.com> wrote:
Michael Fischer wrote:
I'm trying to set up 802.1x authentication on my Enterasys AccessPoints using freeradius and eDirectory.
Freeradius and eDirectory work like a charm when I use it for Cisco- VPN authentication.
Which is likely PAP (i.e. clear-text password).
rlm_ldap: Error reading Universal Password.Return Code = -1635
Go fix that.
eDirectory isn't returning the password. Therefore, FreeRADIUS doesn't have it, and cannot authenticate anyone.
Turn on universal password and allow user to retrieve password in your universal password policy. Then reset their password using imanager or via ldap and try again.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, 2009-09-09 at 08:02 +1200, Peter Lambrechtsen wrote:
On 9/09/2009, at 2:43 AM, Alan DeKok <aland@deployingradius.com> wrote:
Michael Fischer wrote:
I'm trying to set up 802.1x authentication on my Enterasys AccessPoints using freeradius and eDirectory.
Freeradius and eDirectory work like a charm when I use it for Cisco- VPN authentication.
Which is likely PAP (i.e. clear-text password).
rlm_ldap: Error reading Universal Password.Return Code = -1635
Go fix that.
eDirectory isn't returning the password. Therefore, FreeRADIUS doesn't have it, and cannot authenticate anyone.
Turn on universal password and allow user to retrieve password in your universal password policy. Then reset their password using imanager or via ldap and try again.
Alan DeKok.
Hi,
the strange thing is that I've never used anything else than universal password and my universal password policy does allow the user to read the password. I get the same error with the working Cisco-VPN configuration, see the debug output: Ready to process requests. rad_recv: Access-Request packet from host 10.99.4.1:1025, id=161, length=142 User-Name = "dfuernsin" User-Password = "xxxxxx" NAS-Port = 172 Service-Type = Framed-User Framed-Protocol = PPP Called-Station-Id = "10.99.4.1" Calling-Station-Id = "10.3.4.97" NAS-Port-Type = Virtual Tunnel-Client-Endpoint:0 = "10.3.4.97" NAS-IP-Address = 10.99.4.1 Cisco-AVPair = "ip:source-ip=10.3.4.97" rlm_ldap: - authorize rlm_ldap: performing user authorization for dfuernsin rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64 rlm_ldap: starting TLS rlm_ldap: bind as cn=admin,o=TGM/xxxxxx to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: checking if remote access for dfuernsin is allowed by dialupAccess rlm_ldap: Error reading Universal Password.Return Code = -1635 rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11 rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user dfuernsin authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. rlm_ldap: - authenticate rlm_ldap: login attempt by "dfuernsin" with password "xxxxxxx" rlm_ldap: user DN: cn=dfuernsin,ou=ITS,ou=People,o=TGM rlm_ldap: (re)connect to localhost:389, authentication 1 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64 rlm_ldap: starting TLS rlm_ldap: bind as cn=dfuernsin,ou=ITS,ou=People,o=TGM/xxxxxx to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user dfuernsin authenticated succesfully Login OK: [dfuernsin] (from client firewall port 172 cli 10.3.4.97) Sending Access-Accept of id 161 to 10.99.4.1 port 1025 Class = 0x54474d2d495453 I guess that cannot be the problem then... lg, Mike -- Please stop top-quoting! email: michi.fischer@gmx.net
Freeradius and eDirectory work like a charm when I use it for Cisco- VPN authentication.
Which is likely PAP (i.e. clear-text password).
rlm_ldap: Error reading Universal Password.Return Code = -1635
Go fix that.
eDirectory isn't returning the password. Therefore, FreeRADIUS doesn't have it, and cannot authenticate anyone.
Turn on universal password and allow user to retrieve password in your universal password policy. Then reset their password using imanager or via ldap and try again.
the strange thing is that I've never used anything else than universal password and my universal password policy does allow the user to read the password.
There is a link to the document explaining how to set this up in ldap module. Have you read that?
I get the same error with the working Cisco-VPN configuration, see the debug output:
Yes, but ...
Ready to process requests. rad_recv: Access-Request packet from host 10.99.4.1:1025, id=161, length=142 User-Name = "dfuernsin" User-Password = "xxxxxx" NAS-Port = 172 Service-Type = Framed-User Framed-Protocol = PPP Called-Station-Id = "10.99.4.1" Calling-Station-Id = "10.3.4.97" NAS-Port-Type = Virtual Tunnel-Client-Endpoint:0 = "10.3.4.97" NAS-IP-Address = 10.99.4.1 Cisco-AVPair = "ip:source-ip=10.3.4.97"
It's a PAP request. ...
rlm_ldap: bind as cn=dfuernsin,ou=ITS,ou=People,o=TGM/xxxxxx to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user dfuernsin authenticated succesfully ...
And you are doing "bind as user" authentication.
I guess that cannot be the problem then...
Yes, it can. Ivan Kalik Kalik Informatika ISP
Michael Fischer wrote:
the strange thing is that I've never used anything else than universal password and my universal password policy does allow the user to read the password.
No, it doesn't. The debug log disagrees with you.
I get the same error with the working Cisco-VPN configuration, see the debug output: ... rlm_ldap: Error reading Universal Password.Return Code = -1635
See? A quick check of "google" shows: http://www.novell.com/documentation/ndsedir86/readme/winreadme.html
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
Which is the same error as with PEAP.
rlm_ldap: bind as cn=dfuernsin,ou=ITS,ou=People,o=TGM/xxxxxx to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful
That is different than PEAP. In this case, FreeRADIUS is handing the username && password to eDirectory for authentication. eDirectory returns success/failure.
I guess that cannot be the problem then...
Yes, it *is* the problem. Fix eDirectory so that it doesn't return error 1635. Nothing else will solve the problem. Alan DeKok.
Michael Fischer wrote:
the strange thing is that I've never used anything else than universal password and my universal password policy does allow the user to read the password.
Freeradius uses admin user account to retrieve the attributes. Can that one retrieve the password? Ivan Kalik Kalik Informatika ISP
On 9/09/2009, at 9:58 PM, "Ivan Kalik" <tnt@kalik.net> wrote:
Michael Fischer wrote:
the strange thing is that I've never used anything else than universal password and my universal password policy does allow the user to read the password.
Freeradius uses admin user account to retrieve the attributes. Can that one retrieve the password?
That will be the problem. He will need to change the universal password policy to allow admin to retrieve password as well. And make sure the user he uses in fr is a admin user.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I am investigaitng using the Simultaneous-Use feature with freeradius 2.1.6. We currently have users that log in both with and without realms. In radutmp we log the stripped username (i.e. no realm component). Since the radutmp data has no realm part for the username, how do I get the Simultaneous-Use code to check the username without the realm component? Currently the realm portion is carried through until the accounting processing (for radutmp). For example, # radwho -r | grep pebenopi fred,fred,PPP,S315138101,Wed 11:28,192.168.1.101,201.229.41.119 fred,fred,PPP,S315305457,Wed 20:53,192.168.1.101,66.247.201.44 fred,fred,PPP,S317335857,Wed 10:40,192.168.1.101,201.229.26.67
From users
fred@comfort Auth-Type := Accept, Simultaneous-Use := 1 Exec-Program-Wait = "/custome_auth_binary" , Fall-Through = no If I understand correctly, fred@comfort will pass Sinultaneous-Use because radutmp is logging these as just "fred". Thanks, -craig __________ Information from ESET Smart Security, version of virus signature database 4411 (20090909) __________ The message was checked by ESET Smart Security. http://www.eset.com
Craig Campbell wrote:
We currently have users that log in both with and without realms.
Well... then you have to manage that.
In radutmp we log the stripped username (i.e. no realm component).
Why?
Since the radutmp data has no realm part for the username, how do I get the Simultaneous-Use code to check the username without the realm component? Currently the realm portion is carried through until the accounting processing (for radutmp).
I don't understand. You give radutmp a stripped user name, but you don't give the session checking a stripped user name? If you want to check the stripped user name... then use it.
If I understand correctly, fred@comfort will pass Sinultaneous-Use because radutmp is logging these as just "fred".
Yes. Because you told it to treat them as different users. If you want the simultaneous checking to check the stripped user name, then strip the user name... Alan DeKok.
From: "Alan DeKok" <aland@deployingradius.com>
"If you want to check the stripped user name... then use it."
How can I control this? I am assuming you are referring to proxy.con realm configuration? "Why you ask?" The 'powers that be' have declared that the same userid may log in via multiple realms (access technologies) up to a certain connection limit. So user@realm1 and user@realm2 count as 2 connections for user. In their original form, radius would view them as two distinct userids. I need the form 'user@realm' for authentication right after the simultaneous-use check. How, specifically, can I get the Simultaneous-Use function to use the Stripped-User-Name (proxy.conf)? and yet use the original User-Name for the remainder of the processing? (I have seen references to variable in some cases having a form of %{prefix:User-Name} but am unclear of how/where that can/should be used. I have searched the internet, the docs available, and some of the source code in attempting to understand freeradius, only posting questions when I am truly puzzled. Indications of "how" to do (or NOT do) something are most appreciated. This is a significant upgrade effort, and I'm ok with re-designing how things are achieved, if I can determine WHAT the 'best way' should be. I have NO control over the rules that apply to users and accounts in the real world. (I especially love when they CONTRADICT! - Marketing...) Thanks, -craig ----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Thursday, September 10, 2009 4:16 AM Subject: Re: Checkrad / Simultaneous-Use clarification please
Craig Campbell wrote:
We currently have users that log in both with and without realms.
Well... then you have to manage that.
In radutmp we log the stripped username (i.e. no realm component).
Why?
Since the radutmp data has no realm part for the username, how do I get the Simultaneous-Use code to check the username without the realm component? Currently the realm portion is carried through until the accounting processing (for radutmp).
I don't understand. You give radutmp a stripped user name, but you don't give the session checking a stripped user name?
If you want to check the stripped user name... then use it.
If I understand correctly, fred@comfort will pass Sinultaneous-Use because radutmp is logging these as just "fred".
Yes. Because you told it to treat them as different users.
If you want the simultaneous checking to check the stripped user name, then strip the user name...
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Information from ESET Smart Security, version of virus signature database 4412 (20090909) __________
The message was checked by ESET Smart Security.
__________ Information from ESET Smart Security, version of virus signature database 4412 (20090909) __________ The message was checked by ESET Smart Security. http://www.eset.com
From: "Alan DeKok" <aland@deployingradius.com>
"If you want to check the stripped user name... then use it."
How can I control this? I am assuming you are referring to proxy.con realm configuration?
"Why you ask?"
The 'powers that be' have declared that the same userid may log in via multiple realms (access technologies) up to a certain connection limit. So user@realm1 and user@realm2 count as 2 connections for user. In their original form, radius would view them as two distinct userids.
I need the form 'user@realm' for authentication right after the simultaneous-use check.
Strip username and pass User-Name + Realm to authentication script. Ivan Kalik Kalik Informatika ISP
participants (5)
-
Alan DeKok -
Craig Campbell -
Ivan Kalik -
Michael Fischer -
Peter Lambrechtsen