PEAP + local = OK, same config + LDAP failed
Hi, still fighting with ldap :-) If I authenticate the user local without an ldap-entry in the radiusd.conf everything works fine, but if I uncomment the ldap-entry, nothing works anymore! I thought the users file is inspected first? my log: see attachment Thanks Florian -- -------------------------------------------------------------- Dipl. Inf. Florian Prester Network Administration Regionales RechenZentrum Erlangen Universitaet Erlangen-Nuernberg Germany Tel.: +499131 8527813 Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/var" main: logdir = "/var/log" main: libdir = "/usr/local/lib" main: radacctdir = "/var/log/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/var/log/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 600 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded LDAP ldap: server = "131.188.3.53" ldap: port = 400 ldap: net_timeout = 1 ldap: timeout = 24 ldap: timelimit = 23 ldap: identity = "cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "XXXX" ldap: basedn = "ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE" ldap: filter = "(Userid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "NT-Password" ldap: access_attr = "uid" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP fauUserid mapped to RADIUS User-Password rlm_ldap: LDAP uid mapped to RADIUS LM-Password rlm_ldap: LDAP uid mapped to RADIUS NT-Password conns: 0x817a680 Module: Instantiated ldap (ldap) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/var/log/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 131.188.4.191:20000, id=241, length=147 NAS-Port-Id = "2049/2" Calling-Station-Id = "00-90-4B-8F-B7-3B" Called-Station-Id = "00-0B-0E-03-00-42:FAU-SEC" Service-Type = Framed-User EAP-Message = 0x0201000e01756e727a776c616e31 User-Name = "unrzwlan1" NAS-Identifier = "Trapeze" NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 131.188.4.191 Message-Authenticator = 0xbd3c523c917afa00ab0f56c9e86de875 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for unrzwlan1 radius_xlat: '(Userid=unrzwlan1)' radius_xlat: 'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 131.188.3.53:400, authentication 0 rlm_ldap: bind as cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE/zope148FP to 131.188.3.53:400 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrzwlan1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 0 rlm_eap: EAP packet type response id 1 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 rlm_realm: No '@' in User-Name = "unrzwlan1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 users: Matched entry unrzwlan1 at line 7 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 241 to 131.188.4.191:20000 Tunnel-Private-Group-Id:0 := "rlan79" EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x270ffa52f6cd54af2c0e23d0edac5903 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 131.188.4.191:20000, id=241, length=147 Sending duplicate reply to client airbrush:20000 - ID: 241 Re-sending Access-Challenge of id 241 to 131.188.4.191:20000 --- Walking the entire request list --- Cleaning up request 0 ID 241 with timestamp 42ae84e9 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 131.188.4.191:20000, id=242, length=263 NAS-Port-Id = "2049/2" Calling-Station-Id = "00-90-4B-8F-B7-3B" Called-Station-Id = "00-0B-0E-03-00-42:FAU-SEC" Service-Type = Framed-User User-Name = "unrzwlan1" State = 0x270ffa52f6cd54af2c0e23d0edac5903 EAP-Message = 0x0202007019800000006616030100610100005d030142ae84fb6d8a3add919e04d99c35263d3cab507a157253592b98a043caa55d29208cdc759f490505a45bd83ac57f57818afae99b53aa94aafd200cf06c164d9828001600040005000a000900640062000300060013001200630100 NAS-Identifier = "Trapeze" NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 131.188.4.191 Message-Authenticator = 0x2b70fce6511fd7e4f80dc2cd4aee58d4 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for unrzwlan1 radius_xlat: '(Userid=unrzwlan1)' radius_xlat: 'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrzwlan1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 1 rlm_eap: EAP packet type response id 2 length 112 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 rlm_realm: No '@' in User-Name = "unrzwlan1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 users: Matched entry unrzwlan1 at line 7 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 242 to 131.188.4.191:20000 Tunnel-Private-Group-Id:0 := "rlan79" EAP-Message = 0x0103040a19c0000006f1160301004a02000046030142ae84f482c0b5f71d5ffac71e34881b4b61a555f0df5ab95e99f96ea38c580f202c61ba5008bccc69ba96534586b7ecfeef862915d3f0fdd3eca3255a9bc3b1e200040016030106940b00069000068d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365 EAP-Message = 0x7274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3034303132353133323631305a170d3035303132343133323631305a30819b310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f73743119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003 EAP-Message = 0x818d0030818902818100dac525422bfedb082629a2cba44b3449c90d0ab462fb72c8434a782098863d7eb7d7e70028c2b7ad555a51cc756cf4fa1d7091615ab450d5289553ae6616aff014a55085d6b8fb4aee98638e426175cdd36c665c63cda177d34920eb30585edc8773999c2980f81ad4638bbbea1c82d054023db7ef24a3ec1c3f6241a903d7f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181007a2d921b1cf13bf2982a9178ec9ede6d88edc178a2e8bd40a0a06fb6f0769957884cd7084537083496fd184165293f583c8e8240eb68e042c94b15752e4c07e80d09 EAP-Message = 0x779afa3dd55c24fa54ac292d77205d1c2477ed30d59f57caf9bd21ff2a8d16cc0911c50e4f295763fcb60efa3c3d2d0e43850f6e6fbe284902f6e83503650003ba308203b63082031fa003020102020100300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c EAP-Message = 0x652e636f6d301e170d3034303132353133323630375a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2adab79082d449df51e30fef35e67fe6 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 131.188.4.191:20000, id=242, length=263 Sending duplicate reply to client airbrush:20000 - ID: 242 Re-sending Access-Challenge of id 242 to 131.188.4.191:20000 --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 131.188.4.191:20000, id=243, length=157 NAS-Port-Id = "2049/2" Calling-Station-Id = "00-90-4B-8F-B7-3B" Called-Station-Id = "00-0B-0E-03-00-42:FAU-SEC" Service-Type = Framed-User User-Name = "unrzwlan1" State = 0x2adab79082d449df51e30fef35e67fe6 EAP-Message = 0x020300061900 NAS-Identifier = "Trapeze" NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 131.188.4.191 Message-Authenticator = 0xeeae09a6983f98f4797e2ab21b079e0a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for unrzwlan1 radius_xlat: '(Userid=unrzwlan1)' radius_xlat: 'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrzwlan1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 2 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 rlm_realm: No '@' in User-Name = "unrzwlan1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 users: Matched entry unrzwlan1 at line 7 modcall[authorize]: module "files" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 243 to 131.188.4.191:20000 Tunnel-Private-Group-Id:0 := "rlan79" EAP-Message = 0x010402f71900170d3036303132343133323630375a30819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52ccb99b41e8 EAP-Message = 0x0ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010 EAP-Message = 0x060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdba2ec94e26cdc90dca70222ef508eac Finished request 2 Going to the next request Cleaning up request 1 ID 242 with timestamp 42ae84ef Waking up in 1 seconds... rad_recv: Access-Request packet from host 131.188.4.191:20000, id=243, length=157 Sending duplicate reply to client airbrush:20000 - ID: 243 Re-sending Access-Challenge of id 243 to 131.188.4.191:20000 --- Walking the entire request list --- Cleaning up request 2 ID 243 with timestamp 42ae84f4 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 131.188.4.191:20000, id=244, length=343 NAS-Port-Id = "2049/2" Calling-Station-Id = "00-90-4B-8F-B7-3B" Called-Station-Id = "00-0B-0E-03-00-42:FAU-SEC" Service-Type = Framed-User User-Name = "unrzwlan1" State = 0xdba2ec94e26cdc90dca70222ef508eac EAP-Message = 0x020400c01980000000b616030100861000008200800272f9e3da8dfdf922f90edd808a815aa811991a4bb5bbc8055a29708017f47e39fddc4c88609d21414596954126a2c47134ebb0abbe07bc14cb8d50b17bf10a1ddf10449ebbd2b54b5161a81d8fadfc67039c5434db801a30f5345a620121fce28c0b9f82e461e650609fde6265cbb8ad58adc1c96dff63233c66f14fda55f7140301000101160301002045608365036d776dcd85c6c1f64f0c90f8f68605fe8cfb43237aad4ad281931b NAS-Identifier = "Trapeze" NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 131.188.4.191 Message-Authenticator = 0xd6efe0639615d7c891d4400c6cdaf8e6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for unrzwlan1 radius_xlat: '(Userid=unrzwlan1)' radius_xlat: 'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrzwlan1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 3 rlm_eap: EAP packet type response id 4 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 rlm_realm: No '@' in User-Name = "unrzwlan1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 users: Matched entry unrzwlan1 at line 7 modcall[authorize]: module "files" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 244 to 131.188.4.191:20000 Tunnel-Private-Group-Id:0 := "rlan79" EAP-Message = 0x01050031190014030100010116030100200d82935c4fba5b2fbe1b7b4c598ea32344947c2581d55055f0641fa5799add8a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9d81b76d29d5bb96bf1dc5aff91eca54 Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 131.188.4.191:20000, id=244, length=343 Sending duplicate reply to client airbrush:20000 - ID: 244 Re-sending Access-Challenge of id 244 to 131.188.4.191:20000 --- Walking the entire request list --- Cleaning up request 3 ID 244 with timestamp 42ae84fa Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 131.188.4.191:20000, id=245, length=157 NAS-Port-Id = "2049/2" Calling-Station-Id = "00-90-4B-8F-B7-3B" Called-Station-Id = "00-0B-0E-03-00-42:FAU-SEC" Service-Type = Framed-User User-Name = "unrzwlan1" State = 0x9d81b76d29d5bb96bf1dc5aff91eca54 EAP-Message = 0x020500061900 NAS-Identifier = "Trapeze" NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 131.188.4.191 Message-Authenticator = 0x98dfeebf52628428dc408c9f62f82eae Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for unrzwlan1 radius_xlat: '(Userid=unrzwlan1)' radius_xlat: 'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrzwlan1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 4 rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 rlm_realm: No '@' in User-Name = "unrzwlan1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 users: Matched entry unrzwlan1 at line 7 modcall[authorize]: module "files" returns ok for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 4 modcall: group authenticate returns handled for request 4 Sending Access-Challenge of id 245 to 131.188.4.191:20000 Tunnel-Private-Group-Id:0 := "rlan79" EAP-Message = 0x01060020190017030100155ebdd4ec256eaf20b4bb360814046973b7278911f5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5550b1e72047a615aabba5f7ff3d2ca4 Finished request 4 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 131.188.4.191:20000, id=245, length=157 Sending duplicate reply to client airbrush:20000 - ID: 245 Re-sending Access-Challenge of id 245 to 131.188.4.191:20000 --- Walking the entire request list --- Cleaning up request 4 ID 245 with timestamp 42ae8500 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 131.188.4.191:20000, id=246, length=188 NAS-Port-Id = "2049/2" Calling-Station-Id = "00-90-4B-8F-B7-3B" Called-Station-Id = "00-0B-0E-03-00-42:FAU-SEC" Service-Type = Framed-User User-Name = "unrzwlan1" State = 0x5550b1e72047a615aabba5f7ff3d2ca4 EAP-Message = 0x020600251900170301001acf257b5d5175a6d6c603a5d139f8bd828d2bd6dbe8844fccf2cd NAS-Identifier = "Trapeze" NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 131.188.4.191 Message-Authenticator = 0x775a859495ddaf5afa961b101bdfe4c0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for unrzwlan1 radius_xlat: '(Userid=unrzwlan1)' radius_xlat: 'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrzwlan1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 5 rlm_eap: EAP packet type response id 6 length 37 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 rlm_realm: No '@' in User-Name = "unrzwlan1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 users: Matched entry unrzwlan1 at line 7 modcall[authorize]: module "files" returns ok for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - unrzwlan1 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of unrzwlan1 PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to unrzwlan1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for unrzwlan1 radius_xlat: '(Userid=unrzwlan1)' radius_xlat: 'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrzwlan1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 5 rlm_eap: EAP packet type response id 6 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 rlm_realm: No '@' in User-Name = "unrzwlan1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 users: Matched entry unrzwlan1 at line 7 modcall[authorize]: module "files" returns ok for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: group authenticate returns handled for request 5 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: group authenticate returns handled for request 5 Sending Access-Challenge of id 246 to 131.188.4.191:20000 Tunnel-Private-Group-Id:0 := "rlan79" EAP-Message = 0x0107003a1900170301002f7b538daa1741a491b722435b2a31abfc91bb8c57ef305215e4068899f8b32a4b12f3814070ecb62de13b28567f5b29 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x608c84a6c7bdebe11497b75e98da27ab Finished request 5 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 131.188.4.191:20000, id=246, length=188 Sending duplicate reply to client airbrush:20000 - ID: 246 Re-sending Access-Challenge of id 246 to 131.188.4.191:20000 --- Walking the entire request list --- Cleaning up request 5 ID 246 with timestamp 42ae8506 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 131.188.4.191:20000, id=246, length=188 NAS-Port-Id = "2049/2" Calling-Station-Id = "00-90-4B-8F-B7-3B" Called-Station-Id = "00-0B-0E-03-00-42:FAU-SEC" Service-Type = Framed-User User-Name = "unrzwlan1" State = 0x5550b1e72047a615aabba5f7ff3d2ca4 EAP-Message = 0x020600251900170301001acf257b5d5175a6d6c603a5d139f8bd828d2bd6dbe8844fccf2cd NAS-Identifier = "Trapeze" NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 131.188.4.191 Message-Authenticator = 0x775a859495ddaf5afa961b101bdfe4c0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for unrzwlan1 radius_xlat: '(Userid=unrzwlan1)' radius_xlat: 'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrzwlan1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 6 rlm_eap: EAP packet type response id 6 length 37 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 rlm_realm: No '@' in User-Name = "unrzwlan1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 users: Matched entry unrzwlan1 at line 7 modcall[authorize]: module "files" returns ok for request 6 modcall: group authorize returns updated for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 6 modcall: group authenticate returns invalid for request 6 auth: Failed to validate the user. Login incorrect (rlm_ldap: User not found): [unrzwlan1/<no User-Password attribute>] (from client airbrush port 0 cli 00-90-4B-8F-B7-3B) Delaying request 6 for 1 seconds Finished request 6 Going to the next request
Never used EAP, but perhaps this will be helpful. rlm_ldap: - authorize rlm_ldap: performing user authorization for unrzwlan1 radius_xlat: '(Userid=unrzwlan1)' radius_xlat: 'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrzwlan1) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 6 That looks pretty clear to me that either this user does not exist in your ldap directory. Perhaps you have the search filter incorrect? Or, the user you are binding with does not have access to read that users entry. rlm_ldap: bind as cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE/zope148FP to 131.188.3.53:400 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful What happens if you do an ldapsearch from command line? # ldapsearch -D "cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE" -w zope148FP -b "ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE" "(Userid=unrzwlan1)"
participants (2)
-
Dustin Doris -
Florian Prester