PEAP LDAP password problem
Hello, I have usual problem for persons who wants to setup LDAP+PEAP integration. I want to setup WIFI with PEAP auth. via FreeRadius. The problem is that I can login with ldap login thought radtest testuser 123456 localhost 10 secret. But I can't do the same thought my wifi laptop(ldap login) but I can login on my laptop with local login (/etc/freeradius/users). I found several suggestion according my situation but I can't solve the problem. Delete :DEFAULT Auth-Type := LDAP Add : checkItem User-Password userPassword checkItem userPassword lmPassword It seems that is my direct ldap query don't have : User-Password = "" Atribute. log file ================================== rlm_realm: No '@' in User-Name = "username", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_realm: No '\' in User-Name = "username", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 2 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for username radius_xlat: '(&(uid=username)(objectClass=posixAccount))' radius_xlat: 'dc=company,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=company,dc=com, with filter (&(uid=username)(objectClass=posixAccount)) rlm_ldap: checking if remote access for username is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user username authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 211 to 100.100.128.139 port 6001 EAP-Message = 0x010402f71900170d3036303132343133323630375a30819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52ccb99b41e8 EAP-Message = 0x0ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010 EAP-Message = 0x060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x944b46983edee9d6374c638b077a98b0 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 100.100.128.139:6001, id=212, length=347 User-Name = "username" NAS-IP-Address = 100.100.128.139 Called-Station-Id = "00-20-a6-64-66-a3:A" Calling-Station-Id = "00-18-de-4e-8f-1d" NAS-Identifier = "ORiNOCO-AP-700-64-66-a3" State = 0x944b46983edee9d6374c638b077a98b0 Framed-MTU = 1400 NAS-Port = 2 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400c01980000000b616030100861000008200807d0aa8cba27d582c350fe812e3a13585488f0fd2dd93ad428f2c412328332d3efe74a4a3ddd31f44aec192a4aafa6d96a78de561284fce538250b20fe110d972de06c41880703f3fe7326e4c5d44d1bb9d5dae51e5b05a5f7bd2e96ca9aa91ba2aaacaecc7f979d32ffd32857dcf70ef92b88a2ec2806593cd1888bbe61f6ece1403010001011603010020e1a93666bea97c8b068187f07c7a55b581fee2dc5f9b7ba1b8b920487c503178 Message-Authenticator = 0xd7ccfc59fba379f1f22b2d86f284967f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_realm: No '\' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 3 rlm_eap: EAP packet type response id 4 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for user radius_xlat: '(&(uid=user)(objectClass=posixAccount))' radius_xlat: 'dc=company,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=company,dc=com, with filter (&(uid=user)(objectClass=posixAccount)) rlm_ldap: checking if remote access for user is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user username authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 212 to 100.100.128.139 port 6001 EAP-Message = 0x0105003119001403010001011603010020fcb9a12ef0f4c6ee542c7448c19f2d0a90980fbeccc23732a37133106723dc53 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9f545f6b44154fe7443c4c9b8503f14d Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 100.100.128.139:6001, id=213, length=161 User-Name = "user" NAS-IP-Address = 100.100.128.139 Called-Station-Id = "00-20-a6-64-66-a3:A" Calling-Station-Id = "00-18-de-4e-8f-1d" NAS-Identifier = "ORiNOCO-AP-700-64-66-a3" State = 0x9f545f6b44154fe7443c4c9b8503f14d Framed-MTU = 1400 NAS-Port = 2 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061900 Message-Authenticator = 0xfb78e6a22ba9350c248c45488967f9e3 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_realm: No '\' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 4 rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for user radius_xlat: '(&(uid=user)(objectClass=posixAccount))' radius_xlat: 'dc=company,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=company,dc=com, with filter (&(uid=user)(objectClass=posixAccount)) rlm_ldap: checking if remote access for user is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 213 to 100.100.128.139 port 6001 EAP-Message = 0x010600201900170301001550a63ce907f8230086ea4cfe01fa4b04d285fa90fd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0491782a026ef1c37d38229aa2a09fd2 Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 100.100.128.139:6001, id=214, length=189 User-Name = "user" NAS-IP-Address = 100.100.128.139 Called-Station-Id = "00-20-a6-64-66-a3:A" Calling-Station-Id = "00-18-de-4e-8f-1d" NAS-Identifier = "ORiNOCO-AP-700-64-66-a3" State = 0x0491782a026ef1c37d38229aa2a09fd2 Framed-MTU = 1400 NAS-Port = 2 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02060022190017030100170c1a8d4e36f76ec984c2802da6ffc5ba177ee6d24fa2b6 Message-Authenticator = 0x2d07b6b5d35b4a8a62e04fee324d7d37 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_realm: No '\' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 5 rlm_eap: EAP packet type response id 6 length 34 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for user radius_xlat: '(&(uid=user)(objectClass=posixAccount))' radius_xlat: 'dc=company,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=company,dc=com, with filter (&(uid=user)(objectClass=posixAccount)) rlm_ldap: checking if remote access for user is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - user rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x0206000b0165726f6e6b6f PEAP: Got tunneled identity of user PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to user PEAP: Sending tunneled request EAP-Message = 0x0206000b0165726f6e6b6f FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "user" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_realm: No '\' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 5 rlm_eap: EAP packet type response id 6 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for user radius_xlat: '(&(uid=user)(objectClass=posixAccount))' radius_xlat: 'dc=company,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=company,dc=com, with filter (&(uid=user)(objectClass=posixAccount)) rlm_ldap: checking if remote access for user is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010700201a0107001b106ed1ec90bcd32cc73c262c2156f4e35b65726f6e6b6f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe6b54da771c6c9951580aa2c13a974f1 PEAP: Processing from tunneled session code 0x8014b458 11 EAP-Message = 0x010700201a0107001b106ed1ec90bcd32cc73c262c2156f4e35b65726f6e6b6f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe6b54da771c6c9951580aa2c13a974f1 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 214 to 100.100.128.139 port 6001 EAP-Message = 0x010700371900170301002cf7b661ce86c13ad322a5ee1424937977095638f0df2a81f3fbf1edf93d3130ce91835ab86ea73ee239dc5de0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3bc371fff6daef9820ca18ec1a95d748 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 100.100.128.139:6001, id=215, length=243 User-Name = "user" NAS-IP-Address = 100.100.128.139 Called-Station-Id = "00-20-a6-64-66-a3:A" Calling-Station-Id = "00-18-de-4e-8f-1d" NAS-Identifier = "ORiNOCO-AP-700-64-66-a3" State = 0x3bc371fff6daef9820ca18ec1a95d748 Framed-MTU = 1400 NAS-Port = 2 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020700581900170301004d60cb0ad1df28d5131e19ea9db9006aae8b2fab7987ddf7b12b0ef50d864f1b1a813ef2867eb0af3f119842d120c90c8713f1bc573de395d46e26d4b755c9a81b1c2b725fb8c124cc009c7cb77a Message-Authenticator = 0x446d0653078e6318ed2fcab66426a52f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_realm: No '\' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 6 rlm_eap: EAP packet type response id 7 length 88 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for user radius_xlat: '(&(uid=user)(objectClass=posixAccount))' radius_xlat: 'dc=company,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=company,dc=com, with filter (&(uid=user)(objectClass=posixAccount)) rlm_ldap: checking if remote access for user is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020700411a0207003c31d882c1781c00f76d0e243209bf9bacbd00000000000000005e5fe71c20fb537939dabaa9e0a5e252eeb22bbc2cb884bc0065726f6e6b6f PEAP: Setting User-Name to user PEAP: Adding old state with e6 b5 PEAP: Sending tunneled request EAP-Message = 0x020700411a0207003c31d882c1781c00f76d0e243209bf9bacbd00000000000000005e5fe71c20fb537939dabaa9e0a5e252eeb22bbc2cb884bc0065726f6e6b6f FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "user" State = 0xe6b54da771c6c9951580aa2c13a974f1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_realm: No '\' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 6 rlm_eap: EAP packet type response id 7 length 65 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for user radius_xlat: '(&(uid=user)(objectClass=posixAccount))' radius_xlat: 'dc=company,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=company,dc=com, with filter (&(uid=user)(objectClass=posixAccount)) rlm_ldap: checking if remote access for user is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for user with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: leaving group MS-CHAP (returns reject) for request 6 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: leaving group authenticate (returns reject) for request 6 auth: Failed to validate the user. PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x8014e3d0 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 215 to 100.100.128.139 port 6001 EAP-Message = 0x010800261900170301001bb07f823ff790eaac7e023f39cdfa2c13c74448e9b40ce1b6c0335f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8b12accaa14d0c6f0c8e3d6d75bd953f Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 100.100.128.139:6001, id=216, length=193 User-Name = "user" NAS-IP-Address = 100.100.128.139 Called-Station-Id = "00-20-a6-64-66-a3:A" Calling-Station-Id = "00-18-de-4e-8f-1d" NAS-Identifier = "ORiNOCO-AP-700-64-66-a3" State = 0x8b12accaa14d0c6f0c8e3d6d75bd953f Framed-MTU = 1400 NAS-Port = 2 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800261900170301001b45b602e857c5b518dcbb213f9a82d53af11486f45a392431f4fc11 Message-Authenticator = 0x4cbc5e10e73739446acfdbb116669e3a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_realm: No '\' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 7 rlm_eap: EAP packet type response id 8 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 rlm_ldap: - authorize rlm_ldap: performing user authorization for user radius_xlat: '(&(uid=user)(objectClass=posixAccount))' radius_xlat: 'dc=company,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=company,dc=com, with filter (&(uid=user)(objectClass=posixAccount)) rlm_ldap: checking if remote access for user is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. Delaying request 7 for 1 seconds Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 100.100.128.139:6001, id=216, length=193 Sending Access-Reject of id 216 to 100.100.128.139 port 6001 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 3 seconds... rad_recv: Access-Request packet from host 127.0.0.1:1033, id=237, length=58 User-Name = "user" User-Password = "password" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_realm: No '\' in User-Name = "user", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 8 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 8 rlm_ldap: - authorize rlm_ldap: performing user authorization for user radius_xlat: '(&(uid=user)(objectClass=posixAccount))' radius_xlat: 'dc=company,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=company,dc=com, with filter (&(uid=user)(objectClass=posixAccount)) rlm_ldap: checking if remote access for useris allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user username authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 8 modcall: leaving group authorize (returns ok) for request 8 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 8 rlm_ldap: - authenticate rlm_ldap: login attempt by "username" with password "password" rlm_ldap: user DN: uid=username,ou=People,dc=company,dc=com rlm_ldap: (re)connect to ldap1.company:389, authentication 1 rlm_ldap: setting TLS CACert File to /etc/cert/cert.pem rlm_ldap: starting TLS rlm_ldap: bind as uid=username,ou=People,dc=company,dc=com/password to ldap1.in.company:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user username authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 8 modcall: leaving group LDAP (returns ok) for request 8 Sending Access-Accept of id 237 to 127.0.0.1 port 1033 Finished request 8 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 209 with timestamp 47c2cee7 Cleaning up request 1 ID 210 with timestamp 47c2cee7 Cleaning up request 2 ID 211 with timestamp 47c2cee7 Cleaning up request 3 ID 212 with timestamp 47c2cee7 Cleaning up request 4 ID 213 with timestamp 47c2cee7 Cleaning up request 5 ID 214 with timestamp 47c2cee7 Cleaning up request 6 ID 215 with timestamp 47c2cee7 Cleaning up request 7 ID 216 with timestamp 47c2cee7 Waking up in 5 seconds... ================================== Thank you Era
Alexey Eronko wrote:
I have usual problem for persons who wants to setup LDAP+PEAP integration. I want to setup WIFI with PEAP auth. via FreeRadius. The problem is that I can login with ldap login thought radtest testuser 123456 localhost 10 secret.
Which probably does LDAP bind. That's not what you need for PEAP to work.
It seems that is my direct ldap query don't have : User-Password = "" Atribute.
Then you can't do PEAP. PEAP needs access to the users cleartext password. Configure a password in LDAP for the user, and PEAP will work. Alan DeKok.
Hi! I have several services who use LDAP (openldap). For example Linux(via pam),apache,svn. On my ldap server passwords stored in encrypted hash. Do I right understand you that I need add another field(nt hash) for radius authorization? I don't want to store clear text password in my LDAP. Another important question for my is : Does freeradius support MAC filtering. I need this feature for my WIFI network. Thanks a lot Alexey Alexey Eronko wrote:
I have usual problem for persons who wants to setup LDAP+PEAP integration. I want to setup WIFI with PEAP auth. via FreeRadius. The problem is that I can login with ldap login thought radtest testuser 123456 localhost 10 secret.
Which probably does LDAP bind. That's not what you need for PEAP to work.
It seems that is my direct ldap query don't have : User-Password = "" Atribute.
Then you can't do PEAP. PEAP needs access to the users cleartext password. Configure a password in LDAP for the user, and PEAP will work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Alexey Eronko