Cisco AP, FreeRADIUS and Fedora Directory Server
Hello, I'm trying to authenticate Windows users via Cisco AP 1100, freeradius and Fedora Directory Server (FDS) combination. I configured FDS and radiusd.conf and other configuration files according to ldap_howto found in freeradius documentation. I managed to authorize users but authentication doesn't work. Here is the log of radiusd -X. I have to make it work urgently. Has anybody suggestions? rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:21645, id=91, length=170 User-Name = "yilmaz" Framed-MTU = 1400 Called-Station-Id = "0012.dae5.02d0" Calling-Station-Id = "00a0.c5fb.a044" Service-Type = Login-User Message-Authenticator = 0xb5aae70f920a25df14d59908548ecadf EAP-Message = 0x020a00261900170301001b242f66ff01fc8cabcc0f2e8203235bec935abdc9dac564949a1b82 NAS-Port-Type = Wireless-802.11 NAS-Port = 674 State = 0x5a4c45339a4de6925fbb158c95df2d80 NAS-IP-Address = xxx.xxx.xxx.xxx NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 17 modcall[authorize]: module "preprocess" returns ok for request 17 modcall[authorize]: module "chap" returns noop for request 17 modcall[authorize]: module "mschap" returns noop for request 17 rlm_realm: No '@' in User-Name = "yilmaz", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 17 rlm_eap: EAP packet type response id 10 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 17 users: Matched entry DEFAULT at line 152 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=Personel,dc=deu,dc=edu,dc=tr' radius_xlat: '(uid=yilmaz)' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Personel,dc=deu,dc=edu,dc=tr, with filter (uid=yilmaz) rlm_ldap: ldap_release_conn: Release Id: 0 radius_xlat: '(&(uid=yilmaz)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Personel,dc=deu,dc=edu,dc=tr, with filter (&(radiusGroupName=disabled)(&(uid=yilmaz)(objectclass=radiusprofile))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in uid=yilmaz, ou=Personel,dc=deu,dc=edu,dc=tr, with filter (objectclass=*) rlm_ldap::groupcmp: Group disabled not found ????or user not a member rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=Personel,dc=deu,dc=edu,dc=tr' radius_xlat: '(&(uid=yilmaz)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Personel,dc=deu,dc=edu,dc=tr, with filter (&(radiusGroupName=kablosuz)(&(uid=yilmaz)(objectclass=radiusprofile))) rlm_ldap::ldap_groupcmp: User found in group kablosuz rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 222 modcall[authorize]: module "files" returns ok for request 17 rlm_ldap: - authorize rlm_ldap: performing user authorization for yilmaz radius_xlat: '(uid=yilmaz)' radius_xlat: 'ou=Personel,dc=deu,dc=edu,dc=tr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Personel,dc=deu,dc=edu,dc=tr, with filter (uid=yilmaz) rlm_ldap: performing search in uid=kablosuz,ou=Radius,ou=Profil,dc=deu,dc=edu,dc=tr, with filter (objectclass=radiusprofile) rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11 rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user yilmaz authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 17 modcall: leaving group authorize (returns updated) for request 17 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 17 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 17 modcall: leaving group authenticate (returns invalid) for request 17 auth: Failed to validate the user. Delaying request 17 for 1 seconds Finished request 17 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:21645, id=91, length=170 Sending Access-Reject of id 91 to xxx.xxx.xxx.xxx port 21645 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Cleaning up request 9 ID 83 with timestamp 4532acc3 Cleaning up request 10 ID 84 with timestamp 4532acc3 Cleaning up request 11 ID 85 with timestamp 4532acc3 Cleaning up request 12 ID 86 with timestamp 4532acc3 Cleaning up request 13 ID 87 with timestamp 4532acc3 Cleaning up request 14 ID 88 with timestamp 4532acc3 Cleaning up request 15 ID 89 with timestamp 4532acc3 Cleaning up request 16 ID 90 with timestamp 4532acc3 Cleaning up request 17 ID 91 with timestamp 4532acc3 Nothing to do. Sleeping until we see a request.
Hi, On 10/15/06, Mustafa Şenay <mustubuntu@gmail.com> wrote:
according to ldap_howto found in freeradius documentation. I managed to authorize users but authentication doesn't work. Here is the log of
Hm, well, sort of, as you get:
rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
Probably wrong password. One cannot really be sure as you left out those "earlier in this session" parts of the _full_ debug output. regards K. Hoercher
Hm, well, sort of, as you get:
rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
Probably wrong password. One cannot really be sure as you left out those "earlier in this session" parts of the _full_ debug output.
Same password works when binding to LDAP server from different client applications, sucha as GQ. So I'm pretty sure that password is correct. I'm not sure that how will RADIUS server know to check password against LDAP server while EAP is in place?
On 10/16/06, Mustafa Şenay <mustubuntu@gmail.com> wrote:
Same password works when binding to LDAP server from different client applications, sucha as GQ. So I'm pretty sure that password is correct.
That doesn't mean it works for PEAP too (probably not). See below.
I'm not sure that how will RADIUS server know to check password against LDAP server while EAP is in place?
It's not so much EAP in general, but the PEAP (i.e. MSCHAPv2 part). However search this list's archive, see documentation etc. and the pertinent parts of the server's debug output you still chose not to provide here. regards K. Hoercher
It's not so much EAP in general, but the PEAP (i.e. MSCHAPv2 part). However search this list's archive, see documentation etc. and the pertinent parts of the server's debug output you still chose not to provide here.
regards K. Hoercher
Is there a way to get clear password after PEAP plugin has processed EAP message and gained password to check against users file? Mustafa
"=?ISO-8859-2?Q?Mustafa_=AAenay?=" <mustubuntu@gmail.com> wrote:
Same password works when binding to LDAP server from different client applications, sucha as GQ. So I'm pretty sure that password is correct.
That doesn't matter. Read ALL OF THE DEBUGGING LOG. IT WILL TELL YOU WHAT IS GOING ON. If you DO NOT read it, you WILL NOT solve the problem.
I'm not sure that how will RADIUS server know to check password against LDAP server while EAP is in place?
It doesn't. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
"=?ISO-8859-2?Q?Mustafa_=AAenay?=" <mustubuntu@gmail.com> wrote:
Does this mean that EAP plugin only checks "users" file to authenticate users with their passwords?
No. It means that EAP doesn't supply a password, so it doesn't exist, and can't be checked against LDAP. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (3)
-
Alan DeKok -
K. Hoercher -
Mustafa Şenay