EAP-TTLS-PAP-LDAP
Trying to do EAP-TTLS-PAP with CRYPT passwd in LDAP.. The tunelling seems fine.. but up to comparing the password it will failed. Refer below logs & config Some says (http://felipe-alfaro.org/blog/category/radius/) PAP is tunneled inside EAP-TTLS through EAP-GTC... Tried that as well.. still same error.. gtc { auth_type = PAP [even trying to change to LDAP/OCE - still same error) } Error ==== auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Login incorrect: [jaroce2@ocemy015.com] (from client localhost port 0) TTLS: Got tunneled Access-Reject rlm_eap: Handler failed in EAP/ttls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 9 modcall: leaving group authenticate (returns invalid) for request 9 auth: Failed to validate the user. Login incorrect: [jaroce2@ocemy015.com] (from client OCE_JARING port 241 cli 00-11-5b-2d-b2-8e) With setting:- a) radiusd.conf ldapOCE { --some setting } authorize { eap Autz-Type OCE { ldapOCE } } authenticate { Auth-Type OCE { ldapOCE } eap } b) eap.conf eap { default_eap_type = ttls tls { --some setting } ttls { default_eap_type = md5 } c) users:- DEFAULT Realm == "my015.com", Autz-Type := OCE
No error detected (refer below debug logs).. only that radius cannot assign Auth-Type since i do not specify in users file.. I let radius detect by itself... but since in my users file.. there are a few lines that been specified with Auth-Type... it cannot figure it out on its own.. i've a few services refer to different LDAP tree.. So i need to specify the Auth-Type for other services... Any other solution...?? The EAP should follow line with OCE.. but I do not specify any Auth-Type on that line... DEFAULT NAS-Identifier == "Wireless-802.11", Autz-Type := Y5, Auth-Type :=Y5 DEFAULT Realm == "ocemy015.com", Autz-Type := OCE DEFAULT Autz-Type := LDAP, Auth-Type :=LDAP rad_recv: Access-Request packet from host 202.73.10.12:1814, id=20, length=216 Framed-MTU = 1466 NAS-IP-Address = 10.220.0.3 NAS-Identifier = "OCEPOP2" User-Name = "jaroce2@ocemy015.com" Service-Type = Framed-User NAS-Port = 241 NAS-Port-Type = Ethernet NAS-Port-Id = "ether16_241" Called-Station-Id = "00-11-95-dd-31-0a" Calling-Station-Id = "00-11-5b-2d-b2-8e" Connect-Info = "CONNECT Ethernet 2Mbps Full duplex" EAP-Message = 0x02010019016a61726f636532406f63656d793031352e636f6d Message-Authenticator = 0xf66af566c577294fbd2873cf99c82fd6 Proxy-State = 0x32 rad_rmspace_pair: User-Name now 'jaroce2@ocemy015.com' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '/' in User-Name = "jaroce2@ocemy015.com", skipping NULL due to config. modcall[authorize]: module "IPASS" returns noop for request 5 rlm_realm: Looking up realm "ocemy015.com" for User-Name = "jaroce2@ocemy015.com" rlm_realm: Found realm "ocemy015.com" rlm_realm: Adding Stripped-User-Name = "jaroce2" rlm_realm: Proxying request from user jaroce2 to realm ocemy015.com rlm_realm: Adding Realm = "ocemy015.com" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 1 length 25 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 19 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 Found Autz-Type OCE Processing the authorize section of radiusd.conf modcall: entering group OCE for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for jaroce2 radius_xlat: '(uid=jaroce2)' radius_xlat: 'ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 61.6.32.201:389, authentication 0 rlm_ldap: bind as cn=Sysadmin,ou=Applications,dc=jaring,dc=my/kh4l1f4h to 61.6.32.201:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my, with filter (uid=jaroce2) rlm_ldap: checking if remote access for jaroce2 is allowed by dialupAccess rlm_ldap: Added password {CRYPT}$1$ZRXMvi1s$zBQaHYkaxDjGi5zL2geNN0 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11 rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11 rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11 rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11 rlm_ldap: user jaroce2 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldapOCE" returns ok for request 5 modcall: leaving group OCE (returns ok) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 20 to 202.73.10.12 port 1814 Framed-Compression = Van-Jacobson-TCP-IP Framed-MTU = 1500 Framed-Protocol = PPP Service-Type = Framed-User EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6f8d462fc1d7a9ef273cff67a79b9225 Proxy-State = 0x32 Finished request 5 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 202.73.10.12:1814, id=21, length=269 Framed-MTU = 1466 NAS-IP-Address = 10.220.0.3 NAS-Identifier = "OCEPOP2" User-Name = "jaroce2@ocemy015.com" Service-Type = Framed-User NAS-Port = 241 NAS-Port-Type = Ethernet NAS-Port-Id = "ether16_241" Called-Station-Id = "00-11-95-dd-31-0a" Calling-Station-Id = "00-11-5b-2d-b2-8e" Connect-Info = "CONNECT Ethernet 2Mbps Full duplex" State = 0x6f8d462fc1d7a9ef273cff67a79b9225 EAP-Message = 0x0202003c158000000032160301002d01000029030186f82eb5952be3b8ceadc4a4edc478c2c08acc553c7f ee894a2a9361bfdcfbb5000002000a0100 Message-Authenticator = 0x9eabe246450cacd8dfd7f8ab25d623e9 Proxy-State = 0x33 rad_rmspace_pair: User-Name now 'jaroce2@ocemy015.com' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '/' in User-Name = "jaroce2@ocemy015.com", skipping NULL due to config. modcall[authorize]: module "IPASS" returns noop for request 6 rlm_realm: Looking up realm "ocemy015.com" for User-Name = "jaroce2@ocemy015.com" rlm_realm: Found realm "ocemy015.com" rlm_realm: Adding Stripped-User-Name = "jaroce2" rlm_realm: Proxying request from user jaroce2 to realm ocemy015.com rlm_realm: Adding Realm = "ocemy015.com" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 2 length 60 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 19 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 Found Autz-Type OCE Processing the authorize section of radiusd.conf modcall: entering group OCE for request 6 rlm_ldap: - authorize rlm_ldap: performing user authorization for jaroce2 radius_xlat: '(uid=jaroce2)' radius_xlat: 'ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my, with filter (uid=jaroce2) rlm_ldap: checking if remote access for jaroce2 is allowed by dialupAccess rlm_ldap: Added password {CRYPT}$1$ZRXMvi1s$zBQaHYkaxDjGi5zL2geNN0 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11 rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11 rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11 rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11 rlm_ldap: user jaroce2 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldapOCE" returns ok for request 6 modcall: leaving group OCE (returns ok) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 21 to 202.73.10.12 port 1814 Framed-Compression = Van-Jacobson-TCP-IP Framed-MTU = 1500 Framed-Protocol = PPP Service-Type = Framed-User EAP-Message = 0x0103040a15c0000006f1160301004a02000046030144b70003608201d67571c6b0b8e90af392f94fcfd408 987fb99af1ad06a5a02620e8a88c919eb766ca2a2893ad7e552bd5348071e5638448deb60aa9eb709ccfa6000a0016030106940b000690 00068d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111 300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a 6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365 EAP-Message = 0x7274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f 6d301e170d3034303132353133323631305a170d3035303132343133323631305a30819b310b30090603550406130243413111300f0603 550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f 6e31123010060355040b13096c6f63616c686f73743119301706035504031310526f6f74206365727469666963617465311f301d06092a 864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003 EAP-Message = 0x818d0030818902818100dac525422bfedb082629a2cba44b3449c90d0ab462fb72c8434a782098863d7eb7 d7e70028c2b7ad555a51cc756cf4fa1d7091615ab450d5289553ae6616aff014a55085d6b8fb4aee98638e426175cdd36c665c63cda177 d34920eb30585edc8773999c2980f81ad4638bbbea1c82d054023db7ef24a3ec1c3f6241a903d7f30203010001a317301530130603551d 25040c300a06082b06010505070301300d06092a864886f70d0101040500038181007a2d921b1cf13bf2982a9178ec9ede6d88edc178a2 e8bd40a0a06fb6f0769957884cd7084537083496fd184165293f583c8e8240eb68e042c94b15752e4c07e80d09 EAP-Message = 0x779afa3dd55c24fa54ac292d77205d1c2477ed30d59f57caf9bd21ff2a8d16cc0911c50e4f295763fcb60e fa3c3d2d0e43850f6e6fbe284902f6e83503650003ba308203b63082031fa003020102020100300d06092a864886f70d01010405003081 9f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d6520436974793115 3013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69 656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c EAP-Message = 0x652e636f6d301e170d3034303132353133323630375a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf7b50f803a4bf2fad1484ad156677437 Proxy-State = 0x33 Finished request 6 Going to the next request --- Walking the entire request list --- Waking up in 4 seconds... rad_recv: Access-Request packet from host 202.73.10.12:1814, id=22, length=215 Framed-MTU = 1466 NAS-IP-Address = 10.220.0.3 NAS-Identifier = "OCEPOP2" User-Name = "jaroce2@ocemy015.com" Service-Type = Framed-User NAS-Port = 241 NAS-Port-Type = Ethernet NAS-Port-Id = "ether16_241" Called-Station-Id = "00-11-95-dd-31-0a" Calling-Station-Id = "00-11-5b-2d-b2-8e" Connect-Info = "CONNECT Ethernet 2Mbps Full duplex" State = 0xf7b50f803a4bf2fad1484ad156677437 EAP-Message = 0x020300061500 Message-Authenticator = 0x37401c244125eb3618d68d4f8a6414f3 Proxy-State = 0x34 rad_rmspace_pair: User-Name now 'jaroce2@ocemy015.com' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '/' in User-Name = "jaroce2@ocemy015.com", skipping NULL due to config. modcall[authorize]: module "IPASS" returns noop for request 7 rlm_realm: Looking up realm "ocemy015.com" for User-Name = "jaroce2@ocemy015.com" rlm_realm: Found realm "ocemy015.com" rlm_realm: Adding Stripped-User-Name = "jaroce2" rlm_realm: Proxying request from user jaroce2 to realm ocemy015.com rlm_realm: Adding Realm = "ocemy015.com" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 19 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 Found Autz-Type OCE Processing the authorize section of radiusd.conf modcall: entering group OCE for request 7 rlm_ldap: - authorize rlm_ldap: performing user authorization for jaroce2 radius_xlat: '(uid=jaroce2)' radius_xlat: 'ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my, with filter (uid=jaroce2) rlm_ldap: checking if remote access for jaroce2 is allowed by dialupAccess rlm_ldap: Added password {CRYPT}$1$ZRXMvi1s$zBQaHYkaxDjGi5zL2geNN0 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11 rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11 rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11 rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11 rlm_ldap: user jaroce2 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldapOCE" returns ok for request 7 modcall: leaving group OCE (returns ok) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 22 to 202.73.10.12 port 1814 Framed-Compression = Van-Jacobson-TCP-IP Framed-MTU = 1500 Framed-Protocol = PPP Service-Type = Framed-User EAP-Message = 0x010402fb1580000006f1170d3036303132343133323630375a30819f310b30090603550406130243413111 300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a 6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e7420636572746966696361746531 21301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d 0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52cc EAP-Message = 0xb99b41e80ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a 1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381 ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e 1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e 63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e EAP-Message = 0x31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365727469 6669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d1304053003 0101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743f dc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8 f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c51603010004 EAP-Message = 0x0e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x72dce9b7a77986474ff02c3969a61113 Proxy-State = 0x34 Finished request 7 Going to the next request --- Walking the entire request list --- Waking up in 2 seconds... rad_recv: Access-Request packet from host 202.73.10.12:1814, id=23, length=409 Framed-MTU = 1466 NAS-IP-Address = 10.220.0.3 NAS-Identifier = "OCEPOP2" User-Name = "jaroce2@ocemy015.com" Service-Type = Framed-User NAS-Port = 241 NAS-Port-Type = Ethernet NAS-Port-Id = "ether16_241" Called-Station-Id = "00-11-95-dd-31-0a" Calling-Station-Id = "00-11-5b-2d-b2-8e" Connect-Info = "CONNECT Ethernet 2Mbps Full duplex" State = 0x72dce9b7a77986474ff02c3969a61113 EAP-Message = 0x020400c81580000000be16030100861000008200802341c2779273ae281a27779473d8ed419e99960f32c2 3b1c039a1375aca953a7471fefacd95dc62f99694c5e978848a43c4338f2b3883a8da396d5222ebf2e9167d1ff10e2a894a5a54b04a332 0e01c71942038dbcaa9bc8270e260d0f456c5d2b9263144f7b892ea6b17a0665235eb771455338a6a6d5a4cadba19e5de785a914030100 010116030100282d7702a5c85bb95a5f50397748a82d9704435586553fcfe6dfe21ab12d2ad770675feaa6d109bfe6 Message-Authenticator = 0x13f423390144c1ce2959e3338dd5cddd Proxy-State = 0x35 rad_rmspace_pair: User-Name now 'jaroce2@ocemy015.com' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '/' in User-Name = "jaroce2@ocemy015.com", skipping NULL due to config. modcall[authorize]: module "IPASS" returns noop for request 8 rlm_realm: Looking up realm "ocemy015.com" for User-Name = "jaroce2@ocemy015.com" rlm_realm: Found realm "ocemy015.com" rlm_realm: Adding Stripped-User-Name = "jaroce2" rlm_realm: Proxying request from user jaroce2 to realm ocemy015.com rlm_realm: Adding Realm = "ocemy015.com" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 4 length 200 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry DEFAULT at line 19 modcall[authorize]: module "files" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 Found Autz-Type OCE Processing the authorize section of radiusd.conf modcall: entering group OCE for request 8 rlm_ldap: - authorize rlm_ldap: performing user authorization for jaroce2 radius_xlat: '(uid=jaroce2)' radius_xlat: 'ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my, with filter (uid=jaroce2) rlm_ldap: checking if remote access for jaroce2 is allowed by dialupAccess rlm_ldap: Added password {CRYPT}$1$ZRXMvi1s$zBQaHYkaxDjGi5zL2geNN0 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11 rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11 rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11 rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11 rlm_ldap: user jaroce2 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldapOCE" returns ok for request 8 modcall: leaving group OCE (returns ok) for request 8 modcall: leaving group OCE (returns ok) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 8 modcall: leaving group authenticate (returns handled) for request 8 Sending Access-Challenge of id 23 to 202.73.10.12 port 1814 Framed-Compression = Van-Jacobson-TCP-IP Framed-MTU = 1500 Framed-Protocol = PPP Service-Type = Framed-User EAP-Message = 0x0105003d15800000003314030100010116030100288659a2b78a274b717ac1b8bf139eb525b05a0e9a694b 72e6a4e6ed3c1778505495aa9ee7b32acafb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5fe274409d7706e1604ff620c6127976 Proxy-State = 0x35 Finished request 8 Going to the next request --- Walking the entire request list --- Cleaning up request 5 ID 20 with timestamp 44b70001 Waking up in 2 seconds... rad_recv: Access-Request packet from host 202.73.10.12:1814, id=24, length=296 Framed-MTU = 1466 NAS-IP-Address = 10.220.0.3 NAS-Identifier = "OCEPOP2" User-Name = "jaroce2@ocemy015.com" Service-Type = Framed-User NAS-Port = 241 NAS-Port-Type = Ethernet NAS-Port-Id = "ether16_241" Called-Station-Id = "00-11-95-dd-31-0a" Calling-Station-Id = "00-11-5b-2d-b2-8e" Connect-Info = "CONNECT Ethernet 2Mbps Full duplex" State = 0x5fe274409d7706e1604ff620c6127976 EAP-Message = 0x0205005715800000004d1703010048b645119ae14f1c156bb2e3b69bd88bb186fc2cf221206ebdcc4ae1cb dcfae0ab7a32d8cac7622c63b8e814905a560d43c8daae1451d22298ba548e2c6321606160affc5f06ebe8c1 Message-Authenticator = 0x9b6c55824f48dfc98d759efe2022f9cc Proxy-State = 0x36 rad_rmspace_pair: User-Name now 'jaroce2@ocemy015.com' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "chap" returns noop for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '/' in User-Name = "jaroce2@ocemy015.com", skipping NULL due to config. modcall[authorize]: module "IPASS" returns noop for request 9 rlm_realm: Looking up realm "ocemy015.com" for User-Name = "jaroce2@ocemy015.com" rlm_realm: Found realm "ocemy015.com" rlm_realm: Adding Stripped-User-Name = "jaroce2" rlm_realm: Proxying request from user jaroce2 to realm ocemy015.com rlm_realm: Adding Realm = "ocemy015.com" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 5 length 87 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 users: Matched entry DEFAULT at line 19 modcall[authorize]: module "files" returns ok for request 9 modcall: leaving group authorize (returns updated) for request 9 Found Autz-Type OCE Processing the authorize section of radiusd.conf modcall: entering group OCE for request 9 rlm_ldap: - authorize rlm_ldap: performing user authorization for jaroce2 radius_xlat: '(uid=jaroce2)' radius_xlat: 'ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my, with filter (uid=jaroce2) rlm_ldap: checking if remote access for jaroce2 is allowed by dialupAccess rlm_ldap: Added password {CRYPT}$1$ZRXMvi1s$zBQaHYkaxDjGi5zL2geNN0 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11 rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11 rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11 rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11 rlm_ldap: user jaroce2 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldapOCE" returns ok for request 9 modcall: leaving group OCE (returns ok) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "chap" returns noop for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '/' in User-Name = "jaroce2@ocemy015.com", skipping NULL due to config. modcall[authorize]: module "IPASS" returns noop for request 9 rlm_realm: Looking up realm "ocemy015.com" for User-Name = "jaroce2@ocemy015.com" rlm_realm: Found realm "ocemy015.com" rlm_realm: Adding Stripped-User-Name = "jaroce2" rlm_realm: Proxying request from user jaroce2 to realm ocemy015.com rlm_realm: Adding Realm = "ocemy015.com" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 9 users: Matched entry DEFAULT at line 19 modcall[authorize]: module "files" returns ok for request 9 modcall: leaving group authorize (returns ok) for request 9 Found Autz-Type OCE Processing the authorize section of radiusd.conf modcall: entering group OCE for request 9 rlm_ldap: - authorize rlm_ldap: performing user authorization for jaroce2 radius_xlat: '(uid=jaroce2)' radius_xlat: 'ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my, with filter (uid=jaroce2) rlm_ldap: checking if remote access for jaroce2 is allowed by dialupAccess rlm_ldap: Added password {CRYPT}$1$ZRXMvi1s$zBQaHYkaxDjGi5zL2geNN0 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11 rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11 rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11 rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11 rlm_ldap: user jaroce2 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldapOCE" returns ok for request 9 modcall: leaving group OCE (returns ok) for request 9 auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Login incorrect: [jaroce2@ocemy015.com] (from client localhost port 0) TTLS: Got tunneled Access-Reject rlm_eap: Handler failed in EAP/ttls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 9 modcall: leaving group authenticate (returns invalid) for request 9 auth: Failed to validate the user. Login incorrect: [jaroce2@ocemy015.com] (from client OCE_JARING port 241 cli 00-11-5b-2d-b2-8e) ----- Original Message ----- From: "Alan DeKok" <aland@nitros9.org> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Friday, July 14, 2006 1:44 PM Subject: Re: EAP-TTLS-PAP-LDAP
"Rohaizam Abu Bakar" <haizam@myjaring.net> wrote:
Login incorrect: [jaroce2@ocemy015.com] (from client localhost port 0) TTLS: Got tunneled Access-Reject
So.... read the *previous* debug logs to see why it was rejected.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Rohaizam Abu Bakar wrote:
rlm_ldap: Added password {CRYPT}$1$ZRXMvi1s$zBQaHYkaxDjGi5zL2geNN0 in
That's your problem. The CVS version of FreeRadius has auto_header which will detect the {type} in the password, strip it and put the password in the right place. Try that. Or, write an external script (run via exec) to manipulate the request correctly. A couple more things: 1. You're doing the LDAP query on *every* radius request, which is pointless for the EAP conversation. You can rework the config so that doesn't happen - see the list archives for "eap AND 127.0.0.1" 2. You put your LDAP server admin name, password and IP into the debug output. I'd change those ASAP...
Thanks Phil.. what a stupid move to paste all that passwd.. I've changed it as soon as i get ur mail... thanks again... cannot find any article related to repeating LDAP query for EAP... pls help.. I think the problem coz by RADIUS cannot figure out to set Auth-Type and then it require plain passwd.. When I change password to plain. with the same setting.. it's working... --haizam ----- Original Message ----- From: "Phil Mayers" <p.mayers@imperial.ac.uk> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Friday, July 14, 2006 5:26 PM Subject: Re: EAP-TTLS-PAP-LDAP
Rohaizam Abu Bakar wrote:
rlm_ldap: Added password {CRYPT}$1$ZRXMvi1s$zBQaHYkaxDjGi5zL2geNN0 in
That's your problem.
The CVS version of FreeRadius has auto_header which will detect the {type} in the password, strip it and put the password in the right place. Try that. Or, write an external script (run via exec) to manipulate the request correctly.
A couple more things:
1. You're doing the LDAP query on *every* radius request, which is pointless for the EAP conversation. You can rework the config so that doesn't happen - see the list archives for "eap AND 127.0.0.1"
2. You put your LDAP server admin name, password and IP into the debug output. I'd change those ASAP... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi I am trying to compile 1.1.2 and I am stuch at the _boo_DynaLoader undefined symbol error extracting global C symbols from `../modules/rlm_eap/types/rlm_eap_peap/.libs/ rlm_eap_peap.a' extracting global C symbols from `../modules/rlm_eap/types/rlm_eap_mschapv2/.libs/ rlm_eap_mschapv2.a' extracting global C symbols from `../modules/rlm_eap/types/rlm_eap_gtc/.libs/rlm_eap_gtc.a' extracting global C symbols from `../modules/rlm_sql/drivers/rlm_sql_iodbc/.libs/ rlm_sql_iodbc.a' (cd .libs && gcc -c -fno-builtin -fno-rtti -fno-exceptions "radiusdS.c") cc1: warning: command line option "-fno-rtti" is valid for C++/ObjC++ but not for C rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT gcc .libs/radiusdS.o -o radiusd acct.o auth.o client.o conffile.o exec.o files.o log.o mainconfig.o modules.o modcall.o nas.o proxy.o radiusd.o radius_snmp.o request_list.o session.o smux.o threads.o util.o valuepair.o version.o timestr.o xlat.o ../modules/rlm_acct_unique/.libs/ rlm_acct_unique.a ../modules/rlm_always/.libs/rlm_always.a ../modules/rlm_attr_filter/.libs/ rlm_attr_filter.a ../modules/rlm_attr_rewrite/.libs/rlm_attr_rewrite.a ../modules/rlm_chap/.libs/ rlm_chap.a ../modules/rlm_dbm/.libs/rlm_dbm.a ../modules/rlm_detail/.libs/rlm_detail.a ../ modules/rlm_digest/.libs/rlm_digest.a ../modules/rlm_eap/.libs/rlm_eap.a ../modules/ rlm_exec/.libs/rlm_exec.a ../modules/rlm_expr/.libs/rlm_expr.a ../modules/ rlm_fastusers/.libs/rlm_fastusers.a ../modules/rlm_files/.libs/rlm_files.a ../modules/ rlm_krb5/.libs/rlm_krb5.a -lkrb5 -lcom_err -lcrypto ../modules/rlm_ldap/.libs/rlm_ldap.a - lldap_r ../modules/rlm_mschap/.libs/rlm_mschap.a ../modules/rlm_ns_mta_md5/.libs/ rlm_ns_mta_md5.a ../modules/rlm_otp/.libs/rlm_otp.a -lcrypto -lcrypto ../modules/ rlm_pam/.libs/rlm_pam.a -lpam ../modules/rlm_pap/.libs/rlm_pap.a ../modules/ rlm_passwd/.libs/rlm_passwd.a ../modules/rlm_perl/.libs/rlm_perl.a -L/usr/local/lib -L/ System/Library/Perl/5.8.6/darwin-thread-multi-2level/CORE -lperl -lm -lc ../modules/ rlm_preprocess/.libs/rlm_preprocess.a ../modules/rlm_radutmp/.libs/rlm_radutmp.a ../ modules/rlm_realm/.libs/rlm_realm.a ../modules/rlm_sql/.libs/rlm_sql.a ../modules/ rlm_sql_log/.libs/rlm_sql_log.a ../modules/rlm_sqlcounter/.libs/rlm_sqlcounter.a ../modules/ rlm_unix/.libs/rlm_unix.a ../modules/rlm_checkval/.libs/rlm_checkval.a ../modules/rlm_eap/ types/rlm_eap_md5/.libs/rlm_eap_md5.a ../modules/rlm_eap/types/rlm_eap_leap/.libs/ rlm_eap_leap.a ../modules/rlm_eap/types/rlm_eap_tls/.libs/rlm_eap_tls.a -lcrypto -lcrypto ../ modules/rlm_eap/types/rlm_eap_ttls/.libs/rlm_eap_ttls.a -lcrypto -lcrypto ../modules/ rlm_eap/types/rlm_eap_sim/.libs/rlm_eap_sim.a ../modules/rlm_eap/types/ rlm_eap_peap/.libs/rlm_eap_peap.a /Users/admin/Desktop/freeradius-1.1.2/src/modules/ rlm_eap/libeap/.libs/libeap.a -lcrypto -lcrypto ../modules/rlm_eap/types/ rlm_eap_mschapv2/.libs/rlm_eap_mschapv2.a ../modules/rlm_eap/types/rlm_eap_gtc/.libs/ rlm_eap_gtc.a ../modules/rlm_sql/drivers/rlm_sql_iodbc/.libs/rlm_sql_iodbc.a -L/usr/lib - liodbc ../modules/rlm_eap/libeap/.libs/libeap.a /Users/admin/Desktop/freeradius-1.1.2/src/ lib/.libs/libradius.a -lresolv -lpthread -lcrypto -lssl -lcrypto ../lib/.libs/libradius.a /usr/lib/ libltdl.a -ldl /usr/bin/ld: Undefined symbols: _boot_DynaLoader collect2: ld returned 1 exit status rm -f .libs/radiusdS.o make[4]: *** [radiusd] Error 1 make[3]: *** [common] Error 2 make[2]: *** [all] Error 2 make[1]: *** [common] Error 2 make: *** [all] Error 2 How do i get going with 1.1.2 as It works perfectly fine with 1.0.5?? Regards & Thanks ================ Mahesh S Kudva ----------------------------------------------- Robosoft Technologies - Come home to Technology
Rohaizam Abu Bakar wrote:
Thanks Phil.. what a stupid move to paste all that passwd.. I've changed it as soon as i get ur mail... thanks again...
cannot find any article related to repeating LDAP query for EAP... pls help..
You don't need to worry about the EAP. The EAP is working fine. It's the PAP request that lives inside the EAP that's failing.
I think the problem coz by RADIUS cannot figure out to set Auth-Type and then it require plain passwd.. When I change password to plain. with the same setting.. it's working...
It's definitely not that. Auth-Type is being set to Local, probably by the default entries in the "users" file, and the server is therefore trying to compare the passwords in the PAP requests with the ones frmo LDAP, which is correct. But as I said, your LDAP directory contains password of the form "{crypt}sombytes". This is breaking it. You have three choices: 1. Upgrade the server to a version which can correctly deal with the "{type}" prefixes. 2. Re-format the passwords, either in the LDAP directory or with an external script, so that the {type} is stripped and the value set in the Crypt-Password attribute. For example, in radiusd.conf: modules { ldap { server = ... basedn = ... # do NOT copy the password attribute here, do it # in ldap.attrmap instead - see below for why # password_attribute # other config items } exec strip_password_header { wait = yes program = "/usr/local/bin/strip_password_header.sh" input_pairs = config output_pairs = config } } authorize { preprocess eap files Autz-Type ttls-inner-bit { ldap strip_password_header } } authenticate { eap } ...and in users: # Match the PAP "inside" bit of EAP-TTLS and set the Autz-Type so # that we only run the ldap query and crypt password rewrite then # Also set Auth-Type to Local so the radius server will check the # passwords DEFAULT Client-IP-Address == 127.0.0.1, Autz-Type := ttls-inner-bit, Auth-Type := Local ...and in ldap.attrmap: checkItem Crypt-Password userPassword ...and in /usr/local/bin/strip_password_header.sh: #!/bin/sh stripped_pw=`echo $CRYPT_PASSWORD | sed -e 's/^{crypt}//g'` echo "Crypt-Password := \"$stripped_pw\"" Basically, what this does is: * do EAP * when the inner PAP request happens * fetch the "{crypt}foobar" from LDAP * rewrite it to "foobar" with a script * let the radius server compare the passwords 3. Stop copying the password over at all, and authenticate the PAP bit with an LDAP simple bind to the directory. See the archives for many posts about "LDAP simple bind PAP"
I think I'm having similar problems. Trying to do EAP-TTLS against LDAP with passwords stored in ssha-1 I get the following in my debug: rlm_ldap: Added password {SSHA}sBKY63Qm0H8T/Rx25tveoZfGaYd9Rjk45TCrWA== in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user mda authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 4 modcall: group authorize returns ok for request 4 rad_check_password: Found Auth-Type ldap auth: type "LDAP" ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. The above seems to indicate to me that I was authorized, but not authenticated? Although in my radiusd.conf, I do have the following which I assumed was correct: pap { encryption_scheme = sha1 } Cheers Matt Ashfield mda@unb.ca -----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Phil Mayers Sent: July 15, 2006 8:09 AM To: FreeRadius users mailing list Subject: Re: EAP-TTLS-PAP-LDAP Rohaizam Abu Bakar wrote:
Thanks Phil.. what a stupid move to paste all that passwd.. I've changed it as soon as i get ur mail... thanks again...
cannot find any article related to repeating LDAP query for EAP... pls help..
You don't need to worry about the EAP. The EAP is working fine. It's the PAP request that lives inside the EAP that's failing.
I think the problem coz by RADIUS cannot figure out to set Auth-Type and then it require plain passwd.. When I change password to plain. with the same setting.. it's working...
It's definitely not that. Auth-Type is being set to Local, probably by the default entries in the "users" file, and the server is therefore trying to compare the passwords in the PAP requests with the ones frmo LDAP, which is correct. But as I said, your LDAP directory contains password of the form "{crypt}sombytes". This is breaking it. You have three choices: 1. Upgrade the server to a version which can correctly deal with the "{type}" prefixes. 2. Re-format the passwords, either in the LDAP directory or with an external script, so that the {type} is stripped and the value set in the Crypt-Password attribute. For example, in radiusd.conf: modules { ldap { server = ... basedn = ... # do NOT copy the password attribute here, do it # in ldap.attrmap instead - see below for why # password_attribute # other config items } exec strip_password_header { wait = yes program = "/usr/local/bin/strip_password_header.sh" input_pairs = config output_pairs = config } } authorize { preprocess eap files Autz-Type ttls-inner-bit { ldap strip_password_header } } authenticate { eap } ...and in users: # Match the PAP "inside" bit of EAP-TTLS and set the Autz-Type so # that we only run the ldap query and crypt password rewrite then # Also set Auth-Type to Local so the radius server will check the # passwords DEFAULT Client-IP-Address == 127.0.0.1, Autz-Type := ttls-inner-bit, Auth-Type := Local ...and in ldap.attrmap: checkItem Crypt-Password userPassword ...and in /usr/local/bin/strip_password_header.sh: #!/bin/sh stripped_pw=`echo $CRYPT_PASSWORD | sed -e 's/^{crypt}//g'` echo "Crypt-Password := \"$stripped_pw\"" Basically, what this does is: * do EAP * when the inner PAP request happens * fetch the "{crypt}foobar" from LDAP * rewrite it to "foobar" with a script * let the radius server compare the passwords 3. Stop copying the password over at all, and authenticate the PAP bit with an LDAP simple bind to the directory. See the archives for many posts about "LDAP simple bind PAP" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nope, it's in my authorize section which is: authorize { preprocess chap mschap suffix eap ldap } My authenticate section (notice LDAP is commented out): authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix # Auth-Type LDAP { # ldap # } eap } The first line in my users file for my Access Point is: DEFAULT Auth-Type = ldap Fall-Through = 1 Matt Ashfield Network Analyst Integrated Technology Services University of New Brunswick (506) 447-3033 mda@unb.ca -----Original Message----- From: Thibault Le Meur [mailto:Thibault.LeMeur@supelec.fr] Sent: July 18, 2006 1:00 PM To: mda@unb.ca; 'FreeRadius users mailing list' Subject: RE : EAP-TTLS-PAP-LDAP
rad_check_password: Found Auth-Type ldap auth: type "LDAP" ERROR: Unknown value specified for Auth-Type. Cannot
Is the ldap module defined in your authenticate section ? Regards, Thibault
"Matt Ashfield" <mda@unb.ca> wrote:
My authenticate section (notice LDAP is commented out): ... The first line in my users file for my Access Point is: DEFAULT Auth-Type = ldap
You configured the server to NOT do LDAP authentication, and then told it to do LDAP authentication. It's not surprising it doesn't work. Alan DeKok.
Nope, it's in my authorize section which is:
Sure it is since the password is read from the LDAP authorize backend ;-)
My authenticate section (notice LDAP is commented out): authenticate {
# Auth-Type LDAP { # ldap # } }
The first line in my users file for my Access Point is: DEFAULT Auth-Type = ldap Fall-Through = 1
With this users file, your user will be authenticated with the Authenticate module associated with Auth-Type=ldap. However there is no such authenticate module defined in your radiusd.conf. If you want to authenticate users with an LDAP bind, you need tto uncomment the previous LDAP lines from the authenticate section and to use the following users file: DEFAULT Auth-Type = LDAP Fall-Through = 1 Can you try these ? Regards, Thibault
Hi all, I think i'm having problems too with EAP-TTLS / PAP with LDAP password stored in ssha-1. I've newest release of freeradius : 1.1.2. In debug mode : rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user wifilsh authorized to use remote access rlm_ldap: ldap_release_conn: Release Id:0 modcall[autohrize]: module "ldap1" return ok for request 0 users: Matched entry DEFAULT at line 172 modcall[autohrize]: module "files" return ok for request 0 rlm_eap: No EAP-Message, not doing EAP ... rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" return noop for request 0 ... modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request : Rejecting the user auth: Failed to validate the user. and i tried several configurations in my radiusd.conf : pap { encryption_scheme = sha1 (or auto_header = yes, encryption_scheme=ssha) } EAP-TTLS / PAP authentication works good with clear password. Can i use realm rlm_pap to crypt password in SSHA-1 ? Do anyone have an idea for these problems ? Thanks, Guillaume Matt Ashfield wrote:
I think I'm having similar problems. Trying to do EAP-TTLS against LDAP with passwords stored in ssha-1 I get the following in my debug:
rlm_ldap: Added password {SSHA}sBKY63Qm0H8T/Rx25tveoZfGaYd9Rjk45TCrWA== in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user mda authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 4 modcall: group authorize returns ok for request 4 rad_check_password: Found Auth-Type ldap auth: type "LDAP" ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user.
The above seems to indicate to me that I was authorized, but not authenticated?
Although in my radiusd.conf, I do have the following which I assumed was correct: pap { encryption_scheme = sha1 }
Cheers
Matt Ashfield mda@unb.ca
-----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Phil Mayers Sent: July 15, 2006 8:09 AM To: FreeRadius users mailing list Subject: Re: EAP-TTLS-PAP-LDAP
Rohaizam Abu Bakar wrote:
Thanks Phil.. what a stupid move to paste all that passwd.. I've changed it as soon as i get ur mail... thanks again...
cannot find any article related to repeating LDAP query for EAP... pls help..
You don't need to worry about the EAP. The EAP is working fine. It's the PAP request that lives inside the EAP that's failing.
I think the problem coz by RADIUS cannot figure out to set Auth-Type and then it require plain passwd.. When I change password to plain. with the same setting.. it's working...
It's definitely not that. Auth-Type is being set to Local, probably by the default entries in the "users" file, and the server is therefore trying to compare the passwords in the PAP requests with the ones frmo LDAP, which is correct. But as I said, your LDAP directory contains password of the form "{crypt}sombytes". This is breaking it. You have three choices:
1. Upgrade the server to a version which can correctly deal with the "{type}" prefixes.
2. Re-format the passwords, either in the LDAP directory or with an external script, so that the {type} is stripped and the value set in the Crypt-Password attribute. For example, in radiusd.conf:
modules { ldap { server = ... basedn = ... # do NOT copy the password attribute here, do it # in ldap.attrmap instead - see below for why # password_attribute
# other config items }
exec strip_password_header { wait = yes program = "/usr/local/bin/strip_password_header.sh" input_pairs = config output_pairs = config } }
authorize { preprocess eap files Autz-Type ttls-inner-bit { ldap strip_password_header } }
authenticate { eap }
...and in users:
# Match the PAP "inside" bit of EAP-TTLS and set the Autz-Type so # that we only run the ldap query and crypt password rewrite then # Also set Auth-Type to Local so the radius server will check the # passwords DEFAULT Client-IP-Address == 127.0.0.1, Autz-Type := ttls-inner-bit, Auth-Type := Local
...and in ldap.attrmap:
checkItem Crypt-Password userPassword
...and in /usr/local/bin/strip_password_header.sh:
#!/bin/sh
stripped_pw=`echo $CRYPT_PASSWORD | sed -e 's/^{crypt}//g'` echo "Crypt-Password := \"$stripped_pw\""
Basically, what this does is: * do EAP * when the inner PAP request happens * fetch the "{crypt}foobar" from LDAP * rewrite it to "foobar" with a script * let the radius server compare the passwords
3. Stop copying the password over at all, and authenticate the PAP bit with an LDAP simple bind to the directory. See the archives for many posts about "LDAP simple bind PAP" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Rohaizam Abu Bakar" <haizam@myjaring.net> wrote:
No error detected (refer below debug logs)
Really?
auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user.
Try using the correct password to log in. Alan DeKok.
I don't think it's becoz of wrong password.. It's seems coz by radius cannot set Auth-Type and cannot read crypt password... When change to plain pasword.. then it's work.. --haizam ----- Original Message ----- From: "Alan DeKok" <aland@nitros9.org> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Friday, July 14, 2006 11:28 PM Subject: Re: EAP-TTLS-PAP-LDAP
"Rohaizam Abu Bakar" <haizam@myjaring.net> wrote:
No error detected (refer below debug logs)
Really?
auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user.
Try using the correct password to log in.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
how to put the parameters in which files, to set up the TTLS / PAP ? -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TTLS-PAP-LDAP-tp2752336p5713663.... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (9)
-
akkouche -
Alan DeKok -
Guillaume CAPIOD -
jeff donovan -
Mahesh S Kudva -
Matt Ashfield -
Phil Mayers -
Rohaizam Abu Bakar -
Thibault Le Meur