EAP session matching the State variable.
With 2.0.0 sometimes I get this error message, that I have not seen before: rlm_eap: No EAP session matching the State variable. rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler ++[eap] returns invalid auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT This does not sound good, as there is no real load on the server and the same client will be authenticated some time later without configurational changes. If neccessary, I can provide the long log. Norbert Wegener
Norbert Wegener wrote:
With 2.0.0 sometimes I get this error message, that I have not seen before:
Much of the EAP code was edited in 2.0. It was extensively tested, but apparently there are still issues. That's what happens when changing working code, I guess...
rlm_eap: No EAP session matching the State variable.
Is this happening inside of a PEAP tunnel?
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown ... This does not sound good, as there is no real load on the server and the same client will be authenticated some time later without configurational changes.
If neccessary, I can provide the long log.
That would help... Alan DeKok.
-------- Original-Nachricht --------
Datum: Fri, 08 Feb 2008 10:53:48 +0100 Von: Alan DeKok <aland@deployingradius.com> An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: EAP session matching the State variable.
Norbert Wegener wrote:
With 2.0.0 sometimes I get this error message, that I have not seen before:
Much of the EAP code was edited in 2.0. It was extensively tested, but apparently there are still issues. That's what happens when changing working code, I guess...
rlm_eap: No EAP session matching the State variable.
Is this happening inside of a PEAP tunnel?
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown ... This does not sound good, as there is no real load on the server and the same client will be authenticated some time later without configurational changes.
If neccessary, I can provide the long log.
That would help...
Alan DeKok.
Hmm, i have the same error in 2.0.1. i did kind of a eap-tls-stress-test with a perl script based on the rad_eap_test script. there are a lot of "login oks" in my log-file, but about 5-10% are "login incorrect" with the same error-message as above. i did three stress-tests... here the result: Login OK Login incorrect 5290 281 3556 448 1986 14 Sebastian -- Psssst! Schon vom neuen GMX MultiMessenger gehört? Der kann`s mit allen: http://www.gmx.net/de/go/multimessenger
Sebastian Heil wrote:
Hmm, i have the same error in 2.0.1. i did kind of a eap-tls-stress-test with a perl script based on the rad_eap_test script. there are a lot of "login oks" in my log-file, but about 5-10% are "login incorrect" with the same error-message as above.
i did three stress-tests... here the result:
Login OK Login incorrect 5290 281
If the State variable is mostly zero, then it's a problem... even if authentication succeeds. Alan DeKok.
Sebastian Heil wrote:
Hmm, i have the same error in 2.0.1. i did kind of a eap-tls-stress-test with a perl script based on the rad_eap_test script. there are a lot of "login oks" in my log-file, but about 5-10% are "login incorrect" with the same error-message as above.
i did three stress-tests... here the result:
Login OK Login incorrect 5290 281
If the State variable is mostly zero, then it's a problem... even if authentication succeeds.
Alan DeKok.
Hi, i don't know, if it's my stupid configuration or the freeradius, that produces following: i have two virtual machines (both suse linux 10). on one machine, the freeradius-server is running, on the other machine, i have my little perl-script, that uses rad_eap_test. perl-script: --------------------- #!/usr/bin/perl $i = 0; while ($i<=50000) { $i++; &radtest; } sub radtest { $radiustest = `rad_eap_test -H ******* -P 1812 -S testing123 -u sl90001 -m IEEE8021X -e TLS -j /etc/raddb/certs/sl90001_chain.pem -k /etc/raddb/certs/host_sl90001_chain.pem -a /tmp/rootcerts.pem`; print $radiustest; } ------------------ if i run the script only one-time, the state-variable looks something like this: State = 0x066227990f682a3467daaa2d38adf01c If i run the script 3 or 4 times at the same time on my virtual-server, the freeradius-server gets some problems... after some time, the server produces such state-variables: example: State = 0x0000000000010d000000000000000000 Then, the server switches back to "normal" state-variables... example: State = 0x0000000003040db7c026e2b769757300 and then back to: State = 0x0000000004050d000000000000000000 if the complete debug is helpful, alan, i can send it to you... is there anything, i can try to test? Sebastian -- GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS. Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail
Sebastian Heil wrote:
i don't know, if it's my stupid configuration or the freeradius, that produces following:
No. It's a bug. I committed a fix over the weekend. ...
Then, the server switches back to "normal" state-variables... example: State = 0x0000000003040db7c026e2b769757300
Even that is wrong.
is there anything, i can try to test?
$ cvs update $ cd src/modules/rlm_eap $ make clean $ make ... and re-run the tests. Alan DeKok.
LDAP is installed and working out of the box, having been set to be used for authenication during the SUSE install. This is proven by the ability to log in to the box, both locally and via SSH I installed freeRADIUS from the latest source and it is working also. freeRADIUS seems unable to find a password for the user during Authenication. I issue the following on my workstation david@belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" | radclient 212.95.255.242:1812 auth testing Received response ID 99, code 3, length = 20 And see the following from freeRADIUS Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host 212.95.252.25 port 20758, id=99, length=45 User-Name = "belld" User-Password = "p455w0rd" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "belld", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for belld WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld) expand: dc=dxi,dc=net -> dc=dxi,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user belld authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> belld attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 99 to 212.95.252.25 port 20758 Waking up in 4.9 seconds. What I cant work out is whether this is due to an LDAP or a RADIUS config problem.
Zitat von David W Bell <david@chaoscrypt.com>:
LDAP is installed and working out of the box, having been set to be used for authenication during the SUSE install.
This is proven by the ability to log in to the box, both locally and via SSH
I installed freeRADIUS from the latest source and it is working also.
freeRADIUS seems unable to find a password for the user during Authenication.
I issue the following on my workstation
david@belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" | radclient 212.95.255.242:1812 auth testing Received response ID 99, code 3, length = 20
And see the following from freeRADIUS Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host 212.95.252.25 port 20758, id=99, length=45 User-Name = "belld" User-Password = "p455w0rd" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "belld", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for belld WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld) expand: dc=dxi,dc=net -> dc=dxi,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user belld authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> belld attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 99 to 212.95.252.25 port 20758 Waking up in 4.9 seconds.
What I cant work out is whether this is due to an LDAP or a RADIUS config problem.
what is the result of the following commands (using a terminal): ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld if they (especially the latter) do not return a value for the field "userPassword" the problem is on the LDAP side. markus ---------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
Markus Krause wrote:
Zitat von David W Bell <david@chaoscrypt.com>:
LDAP is installed and working out of the box, having been set to be used for authenication during the SUSE install.
This is proven by the ability to log in to the box, both locally and via SSH
I installed freeRADIUS from the latest source and it is working also.
freeRADIUS seems unable to find a password for the user during Authenication.
I issue the following on my workstation
david@belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" | radclient 212.95.255.242:1812 auth testing Received response ID 99, code 3, length = 20
And see the following from freeRADIUS Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host 212.95.252.25 port 20758, id=99, length=45 User-Name = "belld" User-Password = "p455w0rd" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "belld", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for belld WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld) expand: dc=dxi,dc=net -> dc=dxi,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user belld authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> belld attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 99 to 212.95.252.25 port 20758 Waking up in 4.9 seconds.
What I cant work out is whether this is due to an LDAP or a RADIUS config problem.
what is the result of the following commands (using a terminal): ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
if they (especially the latter) do not return a value for the field "userPassword" the problem is on the LDAP side.
markus
---------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Thanks Markus.
I thought of that - and had done the 1st search and HAD noticed there was no LDAP password set # extended LDIF # # LDAPv3 # base <dc=dxi,dc=net> with scope subtree # filter: uid=belld # requesting: ALL # # belld, people, dxi.net dn: uid=belld,ou=people,dc=dxi,dc=net cn: David Bell gidNumber: 100 givenName: David homeDirectory: /home/belld loginShell: /bin/bash objectClass: top objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson shadowInactive: -1 shadowMax: 99999 shadowMin: 0 shadowWarning: 7 sn: Bell uid: belld uidNumber: 1000 shadowLastChange: 13920 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 belld@trigger:~> I thought this was because LDAP was handing that aspect over to something else but your second command shows a password. belld@trigger:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld # extended LDIF # # LDAPv3 # base <dc=dxi,dc=net> with scope subtree # filter: uid=belld # requesting: ALL # # belld, people, dxi.net dn: uid=belld,ou=people,dc=dxi,dc=net cn: David Bell gidNumber: 100 givenName: David homeDirectory: /home/belld loginShell: /bin/bash objectClass: top objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson shadowInactive: -1 shadowMax: 99999 shadowMin: 0 shadowWarning: 7 sn: Bell uid: belld uidNumber: 1000 userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8= shadowLastChange: 13920 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 belld@trigger:~> Any further thoughts? David
Zitat von David W Bell <david@chaoscrypt.com>:
Markus Krause wrote:
Zitat von David W Bell <david@chaoscrypt.com>:
LDAP is installed and working out of the box, having been set to be used for authenication during the SUSE install.
This is proven by the ability to log in to the box, both locally and via SSH
I installed freeRADIUS from the latest source and it is working also.
freeRADIUS seems unable to find a password for the user during Authenication.
I issue the following on my workstation
david@belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" | radclient 212.95.255.242:1812 auth testing Received response ID 99, code 3, length = 20
And see the following from freeRADIUS Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host 212.95.252.25 port 20758, id=99, length=45 User-Name = "belld" User-Password = "p455w0rd" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "belld", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for belld WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld) expand: dc=dxi,dc=net -> dc=dxi,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user belld authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> belld attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 99 to 212.95.252.25 port 20758 Waking up in 4.9 seconds.
What I cant work out is whether this is due to an LDAP or a RADIUS config problem.
what is the result of the following commands (using a terminal): ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
if they (especially the latter) do not return a value for the field "userPassword" the problem is on the LDAP side.
markus
---------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Thanks Markus.
I thought of that - and had done the 1st search and HAD noticed there was no LDAP password set
# extended LDIF # # LDAPv3 # base <dc=dxi,dc=net> with scope subtree # filter: uid=belld # requesting: ALL #
# belld, people, dxi.net dn: uid=belld,ou=people,dc=dxi,dc=net cn: David Bell gidNumber: 100 givenName: David homeDirectory: /home/belld loginShell: /bin/bash objectClass: top objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson shadowInactive: -1 shadowMax: 99999 shadowMin: 0 shadowWarning: 7 sn: Bell uid: belld uidNumber: 1000 shadowLastChange: 13920
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 belld@trigger:~>
I thought this was because LDAP was handing that aspect over to something else but your second command shows a password.
belld@trigger:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld # extended LDIF # # LDAPv3 # base <dc=dxi,dc=net> with scope subtree # filter: uid=belld # requesting: ALL #
# belld, people, dxi.net dn: uid=belld,ou=people,dc=dxi,dc=net cn: David Bell gidNumber: 100 givenName: David homeDirectory: /home/belld loginShell: /bin/bash objectClass: top objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson shadowInactive: -1 shadowMax: 99999 shadowMin: 0 shadowWarning: 7 sn: Bell uid: belld uidNumber: 1000 userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8= shadowLastChange: 13920
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 belld@trigger:~>
Any further thoughts?
David
not showing a userPassword field using an anonymous bind (the first command) as actually expected, as rootdn it should work. i assume the following command does reveal the userPassword as well: ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "uid=belld,ou=people,dc=dxi,dc=net" -w p455w0rd uid=belld i am wondering why the debug output of the freeradius says your binding as administrator, if the command above works this should not be necessary .. could you post your ldap section of your radiusd.conf? regards markus ---------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
Markus Krause wrote:
> Zitat von David W Bell <david@chaoscrypt.com>:
>
>> Markus Krause wrote:
>>> Zitat von David W Bell <david@chaoscrypt.com>:
>>>
>>>> LDAP is installed and working out of the box, having been set to be
>>>> used for authenication during the SUSE install.
>>>>
>>>> This is proven by the ability to log in to the box, both locally
>>>> and via SSH
>>>>
>>>> I installed freeRADIUS from the latest source and it is working also.
>>>>
>>>> freeRADIUS seems unable to find a password for the user during
>>>> Authenication.
>>>>
>>>> I issue the following on my workstation
>>>>
>>>> david@belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" |
>>>> radclient 212.95.255.242:1812 auth testing
>>>> Received response ID 99, code 3, length = 20
>>>>
>>>> And see the following from freeRADIUS Listening on authentication
>>>> address * port 1812
>>>> Listening on accounting address * port 1813
>>>> Ready to process requests.
>>>> rad_recv: Access-Request packet from host 212.95.252.25 port 20758,
>>>> id=99, length=45
>>>> User-Name = "belld"
>>>> User-Password = "p455w0rd"
>>>> +- entering group authorize
>>>> ++[preprocess] returns ok
>>>> ++[chap] returns noop
>>>> ++[mschap] returns noop
>>>> rlm_realm: No '@' in User-Name = "belld", looking up realm NULL
>>>> rlm_realm: No such realm "NULL"
>>>> ++[suffix] returns noop
>>>> rlm_eap: No EAP-Message, not doing EAP
>>>> ++[eap] returns noop
>>>> ++[unix] returns notfound
>>>> ++[files] returns noop
>>>> rlm_ldap: - authorize
>>>> rlm_ldap: performing user authorization for belld
>>>> WARNING: Deprecated conditional expansion ":-". See "man unlang"
>>>> for details
>>>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
>>>> expand: dc=dxi,dc=net -> dc=dxi,dc=net
>>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>>> rlm_ldap: attempting LDAP reconnection
>>>> rlm_ldap: (re)connect to localhost:389, authentication 0
>>>> rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to
>>>> localhost:389
>>>> rlm_ldap: waiting for bind result ...
>>>> rlm_ldap: Bind was successful
>>>> rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
>>>> rlm_ldap: looking for check items in directory...
>>>> rlm_ldap: looking for reply items in directory...
>>>> WARNING: No "known good" password was found in LDAP. Are you sure
>>>> that
>>>> the user is configured correctly?
>>>> rlm_ldap: user belld authorized to use remote access
>>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>>> ++[ldap] returns ok
>>>> ++[expiration] returns noop
>>>> ++[logintime] returns noop
>>>> rlm_pap: WARNING! No "known good" password found for the user.
>>>> Authentication may fail because of this.
>>>> ++[pap] returns noop
>>>> auth: No authenticate method (Auth-Type) configuration found for the
>>>> request: Rejecting the user
>>>> auth: Failed to validate the user.
>>>> Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0)
>>>> Found Post-Auth-Type Reject
>>>> +- entering group REJECT
>>>> expand: %{User-Name} -> belld
>>>> attr_filter: Matched entry DEFAULT at line 11
>>>> ++[attr_filter.access_reject] returns updated
>>>> Delaying reject of request 0 for 1 seconds
>>>> Going to the next request
>>>> Waking up in 0.9 seconds.
>>>> Sending delayed reject for request 0
>>>> Sending Access-Reject of id 99 to 212.95.252.25 port 20758
>>>> Waking up in 4.9 seconds.
>>>>
>>>> What I cant work out is whether this is due to an LDAP or a RADIUS
>>>> config problem.
>>>>
>>>
>>> what is the result of the following commands (using a terminal):
>>> ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld
>>> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
>>> "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>>>
>>> if they (especially the latter) do not return a value for the field
>>> "userPassword" the problem is on the LDAP side.
>>>
>>> markus
>>>
>>>
>>> ----------------------------------------------------------------------
>>> This message was sent using https://webmail.biochem.mpg.de
>>> If you encounter any problems please report to rz-linux@biochem.mpg.de
>>>
>>> ------------------------------------------------------------------------
>>>
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>> Thanks Markus.
>>
>> I thought of that - and had done the 1st search and HAD noticed there
>> was no LDAP password set
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=dxi,dc=net> with scope subtree
>> # filter: uid=belld
>> # requesting: ALL
>> #
>>
>> # belld, people, dxi.net
>> dn: uid=belld,ou=people,dc=dxi,dc=net
>> cn: David Bell
>> gidNumber: 100
>> givenName: David
>> homeDirectory: /home/belld
>> loginShell: /bin/bash
>> objectClass: top
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: inetOrgPerson
>> shadowInactive: -1
>> shadowMax: 99999
>> shadowMin: 0
>> shadowWarning: 7
>> sn: Bell
>> uid: belld
>> uidNumber: 1000
>> shadowLastChange: 13920
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> belld@trigger:~>
>>
>> I thought this was because LDAP was handing that aspect over to
>> something else but your second command shows a password.
>>
>> belld@trigger:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
>> "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=dxi,dc=net> with scope subtree
>> # filter: uid=belld
>> # requesting: ALL
>> #
>>
>> # belld, people, dxi.net
>> dn: uid=belld,ou=people,dc=dxi,dc=net
>> cn: David Bell
>> gidNumber: 100
>> givenName: David
>> homeDirectory: /home/belld
>> loginShell: /bin/bash
>> objectClass: top
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: inetOrgPerson
>> shadowInactive: -1
>> shadowMax: 99999
>> shadowMin: 0
>> shadowWarning: 7
>> sn: Bell
>> uid: belld
>> uidNumber: 1000
>> userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8=
>> shadowLastChange: 13920
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> belld@trigger:~>
>>
>> Any further thoughts?
>>
>> David
>
> not showing a userPassword field using an anonymous bind (the first
> command) as actually expected, as rootdn it should work. i assume the
> following command does reveal the userPassword as well:
> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D
> "uid=belld,ou=people,dc=dxi,dc=net" -w p455w0rd uid=belld
>
> i am wondering why the debug output of the freeradius says your
> binding as administrator, if the command above works this should not
> be necessary .. could you post your ldap section of your radiusd.conf?
>
> regards
> markus
>
> ----------------------------------------------------------------------
> This message was sent using https://webmail.biochem.mpg.de
> If you encounter any problems please report to rz-linux@biochem.mpg.de
>
> ------------------------------------------------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Config as requested - I did uncomment and configure the identity section
- is this not required?
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "localhost"
identity = "cn=Administrator,dc=dxi,dc=net"
password = trPic4n03
basedn = "dc=dxi,dc=net"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20
timeout = 4
# seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
#
# seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS
extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 689) connections
start_tls = no
# cacertfile = /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't
verify.)
#
# The default is "allow"
# require_cert = "demand"
}
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has been
# built with the --with-edir configure option.
#
# password_attribute = userPassword
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
edir_account_policy_check = no
#
# Group membership checking. Disabled by default.
#
# groupname_attribute = cn
# groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes #
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
#ldap_debug = 0x0028
}
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the "tls_*" configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
Zitat von David W Bell <david@chaoscrypt.com>:
Markus Krause wrote:
Zitat von David W Bell <david@chaoscrypt.com>:
Markus Krause wrote:
Zitat von David W Bell <david@chaoscrypt.com>:
LDAP is installed and working out of the box, having been set to be used for authenication during the SUSE install.
This is proven by the ability to log in to the box, both locally and via SSH
I installed freeRADIUS from the latest source and it is working also.
freeRADIUS seems unable to find a password for the user during Authenication.
I issue the following on my workstation
david@belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" | radclient 212.95.255.242:1812 auth testing Received response ID 99, code 3, length = 20
And see the following from freeRADIUS Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host 212.95.252.25 port 20758, id=99, length=45 User-Name = "belld" User-Password = "p455w0rd" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "belld", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for belld WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld) expand: dc=dxi,dc=net -> dc=dxi,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user belld authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> belld attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 99 to 212.95.252.25 port 20758 Waking up in 4.9 seconds.
What I cant work out is whether this is due to an LDAP or a RADIUS config problem.
what is the result of the following commands (using a terminal): ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
if they (especially the latter) do not return a value for the field "userPassword" the problem is on the LDAP side.
markus
---------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
------------------------------------------------------------------------ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Thanks Markus.
I thought of that - and had done the 1st search and HAD noticed there was no LDAP password set
# extended LDIF # # LDAPv3 # base <dc=dxi,dc=net> with scope subtree # filter: uid=belld # requesting: ALL #
# belld, people, dxi.net dn: uid=belld,ou=people,dc=dxi,dc=net cn: David Bell gidNumber: 100 givenName: David homeDirectory: /home/belld loginShell: /bin/bash objectClass: top objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson shadowInactive: -1 shadowMax: 99999 shadowMin: 0 shadowWarning: 7 sn: Bell uid: belld uidNumber: 1000 shadowLastChange: 13920
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 belld@trigger:~>
I thought this was because LDAP was handing that aspect over to something else but your second command shows a password.
belld@trigger:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld # extended LDIF # # LDAPv3 # base <dc=dxi,dc=net> with scope subtree # filter: uid=belld # requesting: ALL #
# belld, people, dxi.net dn: uid=belld,ou=people,dc=dxi,dc=net cn: David Bell gidNumber: 100 givenName: David homeDirectory: /home/belld loginShell: /bin/bash objectClass: top objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson shadowInactive: -1 shadowMax: 99999 shadowMin: 0 shadowWarning: 7 sn: Bell uid: belld uidNumber: 1000 userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8= shadowLastChange: 13920
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 belld@trigger:~>
Any further thoughts?
David
not showing a userPassword field using an anonymous bind (the first command) as actually expected, as rootdn it should work. i assume the following command does reveal the userPassword as well: ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "uid=belld,ou=people,dc=dxi,dc=net" -w p455w0rd uid=belld
i am wondering why the debug output of the freeradius says your binding as administrator, if the command above works this should not be necessary .. could you post your ldap section of your radiusd.conf?
regards markus
---------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Config as requested - I did uncomment and configure the identity section - is this not required?
ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "localhost" identity = "cn=Administrator,dc=dxi,dc=net" password = trPic4n03 basedn = "dc=dxi,dc=net" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20 timeout = 4
# seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3
# # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1 tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no
# cacertfile = /path/to/cacert.pem # cacertdir = /path/to/ca/dir/ # certfile = /path/to/radius.crt # keyfile = /path/to/radius.key # randfile = /path/to/rnd
# Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the cerificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" # require_cert = "demand" }
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # password_attribute = userPassword
# Un-comment the following to disable Novell # eDirectory account policy check and intruder # detection. This will work *only if* FreeRADIUS is # configured to build with --with-edir option. # edir_account_policy_check = no
# # Group membership checking. Disabled by default. # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName
# compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) #ldap_debug = 0x0028 }
# # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the "tls_*" configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. #
afaik the identity values has to be configured, if you are using the ldap part for more than binding ("check if a password is correct") e.g. for use with PEAP as the radius server then needs access to possibly protected fields like sambalmpassword. what happens/changes if you comment out identity and password? (regarding debug etc.) m. ---------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
Markus Krause wrote:
Zitat von David W Bell <david@chaoscrypt.com>:
Markus Krause wrote:
Zitat von David W Bell <david@chaoscrypt.com>:
Markus Krause wrote:
Zitat von David W Bell <david@chaoscrypt.com>:
LDAP is installed and working out of the box, having been set to be used for authenication during the SUSE install.
This is proven by the ability to log in to the box, both locally and via SSH
I installed freeRADIUS from the latest source and it is working also.
freeRADIUS seems unable to find a password for the user during Authenication.
I issue the following on my workstation
david@belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" | radclient 212.95.255.242:1812 auth testing Received response ID 99, code 3, length = 20
And see the following from freeRADIUS Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host 212.95.252.25 port 20758, id=99, length=45 User-Name = "belld" User-Password = "p455w0rd" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "belld", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for belld WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld) expand: dc=dxi,dc=net -> dc=dxi,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user belld authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> belld attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 99 to 212.95.252.25 port 20758 Waking up in 4.9 seconds.
What I cant work out is whether this is due to an LDAP or a RADIUS config problem.
what is the result of the following commands (using a terminal): ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
if they (especially the latter) do not return a value for the field "userPassword" the problem is on the LDAP side.
markus
----------------------------------------------------------------------
This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
------------------------------------------------------------------------ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Thanks Markus.
I thought of that - and had done the 1st search and HAD noticed there was no LDAP password set
# extended LDIF # # LDAPv3 # base <dc=dxi,dc=net> with scope subtree # filter: uid=belld # requesting: ALL #
# belld, people, dxi.net dn: uid=belld,ou=people,dc=dxi,dc=net cn: David Bell gidNumber: 100 givenName: David homeDirectory: /home/belld loginShell: /bin/bash objectClass: top objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson shadowInactive: -1 shadowMax: 99999 shadowMin: 0 shadowWarning: 7 sn: Bell uid: belld uidNumber: 1000 shadowLastChange: 13920
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 belld@trigger:~>
I thought this was because LDAP was handing that aspect over to something else but your second command shows a password.
belld@trigger:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld # extended LDIF # # LDAPv3 # base <dc=dxi,dc=net> with scope subtree # filter: uid=belld # requesting: ALL #
# belld, people, dxi.net dn: uid=belld,ou=people,dc=dxi,dc=net cn: David Bell gidNumber: 100 givenName: David homeDirectory: /home/belld loginShell: /bin/bash objectClass: top objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson shadowInactive: -1 shadowMax: 99999 shadowMin: 0 shadowWarning: 7 sn: Bell uid: belld uidNumber: 1000 userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8= shadowLastChange: 13920
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 belld@trigger:~>
Any further thoughts?
David
not showing a userPassword field using an anonymous bind (the first command) as actually expected, as rootdn it should work. i assume the following command does reveal the userPassword as well: ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "uid=belld,ou=people,dc=dxi,dc=net" -w p455w0rd uid=belld
i am wondering why the debug output of the freeradius says your binding as administrator, if the command above works this should not be necessary .. could you post your ldap section of your radiusd.conf?
regards markus
---------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Config as requested - I did uncomment and configure the identity section - is this not required?
ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "localhost" identity = "cn=Administrator,dc=dxi,dc=net" password = trPic4n03 basedn = "dc=dxi,dc=net" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20 timeout = 4
# seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3
# # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1 tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no
# cacertfile = /path/to/cacert.pem # cacertdir = /path/to/ca/dir/ # certfile = /path/to/radius.crt # keyfile = /path/to/radius.key # randfile = /path/to/rnd
# Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the cerificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" # require_cert = "demand" }
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # password_attribute = userPassword
# Un-comment the following to disable Novell # eDirectory account policy check and intruder # detection. This will work *only if* FreeRADIUS is # configured to build with --with-edir option. # edir_account_policy_check = no
# # Group membership checking. Disabled by default. # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
# compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) #ldap_debug = 0x0028 }
# # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the "tls_*" configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. #
afaik the identity values has to be configured, if you are using the ldap part for more than binding ("check if a password is correct") e.g. for use with PEAP as the radius server then needs access to possibly protected fields like sambalmpassword.
what happens/changes if you comment out identity and password? (regarding debug etc.)
m.
---------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html With the identity/password section commented out it is still the same Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host 212.95.252.25 port 31542, id=208, length=45 User-Name = "belld" User-Password = "p455w0rd" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "belld", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for belld WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld) expand: dc=dxi,dc=net -> dc=dxi,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user belld authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> belld attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 208 to 212.95.252.25 port 31542 Waking up in 4.9 seconds. Cleaning up request 0 ID 208 with timestamp +3 Ready to process requests.
Anything else you can suggest poking at ? Thanks again for your time
Zitat von David W Bell <david@chaoscrypt.com>:
Markus Krause wrote:
Zitat von David W Bell <david@chaoscrypt.com>:
Markus Krause wrote:
Zitat von David W Bell <david@chaoscrypt.com>:
Markus Krause wrote:
Zitat von David W Bell <david@chaoscrypt.com>:
> LDAP is installed and working out of the box, having been set to be > used for authenication during the SUSE install. > > This is proven by the ability to log in to the box, both > locally and via SSH > > I installed freeRADIUS from the latest source and it is working also. > > freeRADIUS seems unable to find a password for the user during > Authenication. > > I issue the following on my workstation > > david@belld-ubuntu:~$ echo "User-Name = belld,Password=p455w0rd" | > radclient 212.95.255.242:1812 auth testing > Received response ID 99, code 3, length = 20 > > And see the following from freeRADIUS Listening on authentication > address * port 1812 > Listening on accounting address * port 1813 > Ready to process requests. > rad_recv: Access-Request packet from host 212.95.252.25 port 20758, > id=99, length=45 > User-Name = "belld" > User-Password = "p455w0rd" > +- entering group authorize > ++[preprocess] returns ok > ++[chap] returns noop > ++[mschap] returns noop > rlm_realm: No '@' in User-Name = "belld", looking up realm NULL > rlm_realm: No such realm "NULL" > ++[suffix] returns noop > rlm_eap: No EAP-Message, not doing EAP > ++[eap] returns noop > ++[unix] returns notfound > ++[files] returns noop > rlm_ldap: - authorize > rlm_ldap: performing user authorization for belld > WARNING: Deprecated conditional expansion ":-". See "man > unlang" for details > expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld) > expand: dc=dxi,dc=net -> dc=dxi,dc=net > rlm_ldap: ldap_get_conn: Checking Id: 0 > rlm_ldap: ldap_get_conn: Got Id: 0 > rlm_ldap: attempting LDAP reconnection > rlm_ldap: (re)connect to localhost:389, authentication 0 > rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to > localhost:389 > rlm_ldap: waiting for bind result ... > rlm_ldap: Bind was successful > rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld) > rlm_ldap: looking for check items in directory... > rlm_ldap: looking for reply items in directory... > WARNING: No "known good" password was found in LDAP. Are you sure that > the user is configured correctly? > rlm_ldap: user belld authorized to use remote access > rlm_ldap: ldap_release_conn: Release Id: 0 > ++[ldap] returns ok > ++[expiration] returns noop > ++[logintime] returns noop > rlm_pap: WARNING! No "known good" password found for the user. > Authentication may fail because of this. > ++[pap] returns noop > auth: No authenticate method (Auth-Type) configuration found for the > request: Rejecting the user > auth: Failed to validate the user. > Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0) > Found Post-Auth-Type Reject > +- entering group REJECT > expand: %{User-Name} -> belld > attr_filter: Matched entry DEFAULT at line 11 > ++[attr_filter.access_reject] returns updated > Delaying reject of request 0 for 1 seconds > Going to the next request > Waking up in 0.9 seconds. > Sending delayed reject for request 0 > Sending Access-Reject of id 99 to 212.95.252.25 port 20758 > Waking up in 4.9 seconds. > > What I cant work out is whether this is due to an LDAP or a RADIUS > config problem. >
what is the result of the following commands (using a terminal): ldapsearch -x -h localhost -b "dc=dxi,dc=net" uid=belld ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld
if they (especially the latter) do not return a value for the field "userPassword" the problem is on the LDAP side.
markus
---------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
------------------------------------------------------------------------ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Thanks Markus.
I thought of that - and had done the 1st search and HAD noticed there was no LDAP password set
# extended LDIF # # LDAPv3 # base <dc=dxi,dc=net> with scope subtree # filter: uid=belld # requesting: ALL #
# belld, people, dxi.net dn: uid=belld,ou=people,dc=dxi,dc=net cn: David Bell gidNumber: 100 givenName: David homeDirectory: /home/belld loginShell: /bin/bash objectClass: top objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson shadowInactive: -1 shadowMax: 99999 shadowMin: 0 shadowWarning: 7 sn: Bell uid: belld uidNumber: 1000 shadowLastChange: 13920
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 belld@trigger:~>
I thought this was because LDAP was handing that aspect over to something else but your second command shows a password.
belld@trigger:~> ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "cn=Administrator,dc=dxi,dc=net" -w trPic4n03 uid=belld # extended LDIF # # LDAPv3 # base <dc=dxi,dc=net> with scope subtree # filter: uid=belld # requesting: ALL #
# belld, people, dxi.net dn: uid=belld,ou=people,dc=dxi,dc=net cn: David Bell gidNumber: 100 givenName: David homeDirectory: /home/belld loginShell: /bin/bash objectClass: top objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson shadowInactive: -1 shadowMax: 99999 shadowMin: 0 shadowWarning: 7 sn: Bell uid: belld uidNumber: 1000 userPassword:: e2NyeXB0fWUvMmlHZW9tWXJHTG8= shadowLastChange: 13920
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 belld@trigger:~>
Any further thoughts?
David
not showing a userPassword field using an anonymous bind (the first command) as actually expected, as rootdn it should work. i assume the following command does reveal the userPassword as well: ldapsearch -x -h localhost -b "dc=dxi,dc=net" -D "uid=belld,ou=people,dc=dxi,dc=net" -w p455w0rd uid=belld
i am wondering why the debug output of the freeradius says your binding as administrator, if the command above works this should not be necessary .. could you post your ldap section of your radiusd.conf?
regards markus
---------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
------------------------------------------------------------------------ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Config as requested - I did uncomment and configure the identity section - is this not required?
ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "localhost" identity = "cn=Administrator,dc=dxi,dc=net" password = trPic4n03 basedn = "dc=dxi,dc=net" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20 timeout = 4
# seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3
# # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1 tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no
# cacertfile = /path/to/cacert.pem # cacertdir = /path/to/ca/dir/ # certfile = /path/to/radius.crt # keyfile = /path/to/radius.key # randfile = /path/to/rnd
# Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the cerificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" # require_cert = "demand" }
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # password_attribute = userPassword
# Un-comment the following to disable Novell # eDirectory account policy check and intruder # detection. This will work *only if* FreeRADIUS is # configured to build with --with-edir option. # edir_account_policy_check = no
# # Group membership checking. Disabled by default. # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName
# compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) #ldap_debug = 0x0028 }
# # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the "tls_*" configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. #
afaik the identity values has to be configured, if you are using the ldap part for more than binding ("check if a password is correct") e.g. for use with PEAP as the radius server then needs access to possibly protected fields like sambalmpassword.
what happens/changes if you comment out identity and password? (regarding debug etc.)
m.
---------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html With the identity/password section commented out it is still the same Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host 212.95.252.25 port 31542, id=208, length=45 User-Name = "belld" User-Password = "p455w0rd" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "belld", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for belld WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld) expand: dc=dxi,dc=net -> dc=dxi,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user belld authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [belld/p455w0rd] (from client 212.95.252.25 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> belld attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 208 to 212.95.252.25 port 31542 Waking up in 4.9 seconds. Cleaning up request 0 ID 208 with timestamp +3 Ready to process requests.
Anything else you can suggest poking at ?
Thanks again for your time
hmm, i'll test this tomorrow on my (virtual) testing machine (it is running sles10sp1) and post my config and log output, maybe this reveals something... regards markus ---------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
UNCLASSIFIED
Config as requested - I did uncomment and configure the identity section - is this not required?
ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "localhost" identity = "cn=Administrator,dc=dxi,dc=net" password = trPic4n03 basedn = "dc=dxi,dc=net" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20 timeout = 4
# seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3
# # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1 tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no
# cacertfile = /path/to/cacert.pem # cacertdir = /path/to/ca/dir/ # certfile = /path/to/radius.crt # keyfile = /path/to/radius.key # randfile = /path/to/rnd
# Certificate Verification requirements. Can
be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the cerificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" # require_cert = "demand" }
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # password_attribute = userPassword
I think you need to un-comment this line --^ Regards, Frank Ranner
Ranner, Frank MR wrote:
UNCLASSIFIED
Config as requested - I did uncomment and configure the identity section - is this not required?
ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "localhost" identity = "cn=Administrator,dc=dxi,dc=net" password = trPic4n03 basedn = "dc=dxi,dc=net" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20 timeout = 4
# seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3
# # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1 tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no
# cacertfile = /path/to/cacert.pem # cacertdir = /path/to/ca/dir/ # certfile = /path/to/radius.crt # keyfile = /path/to/radius.key # randfile = /path/to/rnd
# Certificate Verification requirements. Can
be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the cerificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" # require_cert = "demand" }
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # password_attribute = userPassword
Thanks for the tip - tried it and it didnt work
Worth a try tho - so thanks David rlm_ldap: - authorize rlm_ldap: performing user authorization for belld WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld) expand: dc=dxi,dc=net -> dc=dxi,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld) rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user belld authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "p455w0rd" rlm_pap: Using clear text password "{crypt}e/2iGeomYrGLo" rlm_pap: Passwords don't match ++[pap] returns reject auth: Failed to validate the user. Login incorrect (rlm_pap: CLEAR TEXT password check failed): [belld/p455w0rd] (from client 212.95.252.25 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> belld attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 17 to 212.95.252.25 port 32116 Waking up in 4.9 seconds. Cleaning up request 0 ID 17 with timestamp +3 Ready to process requests.
David W Bell wrote:
Ranner, Frank MR wrote:
UNCLASSIFIED
Config as requested - I did uncomment and configure the identity section - is this not required?
ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "localhost" identity = "cn=Administrator,dc=dxi,dc=net" password = trPic4n03 basedn = "dc=dxi,dc=net" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20 timeout = 4
# seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3
# # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1 tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no
# cacertfile = /path/to/cacert.pem # cacertdir = /path/to/ca/dir/ # certfile = /path/to/radius.crt # keyfile = /path/to/radius.key # randfile = /path/to/rnd
# Certificate Verification requirements. Can
be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the cerificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" # require_cert = "demand" }
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # password_attribute = userPassword
Thanks for the tip - tried it and it didnt work
Worth a try tho - so thanks
David
rlm_ldap: - authorize rlm_ldap: performing user authorization for belld WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld) expand: dc=dxi,dc=net -> dc=dxi,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld) rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user belld authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "p455w0rd" rlm_pap: Using clear text password "{crypt}e/2iGeomYrGLo" rlm_pap: Passwords don't match ++[pap] returns reject auth: Failed to validate the user. Login incorrect (rlm_pap: CLEAR TEXT password check failed): [belld/p455w0rd] (from client 212.95.252.25 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> belld attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 17 to 212.95.252.25 port 32116 Waking up in 4.9 seconds. Cleaning up request 0 ID 17 with timestamp +3 Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Looking at this it seems that the LDAP record is holding the password with a certain encryption and that Radius needs to be told to encrypt the password it has passed to it in that format. Anyone know what the LDAP encryption would be, and how to influence RADIUS's treatment of the password. David
David W Bell wrote:
David W Bell wrote:
Ranner, Frank MR wrote:
UNCLASSIFIED
Config as requested - I did uncomment and configure the identity section - is this not required?
ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "localhost" identity = "cn=Administrator,dc=dxi,dc=net" password = trPic4n03 basedn = "dc=dxi,dc=net" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20 timeout = 4
# seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3
# # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1 tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = no
# cacertfile = /path/to/cacert.pem # cacertdir = /path/to/ca/dir/ # certfile = /path/to/radius.crt # keyfile = /path/to/radius.key # randfile = /path/to/rnd
# Certificate Verification requirements. Can
be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the cerificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" # require_cert = "demand" }
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # password_attribute = userPassword
Thanks for the tip - tried it and it didnt work
Worth a try tho - so thanks
David
rlm_ldap: - authorize rlm_ldap: performing user authorization for belld WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld) expand: dc=dxi,dc=net -> dc=dxi,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld) rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user belld authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "p455w0rd" rlm_pap: Using clear text password "{crypt}e/2iGeomYrGLo" rlm_pap: Passwords don't match ++[pap] returns reject auth: Failed to validate the user. Login incorrect (rlm_pap: CLEAR TEXT password check failed): [belld/p455w0rd] (from client 212.95.252.25 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> belld attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 17 to 212.95.252.25 port 32116 Waking up in 4.9 seconds. Cleaning up request 0 ID 17 with timestamp +3 Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Looking at this it seems that the LDAP record is holding the password with a certain encryption and that Radius needs to be told to encrypt the password it has passed to it in that format.
Anyone know what the LDAP encryption would be, and how to influence RADIUS's treatment of the password.
David
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Now fixed. All I had to do in the end was add the line for "userPassword" and then change this from no to yes pap { auto_header = yes } in my radiusd.conf file which allows radius to work out how to encrypt the password - in this case I *THINK* against a /etc/shadow format hash david@belld-ubuntu:~$ radtest belld p455w0rd 212.95.255.242 10 testing Sending Access-Request of id 129 to 212.95.255.242 port 1812 User-Name = "belld" User-Password = "p455w0rd" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 rad_recv: Access-Accept packet from host 212.95.255.242:1812, id=129, length=20 Thanks for everyones help in this
UNCLASSIFIED
-----Original Message-----
Looking at this it seems that the LDAP record is holding the password with a certain encryption and that Radius needs to be told to encrypt the password it has passed to it in that format.
Anyone know what the LDAP encryption would be, and how to influence RADIUS's treatment of the password.
David
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Now fixed.
All I had to do in the end was add the line for "userPassword" and then change this from no to yes
pap { auto_header = yes }
in my radiusd.conf file which allows radius to work out how to encrypt
the password - in this case I *THINK* against a /etc/shadow format hash
From man slappasswd
-h scheme If -h is specified, one of the following RFC 2307 schemes may be specified: {CRYPT}, {MD5}, {SMD5}, {SSHA}, and {SHA}. The default is {SSHA}. Note that scheme names may need to be protected, due to { and }, from expansion by the user's command inter- preter. {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a seed. {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a seed. {CRYPT} uses the crypt(3). {CLEARTEXT} indicates that the new password should be added to userPassword as clear text. Regards Frank Ranner
is there anything, i can try to test?
$ cvs update $ cd src/modules/rlm_eap $ make clean $ make
... and re-run the tests.
i am sorry, but my server doesn't have any internet-access... so, i can't use cvs for updating. is there another easy way to test your patch, alan? Sebastian -- Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! Ideal für Modem und ISDN: http://www.gmx.net/de/go/smartsurfer
I am runnning those tests at the moment with the modified version. I will post the result of 70000 authentications later. Norbert Wegener Sebastian Heil wrote:
is there anything, i can try to test?
$ cvs update $ cd src/modules/rlm_eap $ make clean $ make
... and re-run the tests.
i am sorry, but my server doesn't have any internet-access... so, i can't use cvs for updating.
is there another easy way to test your patch, alan?
Sebastian
As usually, Alan has made a great job. After more than 70000 eap authentications everything is still working fine. The bug is obviously fixed. Thanks Alan Norbert Wegener Norbert Wegener wrote:
I am runnning those tests at the moment with the modified version. I will post the result of 70000 authentications later.
Norbert Wegener
Sebastian Heil wrote:
is there anything, i can try to test?
$ cvs update $ cd src/modules/rlm_eap $ make clean $ make
... and re-run the tests.
i am sorry, but my server doesn't have any internet-access... so, i can't use cvs for updating.
is there another easy way to test your patch, alan?
Sebastian
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Norbert Wegener wrote:
As usually, Alan has made a great job. After more than 70000 eap authentications everything is still working fine. The bug is obviously fixed.
<whew>!
Thanks for the testing. We can release 2.0.2 this week.
Alan DeKok.
After 60000 "login oks" i stopped my 4 perl-scripts. not a single "login incorrect"! nice job, alan. i am waiting for the official version 2.0.2. :-) Sebastian -- Psssst! Schon vom neuen GMX MultiMessenger gehört? Der kann`s mit allen: http://www.gmx.net/de/go/multimessenger
Hi,
i am sorry, but my server doesn't have any internet-access... so, i can't use cvs for updating.
use CVS on another machine, tar up the resulting CVS checkout, copy it to the server and recompile. it must have networking or some sort to be a radius server, n'est pas? ;-) alan
The complete log is at http:// www.wegener-net.de/freeradius/ (url destroyed) In line 116518 a client gets a reject, in 119715 the same client an accept. Norbert Wegener Alan DeKok wrote:
Norbert Wegener wrote:
With 2.0.0 sometimes I get this error message, that I have not seen before:
Much of the EAP code was edited in 2.0. It was extensively tested, but apparently there are still issues. That's what happens when changing working code, I guess...
rlm_eap: No EAP session matching the State variable.
Is this happening inside of a PEAP tunnel?
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
...
This does not sound good, as there is no real load on the server and the same client will be authenticated some time later without configurational changes.
If neccessary, I can provide the long log.
That would help...
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Norbert Wegener wrote:
The complete log is at http:// www.wegener-net.de/freeradius/ (url destroyed) In line 116518 a client gets a reject, in 119715 the same client an accept.
... State = 0x0000000000030d000000000000000000 ... It's a 64-bit machine... I'll be damned if I can figure out why the State attribute is (almost) all zeros. I updated the code in rlm_eap to fix one problem, and apparently created another... All I can guess is that the code generating 32-bit random numbers somehow has them promoted to 64-bit numbers, and then the lower 32-bits get ignored... I think I have access to a 64-bit machine where I can get take a look at this. Alan DeKok.
Norbert Wegener wrote:
The complete log is at http:// www.wegener-net.de/freeradius/ (url destroyed) In line 116518 a client gets a reject, in 119715 the same client an accept.
... State = 0x0000000000030d000000000000000000 ... ... All I can guess is that the code generating 32-bit random numbers somehow has them promoted to 64-bit numbers, and then the lower 32-bits get ignored... the ISAAC (random number generator) libraries do use registers to hold the numbers while it is generating them. registers on a 64 machines are 64 bit right?
Joe
Joe Vieira wrote:
the ISAAC (random number generator) libraries do use registers to hold the numbers while it is generating them. registers on a 64 machines are 64 bit right?
That may be it. If you can delete the "register" references in src/lib/isaac.c && re-test, it would help. A simple check is that the State attribute looks like random garbage, rather than being mostly zeros. Alan DeKok.
Alan DeKok wrote:
Norbert Wegener wrote:
The complete log is at http:// www.wegener-net.de/freeradius/ (url destroyed) In line 116518 a client gets a reject, in 119715 the same client an accept.
... State = 0x0000000000030d000000000000000000 ...
It's a 64-bit machine... I'll be damned if I can figure out why the State attribute is (almost) all zeros. I have no access to that machine and didn't expect processor information to be relevant: That is, what I got as information about the processor:
cat /proc/cpuinfo processor : 0 vendor_id : GenuineIntel cpu family : 15 model : 2 model name : Intel(R) Celeron(R) CPU 2.40GHz stepping : 9 cpu MHz : 2405.622 cache size : 128 KB fdiv_bug : no hlt_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 2 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe up cid xtpr bogomips : 4815.15
I updated the code in rlm_eap to fix one problem, and apparently created another...
All I can guess is that the code generating 32-bit random numbers somehow has them promoted to 64-bit numbers, and then the lower 32-bits get ignored...
I think I have access to a 64-bit machine where I can get take a look at this.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Well.. some amount of time later - I have access to a 64-bit machine - cvs.freeradius.org won't let me do checkouts from the machine Something about reverse DNS, I think... - some cursing later... - freeradius builds - wpa_supplicant doesn't making EAP testing with a local client difficult - sending packets from a remote machine doesn't seem to work making EAP testing with a remote client difficult After some fighting, I managed to get some EAP testing done. The result is that I *don't* see a State variable that's almost all zeros. So I'm at a bit of a loss for what's going on. If someone who *does* see this problem can give me remote SSH access to a machine, it might permit me to debug it. Otherwise, I have no idea what's going wrong, and it's impossible for me to reproduce it. As a result, it's impossible for me to fix it. Alan DeKok.
participants (8)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
David W Bell -
Joe Vieira -
Markus Krause -
Norbert Wegener -
Ranner, Frank MR -
Sebastian Heil