Hello, I can authenticate ldap users using the NTRadPing tool without a problem. But I cant do it through an Access Point. Can you help me? I have the AP(D-Link 2100 AP+) configure to WPA-EAP, Cipher Type=Auto. I list the radius config and debug. radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 172.22.0.21 { ipaddr = 172.22.0.21 require_message_authenticator = no secret = "si" shortname = "xxxxx" nastype = "other" } client AP1-E1 { ipaddr = 192.168.70.70 require_message_authenticator = no secret = "si" shortname = "AP1-E1" nastype = "other" } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.70.70 port 1038, id=0, length=201 Message-Authenticator = 0x0bad8dc9bc9d09a88d777055e87bc06f Service-Type = Framed-User User-Name = "ldapuser" Framed-MTU = 1488 Called-Station-Id = "00-22-B0-69-74-74:RadiusServer" Calling-Station-Id = "00-1C-BF-63-43-7F" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000c0139303230313535 NAS-IP-Address = 192.168.70.70 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for ldapuser [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> ldapuser [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ldapuser) [ldap] expand: dc=test,dc=test,dc=pt -> dc=test,dc=test,dc=pt rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to xxx.xxx.xxx.xxx:389, authentication 0 rlm_ldap: bind as uid=borat,dc=test,dc=test,dc=pt/ldappassword to xxx.xxx.xxx.xxx:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=test,dc=test,dc=pt, with filter (uid=ldapuser) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user ldapuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.70.70 port 1038 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f5a0c851f5b15f67ae48d03f8beffe6 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.70.70 port 1038, id=1, length=490 Message-Authenticator = 0xba2e0b898f91a1e37da464dd4a07b311 Service-Type = Framed-User User-Name = "ldapuser" Framed-MTU = 1488 State = 0x1f5a0c851f5b15f67ae48d03f8beffe6 Called-Station-Id = "00-22-B0-69-74-74:RadiusServer" Calling-Station-Id = "00-1C-BF-63-43-7F" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201011919800000010f160301010a0100010603014b69b17864a990f749baa2f53df13aca 45cbccacb1f5bc685e3635514f1e42cb00003800390038003500880087008400160013000a00 330032002f009a00990096004500440041000500040015001200090014001100080006000302 010000a4002300a0d01907820de47ddfa68661ec44d31e5dd8dacaafdad2c82305e227265d28 f850f8a524da4fe4c3b7c860c7de1c52e36def98c4cfb43292159ec293311df317029fc16077 541d9238068a112f6e77a2935fa16efacb85cf609cbfff1577c0d2c9e859cee24b718b747fc9 25802b1e680e86d03e864c6b551b3108afeab659710248cb35aa EAP-Message = 0x8575d2b42e895e1ec907d7e69d9e7386b69232cfa63df6d12d7da003 NAS-IP-Address = 192.168.70.70 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 271 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 010a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0030], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.70.70 port 1038 EAP-Message = 0x0102040019c000000ab316030100300200002c03014b69affea71157c286b09b1dcb48c1f8 c7c3c073d302d7cc8d002c5b4f42e2be00003901000400230000160301085e0b00085a000857 0003a6308203a23082028aa003020102020101300d06092a864886f70d010104050030819331 0b3009060355040613024652310f300d06035504081306526164697573311230100603550407 1309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e 06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 03131d4578616d706c6520436572746966696361746520417574 EAP-Message = 0x686f72697479301e170d3130303230333134343231395a170d313130323033313434323139 5a307c310b3009060355040613024652310f300d060355040813065261646975733115301306 0355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c652053 65727665722043657274696669636174653120301e06092a864886f70d010901161161646d69 6e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f0030 82010a0282010100b86c5396cfd7e7e922dbb26df4f4b69f25d3714a819fd36762ad32dc140e 303d5ba97e0db2e28046c54d3019a5e2759ad37694fbc08b03d2 EAP-Message = 0xed836feeac8a599b268410d77e15160bd5cab44dc763c97898b8bffeba36ae5c14913bf44c ed0427f5ee12f2232958d3f2b70a3041c794dd24091ffe85e8f8d4bbb7a787a301a8c1dc902c c95b1dc810e7539a391366deca63ce30c51a889717b865961d1aef3dd308b12431bc8b401d24 7c8a97e7c968ee6a9652809bcc95cbdab84d1a3fe9968916f7a0115448827b960af7203527b1 7990519d26ec1cd7a3fa35dee8ddb488a917d27790afc11347f393a272f8a456106a08a3b28f 7007e69fafa5a61a693ac30203010001a317301530130603551d25040c300a06082b06010505 070301300d06092a864886f70d0101040500038201010094945d EAP-Message = 0x22948e117c5f66d8b5d23a05004dc7141b85059576c06616919c5357136e434b2b1ff34e6e bcc5960d22fff1cfe0456c531603e238de97f9160d792ef10b748ce0b49c01625e24a712ce5f 0a2fb284117bbd355bd598b566d07cfe45d21670d5344de9fde5e581862121fa80c957cb6000 fa418d958d3b09bda9e05bfa5b0806ea0decb18a2d566906224f3cd04e4fcdacbbeaa8772cba 4b3fb165c64a66e3886d006700cd65d0d943f386be08582a020d1f070a9e625e6824500a2810 cda4f3ef919f2495b158a67c76a71196c404b794ee6d3cfc9d6c878259d3e6afc5daa28a0e4d 6e8ab1ff8a6cebb2397215952dfd4253ea689454bd4294fd2633 EAP-Message = 0x0004ab308204a73082038fa0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f5a0c851e5815f67ae48d03f8beffe6 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.70.70 port 1038, id=9, length=303 Message-Authenticator = 0x40181150ae53bc834616acde8bded5ce Service-Type = Framed-User User-Name = "ldapuser" Framed-MTU = 1488 State = 0x1f5a0c85175315f67ae48d03f8beffe6 Called-Station-Id = "00-22-B0-69-74-74:RadiusServer" Calling-Station-Id = "00-1C-BF-63-43-7F" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02090060190017030100203740cd6052be3de4a2dae33ed1e4699866af641dee6261f14e94 93e21b49db0217030100305406714a1fee8d73edfa87c60a0046641329975a279ecbc1b2ee7d ec5e9d60b9bc61efd8b9e8e5304a341f7eee16e533 NAS-IP-Address = 192.168.70.70 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> ldapuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 9 to 192.168.70.70 port 1038 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.4 seconds. I did cut some debug info, in order to not exceed the max message limit of 100K. I think the problem is here: [eap] processing type md5 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication but in eap.conf is: eap{ default_eap_type = peap Peap{ default_eap_type = mschapv2 } } Sorry Im not familiar enough with wifi to understand what wrong.
On Thu, Feb 4, 2010 at 6:00 PM, José Campos <jjscampos@gmail.com> wrote:
I can authenticate ldap users using the NTRadPing tool without a problem. But I can’t do it through an Access Point. Can you help me?
What LDAP server do you use? IIRC OpenLDAP, AD, and Lotus Domino needs different configuration. Also what client are you using? Do you use additional 3rd party supplicant?
rlm_ldap: performing search in dc=test,dc=test,dc=pt, with filter (uid=ldapuser)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
Like the message said, No "known good" password was found in LDAP. I'm guessing it's not OpenLDAP. -- Fajar
The server is OpenLDAP. José Campos -----Mensagem original----- De: freeradius-users-bounces+jjscampos=gmail.com@lists.freeradius.org [mailto:freeradius-users-bounces+jjscampos=gmail.com@lists.freeradius.org] Em nome de Fajar A. Nugraha Enviada: quinta-feira, 4 de Fevereiro de 2010 13:22 Para: FreeRadius users mailing list Assunto: Re: ldap+wireless wpa-eap On Thu, Feb 4, 2010 at 6:00 PM, José Campos <jjscampos@gmail.com> wrote:
I can authenticate ldap users using the NTRadPing tool without a problem. But I cant do it through an Access Point. Can you help me?
What LDAP server do you use? IIRC OpenLDAP, AD, and Lotus Domino needs different configuration. Also what client are you using? Do you use additional 3rd party supplicant?
rlm_ldap: performing search in dc=test,dc=test,dc=pt, with filter (uid=ldapuser)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
Like the message said, No "known good" password was found in LDAP. I'm guessing it's not OpenLDAP. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, Feb 4, 2010 at 9:48 PM, José Campos <jjscampos@gmail.com> wrote:
The server is OpenLDAP.
Did you follow http://vuksan.com/linux/dot1x/802-1x-LDAP.html? Do you have cleartext/unencrypted password somewhere in LDAP schema? There's an alternative setup that I use, that will work even when there's no cleartext password in LDAP, by using LDAP bind. I suggest you use the "official" method first though. -- Fajar
José Campos wrote:
I can authenticate ldap users using the NTRadPing tool without a problem. But I can’t do it through an Access Point. Can you help me?
I have the AP(D-Link 2100 AP+) configure to WPA-EAP, Cipher Type=Auto.
I list the radius config and debug. .. [peap] Had sent TLV failure. User was rejected earlier in this session.
<sigh> You deleted the *most useful* portion of the debug log, which contained the actual problem. Take the debug output, and paste it into the form at: http://networkradius.com/freeradius.html Look for red text, and read the messages. Alan DeKok.
participants (3)
-
Alan DeKok -
Fajar A. Nugraha -
José Campos