FR + openldap + WPA, auth fails
With nearly the same config files as I had working on 1.0.1, I'm having problems with 1.1.6 authenticating WPA users. Probably something to do with this: rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for mzeier@mozilla.com with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 7 modcall: leaving group MS-CHAP (returns reject) for request 7 eap.conf - http://pastebin.mozilla.org/10218 radiusd.conf - http://pastebin.mozilla.org/10223 If there are other relevant files, let me know. Box is more or less a stock RHEL4. -- matthew zeier | Network Engineer | Mozilla Corp. | (650)903-0800 x219
matthew zeier wrote:
With nearly the same config files as I had working on 1.0.1, I'm having problems with 1.1.6 authenticating WPA users.
See "man rlm_pap" in 1.1.6. That might help.
If there are other relevant files, let me know. Box is more or less a stock RHEL4.
Debug output? In 1.0.1, where are the passwords obtained from? LDAP? "users" file? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
matthew zeier wrote:
With nearly the same config files as I had working on 1.0.1, I'm having problems with 1.1.6 authenticating WPA users.
See "man rlm_pap" in 1.1.6. That might help.
If there are other relevant files, let me know. Box is more or less a stock RHEL4.
Debug output?
I pasted all of 'radiusd -X' to http://pastebin.mozilla.org/10251. Is that enough debug ?
In 1.0.1, where are the passwords obtained from? LDAP? "users" file?
LDAP. I said nearly the same config files because 1.1.6 choked on the 1.0.1 radiusd.conf file and the only changes I made the to the RHEL stock 1.0.1 radiusd.conf was for the LDAP settings. So for 1.1.6, I just added those in there. If I revert to 1.0.1 (and move back my 1.0.1 radiusd.conf), WPA auth works fine. -- matthew zeier | Network Engineer | Mozilla Corp. | (650)903-0800 x219
matthew zeier wrote:
I pasted all of 'radiusd -X' to http://pastebin.mozilla.org/10251. Is that enough debug ?
Yes.
In 1.0.1, where are the passwords obtained from? LDAP? "users" file?
LDAP.
The debug output doesn't reference LDAP. i.e. you moved only part of your configuration from 1.0.1 to 1.1.6. You missed configuring the "ldap" module, and missed uncommenting it in the "authorize" section of radiusd.conf.
I said nearly the same config files because 1.1.6 choked on the 1.0.1 radiusd.conf
Can you post the errors? I haven't used 1.0.1 in *years*, so I have no idea what may or may not work when upgrading from 1.0.1 to 1.1.6.
and the only changes I made the to the RHEL stock 1.0.1 radiusd.conf was for the LDAP settings. So for 1.1.6, I just added those in there.
It looks like you didn't uncomment "ldap", as noted above. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
matthew zeier wrote:
I pasted all of 'radiusd -X' to http://pastebin.mozilla.org/10251. Is that enough debug ?
Yes.
In 1.0.1, where are the passwords obtained from? LDAP? "users" file? LDAP.
The debug output doesn't reference LDAP. i.e. you moved only part of your configuration from 1.0.1 to 1.1.6. You missed configuring the "ldap" module, and missed uncommenting it in the "authorize" section of radiusd.conf.
Indeed - I uncommented it from the authorize section and it works now. - mz -- matthew zeier | Network Engineer | Mozilla Corp. | (650)903-0800 x219
matthew zeier wrote:
Can you post the errors?
I haven't used 1.0.1 in *years*, so I have no idea what may or may not work when upgrading from 1.0.1 to 1.1.6.
Should have mentioned that that's what RHEL4 ships.
I've seen that with other projects, too. RedHat has a tendency to include versions of software that are *years* out of date. I have no idea why they do this. It's one thing to support older versions. I understand the reasons for that. But I don't understand forcing *new* customers to use software that is almost 3 years out of date. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
matthew zeier