Freeradius as Authenticator

Florian Prester Florian.Prester at rrze.uni-erlangen.de
Mon Aug 8 11:04:54 CEST 2005


Alan DeKok wrote:

>Florian Prester <Florian.Prester at rrze.uni-erlangen.de> wrote:
>  
>
>>    With MSCHAP we are using the NT-password (I know it is not really 
>>crypted, but still better than cleartext!)
>>    
>>
>
>  That's a common misconception.
>
>  
>
>>Now, how can I use PAP authentication with EAP-TTLS?
>>    
>>
>
>  Tell the client to use it.  The server has NO control over whether
>the client uses PAP or not.
>
>  
>
>> Thu Aug  4 08:44:33 2005 : Debug:   rad_check_password:  Found 
>>Auth-Type LDAP
>> Thu Aug  4 08:44:33 2005 : Debug: auth: type "LDAP"
>> Thu Aug  4 08:44:33 2005 : Debug:   ERROR: Unknown value specified for 
>>Auth-Type.  Cannot
>>     perform   requested action.
>>    
>>
>
>  Yeah, the LDAP module sets Auth-Type itself, and it can end up
>causing problems.  The work-around is to set Auth-Type to PAP.  i.e.
>
>DEFAULT	Auth-Type = PAP
>
>  Alan DeKok.
>
Hm,

ok, if I set PAP for the client it still does not work!
I got a User-Password by ldap.attrmap,
The passwords match!
But the radius-server does not see the password-attribute.
With a local user (configured in the users-file) and the same 
client-setup everything works fine.
So I think there must be a problem with the ldap-interaction?

Any help would be great,
thanks
Florian


radius-log:

rad_recv: Access-Request packet from host 131.188.4.191:20000, id=158, length=140
        NAS-Port-Id = "5/1"
        Calling-Station-Id = "00-20-A6-4D-2C-56"
        Called-Station-Id = "00-0B-0E-2F-E2-C0:FAU-SEC"
        Service-Type = Framed-User
        EAP-Message = 0x0201000c01756e727a313438
        User-Name = "unrz148"
        NAS-Identifier = "Trapeze"
        NAS-Port-Type = Wireless-802.11
        NAS-IP-Address = 131.188.4.191
        Message-Authenticator = 0xa761418a4abdbb324b10b31c653fed52
Mon Aug  8 10:58:12 2005 : Debug:   Processing the authorize section of radiusd.conf
Mon Aug  8 10:58:12 2005 : Debug: modcall: entering group authorize for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modcall[authorize]: module "preprocess" returns ok for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modcall[authorize]: module "chap" returns noop for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modcall[authorize]: module "mschap" returns noop for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 0
Mon Aug  8 10:58:12 2005 : Debug:     rlm_realm: No '@' in User-Name = "unrz148", looking up realm NULL
Mon Aug  8 10:58:12 2005 : Debug:     rlm_realm: No such realm "NULL"
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modcall[authorize]: module "suffix" returns noop for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 0
Mon Aug  8 10:58:12 2005 : Debug:   rlm_eap: EAP packet type response id 1 length 12
Mon Aug  8 10:58:12 2005 : Debug:   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modcall[authorize]: module "eap" returns updated for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 0
Mon Aug  8 10:58:12 2005 : Debug:     users: Matched entry DEFAULT at line 40
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modcall[authorize]: module "files" returns ok for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: - authorize
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: performing user authorization for unrz148
Mon Aug  8 10:58:12 2005 : Debug: radius_xlat:  '(Userid=unrz148)'
Mon Aug  8 10:58:12 2005 : Debug: radius_xlat:  'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE'
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: attempting LDAP reconnection
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: (re)connect to 131.188.3.53:400, authentication 0
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: bind as cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE/xaver to 131.188.3.53:400
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: waiting for bind result ...
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: Bind was successful
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrz148)
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: checking if remote access for unrz148 is allowed by uid
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: looking for check items in directory...
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: Adding fauUserid as Password, value unrz148 & op=21
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: Adding description as NT-Password, value 0x925B509D0BD4D37992897EEEC91072C1 & op=21
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: Adding lmPassword as LM-Password, value AC8398A336F64627FDCFC2AFB2D1BE34 & op=21
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: looking for reply items in directory...
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: user unrz148 authorized to use remote access
Mon Aug  8 10:58:12 2005 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modcall[authorize]: module "ldap" returns ok for request 0
Mon Aug  8 10:58:12 2005 : Debug: modcall: group authorize returns updated for request 0
Mon Aug  8 10:58:12 2005 : Debug:   rad_check_password:  Found Auth-Type pap
Mon Aug  8 10:58:12 2005 : Debug: auth: type "PAP"
Mon Aug  8 10:58:12 2005 : Debug:   Processing the authenticate section of radiusd.conf
Mon Aug  8 10:58:12 2005 : Debug: modcall: entering group Auth-Type for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authenticate]: calling pap (rlm_pap) for request 0
Mon Aug  8 10:58:12 2005 : Auth: rlm_pap: Attribute "Password" is required for authentication.
Mon Aug  8 10:58:12 2005 : Debug:   modsingle[authenticate]: returned from pap (rlm_pap) for request 0
Mon Aug  8 10:58:12 2005 : Debug:   modcall[authenticate]: module "pap" returns invalid for request 0
Mon Aug  8 10:58:12 2005 : Debug: modcall: group Auth-Type returns invalid for request 0
Mon Aug  8 10:58:12 2005 : Debug: auth: Failed to validate the user.
Mon Aug  8 10:58:12 2005 : Auth: Login incorrect: [unrz148/<no User-Password attribute>] (from client airbrush port 0 cli 00-20-A6-4D-2C-56)
Mon Aug  8 10:58:12 2005 : Debug: Delaying request 0 for 1 seconds
Mon Aug  8 10:58:12 2005 : Debug: Finished request 0



-- 
--------------------------------------------------------------
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany

Tel.: +499131 8527813
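
Added example, not part of the original post and not FreeRADIUS code: a small Python check that reads the attribute lines of the Access-Request logged above, decodes the EAP-Message header per RFC 3748, and reports when the selected Auth-Type cannot be satisfied by the attributes the request actually carries. The function names and the sample string are assumptions made for this illustration.

```python
import re
import struct

# Constructed sample: attribute lines copied from the Access-Request in the log above.
SAMPLE_REQUEST = """\
        Service-Type = Framed-User
        EAP-Message = 0x0201000c01756e727a313438
        User-Name = "unrz148"
        NAS-Port-Type = Wireless-802.11
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def parse_attributes(text):
    """Return {attribute: value} from 'Name = value' lines of radiusd debug output."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$', line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs

def decode_eap(hex_value):
    """Decode one unfragmented EAP packet: code(1) id(1) length(2) [type(1) data]."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):  # also trips when the packet spans several EAP-Message attributes
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a type byte
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:]
    return pkt

def diagnose(attrs, auth_type):
    """List reasons the chosen Auth-Type cannot work with the received attributes."""
    findings = []
    # Older servers log the attribute as "Password", newer ones as "User-Password".
    if auth_type.upper() == "PAP" and not ({"User-Password", "Password"} & attrs.keys()):
        findings.append("Auth-Type PAP selected but request has no User-Password")
    if "EAP-Message" in attrs and auth_type.upper() != "EAP":
        eap = decode_eap(attrs["EAP-Message"])
        findings.append(f"request carries EAP {eap['code']}/{eap.get('type')} "
                        f"but Auth-Type is {auth_type}")
    return findings
```

Run against the logged request with Auth-Type PAP, it reports both conditions: the packet is an EAP Identity response for unrz148, and it contains no User-Password for rlm_pap to compare.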



