Freeradius as Authenticator
Florian Prester
Florian.Prester at rrze.uni-erlangen.de
Mon Aug 8 11:04:54 CEST 2005
Alan DeKok wrote:
>Florian Prester <Florian.Prester at rrze.uni-erlangen.de> wrote:
>
>> With MSCHAP we are using the NT-password (I know it is not really
>> crypted, but still better than cleartext!)
>
> That's a common misconception.
>
>> Now, how can I use PAP authentication with EAP-TTLS?
>
> Tell the client to use it. The server has NO control over whether
> the client uses PAP or not.
>
>> Thu Aug 4 08:44:33 2005 : Debug: rad_check_password: Found Auth-Type LDAP
>> Thu Aug 4 08:44:33 2005 : Debug: auth: type "LDAP"
>> Thu Aug 4 08:44:33 2005 : Debug: ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
>
> Yeah, the LDAP module sets Auth-Type itself, and it can end up
> causing problems. The work-around is to set Auth-Type to PAP. i.e.
>
> DEFAULT Auth-Type = PAP
>
> Alan DeKok.
Hm,
ok, if I set PAP for the client it still does not work!
I got a User-Password by ldap.attrmap.
The passwords match!
But the radius-server does not see the password-attribute.
With a local user (configured in the users-file) and the same
client-setup everything works fine.
So I think there must be a problem with the ldap-interaction?
Any help would be great,
thanks
Florian
radius-log:
rad_recv: Access-Request packet from host 131.188.4.191:20000, id=158, length=140
    NAS-Port-Id = "5/1"
    Calling-Station-Id = "00-20-A6-4D-2C-56"
    Called-Station-Id = "00-0B-0E-2F-E2-C0:FAU-SEC"
    Service-Type = Framed-User
    EAP-Message = 0x0201000c01756e727a313438
    User-Name = "unrz148"
    NAS-Identifier = "Trapeze"
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 131.188.4.191
    Message-Authenticator = 0xa761418a4abdbb324b10b31c653fed52
Mon Aug 8 10:58:12 2005 : Debug: Processing the authorize section of radiusd.conf
Mon Aug 8 10:58:12 2005 : Debug: modcall: entering group authorize for request 0
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Mon Aug 8 10:58:12 2005 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Mon Aug 8 10:58:12 2005 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Mon Aug 8 10:58:12 2005 : Debug: modcall[authorize]: module "mschap" returns noop for request 0
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Mon Aug 8 10:58:12 2005 : Debug: rlm_realm: No '@' in User-Name = "unrz148", looking up realm NULL
Mon Aug 8 10:58:12 2005 : Debug: rlm_realm: No such realm "NULL"
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Mon Aug 8 10:58:12 2005 : Debug: modcall[authorize]: module "suffix" returns noop for request 0
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Mon Aug 8 10:58:12 2005 : Debug: rlm_eap: EAP packet type response id 1 length 12
Mon Aug 8 10:58:12 2005 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Mon Aug 8 10:58:12 2005 : Debug: modcall[authorize]: module "eap" returns updated for request 0
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Mon Aug 8 10:58:12 2005 : Debug: users: Matched entry DEFAULT at line 40
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Mon Aug 8 10:58:12 2005 : Debug: modcall[authorize]: module "files" returns ok for request 0
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: - authorize
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: performing user authorization for unrz148
Mon Aug 8 10:58:12 2005 : Debug: radius_xlat: '(Userid=unrz148)'
Mon Aug 8 10:58:12 2005 : Debug: radius_xlat: 'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE'
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: attempting LDAP reconnection
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: (re)connect to 131.188.3.53:400, authentication 0
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: bind as cn=florian,ou=allro,ou=AAAdsadm,o=Universitaet Erlangen-Nuernberg,c=DE/xaver to 131.188.3.53:400
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: waiting for bind result ...
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: Bind was successful
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE , with filter (Userid=unrz148)
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: checking if remote access for unrz148 is allowed by uid
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: looking for check items in directory...
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: Adding fauUserid as Password, value unrz148 & op=21
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: Adding description as NT-Password, value 0x925B509D0BD4D37992897EEEC91072C1 & op=21
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: Adding lmPassword as LM-Password, value AC8398A336F64627FDCFC2AFB2D1BE34 & op=21
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: looking for reply items in directory...
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: user unrz148 authorized to use remote access
Mon Aug 8 10:58:12 2005 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Mon Aug 8 10:58:12 2005 : Debug: modcall[authorize]: module "ldap" returns ok for request 0
Mon Aug 8 10:58:12 2005 : Debug: modcall: group authorize returns updated for request 0
Mon Aug 8 10:58:12 2005 : Debug: rad_check_password: Found Auth-Type pap
Mon Aug 8 10:58:12 2005 : Debug: auth: type "PAP"
Mon Aug 8 10:58:12 2005 : Debug: Processing the authenticate section of radiusd.conf
Mon Aug 8 10:58:12 2005 : Debug: modcall: entering group Auth-Type for request 0
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 0
Mon Aug 8 10:58:12 2005 : Auth: rlm_pap: Attribute "Password" is required for authentication.
Mon Aug 8 10:58:12 2005 : Debug: modsingle[authenticate]: returned from pap (rlm_pap) for request 0
Mon Aug 8 10:58:12 2005 : Debug: modcall[authenticate]: module "pap" returns invalid for request 0
Mon Aug 8 10:58:12 2005 : Debug: modcall: group Auth-Type returns invalid for request 0
Mon Aug 8 10:58:12 2005 : Debug: auth: Failed to validate the user.
Mon Aug 8 10:58:12 2005 : Auth: Login incorrect: [unrz148/<no User-Password attribute>] (from client airbrush port 0 cli 00-20-A6-4D-2C-56)
Mon Aug 8 10:58:12 2005 : Debug: Delaying request 0 for 1 seconds
Mon Aug 8 10:58:12 2005 : Debug: Finished request 0
--
--------------------------------------------------------------
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany
Tel.: +499131 8527813
More information about the Freeradius-Users
mailing list