WLAN 802.1x FreeRadius with LDAP

Christian Poessinger christian at poessinger.com
Sat Nov 26 14:50:30 CET 2005


Hello folks, I want to do a setup with an HP Procurve 520wl
Access Point, OpenLDAP and FreeRadius with 802.1x and users
in my LDAP backend. LDAP and Radius work fine; when I do a

radtest user pass radius.domain.tld 0 secret

I get an Access-Accept packet back. Now I have configured my AP to
use the Radius server for 802.1x auth; when I want to log on
to the WLAN I enter my user and pass that just worked with
radtest, but I receive an Access-Reject packet. This is really
strange because the Radius debug mode tells me the LDAP connection
was successful. I use clear passwords in the backend, so there
should be no problem.

Does anyone have an idea about my problem?

Here is the Radius debug message with the Access-Reject packet:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat:  '(uid=user)'
radius_xlat:  'ou=people,dc=domain,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter
(uid=user)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 11 to xxx.xxx.164.26:6001
        EAP-Message =
0x0105040619407c917840ad1cf254e5ca549ca9b1053de4de1e704dc6eb9cec86a35eafabe5
2f60e8ee1a9697a755a713be14acd2db7f3402acb70864e3139ef470c900d024f2fd0f455b94
028c87d7a170ce86f302e35c4e658d09f17016227f0003cf308203cb30820334a00302010202
0900927540ab5d693004300d06092a864886f70d01010405003081a0310b3009060355040613
0244453110300e06035504081307426176617269613112301006035504071309577565727a62
75726731163014060355040a130d4765466f656b6f4d20652e562e31193017060355040b1310
4765466f656b6f4d20652e562e20434131193017060355040313
        EAP-Message =
0x104765466f656b6f4d20652e562e204341311d301b06092a864886f70d010901160e636140
6765666f656b6f6d2e6465301e170d3035303531363137313832335a170d3036303531363137
313832335a3081a0310b30090603550406130244453110300e06035504081307426176617269
613112301006035504071309577565727a6275726731163014060355040a130d4765466f656b
6f4d20652e562e31193017060355040b13104765466f656b6f4d20652e562e20434131193017
060355040313104765466f656b6f4d20652e562e204341311d301b06092a864886f70d010901
160e6361406765666f656b6f6d2e646530819f300d06092a8648
        EAP-Message =
0x86f70d010101050003818d0030818902818100c8124b32b761710b8c576a5b8f566a1dd8cc
97c423dfd8901cd58b9e90960328233879b3a09ebda855dbaa4376c00318ebc1767173051ae1
5995a1d41c9a6289707d5f7dd1e608ca5071e2aeb99092204f9386789c9ec8d5f754a26e9940
297ffbe547b5d0cf5ee16566abcc7578e25ac6a3b5e57befee43f2828174d27db19f02030100
01a382010930820105301d0603551d0e04160414ac6e4891d5a749d6548d7eda627ca2d64d12
d2693081d50603551d230481cd3081ca8014ac6e4891d5a749d6548d7eda627ca2d64d12d269
a181a6a481a33081a0310b30090603550406130244453110300e
        EAP-Message =
0x06035504081307426176617269613112301006035504071309577565727a62757267311630
14060355040a130d4765466f656b6f4d20652e562e31193017060355040b13104765466f656b
6f4d20652e562e20434131193017060355040313104765466f656b6f4d20652e562e20434131
1d301b06092a864886f70d010901160e6361406765666f656b6f6d2e6465820900927540ab5d
693004300c0603551d13040530030101ff300d06092a864886f70d0101040500038181004a36
34f23e46d180ec87122ee39ba0c6757d22a23ec39a38e3f282e82efb7428b83d04f665e28b00
e99a88217803c1abb4a0bc90fe6a51a37eec1c1868853a5436d5
        EAP-Message = 0x9035f217c35ab4d53d6f1e3d11cdeabc9f77
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc479631c6d6d413371d8af0ebf14ac4f
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host xxx.xxx.164.26:6001, id=12,
length=155
        User-Name = "user"
        NAS-IP-Address = xxx.xxx.1.66
        Called-Station-Id = "00-08-88-12-2e-3f"
        Calling-Station-Id = "00-0d-37-ab-2f-c7"
        NAS-Identifier = "ORiNOCO-AP-2000-00-02-00"
        State = 0xc479631c6d6d413371d8af0ebf14ac4f
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020500061900
        Message-Authenticator = 0xb07e446b64197c49b0ebaca6e799dc53
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat:  '(uid=user)'
radius_xlat:  'ou=people,dc=domain,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter
(uid=user)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 12 to xxx.xxx.164.26:6001
        EAP-Message =
0x0106003b1900715e896f163c5ccb279cd28b82295a1bd493ac86f6ffe4733d43f380f4871b
567d14ecb8d5171f15de61995e16030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xccbffd45885465294711dc5bf8395320
Finished request 3
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host xxx.xxx.164.26:6001, id=13,
length=341
        User-Name = "user"
        NAS-IP-Address = xxx.xxx.1.66
        Called-Station-Id = "00-08-88-12-2e-3f"
        Calling-Station-Id = "00-0d-37-ab-2f-c7"
        NAS-Identifier = "ORiNOCO-AP-2000-00-02-00"
        State = 0xccbffd45885465294711dc5bf8395320
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x020600c01980000000b616030100861000008200801942772db96a99e5e538cb1d5d208967
b1353ea1158512bb1bd050ab7e2aca218fe43e45fbb41a076a2a0dad179b456de8d7afce55b7
c72e125ebe3bb4c42ff4804ded92a10e29c9f021a9dcfe7cac9c60fc41d1be343c7cb74b2889
5a5855e476b79b5db1fea73e1d0615baa9bfcca6004b37f7ebc2ef0f54e6d38ba0c57a631403
010001011603010020340f13326352d4d4b739b0a1d5350db6b211be3d1b16345f3429ce4875
18e879
        Message-Authenticator = 0x1379379ef003130e6e5d8bc4ea849160
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 6 length 192
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat:  '(uid=user)'
radius_xlat:  'ou=people,dc=domain,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter
(uid=user)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 13 to xxx.xxx.164.26:6001
        EAP-Message =
0x0107003119001403010001011603010020eb7dbacfe1675927e1f3fcf8e5f61914d375ca69
10fcded8e503adb2dbfccbff
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xbe4b1111c47a456a9bbe659aa28a4911
Finished request 4
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host xxx.xxx.164.26:6001, id=14,
length=182
        User-Name = "user"
        NAS-IP-Address = xxx.xxx.1.66
        Called-Station-Id = "00-08-88-12-2e-3f"
        Calling-Station-Id = "00-0d-37-ab-2f-c7"
        NAS-Identifier = "ORiNOCO-AP-2000-00-02-00"
        State = 0xbe4b1111c47a456a9bbe659aa28a4911
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x020700211980000000171503010012a389dbe218dce122f0104ff21769ccb64b2b
        Message-Authenticator = 0xca07ce402c4e46c7342a2abc05383cab
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 7 length 33
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat:  '(uid=user)'
radius_xlat:  'ou=people,dc=domain,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=domain,dc=de, with filter
(uid=user)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host xxx.xxx.164.26:6001, id=14,
length=182
Sending Access-Reject of id 14 to xxx.xxx.164.26:6001
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 9 with timestamp 43886940
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 10 with timestamp 43886941
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 11 with timestamp 43886942
Cleaning up request 3 ID 12 with timestamp 43886942
Cleaning up request 4 ID 13 with timestamp 43886942
Cleaning up request 5 ID 14 with timestamp 43886942
Nothing to do.  Sleeping until we see a request.
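What the trace above actually shows is visible in the EAP-Message bytes themselves. The following decoder is an added example for this post; it is not part of the original message and not FreeRADIUS code. It walks the EAP-PEAP frames copied verbatim from the EAP-Message attributes of Access-Request ids 12-14 and Access-Challenge ids 12-13 (plus the final Access-Reject), checks each EAP length field, decodes the PEAP flag byte (L = length included, M = more fragments) and splits the carried TLS data into records. The one assumption is SERVER_CONTINUING: the challenge before the reproduced ones (EAP id 5, 1030 bytes, flags 0x40) had the M bit set and is not copied here, so the server-side stream is seeded as "inside a fragmented message". The result for this trace is that the client sends ClientKeyExchange, ChangeCipherSpec and Finished, the server answers ChangeCipherSpec and Finished (handshake complete), and the client's next record is an encrypted TLS alert rather than the application-data record that would carry the tunnelled inner EAP identity; the alert description is encrypted on the wire, and it is the server's own log line ("TLS Alert read:fatal:access denied") that names it. In other words, the inner (password) authentication, and thus the LDAP password comparison that radtest exercises, never ran; a supplicant that refuses the server's certificate is a common producer of exactly this pattern, though the trace does not prove that by itself.

```python
"""Decode the EAP-PEAP frames of the FreeRADIUS trace above: EAP header, PEAP
flags and the TLS record types carried.  Added example, not FreeRADIUS code;
hex copied from the EAP-Message attributes, SERVER_CONTINUING is an assumption."""
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_PEAP, FLAG_L, FLAG_M = 25, 0x80, 0x40   # PEAP flags: Length, More
RECORD_TYPES = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake",
                0x17: "ApplicationData"}
HANDSHAKE_TYPES = {0x02: "ServerHello", 0x0b: "Certificate",
                   0x0e: "ServerHelloDone", 0x10: "ClientKeyExchange"}

# Client -> server: EAP-Message of Access-Request ids 12, 13 and 14.
CLIENT_FRAMES = [
    "020500061900",
    "020600c01980000000b616030100861000008200801942772db96a99e5e538cb1d5d208967"
    "b1353ea1158512bb1bd050ab7e2aca218fe43e45fbb41a076a2a0dad179b456de8d7afce55b7"
    "c72e125ebe3bb4c42ff4804ded92a10e29c9f021a9dcfe7cac9c60fc41d1be343c7cb74b2889"
    "5a5855e476b79b5db1fea73e1d0615baa9bfcca6004b37f7ebc2ef0f54e6d38ba0c57a631403"
    "010001011603010020340f13326352d4d4b739b0a1d5350db6b211be3d1b16345f3429ce4875"
    "18e879",
    "020700211980000000171503010012a389dbe218dce122f0104ff21769ccb64b2b",
]
# Server -> client: Access-Challenge ids 12 and 13, then the Access-Reject.
SERVER_FRAMES = [
    "0106003b1900715e896f163c5ccb279cd28b82295a1bd493ac86f6ffe4733d43f380f4871b"
    "567d14ecb8d5171f15de61995e16030100040e000000",
    "0107003119001403010001011603010020eb7dbacfe1675927e1f3fcf8e5f61914d375ca69"
    "10fcded8e503adb2dbfccbff",
    "04070004",
]
# Assumption: the challenge before these (EAP id 5, flags 0x40 = More set) is
# not reproduced here, so the server stream starts inside a fragmented message.
SERVER_CONTINUING = True

def parse_records(data):
    """Split a buffer holding only complete TLS records into (type, body)."""
    out, pos = [], 0
    while pos < len(data):
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        if pos + 5 + length > len(data) or data[pos + 1] != 3:  # major version
            raise ValueError("bad or truncated TLS record at offset %d" % pos)
        out.append((data[pos], data[pos + 5:pos + 5 + length]))
        pos += 5 + length
    return out

class PeapStream:
    """Per-direction state: fragment reassembly, and whether this side's
    records are encrypted yet (everything after its ChangeCipherSpec is)."""
    def __init__(self, continuing=False):
        self.continuing, self.encrypted = continuing, False

    def decode(self, hexstr):
        raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
        length = int.from_bytes(raw[2:4], "big")
        if length != len(raw):
            raise ValueError("EAP length %d, %d bytes present" % (length, len(raw)))
        fr = {"code": EAP_CODES.get(raw[0], str(raw[0])), "id": raw[1],
              "flags": 0, "tls_len": None, "records": [], "note": ""}
        if length == 4:                       # Success/Failure: header only
            return fr
        if raw[4] != EAP_TYPE_PEAP:
            raise ValueError("EAP type %d is not PEAP" % raw[4])
        fr["flags"], body = raw[5], raw[6:]
        if fr["flags"] & FLAG_L:              # 4-byte total TLS message length
            fr["tls_len"], body = int.from_bytes(body[:4], "big"), body[4:]
        if not body:
            fr["note"] = "PEAP ACK (no TLS data)"
        elif self.continuing:
            fr["note"] = "continuation fragment, %d bytes" % len(body)
        else:
            fr["records"] = [self.label(t, b) for t, b in parse_records(body)]
        self.continuing = bool(fr["flags"] & FLAG_M)
        return fr

    def label(self, rtype, body):
        name = RECORD_TYPES.get(rtype, "type 0x%02x" % rtype)
        if rtype == 0x14:
            self.encrypted = True
        elif rtype == 0x16 and not self.encrypted:
            name += ":" + HANDSHAKE_TYPES.get(body[0], "type %d" % body[0])
        elif rtype == 0x16:
            name += ":Finished(encrypted)"     # first handshake msg after CCS
        elif self.encrypted:
            name += ":encrypted"
        return name

def decode_trace():
    cli, srv = PeapStream(), PeapStream(continuing=SERVER_CONTINUING)
    return ([cli.decode(h) for h in CLIENT_FRAMES],
            [srv.decode(h) for h in SERVER_FRAMES])

def diagnose(client, server):
    """Say where the PEAP conversation stopped, from record types alone."""
    crec = [r for f in client for r in f["records"]]
    srec = [r for f in server for r in f["records"]]
    done = "ChangeCipherSpec" in crec and "ChangeCipherSpec" in srec
    inner = any(r.startswith("ApplicationData") for r in crec)
    last = crec[-1] if crec else ""
    if done and not inner and last.startswith("Alert"):
        verdict = ("outer TLS handshake completed, then the client sent a TLS "
                   "alert instead of tunnelled EAP: inner auth never started")
    else:
        verdict = ("outer TLS handshake did not complete" if not done
                   else "tunnel established; inspect the inner EAP records")
    return {"handshake_done": done, "inner_eap_seen": inner,
            "last_client_record": last, "verdict": verdict}
```

Calling diagnose(*decode_trace()) on the frames above returns handshake_done True, inner_eap_seen False and last_client_record "Alert:encrypted". The design point is that the decoder only labels what is in cleartext: handshake message types before ChangeCipherSpec, record content types afterwards. It never claims to read the alert's description, which is why the verdict is phrased in terms of "no tunnelled data" and the server log is needed for the "access denied" detail.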





More information about the Freeradius-Users mailing list