FreeRadius and Openldap authentication
rwakim at mind-techno.fr
Mon Jan 2 11:46:09 CET 2006
Hello,
I'm pretty new to LDAP and RADIUS. I am trying to set up 802.1X authentication,
but I have difficulties getting it to work correctly.
Here is my problem:
When I start the radtest binary:
radtest "test" "supersecret" localhost 2 testing123
Here is the result:
Sending Access-Request of id 45 to 127.0.0.1:1812
User-Name = "test"
User-Password = "supersecret"
NAS-IP-Address = lavoisier
NAS-Port = 2
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=45, length=20
Here is the log on the radius server (Started with radiusd -X):
rad_recv: Access-Request packet from host 127.0.0.1:61292, id=50, length=56
User-Name = "test"
User-Password = "supersecret"
NAS-IP-Address = 255.255.255.255
NAS-Port = 2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 3
users: Matched entry DEFAULT at line 78
users: Matched entry DEFAULT at line 160
modcall[authorize]: module "files" returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat: '(uid=test)'
radius_xlat: 'dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=fr, with filter (uid=test)
rlm_ldap: checking if remote access for test is allowed by radiusFilterId
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFilterId as Filter-Id, value Enterasys:version=1:policy=Enterprise User & op=11
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns ok for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
modcall[authenticate]: module "eap" returns fail for request 3
modcall: group authenticate returns fail for request 3
auth: Failed to validate the user.
Login incorrect: [test] (from client localhost port 2)
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 50 to 127.0.0.1:61292
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 50 with timestamp 43b8f992
Nothing to do. Sleeping until we see a request.
For the moment I have one box running OpenLDAP on Debian/SPARC and one
box running FreeRADIUS on FreeBSD 5.3/SPARC.
The LDAP user info:
dn: cn=test,ou=users, dc=fr
userPassword:: e1NIQX1jTWc1Y3dTazFuUEdMZW56UUw5UEdpV1pHSVU9
ou: ou=mind-techno,dc=fr
objectClass: top
objectClass: person
objectClass: pilotPerson
objectClass: radiusProfile
janetMailbox: test at mind-techno.fr
sn: test
cn: test
The slapd.conf file:
access to dn="cn=.*,dc=fr" attr=userPassword
        by dn="cn=admin,dc=fr" write
        by anonymous auth
        by self write
        by * none
The RADIUS radiusd.conf file:
ldap {
        server = "galilee.mind-techno.fr"
        identity = "cn=emanager,dc=fr"
        password = "XXXXXXXXXXXXXX"
        basedn = "dc=fr"
        filter = "(uid=%u)"
        # base_filter = "(objectclass=radiusprofile)"
        start_tls = no
        access_attr = "radiusFilterId"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        #authtype = ldap
        ldap_connections_number = 5
        password_attribute = "userPassword"
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

authenticate {
        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
        Auth-Type LDAP {
                ldap
        }
        #
        # Allow EAP authentication.
        eap
}
The RADIUS users file:
DEFAULT Auth-Type := EAP
        Fall-Through = 1
        # Reply-Message = "LDAP"
I must admit I'm pretty lost in all this, and any help would be
appreciated.
I would be grateful if you had a how-to or tutorial on how to build an
easy and working 802.1X authentication with a RADIUS/LDAP system.
Best regards,
--
M. Robert Wakim
Mind Technologies
24 rue Victor Hugo
94220 Charenton-Le-Pont
FRANCE
tel : +33 (0)1 41 79 09 40
Fax : +33 (0)1 43 68 80 32
Email : rwakim at mind-techno.fr
web : http://www.mind-techno.fr
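The comment in the posted authenticate section says that LDAP authentication means "check plain-text password against the ldap database", and that EAP cannot supply such a password. The script below is an added example, not code from the post or from FreeRADIUS, showing what that check amounts to for the `userPassword::` value in the posted LDIF: decode the base64 attribute, read the RFC 2307 `{SCHEME}` prefix, hash the candidate the same way and compare digests. Only a request that carries a cleartext User-Password (as radtest's PAP request does) can ever reach this comparison; an EAP conversation delivers no cleartext, so a hashed userPassword cannot be verified through it. The `{SSHA}` helper, the sample password and the salt are constructed for the example and are not from the page; the posted hash is only parsed, no password for it is assumed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample input: the userPassword line from the posted LDIF.
# The '::' form means the attribute value is base64-encoded.
POSTED_LDIF_LINE = "userPassword:: e1NIQX1jTWc1Y3dTazFuUEdMZW56UUw5UEdpV1pHSVU9"


def decode_ldif_attr(line: str) -> Tuple[str, str]:
    """Split an LDIF attribute line into (name, value); '::' marks a base64 value."""
    if "::" in line:
        name, value = line.split("::", 1)
        return name.strip(), base64.b64decode(value.strip()).decode("utf-8")
    name, value = line.split(":", 1)
    return name.strip(), value.strip()


def parse_scheme(user_password: str) -> Tuple[str, bytes]:
    """Return (scheme, raw bytes) for an RFC 2307 style '{SCHEME}base64' value.
    A value without a scheme prefix is stored in the clear."""
    if not user_password.startswith("{") or "}" not in user_password:
        return "CLEARTEXT", user_password.encode("utf-8")
    scheme, _, encoded = user_password[1:].partition("}")
    return scheme.upper(), base64.b64decode(encoded)


def make_sha(password: str) -> str:
    """Unsalted {SHA} value, the scheme used by the posted entry."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} value in the layout OpenLDAP uses: SHA1(password + salt) || salt.
    The salt argument exists so tests can be deterministic (hypothetical helper)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_user_password(candidate: str, user_password: str) -> bool:
    """Compare a cleartext candidate against a stored userPassword value.
    This is the kind of check a PAP request can satisfy; an EAP exchange
    never hands the server the cleartext, so this function cannot be run for it."""
    scheme, raw = parse_scheme(user_password)
    candidate_bytes = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(raw, candidate_bytes)
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(candidate_bytes).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(digest, hashlib.sha1(candidate_bytes + salt).digest())
    raise ValueError(f"unsupported userPassword scheme {scheme!r}")


if __name__ == "__main__":
    name, value = decode_ldif_attr(POSTED_LDIF_LINE)
    scheme, digest = parse_scheme(value)
    print(f"{name}: scheme={scheme} digest_len={len(digest)}")
    stored = make_ssha("constructed-password")
    print("correct:", verify_user_password("constructed-password", stored))
    print("wrong:  ", verify_user_password("not-the-password", stored))
```

Running it reports that the posted entry uses the unsalted SHA scheme with a 20-byte digest, then verifies a constructed SSHA entry with the right and a wrong password. Unsalted {SHA} lets identical passwords produce identical stored values; {SSHA} (what slappasswd emits by default) avoids that, and the directory ACL in the post already restricts who may read the attribute at all.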