wireless - freeradius - MS ldap

Alhagie Puye APuye at datawave.com
Tue Jan 3 21:03:03 CET 2006


Send the output ***DURING*** authentication........

The information you are sending is useless to anyone.

We are interested in what the server is saying during
authentication.....

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817  

> >-----Original Message-----
> >From: 
> >freeradius-users-bounces+apuye=datawave.com at lists.freeradius.
> >org 
> >[mailto:freeradius-users-bounces+apuye=datawave.com at lists.fre
> >eradius.org] On Behalf Of Dickson, John
> >Sent: January 3, 2006 11:41 AM
> >To: FreeRadius users mailing list
> >Subject: RE: wireless - freeradius - MS ldap 
> >
> >I sent this out earlier.
> >John
> >
> >[root at magellan john]# /usr/local/sbin/radiusd  -X -A 
> >Starting - reading configuration files ...
> >reread_config:  reading radiusd.conf
> >Config:   including file: /etc/raddb/clients.conf
> >Config:   including file: /etc/raddb/snmp.conf
> >Config:   including file: /etc/raddb/eap.conf
> >Config:   including file: /etc/raddb/sql.conf
> > main: prefix = "/usr"
> > main: localstatedir = "/var"
> > main: logdir = "/var/log/radius"
> > main: libdir = "/usr/lib"
> > main: radacctdir = "/var/log/radius/radacct"
> > main: hostname_lookups = no
> > main: max_request_time = 30
> > main: cleanup_delay = 5
> > main: max_requests = 1024
> > main: delete_blocked_requests = 0
> > main: port = 0
> > main: allow_core_dumps = no
> > main: log_stripped_names = no
> > main: log_file = "/var/log/radius/radius.log"
> > main: log_auth = no
> > main: log_auth_badpass = no
> > main: log_auth_goodpass = no
> > main: pidfile = "/var/run/radiusd/radiusd.pid"
> > main: user = "nobody"
> > main: group = "nobody"
> > main: usercollide = no
> > main: lower_user = "no"
> > main: lower_pass = "no"
> > main: nospace_user = "no"
> > main: nospace_pass = "no"
> > main: checkrad = "/usr/sbin/checkrad"
> > main: proxy_requests = yes
> > security: max_attributes = 200
> > security: reject_delay = 1
> > security: status_server = no
> > main: debug_level = 0
> >read_config_files:  reading dictionary
> >read_config_files:  reading naslist
> >Using deprecated naslist file.  Support for this will go away soon.
> >read_config_files:  reading clients
> >read_config_files:  reading realms
> >radiusd:  entering modules setup
> >Module: Library search path is /usr/lib
> >Module: Loaded exec
> > exec: wait = yes
> > exec: program = "(null)"
> > exec: input_pairs = "request"
> > exec: output_pairs = "(null)"
> > exec: packet_type = "(null)"
> >rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> >Module: Instantiated exec (exec)
> >Module: Loaded expr
> >Module: Instantiated expr (expr)
> >Module: Loaded LDAP
> > ldap: server = "ssotest.mccsso.mccneb.edu"
> > ldap: port = 389
> > ldap: net_timeout = 1
> > ldap: timeout = 4
> > ldap: timelimit = 3
> > ldap: identity = "dmadmin1""
> > ldap: tls_mode = no
> > ldap: start_tls = no
> > ldap: tls_cacertfile = "(null)"
> > ldap: tls_cacertdir = "(null)"
> > ldap: tls_certfile = "(null)"
> > ldap: tls_keyfile = "(null)"
> > ldap: tls_randfile = "(null)"
> > ldap: tls_require_cert = "allow"
> > ldap: password = "rDkf at mh"
> > ldap: basedn = "ou=Metro users,dc=mccsso,dc=mccneb,dc=edu"
> > ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> > ldap: base_filter = "(objectclass=radiusprofile)"
> > ldap: default_profile = "(null)"
> > ldap: profile_attribute = "(null)"
> > ldap: password_header = "(null)"
> > ldap: password_attribute = "(null)"
> > ldap: access_attr = "dialupAccess"
> > ldap: groupname_attribute = "cn"
> > ldap: groupmembership_filter =
> >"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(obj
> >ectClass=Gr
> >oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> > ldap: groupmembership_attribute = "(null)"
> > ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
> > ldap: ldap_debug = 0
> > ldap: ldap_connections_number = 5
> > ldap: compare_check_items = no
> > ldap: access_attr_used_for_allow = yes
> > ldap: do_xlat = yes
> >rlm_ldap: Registering ldap_groupcmp for Ldap-Group
> >rlm_ldap: Registering ldap_xlat with xlat_name ldap
> >rlm_ldap: reading ldap<->radius mappings from file 
> >/etc/raddb/ldap.attrmap
> >rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
> >rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
> >rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
> >rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS 
> >Simultaneous-Use
> >rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS 
> >Called-Station-Id
> >rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS 
> >Calling-Station-Id
> >rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
> >rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
> >rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
> >rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
> >rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
> >rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
> >rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS 
> >Framed-IP-Address
> >rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS 
> >Framed-IP-Netmask
> >rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
> >rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
> >rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
> >rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
> >rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS 
> >Framed-Compression
> >rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
> >rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
> >rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
> >rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
> >rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
> >rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS 
> >Framed-IPX-Network
> >rlm_ldap: LDAP radiusClass mapped to RADIUS Class
> >rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
> >rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
> >rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS 
> >Termination-Action
> >rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS 
> >Login-LAT-Service
> >rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
> >rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
> >rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS 
> >Framed-AppleTalk-Link
> >rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS 
> >Framed-AppleTalk-Network
> >rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS 
> >Framed-AppleTalk-Zone
> >rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
> >rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
> >conns: 0x8d5c4d0
> >Module: Instantiated ldap (ldap)
> >Module: Loaded preprocess
> > preprocess: huntgroups = "/etc/raddb/huntgroups"
> > preprocess: hints = "/etc/raddb/hints"
> > preprocess: with_ascend_hack = no
> > preprocess: ascend_channels_per_line = 23
> > preprocess: with_ntdomain_hack = no
> > preprocess: with_specialix_jetstream_hack = no
> > preprocess: with_cisco_vsa_hack = no
> >Module: Instantiated preprocess (preprocess)
> >Module: Loaded Acct-Unique-Session-Id
> > acct_unique: key = "User-Name, Acct-Session-Id, 
> >NAS-IP-Address, Client-IP-Address, NAS-Port"
> >Module: Instantiated acct_unique (acct_unique)
> >Module: Loaded realm
> > realm: format = "suffix"
> > realm: delimiter = "@"
> > realm: ignore_default = no
> > realm: ignore_null = no
> >Module: Instantiated realm (suffix)
> >Module: Loaded files
> > files: usersfile = "/etc/raddb/users"
> > files: acctusersfile = "/etc/raddb/acct_users"
> > files: preproxy_usersfile = "/etc/raddb/preproxy_users"
> > files: compat = "no"
> >Module: Instantiated files (files)
> >Module: Loaded detail
> > detail: detailfile =
> >"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> > detail: detailperm = 384
> > detail: dirperm = 493
> > detail: locking = no
> >Module: Instantiated detail (detail)
> >Module: Loaded System
> > unix: cache = no
> > unix: passwd = "(null)"
> > unix: shadow = "/etc/shadow"
> > unix: group = "(null)"
> > unix: radwtmp = "/var/log/radius/radwtmp"
> > unix: usegroup = no
> > unix: cache_reload = 600
> >Module: Instantiated unix (unix)
> >Module: Loaded radutmp
> > radutmp: filename = "/var/log/radius/radutmp"
> > radutmp: username = "%{User-Name}"
> > radutmp: case_sensitive = yes
> > radutmp: check_with_nas = yes
> > radutmp: perm = 384
> > radutmp: callerid = yes
> >Module: Instantiated radutmp (radutmp)
> >Module: Loaded eap
> > eap: default_eap_type = "md5"
> > eap: timer_expire = 60
> > eap: ignore_unknown_eap_types = no
> > eap: cisco_accounting_username_bug = no
> >rlm_eap: Loaded and initialized type md5
> >rlm_eap: Loaded and initialized type leap
> > gtc: challenge = "Password: "
> > gtc: auth_type = "PAP"
> >rlm_eap: Loaded and initialized type gtc
> > mschapv2: with_ntdomain_hack = no
> >rlm_eap: Loaded and initialized type mschapv2
> >Module: Instantiated eap (eap)
> >Listening on authentication *:1812
> >Listening on accounting *:1813
> >Ready to process requests. 
> >
> >-----Original Message-----
> >From: 
> >freeradius-users-bounces+jdickson2=mccneb.edu at lists.freeradius.org
> >[mailto:freeradius-users-bounces+jdickson2=mccneb.edu at lists.f
> >reeradius.o
> >rg] On Behalf Of Alhagie Puye
> >Sent: Tuesday, January 03, 2006 1:16 PM
> >To: FreeRadius users mailing list
> >Subject: RE: wireless - freeradius - MS ldap 
> >
> >John,
> >
> >Just run "radiusd -X -A" on the FreeRADIUS server and then 
> >try authenticating against it.
> >
> >You should see a lot of debug information. Send the output 
> >to the list.....that would be more helpful.
> >
> >Thanks,
> >
> >Alhagie Puye - Network Engineer
> >Datawave Group of Companies
> >(604)295-1817  
> >
> >> >-----Original Message-----
> >> >From: 
> >> >freeradius-users-bounces+apuye=datawave.com at lists.freeradius.
> >> >org
> >> >[mailto:freeradius-users-bounces+apuye=datawave.com at lists.fre
> >> >eradius.org] On Behalf Of Dickson, John
> >> >Sent: January 3, 2006 10:58 AM
> >> >To: FreeRadius users mailing list
> >> >Subject: RE: wireless - freeradius - MS ldap
> >> >
> >> >I don't know. I thought I was sending enough information.
> >> >
> >> >I was using this link to setup...it's my first.
> >> >http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/radius.html
> >> >
> >> >What is confusing me is where configuration is applied to receive 
> >> >requests (cisco router) and where applied to pass 
> >> >requests (MS ldap).
> >> >
> >> >-----Original Message-----
> >> >From: 
> >> >freeradius-users-bounces+jdickson2=mccneb.edu at lists.freeradius.org
> >> >[mailto:freeradius-users-bounces+jdickson2=mccneb.edu at lists.f
> >> >reeradius.o
> >> >rg] On Behalf Of Alan DeKok
> >> >Sent: Tuesday, January 03, 2006 11:55 AM
> >> >To: FreeRadius users mailing list
> >> >Subject: Re: wireless - freeradius - MS ldap
> >> >
> >> >"Dickson, John" <JDickson2 at mccneb.edu> wrote:
> >> >> OK. In the radius.conf under module configuration I have "ldap"
> >> >> information pointing to the LDAP server and the
> >> >authentication fails.
> >> >
> >> >  The debug log you posted doesn't show that.  In fact, it shows 
> >> >pretty much nothing useful.  You've taken care to
> >> >*not* show the results from radtest, so all anyone can see is:
> >> >
> >> >  a) your radius server starts
> >> >  b) radtest sends packets.
> >> >
> >> >  They don't see:
> >> >
> >> >  c) radiusd *receiving* packets
> >> >  d) radtest receiving a response
> >> >
> >> >  How the heck can anyone help you without that information?
> >> >
> >> >  Alan DeKok.
> >> >-
> >> >List info/subscribe/unsubscribe? See
> >> >http://www.freeradius.org/list/users.html
> >> >
> >
> >
> >This message (including any attachments) is confidential, 
> >may be privileged and is only intended for the person to 
> >whom it is addressed.
> >If you have received it by mistake please notify the sender 
> >by return e-mail and delete this message from your system.  
> >Any unauthorized use or dissemination of this message in 
> >whole or in part is strictly prohibited.  E-mail 
> >communications are inherently vulnerable to interception by 
> >unauthorized parties and are susceptible to change.  We will 
> >use alternate communication means upon request.
> >


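The thread asks for the debug output covering the authentication exchange, and the capture already posted shows why such output should be scrubbed before it goes to a public list: the module setup dump prints the LDAP bind password in clear. The script below is an added example, not code from this thread or from the FreeRADIUS project. It checks a `radiusd -X` capture for the phases Alan DeKok lists (server started, Access-Request received, response sent) and redacts bind passwords and password-carrying attributes before the text is shared. The sample capture, host, user and credentials are constructed, and the line formats it matches (`rad_recv: ... packet from host`, `Sending Access-... of id`) are assumed to follow FreeRADIUS 1.x debug output.

```python
import re

# Constructed sample in the style of a FreeRADIUS 1.x "radiusd -X" capture:
# a fragment of module setup, then one authentication round trip.
# Host, bind DN, user and passwords are made up for this example.
SAMPLE_DEBUG = """\
Module: Loaded LDAP
 ldap: server = "ldap.example.test"
 ldap: identity = "cn=binduser,dc=example,dc=test"
 ldap: password = "S3cretBindPw"
 ldap: start_tls = no
Ready to process requests.
rad_recv: Access-Request packet from host 192.0.2.10:1645, id=7, length=62
        User-Name = "jdoe"
        User-Password = "hunter2"
        NAS-IP-Address = 192.0.2.10
rlm_ldap: bind as cn=binduser,dc=example,dc=test to ldap.example.test:389
Sending Access-Reject of id 7 to 192.0.2.10:1645
"""

# Module configuration secrets printed at startup, e.g. ' ldap: password = "..."'
CONFIG_SECRET = re.compile(
    r'^([ \t]*\w+: (?:password|secret) = ")[^"]*(")', re.MULTILINE)

# Request/reply attributes that carry a credential or offline-crackable material
ATTR_SECRET = re.compile(
    r'^([ \t]*(?:User-Password|Cleartext-Password|NT-Password|LM-Password|'
    r'CHAP-Password|MS-CHAP-Challenge|MS-CHAP2?-Response) = )\S.*$',
    re.MULTILINE)


def redact(debug_text):
    """Replace secret values in a debug capture, keeping the attribute names."""
    debug_text = CONFIG_SECRET.sub(r'\1[REDACTED]\2', debug_text)
    debug_text = ATTR_SECRET.sub(r'\1[REDACTED]', debug_text)
    return debug_text


def check_capture(debug_text):
    """Report which phases of an authentication round trip the capture shows.

    Line formats are assumed from FreeRADIUS 1.x debug output.
    """
    return {
        "startup": "Ready to process requests." in debug_text,
        "request_received": re.search(
            r'^rad_recv: Access-Request packet from host',
            debug_text, re.MULTILINE) is not None,
        "response_sent": re.search(
            r'^Sending Access-(?:Accept|Reject|Challenge) of id',
            debug_text, re.MULTILINE) is not None,
    }


def missing_phases(debug_text):
    """Names of the phases a capture lacks; empty when it is fit to post."""
    return [name for name, seen in check_capture(debug_text).items() if not seen]


if __name__ == "__main__":
    # A startup-only capture, like the one in this thread, is flagged as incomplete
    startup_only = "Ready to process requests.\n"
    print("startup-only capture is missing:", missing_phases(startup_only))
    # The full sample passes the phase check and is printed with secrets removed
    print("full sample is missing:", missing_phases(SAMPLE_DEBUG))
    print(redact(SAMPLE_DEBUG))
```

Run it as `python3 scrub_radius_debug.py > output.txt` after pasting a real capture into `SAMPLE_DEBUG`, or import `redact` and `missing_phases` and feed them the capture file. The phase check is deliberately coarse: it only confirms that a request arrived and an answer left, which is exactly the part missing from the output posted here.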



