802.1x, WinXP and LDAP

Gary Algier gaa at ulticom.com
Wed Jan 4 15:44:42 CET 2006


Hello:

I am trying to get an HP Procurve 2650 Ethernet switch to use Freeradius
1.0.5 for 802.1x auth.  The backend is Sun's directory server with all
the necessary SambaNTPassword attributes, etc. to make Samba work.

The client is a WinXP system.  I am using the built-in
supplicant.  I can get it to work with the "Automatically use my
Windows login..." box _unchecked_, but not with it checked.  I would
like to use the checked mode as then the user does not need to
"click here to select a certificate or credentials for
connection to the network".

When the box is not checked, I get to type any value I want for the
user ID and password.  I can then get authenticated and the switch
connects me to the proper VLAN.

When the box is checked, I cannot get authenticated and the switch
puts me on the "guest" VLAN. I should be able to authenticate,
but the ID comes across as something like "MALACHITE\gaa".  The
first part is the netbios hostname and the second is the real ID.

I have set up the hints, users and radiusd.conf files with:
----------------------------------------------------------------------------------------------
hints:
     ...
     DEFAULT NAS-IP-Address == 172.25.16.9, User-Name =~ "^(.*)\\\\(.*)"
             Hint = "8021XUSER",
             Stripped-User-Name = `${2}`
     ...
users:
     ...
     DEFAULT Hint == "8021XUSER"
             Fall-Through = 1
     ...
radiusd.conf:
     ...
             ldap {
                     server = "ldap.ulticom.com"
                     basedn = "dc=ulticom,dc=com"
                     filter = "(&(objectclass=person)(uid=%{Stripped-User-Name:-%{User-Name}}))"
                     do_xlat = yes
                     base_filter = "(objectclass=*)"
                     start_tls = no
                     access_attr = "uid"
                     dictionary_mapping = ${raddbdir}/ldap.attrmap
                     ldap_connections_number = 5
                     timeout = 4
                     timelimit = 3
                     net_timeout = 1
             }
     ...
----------------------------------------------------------------------------------------------

The problem seems to be that the hostname is not always stripped.  If I compare the
output of "radiusd -X" between the two scenarios I see that the "unchecked" configuration
does a lot of ldap lookups like:
----------------------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 172.25.16.9:1025, id=208, length=193
         Framed-MTU = 1480
         NAS-IP-Address = 172.25.16.9
         NAS-Identifier = "hp-50-9"
         User-Name = "gaa"
         Service-Type = Framed-User
         Framed-Protocol = PPP
         NAS-Port = 1
         NAS-Port-Type = Ethernet
         NAS-Port-Id = "1"
         Called-Station-Id = "00-11-85-40-71-ff"
         Calling-Station-Id = "00-14-22-dc-9b-16"
         Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = "50"
         EAP-Message = 0x0201000801676161
         Message-Authenticator = 0x29393306cb95a1c78586d546cf5eb462
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "chap" returns noop for request 0
   modcall[authorize]: module "mschap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gaa
radius_xlat:  '(&(objectclass=person)(uid=gaa))'
radius_xlat:  'dc=ulticom,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.ulticom.com:389, authentication 0
rlm_ldap: bind as / to ldap.ulticom.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=gaa))
rlm_ldap: checking if remote access for gaa is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [U & op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value ABABABABABABABABABABABABABABABAB & op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value CDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCD & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gaa authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "ldap" returns ok for request 0
   rlm_eap: EAP packet type response id 1 length 8
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 0
     users: Matched entry DEFAULT at line 153
     users: Matched entry DEFAULT at line 176
     users: Matched entry DEFAULT at line 188
   modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
   rlm_eap: EAP Identity
   rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
   modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
----------------------------------------------------------------------------------------------
Eventually somebody is happy with this sequence and I am "in".  With the "checked"
configuration all the early lookups work, but the last lookup fails:
----------------------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 172.25.16.9:1025, id=222, length=254
         Framed-MTU = 1480
         NAS-IP-Address = 172.25.16.9
         NAS-Identifier = "hp-50-9"
         User-Name = "MALACHITE\\gaa"
         Service-Type = Framed-User
         Framed-Protocol = PPP
         NAS-Port = 1
         NAS-Port-Type = Ethernet
         NAS-Port-Id = "1"
         Called-Station-Id = "00-11-85-40-71-ff"
         Calling-Station-Id = "00-14-22-dc-9b-16"
         Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = "50"
         State = 0xe5aab6b483e09694dcbd98eb81ac64bf
         EAP-Message = 0x020600291900170301001ef47b2a4c59a72fa63123f178383e6518a535662859ed121d2819831f649f
         Message-Authenticator = 0x9b8b7d5de51ffffde87cfabe52688fbc
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
   hints: Matched DEFAULT at 36
radius_xlat:  'gaa'
   modcall[authorize]: module "preprocess" returns ok for request 5
   modcall[authorize]: module "chap" returns noop for request 5
   modcall[authorize]: module "mschap" returns noop for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for MALACHITE\gaa
radius_xlat:  '(&(objectclass=person)(uid=gaa))'
radius_xlat:  'dc=ulticom,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=gaa))
rlm_ldap: checking if remote access for MALACHITE\gaa is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [U & op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value EFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEF & op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value ABABABABABABABABABABABABABABABAB & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user MALACHITE\gaa authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "ldap" returns ok for request 5
   rlm_eap: EAP packet type response id 6 length 41
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 5
     users: Matched entry DEFAULT at line 153
     users: Matched entry DEFAULT at line 157
     users: Matched entry DEFAULT at line 176
     users: Matched entry DEFAULT at line 188
   modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/peap
   rlm_eap: processing type peap
   rlm_eap_peap: Authenticate
   rlm_eap_tls: processing TLS
   eaptls_verify returned 7
   rlm_eap_tls: Done initial handshake
   eaptls_process returned 7
   rlm_eap_peap: EAPTLS_OK
   rlm_eap_peap: Session established.  Decoding tunneled attributes.
   rlm_eap_peap: Identity - MALACHITE\gaa
   rlm_eap_peap: Tunneled data is valid.
   PEAP: Got tunneled EAP-Message
         EAP-Message = 0x02060012014d414c4143484954455c676161
   PEAP: Got tunneled identity of MALACHITE\gaa
   PEAP: Setting default EAP type for tunneled EAP session.
   PEAP: Setting User-Name to MALACHITE\gaa
   PEAP: Sending tunneled request
         EAP-Message = 0x02060012014d414c4143484954455c676161
         FreeRADIUS-Proxied-To = 127.0.0.1
         User-Name = "MALACHITE\\gaa"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
   modcall[authorize]: module "preprocess" returns ok for request 5
   modcall[authorize]: module "chap" returns noop for request 5
   modcall[authorize]: module "mschap" returns noop for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for MALACHITE\gaa
radius_xlat:  '(&(objectclass=person)(uid=MALACHITE))'
radius_xlat:  'dc=ulticom,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=MALACHITE))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "ldap" returns notfound for request 5
modcall: group authorize returns notfound for request 5
----------------------------------------------------------------------------------------------

So, why don't my regular expressions apply during the group authorize?
How can I fix the group authorize?  Perhaps I don't need it.  Some day
I may use it for controlling VLAN assignment, but for now I would be
happy to just differentiate between "auth" and "not auth".

-- 
Gary Algier, WB2FWZ          gaa at ulticom.com             +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054      Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
     People don't read documentation voluntarily.
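The post's hints entry conditions the DOMAIN\user stripping on NAS-IP-Address == 172.25.16.9, and the debug output for the tunneled request ("Sending tunneled request") lists only EAP-Message, FreeRADIUS-Proxied-To and User-Name. The script below is an added example, not code from the post or from FreeRADIUS: it models that hints entry as a function, applies it to the outer and inner requests as logged (assuming the inner request carries only the three attributes the log prints for it), expands the post's filter fallback `%{Stripped-User-Name:-%{User-Name}}`, and scans constructed excerpts of the `radiusd -X` output to flag any LDAP lookup whose uid was not built from the stripped name. The request dicts, the regexes and `SAMPLE_LOG` are all constructed from the post; the model does not reproduce whatever rlm_ldap itself does to the backslash, which is why the real log reads `uid=MALACHITE` while the model returns the whole unstripped name.

```python
import re

# Constructed from the debug output in the post. The inner tunneled request is
# assumed to carry only the attributes the log prints under "Sending tunneled
# request", so it has no NAS-IP-Address.
OUTER_REQUEST = {
    "NAS-IP-Address": "172.25.16.9",
    "User-Name": "MALACHITE\\gaa",
}
INNER_REQUEST = {
    "FreeRADIUS-Proxied-To": "127.0.0.1",
    "User-Name": "MALACHITE\\gaa",
}

# The hints entry from the post, as data. In the hints file the regex is written
# "^(.*)\\\\(.*)"; after file-level unescaping it is ^(.*)\\(.*) (one literal
# backslash between the two capture groups).
HINT_NAS_IP = "172.25.16.9"
HINT_REGEX = re.compile(r"^(.*)\\(.*)")


def apply_hint(request: dict) -> dict:
    """Hypothetical model of the post's hints entry (not rlm_preprocess itself):
    both the NAS-IP-Address check and the User-Name regex must match before
    Hint and Stripped-User-Name are added to the request."""
    req = dict(request)
    if req.get("NAS-IP-Address") != HINT_NAS_IP:
        return req  # condition fails: nothing is stripped
    m = HINT_REGEX.match(req.get("User-Name", ""))
    if m:
        req["Hint"] = "8021XUSER"
        req["Stripped-User-Name"] = m.group(2)
    return req


def ldap_uid(request: dict) -> str:
    """The value the post's filter resolves to: %{Stripped-User-Name:-%{User-Name}}."""
    return request.get("Stripped-User-Name") or request["User-Name"]


# Log-line patterns for the two lines that matter: the request's User-Name and
# the expanded LDAP filter. Regexes are constructed for this example.
USER_RE = re.compile(r'User-Name = "(.*)"')
FILTER_RE = re.compile(r"radius_xlat:\s+'\(&\(objectclass=person\)\(uid=([^)]*)\)\)'")


def unstripped_lookups(log_lines):
    """Scan radiusd -X output and return (user_name, uid) pairs for every LDAP
    filter whose uid is not the part of the most recent User-Name after its last
    backslash, i.e. lookups where the domain prefix was not stripped first."""
    findings = []
    current_user = None
    for line in log_lines:
        u = USER_RE.search(line)
        if u:
            # The debug dump doubles backslashes inside quoted strings.
            current_user = u.group(1).replace("\\\\", "\\")
            continue
        f = FILTER_RE.search(line)
        if f and current_user is not None:
            expected = current_user.rsplit("\\", 1)[-1]
            if f.group(1) != expected:
                findings.append((current_user, f.group(1)))
    return findings


# Constructed excerpts of the three lookups shown in the post: the unchecked
# case, the outer request of the checked case, and the tunneled inner request.
SAMPLE_LOG = [
    r'         User-Name = "gaa"',
    r"radius_xlat:  '(&(objectclass=person)(uid=gaa))'",
    r'         User-Name = "MALACHITE\\gaa"',
    r"radius_xlat:  '(&(objectclass=person)(uid=gaa))'",
    r'         User-Name = "MALACHITE\\gaa"',
    r"radius_xlat:  '(&(objectclass=person)(uid=MALACHITE))'",
]


if __name__ == "__main__":
    for name, req in (("outer", OUTER_REQUEST), ("inner", INNER_REQUEST)):
        hinted = apply_hint(req)
        print(f"{name}: Stripped-User-Name={hinted.get('Stripped-User-Name')!r} "
              f"-> filter uid={ldap_uid(hinted)!r}")
    for user, uid in unstripped_lookups(SAMPLE_LOG):
        print(f"unstripped lookup: User-Name={user!r} searched uid={uid!r}")
```

Running it shows the outer request getting `Stripped-User-Name=gaa` and the inner request getting none, so its filter falls back to the unstripped User-Name; the log scan reports exactly the third lookup. The same scan can be pointed at a saved `radiusd -X` capture to find every request where the prefix survived into the LDAP search.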