an infamous LDAP-FreeRadius question

Matt Ashfield mda at unb.ca
Tue Jul 11 16:10:12 CEST 2006


Thanks for the links. I've seen a few before and have gone over them again
this morning. I'm not sure where I have misconfigured something. 

When I try to connect via 802.1x from a wireless client my Radius server
debugging looks like below. Obviously the TLS session is not being set up
correctly. I'm wondering about the private_key_password attribute. I just
set it to "whatever" but that needs to correspond to a user on the LDAP
server doesn't it? I'm not sure that's been set up. 

Any helpful ideas/comments are greatly appreciated. Thanks!
Matt
mda at unb.ca

rad_recv: Access-Request packet from host x.x.x.201:6001, id=4, length=117
        User-Name = "mda"
        NAS-IP-Address = x.x.x.201
        Called-Station-Id = "00-02-2d-47-01-c4"
        Calling-Station-Id = "00-0e-35-36-48-f2"
        NAS-Identifier = "AP3WJD"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02040008016d6461
        Message-Authenticator = 0x3453e92189034ccc69804159f1c574e6
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "mda", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 4 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched DEFAULT at 153
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mda
radius_xlat:  '(uid=mda)'
radius_xlat:  'ou=xxx,dc=xxx,dc=xxx'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver2:389, authentication 0
rlm_ldap: setting TLS CACert File to
/etc/openldap/cacerts/20060206_ldap2_xxx_xxx.crt
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 0
modcall: group authorize returns fail for request 0
Finished request 0
Going to the next request




Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
mda at unb.ca 


-----Original Message-----
From: Zoltan Ori [mailto:z.ori at morehead-st.edu] 
Sent: July 11, 2006 10:44 AM
To: mda at unb.ca; FreeRadius users mailing list
Subject: Re: an infamous LDAP-FreeRadius question

On Tuesday 11 July 2006 07:24, Matt Ashfield wrote:
> I have LDAP configured and can do a cleartext radius authentication using
> username/passwords (using radtest). What I'd like to do is take the next
> step and do 802.1x authentication for my windows clients and I suppose
> that's where I was hoping to find some cleancut instructions on this as
> I've seen quite a bit of threads concerning this but as mentioned in my
> initial email, they can be tough to follow.

There is no shortage of information available. There are links to HOW TO on 
www.freeradius.org main page for 802.1x and EAP
http://www.freeradiuos.org/doc/EAPTLS.pdf
http://www.tldp.org/HOWTO/8021X-HOWTO/

Read the docs on rlm_eap which has LDAP info. That can be found in your 
sources as well as on the wiki.

Also, see this document

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

Zoltan Ori
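The debug trace quoted above shows the authorize section running each module in turn until rlm_ldap tries to StartTLS to ldapserver2:389 with Require Cert set to "demand" and fails before any search runs. The following is an added example, not code from this thread or from the FreeRADIUS project: a small Python triage script that parses a `radiusd -X` trace of this shape (the sample embedded below is a trimmed copy of the one in the message), records each module's return code per request, extracts the TLS settings rlm_ldap reported, and points at the first failing step. The function names and the check texts are this example's own assumptions. One fact it relies on: `private_key_password` in the `tls` block of eap.conf is the passphrase protecting the RADIUS server's own private-key file used for EAP-TLS/PEAP, which is unrelated to the LDAP connection that fails here.

```python
"""Triage helper for a FreeRADIUS 1.x debug trace (radiusd -X).

Added example; not code from the thread or from FreeRADIUS. It records
per-module return codes, the rlm_ldap steps and TLS settings, and reports
where the request failed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MODCALL_RE = re.compile(
    r'modcall\[(?P<section>\w+)\]: module "(?P<module>[^"]+)" returns '
    r'(?P<rc>\w+) for request (?P<req>\d+)'
)
LDAP_RE = re.compile(r'^\s*rlm_ldap: (?P<msg>.+)$')
# "setting TLS <name> to <value>"; the value may wrap onto the next line.
TLS_SETTING_RE = re.compile(r'setting TLS (?P<name>.+?) to\s*(?P<value>\S.*)?$')

# Constructed sample: a trimmed copy of the trace quoted in the thread.
SAMPLE_DEBUG = """\
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "suffix" returns noop for request 0
  modcall[authorize]: module "eap" returns updated for request 0
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mda
rlm_ldap: (re)connect to ldapserver2:389, authentication 0
rlm_ldap: setting TLS CACert File to
/etc/openldap/cacerts/20060206_ldap2_xxx_xxx.crt
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
  modcall[authorize]: module "ldap" returns fail for request 0
"""


@dataclass
class Triage:
    module_results: List[Tuple[str, str, str, int]] = field(default_factory=list)
    ldap_steps: List[str] = field(default_factory=list)
    tls_settings: Dict[str, str] = field(default_factory=dict)
    first_failure: Optional[Tuple[str, str, str, int]] = None


def parse_debug(text: str) -> Triage:
    """Walk the trace line by line and collect module results and rlm_ldap steps."""
    t = Triage()
    pending_setting: Optional[str] = None  # TLS setting whose value wrapped to the next line
    for line in text.splitlines():
        if pending_setting is not None and not LDAP_RE.match(line) and not MODCALL_RE.search(line):
            t.tls_settings[pending_setting] = line.strip()
            pending_setting = None
            continue
        pending_setting = None
        m = MODCALL_RE.search(line)
        if m:
            rec = (m['section'], m['module'], m['rc'], int(m['req']))
            t.module_results.append(rec)
            if m['rc'] == 'fail' and t.first_failure is None:
                t.first_failure = rec
            continue
        m = LDAP_RE.match(line)
        if m:
            msg = m['msg']
            t.ldap_steps.append(msg)
            s = TLS_SETTING_RE.search(msg)
            if s:
                if s['value']:
                    t.tls_settings[s['name']] = s['value'].strip()
                else:
                    pending_setting = s['name']
    return t


def failing_ldap_step(t: Triage) -> Optional[str]:
    """First rlm_ldap step that reports an error, e.g. the StartTLS failure."""
    for step in t.ldap_steps:
        if step.startswith('could not') or 'failed' in step:
            return step
    return None


def suggest_checks(t: Triage) -> List[str]:
    """Defender-side checks implied by the trace (hypothetical wording)."""
    notes: List[str] = []
    if any('could not start TLS' in s for s in t.ldap_steps):
        notes.append('StartTLS to the LDAP server failed before any bind or search ran.')
        if t.tls_settings.get('Require Cert') == 'demand':
            notes.append('Require Cert is "demand": the LDAP server certificate must chain to '
                         'the configured CA file and match the name used to connect.')
        if 'CACert File' in t.tls_settings:
            notes.append('Confirm the CA file %s is the issuer of the LDAP server certificate '
                         'and is readable by the radiusd user.' % t.tls_settings['CACert File'])
    return notes


if __name__ == '__main__':
    triage = parse_debug(SAMPLE_DEBUG)
    print('first failing module:', triage.first_failure)
    print('failing rlm_ldap step:', failing_ldap_step(triage))
    for note in suggest_checks(triage):
        print('-', note)
```

Run it against a saved `radiusd -X` capture by replacing `SAMPLE_DEBUG` with the file contents; the point of the parser is that it separates the EAP/TLS side (the `eap` module returned "updated", so the EAP conversation itself was still proceeding) from the LDAP-to-directory TLS side, which is where this trace actually stops.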




