Using mschap authentication without EAP
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Thu Jul 20 20:57:18 CEST 2006
> rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
> User-Name = "misterc"
> CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
> CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
> NAS-IP-Address = 0.0.0.0
> Service-Type = Login-User
> Framed-IP-Address = 192.168.182.2
> Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
> Called-Station-Id = "AA-AA-AA-AA-DD-AA"
> NAS-Identifier = "nas01"
> Acct-Session-Id = "44bfd15d00000000"
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 0
> Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
> WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
>
> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize
> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user authorization
> for misterc
> Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: '(uid=misterc)'
> Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: 'ou=utenti,dc=XXXX,dc=it'
OK, rlm_ldap is initialized.
> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
> Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result ...
> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful
Bind to the directory is OK.
> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in
> ou=utenti,dc=XXXX,dc=it, with filter (uid=misterc)
> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got
> ambiguous search result
> Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed
Ah...
Seems that the user bound to the LDAP directory can't find uid=misterc
in ou=utenti,dc=XXXX,dc=it.
> Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type)
> configuration found for the request: Rejecting the user
So Auth-Type isn't set to Ldap.
> Thu Jul 20 20:54:51 2006 : Debug: auth: Failed to validate the user.
This is logical.
> ldap {
> server="192.168.1.221"
> port="389"
> basedn="ou=utenti,dc=uniroma1,dc=it"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> start_tls = no
> access_attr = "uid"
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> authtype = ldap
> ldap_connections_number = 5
> password_header = "{SHA}"
> password_attribute = userPassword
> }
> }
Well, isn't it a problem of rights? Is the anonymous user able to search the
OpenLDAP directory for user entries?
What is the result of a simple "ldapsearch" with the same LDAP filter?
> If you need any other information please ask us; sorry if we are boring you
> but we are trying and trying without any significant result.
> Thanks.
Have you got ACLs in your OpenLDAP directory configuration files?
Regards,
Thibault
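The ldapsearch check suggested above, written out as a small added script (not part of the original thread or of FreeRADIUS). It assumes the OpenLDAP client tools are installed and takes the server, base DN and filter from the ldap { } block quoted in the reply; the escaping helper and the function names are my own.

```shell
#!/bin/sh
# Added example: reproduce the rlm_ldap lookup by hand to see whether the
# bind identity FreeRADIUS uses can actually see the user entry.
# Assumed values (from the quoted ldap { } block); override via environment.
LDAP_HOST="${LDAP_HOST:-192.168.1.221}"
LDAP_PORT="${LDAP_PORT:-389}"
BASE_DN="${BASE_DN:-ou=utenti,dc=uniroma1,dc=it}"

# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash, '*', '(' and ')' become \5c, \2a, \28 and \29.
# Backslash is handled first so the escapes it introduces are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the same filter rlm_ldap builds from
#   filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
build_filter() {
    printf '(uid=%s)' "$(ldap_filter_escape "$1")"
}

# Anonymous simple bind (-x with no -D), exactly what rlm_ldap does when no
# identity/password are configured.  -LLL gives terse LDIF, -s sub searches
# the whole subtree under the base DN.
ldap_probe_anonymous() {
    ldapsearch -x -LLL -H "ldap://$LDAP_HOST:$LDAP_PORT" \
        -b "$BASE_DN" -s sub "$(build_filter "$1")" dn
}

# Same search, but bound as a named DN (prompts for its password with -W).
# Comparing the two runs shows whether slapd ACLs hide the entry from
# anonymous clients.
ldap_probe_as() {
    ldapsearch -x -LLL -H "ldap://$LDAP_HOST:$LDAP_PORT" -D "$2" -W \
        -b "$BASE_DN" -s sub "$(build_filter "$1")" dn
}

# usage: sh ldap_probe.sh <uid> [bind-dn]
if [ $# -gt 0 ]; then
    if [ $# -gt 1 ]; then
        ldap_probe_as "$1" "$2"
    else
        ldap_probe_anonymous "$1"
    fi
fi
```

Note that ldapsearch exits 0 when the search succeeds but returns no entries: an entry hidden by an ACL looks exactly like "object not found", which is the message rlm_ldap printed in the debug output above. If the anonymous run returns nothing and the run bound as a DN returns the entry, the cause is the directory's access rules, and FreeRADIUS must be given that bind identity in its ldap { } block.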