EAP-MD5 with LDAP

Rohaizam Abu Bakar haizam at myjaring.net
Fri Jun 23 18:56:31 CEST 2006


Hi..

Using FB 6.0
FR 1.0.5

I am trying to configure EAP-MD5 with an LDAP backend...

But it keeps reporting:

rlm_ldap: Attribute "User-Password" is required for authentication.

No EAP is being processed...

Please see the full debug log below.


Below is my config with multiple DEFAULT entries, for wireless services and
normal dialup authentication:



i) users
   =====

   DEFAULT         NAS-Identifier == "Wireless-802.11", Autz-Type := Y5, Auth-Type := Y5
   DEFAULT         Autz-Type := LDAP, Auth-Type := LDAP

ii) eap.conf
    ========
    eap {
        default_eap_type = md5
        md5 {
        }
    }


iii) radiusd.conf
     ============

     $INCLUDE ${confdir}/eap.conf

     authorize {
        eap

        Autz-Type LDAP {
             ldap1
        }
        Autz-Type Y5 {
             ldapy51
        }
     }


     authenticate {

        Auth-Type LDAP {
              ldap1
        }
        Auth-Type Y5 {
              ldapy51
        }
        eap
     }


        ldap ldap1 {
                server = "localhost"
                identity = "cn=root,dc=jaring,dc=my"
                password = xxxxxx
                basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 10
                password_attribute = userPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

     ldap ldapy51 {
                server = "localhost"
                identity = "cn=root,dc=jaring,dc=my"
                password = xxxxxx
                basedn = "ou=Y5,ou=People,dc=jaring,dc=my"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 10
                password_attribute = userPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }



rad_recv: Access-Request packet from host 202.73.10.12:1814, id=133, length=197
        Framed-MTU = 1466
        NAS-IP-Address = 10.220.0.2
        NAS-Identifier = "OCEPOP"
        User-Name = "jaroce"
        Service-Type = Framed-User
        NAS-Port = 129
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "ether9_129"
        Called-Station-Id = "00-11-95-e1-ce-8a"
        Calling-Station-Id = "00-13-46-86-c3-93"
        Connect-Info = "CONNECT Ethernet 2Mbps Full duplex"
        EAP-Message = 0x02020015016a61726f6365406d793031352e636f6d
        Message-Authenticator = 0x6d5b3fff40ff4c920b88d100ed80a209
        Proxy-State = 0x3433
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '/' in User-Name = "jaroce", skipping NULL due to config.
  modcall[authorize]: module "IPASS" returns noop for request 1
    rlm_realm: No '@' in User-Name = "jaroce", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "jaroce"
    rlm_realm: Proxying request from user jaroce to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 68
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 1
modcall: entering group redundant for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jaroce
radius_xlat:  '(uid=jaroce)'
radius_xlat:  'ou=RADIUS,ou=People,dc=jaring,dc=my'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with filter (uid=jaroce)
rlm_ldap: checking if remote access for jaroce is allowed by dialupAccess
rlm_ldap: Added password j4r1ng in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11
rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: user jaroce authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap1" returns ok for request 1
modcall: group redundant returns ok for request 1
modcall: group Autz-Type returns ok for request 1
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap1" returns invalid for request 1
modcall: group redundant returns invalid for request 1
modcall: group Auth-Type returns invalid for request 1
auth: Failed to validate the user.
Login incorrect: [jaroce] (from client OCE_JARING port 129 cli 00-13-46-86-c3-93)
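
Editor's added example (not the poster's configuration and not FreeRADIUS code): a Python sketch of the EAP-MD5 exchange that the Access-Request above is the first step of. The point it makes: EAP-MD5 (RFC 3748 section 5.4) is CHAP-style, the peer returns MD5(Identifier || password || challenge), so the server must hold the cleartext password to check the response. An EAP Access-Request carries no User-Password attribute, so the ldap module's bind-style authenticate ("Attribute User-Password is required") cannot serve it. In the log, the ldap module had already fetched userPassword during authorize ("Added password ... in check items"), which is what the eap module's md5 type needs, but the second users entry sets Auth-Type := LDAP for every NAS that is not "Wireless-802.11" and so overrides the Auth-Type the eap module had set. Note also that debug output prints that fetched password in clear, so such logs should be scrubbed before posting. Names such as run_exchange, the 16-byte challenge and the password strings are assumptions made for this example; the EAP-Message bytes are the ones from the log (they decode to an Identity of jaroce@my015.com, not the bare User-Name jaroce).

```python
"""EAP-MD5 (RFC 3748 section 5.4) challenge/response, worked through on both
sides.  Added example for this thread; not code from FreeRADIUS or the poster.
Assumption: the password the "server" holds is the cleartext userPassword that
the ldap module fetched in authorize.  run_exchange and friends are hypothetical
names chosen for the example."""
import hashlib
import hmac
import os
import struct

# EAP header codes and method types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4

# EAP-Message attribute value copied from the debug log above (RADIUS carries
# the raw EAP packet inside that attribute).
LOG_EAP_MESSAGE = bytes.fromhex("02020015016a61726f6365406d793031352e636f6d")


def parse_eap(packet: bytes) -> dict:
    """Decode one EAP packet: Code | Identifier | Length | Type | Type-Data."""
    if len(packet) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length {length} does not match {len(packet)} bytes")
    msg = {"code": code, "id": ident, "length": length}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        msg["type"] = packet[4]
        data = packet[5:]
        if msg["type"] == EAP_TYPE_IDENTITY:
            msg["identity"] = data.decode("utf-8", errors="replace")
        elif msg["type"] == EAP_TYPE_MD5:
            # MD5-Challenge Type-Data: Value-Size | Value | Name
            if not data or 1 + data[0] > len(data):
                raise ValueError("bad MD5-Challenge Value-Size")
            msg["value"] = data[1:1 + data[0]]
            msg["name"] = data[1 + data[0]:]
    return msg


def build_eap(code: int, ident: int, eap_type: int, type_data: bytes) -> bytes:
    body = bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def md5_response_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value = MD5(Identifier || secret || challenge), exactly as CHAP (RFC 1994)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def server_challenge(ident: int, challenge: bytes) -> bytes:
    """Server -> peer: EAP-Request/MD5-Challenge (carried in an Access-Challenge)."""
    return build_eap(EAP_REQUEST, ident, EAP_TYPE_MD5, bytes([len(challenge)]) + challenge)


def peer_response(request: bytes, password: bytes, name: bytes) -> bytes:
    """Peer -> server: EAP-Response/MD5-Challenge computed from the peer's password."""
    req = parse_eap(request)
    value = md5_response_value(req["id"], password, req["value"])
    return build_eap(EAP_RESPONSE, req["id"], EAP_TYPE_MD5, bytes([len(value)]) + value + name)


def server_verify(response: bytes, ident: int, challenge: bytes, cleartext_password: bytes) -> bool:
    """The server recomputes the Value itself.  That needs the cleartext password
    from the directory; there is no User-Password in the request to bind with."""
    resp = parse_eap(response)
    if resp["code"] != EAP_RESPONSE or resp.get("type") != EAP_TYPE_MD5 or resp["id"] != ident:
        return False
    expected = md5_response_value(ident, cleartext_password, challenge)
    return hmac.compare_digest(resp["value"], expected)


def run_exchange(ldap_password: bytes, peer_password: bytes, ident: int = 3) -> bool:
    """Full round trip after the Identity step (id 2 in the log): the server issues
    id 3.  Returns True iff the peer knew the password the server holds."""
    challenge = os.urandom(16)  # constructed: FreeRADIUS picks its own challenge
    request = server_challenge(ident, challenge)
    response = peer_response(request, peer_password, b"jaroce@my015.com")
    return server_verify(response, ident, challenge, ldap_password)


if __name__ == "__main__":
    print(parse_eap(LOG_EAP_MESSAGE))
    print(run_exchange(b"constructed-secret", b"constructed-secret"))
    print(run_exchange(b"constructed-secret", b"wrong"))
```

Run it as-is to see the Identity response from the log decoded, then one successful and one failed MD5-Challenge round trip. The design choice worth noticing is that server_verify takes the cleartext password as an argument: a directory that stores only hashed userPassword values cannot support EAP-MD5 at all, whatever the RADIUS configuration says.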





More information about the Freeradius-Users mailing list