LDAP check attributes
Antonio Matera
antonio.matera at create-net.it
Thu May 18 10:02:50 CEST 2006
Hi,
Let me describe my error from the log more precisely; I suppose the problem is these
lines:
Invalid operator for item EAP-Type: reverting to '=='
rlm_ldap: Pairs do not match. Rejecting user.
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns reject for request 5
Here is the end of my log file:
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=97,
length=240
User-Name = "vlan3"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=VLAN3"
Service-Type = Login-User
Message-Authenticator = 0xdc1ea9dbac4ed1f33ebb580a3c1c4a73
EAP-Message =
0x020600501900170301002088ea976b1bef6fd3a9bd5599650e83cd848cf424e51a204996c8941600f71b871703010020323a6993eede0a3f70fda756d35c73463b1f49efe677a830e25ab51d09220b6f
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "276"
NAS-Port = 276
State = 0xb0d694dd7c79d212c6f91ec33dceddf1
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "vlan3", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 6 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
modcall[authorize]: module "files" returns notfound for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for vlan3
radius_xlat: '(uid=vlan3)'
radius_xlat: 'dc=create-net,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=vlan3)
rlm_ldap: Added password vlan3 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusCiscoAVPair as Cisco-AVPair, value ssid=VLAN3 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id,
value 3 & op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value
IEEE-802 & op=11
rlm_ldap: user vlan3 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - vlan3
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled identity of vlan3
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to vlan3
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "vlan3", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 6 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
modcall[authorize]: module "files" returns notfound for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for vlan3
radius_xlat: '(uid=vlan3)'
radius_xlat: 'dc=create-net,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=vlan3)
rlm_ldap: Added password vlan3 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusCiscoAVPair as Cisco-AVPair, value ssid=VLAN3 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id,
value 3 & op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value
IEEE-802 & op=11
Invalid operator for item EAP-Type: reverting to '=='
rlm_ldap: Pairs do not match. Rejecting user.
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns reject for request 5
modcall: leaving group authorize (returns reject) for request 5
Invalid user (rlm_ldap: Pairs do not match): [vlan3/<no User-Password
attribute>] (from client cn-radius port 276 cli 000c.f135.f1ba)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 97 to 192.168.20.4 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 = "3"
Tunnel-Medium-Type:0 = IEEE-802
EAP-Message =
0x01070050190017030100207e6749688570ab3f6990aa513c84e1d57d72b0c19700ac8d067ab772d8a483221703010020698cbf6325fc65cc53a2c5f38ded1ceda6937e856568c4d62dfaf798a05261d3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe4aede9badece66c821fb17e67e9d969
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=98,
length=240
User-Name = "vlan3"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=VLAN3"
Service-Type = Login-User
Message-Authenticator = 0x3a85a008df8442db44495e79eec73a91
EAP-Message =
0x0207005019001703010020717b9678780436411ce8d845e6a7afe99d179bcb45bb1b4f5d992ce5694899eb1703010020341bafcfa52a2e0e5c8c9e8decbf4c57ae787f9eb9a2116a8bc00d83ac2ff2b2
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "276"
NAS-Port = 276
State = 0xe4aede9badece66c821fb17e67e9d969
NAS-IP-Address = 192.168.20.4
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "vlan3", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 7 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall[authorize]: module "files" returns notfound for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for vlan3
radius_xlat: '(uid=vlan3)'
radius_xlat: 'dc=create-net,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=vlan3)
rlm_ldap: Added password vlan3 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusCiscoAVPair as Cisco-AVPair, value ssid=VLAN3 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id,
value 3 & op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value
IEEE-802 & op=11
rlm_ldap: user vlan3 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected
earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 6
modcall: leaving group authenticate (returns invalid) for request 6
auth: Failed to validate the user.
Login incorrect: [vlan3/<no User-Password attribute>] (from client
ap-test-ivan port 276 cli 000c.f135.f1ba)
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=98,
length=240
Sending Access-Reject of id 98 to 192.168.20.4 port 1645
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 1 seconds...
What is wrong?
Thanks, bye Antonio
> on 17/05/2006 14.11 Mitchell, Michael J said the following:
>> Hi Antonio,
>>
>>>> ldap: compare_check_items = no
>>
>> You need to set "compare_check_items = yes" in the ldap module
>> configuration? The default is "no".
>>
>> regards,
>> Mike
>>
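As an added illustration (not code from the original post or from FreeRADIUS itself), here is a reduced Python model of the check-item comparison behind the rlm_ldap debug lines above: it parses the "Adding ... as ..., value ... & op=N" lines and applies the operator rules those numbers denote (op 11 is '=', which the server reverts to '=='; op 21 is '==', which requires the attribute to be present in the request with an equal value). The outer request pairs are taken from the log; the contents of the inner PEAP tunnel request are an assumption, since the log does not print them.

```python
import re

# Operator codes as printed in the rlm_ldap "op=N" debug lines
# (FreeRADIUS token numbering: 11 is '=', 21 is '==').
OP_EQ, OP_CMP_EQ = 11, 21
CHECK_RE = re.compile(r"rlm_ldap: Adding \S+ as (\S+), value (.+?) & op=(\d+)")

def parse_check_items(log_lines):
    """Collect the check items rlm_ldap reports between its
    'looking for check items' and 'looking for reply items' lines."""
    items, in_check = [], False
    for line in log_lines:
        if "looking for check items" in line:
            in_check = True
        elif "looking for reply items" in line:
            in_check = False
        elif in_check:
            m = CHECK_RE.search(line)
            if m:
                items.append((m.group(1), m.group(2), int(m.group(3))))
    return items

def pair_compare(check_items, request):
    """Reduced model of the server's check-item comparison: every check item
    must be satisfied by the request or the user is rejected.
    Returns (ok, debug_messages)."""
    msgs = []
    for attr, value, op in check_items:
        if attr not in request:           # '==' on an absent attribute fails
            msgs.append(f"{attr} not in request: Pairs do not match")
            return False, msgs
        if op == OP_EQ:                   # same message the log shows for EAP-Type
            msgs.append(f"Invalid operator for item {attr}: reverting to '=='")
            op = OP_CMP_EQ
        if op == OP_CMP_EQ and request[attr] != value:
            msgs.append(f"{attr}: {request[attr]!r} != {value!r}: Pairs do not match")
            return False, msgs
    return True, msgs

# Constructed excerpt of the debug output above: one check item, one reply item.
LOG = ["rlm_ldap: looking for check items in directory...",
       "rlm_ldap: Adding radiusCiscoAVPair as Cisco-AVPair, value ssid=VLAN3 & op=21",
       "rlm_ldap: looking for reply items in directory...",
       "rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11"]
# The outer request carries the AP's Cisco-AVPair (from the log); the inner
# tunnel request is ASSUMED to carry only the tunneled identity.
OUTER = {"User-Name": "vlan3", "Cisco-AVPair": "ssid=VLAN3"}
INNER = {"User-Name": "vlan3"}

def diagnose():
    """Returns (outer_ok, inner_ok) for the directory's check items."""
    items = parse_check_items(LOG)
    return pair_compare(items, OUTER)[0], pair_compare(items, INNER)[0]
```

Under these assumptions the same check item passes in the outer authorize pass and fails in the tunneled one, which is the pattern the two authorize sections of the log show.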