Cisco AP, FreeRADIUS and Fedora Directory Server

Mustafa Şenay mustubuntu at gmail.com
Sun Oct 15 23:51:44 CEST 2006


Hello,

I'm trying to authenticate Windows users via a combination of a Cisco AP 1100,
FreeRADIUS and Fedora Directory Server (FDS).

I configured FDS and radiusd.conf and other configuration files
according to the ldap_howto found in the FreeRADIUS documentation. I managed
to authorize users but authentication doesn't work. Here is the log of
radiusd -X. I have to make it work urgently. Does anybody have suggestions?

rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:21645,
id=91, length=170
        User-Name = "yilmaz"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dae5.02d0"
        Calling-Station-Id = "00a0.c5fb.a044"
        Service-Type = Login-User
        Message-Authenticator = 0xb5aae70f920a25df14d59908548ecadf
        EAP-Message =
0x020a00261900170301001b242f66ff01fc8cabcc0f2e8203235bec935abdc9dac564949a1b82
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 674
        State = 0x5a4c45339a4de6925fbb158c95df2d80
        NAS-IP-Address = xxx.xxx.xxx.xxx
        NAS-Identifier = "ap"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 17
  modcall[authorize]: module "preprocess" returns ok for request 17
  modcall[authorize]: module "chap" returns noop for request 17
  modcall[authorize]: module "mschap" returns noop for request 17
    rlm_realm: No '@' in User-Name = "yilmaz", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 17
  rlm_eap: EAP packet type response id 10 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 17
    users: Matched entry DEFAULT at line 152
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=Personel,dc=deu,dc=edu,dc=tr'
radius_xlat:  '(uid=yilmaz)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Personel,dc=deu,dc=edu,dc=tr, with
filter (uid=yilmaz)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(&(uid=yilmaz)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Personel,dc=deu,dc=edu,dc=tr, with
filter (&(radiusGroupName=disabled)(&(uid=yilmaz)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=yilmaz,
ou=Personel,dc=deu,dc=edu,dc=tr, with filter (objectclass=*)
rlm_ldap::groupcmp: Group disabled not found ????or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=Personel,dc=deu,dc=edu,dc=tr'
radius_xlat:  '(&(uid=yilmaz)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Personel,dc=deu,dc=edu,dc=tr, with
filter (&(radiusGroupName=kablosuz)(&(uid=yilmaz)(objectclass=radiusprofile)))
rlm_ldap::ldap_groupcmp: User found in group kablosuz
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 222
  modcall[authorize]: module "files" returns ok for request 17
rlm_ldap: - authorize
rlm_ldap: performing user authorization for yilmaz
radius_xlat:  '(uid=yilmaz)'
radius_xlat:  'ou=Personel,dc=deu,dc=edu,dc=tr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Personel,dc=deu,dc=edu,dc=tr, with
filter (uid=yilmaz)
rlm_ldap: performing search in
uid=kablosuz,ou=Radius,ou=Profil,dc=deu,dc=edu,dc=tr, with filter
(objectclass=radiusprofile)
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user yilmaz authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 17
modcall: leaving group authorize (returns updated) for request 17
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 17
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure.  User was rejcted rejected
earlier in this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 17
modcall: leaving group authenticate (returns invalid) for request 17
auth: Failed to validate the user.
Delaying request 17 for 1 seconds
Finished request 17
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:21645,
id=91, length=170
Sending Access-Reject of id 91 to xxx.xxx.xxx.xxx port 21645
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Cleaning up request 9 ID 83 with timestamp 4532acc3
Cleaning up request 10 ID 84 with timestamp 4532acc3
Cleaning up request 11 ID 85 with timestamp 4532acc3
Cleaning up request 12 ID 86 with timestamp 4532acc3
Cleaning up request 13 ID 87 with timestamp 4532acc3
Cleaning up request 14 ID 88 with timestamp 4532acc3
Cleaning up request 15 ID 89 with timestamp 4532acc3
Cleaning up request 16 ID 90 with timestamp 4532acc3
Cleaning up request 17 ID 91 with timestamp 4532acc3
Nothing to do.  Sleeping until we see a request.
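
A triage helper for debug output like the above, added here as an example and not part of the original post or of FreeRADIUS: it collects each module's return code per request and, when PEAP logs "Had sent TLV failure", lists the earlier request numbers from the cleanup walk, since the log itself says the reject happened earlier in the session. The function name `triage` and the set of return codes treated as failures are assumptions of this example.

```python
import re

# Constructed sample: a few lines excerpted from the radiusd -X output above.
SAMPLE = """\
modcall: entering group authorize for request 17
  modcall[authorize]: module "preprocess" returns ok for request 17
  modcall[authorize]: module "eap" returns updated for request 17
  modcall[authorize]: module "ldap" returns ok for request 17
modcall: entering group authenticate for request 17
  rlm_eap_peap:  Had sent TLV failure.  User was rejcted rejected
earlier in this session.
  modcall[authenticate]: module "eap" returns invalid for request 17
Cleaning up request 15 ID 89 with timestamp 4532acc3
Cleaning up request 16 ID 90 with timestamp 4532acc3
Cleaning up request 17 ID 91 with timestamp 4532acc3
"""

MODCALL = re.compile(
    r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
CLEANUP = re.compile(r'Cleaning up request (\d+) ID (\d+)')
# Assumption of this example: module return codes treated as failures.
FAILING = {"reject", "fail", "invalid", "userlock"}

def triage(log_text):
    """Summarise failing module results and point at the requests to read next."""
    results = {}        # request id -> [(section, module, return code)]
    cleaned = []        # request ids listed in the cleanup walk
    deferred = False    # PEAP reports the reject was decided earlier
    for line in log_text.splitlines():
        m = MODCALL.search(line)
        if m:
            section, module, rcode, req = m.groups()
            results.setdefault(int(req), []).append((section, module, rcode))
        c = CLEANUP.search(line)
        if c:
            cleaned.append(int(c.group(1)))
        if "Had sent TLV failure" in line:
            deferred = True
    failures = {}
    for req, rows in results.items():
        bad = [row for row in rows if row[2] in FAILING]
        if bad:
            failures[req] = bad
    # With a deferred PEAP failure, the request that logs "invalid" only closes
    # the session; the earlier requests of the session hold the actual reject.
    earlier = sorted(r for r in cleaned if r not in failures) if deferred else []
    return {"failures": failures, "deferred_reject": deferred,
            "inspect_earlier": earlier}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
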


