802.1x + freeradius authentication problem
Ramon Barquier
Ramon.Barquier at uab.es
Thu Feb 1 17:32:38 CET 2007
Hi all,
We are trying to set up an environment with 802.1x + Freeradius for our
Wireless net. Our goal is to authenticate Windows XP clients using EAP.
Our radius server is bound to an LDAP database. We have tested our users
with a "radius-test" tool and everything seems to work fine, but when
trying to validate in our 802.1x environment, the radius server rejects
the user. In fact, although we get an "authorize returns ok", there seems
to be an additional check that claims the user has no password.
Any ideas? We attach the radiusd log (hope it helps!).
Thanks in advance,
rad_recv: Access-Request packet from host **NAS_IP_ADDRESS** port 1027,
id=2, length=187
Message-Authenticator = 0xc40883257068815f1b14f3b80780eeab
Service-Type = Framed-User
User-Name = "ID_of_USER"
Framed-MTU = 1488
State = 0xb32f32ffc94e41b83d5af8f919ee449e
Called-Station-Id = "00-12-CF-1A-15-80:Eduroam"
Calling-Station-Id = "00-0E-35-FE-1F-6D"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020200060319
NAS-IP-Address = 1.0.1.2
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
radius_xlat:
'/home/radmgr/freeradius/var/log/radius/radacct/158.109.1.15/auth-detail-20070201'
rlm_detail:
/home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/home/radmgr/freeradius/var/log/radius/radacct/NAS_IP_ADDRESS/auth-detail-20070201
radius_xlat: 'Thu Feb 1 17:06:44 2007'
modcall[authorize]: module "auth_log" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "ID_of_USER", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: Ignoring NAK with request for unknown EAP type
modcall[authorize]: module "eap" returns noop for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ID_of_USER
radius_xlat: '(uid=ID_of_USER)'
radius_xlat: 'ou=People,dc=my_org,dc=es'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=my_org,dc=es, with filter
(uid=ID_of_USER)
rlm_ldap: Password header not found in password
{SSHA}HzNGeJ1eXDD/B9ZOG+QdbpeCGUx1Q+UiMSdLZg== for user ID_of_USER
rlm_ldap: Added User-Password =
{SSHA}HzNGeJ1eXDD/B9ZOG+QdbpeCGUx1Q+UiMSdLZg== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding LDAP attribute UserClass as RADIUS attribute Filter-Id
= GRUPS_INTERES#951#Servei d'Informàtica
rlm_ldap: Adding LDAP attribute UserClass as RADIUS attribute Filter-Id
= USUARI_PROVES#951#Servei d'Informàtica
rlm_ldap: user IP_of_USER authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
modcall: group authorize returns ok for request 6
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [ID_of_User/<no User-Password attribute>] (from client
NAS_IP_ADDRESS port 1 cli 00-0E-35-FE-1F-6D)
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 2 to NAS_IP_ADDRESS port 1027
Filter-Id = "GRUPS_INTERES#951#Servei d'Inform\303\240tica"
Cleaning up request 6 ID 2 with timestamp 45c21014
Cleaning up request 5 ID 1 with timestamp 45c21014
Cleaning up request 4 ID 0 with timestamp 45c21014
Nothing to do. Sleeping until we see a request.
--
Ramón Barquier Montalbán
Comunicacions
Servei d'Informàtica
Edifici D
Campus de la UAB
08193 Bellaterra. Barcelona
Tel. +34 935 811 488 Fax: +34 935 812 094
Ramon.Barquier at uab.es
www.uab.es/si
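The following Python script is an added example; it is not part of Ramon's post and not FreeRADIUS code. It decodes the EAP-Message value from the log above (EAP codes and method type numbers as defined in RFC 3748 and the IANA EAP registry), splits the {SSHA} value the ldap module returned into its SHA-1 digest and salt, and models the "auth: type Local" step from the log: a stored salted hash can only be compared with a cleartext User-Password, so a request that carries nothing but an EAP-Message cannot pass that check. The local_auth function, the constructed password and the fixed salt are illustration-only assumptions.

```python
"""Decode the EAP-Message from the radiusd debug log and show why an LDAP
{SSHA} check item can only be verified against a cleartext User-Password."""
import base64
import hashlib
import hmac
import os

# EAP header codes and method types (RFC 3748 / IANA EAP registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}

# Values copied from the debug log in the post above.
LOG_EAP_MESSAGE = "0x020200060319"
LOG_SSHA = "{SSHA}HzNGeJ1eXDD/B9ZOG+QdbpeCGUx1Q+UiMSdLZg=="


def decode_eap_message(hex_value):
    """Parse a RADIUS EAP-Message attribute given as the 0x... hex string that
    radiusd prints.  For a Nak (type 3) the payload lists the EAP method
    types the client is willing to use instead of the one it was offered."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    result = {"code": code, "code_name": EAP_CODES.get(code, "unknown"),
              "identifier": ident, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a type byte
        eap_type = raw[4]
        result["type"] = eap_type
        result["type_name"] = EAP_TYPES.get(eap_type, "unknown")
        if eap_type == 3:                       # Nak: desired method types follow
            wanted = list(raw[5:])
            result["desired_types"] = wanted
            result["desired_type_names"] = [EAP_TYPES.get(t, "unknown") for t in wanted]
    return result


def split_ssha(value):
    """Split an OpenLDAP-style {SSHA} userPassword into (sha1_digest, salt).
    The base64 payload is the 20-byte SHA-1 digest followed by the salt."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(value[len("{SSHA}"):])
    return blob[:20], blob[20:]


def make_ssha(cleartext, salt=None):
    """Build an {SSHA} value; a random 8-byte salt is used unless one is given."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, cleartext):
    """True if cleartext hashes to the stored {SSHA} value.  Only a cleartext
    can be checked this way; an EAP or CHAP exchange never carries it."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def local_auth(request, ssha_check_item):
    """Hypothetical model of the 'auth: type Local' step seen in the log: it
    needs a User-Password (or CHAP-Password) in the request to compare with
    the check item pulled from LDAP.  A pure EAP request has neither."""
    if "User-Password" in request:
        ok = verify_ssha(ssha_check_item, request["User-Password"])
        return ("Access-Accept" if ok else "Access-Reject",
                "password ok" if ok else "password mismatch")
    if "CHAP-Password" in request:
        return "Access-Reject", "CHAP cannot be checked against a salted SHA-1 hash"
    return "Access-Reject", "No User-Password or CHAP-Password attribute in the request"


if __name__ == "__main__":
    print(decode_eap_message(LOG_EAP_MESSAGE))
    digest, salt = split_ssha(LOG_SSHA)
    print(f"log hash: {len(digest)}-byte SHA-1 digest, {len(salt)}-byte salt")
    # Constructed account: only a request carrying the cleartext (PAP) can pass.
    stored = make_ssha("constructed-password", salt=b"saltsalt")
    print(local_auth({"EAP-Message": LOG_EAP_MESSAGE}, stored))
    print(local_auth({"User-Password": "constructed-password"}, stored))
```

Run it as a script to see the decoded Nak (a Response whose payload names the method the client asked for) and the two outcomes of the modelled Local check: reject for the EAP-only request, accept for a PAP request with the constructed cleartext.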