a problem about radius and ldap

Ramazan Ulker ulkerra at gmail.com
Thu Feb 8 13:14:36 CET 2007


In my configuration there is also pap  in my configuration, i forgot to
write in mail. I resend authentication block in radius.conf

authenticate {

Auth-Type PAP {
pap
}
   ldap
   eap
}


On 2/8/07, Ramazan Ulker <ulkerra at gmail.com> wrote:
>
> Hi
> I sent two ldapentry ldapsearch result and debug. In this ldapsearch there
> is clear-text userPassword. anyway i decribe the problem shortly for  your
> help.
> like in howto
> authorize {
>    preprocess
>    files
>    ldap
>    eap
> }
>
> authenticate {
>    ldap
>    eap
> }
>
> ldapsearch result
>
> userpassword=ramazan
> .............
> radiusclass=groupnet
> objectclass=radiusprofile
> objectclass=top
> objectclass=posixAccount
> objectclass=shadowAccount
>
> ...
>
> radtest successful for this configuration but xp client does't.
> ldapattr.map has User-Password to userPassword mapping. deleting the entry
> ldap in authentication block in radius.conf results unsuccessful both for
> radtest and xp client.
>
> For this configuration above debug log
>
>    rad_recv: Access-Request packet from host 192.168.100.17:1812, id=7,
> length=129
> NAS-IP-Address = 192.168.100.17
> NAS-Port = 50001
> NAS-Port-Type = Ethernet
> User-Name = "ramazan"
> Called-Station-Id = "00-0F-8F-77-DB-81"
> Calling-Station-Id = "00-12-79-AE-D2-4D"
> Service-Type = Framed-User
> Framed-MTU = 1500
> EAP-Message = 0x0204000c0172616d617a616e
> Message-Authenticator = 0x61cab38d83f6ed1abbd2ac2c8ce5b0bf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=dot1x.com'
> radius_xlat:  '(uid=ramazan)'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 192.168.100.18:389, authentication 0
> rlm_ldap: bind as / to 192.168.100.18:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
> ldap_release_conn: Release Id: 0
> radius_xlat:
> '(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=
> dot1x.com
> ))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=
> dot1x.com)))'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc= dot1x.com, with filter
> (&(cn=VPN)(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=
> dot1x.com))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=
> dot1x.com))))
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in uid=ramazan,cn=users,cn=idc,dc= dot1x.com,
> with filter (objectclass=*)
> rlm_ldap::ldap_groupcmp: User found in group VPN
> ldap_release_conn: Release Id: 0
>     users: Matched DEFAULT at 174
>   modcall[authorize]: module "files" returns ok for request 0
>   rlm_eap: EAP packet type notification id 4 length 12
>   rlm_eap: EAP Start not found
>   modcall[authorize]: module "eap" returns updated for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for ramazan
> radius_xlat:  '(uid=ramazan)'
> radius_xlat:  'dc=dot1x.com'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
> rlm_ldap: checking if remote access for ramazan is allowed by
> radiusGroupName
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id,
> value 2 & op=11
> rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 &
> op=11
> rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
> rlm_ldap: Adding radiusClass as Class, value employee & op=11
> rlm_ldap: user ramazan authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns updated for request 0
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate for request 0
>   rlm_eap: EAP packet type notification id 4 length 12
>   rlm_eap: EAP Start not found
>   rlm_eap: EAP Identity
>   rlm_eap: processing type md5
> rlm_eap_md5: Issuing Challenge
>   modcall[authenticate]: module "eap" returns ok for request 0
> modcall: group authenticate returns ok for request 0
> Login OK: [ramazan/<no User-Password attribute>] (from client radius port
> 50001 cli 00-12-79-AE-D2-4D)
>
> Sending Access-Challenge of id 7 to 192.168.100.17:1812
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 576
> Service-Type = Framed-User
> Tunnel-Private-Group-Id:0 = "2"
> Tunnel-Medium-Type:0 = 6
> Tunnel-Type:0 = VLAN
> Class = 0x656d706c6f796565
> EAP-Message = 0x0105001604105a4f17068db0feb3ebdee25f9cfe966f
> Message-Authenticator = 0x00000000000000000000000000000000
> State =
> 0x395efcd2fb04e81f34be33bd9cd0cf0831cbc4456746df615bd2474fb42f67add24a0e16
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
>
> rad_recv: Access-Request packet from host 192.168.100.17:1812, id=8,
> length=184
> NAS-IP-Address = 192.168.100.17
> NAS-Port = 50001
> NAS-Port-Type = Ethernet
> User-Name = "ramazan"
> Called-Station-Id = "00-0F-8F-77-DB-81"
> Calling-Station-Id = "00-12-79-AE-D2-4D"
> Service-Type = Framed-User
> Framed-MTU = 1500
> State =
> 0x395efcd2fb04e81f34be33bd9cd0cf0831cbc4456746df615bd2474fb42f67add24a0e16
> EAP-Message = 0x0205001d0410820fd3de9d3280644551107995e35ea872616d617a616e
> Message-Authenticator = 0xaedb1daf912087d870c9a486827f1eef
> modcall: entering group authorize for request 1
>   modcall[authorize]: module "preprocess" returns ok for request 1
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=dot1x.com'
> radius_xlat:  '(uid=ramazan)'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc= dot1x.com, with filter (uid=ramazan)
> ldap_release_conn: Release Id: 0
> radius_xlat:
> '(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=
> dot1x.com))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=
> dot1x.com)))'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=dot1x.com, with filter
> (&(cn=VPN)(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=
> dot1x.com
> ))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=
> dot1x.com))))
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in uid=ramazan,cn=users,cn=idc,dc=dot1x.com,
> with filter (objectclass=*)
> rlm_ldap::ldap_groupcmp: User found in group VPN
> ldap_release_conn: Release Id: 0
>     users: Matched DEFAULT at 174
>   modcall[authorize]: module "files" returns ok for request 1
>   rlm_eap: EAP packet type notification id 5 length 29
>   rlm_eap: EAP Start not found
>   modcall[authorize]: module "eap" returns updated for request 1
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for ramazan
> radius_xlat:  '(uid=ramazan)'
> radius_xlat:  'dc= dot1x.com'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
> rlm_ldap: checking if remote access for ramazan is allowed by
> radiusGroupName
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id,
> value 2 & op=11
> rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 &
> op=11
> rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
> rlm_ldap: Adding radiusClass as Class, value employee & op=11
> rlm_ldap: user ramazan authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 1
> modcall: group authorize returns updated for request 1
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate for request 1
>   rlm_eap: EAP packet type notification id 5 length 29
>   rlm_eap: EAP Start not found
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP_TYPE - md5
>   rlm_eap: processing type md5
> rlm_eap_md5: No password configured for this user  (there is a password in
> ldap in clear-text radtest successful)
>   modcall[authenticate]: module "eap" returns invalid for request 1
> modcall: group authenticate returns invalid for request 1
> auth: Failed to validate the user.
> Login incorrect: [ramazan/<no User-Password attribute>] (from client
> radius port 50001 cli 00-12-79-AE-D2-4D)
> Delaying request 1 for 1 seconds
> Finished request 1
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.100.17:1812 , id=8,
> length=184
> Sending Access-Reject of id 8 to 192.168.100.17:1812
> EAP-Message = 0x04050004
> Message-Authenticator = 0x00000000000000000000000000000000
>
>
>
> On 2/7/07, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> >
> > Ramazan Ulker wrote:
> >
> > > rlm_eap: EAP_TYPE - md5
> > > rlm_eap: processing type md5
> > > rlm_eap_md5: No password configured for this user
> > > modcall[authenticate]: module "eap" returns invalid for request 1
> > > modcall: group authenticate returns invalid for request 1
> > > auth: Failed to validate the user.
> >
> >
> > EAP-MD5 needs the plaintext password.
> >
> >
> > > rad_check_password: Found Auth-Type ldap
> > > auth: type "LDAP"
> > > modcall: entering group authenticate for request 0
> > > rlm_ldap: - authenticate
> > > rlm_ldap: Attribute "User-Password" is required for authentication.
> > > modcall[authenticate]: module "ldap" returns invalid for request 0
> > > modcall: group authenticate returns invalid for request 0
> > > auth: Failed to validate the user.
> >
> > rlm_ldap can only *AUTHENTICATE* PAP requests. Since you've over-ridden
> > Auth-Type (as you've been told not to) you're trying to force an EAP
> > request through it.
> >
> > Don't set Auth-Type
> >
> > If you want to use EAP-MD5, your LDAP directory will need to contain a
> > plaintext password and be configured to pass it to FreeRadius, because
> > EAP-MD5 needs the plaintext password. Do you have that?
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070208/14c90be4/attachment.html>


More information about the Freeradius-Users mailing list