freeradius eap-ttls pap ldap

emmcosta emmcosta at gmail.com
Sat Jun 9 00:05:06 CEST 2007


Hi everyone,

I have a problem with my configuration: authorize is ok but
authentication fails. I use freeradius 1.1.6 and openldap 2.2.13, and
windows xp with securew2 as the client.
My access-point is a Cisco aironet 1100.

My radiusd.conf:

..........
        ldap {
                server = "localhost"
                identity = "cn=root,dc=teste,dc=pt"
                password = secret
                basedn = "dc=teste,dc=pt"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                base_filter = "(objectclass=radiusprofile)"
                start_tls = no
                access_attr = "uid"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = userPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
                 set_auth_type = no
        }
..............
authorize {
        preprocess
        ldap
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type LDAP {
                ldap
        }
        eap
}

My eap.conf:

eap {
                default_eap_type = ttls
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = yes
                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }
                tls {
                        private_key_password = whatever
                        private_key_file = ${raddbdir}/certs/cert-srv.pem

                        #  If Private key & Certificate are located in
                        #  the same file, then private_key_file &
                        #  certificate_file must contain the same file
                        #  name.
                        certificate_file = ${raddbdir}/certs/cert-srv.pem

                        #  Trusted Root CA list
                        CA_file = ${raddbdir}/certs/demoCA/cacert.pem

                        dh_file = ${raddbdir}/certs/dh
                        random_file = ${raddbdir}/certs/random
             }
                ttls {
                        default_eap_type = gtc
                        use_tunneled_reply = yes
                }
}

The log:

............
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user_test
radius_xlat:  '(uid=user_test)'
radius_xlat:  'dc=teste,dc=pt'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=teste,dc=pt, with filter (uid=user_test)
Waking up in 1 seconds...
Threads: total/active/spare threads = 5/1/4
rlm_ldap: checking if remote access for user_test is allowed by uid
rlm_ldap: Added password {CRYPT}HkDWb49nxN4Zo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value {CRYPT}HkDWb49nxN4Zo & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gilberto authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
rlm_pap: No clear-text password in the request.  Not performing PAP.
  modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns ok) for request 2
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [user_test/<no User-Password attribute>] (from client 192.168.1.69 port 371 cli 0040.96a2.24f3)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Thread 3 waiting to be assigned a request
--- Walking the entire request list ---
Waking up in 1 seconds...
Threads: total/active/spare threads = 5/0/5
--- Walking the entire request list ---
Sending Access-Reject of id 121 to 192.168.1.69 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 121 with timestamp 4669d1cd
Nothing to do.  Sleeping until we see a request.


Can anyone help me?

Best regards

-- 
/emmc
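Editor's note with an added example (this is not part of the post above and not the poster's own configuration). The debug log tells the story: the request that is rejected is the outer EAP request from the access point. It carries an EAP-Message and no User-Password, which is why rlm_pap reports "No clear-text password in the request" and the server falls through to "auth: No User-Password or CHAP-Password attribute in the request". That fallback only happens when nothing in authorize sets an Auth-Type, and the authorize section posted above never lists the eap module. In FreeRADIUS 1.x it is the eap module in authorize that recognises EAP-Message and sets Auth-Type = EAP; the `eap` entry in authenticate is never reached without it. The same two sections, assumed to be the only change needed, with eap added before ldap (the order used in the stock 1.x radiusd.conf):

```conf
# Added example: radiusd.conf authorize/authenticate sections for EAP-TTLS with
# a PAP inner method checked against an LDAP {CRYPT} userPassword.
# This is an illustration, not the original poster's file.

authorize {
        preprocess
        # eap must run here: for the outer EAP-TTLS request (and for any
        # EAP inner method such as GTC) it sets Auth-Type = EAP.  The inner
        # PAP request carries no EAP-Message, so eap returns noop for it.
        eap
        # ldap adds the userPassword check item ({CRYPT}... in the log above)
        ldap
        # For the inner PAP request, which does carry a clear-text
        # User-Password, pap converts the {CRYPT} check item into a
        # Crypt-Password and sets Auth-Type = PAP.
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type LDAP {
                ldap
        }
        # Handles the outer TLS tunnel; the decrypted inner request is run
        # through authorize/authenticate again as a separate request.
        eap
}
```

Two caveats for this setup. First, the inner request is the one that reaches PAP, so whether the client's inner method is plain PAP (as the subject line says) or EAP-GTC (the `default_eap_type = gtc` in the ttls block only applies to EAP inside the tunnel) the username and password are still compared by rlm_pap against the {CRYPT} hash; a hashed userPassword rules out MS-CHAPv2 or other challenge-based inner methods, which need the clear-text password on the server. Second, `set_auth_type = no` in the ldap block is correct here: letting rlm_pap pick Auth-Type = PAP from the {CRYPT} check item avoids an LDAP bind per login and keeps the LDAP bind credentials (`identity`/`password`) out of the authentication path entirely.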




More information about the Freeradius-Users mailing list