freeradius, ldap error - HELP ME!

Thibault Le Meur Thibault.LeMeur at supelec.fr
Wed Mar 21 14:55:49 CET 2007


Hi,

Very strange, I didn't get this email?

See my comments below:

> 
> Thibault Le Meur ha scritto:
> >> >> But the output now is:
> >> >>
> >> >> rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, length=54
> >> >>         Service-Type = Framed-User
> >> >>         Framed-Protocol = PPP
> >> >>         User-Name = "peppeska"
> >> >>         NAS-IP-Address = 127.0.0.1
> >> >>         NAS-Port = 0
> >> >>
> >> >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >> >> - ->Where is User-Password attribute?
> >> >> - ------------------------------------------------
> > >
> > > A good question indeed, that one should be asked to your NAS  ;-)
> > >
> > > It's up to the NAS to send User-Password: unless it is set up to do
> > > something else (for instance MSCHAP).
> > >
> > > Have you setup ppp to use mschap (require-mschap-v2 option) ? Are 
> > > you using the radiusclient library ?
> 
>  refuse-pap
>  refuse-chap
>  require-mschap
>  require-mschap-v2
>  require-mppe


Ok, so your NAS doesn't have to send User-Password but an MS-CHAP challenge
instead: that's what I thought.

> > > If yes, could you check that your radiusclient dictionary file 
> > > includes Microsoft attributes:
> > > * check the "dictionary      <path-to-dict-file>" line of
> > > /etc/radiusclient-ng/radiusclient.conf file (or 
> > > /etc/radiusclient/radiusclient.conf file)
> > > * check that the file <path-to-dict-file> contains a reference to 
> > > other dictionary files such as: INCLUDE 
> > > /usr/share/radiusclient-ng/dictionary.merit
> > > INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
> > > * check that you have these 2 extra dictionary files (especially 
> > > the microsoft one) ==> I've attached the two files
> 
> in my radiusclient.conf there is:
> 
> # dictionary of allowed attributes and values
> # just like in the normal RADIUS distributions
> dictionary      /etc/radiusclient/dictionary
> 
> and in the dictionary file:
> $INCLUDE /etc/radiusclient/dictionary.microsoft
> $INCLUDE /etc/radiusclient/dictionary.ascend
> $INCLUDE /etc/radiusclient/dictionary.compat
> $INCLUDE /etc/radiusclient/dictionary.merit
> $INCLUDE /usr/share/freeradius/dictionary

Don't write "$INCLUDE" but "INCLUDE" without the "$": this is the syntax for
radiusclient.


> But... without declaration of Default Auth-Type in the users file:
> 
> rlm_ldap: user peppeska authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [peppeska/<no User-Password attribute>] (from client localhost port 0)
> Delaying request 0 for 1 seconds
> Finished request 0

Sure, because Auth-Type must be set to MS-CHAP (automatically, don't use
Auth-Type:=): this will be the case if FR receives an MS-CHAP challenge.

But this can work only if radiusclient knows the MS-CHAP Radius attributes,
which is not the case for the moment (see above the INCLUDE issue).

Regards,
Thibault
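An added diagnostic that is not part of this thread or of the radiusclient/FreeRADIUS projects: it parses a radiusclient-style dictionary tree, flags `$INCLUDE` lines (FreeRADIUS syntax) that radiusclient will not follow, reports whether the MS-CHAP attributes end up defined, and models in a simplified way how FreeRADIUS's authorize stage picks Auth-Type on its own when the users file sets none (rlm_mschap claims requests carrying MS-CHAP-Challenge plus a response, rlm_chap CHAP, rlm_pap PAP). The sample dictionary files are constructed in a temp directory; the attribute numbers for the Microsoft vendor (311) and MS-CHAP-Response (1), MS-CHAP-Challenge (11) and MS-CHAP2-Response (25) are the standard ones. Function names such as `parse_dictionary` and `auto_auth_type` are this example's own.

```python
import os
import tempfile

# Attributes FreeRADIUS needs to see in the request before rlm_mschap
# claims it (Auth-Type = MS-CHAP). Names as in dictionary.microsoft.
MSCHAP_ATTRS = ("MS-CHAP-Challenge", "MS-CHAP-Response", "MS-CHAP2-Response")


def parse_dictionary(path, attrs=None, problems=None, seen=None):
    """Parse a radiusclient dictionary tree, following INCLUDE lines.

    Returns (attrs, problems): attrs maps attribute name -> (number, type);
    problems lists findings such as '$INCLUDE' lines, which are FreeRADIUS
    syntax and are not understood by radiusclient, and missing files.
    """
    attrs = {} if attrs is None else attrs
    problems = [] if problems is None else problems
    seen = set() if seen is None else seen
    path = os.path.abspath(path)
    if path in seen:                      # guard against include loops
        return attrs, problems
    seen.add(path)
    if not os.path.exists(path):
        problems.append(f"{path}: file not found")
        return attrs, problems
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()   # drop comments and blanks
            if not line:
                continue
            parts = line.split()
            keyword = parts[0].upper()
            if keyword == "$INCLUDE":
                problems.append(f"{path}:{lineno}: '$INCLUDE' is FreeRADIUS "
                                "syntax; radiusclient expects 'INCLUDE'")
            elif keyword == "INCLUDE" and len(parts) >= 2:
                target = parts[1]
                if not os.path.isabs(target):
                    target = os.path.join(os.path.dirname(path), target)
                parse_dictionary(target, attrs, problems, seen)
            elif keyword == "ATTRIBUTE" and len(parts) >= 4:
                attrs[parts[1]] = (int(parts[2]), parts[3])
            # VENDOR / VALUE lines are not needed for this check
    return attrs, problems


def missing_mschap_attributes(attrs):
    """Names from MSCHAP_ATTRS that the parsed dictionary does not define."""
    return [name for name in MSCHAP_ATTRS if name not in attrs]


def auto_auth_type(request_attr_names):
    """Simplified model of Auth-Type auto-selection in FreeRADIUS authorize
    when the users file sets no 'Auth-Type :='. A request with none of the
    credential attributes gets no Auth-Type and is rejected, which is the
    'No authenticate method (Auth-Type) configuration found' log line."""
    names = set(request_attr_names)
    if "MS-CHAP-Challenge" in names and names & {"MS-CHAP-Response", "MS-CHAP2-Response"}:
        return "MS-CHAP"
    if "CHAP-Password" in names:
        return "CHAP"
    if "User-Password" in names:
        return "PAP"
    return None


def build_sample_tree(include_keyword):
    """Write a constructed two-file dictionary tree into a temp dir and return
    the top-level 'dictionary' path. include_keyword is 'INCLUDE'
    (radiusclient syntax) or '$INCLUDE' (FreeRADIUS syntax, the thread's bug)."""
    root = tempfile.mkdtemp(prefix="rc-dict-")
    with open(os.path.join(root, "dictionary.microsoft"), "w", encoding="utf-8") as fh:
        fh.write("VENDOR\tMicrosoft\t311\n"
                 "ATTRIBUTE\tMS-CHAP-Response\t1\tstring\tMicrosoft\n"
                 "ATTRIBUTE\tMS-CHAP-Challenge\t11\tstring\tMicrosoft\n"
                 "ATTRIBUTE\tMS-CHAP2-Response\t25\tstring\tMicrosoft\n")
    top = os.path.join(root, "dictionary")
    with open(top, "w", encoding="utf-8") as fh:
        fh.write("# dictionary of allowed attributes and values\n"
                 "ATTRIBUTE\tUser-Name\t1\tstring\n"
                 "ATTRIBUTE\tUser-Password\t2\tstring\n"
                 f"{include_keyword} dictionary.microsoft\n")
    return top


def diagnose(dictionary_path):
    """Run both dictionary checks and return a summary dict."""
    attrs, problems = parse_dictionary(dictionary_path)
    return {"problems": problems, "missing_mschap": missing_mschap_attributes(attrs)}


if __name__ == "__main__":
    for kw in ("$INCLUDE", "INCLUDE"):
        print(kw, diagnose(build_sample_tree(kw)))
    # The Access-Request quoted in the thread carries no credential attribute
    print(auto_auth_type(["Service-Type", "Framed-Protocol", "User-Name",
                          "NAS-IP-Address", "NAS-Port"]))
```

Point `diagnose()` at the real `/etc/radiusclient/dictionary` to see whether the Microsoft attributes are reachable; if `missing_mschap` is non-empty, the NAS cannot encode MS-CHAP-Challenge in the request, and `auto_auth_type()` shows why FreeRADIUS then has nothing to authenticate with.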