Some users can't login after upgrade!

Dean, Barry B.Dean at liverpool.ac.uk
Thu Nov 8 17:01:08 CET 2007


The configuration I had was FreeRADIUS 1.1.4 running on NetBSD_3.0 (STABLE) authenticating to Novell eDirectory using LDAP.

All was fine...

I upgraded to FreeRADIUS 1.1.7 and all seemed OK, until two of my users found they can no longer log in to the Cisco VPN3000 which uses this RADIUS. The log files simply show:

Tue Nov  6 15:06:40 2007 : Auth: Login incorrect: [<user>] (from client vpn3000 port 13712 cli X.X.X.X)

We also use RADIUS with EZProxy. I used a spare EZProxy test box and asked the user to log in using that; it failed with the 1.1.7 RADIUS. I changed it to use a spare 1.1.4 server and they could log in!

User names are alphabetic only and less than 8 characters, passwords are alpha-numeric only and 8 characters.

I am reasonably new to RADIUS and cannot figure out why these two users are being singled out!

I thought at first it might be because we have "edir_account_policy_check=yes" and that given the ChangeLog for 1.1.7 says "Added more eDirectory support.", and the two users possibly have extra attributes as they are sysadmins, that something was being checked that was not with 1.1.4 and that was preventing login.

However, later in radiusd.conf, in the post-auth section, the LDAP server entries are commented out, and it says:

        #  Un-comment the following if you have set
        #  'edir_account_policy_check = yes' in the ldap module sub-section of
        #  the 'modules' section.

So does this mean this feature is not in operation?

Has anyone any ideas where I should start looking?

Thanks.

---------------
Barry Dean
Networks Team
University of Liverpool





