PEAP and TTLS simultaneously?

Tim Tyler tyler at beloit.edu
Tue Jun 10 16:47:59 CEST 2008


   Freeradius experts,
   I am running Freeradius 1.1.3 on a Centos 5 system.  My desire is 
to support PEAP mschapv2 clients against our ldap server's LM and NT 
passwords.  We also want to support some other clients with a TTLS - 
PAP against the posix passwords in our same ldap server.  I can get 
each configuration solution to work independently, but I can't get 
them to work when I try to combine them into one configuration.
1. Is it possible to support both PEAP-mschapv2 and TTLS-PAP using 
the same ldap server with each user having both password hashes supported?
2. If so, can someone suggest how I would combine the two 
configurations properly?
3. Would this be easier to accomplish if we were  using a 2.x version 
of Freeradius?  My only problem is that Centos and Redhat seem to 
take forever in supporting the most recent open source applications 
so I would have to find another RPM update source.
   I have included both configurations that work independently and 
the output of a TTLS -PAP attempt that fails when both configurations 
are combined into one configuration.

Here is my  general TTLS config:
#TTLS-pap method
modules {
  ldap ldap_2x {
                 server = {cut out}
                 identity =
                 password =
                 basedn =
                 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = yes
                 tls_cacertfile          = /etc/openldap/cacerts/cacert.cer
                 dictionary_mapping = ${raddbdir}/ldap.attrmap
                 ldap_connections_number = 5
                 timeout = 4
                 timelimit = 3
                 net_timeout = 1
         }


authorize {
         preprocess
         chap
         mschap
         suffix
         eap
         staff
         ldap_2x

}

authenticate {
         Auth-Type PAP {
                 pap
         }
         Auth-Type CHAP {
                 chap
         }
         Auth-Type MS-CHAP {
                 mschap
         }

         unix
         Auth-Type ldap_2x {
                 ldap_2x
         }

         eap
}


Here is my PEAP config:
#PEAP mschapv2 method
ldap ldap_1x{
                 server =  {cut out}
                 identity =
                 password =
                 basedn =
                 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                 start_tls = yes
                 tls_cacertfile  = /etc/openldap/cacerts/cacert.cer
                 dictionary_mapping = ${raddbdir}/ldap.attrmap
                 ldap_connections_number = 5
                 authtype = ldap
                 timeout = 4
                 timelimit = 3
                 net_timeout = 1


         }


authorize {
         preprocess
         chap
         mschap
         suffix
         ldap_1x
         eap
         files
}


authenticate {
         Auth-Type PAP {
                 pap
         }

         Auth-Type MS-CHAP {
                 mschap
         }

         eap
}


Here is the output of a command line TTLS attempt from the server:
# /usr/sbin/radiusd -X -y
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
  main: prefix = "/usr"
  main: localstatedir = "/var"
  main: logdir = "/var/log/radius"
  main: libdir = "/usr/lib"
  main: radacctdir = "/var/log/radius/radacct"
  main: hostname_lookups = no
  main: snmp = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = "/var/log/radius/radius.log"
  main: log_auth = no
  main: log_auth_badpass = no
  main: log_auth_goodpass = no
  main: pidfile = "/var/run/radiusd/radiusd.pid"
  main: user = "radiusd"
  main: group = "radiusd"
  main: usercollide = no
  main: lower_user = "no"
  main: lower_pass = "no"
  main: nospace_user = "no"
  main: nospace_pass = "no"
  main: checkrad = "/usr/sbin/checkrad"
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  proxy: post_proxy_authorize = no
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
  exec: wait = yes
  exec: program = "(null)"
  exec: input_pairs = "request"
  exec: output_pairs = "(null)"
  exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
  pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded MS-CHAP
  mschap: use_mppe = yes
  mschap: require_encryption = no
  mschap: require_strong = no
  mschap: with_ntdomain_hack = no
  mschap: passwd = "(null)"
  mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
  ldap: server = "testldap.beloit.edu"
  ldap: port = 389
  ldap: net_timeout = 1
  ldap: timeout = 4
  ldap: timelimit = 3
  ldap: identity = "cn=Manager,dc=beloit,dc=edu"
  ldap: tls_mode = no
  ldap: start_tls = yes
  ldap: tls_cacertfile = "/etc/openldap/cacerts/cacert.cer"
  ldap: tls_cacertdir = "(null)"
  ldap: tls_certfile = "(null)"
  ldap: tls_keyfile = "(null)"
  ldap: tls_randfile = "(null)"
  ldap: tls_require_cert = "allow"
  ldap: password = "tac2tmaw"
  ldap: basedn = "dc=beloit,dc=edu"
  ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
  ldap: base_filter = "(objectclass=radiusprofile)"
  ldap: default_profile = "(null)"
  ldap: profile_attribute = "(null)"
  ldap: password_header = "(null)"
  ldap: password_attribute = "(null)"
  ldap: access_attr = "(null)"
  ldap: groupname_attribute = "cn"
  ldap: groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
  ldap: groupmembership_attribute = "(null)"
  ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
  ldap: ldap_debug = 0
  ldap: ldap_connections_number = 5
  ldap: compare_check_items = yes
  ldap: access_attr_used_for_allow = yes
  ldap: do_xlat = yes
  ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap_2x-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap_2x-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap_2x
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS 
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x85d71f8
Module: Instantiated ldap (ldap_2x)
Module: Loaded eap
  eap: default_eap_type = "peap"
  eap: timer_expire = 60
  eap: ignore_unknown_eap_types = no
  eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type leap
  gtc: challenge = "Password: "
  gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
  tls: rsa_key_exchange = no
  tls: dh_key_exchange = yes
  tls: rsa_key_length = 512
  tls: dh_key_length = 512
  tls: verify_depth = 0
  tls: CA_path = "(null)"
  tls: pem_file_type = yes
  tls: private_key_file = "/etc/raddb/certs/server_keycert.pem"
  tls: certificate_file = "/etc/raddb/certs/server_keycert.pem"
  tls: CA_file = "/etc/raddb/certs/cacert.pem"
  tls: private_key_password = "2okacaip"
  tls: dh_file = "/etc/raddb/certs/dh"
  tls: random_file = "/etc/raddb/certs/random"
  tls: fragment_size = 1024
  tls: include_length = yes
  tls: check_crl = no
  tls: check_cert_cn = "(null)"
  tls: cipher_list = "(null)"
  tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
  ttls: default_eap_type = "md5"
  ttls: copy_request_to_tunnel = yes
  ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
  peap: default_eap_type = "mschapv2"
  peap: copy_request_to_tunnel = no
  peap: use_tunneled_reply = no
  peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
  mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
  preprocess: huntgroups = "/etc/raddb/huntgroups"
  preprocess: hints = "/etc/raddb/hints"
  preprocess: with_ascend_hack = no
  preprocess: ascend_channels_per_line = 23
  preprocess: with_ntdomain_hack = no
  preprocess: with_specialix_jetstream_hack = no
  preprocess: with_cisco_vsa_hack = no
  preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded realm
  realm: format = "suffix"
  realm: delimiter = "@"
  realm: ignore_default = no
  realm: ignore_null = no
Module: Instantiated realm (suffix)
  ldap: server = "testldap.beloit.edu"
  ldap: port = 389
  ldap: net_timeout = 1
  ldap: timeout = 4
  ldap: timelimit = 3
  ldap: identity = "cn=Manager,dc=beloit,dc=edu"
  ldap: tls_mode = no
  ldap: start_tls = yes
  ldap: tls_cacertfile = "/etc/openldap/cacerts/cacert.cer"
  ldap: tls_cacertdir = "(null)"
  ldap: tls_certfile = "(null)"
  ldap: tls_keyfile = "(null)"
  ldap: tls_randfile = "(null)"
  ldap: tls_require_cert = "allow"
  ldap: password = "tac2tmaw"
  ldap: basedn = "dc=beloit,dc=edu"
  ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
  ldap: base_filter = "(objectclass=radiusprofile)"
  ldap: default_profile = "(null)"
  ldap: profile_attribute = "(null)"
  ldap: password_header = "(null)"
  ldap: password_attribute = "(null)"
  ldap: access_attr = "(null)"
  ldap: groupname_attribute = "cn"
  ldap: groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
  ldap: groupmembership_attribute = "(null)"
  ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
  ldap: ldap_debug = 0
  ldap: ldap_connections_number = 5
  ldap: compare_check_items = no
  ldap: access_attr_used_for_allow = yes
  ldap: do_xlat = yes
  ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap_1x-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap_1x-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap_1x
rlm_ldap: Over-riding set_auth_type, as we're not listed in the 
"authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS 
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x85ea9a8
Module: Instantiated ldap (ldap_1x)
Module: Loaded files
  files: usersfile = "/etc/raddb/users"
  files: acctusersfile = "/etc/raddb/acct_users"
  files: preproxy_usersfile = "/etc/raddb/preproxy_users"
  files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
  acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
  detail: detailfile = 
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
  detail: detailperm = 384
  detail: dirperm = 493
  detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
  unix: cache = no
  unix: passwd = "(null)"
  unix: shadow = "/etc/shadow"
  unix: group = "(null)"
  unix: radwtmp = "/var/log/radius/radwtmp"
  unix: usegroup = no
  unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
  radutmp: filename = "/var/log/radius/radutmp"
  radutmp: username = "%{User-Name}"
  radutmp: case_sensitive = yes
  radutmp: check_with_nas = yes
  radutmp: perm = 384
  radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 144.89.40.88:33050, id=31, length=57
         User-Name = "tyler"
         User-Password = "chair"
         NAS-IP-Address = 255.255.255.255
         NAS-Port = 1812
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "chap" returns noop for request 0
   modcall[authorize]: module "mschap" returns noop for request 0
     rlm_realm: No '@' in User-Name = "tyler", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tyler
radius_xlat:  '(uid=tyler)'
radius_xlat:  'dc=beloit,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to testldap.beloit.edu:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/cacert.cer
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: starting TLS
rlm_ldap: bind as cn=Manager,dc=beloit,dc=edu/tac2tmaw to 
testldap.beloit.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=beloit,dc=edu, with filter (uid=tyler)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value 
[U          ] & op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value 
E02C0DC6138F12F76F424596E04E10E2 & op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value 
0A5283563091373BAAD3B435B51404EE & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tyler authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "ldap_1x" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tyler
radius_xlat:  '(uid=tyler)'
radius_xlat:  'dc=beloit,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to testldap.beloit.edu:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/cacert.cer
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: starting TLS
rlm_ldap: bind as cn=Manager,dc=beloit,dc=edu/tac2tmaw to 
testldap.beloit.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=beloit,dc=edu, with filter (uid=tyler)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value 
[U          ] & op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value 
E02C0DC6138F12F76F424596E04E10E2 & op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value 
0A5283563091373BAAD3B435B51404EE & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Pairs do not match. Rejecting user.
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "ldap_2x" returns reject for request 0
modcall: leaving group authorize (returns reject) for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 31 to 144.89.40.88 port 33050
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 31 with timestamp 484e906c
Nothing to do.  Sleeping until we see a request.


Tim Tyler
Network Engineer - Beloit College
tyler at beloit.edu 




More information about the Freeradius-Users mailing list