802.1x, EAP and LDAP

Mike Richardson doctor at mcc.ac.uk
Mon Mar 3 15:34:43 CET 2008


Hi,

My first post: I'm trying to do 802.1x between Xsupplicant (through a Cisco
switch) to Freeradius 1.1.7 using Novell eDirectory LDAP.

I can successfully authenticate as a local user in the 'users' file but the
LDAP side is eluding me.

This is my first experience with 802.1x/EAP etc so I'm still learning.

It looks to me like the inner authentication doesn't know which Auth Type to
use but I don't know how to tell it. Everything I've says that you don't
explicitly state the Auth Type so I don't really know what to do next.

Here are the output from freeradius -X, radiusd.conf and eap.conf. Any help
would be appreciated. 

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/imported_clients.cfg
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap) 
Module: Loaded eap 
 eap: default_eap_type = "ttls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/freeradius/cert-srv.pem"
 tls: certificate_file = "/etc/freeradius/cert-srv.pem"
 tls: CA_file = "/etc/freeradius/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/dev/null"
 tls: random_file = "/dev/urandom"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
WARNING: rlm_eap_tls: Unable to set DH parameters.  DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = no
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
Module: Loaded LDAP 
 ldap: server = "UK-AC-MAN-MTEST"
 ldap: port = 636
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=radiusadmin,ou=dir,o=ac,c=uk"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "/tmp/oak-test-publickeycert.pem"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "demand"
 ldap: password = "radius30"
 ldap: basedn = "c=uk"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "nspmdistributionpassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: edir_account_policy_check = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name uni_ldap
rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x801214b0
Module: Instantiated ldap (uni_ldap) 
Module: Loaded files 
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded radutmp 
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=235, length=133
	User-Name = "anonymous"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-1B-2A-98-B4-19"
	Calling-Station-Id = "00-0B-DB-8D-4B-12"
	EAP-Message = 0x0202000e01616e6f6e796d6f7573
	Message-Authenticator = 0xb2fdb52ddd49a39af4a793920f226161
	NAS-Port-Type = Ethernet
	NAS-Port = 50025
	NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to UK-AC-MAN-MTEST:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /tmp/oak-test-publickeycert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=radiusadmin,ou=dir,o=ac,c=uk/radius30 to UK-AC-MAN-MTEST:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 0
  rlm_eap: EAP packet type response id 2 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 235 to 10.150.200.1 port 1645
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x010300061520
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc0832a46dddb20ebc04b5f4e8bb744cb
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=236, length=231
	User-Name = "anonymous"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-1B-2A-98-B4-19"
	Calling-Station-Id = "00-0B-DB-8D-4B-12"
	EAP-Message = 0x0203005e150016030100530100004f030147cc09506ffa93d49f47cfd7472481ab9f7226fa61fc2059bf2d95e106a83c6c00002800390038003500160013000a00330032002f000700050004001500120009001400110008000600030100
	Message-Authenticator = 0xedae998ce19f622f20b4d24a38835afc
	NAS-Port-Type = Ethernet
	NAS-Port = 50025
	State = 0xc0832a46dddb20ebc04b5f4e8bb744cb
	NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 1
  rlm_eap: EAP packet type response id 3 length 94
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 1
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization 
    TLS_accept: before/accept initialization 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0053], ClientHello  
    TLS_accept: SSLv3 read client hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
    TLS_accept: SSLv3 write server hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0678], Certificate  
    TLS_accept: SSLv3 write certificate A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
    TLS_accept: SSLv3 write server done A 
    TLS_accept: SSLv3 flush data 
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 236 to 10.150.200.1 port 1645
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x0104040a15c0000006d5160301004a02000046030147cc0b4c08c3e02e725aba579fbea1d707f44d1e29bd3eabe9d02d2e8bd0380820b10abb24401c99fb32ca2842619c9225c1aab278c7cf8e2f3d043f870d6e495700350016030106780b0006740006710002d4308202d030820239a003020102020102300d06092a864886f70d010105050030818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573311f301d0609
	EAP-Message = 0x2a864886f70d0109011610646f63746f72406d63632e61632e756b301e170d3037313030393132333033375a170d3039313030383132333033375a3081b3310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573312330210603550403131a617574686b2e6974732e6d616e636865737465722e61632e756b311f301d06092a864886f70d0109011610646f63746f72406d63632e61632e756b30819f300d06092a864886f7
	EAP-Message = 0x0d010101050003818d0030818902818100d5258fbe611cf7570cb24a9cd31d8004cba7df05cdf398fdb534ecb6daf6ffa6c625109c28a5abdf7683d550ae63c947469a4f534667c1e7e9900ce2571bbc9863c89c02f09094040a7316068d2654e13941efdd6b416b990a6000d3ff2df46f10032ebc9f425768e81426df5c42adc1b7400f48155398b10257000f803e11630203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181005337fab657d2a50deb2ff3e9bb30eea51460f2f2f0e503becf43dd9999157573cf79058e6a64db78d133a3127388b8b832ed391df2d76d0946969c
	EAP-Message = 0x15a95ec6b646d277600da84a495c2ed1ab6868dc929fdb6ddabe82ee2cb9f8271061a7751be8eaa9af337e47f8113005622ca49b046f0caa54c406f510cc847d5096c816e000039730820393308202fca0030201020209009f72c65766f4a47d300d06092a864886f70d010105050030818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573311f301d06092a864886f70d0109011610646f63746f72406d63632e6163
	EAP-Message = 0x2e756b301e170d3037313030393132323234395a170d
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd4ebc02ff3c0e978da7391662d94acba
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=237, length=143
	User-Name = "anonymous"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-1B-2A-98-B4-19"
	Calling-Station-Id = "00-0B-DB-8D-4B-12"
	EAP-Message = 0x020400061500
	Message-Authenticator = 0xb2297c6c1d2f44a2c0383f0eb0a979a2
	NAS-Port-Type = Ethernet
	NAS-Port = 50025
	State = 0xd4ebc02ff3c0e978da7391662d94acba
	NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 2
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 2
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1 
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 237 to 10.150.200.1 port 1645
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x010502df1580000006d53039313030383132323234395a30818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573311f301d06092a864886f70d0109011610646f63746f72406d63632e61632e756b30819f300d06092a864886f70d010101050003818d0030818902818100e2ea754f630847ce8e3632f5a82c3a2cafa32e1c50cdf502765994d69cbf94bc0a7272630c8628bc742e161efa24ec817c5d23fa038ffc01
	EAP-Message = 0x5e1e462e0c80d87d71d6b8d0ea7d29d5548dc865a3db029f41e81dc11d65f88e8abba59f69398ce9c917d0ee220c75482846b769dd79b49733ab86e584cd86a2531c1c4f1dd729dd0203010001a381f63081f3301d0603551d0e04160414a8c429b59d09f0217be4ab2b402dfcc3d9e181e63081c30603551d230481bb3081b88014a8c429b59d09f0217be4ab2b402dfcc3d9e181e6a18194a4819130818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355
	EAP-Message = 0x040b130b4954205365727669636573311f301d06092a864886f70d0109011610646f63746f72406d63632e61632e756b8209009f72c65766f4a47d300c0603551d13040530030101ff300d06092a864886f70d010105050003818100008623e013bbe32deff3a86b4feed8192477afd740213d6b5f8d3dda0248c3a7a434763ad837b62160e3582f36f6f15ca649c96a8fed4fc4fed8c44e6afab88b37e0797007b54653d90807c41e8c24937212fcfe8a4ca5ad1af34bd70f2fad8e88d2e36d55f173435eb8f65fe0d506c5bfb764e0a4f32f964bac9a3c0994a15716030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xdcf5b1027af5a8d41d900d1b97ee15ba
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=238, length=341
	User-Name = "anonymous"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-1B-2A-98-B4-19"
	Calling-Station-Id = "00-0B-DB-8D-4B-12"
	EAP-Message = 0x020500cc15001603010086100000820080cda7f11fecdd0b16c60e8b1a016b57df2dcdd50a8dd08a9527318d7040b968f1178e57bf9aba455f6c9cee87555eab4f440cd348812da9ba957bc86a662197a0e8fd0657825d02fc70bcec4c9c939cef43d2e0de32d4395c84e04cb464e184c4eae1bec6fd93ed5b9a9b91e73c391d36a9759b9255aaf0ff8e46e7dfb7b9267014030100010116030100309359828a9fdbc456a4bad192e204bcaaecd4cf283a8f9523e0f2dff4efe7cda10445b5e9a113ec25b7f8f5a60e639e4d
	Message-Authenticator = 0xbd3d53b67e7c3a09dcb25edf8bda1626
	NAS-Port-Type = Ethernet
	NAS-Port = 50025
	State = 0xdcf5b1027af5a8d41d900d1b97ee15ba
	NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 3
  rlm_eap: EAP packet type response id 5 length 204
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 3
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
    TLS_accept: SSLv3 read client key exchange A 
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]  
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished  
    TLS_accept: SSLv3 read finished A 
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]  
    TLS_accept: SSLv3 write change cipher spec A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished  
    TLS_accept: SSLv3 write finished A 
    TLS_accept: SSLv3 flush data 
    (other): SSL negotiation finished successfully 
SSL Connection Established 
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 238 to 10.150.200.1 port 1645
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x0106004515800000003b1403010001011603010030fa6e3ed9aba9a9143704b2966519c8790e3daa798cb5635a178667b5f202608c34253a7619429fc1359257458d08ffaa
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2cdab0db7a1a4dbef203ff7f2aa6e371
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=239, length=249
	User-Name = "anonymous"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-1B-2A-98-B4-19"
	Calling-Station-Id = "00-0B-DB-8D-4B-12"
	EAP-Message = 0x0206007015001703010020e79b2ceee38e5efd7c85a8dc5a8dd328e8bd99e4673e79dc93e24c57d15a63a91703010040d3ec1e7faa959b6845f772a41d909bfb5230f4060b2437e4605a8187cf3d9f5b63588e76802caad0d34d338162adfacf583dfffc999f39cdff2bcf335a75eeae
	Message-Authenticator = 0xc86b007da48b72277e6325f27cfd4453
	NAS-Port-Type = Ethernet
	NAS-Port = 50025
	State = 0x2cdab0db7a1a4dbef203ff7f2aa6e371
	NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 4
  rlm_eap: EAP packet type response id 6 length 112
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 4
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7 
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
	User-Name = "raduser1"
	User-Password = "raduser10"
	FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
	User-Name = "raduser1"
	User-Password = "raduser10"
	FreeRADIUS-Proxied-To = 127.0.0.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "raduser1", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for raduser1
radius_xlat:  '(uid=raduser1)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=raduser1)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user raduser1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns ok for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 4
  modcall[authorize]: module "files" returns notfound for request 4
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns ok) for request 4
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
  Found Post-Auth-Type 
  Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 4
  modcall[post-auth]: module "uni_ldap" returns noop for request 4
modcall: leaving group REJECT (returns noop) for request 4
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 4
modcall: leaving group authenticate (returns invalid) for request 4
auth: Failed to validate the user.
  Found Post-Auth-Type 
  Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 4
  modcall[post-auth]: module "uni_ldap" returns noop for request 4
modcall: leaving group REJECT (returns noop) for request 4
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=239, length=249
Sending Access-Reject of id 239 to 10.150.200.1 port 1645
	EAP-Message = 0x04060004
	Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 235 with timestamp 47cc0b4c
Cleaning up request 1 ID 236 with timestamp 47cc0b4c
Cleaning up request 2 ID 237 with timestamp 47cc0b4c
Cleaning up request 3 ID 238 with timestamp 47cc0b4c
Cleaning up request 4 ID 239 with timestamp 47cc0b4c
Nothing to do.  Sleeping until we see a request.




prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = freerad
group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions	= yes
extended_expressions	= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
$INCLUDE /etc/freeradius/imported_clients.cfg
snmp	= no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}
modules {
	pap {
		auto_header = yes
	}
	chap {
		authtype = CHAP
	}
	pam {
		pam_auth = radiusd
	}
	unix {
		cache = no
		cache_reload = 600
		shadow = /etc/shadow
		radwtmp = ${logdir}/radwtmp
	}
$INCLUDE ${confdir}/eap.conf
	mschap {
		authtype=MS-CHAP
		use_mppe = yes
		require_encryption = yes
		require_strong = yes
		with_ntdomain_hack = yes
		authtype=MS-CHAP
	}
	ldap uni_ldap {
		server = "UK-AC-MAN-MTEST"
		identity = "cn=radiusadmin,ou=dir,o=ac,c=uk"
		password = xxxxxxxx
		port = 636
		basedn = "c=uk"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		start_tls = no
		tls_cacertfile	= /tmp/oak-test-publickeycert.pem
		tls_require_cert	= "demand"
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		ldap_connections_number = 5
		password_attribute = nspmdistributionpassword
		edir_account_policy_check=yes
		timeout = 4
		timelimit = 3
		net_timeout = 1
		set_auth_type = yes
	}
	realm IPASS {
		format = prefix
		delimiter = "/"
		ignore_default = no
		ignore_null = no
	}
	realm suffix {
		format = suffix
		delimiter = "@"
		ignore_default = no
		ignore_null = no
	}
	realm realmpercent {
		format = suffix
		delimiter = "%"
		ignore_default = no
		ignore_null = no
	}
	realm ntdomain {
		format = prefix
		delimiter = "\\"
		ignore_default = no
		ignore_null = no
	}	
	checkval {
		item-name = Calling-Station-Id
		check-name = Calling-Station-Id
		data-type = string
	}
	
	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}
	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		preproxy_usersfile = ${confdir}/preproxy_users
		compat = no
	}
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
	}
	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}
	$INCLUDE  ${confdir}/sql.conf
	
	radutmp {
		filename = ${logdir}/radutmp
		username = %{User-Name}
		case_sensitive = yes
		check_with_nas = yes		
		perm = 0600
		callerid = "yes"
	}
	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}
	attr_filter {
		attrsfile = ${confdir}/attrs
	}
	counter daily {
		filename = ${raddbdir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}
	sqlcounter dailycounter {
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		reply-name = Session-Timeout
		sqlmod-inst = sql
		key = User-Name
		reset = daily
		query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
	}
	sqlcounter monthlycounter {
		counter-name = Monthly-Session-Time
		check-name = Max-Monthly-Session
		reply-name = Session-Timeout
		sqlmod-inst = sql
		key = User-Name
		reset = monthly
		query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
	}
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}
	expr {
	}
	digest {
	}
	exec {
		wait = yes
		input_pairs = request
	}
	exec echo {
		wait = yes
		program = "/bin/echo %{User-Name}"
		input_pairs = request
		output_pairs = reply
	}
	ippool main_pool {
		range-start = 192.168.1.1
		range-stop = 192.168.3.254
		netmask = 255.255.255.0
		cache-size = 800
		session-db = ${raddbdir}/db.ippool
		ip-index = ${raddbdir}/db.ipindex
		override = no
		maximum-timeout = 0
	}
}
instantiate {
	exec
	expr
}
authorize {
	preprocess
	
	chap
	mschap
	suffix
        uni_ldap ## added out of sequence
	eap
	files
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}
preacct {
	preprocess
	acct_unique
	suffix
	files
}
accounting {
	detail
	unix
	radutmp
}
session {
	radutmp
}
post-auth {
	uni_ldap
	Post-Auth-Type REJECT {
		uni_ldap
	}
}
pre-proxy {
}
post-proxy {
	eap
}




	eap {
		default_eap_type = ttls
		timer_expire     = 60
		ignore_unknown_eap_types = no
		cisco_accounting_username_bug = no
		md5 {
		}
		leap {
		}
		gtc {
			auth_type = PAP
		}
		tls {
			private_key_password = whatever
			private_key_file = ${raddbdir}/cert-srv.pem
			certificate_file = ${raddbdir}/cert-srv.pem
			CA_file = ${raddbdir}/root.pem
			dh_file = /dev/null
			random_file = /dev/urandom
			fragment_size = 1024
			include_length = yes
		}
		ttls {
			default_eap_type = md5
			copy_request_to_tunnel = no
			use_tunneled_reply = no
		}
		peap {
			default_eap_type = mschapv2
			proxy_tunneled_request_as_eap = no
		}
		mschapv2 {
		}
	}



Thanks,

Mike

-- 
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*



More information about the Freeradius-Users mailing list