802.1x, EAP and LDAP
Mike Richardson
doctor at mcc.ac.uk
Mon Mar 3 16:10:23 CET 2008
On Mon, Mar 03, 2008 at 03:38:32PM +0100, Stefan Winter wrote:
> Hi,
>
> The debug log says when starting up:
>
> > rlm_ldap: Over-riding set_auth_type, as we're not listed in the
> > "authenticate" section.
>
> My first suggestion would be: check if the mentions of ldap are commented out
> in the authenticate { } section - they are by default. Change that, and see
> how far you get. Chances are that that was all and it works :-)

If it were only that easy... I've messed with that before. AFAICT that only
applies if you are doing plain text authentication. I'm using TTLS and PAP
because the password is going to be stored in an encrypted format in LDAP.
Here's the output after uncommenting as suggested:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/imported_clients.cfg
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/freeradius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/freeradius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/freeradius/freeradius.pid"
main: user = "freerad"
main: group = "freerad"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
ldap: server = "UK-AC-MAN-MTEST"
ldap: port = 636
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=radiusadmin,ou=dir,o=ac,c=uk"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "/tmp/oak-test-publickeycert.pem"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "demand"
ldap: password = "radius30"
ldap: basedn = "c=uk"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "nspmdistributionpassword"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: edir_account_policy_check = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name uni_ldap
rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x801107c8
Module: Instantiated ldap (uni_ldap)
Module: Loaded eap
eap: default_eap_type = "ttls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/freeradius/cert-srv.pem"
tls: certificate_file = "/etc/freeradius/cert-srv.pem"
tls: CA_file = "/etc/freeradius/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/dev/null"
tls: random_file = "/dev/urandom"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "md5"
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = no
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/freeradius/huntgroups"
preprocess: hints = "/etc/freeradius/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/freeradius/users"
files: acctusersfile = "/etc/freeradius/acct_users"
files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = "/var/log/freeradius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=241, length=133
User-Name = "anonymous"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-2A-98-B4-19"
Calling-Station-Id = "00-0B-DB-8D-4B-12"
EAP-Message = 0x0203000e01616e6f6e796d6f7573
Message-Authenticator = 0xb44d549e4b1f2ec56153e1ad631e668a
NAS-Port-Type = Ethernet
NAS-Port = 50025
NAS-IP-Address = 10.150.200.1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat: '(uid=anonymous)'
radius_xlat: 'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to UK-AC-MAN-MTEST:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /tmp/oak-test-publickeycert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=radiusadmin,ou=dir,o=ac,c=uk/radius30 to UK-AC-MAN-MTEST:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "uni_ldap" returns notfound for request 0
rlm_eap: EAP packet type response id 3 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 181
modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 241 to 10.150.200.1 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010400061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2c5156fe980e6942aecc6875b027751d
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=242, length=231
User-Name = "anonymous"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-2A-98-B4-19"
Calling-Station-Id = "00-0B-DB-8D-4B-12"
EAP-Message = 0x0204005e150016030100530100004f030147cc12bf0667b64837c1b30867fd26160a518e0f7647a58389823726b1a842bf00002800390038003500160013000a00330032002f000700050004001500120009001400110008000600030100
Message-Authenticator = 0x66f506782efe3471fbab984a878a73a9
NAS-Port-Type = Ethernet
NAS-Port = 50025
State = 0x2c5156fe980e6942aecc6875b027751d
NAS-IP-Address = 10.150.200.1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat: '(uid=anonymous)'
radius_xlat: 'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "uni_ldap" returns notfound for request 1
rlm_eap: EAP packet type response id 4 length 94
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 181
modcall[authorize]: module "files" returns ok for request 1
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0053], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0678], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 242 to 10.150.200.1 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x0105040a15c0000006d5160301004a02000046030147cc14c009f727ef2402d4fad6bcecfe3bcd72689bb7c85e85603c9adca1eb8e203e5fdb6b5bad50e80a6f92a03b1cebbb44f735274641b1791df6ac5291f85c7700350016030106780b0006740006710002d4308202d030820239a003020102020102300d06092a864886f70d010105050030818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573311f301d0609
EAP-Message = 0x2a864886f70d0109011610646f63746f72406d63632e61632e756b301e170d3037313030393132333033375a170d3039313030383132333033375a3081b3310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573312330210603550403131a617574686b2e6974732e6d616e636865737465722e61632e756b311f301d06092a864886f70d0109011610646f63746f72406d63632e61632e756b30819f300d06092a864886f7
EAP-Message = 0x0d010101050003818d0030818902818100d5258fbe611cf7570cb24a9cd31d8004cba7df05cdf398fdb534ecb6daf6ffa6c625109c28a5abdf7683d550ae63c947469a4f534667c1e7e9900ce2571bbc9863c89c02f09094040a7316068d2654e13941efdd6b416b990a6000d3ff2df46f10032ebc9f425768e81426df5c42adc1b7400f48155398b10257000f803e11630203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181005337fab657d2a50deb2ff3e9bb30eea51460f2f2f0e503becf43dd9999157573cf79058e6a64db78d133a3127388b8b832ed391df2d76d0946969c
EAP-Message = 0x15a95ec6b646d277600da84a495c2ed1ab6868dc929fdb6ddabe82ee2cb9f8271061a7751be8eaa9af337e47f8113005622ca49b046f0caa54c406f510cc847d5096c816e000039730820393308202fca0030201020209009f72c65766f4a47d300d06092a864886f70d010105050030818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573311f301d06092a864886f70d0109011610646f63746f72406d63632e6163
EAP-Message = 0x2e756b301e170d3037313030393132323234395a170d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x01d6512cad1d4926f0ce9a9cd0fb33d1
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=243, length=143
User-Name = "anonymous"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-2A-98-B4-19"
Calling-Station-Id = "00-0B-DB-8D-4B-12"
EAP-Message = 0x020500061500
Message-Authenticator = 0xb9d6884149d80dacf0157781f949d221
NAS-Port-Type = Ethernet
NAS-Port = 50025
State = 0x01d6512cad1d4926f0ce9a9cd0fb33d1
NAS-IP-Address = 10.150.200.1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat: '(uid=anonymous)'
radius_xlat: 'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "uni_ldap" returns notfound for request 2
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry DEFAULT at line 181
modcall[authorize]: module "files" returns ok for request 2
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 243 to 10.150.200.1 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010602df1580000006d53039313030383132323234395a30818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573311f301d06092a864886f70d0109011610646f63746f72406d63632e61632e756b30819f300d06092a864886f70d010101050003818d0030818902818100e2ea754f630847ce8e3632f5a82c3a2cafa32e1c50cdf502765994d69cbf94bc0a7272630c8628bc742e161efa24ec817c5d23fa038ffc01
EAP-Message = 0x5e1e462e0c80d87d71d6b8d0ea7d29d5548dc865a3db029f41e81dc11d65f88e8abba59f69398ce9c917d0ee220c75482846b769dd79b49733ab86e584cd86a2531c1c4f1dd729dd0203010001a381f63081f3301d0603551d0e04160414a8c429b59d09f0217be4ab2b402dfcc3d9e181e63081c30603551d230481bb3081b88014a8c429b59d09f0217be4ab2b402dfcc3d9e181e6a18194a4819130818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355
EAP-Message = 0x040b130b4954205365727669636573311f301d06092a864886f70d0109011610646f63746f72406d63632e61632e756b8209009f72c65766f4a47d300c0603551d13040530030101ff300d06092a864886f70d010105050003818100008623e013bbe32deff3a86b4feed8192477afd740213d6b5f8d3dda0248c3a7a434763ad837b62160e3582f36f6f15ca649c96a8fed4fc4fed8c44e6afab88b37e0797007b54653d90807c41e8c24937212fcfe8a4ca5ad1af34bd70f2fad8e88d2e36d55f173435eb8f65fe0d506c5bfb764e0a4f32f964bac9a3c0994a15716030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd4ee02e4ff3fa99b8bc946c7211385e3
Finished request 2
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=244, length=341
User-Name = "anonymous"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-2A-98-B4-19"
Calling-Station-Id = "00-0B-DB-8D-4B-12"
EAP-Message = 0x020600cc150016030100861000008200808e6cf1f486f61d36b48487ab5f61e2621a5e54c917618cc7de667e52dbc561586a3577906c36d3b6a226493352d6b6a3ceef5dbadb45b538d5c788b5382198a084282dd728d8eb38a1b7105cf64b47446c1acada00e97c8f54fa5e8d8d0761b31fe3a70bb081027836af4c0bd974be49b1dbcdfc42313378f7504d326d0a250e140301000101160301003055a53627a635e1aed424140b7b5b4cb80fb875ed32b7d6e4f68b477ae9d14cadf9b8b7a63a0b69b0b1a31d9638158655
Message-Authenticator = 0x6b3dad9949169d28a06737200c13c05b
NAS-Port-Type = Ethernet
NAS-Port = 50025
State = 0xd4ee02e4ff3fa99b8bc946c7211385e3
NAS-IP-Address = 10.150.200.1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat: '(uid=anonymous)'
radius_xlat: 'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "uni_ldap" returns notfound for request 3
rlm_eap: EAP packet type response id 6 length 204
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched entry DEFAULT at line 181
modcall[authorize]: module "files" returns ok for request 3
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 244 to 10.150.200.1 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x0107004515800000003b1403010001011603010030cc89d2cbbe5170e95c98d16842a31800f8b6968a1813f4bd499d9f6d9a224b5d6ad4f5737fb4a96a3949d5b7952a97a0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb1a6b438e7b877038a7d4bb7173ac013
Finished request 3
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=245, length=249
User-Name = "anonymous"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-2A-98-B4-19"
Calling-Station-Id = "00-0B-DB-8D-4B-12"
EAP-Message = 0x0207007015001703010020a819c8c977c11469db6af3b963fedee329e678ed839896b16acd6e52f69ca7eb17030100406788ca181350f08ccf5665d9c416f22ce7bebd06e4b9903f06a521b93cb78c61d1ccb21b49c5de7945dc89962aa8fa04639ffc88b90bbc94d7cd2fe278ad7c9c
Message-Authenticator = 0x22a487248763bfd3825d8ac959b18b50
NAS-Port-Type = Ethernet
NAS-Port = 50025
State = 0xb1a6b438e7b877038a7d4bb7173ac013
NAS-IP-Address = 10.150.200.1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat: '(uid=anonymous)'
radius_xlat: 'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "uni_ldap" returns notfound for request 4
rlm_eap: EAP packet type response id 7 length 112
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry DEFAULT at line 181
modcall[authorize]: module "files" returns ok for request 4
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Got tunneled request
User-Name = "raduser1"
User-Password = "raduser10"
FreeRADIUS-Proxied-To = 127.0.0.1
TTLS: Sending tunneled request
User-Name = "raduser1"
User-Password = "raduser10"
FreeRADIUS-Proxied-To = 127.0.0.1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "raduser1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for raduser1
radius_xlat: '(uid=raduser1)'
radius_xlat: 'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=raduser1)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user raduser1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "uni_ldap" returns ok for request 4
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 4
modcall[authorize]: module "files" returns notfound for request 4
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns ok) for request 4
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Found Post-Auth-Type
Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 4
modcall[post-auth]: module "uni_ldap" returns noop for request 4
modcall: leaving group REJECT (returns noop) for request 4
TTLS: Got tunneled reply RADIUS code 3
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 4
modcall: leaving group authenticate (returns invalid) for request 4
auth: Failed to validate the user.
Found Post-Auth-Type
Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 4
modcall[post-auth]: module "uni_ldap" returns noop for request 4
modcall: leaving group REJECT (returns noop) for request 4
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 241 with timestamp 47cc14bf
Sending Access-Reject of id 245 to 10.150.200.1 port 1645
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 242 with timestamp 47cc14c0
Cleaning up request 2 ID 243 with timestamp 47cc14c0
Cleaning up request 3 ID 244 with timestamp 47cc14c0
Cleaning up request 4 ID 245 with timestamp 47cc14c0
Nothing to do. Sleeping until we see a request.
--
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*
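
The rejection in the debug output above can be located mechanically. The following is an added example, not part of the original post and not FreeRADIUS code: it walks each authorize pass in `radiusd -X` style output and reports any pass that was rejected because no Auth-Type was set. The function names are hypothetical and SAMPLE_LOG is a constructed excerpt trimmed from the log in the post.

```python
import re

# Constructed excerpt, trimmed from the debug output in the post:
# the outer (anonymous) pass, then the tunneled inner pass for raduser1.
SAMPLE_LOG = """\
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
rlm_ldap: performing user authorization for anonymous
rlm_ldap: object not found or got ambiguous search result
modcall[authorize]: module "uni_ldap" returns notfound for request 4
modcall[authorize]: module "eap" returns updated for request 4
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Sending tunneled request
User-Name = "raduser1"
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
rlm_ldap: performing user authorization for raduser1
rlm_ldap: user raduser1 authorized to use remote access
modcall[authorize]: module "uni_ldap" returns ok for request 4
modcall[authorize]: module "eap" returns noop for request 4
modcall[authorize]: module "files" returns notfound for request 4
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns ok) for request 4
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
"""

ENTER = re.compile(r'^modcall: entering group authorize for request (\d+)')
MODULE = re.compile(r'^modcall\[authorize\]: module "([^"]+)" returns (\w+) for request \d+')
LDAP_USER = re.compile(r'^rlm_ldap: performing user authorization for (\S+)')
FOUND_TYPE = re.compile(r'^rad_check_password:\s+Found Auth-Type (\S+)')
NO_TYPE = 'auth: No authenticate method (Auth-Type) configuration found'
NO_PASSWORD = 'rlm_pap: WARNING! No "known good" password found'
TUNNEL = 'TTLS: Sending tunneled request'


def parse_authorize_passes(log_text):
    """Split debug output into authorize passes and record what each one decided."""
    passes = []
    current = None
    next_is_tunneled = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(TUNNEL):
            # The next authorize pass belongs to the inner (tunneled) request.
            next_is_tunneled = True
            continue
        m = ENTER.match(line)
        if m:
            current = {
                "request": int(m.group(1)),
                "tunneled": next_is_tunneled,
                "user": None,
                "modules": {},            # module name -> return code
                "known_good_password": True,
                "auth_type": None,
                "rejected_no_auth_type": False,
            }
            passes.append(current)
            next_is_tunneled = False
            continue
        if current is None:
            continue
        if (m := MODULE.match(line)):
            current["modules"][m.group(1)] = m.group(2)
        elif (m := LDAP_USER.match(line)):
            current["user"] = m.group(1)
        elif (m := FOUND_TYPE.match(line)):
            current["auth_type"] = m.group(1)
        elif line.startswith(NO_PASSWORD):
            current["known_good_password"] = False
        elif line.startswith(NO_TYPE):
            current["rejected_no_auth_type"] = True
    return passes


def find_missing_auth_type(passes):
    """Return one finding per pass that was rejected for lack of an Auth-Type."""
    findings = []
    for p in passes:
        if not p["rejected_no_auth_type"]:
            continue
        findings.append({
            "request": p["request"],
            "user": p["user"],
            "tunneled": p["tunneled"],
            # Modules that matched the user during authorize.
            "modules_ok": [n for n, r in p["modules"].items() if r in ("ok", "updated")],
            "known_good_password": p["known_good_password"],
        })
    return findings


if __name__ == "__main__":
    for f in find_missing_auth_type(parse_authorize_passes(SAMPLE_LOG)):
        where = "inner tunnel" if f["tunneled"] else "outer"
        print(f"request {f['request']} ({where}), user {f['user']}: no Auth-Type; "
              f"authorize ok from {f['modules_ok']}; "
              f"known-good password present: {f['known_good_password']}")
```

On the excerpt it reports the inner-tunnel pass for raduser1: the LDAP module returned ok, but pap saw no known-good password and nothing set an Auth-Type.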