freeradius 2.1.6 ldap + mschapv2 to authenticate
jpablorp
juanpablo.ramirez at foxconn.com
Tue Jun 23 17:36:23 CEST 2009
Hi everyone.
I've been trying to set up FreeRADIUS 2.1.6 with LDAP and MSCHAPv2 to
authenticate.
When I send a test from my console, this works fine.
client:
$ radtest user pass 10.14.56.26 0 secret.
server in debug mode:
Ready to process requests.
rad_recv: Access-Request packet from host 172.24.104.12 port 39285, id=52,
length=69
User-Name = "user"
User-Password = "pass"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
[ldap] performing user authorization for user
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] expand:
(&(SamAccountName=%{Stripped-User-Name:-%{User-Name})(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
->
(&(SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
[ldap] expand: OU=Groups,DC=it,DC=test,DC=com ->
OU=Groups,DC=it,DC=test,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.14.56.100:389, authentication 0
rlm_ldap: bind as admin at it.test.com/adminpass to 10.14.56.100:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Groups,DC=it,DC=test,DC=com, with filter
(&(SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] Setting Auth-Type = ldap
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = ldap
+- entering group authenticate {...}
[ldap] login attempt by "user" with password "pass"
[ldap] user DN: CN=user,OU=General Group,OU=Users,DC=it,DC=test,DC=com
rlm_ldap: (re)connect to 10.14.56.100:389, authentication 1
rlm_ldap: bind as CN=user,OU=General Group,OU=Users,DC=it,DC=test,DC=com/pass to 10.14.56.100:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user user authenticated succesfully
++[ldap] returns ok
Login OK: [user/pass] (from client redprivada1 port 0)
Sending Access-Accept of id 52 to 172.24.104.12 port 39285
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 52 with timestamp +10
But when I try to connect:
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=174,
length=189
User-Name = "user"
Calling-Station-Id = "00-24-2C-83-AA-92"
Called-Station-Id = "00-21-A1-9E-F9-30:redprivada1"
NAS-Port = 1
NAS-IP-Address = 10.14.56.33
NAS-Identifier = "acces-ponit-wlc"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020e0016016a75616e7061626c6f5f72616d6972657a
Message-Authenticator = 0x76c7af8be679e0867bb2c06d1146d7e6
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
[ldap] performing user authorization for user
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] expand:
(&(SamAccountName=%{Stripped-User-Name:-%{User-Name})(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
->
(&(SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
[ldap] expand: OU=Groups,DC=it,DC=test,DC=com ->
OU=Groups,DC=it,DC=test,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Groups,DC=it,DC=test,DC=com, with filter
(&(SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_ldap
Module: Instantiating ldap
ldap {
server = "10.14.56.100"
port = 389
password = "H4b4cuc69"
identity = "juanpablo_ramirez at na.foxconn.com"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
basedn = "OU=GDL1,OU=Sites,OU=PCEBG-Sites,DC=na,DC=foxconn,DC=com"
filter = "(&(SamAccountName=%{Stripped-User-Name:-%{User-Name})(memberOf=CN=Wireless,OU=Groups,OU=GDL1,OU=Sites,OU=PCEBG-Sites,DC=na,DC=foxconn,DC=com))"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = no
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x8188780
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/freeradius/freeradius.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/freeradius/freeradius.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=177,
length=189
User-Name = "juanpablo_ramirez"
Calling-Station-Id = "00-24-2C-83-AA-92"
Called-Station-Id = "00-21-A1-9E-F9-30:foxconnGDL"
NAS-Port = 1
NAS-IP-Address = 10.14.56.33
NAS-Identifier = "foxconn-gdl-wlc"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02110016016a75616e7061626c6f5f72616d6972657a
Message-Authenticator = 0x5fdfd0ad23a6627e34d4b79a1e5c87c7
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "juanpablo_ramirez", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
[ldap] performing user authorization for juanpablo_ramirez
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] expand:
(&(SamAccountName=%{Stripped-User-Name:-%{User-Name})(memberOf=CN=Wireless,OU=Groups,OU=GDL1,OU=Sites,OU=PCEBG-Sites,DC=na,DC=foxconn,DC=com))
->
(&(SamAccountName=juanpablo_ramirez)(memberOf=CN=Wireless,OU=Groups,OU=GDL1,OU=Sites,OU=PCEBG-Sites,DC=na,DC=foxconn,DC=com))
[ldap] expand: OU=GDL1,OU=Sites,OU=PCEBG-Sites,DC=na,DC=foxconn,DC=com ->
OU=GDL1,OU=Sites,OU=PCEBG-Sites,DC=na,DC=foxconn,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.14.56.100:389, authentication 0
rlm_ldap: bind as juanpablo_ramirez at na.foxconn.com/H4b4cuc69 to 10.14.56.100:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=GDL1,OU=Sites,OU=PCEBG-Sites,DC=na,DC=foxconn,DC=com, with filter
(&(SamAccountName=juanpablo_ramirez)(memberOf=CN=Wireless,OU=Groups,OU=GDL1,OU=Sites,OU=PCEBG-Sites,DC=na,DC=foxconn,DC=com))
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user juanpablo_ramirez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> juanpablo_ramirez
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 177 to 10.14.56.33 port 32768
Waking up in 4.9 seconds.
Cleaning up request 0 ID 177 with timestamp +103
Ready to process requests.
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> user
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 177 to 10.14.56.33 port 32768
Waking up in 4.9 seconds.
Cleaning up request 0 ID 177 with timestamp +103
Ready to process requests.
I don't know what I'm missing.
Here is my radiusd.conf:
modules {
$INCLUDE ${confdir}/eap.conf
ldap {
server = "10.14.56.100"
basedn = "OU=Groups,DC=it,DC=test,DC=com"
identity = "admin at it.test.com"
password = adminpass
filter =
"(&(SamAccountName=%{Stripped-User-Name:-%{User-Name})(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
}
$INCLUDE ${(confdir)}/modules/
}
authorize {
preprocess
suffix
eap
files
ldap
}
authenticate {
ldap
unix
mschap
eap
}
I didn't make changes in the users file. It's the original file.
Please help me.
--
View this message in context: http://www.nabble.com/freeradius-2.1.6-ldap-%2B-mschapv2-to-authenticate-tp24167333p24167333.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
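Added here as a worked check, not code from the original post: the wireless request above carries an EAP-Message, yet its authorize trace shows no [eap] module line before the "No authenticate method (Auth-Type)" reject. This Python decodes that EAP-Message (an EAP Response/Identity) and scans debug lines constructed from the post for whether rlm_eap ran in authorize, since that is the module that sets Auth-Type = EAP for such requests.

```python
import re
# Constructed from the debug output in the post: the EAP-Message attribute of
# the wireless request and the module trace of its authorize section.
EAP_MESSAGE_HEX = "0x020e0016016a75616e7061626c6f5f72616d6972657a"
SAMPLE_DEBUG = """\
        EAP-Message = 0x020e0016016a75616e7061626c6f5f72616d6972657a
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
++[suffix] returns noop
++[files] returns noop
++[ldap] returns ok
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
""".splitlines()
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def parse_eap_message(hex_attr):
    """Decode one EAP-Message attribute (hex as printed by radiusd -X) into its header fields."""
    raw = bytes.fromhex(hex_attr[2:] if hex_attr.startswith("0x") else hex_attr)
    if len(raw) < 4 or int.from_bytes(raw[2:4], "big") != len(raw):
        raise ValueError("EAP header missing or length field disagrees with data")
    pkt = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1], "length": len(raw)}
    if raw[0] in (1, 2) and len(raw) >= 5:  # only Request/Response carry a type byte
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:]  # for Identity this is the bare user name
    return pkt

def authorize_modules(debug_lines):
    """Names of the modules that ran inside 'entering group authorize', in order."""
    mods, in_authorize = [], False
    for line in (l.strip() for l in debug_lines):
        if line.startswith("+- entering group "):
            in_authorize = line.startswith("+- entering group authorize")
            continue
        m = re.match(r"\+\+\[(\S+)\] returns", line)
        if in_authorize and m:
            mods.append(m.group(1))
    return mods

def diagnose(debug_lines):
    """Why an EAP request got 'No authenticate method': rlm_eap, which sets Auth-Type = EAP, never ran."""
    lines = [l.strip() for l in debug_lines]
    eap = [l.split("=", 1)[1].strip() for l in lines if l.startswith("EAP-Message")]
    mods = authorize_modules(lines)
    if eap and "eap" not in mods:
        pkt = parse_eap_message(eap[0])
        return (f"EAP {pkt['code']}/{pkt['type']} received but 'eap' never ran in "
                f"authorize (ran: {', '.join(mods)}); nothing set Auth-Type = EAP")
```

The function returns None when rlm_eap did run (or no EAP-Message was present), so it can be dropped into a loop over per-request slices of a radiusd -X trace.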