Freeradius 2.1.5 and LDAP+EAP-TLS problem.
Ville Leinonen
ville.leinonen at solodel.com
Mon Mar 30 12:45:37 CEST 2009
Hi,
I read that, but what if the user is not found in LDAP? RADIUS seems to need
some Auth-Type. How can I force an Auth-Type using LDAP?
My radius gives this message -> "No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user"
Here are some other logs if I use only ldap for the authorize section:
rad_recv: Access-Request packet from host 10.10.1.100 port 1024, id=198, length=224
Framed-MTU = 1466
NAS-IP-Address = 10.10.1.100
NAS-Identifier = "8021x"
User-Name = "lnx01.demo.local"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 37
NAS-Port-Type = Ethernet
NAS-Port-Id = "37"
Called-Station-Id = "00-16-b9-55-48-c0"
Calling-Station-Id = "00-e0-00-1c-1e-c1"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
EAP-Message = 0x02330016017375736530312e64656d6f2e6c6f63616c
Message-Authenticator = 0x5c313918e00d0d385d435e3194c284ed
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "lnx01.demo.local", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry DEFAULT at line 190
++[files] returns ok
[ldap] performing user authorization for lnx01.demo.local
[ldap] expand: (cn=%u) -> (cn=lnx01.demo.local)
[ldap] expand: ou=8021x,dc=demo,dc=local -> ou=8021x,dc=demo,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.10.101.31:389, authentication 0
rlm_ldap: setting TLS CACert Directory to /path/to/ca/dir/
rlm_ldap: bind as cn=Directory Manager/ to 10.10.101.31:389
rlm_ldap: waiting for bind result ...
request done: ld 0x9ba2480 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=8021x,dc=demo,dc=local, with filter (cn=lnx01.demo.local)
request done: ld 0x9ba2480 msgid 2
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user suse01.demo.local authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [suse01.demo.local/<no User-Password attribute>] (from client 8021x port 37 cli 00-e0-00-1c-1e-c1)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> suse01.demo.local
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 198 to 10.10.1.100 port 1024
Waking up in 4.9 seconds.
Cleaning up request 0 ID 198 with timestamp +6
Ready to process requests.
Br,
Ville
>We have OpenLDAP which includes our machine accounts. We
>also have computer certificates. Now what I want to do is that FreeRADIUS
>checks authorization against LDAP and authenticates against certificates.
>
>I have tested putting ldap in the authorization section and eap in the authentication
>section, but this won't work. I have also tested putting both ldap and eap in the
>authorization section, but ldap won't return reject if the user's not found.
>
>Is there any method to return reject from the authorization section if the user is not
>found in LDAP and stop processing there? Or is there any other method to do this?
>
>Read doc/rlm_ldap about access_attr.
>Ivan Kalik
>Kalik Informatika ISP
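An added configuration example, not from this thread or from the FreeRADIUS project, that shows the arrangement the debug output above points at. The authorize trace lists preprocess, suffix, files, ldap, expiration and logintime but no [eap] module, so nothing ever sets Auth-Type and the request is rejected before the certificate is even examined. The fix is to keep eap in authorize (it sets Auth-Type = EAP whenever an EAP-Message is present) and to make the ldap call reject unknown identities via an unlang return-code override, with access_attr handling entries that exist but are not allowed, as the reply suggests. The server address, base DN and filter are taken from the trace; the access attribute name and the file layout are assumptions for illustration (FreeRADIUS 2.1.x syntax).

```conf
# raddb/sites-enabled/default, authorize section (FreeRADIUS 2.1.x unlang).
# Added example; module names are the stock ones, everything else is assumed.
authorize {
    preprocess
    suffix

    # Look the EAP identity up in LDAP before eap runs.  rlm_ldap returns
    # "notfound" when the search matches nothing; map that to "reject" so
    # the request stops here instead of falling through to a
    # certificate-only decision.
    ldap {
        notfound = reject
    }

    # Must stay in authorize: eap is what sets Auth-Type = EAP.  The actual
    # EAP-TLS handshake then runs in the authenticate section.
    eap

    files
    expiration
    logintime
}

authenticate {
    eap
}

# raddb/modules/ldap: reject entries that exist in the directory but lack
# the access attribute (see doc/rlm_ldap, access_attr).  The attribute name
# "dialupAccess" is the stock default and is an assumption here.
ldap {
    server = "10.10.101.31"
    basedn = "ou=8021x,dc=demo,dc=local"
    filter = "(cn=%u)"
    identity = "cn=Directory Manager"
    password = "changeme"          # assumed placeholder
    access_attr = "dialupAccess"
    access_attr_used_for_allow = yes
}

# raddb/eap.conf, tls { ... } block: bind the certificate to the identity.
# The User-Name an EAP-TLS client sends is unauthenticated, so without this
# any holder of a valid certificate could claim another machine's identity
# and inherit that machine's LDAP authorization.
tls {
    check_cert_cn = %{User-Name}
    # ... certificate_file, private_key_file, CA_file etc. as before
}
```

With this ordering an identity missing from ou=8021x gets an Access-Reject from the ldap call itself, an identity present but without dialupAccess is rejected by rlm_ldap's access_attr check, and only an identity that passes both reaches the EAP-TLS handshake, where check_cert_cn ties the presented certificate's CN back to the name that was looked up. Note that authorize runs on every EAP round, so the LDAP search is repeated for each packet of the handshake.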