EAP-TTLS with mschapv2 and edirectory

Michael Fischer michi.fischer at gmx.net
Wed Sep 9 11:14:53 CEST 2009


On Wed, 2009-09-09 at 08:02 +1200, Peter Lambrechtsen wrote:
> On 9/09/2009, at 2:43 AM, Alan DeKok <aland at deployingradius.com> wrote:
> 
> > Michael Fischer wrote:
> >> I'm trying to set up 802.1x authentication on my Enterasys  
> >> AccessPoints
> >> using freeradius and eDirectory.
> >>
> >> Freeradius and eDirectory work like a charm when I use it for Cisco- 
> >> VPN
> >> authentication.
> >
> >  Which is likely PAP (i.e. clear-text password).
> >
> >
> >> rlm_ldap: Error reading Universal Password.Return Code = -1635
> >
> >  Go fix that.
> >
> >  eDirectory isn't returning the password.  Therefore, FreeRADIUS
> > doesn't have it, and cannot authenticate anyone.
> 
> Turn on universal password and allow user to retrieve password in your  
> universal password policy.
> Then reset their password using imanager or via ldap and try again.
> 
> >
> >
> >  Alan DeKok.
Hi,

the strange thing is that I've never used anything other than universal
password, and my universal password policy does allow the user to read
the password.

I get the same error with the working Cisco-VPN configuration, see the
debug output:

Ready to process requests.
rad_recv: Access-Request packet from host 10.99.4.1:1025, id=161,
length=142
	User-Name = "dfuernsin"
	User-Password = "xxxxxx"
	NAS-Port = 172
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Called-Station-Id = "10.99.4.1"
	Calling-Station-Id = "10.3.4.97"
	NAS-Port-Type = Virtual
	Tunnel-Client-Endpoint:0 = "10.3.4.97"
	NAS-IP-Address = 10.99.4.1
	Cisco-AVPair = "ip:source-ip=10.3.4.97"
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dfuernsin
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64
rlm_ldap: starting TLS
rlm_ldap: bind as cn=admin,o=TGM/xxxxxx to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: checking if remote access for dfuernsin is allowed by
dialupAccess
rlm_ldap: Error reading Universal Password.Return Code = -1635
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user dfuernsin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
rlm_ldap: - authenticate
rlm_ldap: login attempt by "dfuernsin" with password "xxxxxxx"
rlm_ldap: user DN: cn=dfuernsin,ou=ITS,ou=People,o=TGM
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64
rlm_ldap: starting TLS
rlm_ldap: bind as cn=dfuernsin,ou=ITS,ou=People,o=TGM/xxxxxx to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user dfuernsin authenticated succesfully
Login OK: [dfuernsin] (from client firewall port 172 cli 10.3.4.97)
Sending Access-Accept of id 161 to 10.99.4.1 port 1025
	Class = 0x54474d2d495453

I guess that cannot be the problem then...

Regards, Mike
-- 
Please stop top-quoting!
email: michi.fischer at gmx.net
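Added example, not part of the thread and not FreeRADIUS code: a small parser over the `radiusd -X` output quoted above that separates the two things happening in that log. In the authorize section rlm_ldap fails to read the Universal Password (return code -1635) and rlm_pap then warns that it has no "known good" password; in the authenticate section rlm_ldap still succeeds because Auth-Type = ldap makes it bind to eDirectory as the user, so the directory, not FreeRADIUS, checks the PAP password. That bind path cannot serve EAP-TTLS/MS-CHAPv2, where FreeRADIUS itself has to verify a challenge-response and therefore needs the user's clear-text password (or NT hash). The sample log is a constructed excerpt modelled on the lines in the message, the second "healthy" sample is hypothetical, and the verdict strings are my own labels.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt of the radiusd -X output quoted in the thread (trimmed, passwords masked).
SAMPLE_DEBUG = """\
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dfuernsin
rlm_ldap: bind as cn=admin,o=TGM/xxxxxx to localhost:389
rlm_ldap: Bind was successful
rlm_ldap: Error reading Universal Password.Return Code = -1635
rlm_ldap: Setting Auth-Type = ldap
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
rlm_ldap: - authenticate
rlm_ldap: user DN: cn=dfuernsin,ou=ITS,ou=People,o=TGM
rlm_ldap: Bind was successful
rlm_ldap: user dfuernsin authenticated succesfully
Login OK: [dfuernsin] (from client firewall port 172 cli 10.3.4.97)
"""

# Hypothetical log where the password read did not fail and no bind fallback was needed.
HEALTHY_DEBUG = """\
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dfuernsin
rlm_ldap: Bind was successful
Login OK: [dfuernsin] (from client firewall port 172 cli 10.3.4.97)
"""

UP_ERROR = re.compile(r"rlm_ldap: Error reading Universal Password\.\s*Return Code = (-?\d+)")
NO_KNOWN_GOOD = re.compile(r'rlm_pap: WARNING! No "known good" password found')
AUTH_TYPE = re.compile(r"rlm_ldap: Setting Auth-Type = (\S+)")
SECTION = re.compile(r"rlm_ldap: - (authorize|authenticate)")
BIND_OK = re.compile(r"rlm_ldap: Bind was successful")
LOGIN_OK = re.compile(r"Login OK: \[([^\]]+)\]")


@dataclass
class Findings:
    universal_password_rc: Optional[int] = None   # return code of the failed UP read, if any
    known_good_password: bool = True              # False once rlm_pap warns it has none
    auth_type: Optional[str] = None               # Auth-Type forced by rlm_ldap, if any
    binds_ok: dict = field(default_factory=lambda: {"authorize": 0, "authenticate": 0})
    login_ok_user: Optional[str] = None


def parse_debug(text: str) -> Findings:
    """Walk the debug output line by line, tracking which rlm_ldap section we are in."""
    f = Findings()
    section = None
    for line in text.splitlines():
        m = SECTION.search(line)
        if m:
            section = m.group(1)
            continue
        m = UP_ERROR.search(line)
        if m:
            f.universal_password_rc = int(m.group(1))
            continue
        if NO_KNOWN_GOOD.search(line):
            f.known_good_password = False
            continue
        m = AUTH_TYPE.search(line)
        if m:
            f.auth_type = m.group(1)
            continue
        if BIND_OK.search(line) and section:
            f.binds_ok[section] += 1   # admin bind in authorize, user bind in authenticate
            continue
        m = LOGIN_OK.search(line)
        if m:
            f.login_ok_user = m.group(1)
    return f


def assess(f: Findings) -> list:
    """Turn the findings into verdict labels (labels are this example's own, not FreeRADIUS output)."""
    verdicts = []
    if f.universal_password_rc is not None:
        verdicts.append(f"universal-password-read-failed:{f.universal_password_rc}")
    if not f.known_good_password:
        verdicts.append("no-known-good-password")
    # Login OK reached only through a user bind in the authenticate section: the directory
    # checked the PAP password, FreeRADIUS never held it.
    if f.login_ok_user and f.auth_type == "ldap" and f.binds_ok["authenticate"] > 0:
        verdicts.append("authenticated-by-ldap-bind")
    # MS-CHAPv2 is verified by the RADIUS server itself from the clear-text password
    # or NT hash; a bind cannot do that, so the same setup will fail for EAP-TTLS/MS-CHAPv2.
    if "no-known-good-password" in verdicts and "authenticated-by-ldap-bind" in verdicts:
        verdicts.append("mschapv2-will-fail")
    return verdicts


if __name__ == "__main__":
    for name, log in (("thread sample", SAMPLE_DEBUG), ("healthy sample", HEALTHY_DEBUG)):
        print(name, "->", assess(parse_debug(log)))
```

Feed it the full `radiusd -X` output of one request; when it reports `authenticated-by-ldap-bind` together with `no-known-good-password`, a working PAP/VPN login says nothing about whether MS-CHAPv2 will work, which is the distinction the exchange above turns on.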