ldap - edirectory authentication

Peter Lambrechtsen plambrechtsen at gmail.com
Thu Dec 9 23:49:21 CET 2010


It's important that FreeRadius was built with the --with-edir switch for
Universal Password to properly work.

On Fri, Dec 10, 2010 at 11:48 AM, Peter Lambrechtsen <
plambrechtsen at gmail.com> wrote:

> You may need to comment out the logintime and pap sections, since this
> isn't a pap authentication.
>
> It seems like the password is being correctly extracted out of eDirectory
> using Universal Password, but are you sure that's properly configured in the
> build version of FreeRadius?
>
> On Fri, Dec 10, 2010 at 11:40 AM, Robert Koskey <rkoskey at rockyview.ab.ca> wrote:
>
>>  Can anyone help? We are trying to do an LDAP authentication from Novell's
>> eDirectory to an Aruba controller for wireless access. These are the errors
>> we are getting.
>> It used to work perfectly but the original radius server blew up. We
>> installed a new one with the same configuration and it doesn't work. The
>> problem areas are bolded.
>> The problem seems to occur after the ldap authentication. I don't think we
>> are entirely clear about the order in which the whole process happens.
>>
>> Any help or suggestions would be greatly appreciated.
>>
>> The set up is:
>> OpenSuse 11.0
>> FreeRadius 2.0.5
>>
>> We have tried:
>> OpenSuse 11.3
>> FreeRadius 2.1.9  (same result)
>>
>>
>> rad_recv: Access-Request packet from host 10.215.10.100 port 34806,
>> id=218, length=199
>>  User-Name = "jordanhkaltenbruner"
>>  NAS-IP-Address = 10.200.8.30
>>  NAS-Port = 2
>>  NAS-Identifier = "10.215.10.99"
>>  NAS-Port-Type = Wireless-802.11
>>  Calling-Station-Id = "78CA39B5D3E5"
>>  Called-Station-Id = "000B8661AC58"
>>  Service-Type = Login-User
>>  Framed-MTU = 1100
>>  EAP-Message = 0x02010018016a6f7264616e686b616c74656e6272756e6572
>>  Aruba-Essid-Name = "SCHS-Student"
>>  Aruba-Location-Id = "SpringbankW2-9"
>>  Message-Authenticator = 0x4542e9b98b5978ca1ca52b7617910620
>> +- entering group authorize
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>>     rlm_realm: No '@' in User-Name = "jordanhkaltenbruner",
>> looking up realm NULL
>>     rlm_realm: No such realm "NULL"
>> ++[suffix] returns noop
>> rlm_ldap: - authorize
>> rlm_ldap: performing user authorization for jordanhkaltenbruner
>> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
>> details
>>  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) ->
>> (uid=jordanhkaltenbruner)
>>  expand: ou=springhigh_lab,o=springhigh -> ou=springhigh_lab,o=springhigh
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to 10.215.0.3:636, authentication 0
>> rlm_ldap: setting TLS mode to 1
>> rlm_ldap: bind as cn=admin,o=springhigh/???? to 10.215.0.3:636
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in ou=springhigh_lab,o=springhigh, with filter
>> (uid=jordanhkaltenbruner)
>> rlm_ldap: Added the eDirectory password 51601222 in check items as
>> Cleartext-Password
>> rlm_ldap: No default NMAS login sequence
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>> rlm_ldap: user jordanhkaltenbruner authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> ++[ldap] returns ok
>> *++[expiration] returns noop
>> ++[logintime] returns noop
>> rlm_pap: No clear-text password in the request.  Not performing PAP.
>> ++[pap] returns noop
>> auth: type Local
>> auth: No User-Password or CHAP-Password attribute in the request
>> auth: Failed to validate the user.
>> *  Found Post-Auth-Type Reject
>> +- entering group REJECT
>>  expand: %{User-Name} -> jordanhkaltenbruner
>>  attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Sending Access-Reject of id 218 to 10.215.10.100 port 34806
>> Finished request 0.
>>
>>
>> Robert Koskey,
>> Systems and Network Manager
>>
>> Rocky View Schools
>> Telephone: 403-945-4080
>> Cell: 403-988-4640
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
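The trace in Robert's post shows the mismatch Peter points at: the Access-Request carries EAP-Message and no User-Password, yet authorize ran only chap, mschap, suffix, ldap, expiration, logintime and pap (no eap), so the request fell through to Auth-Type Local with nothing to compare and was rejected. As an added example, not code from the thread or from FreeRADIUS, this Python script parses a radiusd -X trace and flags exactly that condition; the sample trace is reconstructed from the post with the printed password replaced by a placeholder.

```python
import re

# Constructed from the trace quoted above; the password rlm_ldap printed is replaced.
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 10.215.10.100 port 34806, id=218, length=199
 User-Name = "jordanhkaltenbruner"
 EAP-Message = 0x02010018016a6f7264616e686b616c74656e6272756e6572
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[suffix] returns noop
rlm_ldap: Added the eDirectory password <redacted> in check items as Cleartext-Password
++[ldap] returns ok
++[logintime] returns noop
++[pap] returns noop
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
Sending Access-Reject of id 218 to 10.215.10.100 port 34806
"""

ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")              # indented request attributes
MODULE_RE = re.compile(r"^\++\[([\w.]+)\] returns (\w+)$")  # per-module return codes

def parse_trace(text):
    """Request attributes and the (module, rcode) pairs the authorize group ran."""
    attrs, modules, section = {}, [], None
    for line in text.splitlines():
        if line.startswith("+- entering group"):
            section = line.split()[3]          # "authorize", "REJECT", ...
        elif m := ATTR_RE.match(line):
            attrs[m.group(1)] = m.group(2).strip('"')
        elif (m := MODULE_RE.match(line)) and section == "authorize":
            modules.append((m.group(1), m.group(2)))
    return attrs, modules

def diagnose(text):
    """Explain why a trace like the one above ends in Access-Reject."""
    attrs, modules = parse_trace(text)
    ran = {name for name, _ in modules}
    has_pw = any(a in attrs for a in ("User-Password", "CHAP-Password"))
    return {
        # EAP-Message and no password attribute: this is EAP, not PAP/CHAP
        "eap_request": "EAP-Message" in attrs and not has_pw,
        # only the eap module in authorize sets Auth-Type = EAP
        "eap_module_ran": "eap" in ran,
        # Universal Password landed in the check items, so the eDir lookup itself works
        "upw_retrieved": "as Cleartext-Password" in text and ("ldap", "ok") in modules,
        # fell through to Auth-Type Local, which needs User-Password or CHAP-Password
        "local_auth_without_password": "auth: type Local" in text and not has_pw,
    }
```

Note that radiusd -X prints the Universal Password rlm_ldap pulled into Cleartext-Password in the clear, as the original trace shows, so scrub such traces before sharing them.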