Can't authenticate using LDAP (ldap+mysql+eap_ttls)

Edgaras edgaras at kauko.lt
Mon Feb 7 08:51:50 CET 2011


Hello,

I have configured freeradius (testing server) to try to authenticate using
LDAP and, if a user is not found in the LDAP database, then try SQL.

If I try to authenticate using a user found in the SQL database, I get
authorized, authenticated and connected.

But if I try to authenticate as a user found in the LDAP database,
authentication fails in the inner tunnel:



server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test.user", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 6 length 79
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for test.user
[ldap] 	expand: %{Stripped-User-Name} ->
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> test.user
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=test.user)
[ldap] 	expand: ou=Users, dc=xxxxxx, dc=lt -> ou=Users, dc=xxxxxx, dc=lt
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Users, dc=xxxxxx, dc=lt, with filter
(uid=test.user)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
[ldap] user test.user authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test.user with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel


It says "Found Auth-Type = EAP" although in sites-enabled/inner-tunnel I
have uncommented:

Auth-Type LDAP {
        ldap
}


By the way, if I try to authenticate using the same user via radtest, the
server, of course, doesn't go into the inner-tunnel, and so I get authenticated.

I'm adding full radius log.

Thanks.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius.log
Type: application/octet-stream
Size: 54784 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110207/bc1b4cae/attachment.obj>
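As an added diagnostic example (not part of the original post and not FreeRADIUS code), the following Python script parses an inner-tunnel debug excerpt like the one above and reports why the request was rejected. It flags two conditions that appear in the post's log: the inner method is EAP-MSCHAPv2, so the authorize section selects Auth-Type = EAP and an "Auth-Type LDAP { ldap }" section is never reached; and rlm_mschap can only verify an MS-CHAP2-Response against a Cleartext-Password or NT-Password, which rlm_ldap did not return (hence the "known good" password warning). An LDAP bind can only check a password that arrives in the clear (PAP or EAP-GTC), not an MS-CHAPv2 challenge/response. The message strings it matches are assumed to be those of the FreeRADIUS 2.x debug output shown here; the sample log is a constructed, trimmed copy of the post's own output.

```python
import re

# Constructed, trimmed excerpt of the FreeRADIUS 2.x inner-tunnel debug
# output quoted in the post (module names and messages as shown there).
SAMPLE_LOG = """server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns ok
++[control] returns ok
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for test.user
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user test.user authorized to use remote access
++[ldap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] processing type mschapv2
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] returns reject
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
"""

# "++[module] returns rcode" lines: one per module call in authorize/authenticate.
MODULE_RESULT = re.compile(r"^\+\+\[(?P<module>[\w.-]+)\] returns (?P<rcode>\w+)$")
AUTH_TYPE = re.compile(r"^Found Auth-Type = (?P<type>\S+)$")

# Message fragments from the debug output that mark the relevant conditions.
MARKERS = {
    "ldap_no_known_good_password": 'No "known good" password was found in LDAP',
    "mschap_no_nt_lm_password": "No NT/LM-Password",
    "inner_eap_mschapv2": "processing type mschapv2",
}


def parse_debug(text):
    """Extract module return codes, the selected Auth-Type and condition flags."""
    returns = []
    auth_type = None
    flags = set()
    for raw in text.splitlines():
        line = raw.strip()  # rlm_ldap indents some of its lines
        m = MODULE_RESULT.match(line)
        if m:
            returns.append((m["module"], m["rcode"]))
            continue
        m = AUTH_TYPE.match(line)
        if m:
            auth_type = m["type"]
            continue
        for flag, needle in MARKERS.items():
            if needle in line:
                flags.add(flag)
    return {"returns": returns, "auth_type": auth_type, "flags": flags}


def diagnose(parsed):
    """Explain an inner-tunnel reject in terms of the conditions found."""
    flags = parsed["flags"]
    findings = []
    if parsed["auth_type"] == "EAP" and "inner_eap_mschapv2" in flags:
        findings.append(
            "Inner method is EAP-MSCHAPv2, so the authorize section sets "
            "Auth-Type = EAP; an 'Auth-Type LDAP { ldap }' section is never "
            "selected for this request."
        )
    if "mschap_no_nt_lm_password" in flags and "ldap_no_known_good_password" in flags:
        findings.append(
            "rlm_mschap needs a 'known good' Cleartext-Password or NT-Password "
            "to verify the MS-CHAP2-Response; rlm_ldap supplied neither. An LDAP "
            "bind can only check a password sent in the clear (PAP/EAP-GTC)."
        )
    return findings


def final_result(parsed):
    """Return code of the last module call, e.g. ('eap', 'reject')."""
    return parsed["returns"][-1] if parsed["returns"] else None


if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_LOG)
    print("Auth-Type:", parsed["auth_type"], "final:", final_result(parsed))
    for finding in diagnose(parsed):
        print("-", finding)
```

Run it against a saved "radiusd -X" capture instead of SAMPLE_LOG to get the same two findings; if the inner method were PAP or EAP-GTC, Auth-Type would not be EAP with an mschapv2 type and the list would be empty, which is the case where an LDAP bind in "Auth-Type LDAP" can actually do the password check.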

