radius authentication fallback from ldap to local
Chowdhury Satish-NVF476
satish.chowdhury at motorolasolutions.com
Sat May 7 14:17:37 CEST 2011
Hi,
Got it resolved with the following configuration.
radiusd.conf
------------
authorize {
    preprocessor
    .....
    passwd
    ldap {
        fail = 1
    }
    if (fail) {
        files
    }
}
authenticate {
    .....
    Auth-Type FALLBACK_LDAP {
        redundant {
            ldap
            pap
        }
    }
    ......
}
eap.conf
--------
eap {
    ....
    gtc {
        challenge = "Password"
        auth_type = FALLBACK_LDAP
    }
    ....
}
users
------
DEFAULT Auth-Type = FALLBACK_LDAP
        Fall-Through = No
Thanks
-Satish
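As an added illustration (not from the post or from FreeRADIUS itself), the Python below models the return-code semantics that make the resolved configuration work: unlang's redundant block moves on to the next module only on fail, so an LDAP reject (wrong password) stays a reject and is never retried against the local files, while an unreachable LDAP server (fail) falls through to pap using the Cleartext-Password that files stored in authorize. The module names and return codes follow FreeRADIUS conventions; the dict-based LDAP and users stores, and pap returning fail when no known-good password is present, are assumptions of this model.

```python
from enum import Enum

class Rcode(Enum):
    OK = "ok"          # credentials accepted
    FAIL = "fail"      # module could not do its job (e.g. LDAP unreachable)
    REJECT = "reject"  # module ran and refused the credentials

def ldap_authenticate(user, password, ldap):
    """ldap: dict user -> password (constructed), or None when the server is unreachable."""
    if ldap is None:
        return Rcode.FAIL
    return Rcode.OK if ldap.get(user) == password else Rcode.REJECT

def pap_authenticate(password, request):
    """rlm_pap compares the supplied password against Cleartext-Password set by authorize."""
    known = request.get("Cleartext-Password")
    if known is None:
        return Rcode.FAIL  # assumption: with no known-good password pap fails
    return Rcode.OK if known == password else Rcode.REJECT

def redundant(steps):
    """unlang 'redundant': run steps in order, moving on only when one returns fail."""
    rcode = Rcode.FAIL
    for step in steps:
        rcode = step()
        if rcode is not Rcode.FAIL:
            break
    return rcode

def authorize(user, ldap, local_users):
    """Models the post's authorize section: ldap { fail = 1 }  if (fail) { files }"""
    request = {}
    if ldap is None and user in local_users:  # ldap failed, so consult files
        request["Cleartext-Password"] = local_users[user]
    return request

def authenticate(user, password, ldap, local_users):
    """Models: Auth-Type FALLBACK_LDAP { redundant { ldap pap } }"""
    request = authorize(user, ldap, local_users)
    return redundant([
        lambda: ldap_authenticate(user, password, ldap),
        lambda: pap_authenticate(password, request),
    ])
```

The model makes the security property explicit: the local file only becomes a valid credential source when LDAP is down, never as a second try after LDAP has rejected the password.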
-----Original Message-----
From: freeradius-users-bounces+satish.chowdhury=motorolasolutions.com at lists.freeradius.org [mailto:freeradius-users-bounces+satish.chowdhury=motorolasolutions.com@lists.freeradius.org] On Behalf Of Chowdhury Satish-NVF476
Sent: Saturday, May 07, 2011 12:51 PM
To: freeradius-users at lists.freeradius.org
Subject: radius authentication fallback from ldap to local
Hi,
I am trying to configure fallback of the radius server from ldap to local
file-based authentication when the ldap server is not reachable.
I have a wireless client which needs to be authenticated by the radius
server on association. The wireless client uses EAP-PEAP authentication
and PEAP-GTC as the inner protocol. The authentication works fine with LDAP
and local files with separate configuration settings. However, I am
unable to configure the fallback mechanism.
My freeradius version is 2.1.7. I made the following modifications for
fallback.
radiusd.conf
-------------
authorize {
    preprocessor
    .....
    passwd
    ldap {
        fail = 1
    }
    if (fail) {
        files
    }
}
eap.conf
---------
eap {
    ....
    gtc {
        challenge = "Password"
        auth_type = ldap
    }
    ....
}
users
--------
DEFAULT Auth-Type = Local
        Fall-Through = Yes
With the above settings the LDAP authentication works fine. When ldap is
disconnected the radius server fails to find ldap and falls back to the files
module.
However, it fails in eap with the following error:
----->>
[eap] Request found, released from the list
[eap] EAP/gtc
[eap] processing type gtc
[gtc] +- entering group LDAP {...}
[ldap] login attempt by "user1" with password "symbol123"
[ldap] expand: (sAMAccountName=%{Stripped-User-Name}) -> (sAMAccountName=user1)
[ldap] expand: DC=wlan,DC=com -> DC=wlan,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail
[eap] Handler failed in EAP/gtc
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
auth: Failed to validate the user.: [user1] (from client localhost port 1 cli 00-13-CE-F0-6E-32 via TLS tunnel)
Login incorrect: [user1] (from client localhost port 1 cli 00-13-CE-F0-6E-32 via TLS tunnel)
} # server
[peap] Got tunneled reply code 3
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
<<<---------
The complete log is pasted here: http://pastebin.com/PjDuvAvy. Packets 1-8 are
from when ldap is connected. Ldap is disconnected from packet 9 onwards. The
error is in packet 17. The wireless client waits for an Access-Accept.
Later, I changed the eap.conf as below:
eap {
    ....
    gtc {
        challenge = "Password"
        auth_type = Local
    }
    ....
}
With this configuration local fallback authentication works. However,
when ldap is connected the ldap authentication is successful only if the
user credential is also present in the local password file.
How do I solve it? I am a newbie to radius; please guide me if I am missing
something obvious.
Regards,
Satish