Using LDAP with EAP-TLS

Alexandros Gougousoudis gougousoudis-list at servicecenter-khs.de
Mon May 16 14:32:59 CEST 2011


Hi,

I'm trying to make FR 2.1.10 on Squeeze work with my LDAP installation. 
What I want to do is:

A host-based authentication for my workstations. All the names of the 
workstations are in LDAP; the authentication itself should be done 
with EAP-TLS. I would like to have a hint on how to start EAP when the 
LDAP query was successful. The LDAP query works, I think; FR says: 
[ldap] user scit-beerchen authorized to use remote access, but then it 
tries to do some kind of password authentication (I have no password 
for workstations in LDAP) and is not starting EAP-TLS. The asking host 
"scit-beerchen" is in the WLAN-User group.

What could I do?

Please have a look at my debug output:

rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, 
length=139
        User-Name = "scit-beerchen"
        NAS-IP-Address = 10.48.244.28
        Called-Station-Id = "0016b64f44cc"
        Calling-Station-Id = "002268c63ff2"
        NAS-Identifier = "0016b64f44cc"
        NAS-Port = 11
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200001201736369742d626565726368656e
        Message-Authenticator = 0x12969f7ffa42f57be53a54474c1274be
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for scit-beerchen
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> scit-beerchen
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(uid=scit-beerchen)
[ldap]  expand: dc=verwaltung,dc=kh-berlin,dc=de -> 
dc=verwaltung,dc=kh-berlin,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to physalis:389, authentication 0
  [ldap] bind as / to physalis:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with 
filter (uid=scit-beerchen)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly?
[ldap] user scit-beerchen authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  
Authentication may fail because of this.
++[pap] returns noop
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> 
--username=scit-beerchen
[ntlm_auth]     expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password 
(0xc000006a)
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> scit-beerchen
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, 
length=139
Cleaning up request 0 ID 0 with timestamp +1034
        User-Name = "scit-beerchen"
        NAS-IP-Address = 10.48.244.28
        Called-Station-Id = "0016b64f44cc"
        Calling-Station-Id = "002268c63ff2"
        NAS-Identifier = "0016b64f44cc"
        NAS-Port = 11
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200001201736369742d626565726368656e
        Message-Authenticator = 0x11c70e19e2f1150428f5cc12d535e57b
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for scit-beerchen
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> scit-beerchen
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(uid=scit-beerchen)
[ldap]  expand: dc=verwaltung,dc=kh-berlin,dc=de -> 
dc=verwaltung,dc=kh-berlin,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with 
filter (uid=scit-beerchen)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly?
[ldap] user scit-beerchen authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  
Authentication may fail because of this.
++[pap] returns noop
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> 
--username=scit-beerchen
[ntlm_auth]     expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password 
(0xc000006a)
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> scit-beerchen
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, 
length=139
Cleaning up request 1 ID 0 with timestamp +1034
        User-Name = "scit-beerchen"
        NAS-IP-Address = 10.48.244.28
        Called-Station-Id = "0016b64f44cc"
        Calling-Station-Id = "002268c63ff2"
        NAS-Identifier = "0016b64f44cc"
        NAS-Port = 11
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200001201736369742d626565726368656e
        Message-Authenticator = 0x781aba777bfd1eee9fb99135f368597f
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for scit-beerchen
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> scit-beerchen
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(uid=scit-beerchen)
[ldap]  expand: dc=verwaltung,dc=kh-berlin,dc=de -> 
dc=verwaltung,dc=kh-berlin,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with 
filter (uid=scit-beerchen)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly?
[ldap] user scit-beerchen authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  
Authentication may fail because of this.
++[pap] returns noop
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> 
--username=scit-beerchen
[ntlm_auth]     expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password 
(0xc000006a)
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> scit-beerchen
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 0 to 10.48.244.28 port 3079
Waking up in 4.9 seconds.
Cleaning up request 2 ID 0 with timestamp +1034
Ready to process requests.


This is my "default" site:

authorize {
        preprocess
        chap
        mschap
        digest
        suffix
        ntdomain
        eap {
                ok = return
        }
        files
        ldap
        if (notfound) {
          reject
        }
        expiration
        logintime
        pap
        ntlm_auth
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        digest
        unix
        eap
        Auth-Type LDAP {
                ldap
                if (LDAP-Group == "WLAN-User") {
                        noop
                }
                else {
                        reject
                }
        }
        ntlm_auth
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
        exec
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
        eap
}


TIA
 Alex
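The debug output above shows why EAP-TLS never starts: the EAP-Identity response makes the eap module return "updated" rather than "ok", so `ok = return` does not stop the authorize section, and the `ntlm_auth` instance placed at the end of authorize runs the helper with an empty User-Password and rejects the request before the authenticate section is ever reached. The `Auth-Type LDAP` block with the group check is never entered either, because the eap module has already set Auth-Type to EAP. The following reworked authorize/authenticate sections are an added example, not the poster's configuration and not an official FreeRADIUS example; they assume FreeRADIUS 2.1.x unlang, the `ldap` module instance and the group name "WLAN-User" from the post, and that only EAP-TLS is wanted for the workstations. The sections not shown (preacct, accounting, session, post-auth, pre-proxy, post-proxy) stay as in the post.

```unlang
# Added example: host-based EAP-TLS with an LDAP group check.
# Assumes FreeRADIUS 2.1.x, the "ldap" instance and the group
# "WLAN-User" from the post; not the poster's or the project's config.
authorize {
        preprocess
        suffix
        ntdomain

        # On the EAP-Identity response rlm_eap sets Auth-Type = EAP and
        # returns "updated", so "ok = return" does not end the section.
        # That is fine as long as nothing below can reject the request
        # on password grounds.
        eap {
                ok = return
        }
        files

        # Look the workstation up in LDAP. The "No known good password"
        # warning is expected for EAP-TLS: the client certificate, not a
        # password, proves identity. "notfound" means no LDAP entry at all.
        ldap
        if (notfound) {
                reject
        }

        # LDAP-Group is a virtual attribute registered by rlm_ldap; comparing
        # it performs a group-membership query. Do the check here, in
        # authorize, where it runs for every request, instead of inside an
        # "Auth-Type LDAP" block that an EAP request never enters.
        if (LDAP-Group == "WLAN-User") {
                ok
        }
        else {
                reject
        }

        expiration
        logintime
        # pap and ntlm_auth are deliberately absent. ntlm_auth is an exec
        # module; run from authorize it calls the helper with an empty
        # User-Password and rejects the request before authenticate runs,
        # which is exactly what the debug output shows.
}

authenticate {
        # Auth-Type EAP was set by rlm_eap in authorize. The EAP-TLS
        # handshake happens here, spread over several
        # Access-Request / Access-Challenge round trips.
        eap
}
```

The group comparison only works if the `ldap` module instance has its group settings configured (`groupname_attribute`, `groupmembership_filter` or `groupmembership_attribute` in the 2.x `modules/ldap` file); with those in place the debug output shows the membership search right after the user search. Dropping `pap`, `chap`, `mschap` and `ntlm_auth` is appropriate only when the server handles nothing but EAP-TLS; if password-based clients must be served by the same site, keep those modules but move `ntlm_auth` into its own `Auth-Type` block in authenticate, where it runs only for requests that actually carry a password.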
