FreeRadius OpenLDAP TTLS/PAP

akkouche akkouchekahina at hotmail.fr
Thu Jun 14 13:15:29 CEST 2012


I am trying to configure FreeRadius / OpenLDAP with the TTLS / PAP method, but
it does not work. How do I do this?
Thank you.

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 41586, id=30,
length=56
    User-Name = "toto"
    User-Password = "\267\002n\235W\270=\207\343\327U\032\036\032w\372"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "toto", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for toto
[ldap]     expand: %{Stripped-User-Name} ->
[ldap]     ... expanding second conditional
[ldap]     expand: %{User-Name} -> toto
[ldap]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=toto)
[ldap]     expand: dc=tem-tsp,dc=eu -> dc=tem-tsp,dc=eu
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=tem-tsp,dc=eu, with filter (uid=toto)
[ldap] Added User-Password = toto in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "toto"
[ldap] looking for reply items in directory...
  [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "33"
  [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user toto authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Config already contains "known good" password.  Ignoring
Password-With-Header
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.    
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"              
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "�?n?W�=?��U???w�"
[pap] Using clear text password "toto"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
  WARNING: Unprintable characters in the password.       Double-check the
shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> toto
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 11 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 11
Sending Access-Reject of id 30 to 127.0.0.1 port 41586
Waking up in 4.9 seconds.
Cleaning up request 11 ID 30 with timestamp +1966
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 41586, id=30,
length=56
    User-Name = "toto"
    User-Password = "\267\002n\235W\270=\207\343\327U\032\036\032w\372"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "toto", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for toto
[ldap]     expand: %{Stripped-User-Name} ->
[ldap]     ... expanding second conditional
[ldap]     expand: %{User-Name} -> toto
[ldap]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=toto)
[ldap]     expand: dc=tem-tsp,dc=eu -> dc=tem-tsp,dc=eu
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=tem-tsp,dc=eu, with filter (uid=toto)
[ldap] Added User-Password = toto in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "toto"
[ldap] looking for reply items in directory...
  [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "33"
  [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user toto authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Config already contains "known good" password.  Ignoring
Password-With-Header
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.    
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"              
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "�?n?W�=?��U???w�"
[pap] Using clear text password "toto"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
  WARNING: Unprintable characters in the password.       Double-check the
shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> toto
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 30 to 127.0.0.1 port 41586
Waking up in 4.9 seconds.
Cleaning up request 12 ID 30 with timestamp +1974
Ready to process requests.


-----
kahina akkouche
--
View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-OpenLDAP-TTLS-PAP-tp5713750.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
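
The WARNING in the debug output above ("Unprintable characters in the password ... Double-check the shared secret") follows from how RADIUS hides User-Password (RFC 2865, section 5.2): the password is XORed with MD5(shared secret + Request Authenticator), so a server whose secret differs from the client's recovers random bytes instead of "toto". The sketch below is an added example, not part of the original post and not FreeRADIUS code; the function names, both secrets and the authenticator are constructed for illustration.

```python
import hashlib

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client/NAS side: hide User-Password as in RFC 2865 section 5.2."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    # Pad with NULs to a multiple of 16 octets (an empty password becomes 16 NULs).
    if not password or len(password) % 16:
        password += b"\x00" * (16 - len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(password[i:i + 16], key))
        out += block
        prev = block  # the next block is keyed on the previous ciphertext block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the server's copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def looks_printable(pw: bytes) -> bool:
    """True when every octet is printable ASCII, as a typed password would be."""
    return all(0x20 <= b < 0x7F for b in pw)

def compare_secrets():
    """Return what the server recovers with a matching and a mismatched secret."""
    authenticator = bytes(range(16))      # constructed Request Authenticator
    client_secret = b"testing123"         # constructed: secret used by the client
    hidden = hide_password(b"toto", client_secret, authenticator)
    good = reveal_password(hidden, b"testing123", authenticator)
    bad = reveal_password(hidden, b"testing124", authenticator)  # one char off
    return hidden, good, bad

if __name__ == "__main__":
    hidden, good, bad = compare_secrets()
    print("on the wire  :", hidden.hex())
    print("secrets match:", good, "printable:", looks_printable(good))
    print("secrets differ:", bad, "printable:", looks_printable(bad))
```

The hidden value for a four-character password is 16 octets, the same length as the User-Password attribute in the Access-Request shown in the log.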

