EAP/TTLS Auth problem
Alan DeKok
aland at deployingradius.com
Mon May 14 17:18:41 CEST 2012
Steve Hopps wrote:
> I'll post the full log. It should be pulling from OpenLDAP. I had to
> censor the log in a few places, including the IP of the system I'm
> using to test, which I changed to 6.6.6.6

And please check Phil's comment. It is *still* showing this:

    [pap] Using CRYPT password "*"

THAT is the problem. "*" isn't a valid Crypt'd password. It's there
because it's being read from /etc/passwd by the "unix" module. The
"unix" module is doing that because your configuration is left over from
an older version. This was changed in 2.1.10. From the ChangeLog:

    * No longer look users up in /etc/passwd in the default
      configuration.
      This can be reverted by enabling "unix" in the "authorize"
      section.

In addition, the debug output *clearly* shows it's not getting
anything from LDAP:

    [ldap] looking for check items in directory...
    [ldap] looking for reply items in directory...
    [ldap] user test authorized to use remote access

i.e. it found nothing.

If you want it to read LDAP, then:

a) delete the "unix" module from the "authorize" section
b) don't test with a user who's in /etc/passwd
c) ensure that the user exists in LDAP.
Alan DeKok.
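
Added example, not part of the original post or of FreeRADIUS: a small Python check that scans debug output for the two symptoms described above, a CRYPT password that is a /etc/passwd placeholder rather than a hash, and an LDAP lookup that returned no check items. The function names are hypothetical, the sample log is constructed from the lines quoted in the post, and it assumes that attributes found in LDAP would be logged between the "check items" and "reply items" lines.

```python
import re

# Password-field values that mean "no usable hash here" in /etc/passwd or shadow.
PLACEHOLDERS = {"", "*", "x", "!", "!!"}
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")        # traditional crypt(3)
MODULAR_CRYPT = re.compile(r"^\$[0-9a-z]+\$.+\$.+$")  # $id$salt$hash
PAP_LINE = re.compile(r'\[pap\] Using CRYPT password "(.*)"')
LDAP_CHECK = "[ldap] looking for check items in directory..."
LDAP_REPLY = "[ldap] looking for reply items in directory..."

def classify_crypt(value):
    """Return 'placeholder', 'hash' or 'invalid' for a crypt password field."""
    if value in PLACEHOLDERS or value[0] in "!*":
        return "placeholder"   # locked account or "password stored elsewhere"
    if DES_CRYPT.match(value) or MODULAR_CRYPT.match(value):
        return "hash"
    return "invalid"

def diagnose(log_text):
    """Return the list of symptoms found in FreeRADIUS debug output."""
    findings = []
    lines = [line.strip() for line in log_text.splitlines()]
    for i, line in enumerate(lines):
        m = PAP_LINE.search(line)
        if m and classify_crypt(m.group(1)) != "hash":
            # pap was handed something that can never match a user's password
            findings.append("pap-placeholder-crypt")
        # Assumption: nothing logged between these two lines means that
        # LDAP supplied no check items (so no password) for the user.
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line == LDAP_CHECK and nxt == LDAP_REPLY:
            findings.append("ldap-no-check-items")
    return findings

# Constructed sample, built from the debug lines quoted in the post.
SAMPLE_LOG = """\
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
[pap] Using CRYPT password "*"
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```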