radlogin works, mobile device not

Mihajlo Joksimovic mihajlo.joksimovic at adfinis-sygroup.ch
Tue Sep 11 10:54:22 CEST 2012


Yes I have.

Here are the two different logs, one from radlogin on the server and the
second from an iPhone that wants to connect.

RADLOGIN:
rad_recv: Access-Request packet from host 127.0.0.1 port 46391, id=99,
length=71
    Service-Type = Login-User
    User-Name = "Administrator"
    User-Password = "***"
    NAS-IP-Address = 10.119.2.4
    NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "Administrator", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for Administrator
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=Administrator)
    expand: dc=tcsvo,dc=local -> dc=tcsvo,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: bind as cn=admin,dc=tcsvo,dc=local/pPWSrf5 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=tcsvo,dc=local, with filter
(uid=Administrator)
rlm_ldap: checking if remote access for Administrator is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute
Cleartext-Password == "{crypt}$1$5eEakVq3$MQZSsqhrcB6NW/aaGYuRx."
rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password
== 0x4139444241443137383246324236314336454541304139374238384242373245
rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password
== 0x4241303338423239303831394236353944463132384232444433324241443037
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by "Administrator" with password "***"
rlm_ldap: user DN: uid=Administrator,cn=users,dc=tcsvo,dc=local
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: starting TLS
rlm_ldap: bind as uid=Administrator,cn=users,dc=tcsvo,dc=local/D4t6Ui2g
to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user Administrator authenticated succesfully
++[ldap] returns ok
Login OK: [Administrator/***] (from client localhost port 0)
+- entering group post-auth
++[ldap] returns noop
++[exec] returns noop
Sending Access-Accept of id 99 to 127.0.0.1 port 46391
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 99 with timestamp +1284
Ready to process requests.

iPhone test:
rad_recv: Access-Request packet from host 10.119.12.2 port 1318, id=21,
length=197
    Message-Authenticator = 0x24691ccd1f2040d828405d72ef7189ec
    Service-Type = Framed-User
    User-Name = "nadine.bosshard"
    Framed-MTU = 1488
    Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
    Calling-Station-Id = "9803D861E85C"
    NAS-Identifier = "aptcsvo02"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message = 0x02000014016e6164696e652e626f737368617264
    NAS-IP-Address = 10.119.12.2
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm
NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 20
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_unix: [nadine.bosshard]: invalid shell [/bin/false]
++[unix] returns reject
Invalid user: [nadine.bosshard/<via Auth-Type = EAP>] (from client
aptcsvo02 port 1 cli 9803D861E85C)
  Found Post-Auth-Type Reject
+- entering group REJECT
    expand: %{User-Name} -> nadine.bosshard
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.119.12.2 port 1318, id=21,
length=197
Waiting to send Access-Reject to client aptcsvo02 port 1318 - ID: 21
Sending delayed reject for request 0
Sending Access-Reject of id 21 to 10.119.12.2 port 1318
Waking up in 4.9 seconds.
Cleaning up request 0 ID 21 with timestamp +1333
Ready to process requests.


On 09/11/2012 10:42 AM, Fajar A. Nugraha wrote:
> On Tue, Sep 11, 2012 at 3:29 PM, Mihajlo Joksimovic
> <mihajlo.joksimovic at adfinis-sygroup.ch> wrote:
>> Well I started with a fresh installation and made minimal changes.
>> I put in the APs in clients.conf, activated and configured ldap and copied
>> the certs in the correct direction.
> that's a start
>
>> This is the output when i start with -X:
> good.
>
>> Listening on authentication address * port 1812
>> Listening on accounting address * port 1813
>> Listening on proxy address * port 1814
>> Ready to process requests.
> ... and where's the access-request packet?
>
> It should have different log compared to the one you pasted the first
> time, since the config is different.
>
> ... or is it you haven't tested authentication using this radius?
>

-- 
Adfinis SyGroup AG
Mihajlo Joksimovic, System Engineer

Güterstrasse 86 | CH-4053 Basel
Tel. 061 333 80 33
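A small triage helper for traces like the two in this message, written here as an added example and not code from the thread or from FreeRADIUS: it walks a `radiusd -X` debug trace, tracks the section being run, and reports the first module whose return code was reject or fail together with the `rlm_*` diagnostic it printed just before, which for the iPhone trace is `rlm_unix` in `authorize` complaining about the `/bin/false` shell. The two trace strings are constructed, abridged excerpts of the logs quoted above.

```python
import re

# Constructed, abridged excerpts of the two -X traces from the post.
REJECT_TRACE = """\
+- entering group authorize
++[preprocess] returns ok
++[suffix] returns noop
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_unix: [nadine.bosshard]: invalid shell [/bin/false]
++[unix] returns reject
Invalid user: [nadine.bosshard/<via Auth-Type = EAP>] (from client aptcsvo02 port 1 cli 9803D861E85C)
Sending Access-Reject of id 21 to 10.119.12.2 port 1318
"""
ACCEPT_TRACE = """\
+- entering group authorize
++[unix] returns updated
++[ldap] returns ok
+- entering group LDAP
rlm_ldap: user Administrator authenticated succesfully
++[ldap] returns ok
Sending Access-Accept of id 99 to 127.0.0.1 port 46391
"""

GROUP_RE = re.compile(r"^\+- entering group (\S+)")        # "+- entering group authorize"
MODULE_RE = re.compile(r"^\++\[([\w.]+)\] returns (\w+)")  # "++[unix] returns reject"
RESULT_RE = re.compile(r"^Sending Access-(Accept|Reject)")

def triage(trace):
    """Return (result, section, module, reason) for one request's -X trace.

    section/module identify the first module returning reject or fail, and
    reason is the rlm_* diagnostic that module printed just before it."""
    section = result = verdict = None
    pending = []                      # rlm_* lines since the last module return
    for line in trace.splitlines():
        if m := GROUP_RE.match(line):
            section, pending = m.group(1), []
        elif m := MODULE_RE.match(line):
            module, rc = m.groups()
            if rc in ("reject", "fail") and verdict is None:
                reason = pending[-1] if pending else None
                verdict = (section, module, reason)
            pending = []
        elif m := RESULT_RE.match(line):
            result = m.group(1)
        elif line.lstrip().startswith("rlm_"):
            pending.append(line.strip())
    return (result,) + (verdict or (None, None, None))
```

Running `triage(REJECT_TRACE)` names `unix` in `authorize` as the rejecting module, while `triage(ACCEPT_TRACE)` reports an Accept with no rejecting module.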
