FR 3.0 with eDir
Hubert Kupper
kupper at uni-landau.de
Tue Dec 17 13:38:08 CET 2013
On 17.12.2013 12:22, Arran Cudbard-Bell wrote:
>> I know. But the password is ok and works with OpenSuse 12.3 and FR 2.x
>> The response seems to be triggered by a mismatch of FR and OpenSuse 13.1 and eDir.
> If you get packet captures of each then we can do a comparison and figure out what
> changes.
>
> -Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
Here is a part of the result from radiusd -X. Do you want a Wireshark
capture too?
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests
rad_recv: Access-Request packet from host 192.168.200.6 port 32770,
id=87, length=215
User-Name = 'foo'
Calling-Station-Id = '84-4b-f5-39-8a-f8'
Called-Station-Id = 'd8-24-bd-2e-4c-c0:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=8b0ec806000400e552b040e3'
NAS-IP-Address = 192.168.200.6
NAS-Identifier = 'xxx'
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '150'
EAP-Message = 0x0202000a0170726f6265
Message-Authenticator = 0x918dcc4fcbdefa81607d26e56be961ad
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) ? if (!User-Name)
(0) ? if (!User-Name) -> FALSE
(0) ? if (User-Name != "%{tolower:%{User-Name}}")
(0) expand: "%{tolower:%{User-Name}}" -> 'foo'
(0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) ? if (User-Name =~ / /)
(0) ? if (User-Name =~ / /) -> FALSE
(0) ? if (User-Name =~ /@.*@/ )
(0) ? if (User-Name =~ /@.*@/ ) -> FALSE
(0) ? if (User-Name =~ /\\.\\./ )
(0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(0) ? if (User-Name =~ /\\.$/)
(0) ? if (User-Name =~ /\\.$/) -> FALSE
(0) ? if (User-Name =~ /@\\./)
(0) ? if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [mschap] = noop
(0) suffix : No '@' in User-Name = "foo", looking up realm NULL
(0) suffix : Found realm "NULL"
(0) suffix : Adding Stripped-User-Name = "foo"
(0) suffix : Adding Realm = "NULL"
(0) suffix : Authentication realm is LOCAL
(0) [suffix] = ok
(0) eap : EAP packet type response id 2 length 10
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_md5 to process EAP data
rlm_eap_md5: Issuing Challenge
(0) eap : New EAP session, adding 'State' attribute to reply
0x2813582828105cdd
(0) [eap] = handled
(0) } # authenticate = handled
Sending Access-Challenge of id 87 from 192.168.1.56 port 1812 to
192.168.200.6 port 32770
EAP-Message = 0x0103001604109fd6f971b8b39a9e70ac72f7924821d6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2813582828105cdd2c29910179c66dfc
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 192.168.200.6 port 32770,
id=88, length=229
User-Name = 'foo'
Calling-Station-Id = '84-4b-f5-39-8a-f8'
Called-Station-Id = 'd8-24-bd-2e-4c-c0:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=8b0ec806000400e552b040e3'
NAS-IP-Address = 192.168.200.6
NAS-Identifier = 'xxx'
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '150'
EAP-Message = 0x020300060319
State = 0x2813582828105cdd2c29910179c66dfc
Message-Authenticator = 0x3225e79c9679af40be71f2f6c951c86a
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) ? if (!User-Name)
(1) ? if (!User-Name) -> FALSE
(1) ? if (User-Name != "%{tolower:%{User-Name}}")
(1) expand: "%{tolower:%{User-Name}}" -> 'foo'
(1) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(1) ? if (User-Name =~ / /)
(1) ? if (User-Name =~ / /) -> FALSE
(1) ? if (User-Name =~ /@.*@/ )
(1) ? if (User-Name =~ /@.*@/ ) -> FALSE
(1) ? if (User-Name =~ /\\.\\./ )
(1) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(1) ? if (User-Name =~ /\\.$/)
(1) ? if (User-Name =~ /\\.$/) -> FALSE
(1) ? if (User-Name =~ /@\\./)
(1) ? if (User-Name =~ /@\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [mschap] = noop
(1) suffix : No '@' in User-Name = "foo", looking up realm NULL
(1) suffix : Found realm "NULL"
(1) suffix : Adding Stripped-User-Name = "foo"
(1) suffix : Adding Realm = "NULL"
(1) suffix : Authentication realm is LOCAL
(1) [suffix] = ok
(1) eap : EAP packet type response id 3 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(1) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" ->
'(cn=foo)'
(1) ldap : expand: "o=org" -> 'o=org'
(1) ldap : Performing search in 'o=org' with filter '(cn=foo)'
(1) ldap : Waiting for search result...
(1) ldap : User object found at DN "cn=foo,ou=test,o=org"
(1) ERROR: ldap : Failed to retrieve eDirectory password: (80) Other
(e.g., implementation specific) error
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Opening additional connection (1)
rlm_ldap (ldap): Connecting to 192.168.1.35:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1) [ldap] = fail
(1) } # authorize = fail
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject : expand: "%{User-Name}" -> 'foo'
(1) attr_filter.access_reject : Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) ldap : expand: "." -> '.'
(1) ldap : expand: "Authenticated at %S" -> 'Authenticated at
2013-12-17 13:22:30'
rlm_ldap (ldap): Reserved connection (1)
(1) ldap : Using user DN from request "cn=foo,ou=test,o=org"
(1) ldap : Modifying object with DN "cn=foo,ou=test,o=org"
(1) ldap : Waiting for modify result...
rlm_ldap (ldap): Released connection (1)
(1) [ldap] = reject
(1) } # Post-Auth-Type REJECT = reject
(1) Finished request 1.
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(1) Sending delayed reject
Sending Access-Reject of id 88 from 192.168.1.56 port 1812 to
192.168.200.6 port 32770
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 87 with timestamp +28
Waking up in 1.0 seconds.
(1) Cleaning up request packet ID 88 with timestamp +28
Ready to process requests
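To make the EAP exchange in the debug output above readable, here is an added decoder for the hex EAP-Message attributes that radiusd -X prints; it is example code, not part of the original post or of FreeRADIUS. The three sample packets are copied from the log above, and the type-name table is a small hand-picked subset of the IANA EAP method registry.

```python
import re

# RFC 3748 EAP codes and a few common method types (subset, not the full registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_eap(hex_str):
    """Parse one EAP packet: 4-byte header, then type and type-specific data."""
    raw = bytes.fromhex(hex_str[2:] if hex_str.startswith("0x") else hex_str)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"length field {length} != actual {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, f"code {code}"), "id": ident, "length": length}
    if code in (3, 4):            # Success / Failure carry no type byte
        return pkt
    eap_type = raw[4]
    pkt["type"] = EAP_TYPES.get(eap_type, f"type {eap_type}")
    data = raw[5:]
    if eap_type == 1:             # Identity: the data is the (outer) identity string
        pkt["identity"] = data.decode("utf-8", "replace")
    elif eap_type == 3:           # Nak: one byte per method the peer would accept
        pkt["desired_types"] = [EAP_TYPES.get(t, f"type {t}") for t in data]
    elif eap_type == 4:           # MD5-Challenge: value-size, value, optional name
        size = data[0]
        pkt["challenge"] = data[1:1 + size].hex()
    return pkt


def decode_log(text):
    """Return every EAP-Message attribute found in radiusd -X output, in order."""
    return [decode_eap(m) for m in re.findall(r"EAP-Message = (0x[0-9a-fA-F]+)", text)]


# Constructed excerpt: the three EAP-Message lines from the debug output above.
SAMPLE_LOG = """\
EAP-Message = 0x0202000a0170726f6265
EAP-Message = 0x0103001604109fd6f971b8b39a9e70ac72f7924821d6
EAP-Message = 0x020300060319
"""

if __name__ == "__main__":
    for pkt in decode_log(SAMPLE_LOG):
        print(pkt)
```

Decoding shows the supplicant answering the MD5 challenge with a Nak that asks for PEAP (type 25); because the eap module returned "updated" rather than "ok" for that packet, authorize continued into ldap, which is where the eDirectory password retrieval failed.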