Authentication using LDAP for 802.1x

Roberto Ortega Ramiro roberto.ortega at esj.es
Sat Jun 22 02:50:57 CEST 2013


Hi, do you have a user who can read the password in LDAP?
It might be in raddb/modules/ldap


        ldap {
                server   = ldap.yourorg.com
                # DN that rlm_ldap binds as to search for users and read their
                # password attribute; without it the module binds anonymously.
                # FreeRADIUS 2.x ships this option as "identity" in raddb/modules/ldap.
                login    = "cn=admin,o=My Org,c=US"
                password = mypass
                basedn   = "ou=users,dc=yourorg,dc=com"
                # The object class must be named explicitly and the parentheses
                # must balance; %u expands to the User-Name.
                filter   = "(&(objectClass=posixAccount)(uid=%u))"
        }



2013/6/19 Marco Streich <marco.streich at kshp.ch>

> Hi all
>
> We have deployed FreeRADIUS on OS X before, but our configuration was
> rather ugly. What we would do is authenticate users locally, having the
> machine attached to our OpenDirectory server directly using the Connect
> Network Account Server functionality provided by OS X.
>
> I have seen this question getting asked a lot but still wasn't able to
> fill my gap in understanding the whole process.
>
> We're now using FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu
>
> As a start, I'm now trying to get a simple user authentication working.
> What I have done so far is defining ldap {} in the ldap module and added
> ldap into the authorize {} section.
>
> I also uncommented Auth-Type LDAP { ldap } in the authenticate {} section.
> <= Bad?!
>
> The same for the virtual inner-tunnel.
>
>
> When I run radtest from my laptop, the authentication is successful:
>
> $ radtest a4 whatever 192.168.1.231 18120 secret
>
> Sending Access-Request of id 18 to 192.168.1.231 port 1812
>         User-Name = "a4"
>         User-Password = "whatever"
>         NAS-IP-Address = 192.168.17.1
>         NAS-Port = 18120
>         Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Accept packet from host 192.168.1.231 port 1812, id=18,
> length=20
>
> When I try to authorize a supplicant connected to our switch which is
> configured to be the authenticator, debug shows me the following:
>
> ...
> rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=73,
> length=217
>         User-Name = "a4"
>         Service-Type = Framed-User
>         Cisco-AVPair = "service-type=Framed"
>         Framed-MTU = 9000
>         Called-Station-Id = "AC-A0-16-58-EB-07"
>         Calling-Station-Id = "00-23-32-CF-1D-A2"
>         EAP-Message = 0x020b0007016134
>         Message-Authenticator = 0xa3eaf856385eef096a4a8da0a9b938c3
>         Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
>         NAS-Port-Type = Ethernet
>         NAS-Port = 50007
>         NAS-Port-Id = "GigabitEthernet0/7"
>         NAS-IP-Address = 192.168.99.99
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "a4", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 11 length 7
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for a4
> [ldap]  expand: %{Stripped-User-Name} ->
> [ldap]  ... expanding second conditional
> [ldap]  expand: %{User-Name} -> a4
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=a4)
> [ldap]  expand: dc=ldap,dc=hopro,dc=edu -> dc=ldap,dc=hopro,dc=edu
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] attempting LDAP reconnection
>   [ldap] (re)connect to ldap.hopro.edu:389, authentication 0
>   [ldap] bind as / to ldap.hopro.edu:389
>   [ldap] waiting for bind result ...
>   [ldap] Bind was successful
>   [ldap] performing search in dc=ldap,dc=hopro,dc=edu, with filter (uid=a4)
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
> [ldap] user a4 authorized to use remote access
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
>  Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type md5
> rlm_eap_md5: Issuing Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 73 to 192.168.99.99 port 1645
>         EAP-Message = 0x010c00160410f7b955ffcad777bb64a0c2591f2a1852
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xab1bf9b7ab17fdd1d339d19378335aaa
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=74,
> length=234
>         User-Name = "a4"
>         Service-Type = Framed-User
>         Cisco-AVPair = "service-type=Framed"
>         Framed-MTU = 9000
>         Called-Station-Id = "AC-A0-16-58-EB-07"
>         Calling-Station-Id = "00-23-32-CF-1D-A2"
>         EAP-Message = 0x020c00060315
>         Message-Authenticator = 0x265e5392ae96ffd2f0c96666a02c9035
>         Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
>         NAS-Port-Type = Ethernet
>         NAS-Port = 50007
>         NAS-Port-Id = "GigabitEthernet0/7"
>         State = 0xab1bf9b7ab17fdd1d339d19378335aaa
>         NAS-IP-Address = 192.168.99.99
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "a4", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 12 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for a4
> [ldap]  expand: %{Stripped-User-Name} ->
> [ldap]  ... expanding second conditional
> [ldap]  expand: %{User-Name} -> a4
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=a4)
> [ldap]  expand: dc=ldap,dc=hopro,dc=edu -> dc=ldap,dc=hopro,dc=edu
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] performing search in dc=ldap,dc=hopro,dc=edu, with filter (uid=a4)
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
> [ldap] user a4 authorized to use remote access
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
>  Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP NAK
> [eap] EAP-NAK asked for EAP-Type/ttls
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 74 to 192.168.99.99 port 1645
>         EAP-Message = 0x010d00061520
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xab1bf9b7aa16ecd1d339d19378335aaa
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=75,
> length=356
>         User-Name = "a4"
>         Service-Type = Framed-User
>         Cisco-AVPair = "service-type=Framed"
>         Framed-MTU = 9000
>         Called-Station-Id = "AC-A0-16-58-EB-07"
>         Calling-Station-Id = "00-23-32-CF-1D-A2"
>         EAP-Message =
> 0x020d008015800000007616030100710100006d030151c19a457c2d148d872abd670c09fe7719d9b316318eb0134b0db1b5ce12e57700003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100
>         Message-Authenticator = 0x474af0e5e41006c5947328ada905bf63
>         Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
>         NAS-Port-Type = Ethernet
>         NAS-Port = 50007
>         NAS-Port-Id = "GigabitEthernet0/7"
>         State = 0xab1bf9b7aa16ecd1d339d19378335aaa
>         NAS-IP-Address = 192.168.99.99
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "a4", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 13 length 128
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
>   TLS Length 118
> [ttls] Length Included
> [ttls] eaptls_verify returned 11
> [ttls]     (other): before/accept initialization
> [ttls]     TLS_accept: before/accept initialization
> [ttls] <<< TLS 1.0 Handshake [length 0071], ClientHello
> [ttls]     TLS_accept: SSLv3 read client hello A
> [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello
> [ttls]     TLS_accept: SSLv3 write server hello A
> [ttls] >>> TLS 1.0 Handshake [length 084f], Certificate
> [ttls]     TLS_accept: SSLv3 write certificate A
> [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
> [ttls]     TLS_accept: SSLv3 write key exchange A
> [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> [ttls]     TLS_accept: SSLv3 write server done A
> [ttls]     TLS_accept: SSLv3 flush data
> [ttls]     TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [ttls] eaptls_process returned 13
> ++[eap] returns handled
> Sending Access-Challenge of id 75 to 192.168.99.99 port 1645
>         EAP-Message =
> ...
>         EAP-Message =
> ...
>         EAP-Message =
> 0x7e66cbccd3f279171bb3e77936b8e6a92cbb0e17eb0abbcdac9945db8c11af0074d9480d263664e17d021663e0694dbfe839def4202ddede6958974bc82e8023c68adc741ab7c9e64027171b32d0d04c3e93cf1bd49947e3e462ed368fb71e8ce9fcff7414fe921494836b128635e0004e8ce29dc26a919f58d7c91f7181dcb1a71e404960f04ba20c51d42ff3872c3335cbb612ac48c6234a326c9d83f6416e32a070f6307496ca83066f071d92b29732c4045105a726e359388542437214e6480df09c8e4ce4149f53da2b449d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000382
>         EAP-Message =
> 0x0101000e14a8494074acd8a45fb6b8e3a4ed0966823b82d9aa29417ccfd1b47764a8ae60cf65b6cf411e686e0fd8748ca655495d30408f12afef47897e31af44e8833601af028f101df0a2534f680ce10df4c7d88c312af4a5b2fc3711d2ce021bbe0ab4e439d095c102005dbce074a0a90767729ea3f1edb88b2c7d4b9e5f727cb10c5309afb41d0acdd75548de5508de058b2d684e1390fe1d917da97c34bbc13548ef1fc71aa8b4bf52dc76ccaa537f96b2460e56faa0ed34b1a3b5e4d6b3f10458883ba6bf4cb38f9096300181038c2d471e21bb4a9184d7521ba143fcf19608677da5b9e3ecce9b4d47d6f0a3b44c85380c1bd4cd15e325160d28
>         EAP-Message = 0x324bf7e31c3b00049f308204
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xab1bf9b7a915ecd1d339d19378335aaa
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=76,
> length=234
>         User-Name = "a4"
>         Service-Type = Framed-User
>         Cisco-AVPair = "service-type=Framed"
>         Framed-MTU = 9000
>         Called-Station-Id = "AC-A0-16-58-EB-07"
>         Calling-Station-Id = "00-23-32-CF-1D-A2"
>         EAP-Message = 0x020e00061500
>         Message-Authenticator = 0x37d15b32cc7d6ece0c91b13551cd0b93
>         Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
>         NAS-Port-Type = Ethernet
>         NAS-Port = 50007
>         NAS-Port-Id = "GigabitEthernet0/7"
>         State = 0xab1bf9b7a915ecd1d339d19378335aaa
>         NAS-IP-Address = 192.168.99.99
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "a4", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 14 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> [ttls] Received TLS ACK
> [ttls] ACK handshake fragment handler
> [ttls] eaptls_verify returned 1
> [ttls] eaptls_process returned 13
> ++[eap] returns handled
> Sending Access-Challenge of id 76 to 192.168.99.99 port 1645
>         EAP-Message =
> ...
>         EAP-Message =
> 0x3110300e060355040713075a75657269636831253023060355040a131c4b616e746f6e73736368756c6520486f68652050726f6d656e616465311f301d06092a864886f70d010901161069637461646d696e406b7368702e636831193017060355040313107261646975732e686f70726f2e65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100d63a0ad9924d4bbf29ea25b2abfa17eb9d47e36ad480ce8dc1ec454aaf6470396a570eebeec3363c818882061081437e5367266e30b91be77f4e37ea9a01e56221dcbeb6f52c2157da7a74b5b024f98e3f45670aa8b6968c4b939c6b80302c318bf66f63d4f116
>         EAP-Message =
> ...
>         EAP-Message =
> ...
>         EAP-Message = 0xc982a3f0ae66f5d41f3c2ff9
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xab1bf9b7a814ecd1d339d19378335aaa
> Finished request 3.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=77,
> length=234
>         User-Name = "a4"
>         Service-Type = Framed-User
>         Cisco-AVPair = "service-type=Framed"
>         Framed-MTU = 9000
>         Called-Station-Id = "AC-A0-16-58-EB-07"
>         Calling-Station-Id = "00-23-32-CF-1D-A2"
>         EAP-Message = 0x020f00061500
>         Message-Authenticator = 0x49c786eea0efa3a358db3c5c61d82830
>         Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
>         NAS-Port-Type = Ethernet
>         NAS-Port = 50007
>         NAS-Port-Id = "GigabitEthernet0/7"
>         State = 0xab1bf9b7a814ecd1d339d19378335aaa
>         NAS-IP-Address = 192.168.99.99
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "a4", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 15 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> [ttls] Received TLS ACK
> [ttls] ACK handshake fragment handler
> [ttls] eaptls_verify returned 1
> [ttls] eaptls_process returned 13
> ++[eap] returns handled
> Sending Access-Challenge of id 77 to 192.168.99.99 port 1645
>         EAP-Message =
> ...
>         EAP-Message =
> ...
>         EAP-Message = 0x05b6bbbc248c16030100040e000000
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xab1bf9b7af0becd1d339d19378335aaa
> Finished request 4.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=78,
> length=372
>         User-Name = "a4"
>         Service-Type = Framed-User
>         Cisco-AVPair = "service-type=Framed"
>         Framed-MTU = 9000
>         Called-Station-Id = "AC-A0-16-58-EB-07"
>         Calling-Station-Id = "00-23-32-CF-1D-A2"
>         EAP-Message =
> 0x021000901580000000861603010046100000424104ee7b81c5eb47db38fd9999628065d8bc69504fd008ffcce581bf49a5dc349fac012b27f4d21db7352c31e8be8bc097f9fd3414f7160990963cd9ad8e53166e951403010001011603010030ed341f879e3591dedc6633d8a0376280178fe300950d293b30747d15b35f4867c69765e98c2f0a15bcb95a992cbc77a4
>         Message-Authenticator = 0xe7c4329c24d68ad3919250d82c96961a
>         Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
>         NAS-Port-Type = Ethernet
>         NAS-Port = 50007
>         NAS-Port-Id = "GigabitEthernet0/7"
>         State = 0xab1bf9b7af0becd1d339d19378335aaa
>         NAS-IP-Address = 192.168.99.99
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "a4", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 16 length 144
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
>   TLS Length 134
> [ttls] Length Included
> [ttls] eaptls_verify returned 11
> [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
> [ttls]     TLS_accept: SSLv3 read client key exchange A
> [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
> [ttls] <<< TLS 1.0 Handshake [length 0010], Finished
> [ttls]     TLS_accept: SSLv3 read finished A
> [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
> [ttls]     TLS_accept: SSLv3 write change cipher spec A
> [ttls] >>> TLS 1.0 Handshake [length 0010], Finished
> [ttls]     TLS_accept: SSLv3 write finished A
> [ttls]     TLS_accept: SSLv3 flush data
> [ttls]     (other): SSL negotiation finished successfully
> SSL Connection Established
> [ttls] eaptls_process returned 13
> ++[eap] returns handled
> Sending Access-Challenge of id 78 to 192.168.99.99 port 1645
>         EAP-Message =
> 0x0111004515800000003b1403010001011603010030b0518066786178044d44483eb37026fdd8406df7f6eaae28282bc696f782e64198a16f06ecde63a263375845bf3304f7
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xab1bf9b7ae0aecd1d339d19378335aaa
> Finished request 5.
> Going to the next request
> Waking up in 4.8 seconds.
> rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=79,
> length=275
>         User-Name = "a4"
>         Service-Type = Framed-User
>         Cisco-AVPair = "service-type=Framed"
>         Framed-MTU = 9000
>         Called-Station-Id = "AC-A0-16-58-EB-07"
>         Calling-Station-Id = "00-23-32-CF-1D-A2"
>         EAP-Message =
> 0x0211002f1580000000251503010020f0c878ea3889abbd6850566e4a4b6b5e5777dc3f5e0f11789e9a9430219cc5b3
>         Message-Authenticator = 0x69b565f9da2f3112f04fc8a2197444a4
>         Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
>         NAS-Port-Type = Ethernet
>         NAS-Port = 50007
>         NAS-Port-Id = "GigabitEthernet0/7"
>         State = 0xab1bf9b7ae0aecd1d339d19378335aaa
>         NAS-IP-Address = 192.168.99.99
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "a4", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 17 length 47
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
>   TLS Length 37
> [ttls] Length Included
> [ttls] eaptls_verify returned 11
> [ttls] <<< TLS 1.0 Alert [length 0002], warning close_notify
> TLS Alert read:warning:close notify
> [ttls] WARNING: No data inside of the tunnel.
> [ttls] eaptls_process returned 7
> [ttls] Session established.  Proceeding to decode tunneled attributes.
> [ttls] SSL_read Error
> [eap] Handler failed in EAP/ttls
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> a4
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 6 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 6
> Sending Access-Reject of id 79 to 192.168.99.99 port 1645
>         EAP-Message = 0x04110004
>         Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.7 seconds.
> ...
>
> >[ttls] WARNING: No data inside of the tunnel.
>
> At this moment, I cannot wrap my mind around what is going on here.
>
> I understand that ldap tries to authenticate the user by itself, instead
> of handing it to the LDAP server. But what is different when I run radtest?
>
> Debug from radtest:
> ...
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group LDAP {...}
> [ldap] login attempt by "a4" with password "whatever"
> [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
>   [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
>   [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to
> ldap.hopro.edu:389
>   [ldap] waiting for bind result ...
>   [ldap] Bind was successful
> [ldap] user a4 authenticated successfully
> ++[ldap] returns ok
> ...
>
>
> Would one of you guys guide me in the right direction?
>
> Thank you in advance
>
> Marco
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Regards.
____________________

Roberto Ortega
Computer Science teacher.
http://www.proyectoret.es

Escuelas San José Valencia
Avd.Cortes Valencianas nº1
46015 Valencia
R4600489A
Tel: 963499011 ext. 262
Fax:963488835
http://www.escuelassj.com

Do not print this e-mail unless necessary. Let's protect the environment.
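The reply above builds the rlm_ldap search filter by substituting the User-Name into a filter string. As an added illustration, not code from the thread or from FreeRADIUS, the following Python shows what that substitution has to do to stay safe: the value is escaped per RFC 4515 (rlm_ldap in 2.x applies this escaping itself during xlat expansion, so this is a stand-alone model of that step), the filter names its object class, and a small helper rejects an unbalanced filter such as `(posixAccount)(uid=%u))` before it is put into raddb/modules/ldap. The function names and the `posixAccount` default are assumptions of this example.

```python
"""Added example (not from the thread): build the rlm_ldap user filter from
a User-Name, with RFC 4515 escaping applied to the substituted value."""

# Characters that RFC 4515 section 3 requires to be hex-escaped inside a
# filter value. Hex digits may be upper or lower case; lower is used here.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value):
    """Escape a value that will be substituted into an LDAP search filter."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def user_filter(user_name, object_class="posixAccount"):
    """Model of filter = "(&(objectClass=posixAccount)(uid=%u))" after %u
    has been expanded with the (escaped) User-Name."""
    return "(&(objectClass={})(uid={}))".format(object_class, ldap_escape(user_name))


def parens_balanced(filter_text):
    """Sanity check for a filter string before it goes into raddb/modules/ldap:
    every '(' must be closed and no ')' may appear before its '('."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    print(user_filter("a4"))                        # the user from the thread
    print(parens_balanced("(posixAccount)(uid=%u))"))  # unbalanced: False
```

The escaper matters because the filter value comes straight from the supplicant's EAP Identity; a User-Name containing filter metacharacters must end up as a literal `uid` value, not as extra filter syntax.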

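The quoted debug output is easier to read once the hex EAP-Message values are decoded. The following Python is an added example, not code from the thread or from FreeRADIUS: it parses the 4-byte EAP header (code, id, length) and the type byte of each one-line EAP-Message from a radiusd -X transcript, and flags the three symptoms visible in the quoted output: rlm_ldap binding anonymously (`bind as / to`), the "No known good password" warning that follows from it, and the supplicant closing the TLS tunnel without sending inner credentials. The sample lines are excerpted from the debug output quoted above; the function names and the finding labels are assumptions of this example.

```python
"""Added example (not from the thread): decode EAP-Message values from a
radiusd -X transcript and flag the symptoms the quoted debug shows."""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "NAK", 4: "MD5-Challenge", 13: "TLS",
             21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def decode_eap(hex_value):
    """Parse one EAP packet (RFC 3748 header plus type) given as 0x... hex."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length(2)")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and len(raw) >= 5:        # Request/Response carry a type
        eap_type = raw[4]
        data = raw[5:length]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:                         # Identity: the peer's claimed name
            info["identity"] = data.decode("ascii", "replace")
        elif eap_type == 3:                       # NAK: methods the peer would accept
            info["nak_wants"] = [EAP_TYPES.get(b, b) for b in data]
        elif eap_type in (13, 21, 25) and data:   # TLS-based methods: flags byte
            flags = data[0]                       # L = length included, M = more
            info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                             "S": bool(flags & 0x20)}   # S = Start
    return info


def eap_messages(log_text):
    """Decode every EAP-Message attribute that fits on one transcript line."""
    for m in re.finditer(r"EAP-Message = (0x[0-9a-fA-F]+)", log_text):
        yield decode_eap(m.group(1))


def triage(log_text):
    """Map debug-output symptoms to findings an operator would act on."""
    checks = [
        # rlm_ldap has no identity/password: it binds anonymously and cannot
        # read the user's password attribute ...
        ("anonymous-bind", r"\[ldap\] bind as / to"),
        # ... so no "known good" password reaches the EAP inner method.
        ("no-known-good-password", r'No "known good" password'),
        # Handshake finished, then close_notify with nothing inside the tunnel:
        # the supplicant gave up before sending credentials (commonly because
        # it rejected the server certificate or its inner method does not match).
        ("tunnel-closed-empty", r"No data inside of the tunnel"),
    ]
    return [name for name, pat in checks if re.search(pat, log_text)]


# Lines excerpted from the debug output quoted in the thread above.
LOG_EXCERPT = """\
        EAP-Message = 0x020b0007016134
  [ldap] bind as / to ldap.hopro.edu:389
WARNING: No "known good" password was found in LDAP.  Are you sure that
        EAP-Message = 0x020c00060315
        EAP-Message = 0x010d00061520
[ttls] <<< TLS 1.0 Alert [length 0002], warning close_notify
[ttls] WARNING: No data inside of the tunnel.
        EAP-Message = 0x04110004
"""

if __name__ == "__main__":
    for pkt in eap_messages(LOG_EXCERPT):
        print(pkt)
    print(triage(LOG_EXCERPT))
```

Run against the excerpt, the decoder shows the flow the transcript describes in words: an Identity response for `a4`, a NAK asking for TTLS, a TTLS Start request, and finally an EAP Failure; `triage` returns the three findings, which is the combination the reply above addresses by giving rlm_ldap a bind DN that can read the password.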
