FreeRadius + OpenLDAP server

Rado Matisko rado.matisko2 at gmail.com
Tue Apr 8 22:05:53 CEST 2014


I'm trying to get FreeRADIUS v2.1.12 to work with my LDAP server at school
with PEAP.

radtest is working, but connecting my Android phone via an Access Point with
SSID eduroam1 to FreeRADIUS and to the LDAP server - not so much.

*radtest works:*
root at notebook:/home/uniza-sk# radtest skuska skuska localhost 0 testing123
Sending Access-Request of id 228 to 127.0.0.1 port 1812
User-Name = "skuska"
User-Password = "skuska"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=228,
length=20


*debug:*
rad_recv: Access-Request packet from host 127.0.0.1 port 58878, id=228,
length=76
User-Name = "skuska"
User-Password = "skuska"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x2a5dcc7deb1dbac6d6abbb04e9b7f311
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/127.0.0.1/auth-detail-20140408
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20140408
[auth_log]  expand: %t -> Tue Apr  8 13:35:45 2014
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "skuska", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for skuska
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> skuska
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=skuska)
[ldap]  expand: dc=fri,dc=uniza,dc=sk -> dc=fri,dc=uniza,dc=sk
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=fri,dc=uniza,dc=sk, with filter
(uid=skuska)
[ldap] Added User-Password = {SSHA}CA+M2KYvU3oYGtotgDtQEBta2WliH5w3 in
check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header ==
"{SSHA}CA+M2KYvU3oYGtotgDtQEBta2WliH5w3"
[ldap] looking for reply items in directory...
[ldap] user skuska authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "skuska"
[pap] Using SSHA encryption.
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [skuska] (from client localhost port 0)
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
[reply_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d ->
/var/log/freeradius/radacct/127.0.0.1/reply-detail-20140408
[reply_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20140408
[reply_log]  expand: %t -> Tue Apr  8 13:35:45 2014
++[reply_log] returns ok
++[exec] returns noop
Sending Access-Accept of id 228 to 127.0.0.1 port 58878



*but if I connect from the Android phone via the Access Point:*

rad_recv: Access-Request packet from host 192.168.1.1 port 3072, id=0,
length=138
Cleaning up request 12 ID 0 with timestamp +37
User-Name = "skuska"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "00904c910003"
Calling-Station-Id = "1cb094111188"
NAS-Identifier = "00904c910003"
NAS-Port = 8
Framed-MTU = 1400
State = 0xfd4902fefe4d1bbe3a2596e3bf6ac7bb
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400061900
Message-Authenticator = 0xc52506a949478fe4d20b63da335ebdee

server eduroam1 {
# Executing section authorize from file
/etc/freeradius/sites-enabled/eduroam1
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/192.168.1.1/auth-detail-20140408
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/freeradius/radacct/192.168.1.1/auth-detail-20140408
[auth_log]  expand: %t -> Tue Apr  8 13:37:40 2014
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "skuska", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[ldap] performing user authorization for skuska
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> skuska
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=skuska)
[ldap]  expand: dc=fri,dc=uniza,dc=sk -> dc=fri,dc=uniza,dc=sk
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=fri,dc=uniza,dc=sk, with filter
(uid=skuska)
[ldap] Added User-Password = {SSHA}CA+M2KYvU3oYGtotgDtQEBta2WliH5w3 in
check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header ==
"{SSHA}CA+M2KYvU3oYGtotgDtQEBta2WliH5w3"
[ldap] looking for reply items in directory...
[ldap] user skuska authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/eduroam1
+- entering group EAP {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
} # server eduroam1
Sending Access-Challenge of id 0 to 192.168.1.1 port 3072
EAP-Message =
0x0105002b190017030100206fb4433047881387cf9d3a1297cdfacfa5fa56da9e3cac8319000142f92d35cf
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfd4902fef94c1bbe3a2596e3bf6ac7bb
Finished request 13.
Going to the next request
Waking up in 4.9 seconds.




It's just sending Access-Challenge and then
Sending Access-Reject of id 0 to 192.168.1.1 port 3072
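The two `radiusd -X` transcripts above are long, and the interesting facts (which module returned what, which Auth-Type was selected, what LDAP put into the check items, and which packet went back) are scattered over dozens of lines. The script below is an added example written for this page, not code from the original post or from the FreeRADIUS project. It parses a constructed, shortened excerpt modelled on the two requests shown above and reduces each request to a small summary plus a diagnostic hint. The hint rests on a documented FreeRADIUS property: a `{SSHA}` hash from LDAP is enough for PAP (as the working `radtest` run shows), but an MS-CHAPv2 inner method, the usual default inside PEAP, can only be verified against `Cleartext-Password` or `NT-Password`; the `!!! Replacing User-Password ...` banner in the phone's request is the server flagging that check-item situation. The inner-tunnel request itself is not in the post, so the script only points the reader at it rather than asserting why it was rejected.

```python
"""Summarise FreeRADIUS 2.x debug (radiusd -X) output per request.

Added example for this page; not part of the original post or of FreeRADIUS.
Extracts, for each Access-Request: module return codes, the selected
Auth-Type, the password scheme LDAP added to the check items, whether the
"Replacing User-Password" warning fired, and the packet the server sent back.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the two requests in the post above.
# Real radiusd -X output carries many more lines between these.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 58878, id=228, length=76
++[preprocess] returns ok
++[eap] returns noop
[ldap] Added User-Password = {SSHA}CA+M2KYvU3oYGtotgDtQEBta2WliH5w3 in check items
++[ldap] returns ok
++[pap] returns updated
Found Auth-Type = PAP
++[pap] returns ok
Sending Access-Accept of id 228 to 127.0.0.1 port 58878
rad_recv: Access-Request packet from host 192.168.1.1 port 3072, id=0, length=138
++[preprocess] returns ok
  [ldap] Added User-Password = {SSHA}CA+M2KYvU3oYGtotgDtQEBta2WliH5w3 in check items
++[ldap] returns ok
++[eap] returns ok
Found Auth-Type = EAP
!!!    Replacing User-Password in config items with Cleartext-Password.
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 3072
"""

RE_REQUEST = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)")
RE_MODULE = re.compile(r"^\+\+\[(\w+)\] returns (\w+)")
RE_AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)")
RE_PW_SCHEME = re.compile(r"Added User-Password = \{([A-Za-z0-9]+)\}")
RE_SENT = re.compile(r"^Sending (Access-\w+) of id (\d+)")

# Password-header schemes that only a PAP-style comparison can verify.
HASH_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT"}


def parse_debug(text: str) -> List[Dict]:
    """Split a debug transcript into one summary dict per Access-Request."""
    requests: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()            # module lines are sometimes indented
        m = RE_REQUEST.match(line)
        if m:
            current = {
                "client": m.group(1),
                "id": int(m.group(3)),
                "modules": [],        # list of (module, return code) tuples
                "auth_type": None,
                "password_scheme": None,
                "cleartext_warning": False,
                "reply": None,
            }
            requests.append(current)
            continue
        if current is None:           # lines before the first request
            continue
        if m := RE_MODULE.match(line):
            current["modules"].append((m.group(1), m.group(2)))
        elif m := RE_AUTH_TYPE.match(line):
            current["auth_type"] = m.group(1)
        elif m := RE_PW_SCHEME.search(line):
            current["password_scheme"] = m.group(1)
        elif "Replacing User-Password" in line:
            current["cleartext_warning"] = True
        elif m := RE_SENT.match(line):
            current["reply"] = m.group(1)
    return requests


def diagnose(req: Dict) -> str:
    """One-line reading of a request summary for the person debugging it."""
    if req["reply"] == "Access-Accept":
        return "accepted"
    if req["auth_type"] == "EAP" and req["password_scheme"] in HASH_SCHEMES:
        return (
            "EAP request with only a {%s} hash from LDAP: PAP can verify that, "
            "but an MS-CHAPv2 inner method needs Cleartext-Password or "
            "NT-Password; check the inner-tunnel request that follows"
            % req["password_scheme"]
        )
    if req["reply"] == "Access-Reject":
        return "rejected"
    return "in progress (%s)" % req["reply"]


def summarise(text: str) -> List[Tuple[str, int, str]]:
    """Return (client, id, diagnosis) for every request in the transcript."""
    return [(r["client"], r["id"], diagnose(r)) for r in parse_debug(text)]


if __name__ == "__main__":
    for client, rid, verdict in summarise(SAMPLE_DEBUG):
        print("%s id=%d: %s" % (client, rid, verdict))
```

Run it against a saved `radiusd -X` transcript by replacing `SAMPLE_DEBUG` with the file contents; on the excerpt above it reports the localhost request as accepted and the 192.168.1.1 request as an EAP request backed only by a `{SSHA}` hash, which is where to look next.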