OpenLdap + Freeradius on centos 6.5 Not working

Vishesh kumar linuxtovishesh at
Thu May 14 12:15:13 CEST 2015

Thanks for your response Alan,

below are the logs I am getting in case of failure,

rad_recv: Access-Request packet from host port 52267, id=241,
        User-Name = "radtest"
        NAS-IP-Address =
        NAS-Identifier = "24a43ce6fc81"
        NAS-Port = 0
        Called-Station-Id = "2E-A4-3C-E7-FC-81:XXXX_Mgmt"
        Calling-Station-Id = "AC-38-70-99-E4-XX"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11b"
        EAP-Message = 0x027e000c0172616474657374
        Message-Authenticator = 0xc9d515710f90d967171e7bff8e9b4d7d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[ldap] performing user authorization for radtest
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang"
for detail
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> radtest
[ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=radtest)
[ldap]  expand: ou=people,dc=xxxx,dc=local -> ou=people,dc=xxxx,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to, authentication 0
  [ldap] bind as / to
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in ou=people,dc=xxxx,dc=local, with filter
[ldap] checking if remote access for radtest is allowed by uid
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
  [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "10"
  [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = 802
  [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is
                 configured correctly?
[ldap] user radtest authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform
requested ac
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 241 to port 52267
        Tunnel-Private-Group-Id:0 = "10"
        Tunnel-Medium-Type:0 = 802
        Tunnel-Type:0 = VLAN
Waking up in 4.9 seconds.
Cleaning up request 0 ID 241 with timestamp +17
Ready to process requests.
Mapping is done as below

#cat /etc/raddb/ldap.attrmap

checkItem User-Password userPassword
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId

Vishesh Kumar

On Thu, May 14, 2015 at 3:14 PM, Alan Buxey <A.L.M.Buxey at> wrote:

> 'Please let me know if I am doing anything wrong here'
> Yes. You're not looking at the debug log for when it's failing from the
> client. You gave us the basic results from the radtest (which is PAP) .
> look at the logs for when your client is failing. If you cannot proceed
> yourself then post those logs to the list for help. Likely that either your
> ldap isn't supporting the password method or that you haven't used the
> right ldap/radius attribute maps
> alan

Vishesh Kumar

More information about the Freeradius-Users mailing list