FreeRADIUS 3, FreeBSD, eDirectory

Marco Pirovano marco.pirovano at unibocconi.it
Wed Aug 2 09:46:39 CEST 2017


Hi Arran,

yes, the universal password is enabled and is working with FR2.

The problem is with FR3.

On FR2 in debug mode:

The client:

[root at cariddi:~] radtest -x pirovano xxxxxxxx 10.5.255.241 1 yyyyyyyy
Sending Access-Request of id 97 to 10.5.255.241 port 1812
	User-Name = "pirovano"
	User-Password = "xxxxxxxx"
	NAS-IP-Address = 10.5.255.241
	NAS-Port = 1
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 10.5.255.241 port 1812, id=97, length=20

The FR2:

 [eDirectory-UNI] ldap_get_conn: Checking Id: 0
  [eDirectory-UNI] ldap_get_conn: Got Id: 0
  [eDirectory-UNI] attempting LDAP reconnection
  [eDirectory-UNI] (re)connect to ldap.unibocconi.it:389, authentication 0
  [eDirectory-UNI] starting TLS
  [eDirectory-UNI] bind as cn=RADIUSAdmin,ou=Servers,o=INetServices/zzzzzzzzz to ldap.unibocconi.it:389
  [eDirectory-UNI] waiting for bind result ...
  [eDirectory-UNI] Bind was successful
  [eDirectory-UNI] performing search in ou=Faculty-Staff,ou=Bocconi,o=INetServices, with filter (cn=pirovano)
[eDirectory-UNI] Added the eDirectory password xxxxxxxx in check items as Cleartext-Password



On FR3 in debug mode:

The client:

[root at freeradius3:~] radtest pirovano xxxxxxxx 10.1.1.82 1 yyyyyyyy
Sent Access-Request Id 157 from 0.0.0.0:35640 to 10.1.1.82:1812 length 78
	User-Name = "pirovano"
	User-Password = "xxxxxxxx"
	NAS-IP-Address = 10.1.1.82
	NAS-Port = 1
	Message-Authenticator = 0x00
	Cleartext-Password = "xxxxxxxx"
Received Access-Reject Id 157 from 10.1.1.82:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject


The FR3:

(0) eDirectory-ICT: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(0) eDirectory-ICT:    --> (cn=pirovano)
(0) eDirectory-ICT: Performing search in "ou=Faculty-Staff,ou=Bocconi,o=INetServices" with filter "(cn=pirovano)", scope "sub"
(0) eDirectory-ICT: Waiting for search result...
ber_get_next failed.
ber_get_next failed.
(0) eDirectory-ICT: User object found at DN "cn=Pirovano,ou=ICT,ou=Faculty-Staff,ou=Bocconi,o=INetServices"

(0) eDirectory-ICT: ERROR: Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error

rlm_ldap (eDirectory-ICT): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (eDirectory-ICT): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (eDirectory-ICT): Connecting to ldap://ldaps.unibocconi.it:636
rlm_ldap (eDirectory-ICT): Waiting for bind result...
rlm_ldap (eDirectory-ICT): Bind successful
(0)     [eDirectory-ICT] = fail
(0)   } # authorize = fail



Thanks.
Marco


----- On 1-Aug-17, at 19:35, Arran Cudbard-Bell a.cudbardb at freeradius.org wrote:

>> On Aug 1, 2017, at 11:29 AM, Marco Pirovano <marco.pirovano at unibocconi.it>
>> wrote:
>> 
>> Hello list,
>> 
>> we are using FreeRADIUS to authenticate students' wireless access.
>> It's FreeRADIUS Version 2.2.8 running on FreeBSD 9.2-STABLE.
>> 
>> Our LDAP server is eDirectory version 8.8
>> 
>> 
>> Now, we are upgrading to FreeRADIUS 3.0.15 (installed from ports) running on
>> FreeBSD 11.1-RELEASE.
>> LDAP is always eDirectory 8.8.
>> 
>> The bind to the LDAP server is OK, but the user is not authenticated; the error is:
>> 
>>  Invalid user (eDirectory-ICT: Failed to retrieve eDirectory password: (80) Other
>>  (e.g., implementation specific) error):
>> 
> 
> Have you enabled universal password?
> 
> https://www.netiq.com/documentation/edir_radius/pdfdoc/radiusadmin/radiusadmin.pdf
> 
> -Arran

-- 
Marco Pirovano
Infrastrutture e Tecnologie
Information and Communication Technology
Universita' Bocconi
via Gobbi, 5 - 20136 Milano
Tel. +39 02 5836.3173  Fax. +39 02 5836.3160

Windows makes noise, Linux plays music,
but BSD Rocks!
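For reference, an FR3 rlm_ldap instance configured for eDirectory universal-password retrieval, as an added example that is not part of the thread and not Marco's configuration: the server, bind identity, base DN and user filter are taken from the debug output above; the password, CA path, TLS and pool values are assumed.

```conf
# Added example: FreeRADIUS 3.0.x mods-available/ldap instance for
# eDirectory. Server, identity, base DN and filter mirror the debug
# output in the thread; everything else is an assumed value.
ldap eDirectory-ICT {
	server = "ldaps://ldaps.unibocconi.it:636"
	identity = "cn=RADIUSAdmin,ou=Servers,o=INetServices"
	password = "<bind password>"            # placeholder, set in local config

	base_dn = "ou=Faculty-Staff,ou=Bocconi,o=INetServices"

	user {
		base_dn = "${..base_dn}"
		filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	# Retrieve the universal password through NMAS. Universal password
	# must be enabled on the container and the bind identity must be
	# allowed to read it; otherwise the lookup fails in authorize.
	edir = yes

	# Also run eDirectory account-policy and intruder-detection checks
	# (requires edir = yes).
	edir_autz = yes

	tls {
		# The connection is already LDAPS on 636; do not also StartTLS.
		start_tls = no
		ca_file = /usr/local/etc/ssl/edir-ca.pem   # assumed path
		require_cert = "demand"
	}

	pool {
		start = 5
		min = 4
		max = 32
		spare = 10
	}
}
```

With `edir = yes` the module adds the retrieved password as `Cleartext-Password` during authorize, so keep debug-level output (`radiusd -X`) out of shared logs, since it prints that value in the clear as the FR2 trace above shows.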


