Authenticate SSH user in a H3C Switch using FreeRadius + OpenLDAP

Alan DeKok aland at
Wed May 10 16:19:58 CEST 2017

On May 10, 2017, at 10:07 AM, Leandro Marçal <leandromarcalinf at> wrote:
> I have a problem that I not able to fix it. I am trying to authenticate a
> SSH user in a H3C switch. This switch is configured to authenticate the
> user in a Radius server wich is using openldap to store the user's name and
> password. Everytime I try to authenticate, I see a message in the
> radius.log saying that "[eap] No EAP-Message, not doing EAP". I tryed do
> use PAP, but I got "[pap] WARNING! No "known good" password found for the
> user.  Authentication may fail because of this." Dont't know what to do
> anymore. I don't know how to (and if I have to) force the switch to use EAP
> packetes.

 You're using an old version of the server.  And you edited the default configuration and broke it.

  Don't do that.

> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
> ++[pap] = noop

  This message is important.

> [ldap] performing user authorization for *username*
> [ldap]  expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=*username*)
> [ldap]  expand: dc=*x*,dc=*x*,dc=*x* -> dc=*x*,dc=*x*,dc=*x*
>  [ldap] ldap_get_conn: Checking Id: 0
>  [ldap] ldap_get_conn: Got Id: 0
>  [ldap] performing search in dc=*x*,dc=*x*,dc=*x*, with filter (uid=
> *username*)
> [ldap] looking for check items in directory...
>  [ldap] sambaNtPassword -> NT-Password == 0x3141363239333542344541464539
> 453736383232383241463838393445364439
>  [ldap] sambaLmPassword -> LM-Password == 0x3230433630443539444246304241
> 383345363841413236413834314138364641
> [ldap] looking for reply items in directory...
>  [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok

  And now a password is available.

> +} # group authorize = ok
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
> the user

  Except the server doesn't know it needs to do PAP authentication, so it fails.

  Edit your configuration so that "pap" comes AFTER "ldap".  This is how the default configuration has it, because it works.

  Alan DeKok.

More information about the Freeradius-Users mailing list