Working With EAP-TTLS, and LDAP

Alan Buxey alan.buxey at gmail.com
Fri Mar 22 19:33:14 CET 2019


hi,

okay - so you aren't looking the password up with LDAP (hence the no
known password thing) but you are binding to the LDAP
to check credentials are okay. fine.

so, assuming that the user and password are the same, one thing that
looks possible is that you don't have the Auth-Type of LDAP
enabled in your inner-tunnel virtual server (that's the bit that deals
with the EAP side of the process with your setup) - you have a
call to ldap enabled in the Authenticate part....but not the other
half...the Authorization.  your LDAP config is sane - as it works with
the radtest method.... so that should be it.

alan

On Fri, 22 Mar 2019 at 18:14, Nate . <nate2077developer at gmail.com> wrote:
>
> I thought I had attached them, I'm sorry... I'm running through the test
> again, and this time I'll make it super clear which tests are which too.
>
> Please don't yell at me, I'm doing my best and it's an extremely stressful
> time for me. And please understand, I appreciate your help with everything.
> I've double checked. I have attached the startup part of the logs, and
> separated the two tests. The freeradius_radtest is using the following
> command:
>
> freeradius:~$ radtest -t pap ldap_user ldap_pass 127.0.0.1 0 testing123
> Sent Access-Request Id 10 from 0.0.0.0:53177 to 127.0.0.1:1812 length 76
> User-Name = "ldap_user"
> User-Password = "ldap_pass"
> NAS-IP-Address = 192.168.16.111
> NAS-Port = 0
> Message-Authenticator = 0x00
> Cleartext-Password = "ldap_pass"
> Received Access-Accept Id 10 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
>
> So I can see here that the LDAP Module is functioning properly.
>
>
> On Thu, Mar 21, 2019 at 2:35 PM Alan DeKok <aland at deployingradius.com>
> wrote:
>
> > On Mar 21, 2019, at 10:57 AM, Nate . <nate2077developer at gmail.com> wrote:
> > >
> > > I have been dealing a few things, so this got delayed, apologies. I am
> > > still unclear on why I am unable to connect via the EAPTTLS-PAP. I have
> > > reviewed the log many times and I don't really understand it.
> >
> >   Then post it here as suggested in the "man" pages, web pages, and in the
> > email you get when you join the list.
> >
> >   How do you expect us to help you when you give us zero information?
> >
> > > I noticed a
> > > part of the authentication where it tries the LDAP, binds, and then
> > > there's
> > > a part where it says "if ((ok || updated) && User-Password)  -> FALSE"
> > > where it is true on the radtest.
> >
> >   English descriptions are bad.  Post the debug output.  It will be much,
> > much faster to solve the problem.
> >
> > > I felt certain it's the User-Password
> > > missing or something, but I don't understand why it would be missing. I
> > > noticed the "(0)   User-Password = " does not appear at the top of the
> > > connection log like the radtest either. Though, on the "Flat file user
> > > credentials" from my previous email, you can see it is also not listed at
> > > the top, so maybe it's not that.
> >
> >   <sigh>  Vague descriptions of problems are an utter waste of everyone's
> > time.
> >
> >   Post the debug log.  Read the documentation.  I've been saying this for
> > 20 years, and it is getting tiring.
> >
> >   Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
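As an added illustration of the point Alan Buxey makes above (this is not configuration from the thread or from the FreeRADIUS project's default files verbatim; it is a trimmed sites-available/inner-tunnel for FreeRADIUS 3.x, and it assumes the ldap module instance is named ldap and that the module is used for bind-as-user authentication with no readable password attribute), the ldap call has to appear in both halves of the inner-tunnel virtual server, authorize and authenticate:

```unlang
# Added example, not from the thread: raddb/sites-available/inner-tunnel
# trimmed to what matters for EAP-TTLS/PAP against LDAP on FreeRADIUS 3.x.
# Assumes the ldap module instance enabled in mods-enabled/ is named "ldap".
server inner-tunnel {

    authorize {
        chap
        mschap
        suffix
        update control {
            &Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files

        # This is the half the thread says was missing. Calling ldap in
        # authorize lets the module see the inner request and look the user
        # up. With EAP-TTLS/PAP the inner request carries User-Password, so
        # the condition below should evaluate TRUE in "radiusd -X" output for
        # the inner request; a FALSE here means ldap did not return ok or
        # updated, or User-Password was absent from the inner request.
        # The leading "-" keeps the server starting if ldap is not loaded.
        -ldap
        if ((ok || updated) && User-Password) {
            update {
                control:Auth-Type := ldap
            }
        }

        expiration
        logintime
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }

        # The "no known good password" case: bind to the directory as the
        # user with the password from the inner request. This section is only
        # reached when authorize has set control:Auth-Type := ldap above.
        Auth-Type LDAP {
            ldap
        }

        eap
    }

    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

Two checks worth making against the debug log after a change like this: the inner request (the one tagged as coming from the tunnel, not the outer Access-Request) should show ldap being called in its authorize section and the `if ((ok || updated) && User-Password)` line reading TRUE, and the authenticate section should then show `Auth-Type LDAP` binding as the user. Bind-as-user authentication only works when the inner method delivers the cleartext password, which EAP-TTLS/PAP does; it cannot work for PEAP/MSCHAPv2, where the server never receives the password.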