On Tue, 21 Oct 2003, Lai Fu Keung wrote:
>
> Hi,
>
> I use LDAP to authenticate all requests. LDAP contains 2 password
> attributes -- a plain text password for authenticating MS-CHAP and a
> crypted password for authenticating PAP, CHAP.
>
> I can get CHAP, MS-CHAP working, but not with PAP.
>
> Anyone can help? Thanks in advance.
>
> Lai
>
>
> Error message:
>
> rad_recv: Access-Request packet from host 147.8.123.123:1645, id=211,
> length=197
> User-Name = "testuser"
> User-Password = "testtest"
> NAS-IP-Address = 147.8.123.123
> NAS-Port = 21
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Called-Station-Id = "300"
> USR-Connect-Speed = 48000-BPS
> USR-Modulation-Type = v90Analog
> USR-Simplified-MNP-Levels = mnpLevel4
> USR-Simplified-V42bis-Usage = none
> USR-Chassis-Call-Slot = 0
> USR-Chassis-Call-Span = 0
> USR-Chassis-Call-Channel = 16
> NAS-Identifier = "modemserver"
> Acct-Session-Id = "050003e4"
> NAS-Port-Type = Async
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> radius_xlat: '/var/log/radius/radacct/147.8.123.123/auth-detail-
> 20031020'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-
> %Y%m%d expands to /var/log/radius/radacct/147.8.123.123/auth-detail-
> 20031020
> modcall[authorize]: module "auth_log" returns ok
> modcall[authorize]: module "chap" returns noop
> users: Matched DEFAULT at 171
> users: Matched DEFAULT at 185
> modcall[authorize]: module "files" returns ok
> modcall: entering group redundant
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for tfklai
> radius_xlat: '(uid=testuser)'
> radius_xlat: 'ou=radius,c=hk'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=radius,c=hk, with filter
> (uid=testuser)
> rlm_ldap: Added password testtest in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user tfklai authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "first_ldap" returns ok
> modcall: group redundant returns ok
> modcall[authorize]: module "mschap" returns noop
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type
> modcall: entering group redundant
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "testuser" with password "testtest"
> rlm_ldap: user DN: uid=testuser,ou=radius,c=hk
> rlm_ldap: (re)connect to freeradius.hku.hk:389, authentication 1
> rlm_ldap: bind as uid=testuser,ou=radius,c=hk/testtest to
> freeradius.hku.hk:389
> rlm_ldap: waiting for bind result ...
> modcall[authenticate]: module "first_ldap" returns reject
> modcall: group redundant returns reject
> modcall: group Auth-Type returns reject
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: Bind as user failed): [testuser/testtest]
> (from client ppp-29642300 port 21)
Well, it seems that the bind operation is failing. If your encrypted password is
not the userpassword attribute, then the LDAP server will _not_ use that in the
bind operation, and as a result the bind operation will fail. So make sure you
are using the right password attribute.
>
> radiusd.config file:
>
> module {
> pap {
> encryption_scheme = crypt
> }
> chap {
> authtype = CHAP
> }
> ms_chap {
> authtype = MS-CHAP
> etc ...
> }
> ldap first_ldap {
> server = "freeradius.hku.hk"
> identity = "cn=administrator,c=hk"
> password = 123456
> basedn = "ou=radius,c=hk"
> etc ...
> }
> }
>
> authorize {
> chap
> redundant {
> first_ldap {
> notfound = return
> }
> second_ldap {
> notfound = return
> }
> handled
> }
> files
> mschap
> }
>
> authenticate {
> Auth-Type LDAP {
> # ldap
> redundant {
> first_ldap
> second_ldap
> }
> }
> Auth-Type PAP {
> pap
> }
> Auth-Type CHAP {
> chap
> }
> Auth-Type MS-CHAP {
> mschap
> }
> }
>
> users file:
>
> DEFAULT Service-Type == Framed-User
> Framed-IP-Address = 255.255.255.254,
> Framed-MTU = 576,
> Service-Type = Framed-User,
> Fall-Through = Yes
>
> DEFAULT Framed-Protocol == PPP
> Framed-Protocol = PPP,
> Framed-Compression = Van-Jacobson-TCP-IP
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
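
Added example (not part of the original thread and not FreeRADIUS code): a small Python checker that reads debug output like the log quoted above and reports when a request was handed to Auth-Type LDAP and rejected at the user bind, which is the situation the reply describes. The sample log is constructed from lines quoted in this message; the function name `diagnose` and its result keys are assumptions made for illustration.

```python
import re

# Constructed sample: a shortened copy of the debug lines quoted in the thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 147.8.123.123:1645, id=211, length=197
    User-Name = "testuser"
    User-Password = "testtest"
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "first_ldap" returns ok
modcall[authorize]: module "mschap" returns noop
rad_check_password: Found Auth-Type LDAP
rlm_ldap: user DN: uid=testuser,ou=radius,c=hk
rlm_ldap: bind as uid=testuser,ou=radius,c=hk/testtest to freeradius.hku.hk:389
modcall[authenticate]: module "first_ldap" returns reject
Login incorrect (rlm_ldap: Bind as user failed): [testuser/testtest]
"""

# Request attribute that identifies the PPP authentication method in use.
METHOD_BY_ATTR = {"User-Password": "PAP", "CHAP-Password": "CHAP",
                  "MS-CHAP-Response": "MS-CHAP", "MS-CHAP2-Response": "MS-CHAP"}

def diagnose(log_text):
    """Summarise one request's debug trace (hypothetical helper)."""
    result = {"method": None, "auth_type": None, "user_dn": None,
              "bind_failed": False, "finding": "no LDAP bind failure seen"}
    for line in log_text.splitlines():
        line = line.strip()
        attr = re.match(r"([\w-]+) = ", line)
        if attr and attr.group(1) in METHOD_BY_ATTR:
            result["method"] = METHOD_BY_ATTR[attr.group(1)]
        found = re.search(r"Found Auth-Type (\S+)", line)
        if found:
            result["auth_type"] = found.group(1)
        dn = re.match(r"rlm_ldap: user DN: (.+)", line)
        if dn:
            result["user_dn"] = dn.group(1)
        if "Bind as user failed" in line:
            result["bind_failed"] = True
    if result["bind_failed"] and result["auth_type"] == "LDAP":
        result["finding"] = (
            "%s request was authenticated by an LDAP simple bind as %s; the "
            "directory checks the submitted password against userPassword only, "
            "so a crypted value kept in another attribute is never consulted"
            % (result["method"], result["user_dn"]))
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG)["finding"])
```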