How to raise numbers of request/sec in Freeradius

2010-10-22 Thread Robin
Hi,

I use Freeradius2 to authenticate user login.

I use the Evolynx Radius Load Test tool to test the number of requests per
second. I find only a max of 20-25 requests/sec in FreeRADIUS.

Can I raise the number via editing configuration files?

Thanks.

Robin Lu

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius with NTLM authentication

2010-10-22 Thread Ramzi Abdallah
Thank you Phil for your reply,

 What is prompting here? How is the firewall asking the user for a
 password? Is this web intercept?

Exactly right, the firewall is prompting the user to authenticate using
its internal captive portal page.

What I am trying to achieve here is single sign-on with RADIUS
accounting, using the following scenario:
our users authenticate to the Windows domain, and when they try to
access the internet they hit a firewall-protected policy which
requires authentication. Now, instead of authenticating via the
firewall captive portal, I want to use NTLM to check if the user is
already authenticated on the AD and, if so, pass the authorization to
RADIUS for accounting.

The firewall has the option to do NTLM authentication on the protected
policy, but I am trying to fit RADIUS in as well for accounting
purposes.


Below is the debug output:

rad_recv: Access-Request packet from host 193.188.X.X port 5027,
id=40, length=126
NAS-Identifier = WAN-HA
User-Name = rsa
User-Password = **
NAS-IP-Address = 193.188.X.X
NAS-Port = 1
Called-Station-Id = 193.188.X.X
Calling-Station-Id = 192.168.1.74
Acct-Session-Id = 0fa5011f
Connect-Info = web-auth
Fortinet-Vdom-Name = root
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/radius/radacct/193.188.X.X/auth-detail-20101022
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/193.188.X.X/auth-detail-20101022
[auth_log]  expand: %t - Fri Oct 22 09:04:24 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 71
++[files] returns ok
[sql]   expand: %{User-Name} - rsa
[sql] sql_set_user escaped user -- 'rsa'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = '%{SQL-User-Name}'
ORDER BY id - SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = 'rsa'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'   ORDER BY priority -
SELECT groupname   FROM radusergroup   WHERE username
= 'rsa'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User rsa not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} - --username=rsa
[ntlm_auth] expand: --password=%{User-Password} - --password=
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [rsa/*...@] (from client vdk-f-fgwan port 1 cli 192.168.1.74)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 40 to 193.188.X.X port 5027
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 193.188.X.X port 5028,
id=41, length=98
Acct-Status-Type = Start
Acct-Session-Id = 0fa5011f
User-Name = rsa
NAS-Identifier = VDK-F-FGWAN
Framed-IP-Address = 30.48.67.87
Fortinet-Client-IP-Address = 192.168.1.74
Fortinet-Vdom-Name = root
Calling-Station-Id = 192.168.1.74
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request,
unique ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 193.188.X.X,NAS-IP-Address
= 193.188.X.X,Acct-Session-Id = 0fa5011f,User-Name = rsa'
[acct_unique] Acct-Unique-Session-ID = f774c3b998804d6a.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -
/var/log/radius/radacct/193.188.X.X/detail-20101022
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/193.188.X.X/detail-20101022
[detail]expand: %t - Fri Oct 22 09:04:24 2010
++[detail] returns ok
++[unix] returns noop
[radutmp]   expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} - rsa
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING

Re: freeradius proxy can't recognize Delegated-IPv6-Prefix attribute

2010-10-22 Thread Bjørn Mork
ichiro tanaka i_tan...@hotmail.co.jp writes:

 Proxy-Server recognition was repaired, if proxy-server did not include 
 dictionary.ascend.

I believe it is time to revisit the Ascend dictionary fixup.  This was
done once, and then reverted between 2.1.7 and 2.1.8:

commit e23e4754f755e6fe82a28e53ccc1b9ffcaf53fda
Author: Alan T. DeKok al...@freeradius.org
Date:   Wed Dec 2 11:54:23 2009 +0100

Revert "Moved Ascends illegal attributes to their own file"

This reverts commit 0241615ea5e98a13c92c266daab356e057d6a27d.

While these dictionaries are unfortunate, making this change
in a point release is likely a bad idea.

commit 0241615ea5e98a13c92c266daab356e057d6a27d
Author: Alan T. DeKok al...@freeradius.org
Date:   Tue Sep 29 10:10:59 2009 +0200

Moved Ascends illegal attributes to their own file


Yes, I can see the point that this will break existing setups.  But I
will argue that such setups have *always* been broken.  At least when we
are discussing the FreeRADIUS 2.x era.  You cannot support them without
breaking RFC conformance, which should have a higher priority even in
the stable tree.

Or just rename the next 2.1.x release 2.2.0 if that makes you feel
better :-)



Bjørn


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: cisco log entry

2010-10-22 Thread Alan DeKok
MONTFORD, AUSTIN wrote:
 What does this error mean on a cisco switch? 

  Ask Cisco.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius with NTLM authentication

2010-10-22 Thread Phil Mayers

On 10/22/2010 07:12 AM, Ramzi Abdallah wrote:


 Exactly right, the firewall is prompting the user to authenticate using
 its internal captive portal page.

 ... requires authentication. Now, instead of authenticating via the
 firewall captive portal, I want to use NTLM to check if the user is
 already authenticated on the AD and, if so, pass the authorization to
 RADIUS for accounting.

 The firewall has the option to do NTLM authentication on the protected
 policy, but I am trying to fit RADIUS in as well for accounting
 purposes.


Well, it's the HTTP server (in this case, the firewall captive portal)
that asks/makes the client do NTLM. If you want single sign-on you'll
need to enable it there. There's nothing you can do at the radius server
to enable this.


Maybe the firewall will still do radius accounting even with NTLM enabled?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius proxy can't recognize Delegated-IPv6-Prefix attribute

2010-10-22 Thread Alan DeKok
Bjørn Mork wrote:
 I believe it is time to revisit the Ascend dictionary fixup.

  I think so, yes.

 Yes, I can see the point that this will break existing setups.  But I
 will argue that such setups have *always* been broken.  At least when we
 are discussing the FreeRADIUS 2.x era.  You cannot support them without
 breaking RFC conformance, which should have a higher priority even in
 the stable tree.

  Pretty much, yes.

 Or just rename the next 2.1.x release 2.2.0 if that makes you feel
 better :-)

  No... 2.2.0 is a different branch in git, and has major new features,
like TCP transport, and many more which are waiting for certain things
to happen.

  For 2.1.11, the safer alternative is to move the illegal attributes
to their own dictionaries, and then include those *before* the RFC
dictionaries.  People will still be able to create/send attributes using
the illegal names.  But when attributes are received, the new names will
be used by default.

  That *is* a change in behavior.  But it's time for 10-year-old
equipment to be deprecated.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

authorize an user using a multivalue ldap attribute

2010-10-22 Thread Ana Gallardo
Hello,

I have a string attribute named Relaciones in my ldap.

This attribute can have more than one value. Actually I return those values
in the reply:

Sending Access-Accept of id 229 to X.X.X.X port 32796
Relaciones += -11
Relaciones += 03
Relaciones += -01

I want to authorize the access only if there is one attribute Relaciones
with a positive value. So I would like to use unlang in the authorize module to
check all the Relaciones attributes with a regex, but I don't know how I
can check all the attributes, and how I can stop processing the attributes if I
find one without a minus sign.


if (%{reply:Relaciones} =~ /^([0-9]{2})/) {

}


Thanks very much, and sorry for my English.


-- 


  Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Activate LDAP group membership checking

2010-10-22 Thread mic nightic
Hi,

I'm trying to activate the LDAP group membership checking in FreeRadius.

In my radiusd.conf I've modified the group checking section (the "&"
inside the two "(&(objectClass=...)" terms had been lost in the mail):

groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = ou

By looking in my openldap logs, freeradius is not even trying to search for
the group.

Do i have to activate something else to enable group checking?

Thank you
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to raise numbers of request/sec in Freeradius

2010-10-22 Thread Alan DeKok
Robin wrote:
 I use the Evolynx Radius Load Test tool to test the number of requests per
 second. I find only a max of 20-25 requests/sec in FreeRADIUS.

 Can I raise the number via editing configuration files?

  When authentication is from the users file, the server can do 10K
requests/s.

  The issue isn't FreeRADIUS.  It's something else.

  So... what are you doing with the authentication requests?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Ana Gallardo
Hello again,

maybe I can check the value with a check item:

# cat /etc/freeradius/ldap.attrmap

checkItem   NT-Password       ntPassword
checkItem   Relaciones        Relaciones   =~ /^([0-9]{2})/

replyItem   Nombre-Completo   sn
replyItem   Relaciones        Relaciones   +=

Anyway, I tested both ideas, but they don't work:

[ldap] looking for check items in directory...
  [ldap] ntPassword - NT-Password == 0x3...
[ldap1] looking for reply items in directory...
  [ldap1] Relaciones - Relaciones += -11
  [ldap1] Relaciones - Relaciones += 03
  [ldap1] Relaciones - Relaciones += -01
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap1] user XXX authorized to use remote access
  [ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok
? if (fail)
? Evaluating (fail) - FALSE
? if (fail) - FALSE
- entering else else {...}
+? if (%{reply:Relaciones} =~ /^([0-9]{2})/)
expand: %{reply:Relaciones} - -11
? Evaluating (%{reply:Relaciones} =~ /^([0-9]{2})/) - FALSE
+? if (%{reply:Relaciones} =~ /^([0-9]{2})/) - FALSE
- else else returns ok


Any ideas?

thank you very much.



  Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Alan DeKok
Ana Gallardo wrote:
 I want to authorize the access only if there is one attribute Relaciones
 with a positive value. So I would like to use unlang in the authorize
 module to check all the Relaciones attributes with a regex, but I
 don't know how I can check all the attributes, and how I can stop
 processing the attributes if I find one without a minus sign.
 
 
 if (%{reply:Relaciones} =~ /^([0-9]{2})/) {

  You can't really do that with unlang.  I suggest using the perl module.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Activate LDAP group membership checking

2010-10-22 Thread Alan DeKok
mic nightic wrote:
 By looking in my openldap logs, freeradius is not even trying to search
 for the group.
  
 Do i have to activate something else to enable group checking?

  doc/rlm_ldap

  Look for group support

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Activate LDAP group membership checking

2010-10-22 Thread mic nightic
Yes sir! Thank you.

Found the solution in the doc
On Fri, Oct 22, 2010 at 12:57 PM, Alan DeKok al...@deployingradius.com wrote:

 mic nightic wrote:
  By looking in my openldap logs, freeradius is not even trying to search
  for the group.
 
  Do i have to activate something else to enable group checking?

  doc/rlm_ldap

  Look for group support

  Alan DeKok.

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Ana Gallardo
Hello Alan, and thank you for your response.

  You can't really do that with unlang.  I suggest using the perl module.



I followed your suggestion and wrote this:

# cat /etc/freeradius/perl/checkRelaciones.pm

use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;

use constant RLM_MODULE_REJECT => 0;  # /* immediately reject the request */
use constant RLM_MODULE_OK     => 2;  # /* the module is OK, continue */

sub authorize {
    # rlm_perl passes a multi-valued attribute as an array reference and a
    # single value as a plain scalar, so accept both forms here.
    my $valor   = $RAD_REPLY{'Relaciones'};
    my @valores = ref($valor) eq 'ARRAY' ? @{$valor}
                : defined($valor)        ? ($valor)
                :                          ();

    foreach my $v (@valores) {
        # A value that starts with two digits has no leading minus sign.
        if ($v =~ /^([0-9]{2})/) {
            return RLM_MODULE_OK;
        }
    }

    return RLM_MODULE_REJECT;
}

1;


and I use this in the authorize section:

authorize{
  ...
  files
  ...
  perl
  expiration
  ...
}

but, when I try to run freeradius in debug mode:
...
  perl {
module = /etc/freeradius/perl/checkRelaciones.pm
func_authorize = authorize
func_authenticate = authenticate
func_accounting = accounting
func_preacct = preacct
func_checksimul = checksimul
func_detach = detach
func_xlat = xlat
func_pre_proxy = pre_proxy
func_post_proxy = post_proxy
func_post_auth = post_auth
func_recv_coa = recv_coa
func_send_coa = send_coa
  }

Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module
Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined
symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
 at /usr/lib/perl/5.10/Data/Dumper.pm line 36


So, I think that I need to upgrade or something like this.

Thank you again.



  Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Jonathan Gazeley

On 22/10/10 13:16, Ana Gallardo wrote:

Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module
Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined
symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
  at /usr/lib/perl/5.10/Data/Dumper.pm line 36


You need to install the Data::Dumper module from your package manager, 
or from CPAN, or from somewhere else :)


--

Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless & VPN Team
Information Services
University of Bristol

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Kevin Ehlers
On 10/22/10 6:25 AM, Jonathan Gazeley wrote:
 On 22/10/10 13:16, Ana Gallardo wrote:
 Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module
 Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined
 symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
   at /usr/lib/perl/5.10/Data/Dumper.pm line 36
 
 You need to install the Data::Dumper module from your package manager,
 or from CPAN, or from somewhere else :)

Conversely, you could comment out/remove the "use Data::Dumper" line
since you're not using it.  It's mainly for debugging and easily
printing the entire contents of an object/array/hash/etc.

-- 
Kevin Ehlers
Network Engineer
University of Oregon



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
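Carrying Alan's rlm_perl suggestion through for Ana's Relaciones case, as an added example that is neither Ana's module nor FreeRADIUS project code. It assumes the rlm_perl convention that a multi-valued reply attribute arrives in %RAD_REPLY as an array reference and a single value as a plain scalar, and the harness at the bottom with the three values from Ana's debug output is constructed so the file runs without radiusd (the Reply-Message it sets on rejection is an addition, not something from the thread).

```perl
#!/usr/bin/perl
# Added example: rlm_perl authorize() that accepts the request only when
# at least one Relaciones value has no leading minus sign.
use strict;
use warnings;

# rlm_perl fills these globals before calling the function named in
# func_authorize (see the perl { } block in the thread).
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

use constant RLM_MODULE_REJECT => 0;  # immediately reject the request
use constant RLM_MODULE_OK     => 2;  # the module is OK, continue

# Normalise an attribute value to a list: rlm_perl uses an array reference
# for multi-valued attributes and a plain scalar for a single value
# (assumption stated in the lead-in); an absent attribute yields ().
sub attr_values {
    my ($value) = @_;
    return ()        unless defined $value;
    return @{$value} if ref($value) eq 'ARRAY';
    return ($value);
}

# True when at least one value starts with two digits, i.e. is a positive
# code such as "03". Whitespace is trimmed first so a value like "  03"
# coming back from LDAP is not rejected by accident.
sub has_positive_relacion {
    my @values = @_;
    for my $v (@values) {
        $v =~ s/^\s+|\s+$//g;
        return 1 if $v =~ /^[0-9]{2}/;
    }
    return 0;
}

sub authorize {
    my @relaciones = attr_values($RAD_REPLY{'Relaciones'});
    return RLM_MODULE_OK if has_positive_relacion(@relaciones);

    # Added here: leave a trace in the reply about why the user was rejected.
    $RAD_REPLY{'Reply-Message'} = 'no positive Relaciones value';
    return RLM_MODULE_REJECT;
}

# Constructed harness, only run when this file is executed directly and
# not when rlm_perl loads it: the first case uses the values -11, 03, -01
# from the debug output in the thread.
unless (caller) {
    my @cases = (
        [ 'multi-valued', [ '-11', '03', '-01' ] ],   # accept: "03" is positive
        [ 'single value', '-11' ],                     # reject: only a negative
        [ 'absent',       undef ],                     # reject: no attribute
    );
    for my $case (@cases) {
        my ($name, $value) = @{$case};
        %RAD_REPLY = defined $value ? ( 'Relaciones' => $value ) : ();
        my $rc = authorize();
        printf "%-12s -> %s\n", $name, $rc == RLM_MODULE_OK ? 'accept' : 'reject';
    }
}

1;
```

Run it as "perl checkRelaciones.pm" to see the three decisions; when loaded by rlm_perl only authorize() is called, so the harness stays inert.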

Re: LDAP authentication failed

2010-10-22 Thread snowman5840

OK, I found my problem. I had forgotten to add my domain in proxy.conf;
after I did this the LDAP search works fine.

But now I have one more problem with authentication. I want to use PEAP
with MSCHAP to support both Windows and Linux systems. But authentication
fails. I don't know what I have to configure or where the problem is. I
would be very happy about some hints.

I'm sorry about the very long debug output

rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=86,
length=149
NAS-IP-Address = 192.168.0.2
NAS-Port = 50006
NAS-Port-Type = Ethernet
User-Name = FIRMA1\\usera
Called-Station-Id = 00-15-F9-D8-7C-C6
Calling-Station-Id = 00-1A-4B-63-69-0B
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x1558e554175bfc9edc831547521be2ad
EAP-Message = 0x020300061900
Message-Authenticator = 0xfb650903c7207e001d0385d8a036
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log]  expand: %t - Fri Oct 22 18:32:40 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm FIRMA1 for User-Name = FIRMA1\usera
[ntdomain] Found realm FIRMA1
[ntdomain] Adding Stripped-User-Name = usera
[ntdomain] Adding Realm = FIRMA1
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 86 to 192.168.0.2 port 1812
EAP-Message =
0x0104003619000f0b409c6f7dd2e83b8a1ad34c1b43c61b5cfa499e7822f081073040ea4c9280acd2686fd194f216030100040e00
Message-Authenticator = 0x
State = 0x1558e554165cfc9edc831547521be2ad
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=87,
length=465
NAS-IP-Address = 192.168.0.2
NAS-Port = 50006
NAS-Port-Type = Ethernet
User-Name = FIRMA1\\usera
Called-Station-Id = 00-15-F9-D8-7C-C6
Calling-Station-Id = 00-1A-4B-63-69-0B
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x1558e554165cfc9edc831547521be2ad
EAP-Message =
0x0204014019800136160301010611020100626313e9c274f169e9ed94821e91d59e61578ab381c0e35788422b88b6e12b77d9551a970514289baaaf9c2ec3edb8ae126c1c5b5f29d7883997fee2eee9f55a635005cb534cf7c708f0a0ec98dbda376e88b67de4616926d9aa586737b2536998fad9c4648c8ce1e3b704415c4031063fc103bf0ddd1159d8b8ef2c5c41332aca99428569333c19f8d539b1a01f232cdf9023030176aef9c9bcea7588447853febc8b340da21d9b5af78d2d8b5b3acc0779e9f8d970f93471273749a0653a7e6611ee11bfcabb019b34e3f54f5e1b693d89fe471eab29d8027641dfed05bfeeeca249fd3561371c
EAP-Message =
0xa736d666ebba66d8c0a368d306e0af12f71b43504cad85a614030100010116030100204c903a9993c942b403d46902c7564ea7f66787ca59a02e46fc08946a84aa509d
Message-Authenticator = 0x67bf63ab1ed1abebb8161ae463114461
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log]  expand: %t - Fri Oct 22 18:32:40 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm FIRMA1 for User-Name = FIRMA1\usera
[ntdomain] Found realm FIRMA1
[ntdomain] Adding Stripped-User-Name = usera
[ntdomain] Adding Realm = FIRMA1
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 4 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]  TLS 1.0 Handshake [length 0106], ClientKeyExchange  
[peap] TLS_accept: SSLv3 read client key exchange A 
[peap]  TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]  TLS 1.0 Handshake [length 0010], Finished  
[peap] TLS_accept

RE: LDAP authentication failed

2010-10-22 Thread Sallee, Stephen (Jake)
2 things:

1) Near the bottom of the debug output there is a line that says you
are passing the username as domain\user, and it asks if you have enabled
the "with NT domain hack" option. Check your mschap module config to
see if this is enabled; it is commented out by default.   You can check
the complete debug output that includes the server initializing and you
can see it there IF it is enabled.

2) I gave up on PEAP/MSCHAPv2 on Linux; EAP/TTLS works great for me with
no other config tweaks after I got the Windows clients working!  If
there is not a super important requirement to use the same authorization
on both platforms you could do the same, just an idea.



Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.o
rg] On Behalf Of snowman5840
Sent: Friday, October 22, 2010 11:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP authentication failed



RE: LDAP authentication failed

2010-10-22 Thread snowman5840

Wow, hey, now it's working with both OSes ;-). Thanks for your hint, nt_hack was
missing.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html