Hiya,
I am using the latest released freeradius (0.3)
and openldap 2.0.18.
I am trying to use a Nortel VPN server and an Ascend
dial-in server to authenticate from the FreeRADIUS
system. When running in debug mode on the freeradius
server it looks like it gets everything it needs,
but for some reason it refuses the login at the last second.
I know the user login and radius login on the ldap server
work well as I have authenticated using ldapsearch for
each user. ACLs are wide open on the ldap server
since I am in test mode.
Can anyone help me figure out what is going on?
As a side note, does anyone know if freeradius plans
on supporting ldap authentication via SSL in the future?
Thanks for any assistance you can offer. I am stumped.
Mike
------------------------------------------------------
I know the ldap side of the house works fine since
I have many other services authenticating in test mode
off of it.
Here is an example ldap entry for one of my users:
dn: uid=lynn, ou=people, dc=xpedite, dc=com
cn: Lynda Megill
sn: Megill
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: d2VsY29tZQ==
uid: lynn
givenName: Lynda
homePostalAddress: 200 Frederick Ave
homePhone: 732-961-0027
mobile: 732-861-6762
o: Xpedite Inc.
ou: SA
title: Internet Manager
telephoneNumber: 732-389-3900
postalAddress: 400 Atrium Drive
l: Somerset
st: New Jersey
postalCode: 08873
facsimileTelephoneNumber: 732-389-0782
pager: 732-389-8888
mail: [EMAIL PROTECTED]
uidNumber: 799
gidNumber: 500
gecos: Lynda Megill
loginShell: /bin/ksh
homeDirectory: /home/lynn
creatorsName: cn=anonymous
createTimestamp: 20011106201934Z
modifiersName: cn=anonymous
modifyTimestamp: 20011106201934Z
---------------------------------------------
Here is the entry for the user FreeRADIUS is binding to
the server as:
dn: uid=radius, ou=people, dc=xpedite, dc=com
cn: Radius User Authentication Access
sn: Radius
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: shadowAccount
userPassword:: dGNwaXA=
uid: radius
creatorsName: cn=anonymous
createTimestamp: 20011205171609Z
modifiersName: cn=anonymous
modifyTimestamp: 20011205171609Z
----------------------------------------------
Here is my users file:
initial-banner	Password == ascend
	Service-Type = Dialout-Framed-User,
	Reply-Message = "Up to 16 lines of up to 80 characters each",
	Reply-Message = "will be accepted. Long lines will be truncated",
	Reply-Message = "Additional lines will be ignored",
	Fall-Through = No

initial-banner-xxx	Password == ascend
	Service-Type = Dialout-Framed-User,
	Reply-Message = "Up to 16 lines of up to 80 characters each",
	Reply-Message = "will be accepted. Long lines will be truncated",
	Reply-Message = "Additional lines will be ignored",
	Fall-Through = No

banner	Password == ascend
	Service-Type = Dialout-Framed-User,
	Reply-Message = "Up to 16 lines of up to 80 characters each",
	Reply-Message = "will be accepted. Long lines will be truncated",
	Reply-Message = "Additional lines will be ignored",
	Reply-Message = " ",
	Reply-Message = "There can be up to 10 Ascend-Host-Info entries",
	Reply-Message = "in this profile. Each entry contains an IP address",
	Reply-Message = "to telnet to and up to 31 characters of text",
	Reply-Message = "describing the host. The text will be assigned",
	Reply-Message = "a number. When the number is selected a telnet",
	Reply-Message = "session to the ip address will be initiated.",
	Ascend-Host-Info = "1.2.3.4 a host name or phrase",
	Ascend-Host-Info = "1.2.3.5 another host",
	Ascend-Host-Info = "5.4.3.2 the last host",
	Fall-Through = No

max	Password == max
	Framed-Address = 10.0.8.1,
	Framed-Netmask = 255.255.255.0,
	Ascend-Metric = 1,
	Ascend-Maximum-Channels = 23,
	Ascend-Link-Compression = Link-Comp-None,
	Ascend-Idle-Limit = 30,
	Fall-Through = No

pools-etndial1	Password == ascend
	Service-Type = Dialout-Framed-User,
	Ascend-IP-Pool-Definition = "1 137.236.205.1 24",
	Ascend-IP-Pool-Definition = "2 137.236.205.65 24",
	Fall-Through = No

pools-etndial2	Password == ascend
	Service-Type = Dialout-Framed-User,
	Ascend-IP-Pool-Definition = "1 137.236.213.1 24",
	Ascend-IP-Pool-Definition = "2 137.236.213.129 24",
	Fall-Through = No

pools-etndial3	Password == ascend
	Service-Type = Dialout-Framed-User,
	Ascend-IP-Pool-Definition = "1 137.236.218.1 48",
	Ascend-IP-Pool-Definition = "2 137.236.218.65 48",
	Fall-Through = No

DEFAULT	Auth-Type := LDAP
	Fall-Through = Yes

DEFAULT	Service-Type == Framed-User
	Framed-Protocol = PPP,
	Framed-Netmask = 255.255.255.0,
	Framed-Routing = None,
	Ascend-Route-IP = Route-IP-Yes,
	Ascend-Bridge = Bridge-Yes,
	Ascend-Assign-IP-Pool = 1,
	Ascend-Idle-Limit = 0,
	Ascend-Force-56 = Force-56-No,
	Fall-Through = No
---------------------------------------------------
Here are the ldap bits from the radiusd.conf:
ldap {
	server = "ldaptest2.xpedite.com"
	identity = "uid=radius, ou=people, dc=xpedite, dc=com"
	password = "tcpip"
	basedn = "ou=people, dc=xpedite, dc=com"
	filter = "(uid=%u)"
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	timeout = 30
	timelimit = 30
	net_timeout = 30
}

authorize {
	ldap {
		notfound = return
	}
	files
}
-----------------------------------------------
The appropriate freeradius log bits:
rad_recv: Access-Request packet from host 137.236.206.3:1025, id=79, length=96
	User-Name = "lynn"
	Password = "\025k\261\035\263\275\332"
	NAS-IP-Address = 137.236.206.3
	NAS-Port = 20103
	NAS-Port-Type = Async
	Service-Type = Framed-User
	Framed-Protocol = PPP
	State = 0x
	Called-Station-Id = "5425387"
	Framed-IP-Address = 137.236.218.2
	Acct-Session-Id = "327266785"
rlm_ldap: - authorize
rlm_ldap: performing user authorization for lynn
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user lynn authorized to use remote access
Sending Access-Reject of id 79 to 137.236.206.3:1025
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
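Editor's note on the entries posted above (an added note, not part of Mike's message): in LDIF a double colon after the attribute name means the value is base64-encoded, not hashed. `userPassword:: d2VsY29tZQ==` therefore decodes to `welcome`, and `dGNwaXA=` to `tcpip`, the same string that appears in the clear as `password = "tcpip"` in the radiusd.conf excerpt. The Python below is an added example (not FreeRADIUS or OpenLDAP code) that parses LDIF of the shape shown in the post, decodes such values, reports which userPassword attributes carry no `{scheme}` prefix, and generates and verifies the `{SSHA}` form OpenLDAP accepts instead. The sample LDIF embedded in it is constructed from the two entries in the post, trimmed to the attributes that matter. One caveat a practitioner would want: a hashed userPassword only helps if the RADIUS side authenticates by binding to the directory as the user; if it instead fetches userPassword as a check item and compares it locally, it needs the cleartext value.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: the two entries from the post, trimmed to the attributes
# that matter here. A single colon introduces a literal value and a double
# colon introduces a base64-encoded one (RFC 2849).
SAMPLE_LDIF = """\
dn: uid=lynn, ou=people, dc=xpedite, dc=com
cn: Lynda Megill
objectClass: inetorgperson
userPassword:: d2VsY29tZQ==
uid: lynn

dn: uid=radius, ou=people, dc=xpedite, dc=com
cn: Radius User Authentication Access
userPassword:: dGNwaXA=
uid: radius
"""


def _unfold(text):
    """Join folded LDIF lines: a continuation line starts with one space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values.

    Base64 values ('attr:: ...') are decoded so the caller sees what the
    directory actually stores. 'attr:< url' references are not handled.
    """
    entries, current = [], {}
    for line in _unfold(text) + [""]:          # trailing "" flushes the last entry
        if not line.strip() or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith(":"):                # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:                                   # literal value
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries


def password_scheme(value):
    """'{SSHA}', '{CRYPT}', ... for hashed values; 'cleartext' if no prefix."""
    if value.startswith("{") and "}" in value:
        return value[: value.index("}") + 1].upper()
    return "cleartext"


def audit_passwords(entries):
    """Map each dn to the storage scheme of every userPassword it carries."""
    report = {}
    for entry in entries:
        dn = entry["dn"][0]
        for pw in entry.get("userPassword", []):
            report.setdefault(dn, []).append(password_scheme(pw))
    return report


def ssha_hash(password, salt=None):
    """Produce an OpenLDAP {SSHA} value: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a {SSHA} value, constant-time compare."""
    if stored[:6].upper() != "{SSHA}":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]           # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    for dn, schemes in audit_passwords(found).items():
        print(dn, "->", ", ".join(schemes))
    print("{SSHA} form of the same password:", ssha_hash("welcome"))
```

Run against a real export (`ldapsearch -LLL ... userPassword`), the audit reports every entry whose password is stored in the clear; the `{SSHA}` helpers show the salted form that `slapd` will compare on a simple bind, so the directory never has to hold the password itself.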