On Wed, 27 Mar 2002, Michael S. McCollough wrote:
> I am usually not a complete idiot, but I cannot get this to work. Using the
> settings for radiusd you recommended I cannot get PAP or CHAP to work. PAP
> will work if I put ldap back in the authenticate section. I am beyond the
> point of embarrassed now but must keep going.
>
> Below are my results:
>
> Radiusd.conf authorize and auth sections:
> authorize {
>         preprocess
>         chap
>         ldap
>         suffix
>         files
> }
>
> authenticate {
>         unix
>         chap
> #       ldap
> }

The ldap module will set Auth-Type to Ldap if it has not already been set.
In cases of PAP requests the chap module will not set the Auth-Type.
Do one of the following:

1.
authenticate {
        chap
        authtype Ldap {
                ldap
        }
}
That is, let the ldap module handle the PAP request.

2.
authenticate {
        chap
        authtype PAP {
                pap
        }
}
authorize {
        chap
        files   # files is before ldap so that it can set the Auth-Type first
        ldap
}
files:
DEFAULT Auth-Type = PAP
That is, let the pap module handle the PAP request.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
>
> PAP Attempt:
> rad_recv: Access-Request packet from host 208.241.20.2:64305, id=17,
> length=42
> User-Name = "me"
> Password = "\207\246\031v}\\\237f\207_\307\202#\200\366Q"
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Could not find proper Chap-Password attribute in request
> modcall[authorize]: module "chap" returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for me
> radius_xlat: '(uid=me)'
> radius_xlat: 'dc=uchub,dc=com'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap:389:389, authentication 0
> rlm_ldap: bind as cn=manager,dc=uchub,dc=com/password
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in dc=uchub,dc=com, with filter (uid=me)
> rlm_ldap: Added password password in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user me authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok
> modcall[authorize]: module "suffix" returns ok
> users: Matched DEFAULT at 2
> modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type ldap
> auth: type "Ldap"
> auth: Failed to validate the user.
> Login incorrect: [me/password] (from client MR-Firewall port 0)
> Sending Access-Reject of id 17 to 208.241.20.2:64305
> Finished request 0
>
>
>
> CHAP Attempt:
> rad_recv: Access-Request packet from host 208.241.20.2:64709, id=18,
> length=43
> User-Name = "me"
> CHAP-Password = "\302w\247\033\363\253S\376\346\t$.\016by=2"
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Adding Auth-Type = CHAP
> modcall[authorize]: module "chap" returns ok
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for me
> radius_xlat: '(uid=me)'
> radius_xlat: 'dc=uchub,dc=com'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=uchub,dc=com, with filter (uid=me)
> rlm_ldap: Added password password in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user me authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok
> modcall[authorize]: module "suffix" returns ok
> users: Matched DEFAULT at 2
> modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type ldap
> auth: type "Ldap"
> auth: Failed to validate the user.
> Login incorrect: [me/<CHAP-Password>] (from client MR-Firewall port 0)
> Sending Access-Reject of id 18 to 208.241.20.2:64709
> Finished request 1
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 1 ID 18 with timestamp 3ca1ebcd
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
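
The two failures in the debug output quoted above can be picked out mechanically. The following is an added example, not part of the original messages or of FreeRADIUS: it reads radiusd debug lines, records which credential each Access-Request carried and which Auth-Type was finally used, and flags an Auth-Type with no entry in the authenticate section as well as a CHAP request that did not end up as Auth-Type CHAP. The names `audit`, `SAMPLE_LOG` and the problem labels are hypothetical, and the sample log is constructed (placeholder address and redacted values) in the shape of the lines in this thread.

```python
import re

# Constructed sample in the shape of the debug lines quoted in the thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10:64305, id=17, length=42
    User-Name = "me"
    Password = "<redacted>"
rlm_chap: Could not find proper Chap-Password attribute in request
rad_check_password:  Found Auth-Type ldap
auth: type "Ldap"
Sending Access-Reject of id 17 to 192.0.2.10:64305
rad_recv: Access-Request packet from host 192.0.2.10:64709, id=18, length=43
    User-Name = "me"
    CHAP-Password = "<redacted>"
rlm_chap: Adding Auth-Type = CHAP
rad_check_password:  Found Auth-Type ldap
auth: type "Ldap"
Sending Access-Reject of id 18 to 192.0.2.10:64709
"""

def audit(log, handlers):
    """Return one dict per Access-Request found in a radiusd debug log.

    handlers: names listed in the authenticate section (modules or authtype
    blocks), e.g. {"unix", "chap"} for the configuration quoted in the thread.
    """
    handlers = {h.lower() for h in handlers}
    requests, cur = [], None
    for line in log.splitlines():
        line = line.strip()
        m = re.match(r"rad_recv: Access-Request .*\bid=(\d+)", line)
        if m:
            cur = {"id": int(m.group(1)), "credential": None,
                   "auth_type": None, "problems": []}
            requests.append(cur)
        elif cur is None:
            continue                      # lines before the first request
        elif line.startswith("CHAP-Password ="):
            cur["credential"] = "CHAP"
        elif line.startswith("Password ="):
            cur["credential"] = "PAP"
        elif (m := re.match(r'auth: type "([^"]+)"', line)):
            cur["auth_type"] = m.group(1)
    for r in requests:
        t = (r["auth_type"] or "").lower()
        if t and t not in handlers:
            r["problems"].append("no-handler")      # nothing in authenticate for it
        if r["credential"] == "CHAP" and t != "chap":
            r["problems"].append("chap-not-used")   # Auth-Type CHAP was replaced
    return requests

if __name__ == "__main__":
    for r in audit(SAMPLE_LOG, {"unix", "chap"}):
        print(r)
```
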