On Thu, 18 Mar 2004, David Dunn wrote:
> Dear all,
>
> I'm a newbie to FR so please bear with me.
>
> I'm doing TTLS for wireless access. The wireless
> client is Alfa-Ariss SecureW2 with Netscape LDAP as
> backend (passwords are stored as SHA hashes). FR is CVS
> snapshot-20040308 running on RH9.
>
> I planned to retrieve the hashed password from
> LDAP and, during the final stage of the TTLS
> authentication, use the PAP module to hash the cleartext
> password from SecureW2 with SHA and compare it with
> the retrieved one.
>
> But what actually happens is that FR indicates it found
> 'Auth-Type LDAP' during the final stage (request 5 in
> my debug) and proceeds to use LDAP for user password
> authentication; since I didn't enable LDAP for
> authentication, it failed.
>
> If I enable LDAP for authentication, it works: a
> successful bind to LDAP authenticates the user. But
> the cleartext password is used for that bind, and I would
> rather avoid it.
>
> So how can I use PAP for password authentication, or is
> it not possible?
You need to set Auth-Type in the users file (in your case `Auth-Type := PAP`
on the DEFAULT entry). Since you don't, the ldap module sets it to LDAP, which
is exactly what the debug shows for request 5.
>
> Below are the debug output, users file and
> radiusd.conf.
>
> Any input greatly appreciated.
>
> -------------------
> Debug output
> -------------------------------------------
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file:
> /usr/local/etc/raddb/clients.conf
> Config: including file:
> /usr/local/etc/raddb/snmp.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/usr/local/var"
> main: logdir = "/usr/local/var/log/radius"
> main: libdir = "/usr/local/lib"
> main: radacctdir =
> "/usr/local/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file =
> "/usr/local/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile =
> "/usr/local/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/sbin/checkrad"
> main: proxy_requests = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will
> go away soon.
> read_config_files: reading clients
> Using deprecated clients file. Support for this will
> go away soon.
> read_config_files: reading realms
> Using deprecated realms file. Support for this will
> go away soon.
> radiusd: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean
> output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "sha1"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = no
> mschap: passwd = "(null)"
> mschap: authtype = "MS-CHAP"
> Module: Instantiated mschap (mschap)
> Module: Loaded eap
> eap: default_eap_type = "tls"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file =
> "/usr/local/etc/raddb/certs/cert-srv.pem"
> tls: certificate_file =
> "/usr/local/etc/raddb/certs/cert-srv.pem"
> tls: CA_file =
> "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
> tls: private_key_password = "whatever"
> tls: dh_file = "/usr/local/etc/raddb/certs/dh"
> tls: random_file =
> "/usr/local/etc/raddb/certs/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> rlm_eap: Loaded and initialized type tls
> ttls: default_eap_type = "md5"
> ttls: copy_request_to_tunnel = yes
> ttls: use_tunneled_reply = no
> rlm_eap: Loaded and initialized type ttls
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups =
> "/usr/local/etc/raddb/huntgroups"
> preprocess: hints = "/usr/local/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> Module: Instantiated realm (suffix)
> Module: Loaded files
> files: usersfile = "/usr/local/etc/raddb/users"
> files: acctusersfile =
> "/usr/local/etc/raddb/acct_users"
> files: preproxy_usersfile =
> "/usr/local/etc/raddb/preproxy_users"
> files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded LDAP
> ldap: server = "ldapserver"
> ldap: port = 389
> ldap: net_timeout = 1
> ldap: timeout = 4
> ldap: timelimit = 3
> ldap: identity = "uid=user,o=users,o=network"
> ldap: start_tls = no
> ldap: tls_cacertfile = "(null)"
> ldap: tls_cacertdir = "(null)"
> ldap: tls_certfile = "(null)"
> ldap: tls_keyfile = "(null)"
> ldap: tls_randfile = "(null)"
> ldap: tls_require_cert = "allow"
> ldap: password = "password"
> ldap: basedn = "o=network"
> ldap: filter =
> "(uid=%{Stripped-User-Name:-%{User-Name}})"
> ldap: base_filter = "(objectclass=radiusprofile)"
> ldap: default_profile = "(null)"
> ldap: profile_attribute = "(null)"
> ldap: password_header = "{SHA}"
> ldap: password_attribute = "userPassword"
> ldap: access_attr = "(null)"
> ldap: groupname_attribute = "cn"
> ldap: groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> ldap: groupmembership_attribute = "(null)"
> ldap: dictionary_mapping =
> "/usr/local/etc/raddb/ldap.attrmap"
> ldap: ldap_debug = 0
> ldap: ldap_connections_number = 5
> ldap: compare_check_items = no
> ldap: access_attr_used_for_allow = yes
> ldap: do_xlat = yes
> conns: (nil)
> rlm_ldap: reading ldap<->radius mappings from file
> /usr/local/etc/raddb/ldap.attrmap
> rlm_ldap: LDAP radiusCheckItem mapped to RADIUS
> $GENERIC$
> rlm_ldap: LDAP radiusReplyItem mapped to RADIUS
> $GENERIC$
> rlm_ldap: LDAP radiusAuthType mapped to RADIUS
> Auth-Type
> conns: 0x818fe00
> Module: Instantiated ldap (ldap)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id,
> NAS-IP-Address, Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile =
> "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename =
> "/usr/local/var/log/radius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on IP address *, ports 1812/udp and
> 1813/udp.
> Ready to process requests.
> rad_recv: Access-Request packet from host
> 10.1.14.23:1112, id=88, length=150
> User-Name = "user1"
> Cisco-AVPair = "ssid=wireless"
> NAS-IP-Address = 10.1.14.23
> Called-Station-Id = "004096"
> Calling-Station-Id = "004096"
> NAS-Identifier = "AP01"
> NAS-Port = 37
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Service-Type = Authenticate-Only
> EAP-Message = 0x0229000901776d616e
> Message-Authenticator =
> 0xa6ec1d6fd980fb717d7f11d76a8dd6da
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok
> for request 0
> modcall[authorize]: module "chap" returns noop for
> request 0
> modcall[authorize]: module "mschap" returns noop for
> request 0
> rlm_realm: No '@' in User-Name = "user1", looking
> up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for
> request 0
> rlm_eap: EAP packet type response id 41 length 9
> rlm_eap: No EAP Start, assuming it's an on-going EAP
> conversation
> modcall[authorize]: module "eap" returns updated for
> request 0
> users: Matched DEFAULT at 146
> modcall[authorize]: module "files" returns ok for
> request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for user1
> radius_xlat: '(uid=user1)'
> radius_xlat: 'o=network'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldapserver:389,
> authentication 0
> rlm_ldap: bind as uid=user1,o=users,o=network/password
> to ldapserver:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in o=network, with filter
> (uid=user1)
> rlm_ldap: Added password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
> in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user user1 authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for
> request 0
> modcall: group authorize returns updated for request 0
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Requiring client certificate
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module "eap" returns handled
> for request 0
> modcall: group authenticate returns handled for
> request 0
> Sending Access-Challenge of id 88 to 10.1.14.23:1112
> EAP-Message = 0x012a00060d20
> Message-Authenticator =
> 0x00000000000000000000000000000000
> State = 0xa41b75f68ee657c28b3553c325115578
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host
> 10.1.14.23:1113, id=89, length=165
> User-Name = "user1"
> Cisco-AVPair = "ssid=wireless"
> NAS-IP-Address = 10.1.14.23
> Called-Station-Id = "004096"
> Calling-Station-Id = "004096"
> NAS-Identifier = "AP01"
> NAS-Port = 37
> Framed-MTU = 1400
> State = 0xa41b75f68ee657c28b3553c325115578
> NAS-Port-Type = Wireless-802.11
> Service-Type = Authenticate-Only
> EAP-Message = 0x022a00060315
> Message-Authenticator =
> 0x684e09ddab9f564306a8ee0a320be8cc
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
> modcall[authorize]: module "preprocess" returns ok
> for request 1
> modcall[authorize]: module "chap" returns noop for
> request 1
> modcall[authorize]: module "mschap" returns noop for
> request 1
> rlm_realm: No '@' in User-Name = "user1", looking
> up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for
> request 1
> rlm_eap: EAP packet type response id 42 length 6
> rlm_eap: No EAP Start, assuming it's an on-going EAP
> conversation
> modcall[authorize]: module "eap" returns updated for
> request 1
> users: Matched DEFAULT at 146
> modcall[authorize]: module "files" returns ok for
> request 1
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for user1
> radius_xlat: '(uid=user1)'
> radius_xlat: 'o=network'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in o=network, with filter
> (uid=user1)
> rlm_ldap: Added password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
> in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user user1 authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for
> request 1
> modcall: group authorize returns updated for request 1
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
> rlm_eap: Request found, released from the list
> rlm_eap: EAP NAK
> rlm_eap: EAP-NAK asked for EAP-Type/ttls
> rlm_eap: processing type tls
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module "eap" returns handled
> for request 1
> modcall: group authenticate returns handled for
> request 1
> Sending Access-Challenge of id 89 to 10.1.14.23:1113
> EAP-Message = 0x012b00061520
> Message-Authenticator =
> 0x00000000000000000000000000000000
> State = 0x45493f682e707bec1094904a38d2dbd0
> Finished request 1
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host
> 10.1.14.23:1114, id=90, length=219
> User-Name = "user1"
> Cisco-AVPair = "ssid=wireless"
> NAS-IP-Address = 10.1.14.23
> Called-Station-Id = "004096"
> Calling-Station-Id = "004096"
> NAS-Identifier = "AP01"
> NAS-Port = 37
> Framed-MTU = 1400
> State = 0x45493f682e707bec1094904a38d2dbd0
> NAS-Port-Type = Wireless-802.11
> Service-Type = Authenticate-Only
> EAP-Message =
> 0x022b003c158000000032160301002d0100002903018802320072731b407a9f787f35759aa0e91860694a9bdc7ea0c12a260d133645000002000a0100
> Message-Authenticator =
> 0x9fd228a07898128cc70c42e709c4b872
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 2
> modcall[authorize]: module "preprocess" returns ok
> for request 2
> modcall[authorize]: module "chap" returns noop for
> request 2
> modcall[authorize]: module "mschap" returns noop for
> request 2
> rlm_realm: No '@' in User-Name = "user1", looking
> up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for
> request 2
> rlm_eap: EAP packet type response id 43 length 60
> rlm_eap: No EAP Start, assuming it's an on-going EAP
> conversation
> modcall[authorize]: module "eap" returns updated for
> request 2
> users: Matched DEFAULT at 146
> modcall[authorize]: module "files" returns ok for
> request 2
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for user1
> radius_xlat: '(uid=user1)'
> radius_xlat: 'o=network'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in o=network, with filter
> (uid=user1)
> rlm_ldap: Added password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
> in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user user1 authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for
> request 2
> modcall: group authorize returns updated for request 2
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 2
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/ttls
> rlm_eap: processing type ttls
> rlm_eap_ttls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Length Included
> eaptls_verify returned 11
> (other): before/accept initialization
> TLS_accept: before/accept initialization
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d],
> ClientHello
> TLS_accept: SSLv3 read client hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a],
> ServerHello
> TLS_accept: SSLv3 write server hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694],
> Certificate
> TLS_accept: SSLv3 write certificate A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004],
> ServerHelloDone
> TLS_accept: SSLv3 write server done A
> TLS_accept: SSLv3 flush data
> TLS_accept:error in SSLv3 read client certificate
> A
> In SSL Handshake Phase
> In SSL Accept mode
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled
> for request 2
> modcall: group authenticate returns handled for
> request 2
> Sending Access-Challenge of id 90 to 10.1.14.23:1114
> EAP-Message =
> 0x012c040a15c0000006f1160301004a020000460301405a53f20c005fbd0f54410dcfb4bf5cfa13dc5a28942af6cec341cbf2f8b6d82084bba3be4fee585d6e6d05f9f19fb729a1537e5ef0d0050b04ccdf9328300879000a0016030106940b00069000068d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365
> EAP-Message =
> 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
> EAP-Message =
> 0x818d0030818902818100dac525422bfedb082629a2cba44b3449c90d0ab462fb72c8434a782098863d7eb7d7e70028c2b7ad555a51cc756cf4fa1d7091615ab450d5289553ae6616aff014a55085d6b8fb4aee98638e426175cdd36c665c63cda177d34920eb30585edc8773999c2980f81ad4638bbbea1c82d054023db7ef24a3ec1c3f6241a903d7f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181007a2d921b1cf13bf2982a9178ec9ede6d88edc178a2e8bd40a0a06fb6f0769957884cd7084537083496fd184165293f583c8e8240eb68e042c94b15752e4c07e80d09
> EAP-Message =
> 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
> EAP-Message =
> 0x652e636f6d301e170d3034303132353133323630375a
> Message-Authenticator =
> 0x00000000000000000000000000000000
> State = 0xafa99d3f945fdd8d901975ad7fa39ac6
> Finished request 2
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host
> 10.1.14.23:1115, id=91, length=164
> User-Name = "user1"
> Cisco-AVPair = "ssid=wireless"
> NAS-IP-Address = 10.1.14.23
> Called-Station-Id = "004096"
> Calling-Station-Id = "004096"
> NAS-Identifier = "AP01"
> NAS-Port = 37
> Framed-MTU = 1400
> State = 0xafa99d3f945fdd8d901975ad7fa39ac6
> NAS-Port-Type = Wireless-802.11
> Service-Type = Authenticate-Only
> EAP-Message = 0x022c000515
> Message-Authenticator =
> 0xc74eed5e6781a12cd592d5f4abe2e0b6
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 3
> modcall[authorize]: module "preprocess" returns ok
> for request 3
> modcall[authorize]: module "chap" returns noop for
> request 3
> modcall[authorize]: module "mschap" returns noop for
> request 3
> rlm_realm: No '@' in User-Name = "user1", looking
> up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for
> request 3
> rlm_eap: EAP packet type response id 44 length 5
> rlm_eap: No EAP Start, assuming it's an on-going EAP
> conversation
> modcall[authorize]: module "eap" returns updated for
> request 3
> users: Matched DEFAULT at 146
> modcall[authorize]: module "files" returns ok for
> request 3
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for user1
> radius_xlat: '(uid=user1)'
> radius_xlat: 'o=network'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in o=network, with filter
> (uid=user1)
> rlm_ldap: Added password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
> in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user user1 authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for
> request 3
> modcall: group authorize returns updated for request 3
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 3
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/ttls
> rlm_eap: processing type ttls
> rlm_eap_ttls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake fragment handler
> eaptls_verify returned 1
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled
> for request 3
> modcall: group authenticate returns handled for
> request 3
> Sending Access-Challenge of id 91 to 10.1.14.23:1115
> EAP-Message =
> 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
> EAP-Message =
> 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
> EAP-Message =
> 0x31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c51603010004
> EAP-Message = 0x0e000000
> Message-Authenticator =
> 0x00000000000000000000000000000000
> State = 0x058cf4e7a546cde56eb32a77dc3a3150
> Finished request 3
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host
> 10.1.14.23:1116, id=92, length=359
> User-Name = "user1"
> Cisco-AVPair = "ssid=wireless"
> NAS-IP-Address = 10.1.14.23
> Called-Station-Id = "004096"
> Calling-Station-Id = "004096"
> NAS-Identifier = "AP01"
> NAS-Port = 37
> Framed-MTU = 1400
> State = 0x058cf4e7a546cde56eb32a77dc3a3150
> NAS-Port-Type = Wireless-802.11
> Service-Type = Authenticate-Only
> EAP-Message =
> 0x022d00c81580000000be160301008610000082008064262741e14313c97f9c6edfcf6d3db77f8197cdd66727465052570d3e3c79a543e7787a452ea28782e4491801fcdf723edb70b7e22c887208e377a8edd9fe0fc354dc9e95bfe8675b563946a40665dceb8510c8ed744d3c18b12d4bdea4fa52ff23b5dc873f87199448355b5f2c9ef264416299464dc59bd6cc99990e226a6914030100010116030100286b5c53a51630c28e0927dffc8f7bb6d4409ce9ad74f3a42cbe04d58129fafd7f47b8ac9cf43ce4f8
> Message-Authenticator =
> 0x1e002c5548cb7566a92455af62757a15
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 4
> modcall[authorize]: module "preprocess" returns ok
> for request 4
> modcall[authorize]: module "chap" returns noop for
> request 4
> modcall[authorize]: module "mschap" returns noop for
> request 4
> rlm_realm: No '@' in User-Name = "user1", looking
> up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for
> request 4
> rlm_eap: EAP packet type response id 45 length 200
> rlm_eap: No EAP Start, assuming it's an on-going EAP
> conversation
> modcall[authorize]: module "eap" returns updated for
> request 4
> users: Matched DEFAULT at 146
> modcall[authorize]: module "files" returns ok for
> request 4
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for user1
> radius_xlat: '(uid=user1)'
> radius_xlat: 'o=network'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in o=network, with filter
> (uid=user1)
> rlm_ldap: Added password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
> in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user user1 authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for
> request 4
> modcall: group authorize returns updated for request 4
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 4
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/ttls
> rlm_eap: processing type ttls
> rlm_eap_ttls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Length Included
> eaptls_verify returned 11
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086],
> ClientKeyExchange
> TLS_accept: SSLv3 read client key exchange A
> rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length
> 0001]
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010],
> Finished
> TLS_accept: SSLv3 read finished A
> rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length
> 0001]
> TLS_accept: SSLv3 write change cipher spec A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010],
> Finished
> TLS_accept: SSLv3 write finished A
> TLS_accept: SSLv3 flush data
> (other): SSL negotiation finished successfully
> SSL Connection Established
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled
> for request 4
> modcall: group authenticate returns handled for
> request 4
> Sending Access-Challenge of id 92 to 10.1.14.23:1116
> EAP-Message =
> 0x012e003d1580000000331403010001011603010028f5808af65516fa1f74bf2447d55462f9b4ff1748d26aac2770d98a4eaef66bff4ab3311db24ebee7
> Message-Authenticator =
> 0x00000000000000000000000000000000
> State = 0x364f92bc59a5ae6abfc171f30d8f6083
> Finished request 4
> Going to the next request
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host
> 10.1.14.23:1117, id=93, length=230
> User-Name = "user1"
> Cisco-AVPair = "ssid=wireless"
> NAS-IP-Address = 10.1.14.23
> Called-Station-Id = "004096"
> Calling-Station-Id = "004096"
> NAS-Identifier = "AP01"
> NAS-Port = 37
> Framed-MTU = 1400
> State = 0x364f92bc59a5ae6abfc171f30d8f6083
> NAS-Port-Type = Wireless-802.11
> Service-Type = Authenticate-Only
> EAP-Message =
> 0x022e004715800000003d1703010038beee1f2475dbf589e89499fe6a0de5427f66152a7db6a5ffd884d470adb6356d22228944e59166d83506b9d95fc90b1cae0303d34d4aee7d
> Message-Authenticator =
> 0xf91b3a4d6fa7973995f206328e8da2cb
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 5
> modcall[authorize]: module "preprocess" returns ok
> for request 5
> modcall[authorize]: module "chap" returns noop for
> request 5
> modcall[authorize]: module "mschap" returns noop for
> request 5
> rlm_realm: No '@' in User-Name = "user1", looking
> up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for
> request 5
> rlm_eap: EAP packet type response id 46 length 71
> rlm_eap: No EAP Start, assuming it's an on-going EAP
> conversation
> modcall[authorize]: module "eap" returns updated for
> request 5
> users: Matched DEFAULT at 146
> modcall[authorize]: module "files" returns ok for
> request 5
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for user1
> radius_xlat: '(uid=user1)'
> radius_xlat: 'o=network'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in o=network, with filter
> (uid=user1)
> rlm_ldap: Added password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
> in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user user1 authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for
> request 5
> modcall: group authorize returns updated for request 5
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 5
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/ttls
> rlm_eap: processing type ttls
> rlm_eap_ttls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Length Included
> eaptls_verify returned 11
> eaptls_process returned 7
> rlm_eap_ttls: Session established. Proceeding to
> decode tunneled attributes.
> TTLS: Got tunneled request
> User-Name = "user1"
> User-Password = "password"
> FreeRADIUS-Proxied-To = 127.0.0.1
> TTLS: Sending tunneled request
> User-Name = "user1"
> User-Password = "password"
> FreeRADIUS-Proxied-To = 127.0.0.1
> Cisco-AVPair = "ssid=wireless"
> NAS-IP-Address = 10.1.14.23
> Called-Station-Id = "004096"
> Calling-Station-Id = "004096"
> NAS-Identifier = "AP01"
> NAS-Port = 37
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Service-Type = Authenticate-Only
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 5
> modcall[authorize]: module "preprocess" returns ok
> for request 5
> modcall[authorize]: module "chap" returns noop for
> request 5
> modcall[authorize]: module "mschap" returns noop for
> request 5
> rlm_realm: No '@' in User-Name = "user1", looking
> up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for
> request 5
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for
> request 5
> users: Matched DEFAULT at 146
> modcall[authorize]: module "files" returns ok for
> request 5
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for user1
> radius_xlat: '(uid=user1)'
> radius_xlat: 'o=network'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in o=network, with filter
> (uid=user1)
> rlm_ldap: Added password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
> in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user user1 authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for
> request 5
> modcall: group authorize returns ok for request 5
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> ERROR: Unknown value specified for Auth-Type.
> Cannot perform requested action.
> auth: Failed to validate the user.
> TTLS: Got tunneled reply RADIUS code 3
> TTLS: Got tunneled Access-Reject
> rlm_eap: Handler failed in EAP/ttls
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module "eap" returns invalid
> for request 5
> modcall: group authenticate returns invalid for
> request 5
> auth: Failed to validate the user.
> Delaying request 5 for 1 seconds
> Finished request 5
> Going to the next request
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host
> 10.1.14.23:1117, id=93, length=230
> Sending Access-Reject of id 93 to 10.1.14.23:1117
> EAP-Message = 0x042e0004
> Message-Authenticator =
> 0x00000000000000000000000000000000
> --- Walking the entire request list ---
> Cleaning up request 0 ID 88 with timestamp 405a53f2
> Cleaning up request 1 ID 89 with timestamp 405a53f2
> Cleaning up request 2 ID 90 with timestamp 405a53f2
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 3 ID 91 with timestamp 405a53f3
> Cleaning up request 4 ID 92 with timestamp 405a53f3
> Cleaning up request 5 ID 93 with timestamp 405a53f3
> Nothing to do. Sleeping until we see a request.
> -------------------------------------------
>
> -------------------
> users
> -------------------------------------------
> DEFAULT
> Fall-Through = no
> -------------------------------------------
>
> -------------------
> radiusd.conf
> -------------------------------------------
> prefix = /usr/local
> exec_prefix = ${prefix}
> sysconfdir = ${prefix}/etc
> localstatedir = ${prefix}/var
> sbindir = ${exec_prefix}/sbin
> logdir = ${localstatedir}/log/radius
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/radiusd
> log_file = ${logdir}/radius.log
> libdir = ${exec_prefix}/lib
> pidfile = ${run_dir}/radiusd.pid
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 1024
> bind_address = *
> port = 0
> hostname_lookups = no
> allow_core_dumps = no
> regular_expressions = yes
> extended_expressions = yes
> log_stripped_names = no
> log_auth = no
> log_auth_badpass = no
> log_auth_goodpass = no
> usercollide = no
> lower_user = no
> lower_pass = no
> nospace_user = no
> nospace_pass = no
> checkrad = ${sbindir}/checkrad
>
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = no
> }
>
> proxy_requests = no
> $INCLUDE ${confdir}/clients.conf
> snmp = no
> $INCLUDE ${confdir}/snmp.conf
>
> thread pool {
> start_servers = 5
> max_servers = 32
> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
> }
>
> modules {
> pap {
> encryption_scheme = sha1
> }
>
> chap {
> authtype = CHAP
> }
>
> eap {
> default_eap_type = tls
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
>
> tls {
> private_key_password = whatever
> private_key_file = ${raddbdir}/certs/cert-srv.pem
> certificate_file = ${raddbdir}/certs/cert-srv.pem
> CA_file = ${raddbdir}/certs/demoCA/cacert.pem
> dh_file = ${raddbdir}/certs/dh
> random_file = ${raddbdir}/certs/random
> fragment_size = 1024
> include_length = yes
> }
>
> ttls {
> default_eap_type = md5
> copy_request_to_tunnel = yes
> use_tunneled_reply = no
> }
>
> }
>
> mschap {
> authtype = MS-CHAP
> }
>
> ldap {
> server = "ldapserver"
> identity = "uid=user1,o=users,o=network"
> password = "password"
> basedn = "o=network"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> start_tls = no
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> ldap_connections_number = 5
> password_header = "{SHA}"
> password_attribute = userPassword
> timeout = 4
> timelimit = 3
> net_timeout = 1
> }
>
> realm suffix {
> format = suffix
> delimiter = "@"
> }
>
> realm realmpercent {
> format = suffix
> delimiter = "%"
> }
>
> preprocess {
> huntgroups = ${confdir}/huntgroups
> hints = ${confdir}/hints
>
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> }
>
> files {
> usersfile = ${confdir}/users
> acctusersfile = ${confdir}/acct_users
> compat = no
> }
>
> detail {
> detailfile =
> ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> detailperm = 0600
> }
>
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port"
> }
>
> radutmp {
> filename = ${logdir}/radutmp
> username = %{User-Name}
> case_sensitive = yes
> check_with_nas = yes
> callerid = "yes"
> }
>
> radutmp sradutmp {
> filename = ${logdir}/sradutmp
> perm = 0644
> callerid = "no"
> }
>
> attr_filter {
> attrsfile = ${confdir}/attrs
> }
>
> counter daily {
> filename = ${raddbdir}/db.daily
> key = User-Name
> count-attribute = Acct-Session-Time
> reset = daily
> counter-name = Daily-Session-Time
> check-name = Max-Daily-Session
> allowed-servicetype = Framed-User
> cache-size = 5000
> }
>
> always fail {
> rcode = fail
> }
> always reject {
> rcode = reject
> }
> always ok {
> rcode = ok
> simulcount = 0
> mpp = no
> }
>
> expr {
> }
>
> digest {
> }
>
> exec {
> wait = yes
> input_pairs = request
> }
>
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = request
> output_pairs = reply
> }
>
> ippool main_pool {
> range-start = 192.168.1.1
> range-stop = 192.168.3.254
> netmask = 255.255.255.0
> cache-size = 800
> session-db = ${raddbdir}/db.ippool
> ip-index = ${raddbdir}/db.ipindex
> override = no
> maximum-timeout = 0
> }
> }
>
> instantiate {
> exec
> expr
> }
>
> authorize {
> preprocess
> chap
> mschap
> suffix
> eap
> files
> ldap
> }
>
> authenticate {
> Auth-Type PAP {
> pap
> }
>
> Auth-Type CHAP {
> chap
> }
>
> Auth-Type MS-CHAP {
> mschap
> }
>
> eap
> }
>
> preacct {
> preprocess
> suffix
> files
> }
>
> accounting {
> acct_unique
> detail
> radutmp
> }
>
> session {
> radutmp
> }
>
> post-auth {
> }
>
> pre-proxy {
> }
>
> post-proxy {
> eap
> }
> -------------------------------------------
>
>
>
>
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf