On Fri, 18 Jun 2004, Arnauld Dravet wrote:
> Hello
>
> I'm facing some kind of configuration trouble with freeradius and openldap. I
> got a new Access Point which I'm trying to use with 802.1x auth.
>
>
> I'm using a classical samba/qmail LDAP schema so that users in the company can
> authenticate against ldap with win/linux workstations. Basically, I got 3
> password fields, lmPassword, ntPassword, and userPassword. All of them are
> encrypted and there is no "0x" in front of the ntPassword.
>
> The ldap section in radiusd.conf seems to be ok, the connection is done, and I've
> set the password_attribute to "userPassword" and later to "ntPassword" to check
> if it changed anything to the problem (no).
>
> Other sections i'm using:
>
> authorize {
> preprocess
> auth_log
> ldap
> eap
> }
>
> authenticate {
> eap
> }
>
> Now, when I set up an 802.1x client, the AP connects to the radius server and here
> is the debug output:
>
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.6.3:1134, id=71, length=172
> NAS-IP-Address = 192.168.6.3
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 1
> Framed-MTU = 1400
> User-Name = "arnauld.dravet"
> Calling-Station-Id = "00904b625711"
> Called-Station-Id = "000d54fc1807"
> NAS-Identifier = "EPSI AP1"
> State = 0xa63191155f9268efbcad3167d4e42e90
> EAP-Message =
> 0x0202002404105f6aa1f2ca8bfe0b6efc3da31527335861726e61756c642e647261766574
> Message-Authenticator = 0xb917bedaab691dda63cd4364b2d93ae8
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 3
> modcall[authorize]: module "preprocess" returns ok for request 3
> radius_xlat: '/var/log/radius/radacct/192.168.6.3/auth-detail-20040618'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.6.3/auth-detail-20040618
> modcall[authorize]: module "auth_log" returns ok for request 3
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for arnauld.dravet
> radius_xlat: '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
> radius_xlat: 'ou=Users,dc=mtp,dc=epsi,dc=fr'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter
> (&(objectclass=posixAccount)(uid=arnauld.dravet))
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user arnauld.dravet authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
Either you haven't configured password extraction in the ldap module or it isn't
working. Make sure the user rlm_ldap uses to connect to the ldap server is
allowed to read the userpassword entry. Posting your rlm_ldap configuration
might help.
> modcall[authorize]: module "ldap" returns ok for request 3
> rlm_eap: EAP packet type response id 2 length 36
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 3
> modcall: group authorize returns updated for request 3
> rad_check_password: Found Auth-Type LDAP
> rad_check_password: Found Auth-Type EAP
> Warning: Found 2 auth-types on request for user 'arnauld.dravet'
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 3
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/md5
> rlm_eap: processing type md5
> rlm_eap_md5: User-Password is required for EAP-MD5 authentication
> rlm_eap: Handler failed in EAP/md5
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module "eap" returns invalid for request 3
> modcall: group authenticate returns invalid for request 3
> auth: Failed to validate the user.
> Login incorrect: [arnauld.dravet/<no User-Password attribute>] (from client ap1
> port 1 cli 00904b625711)
> Delaying request 3 for 2 seconds
> Finished request 3
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 71 to 192.168.6.3:1134
> EAP-Message = 0x04020004
> Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 2 ID 70 with timestamp 40d298d0
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 3 ID 71 with timestamp 40d298d1
> Nothing to do. Sleeping until we see a request.
>
>
> It's been two days I'm stuck on this problem, I think I've read all the
> documentation and mailing list archives.. I've tried different things, but it
> still finishes with a message saying it misses the User-Password attribute... I've
> of course also tried to use ldap in the authenticate section. I tested the initial
> config with radtest and it worked fine when I used ldap in the authenticate
> section, because radtest won't use eap...
>
> Thanks for any help you can give :)
>
> --
> Arnauld Dravet
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
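Added example (not part of either message above, and not FreeRADIUS code): the EAP-Message in the posted Access-Request is an EAP-MD5 Response, and the check rlm_eap_md5 has to perform is MD5(Identifier || password || challenge) as defined for CHAP in RFC 1994 and reused by EAP MD5-Challenge in RFC 3748, so the server needs the cleartext password itself. A one-way hash such as ntPassword or lmPassword cannot stand in for it, and an LDAP bind (Auth-Type LDAP) cannot serve it either, since there is no User-Password to bind with. The script below parses the packet from the posted debug output and runs that check; the challenge and password it uses for the verification run are constructed here, because the Access-Challenge that carried the real challenge is not in the posted output.

```python
"""EAP-MD5 (RFC 3748 section 5.4, RFC 1994 section 4.1) response check.

Added example, not code from this thread or from FreeRADIUS.  It parses the
EAP-Message posted in the Access-Request and shows the computation the
server must perform, which is why rlm_eap_md5 needs a cleartext password:
MD5(Identifier || Secret || Challenge) cannot be verified from an NT/LM hash.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

EAP_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4

# EAP-Message attribute copied from the posted Access-Request (id=71).
POSTED_EAP_MESSAGE = bytes.fromhex(
    "0202002404105f6aa1f2ca8bfe0b6efc3da31527335861726e61756c642e647261766574"
)

# Constructed demo values: the real challenge went out in an earlier
# Access-Challenge that is not in the posted output, and the user's
# password is of course not on the page either.
DEMO_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_PASSWORD = b"correct horse"


@dataclass
class Md5Response:
    identifier: int
    value: bytes   # 16-byte MD5 response value
    name: str      # peer name carried after the value


def parse_eap_md5_response(pkt: bytes) -> Md5Response:
    """Parse Code/Identifier/Length/Type, then Value-Size/Value/Name."""
    if len(pkt) < 6:
        raise ValueError("short EAP packet")
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if code != EAP_RESPONSE:
        raise ValueError(f"not an EAP Response (code {code})")
    if length != len(pkt):
        raise ValueError(f"EAP Length {length} != {len(pkt)} bytes on the wire")
    if pkt[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError(f"not MD5-Challenge (type {pkt[4]})")
    value_size = pkt[5]
    value = pkt[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated MD5 value")
    name = pkt[6 + value_size:].decode("ascii", errors="replace")
    return Md5Response(ident, value, name)


def expected_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 4.1: Response Value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_response(identifier: int, password: bytes, challenge: bytes, name: str) -> bytes:
    """What a supplicant sends back; used here to produce a verifiable demo packet."""
    value = expected_md5_response(identifier, password, challenge)
    type_data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name.encode("ascii")
    length = 4 + len(type_data)
    return bytes([EAP_RESPONSE, identifier]) + length.to_bytes(2, "big") + type_data


def verify_eap_md5(pkt: bytes, challenge: bytes, cleartext_password: Optional[bytes]) -> bool:
    """True iff the Response proves knowledge of cleartext_password.

    None models the situation in the thread: rlm_ldap handed rlm_eap_md5 no
    password attribute, so there is nothing to hash and the only safe answer
    is a reject.  A hash of the password instead of the password gives False
    for the same reason: the secret is an input to the MD5, not a comparand.
    """
    if cleartext_password is None:
        return False
    resp = parse_eap_md5_response(pkt)
    want = expected_md5_response(resp.identifier, cleartext_password, challenge)
    return hmac.compare_digest(resp.value, want)


if __name__ == "__main__":
    posted = parse_eap_md5_response(POSTED_EAP_MESSAGE)
    print(f"posted packet: id={posted.identifier} name={posted.name!r} "
          f"value={posted.value.hex()} total={len(POSTED_EAP_MESSAGE)} bytes")
    demo = build_md5_response(2, DEMO_PASSWORD, DEMO_CHALLENGE, "arnauld.dravet")
    print("cleartext password from LDAP:", verify_eap_md5(demo, DEMO_CHALLENGE, DEMO_PASSWORD))
    print("no password attribute returned:", verify_eap_md5(demo, DEMO_CHALLENGE, None))
```

Parsing the posted packet gives id 2, length 36 and type 4 (MD5-Challenge), matching the "EAP packet type response id 2 length 36" line in the debug, with the 14-byte name "arnauld.dravet" after the 16-byte value. The practical consequence for the thread is that rlm_ldap must be able to read a cleartext userPassword (or one FreeRADIUS can decode) into the request, or EAP-MD5 has to be swapped for a method that works from the stored credential form.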