I am having problems authenticating to my freeradius server remotely. Here is
my current configuration:
SuSE 9.1 default rpm-based install and then an upgrade through YOU to
freeradius-0.9.3-106.6
Files modified:
/etc/raddb/radiusd.conf:
Around line 720:
ldap {
        # server = "ldap.your.domain"
        server = "127.0.0.1"
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        # basedn = "o=My Org,c=UA"
        basedn = "ou=Users,dc=mydomain,dc=com"
        # filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        filter = "(objectClass=posixAccount)(uid=%u)"
In the authorize section around line 1448 uncommented:
ldap
Around line 1511 uncommented:
Auth-Type LDAP {
        ldap
}
/etc/raddb/users:
Around line 152:
#DEFAULT Auth-Type = System
DEFAULT Auth-Type = LDAP
The server is on 192.168.0.2 and my external client is on 192.168.0.3. All
system-based firewalls are shut down. Client is SuSE 9.2 with these packages:
freeradius-1.0.0-5
radiusclient-0.3.2-142
The /etc/raddb/clients.conf is (with comments removed):
client 127.0.0.1 {
        secret = test
        shortname = localhost
        nastype = other
}
client 192.168.0.2 {
        secret = test
        shortname = mail
        nastype = other
}
client 192.168.0.3 {
        secret = test
        shortname = suse
        nastype = other
}
The 192.168.0.3 entry was created with vi by utilizing 5yy and then a p so
there are no hidden characters in the secret line.
When running radtest from the server itself the following commands succeed:
radtest myuser secret localhost:1812 10 test
radtest myuser secret 127.0.0.1:1812 10 test
radtest myuser secret 192.168.0.2:1812 10 test
When running radtest from the 192.168.0.3 client the following command fails:
radtest myuser secret 192.168.0.2 10 test
Here are the obvious errors:
From the server:
Ready to process requests.
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.3:1024, id=244, length=61
User-Name = "myuser"
User-Password = "A\317\324\013\367G\325Rbf\342'?n~\246"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: No '@' in User-Name = "myuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 153
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for myuser
radius_xlat: '(objectClass=posixAccount)(uid=myuser)'
radius_xlat: 'ou=Users,dc=mydomain,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as / to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=Users,dc=mydomain,dc=com, with filter (objectClass=posixAccount)(uid=myuser)
rlm_ldap: checking if remote access for myuser is allowed by dialupAccess
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user myuser authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "myuser" with password "Aï?ïïbfï?n~"
rlm_ldap: user DN: uid=myuser,ou=Users,dc=mydomain,dc=com
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: bind as uid=myuser,ou=Users,dc=mydomain,dc=com/Aï?ïïbfï?n~ to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
modcall[authenticate]: module "ldap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 244 to 192.168.221.125:1024
Waking up in 4 seconds...
From the client:
Sending Access-Request of id 244 to 192.168.0.2:1812
User-Name = "myuser"
User-Password = "secret"
NAS-IP-Address = suse
NAS-Port = 10
rad_recv: Access-Reject packet from host 192.168.0.2:1812, id=244, length=20
rad_decode: Received Access-Reject packet from 192.168.0.2:1812 with invalid signature (err=2)! (Shared secret is incorrect.)
I think that covers it. Any ideas before I go down the "install from source"
road?
[EMAIL PROTECTED]
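The two symptoms in the logs above (the server seeing unprintable bytes where the password should be, and the client rejecting the Access-Reject as having an invalid signature) are both what RFC 2865 produces when the NAS and the server use different shared secrets: User-Password is hidden by XORing it with MD5(secret + Request Authenticator), and the reply's Response Authenticator is MD5 over the reply plus the secret. The script below is an added example, not code from the post or from the FreeRADIUS project; it re-implements those two primitives in plain Python and runs one exchange with matching secrets and one with mismatched secrets. The packet builder, the "test" secrets, the fixed Request Authenticator in the demo and the simplified printability check are all constructed for the demonstration.

```python
# Added example (not from the post): the RFC 2865 primitives behind the two log
# symptoms. Secrets, attributes and the Request Authenticator used in the demo
# are constructed values, not taken from the poster's setup.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT = 1, 2, 5


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password. With the wrong secret the keystream is wrong and
    the result is pseudo-random bytes, which is what the server logged."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, _md5(secret, prev)))
        prev = chunk
    return out.rstrip(b"\x00")


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    attrs, pos = {}, 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return _md5(header, request_auth, attrs, secret)


def verify_response(packet, request_auth, secret):
    """The check a client performs on a reply; a failure here is the client's
    'invalid signature' message."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def has_unprintable(data):
    """Simplified form of the test behind the server's WARNING line."""
    return any(b < 0x20 or b > 0x7e for b in data)


def simulate(client_secret, server_secret, password=b"secret", request_auth=None):
    """Client builds an Access-Request with client_secret; the server decodes it and
    answers with an Access-Reject signed with server_secret; the client then checks
    the reply with client_secret. Returns what each side observed."""
    request_auth = request_auth or os.urandom(16)
    ident = 244
    attrs = (attr(ATTR_USER_NAME, b"myuser")
             + attr(ATTR_USER_PASSWORD, hide_password(password, client_secret, request_auth))
             + attr(ATTR_NAS_PORT, struct.pack("!I", 10)))
    request = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

    # Server side: recover the password with *its* secret, then sign the reject.
    seen = parse_attrs(request[20:])
    seen_password = reveal_password(seen[ATTR_USER_PASSWORD], server_secret, request_auth)
    reject_auth = response_authenticator(ACCESS_REJECT, ident, b"", request_auth, server_secret)
    reject = build_packet(ACCESS_REJECT, ident, reject_auth, b"")

    # Client side: validate the reply with *its* secret.
    return {
        "server_saw_password": seen_password,
        "server_warns_unprintable": has_unprintable(seen_password),
        "reject_length": len(reject),
        "client_accepts_signature": verify_response(reject, request_auth, client_secret),
    }


if __name__ == "__main__":
    print("matching secrets:  ", simulate(b"test", b"test"))
    print("mismatched secrets:", simulate(b"test", b"test "))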
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html