Hi,

On Tue, 2005-03-08 at 15:44 +0100, guest01 wrote:
> hm, radius is very strange .... Can anyone please help me?
> this is the logfile output after testing with radexample:
>
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=40, length=66
>         User-Name = "testuser"
>         User-Password = "123456"
>         Service-Type = Authenticate-Only
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 0

These are the attributes in the request. As you can see, the client sends User-Password = "testuser". This will be used to perform authentication.

> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> users: Matched DEFAULT at 152
> modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat: '(&(objectclass=gibraltarUser)(uid=testuser))'
> radius_xlat: 'ou=users,dc=gibraltar,dc=local'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
> filter (&(objectclass=gibraltarUser)(uid=testuser))
> rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user testuser authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "testuser" with password "123456"
> rlm_ldap: user DN: uid=testuser,ou=users,dc=gibraltar,dc=local
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as uid=testuser,ou=users,dc=gibraltar,dc=local/123456 to

This is where the LDAP authentication takes place (binding as testuser with password 123456).

> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user testuser authenticated succesfully
> modcall[authenticate]: module "ldap" returns ok for request 0
> modcall: group Auth-Type returns ok for request 0
> Sending Access-Accept of id 40 to 127.0.0.1:1025
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 40 with timestamp 422db560
> Nothing to do. Sleeping until we see a request.
>
> and this is the output after trying to connect via pptpd with winxp prof.
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=41, length=54
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         User-Name = "testuser"
>         NAS-IP-Address = 66.150.161.140
>         NAS-Port = 0

In this case there is no User-Password attribute in the request. So later on, in the authenticate section, it has the username (testuser) but no password to bind with, hence authentication fails.

> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> users: Matched DEFAULT at 152
> users: Matched DEFAULT at 171
> users: Matched DEFAULT at 183
> modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat: '(&(objectclass=gibraltarUser)(uid=testuser))'
> radius_xlat: 'ou=users,dc=gibraltar,dc=local'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
> filter (&(objectclass=gibraltarUser)(uid=testuser))
> rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user testuser authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
> modcall[authenticate]: module "ldap" returns invalid for request 0
> modcall: group Auth-Type returns invalid for request 0
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 41 to 127.0.0.1:1025
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 41 with timestamp 422db59d
> Nothing to do. Sleeping until we see a request.
>
> The first part, the authorize-part works fine, but the authentication-part
> will not work!!! Any ideas? In my radiusd.conf, I configured everything
> right (I think). Otherwise it wouldn't work with radexample or radtest.
>
> Just for understanding, what the hell does the authentication part do? What
> attributes do I need for it to get it work? Isn't radiusauthtype enough?
>
> I just want my users to authenticate via radius to my pptp server, I don't
> need special authentication attributes like radiussessiontime or
> whatever...
> I tried to set authenticate-only as default, but it didn't work
>
> please help!
> best regards
> peda
>
> PS: Debian woody, with freeradius 1.0.1 and ppp 2.4.3

Regards,
-Sayantan.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
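
An added example, not part of the original message and not FreeRADIUS code: a small Python check over radiusd debug output that pairs each received request with the Auth-Type chosen for it and flags requests handed to LDAP bind authentication without a User-Password, which is the failure in the second trace. The sample log is constructed from the traces quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample, condensed from the two radiusd debug traces quoted above.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=40, length=66
\tUser-Name = "testuser"
\tUser-Password = "123456"
\tService-Type = Authenticate-Only
rad_check_password: Found Auth-Type LDAP
Sending Access-Accept of id 40 to 127.0.0.1:1025
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=41, length=54
\tService-Type = Framed-User
\tFramed-Protocol = PPP
\tUser-Name = "testuser"
rad_check_password: Found Auth-Type LDAP
rlm_ldap: Attribute "User-Password" is required for authentication.
Sending Access-Reject of id 41 to 127.0.0.1:1025
"""

RECV = re.compile(r"rad_recv: (\S+) packet from host \S+, id=(\d+)")
ATTR = re.compile(r"\s*([A-Za-z][\w-]*) = (.*)")
AUTH = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
SEND = re.compile(r"Sending (Access-\w+) of id (\d+)")

def parse_requests(log):
    """Return one dict per received packet: id, code, attrs, auth_type, reply."""
    requests, cur = [], None
    for raw in log.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate mail-quoted traces
        if m := RECV.match(line):
            cur = {"id": int(m[2]), "code": m[1], "attrs": {},
                   "auth_type": None, "reply": None}
            requests.append(cur)
        elif cur is None:
            continue
        elif m := ATTR.fullmatch(line):
            # Record that a password was present without keeping its value.
            value = "<redacted>" if m[1] == "User-Password" else m[2].strip('"')
            cur["attrs"][m[1]] = value
        elif m := AUTH.match(line):
            cur["auth_type"] = m[1]
        elif (m := SEND.match(line)) and int(m[2]) == cur["id"]:
            cur["reply"] = m[1]
    return requests

def missing_bind_password(requests):
    """Ids of requests sent to Auth-Type LDAP without a User-Password to bind with."""
    return [r["id"] for r in requests
            if r["auth_type"] == "LDAP" and "User-Password" not in r["attrs"]]

if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_LOG)
    print("requests with nothing to bind with:", missing_bind_password(reqs))
```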

