Hi, as it says

rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for myRfx with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 9

you will need a clear-text password or an NT/LM password hash in your LDAP directory. Then you have to map that attribute (for example sambaNTPassword) to User-Password. You are trying to do MSCHAP but there is simply no defined password for this authorization type.

Regards,
Edvin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paolo Barbato
Sent: Thursday, 01 December 2005 09:48
To: [email protected]
Subject: 802.1x ldap tls

Hi list,
yes I know that this question has been discussed so many times but, still, I'm in trouble.
I've set up freeradius in order to authenticate+authorize Cisco Aironet NAS.
I've successfully connected PC/MAC wireless clients using TTLS+PAP with an LDAP DB in the backend.
The problem arises when I try to do the same with TLS, I mean PEAP+MSCHAP and an LDAP DB. This doesn't work.
If I set a local user in the users file, that is good, but if I try an LDAP user nothing comes.
LDAP stores the plain password.
Some hints?

Here, some extracts from the log:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for myRfx
radius_xlat: '(uid=myRfx)'
radius_xlat: 'o=Consorzio RFX'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=Consorzio RFX, with filter (uid=myRfx)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user myRfx authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 9
modcall: group authorize returns updated for request 9
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 9
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for myRfx with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 9
modcall: group Auth-Type returns reject for request 9
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 9
modcall: group authenticate returns reject for request 9
auth: Failed to validate the user.
Login incorrect: [myRfx/<no User-Password attribute>] (from client localhost port 0)
PEAP: Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\tE=691 R=1"
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x9db3b30 3
        MS-CHAP-Error = "\tE=691 R=1"
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 9
modcall: group authenticate returns handled for request 9
Sending Access-Challenge of id 239 to 150.178.33.150:1645
        EAP-Message = 0x010a002a1900170301001f1daf025ff66ee7cba51f42762f540bf78052e745788d4144c9705681d67359
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2846493df32aa5a3d90a7d4d8c3b4867
Finished request 9
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 150.178.33.150:1645, id=240, length=176
        User-Name = "myRfx"
        Framed-MTU = 1400
        Called-Station-Id = "0011.2075.ab11"
        Calling-Station-Id = "0030.6519.c496"
        Service-Type = Login-User
        Message-Authenticator = 0x33f13f5d35c399dbc0f3422dc2c798d9
        EAP-Message = 0x020a002a1900170301001fa1cae4d87f9f3e55c42ec8b99729dadddf42ba9a8f4eba029615a9ece90eff
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 12652
        State = 0x2846493df32aa5a3d90a7d4d8c3b4867
        NAS-IP-Address = 150.178.33.150
        NAS-Identifier = "NET26"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
modcall[authorize]: module "preprocess" returns ok for request 10
modcall[authorize]: module "chap" returns noop for request 10
modcall[authorize]: module "mschap" returns noop for request 10
rlm_realm: No '@' in User-Name = "myRfx", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 10
rlm_eap: EAP packet type response id 10 length 42
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 10
modcall[authorize]: module "files" returns notfound for request 10
rlm_ldap: - authorize
rlm_ldap: performing user authorization for myRfx
radius_xlat: '(uid=myRfx)'
radius_xlat: 'o=Consorzio RFX'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=Consorzio RFX, with filter (uid=myRfx)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user myRfx authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 10
modcall: group authorize returns updated for request 10
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 10
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 10
modcall: group authenticate returns invalid for request 10
auth: Failed to validate the user.
Login incorrect: [myRfx/<no User-Password attribute>] (from client rfxnet1 port 12652 cli 0030.6519.c496)
Delaying request 10 for 1 seconds
Finished request 10
Going to the next request

Regards,
Paolo.
--
------------------------------------------------------------------------------------------------
Paolo Barbato                 email: mailto:[EMAIL PROTECTED]
Network Administrator         phone: (39-049)-829-5097
                                     (39-049)-829-5000
Corso Stati Uniti,4           www:   http://www.igi.cnr.it
35127 Camin-Padova            PGP:   http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
ITALY                         JabberID: [EMAIL PROTECTED]
------------------------------------------------------------------------------------------------

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
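An added example (my own Python, not FreeRADIUS or list code) of the derivation rlm_mschap reports it cannot perform above: NT-Password is MD4 over the UTF-16LE clear-text User-Password, so the directory has to hand the server either the clear-text password mapped to User-Password or a ready-made hash such as Samba's sambaNTPassword. The `check_items` dict and `mschap_nt_hash` are a simplified stand-in (my assumption) for the module's check-item lookup, and MD4 is implemented inline so the block runs where hashlib has no md4.

```python
import struct

# Added example (not FreeRADIUS code). MD4 per RFC 1320 implemented inline so the
# block runs where hashlib has no md4 (OpenSSL 3 hides it in the legacy provider).
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    bit_len = len(data) * 8
    # Pad: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # (boolean function, additive constant, shift schedule, message-word order) per round
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), lambda i: i),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         lambda i: (i % 4) * 4 + i // 4),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         lambda i: int(f"{i:04b}"[::-1], 2)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, idx in rounds:
            for i in range(16):
                a = _rotl((a + fn(b, c, d) + x[idx(i)] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        a, b, c, d = ((a + aa) & _MASK, (b + bb) & _MASK,
                      (c + cc) & _MASK, (d + dd) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_password(cleartext: str) -> str:
    """NT-Password as rlm_mschap derives it from User-Password: MD4(UTF-16LE(pw)), hex."""
    return md4(cleartext.encode("utf-16-le")).hex().upper()


def mschap_nt_hash(check_items: dict) -> str:
    """Simplified stand-in (assumption) for rlm_mschap's lookup: use an NT-Password check
    item if the directory supplied one, else derive it from a clear-text User-Password."""
    if "NT-Password" in check_items:
        return check_items["NT-Password"].upper()
    if "User-Password" in check_items:
        return nt_password(check_items["User-Password"])
    # The branch the log above shows: neither item was mapped from the LDAP entry.
    raise ValueError("FAILED: No NT/LM-Password. Cannot perform authentication.")
```

If the LDAP entry only carries userPassword, mapping it to User-Password lets the first derivation run; if it carries sambaNTPassword, that value can be mapped to NT-Password directly and no clear-text copy is needed.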

