Hi,
I'll describe the error in my log better; I suppose the problem is in these lines:

Invalid operator for item EAP-Type: reverting to '=='
rlm_ldap: Pairs do not match. Rejecting user.
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns reject for request 5




Here is the end of my log file:


rad_recv: Access-Request packet from host 192.168.20.4:1645, id=97, length=240
        User-Name = "vlan3"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dacb.8420"
        Calling-Station-Id = "000c.f135.f1ba"
        Cisco-AVPair = "ssid=VLAN3"
        Service-Type = Login-User
        Message-Authenticator = 0xdc1ea9dbac4ed1f33ebb580a3c1c4a73
EAP-Message = 0x020600501900170301002088ea976b1bef6fd3a9bd5599650e83cd848cf424e51a204996c8941600f71b871703010020323a6993eede0a3f70fda756d35c73463b1f49efe677a830e25ab51d09220b6f
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "276"
        NAS-Port = 276
        State = 0xb0d694dd7c79d212c6f91ec33dceddf1
        NAS-IP-Address = 192.168.20.4
        NAS-Identifier = "ap"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: No '@' in User-Name = "vlan3", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 6 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
  modcall[authorize]: module "files" returns notfound for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for vlan3
radius_xlat:  '(uid=vlan3)'
radius_xlat:  'dc=create-net,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=vlan3)
rlm_ldap: Added password vlan3 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusCiscoAVPair as Cisco-AVPair, value ssid=VLAN3 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 3 & op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value IEEE-802 & op=11
rlm_ldap: user vlan3 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - vlan3
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled identity of vlan3
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to vlan3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: No '@' in User-Name = "vlan3", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 6 length 10
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
  modcall[authorize]: module "files" returns notfound for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for vlan3
radius_xlat:  '(uid=vlan3)'
radius_xlat:  'dc=create-net,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=vlan3)
rlm_ldap: Added password vlan3 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusCiscoAVPair as Cisco-AVPair, value ssid=VLAN3 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 3 & op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value IEEE-802 & op=11
Invalid operator for item EAP-Type: reverting to '=='
rlm_ldap: Pairs do not match. Rejecting user.
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns reject for request 5
modcall: leaving group authorize (returns reject) for request 5
Invalid user (rlm_ldap: Pairs do not match): [vlan3/<no User-Password attribute>] (from client cn-radius port 276 cli 000c.f135.f1ba)
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 97 to 192.168.20.4 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Private-Group-Id:0 = "3"
        Tunnel-Medium-Type:0 = IEEE-802
EAP-Message = 0x01070050190017030100207e6749688570ab3f6990aa513c84e1d57d72b0c19700ac8d067ab772d8a483221703010020698cbf6325fc65cc53a2c5f38ded1ceda6937e856568c4d62dfaf798a05261d3
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe4aede9badece66c821fb17e67e9d969
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=98, length=240
        User-Name = "vlan3"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dacb.8420"
        Calling-Station-Id = "000c.f135.f1ba"
        Cisco-AVPair = "ssid=VLAN3"
        Service-Type = Login-User
        Message-Authenticator = 0x3a85a008df8442db44495e79eec73a91
EAP-Message = 0x0207005019001703010020717b9678780436411ce8d845e6a7afe99d179bcb45bb1b4f5d992ce5694899eb1703010020341bafcfa52a2e0e5c8c9e8decbf4c57ae787f9eb9a2116a8bc00d83ac2ff2b2
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "276"
        NAS-Port = 276
        State = 0xe4aede9badece66c821fb17e67e9d969
        NAS-IP-Address = 192.168.20.4
        NAS-Identifier = "ap"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "vlan3", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 7 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
  modcall[authorize]: module "files" returns notfound for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for vlan3
radius_xlat:  '(uid=vlan3)'
radius_xlat:  'dc=create-net,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=vlan3)
rlm_ldap: Added password vlan3 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusCiscoAVPair as Cisco-AVPair, value ssid=VLAN3 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 3 & op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value IEEE-802 & op=11
rlm_ldap: user vlan3 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 6
modcall: leaving group authenticate (returns invalid) for request 6
auth: Failed to validate the user.
Login incorrect: [vlan3/<no User-Password attribute>] (from client ap-test-ivan port 276 cli 000c.f135.f1ba)
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.20.4:1645, id=98, length=240
Sending Access-Reject of id 98 to 192.168.20.4 port 1645
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 1 seconds...



What is wrong?
Thanks, bye Antonio




on 17/05/2006 14.11 Mitchell, Michael J said the following:
Hi Antonio,

 ldap: compare_check_items = no

You need to set "compare_check_items = yes" in the ldap module
configuration? The default is "no".

regards,
Mike
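
A triage helper for debug output in the format shown above, added here as an example (it is not part of the original post or of FreeRADIUS): it reports each module that returned a failing code, the lines logged just before it, and which pass through that section of the request it happened in. The function name, the `pass` field and the sample lines (constructed, in the log's format) are assumptions of this example.

```python
import re

# Constructed sample: a few lines in the format of the debug output above.
SAMPLE = """\
modcall: entering group authorize for request 5
  modcall[authorize]: module "eap" returns updated for request 5
rlm_ldap: user vlan3 authorized to use remote access
  modcall[authorize]: module "ldap" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
  PEAP: Setting User-Name to vlan3
modcall: entering group authorize for request 5
Invalid operator for item EAP-Type: reverting to '=='
rlm_ldap: Pairs do not match. Rejecting user.
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns reject for request 5
modcall: leaving group authorize (returns reject) for request 5
"""

ENTER = re.compile(r'modcall: entering group (\w+) for request (\d+)')
MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
FAILING = {"reject", "fail", "invalid", "userlock"}  # codes that stop a request

def find_failures(log_text):
    """Return one dict per module result whose return code is in FAILING."""
    failures, pending, passes = [], [], {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTER.search(line)
        if m:  # a new pass through a section of the same request
            key = (m.group(2), m.group(1))
            passes[key] = passes.get(key, 0) + 1
            pending = []
            continue
        m = MODCALL.search(line)
        if m:
            section, module, code, req = m.groups()
            if code in FAILING:
                failures.append({
                    "request": int(req), "section": section, "module": module,
                    "code": code, "pass": passes.get((req, section), 0),
                    "context": pending[-4:],  # lines logged just before the result
                })
            pending = []
        elif line:
            pending.append(line)
    return failures

if __name__ == "__main__":
    for f in find_failures(SAMPLE):
        print(f)
```

In the full log above, the second authorize pass of request 5 is the one that follows "PEAP: Setting User-Name to vlan3", so a failure reported with `pass` 2 belongs to the tunneled identity rather than the outer request.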