Hi
I sent two ldapentry ldapsearch result and debug. In this ldapsearch there
is clear-text userPassword. anyway i decribe the problem shortly for your
help.
like in howto
authorize {
preprocess
files
ldap
eap
}
authenticate {
ldap
eap
}
ldapsearch result
userpassword=ramazan
.............
radiusclass=groupnet
objectclass=radiusprofile
objectclass=top
objectclass=posixAccount
objectclass=shadowAccount
...
radtest successful for this configuration but xp client does't.
ldapattr.maphas User-Password to userPassword mapping. deleting the
entry ldap in
authentication block in radius.conf results unsuccessful both for radtest
and xp client.
For this configuration above debug log
rad_recv: Access-Request packet from host 192.168.100.17:1812, id=7,
length=129
NAS-IP-Address = 192.168.100.17
NAS-Port = 50001
NAS-Port-Type = Ethernet
User-Name = "ramazan"
Called-Station-Id = "00-0F-8F-77-DB-81"
Calling-Station-Id = "00-12-79-AE-D2-4D"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0204000c0172616d617a616e
Message-Authenticator = 0x61cab38d83f6ed1abbd2ac2c8ce5b0bf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=dot1x.com'
radius_xlat: '(uid=ramazan)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.100.18:389, authentication 0
rlm_ldap: bind as / to 192.168.100.18:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
ldap_release_conn: Release Id: 0
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com
))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter
(&(cn=VPN)(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com
))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com))))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=ramazan,cn=users,cn=idc,dc=dot1x.com,
with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group VPN
ldap_release_conn: Release Id: 0
users: Matched DEFAULT at 174
modcall[authorize]: module "files" returns ok for request 0
rlm_eap: EAP packet type notification id 4 length 12
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ramazan
radius_xlat: '(uid=ramazan)'
radius_xlat: 'dc=dot1x.com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
rlm_ldap: checking if remote access for ramazan is allowed by
radiusGroupName
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id,
value 2 & op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 &
op=11
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
rlm_ldap: Adding radiusClass as Class, value employee & op=11
rlm_ldap: user ramazan authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 0
rlm_eap: EAP packet type notification id 4 length 12
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [ramazan/<no User-Password attribute>] (from client radius port
50001 cli 00-12-79-AE-D2-4D)
Sending Access-Challenge of id 7 to 192.168.100.17:1812
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Tunnel-Private-Group-Id:0 = "2"
Tunnel-Medium-Type:0 = 6
Tunnel-Type:0 = VLAN
Class = 0x656d706c6f796565
EAP-Message = 0x0105001604105a4f17068db0feb3ebdee25f9cfe966f
Message-Authenticator = 0x00000000000000000000000000000000
State =
0x395efcd2fb04e81f34be33bd9cd0cf0831cbc4456746df615bd2474fb42f67add24a0e16
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.100.17:1812, id=8,
length=184
NAS-IP-Address = 192.168.100.17
NAS-Port = 50001
NAS-Port-Type = Ethernet
User-Name = "ramazan"
Called-Station-Id = "00-0F-8F-77-DB-81"
Calling-Station-Id = "00-12-79-AE-D2-4D"
Service-Type = Framed-User
Framed-MTU = 1500
State =
0x395efcd2fb04e81f34be33bd9cd0cf0831cbc4456746df615bd2474fb42f67add24a0e16
EAP-Message = 0x0205001d0410820fd3de9d3280644551107995e35ea872616d617a616e
Message-Authenticator = 0xaedb1daf912087d870c9a486827f1eef
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=dot1x.com'
radius_xlat: '(uid=ramazan)'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
ldap_release_conn: Release Id: 0
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com
))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter
(&(cn=VPN)(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com
))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=
dot1x.com))))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=ramazan,cn=users,cn=idc,dc=dot1x.com,
with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group VPN
ldap_release_conn: Release Id: 0
users: Matched DEFAULT at 174
modcall[authorize]: module "files" returns ok for request 1
rlm_eap: EAP packet type notification id 5 length 29
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ramazan
radius_xlat: '(uid=ramazan)'
radius_xlat: 'dc=dot1x.com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
rlm_ldap: checking if remote access for ramazan is allowed by
radiusGroupName
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id,
value 2 & op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 &
op=11
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
rlm_ldap: Adding radiusClass as Class, value employee & op=11
rlm_ldap: user ramazan authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1
rlm_eap: EAP packet type notification id 5 length 29
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - md5
rlm_eap: processing type md5
rlm_eap_md5: No password configured for this user (there is a password in
ldap in clear-text radtest successful)
modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Login incorrect: [ramazan/<no User-Password attribute>] (from client radius
port 50001 cli 00-12-79-AE-D2-4D)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.100.17:1812, id=8,
length=184
Sending Access-Reject of id 8 to 192.168.100.17:1812
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
On 2/7/07, Phil Mayers <[EMAIL PROTECTED]> wrote:
Ramazan Ulker wrote:
> rlm_eap: EAP_TYPE - md5
> rlm_eap: processing type md5
> rlm_eap_md5: No password configured for this user
> modcall[authenticate]: module "eap" returns invalid for request 1
> modcall: group authenticate returns invalid for request 1
> auth: Failed to validate the user.
EAP-MD5 needs the plaintext password.
> rad_check_password: Found Auth-Type ldap
> auth: type "LDAP"
> modcall: entering group authenticate for request 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
> modcall[authenticate]: module "ldap" returns invalid for request 0
> modcall: group authenticate returns invalid for request 0
> auth: Failed to validate the user.
rlm_ldap can only *AUTHENTICATE* PAP requests. Since you've over-ridden
Auth-Type (as you've been told not to) you're trying to force an EAP
request through it.
Don't set Auth-Type
If you want to use EAP-MD5, your LDAP directory will need to contain a
plaintext password and be configured to pass it to FreeRadius, because
EAP-MD5 needs the plaintext password. Do you have that?
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
