Hi, I sent two ldap entry ldapsearch results and debug output. In this ldapsearch there is a clear-text userPassword. Anyway, I describe the problem shortly for your help. Like in the howto:

authorize { preprocess files ldap eap }
authenticate { ldap eap }

ldapsearch result:

userpassword=ramazan
.............
radiusclass=groupnet
objectclass=radiusprofile
objectclass=top
objectclass=posixAccount
objectclass=shadowAccount
...

radtest is successful for this configuration but the XP client doesn't. ldapattr.map has the User-Password to userPassword mapping. Deleting the ldap entry in the authentication block in radius.conf results in failure both for radtest and the XP client.

For the configuration above, debug log:

rad_recv: Access-Request packet from host 192.168.100.17:1812, id=7, length=129
        NAS-IP-Address = 192.168.100.17
        NAS-Port = 50001
        NAS-Port-Type = Ethernet
        User-Name = "ramazan"
        Called-Station-Id = "00-0F-8F-77-DB-81"
        Calling-Station-Id = "00-12-79-AE-D2-4D"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x0204000c0172616d617a616e
        Message-Authenticator = 0x61cab38d83f6ed1abbd2ac2c8ce5b0bf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=dot1x.com'
radius_xlat: '(uid=ramazan)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.100.18:389, authentication 0
rlm_ldap: bind as / to 192.168.100.18:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
ldap_release_conn: Release Id: 0
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=dot1x.com))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=dot1x.com)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter (&(cn=VPN)(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=dot1x.com))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=dot1x.com))))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=ramazan,cn=users,cn=idc,dc=dot1x.com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group VPN
ldap_release_conn: Release Id: 0
users: Matched DEFAULT at 174
modcall[authorize]: module "files" returns ok for request 0
rlm_eap: EAP packet type notification id 4 length 12
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ramazan
radius_xlat: '(uid=ramazan)'
radius_xlat: 'dc=dot1x.com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
rlm_ldap: checking if remote access for ramazan is allowed by radiusGroupName
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 2 & op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 & op=11
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
rlm_ldap: Adding radiusClass as Class, value employee & op=11
rlm_ldap: user ramazan authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 0
rlm_eap: EAP packet type notification id 4 length 12
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [ramazan/<no User-Password attribute>] (from client radius port 50001 cli 00-12-79-AE-D2-4D)
Sending Access-Challenge of id 7 to 192.168.100.17:1812
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        Tunnel-Private-Group-Id:0 = "2"
        Tunnel-Medium-Type:0 = 6
        Tunnel-Type:0 = VLAN
        Class = 0x656d706c6f796565
        EAP-Message = 0x0105001604105a4f17068db0feb3ebdee25f9cfe966f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x395efcd2fb04e81f34be33bd9cd0cf0831cbc4456746df615bd2474fb42f67add24a0e16
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.100.17:1812, id=8, length=184
        NAS-IP-Address = 192.168.100.17
        NAS-Port = 50001
        NAS-Port-Type = Ethernet
        User-Name = "ramazan"
        Called-Station-Id = "00-0F-8F-77-DB-81"
        Calling-Station-Id = "00-12-79-AE-D2-4D"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x395efcd2fb04e81f34be33bd9cd0cf0831cbc4456746df615bd2474fb42f67add24a0e16
        EAP-Message = 0x0205001d0410820fd3de9d3280644551107995e35ea872616d617a616e
        Message-Authenticator = 0xaedb1daf912087d870c9a486827f1eef
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=dot1x.com'
radius_xlat: '(uid=ramazan)'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
ldap_release_conn: Release Id: 0
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=dot1x.com))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=dot1x.com)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter (&(cn=VPN)(|(&(objectClass=GroupOfNames)(member=uid=ramazan,cn=users,cn=idc,dc=dot1x.com))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=ramazan,cn=users,cn=idc,dc=dot1x.com))))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=ramazan,cn=users,cn=idc,dc=dot1x.com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group VPN
ldap_release_conn: Release Id: 0
users: Matched DEFAULT at 174
modcall[authorize]: module "files" returns ok for request 1
rlm_eap: EAP packet type notification id 5 length 29
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ramazan
radius_xlat: '(uid=ramazan)'
radius_xlat: 'dc=dot1x.com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dot1x.com, with filter (uid=ramazan)
rlm_ldap: checking if remote access for ramazan is allowed by radiusGroupName
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 2 & op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value 6 & op=11
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN & op=11
rlm_ldap: Adding radiusClass as Class, value employee & op=11
rlm_ldap: user ramazan authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1
rlm_eap: EAP packet type notification id 5 length 29
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - md5
rlm_eap: processing type md5
rlm_eap_md5: No password configured for this user   (there is a password in ldap in clear-text; radtest successful)
modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Login incorrect: [ramazan/<no User-Password attribute>] (from client radius port 50001 cli 00-12-79-AE-D2-4D)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.100.17:1812, id=8, length=184
Sending Access-Reject of id 8 to 192.168.100.17:1812
        EAP-Message = 0x04050004
        Message-Authenticator = 0x00000000000000000000000000000000

On 2/7/07, Phil Mayers <[EMAIL PROTECTED]> wrote:
> Ramazan Ulker wrote:
>> rlm_eap: EAP_TYPE - md5
>> rlm_eap: processing type md5
>> rlm_eap_md5: No password configured for this user
>> modcall[authenticate]: module "eap" returns invalid for request 1
>> modcall: group authenticate returns invalid for request 1
>> auth: Failed to validate the user.
>
> EAP-MD5 needs the plaintext password.
>
>> rad_check_password: Found Auth-Type ldap
>> auth: type "LDAP"
>> modcall: entering group authenticate for request 0
>> rlm_ldap: - authenticate
>> rlm_ldap: Attribute "User-Password" is required for authentication.
>> modcall[authenticate]: module "ldap" returns invalid for request 0
>> modcall: group authenticate returns invalid for request 0
>> auth: Failed to validate the user.
>
> rlm_ldap can only *AUTHENTICATE* PAP requests. Since you've over-ridden Auth-Type (as you've been told not to) you're trying to force an EAP request through it. Don't set Auth-Type.
>
> If you want to use EAP-MD5, your LDAP directory will need to contain a plaintext password and be configured to pass it to FreeRadius, because EAP-MD5 needs the plaintext password. Do you have that?
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
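Phil's point that EAP-MD5 needs the plaintext password follows from the protocol itself, and the debug output above contains a complete MD5-Challenge exchange to look at. The following Python is an added example, not code from the thread or from FreeRADIUS: it decodes the four EAP-Message values captured in the log (the Identity response, the id 5 MD5-Challenge request, the XP client's id 5 response and the final Failure) and implements the RFC 3748 Type 4 check, MD5(Identifier || password || Challenge). A server that does not hold the cleartext password cannot recompute that digest, which is the condition rlm_eap_md5 logs as "No password configured for this user"; a hashed userPassword such as {SSHA} would not help either. The password b"secret" used for the round trip and all function names are constructed for this example.

```python
"""EAP-MD5 (RFC 3748, Type 4) decoding and server-side verification.

Added example; not from the FreeRADIUS list thread or the FreeRADIUS source.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4

# EAP-Message values exactly as they appear in the thread's debug output.
IDENTITY_HEX = "0204000c0172616d617a616e"
CHALLENGE_HEX = "0105001604105a4f17068db0feb3ebdee25f9cfe966f"
RESPONSE_HEX = "0205001d0410820fd3de9d3280644551107995e35ea872616d617a616e"
FAILURE_HEX = "04050004"


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]  # None for Success/Failure, which carry no Type
    type_data: bytes


def parse_eap(raw: bytes) -> EapPacket:
    """Split an EAP packet into Code, Identifier, Length, Type and Type-Data."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"Length field {length} != actual {len(raw)}")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, identifier, length, None, b"")
    if length < 5:
        raise ValueError("Request/Response must carry a Type byte")
    return EapPacket(code, identifier, length, raw[4], raw[5:])


def parse_md5_challenge(pkt: EapPacket) -> Tuple[bytes, bytes]:
    """Return (Value, Name) from an MD5-Challenge Request or Response."""
    if pkt.eap_type != EAP_TYPE_MD5 or not pkt.type_data:
        raise ValueError("not an MD5-Challenge packet")
    size = pkt.type_data[0]           # Value-Size octet
    value = pkt.type_data[1:1 + size]
    if len(value) != size:
        raise ValueError("Value-Size runs past the end of the packet")
    return value, pkt.type_data[1 + size:]


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-style proof: MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_response(request: bytes, password: bytes, name: bytes) -> bytes:
    """What a supplicant sends back for an MD5-Challenge request."""
    req = parse_eap(request)
    challenge, _ = parse_md5_challenge(req)
    value = md5_response(req.identifier, password, challenge)
    type_data = bytes([len(value)]) + value + name
    length = 4 + 1 + len(type_data)   # header + Type + Type-Data
    return (bytes([EAP_RESPONSE, req.identifier]) + length.to_bytes(2, "big")
            + bytes([EAP_TYPE_MD5]) + type_data)


def verify_md5_response(request: bytes, response: bytes,
                        password: Optional[bytes]) -> bool:
    """Server-side check. The server must hold the cleartext password to
    recompute the digest; with none available (password is None) the check
    cannot be done, which is what rlm_eap_md5 reports as
    'No password configured for this user'."""
    if password is None:
        return False
    req, resp = parse_eap(request), parse_eap(response)
    if req.code != EAP_REQUEST or resp.code != EAP_RESPONSE:
        return False
    if req.identifier != resp.identifier:  # response must answer this challenge
        return False
    challenge, _ = parse_md5_challenge(req)
    given, _ = parse_md5_challenge(resp)
    expected = md5_response(req.identifier, password, challenge)
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    for label, hx in (("Identity", IDENTITY_HEX), ("Challenge", CHALLENGE_HEX),
                      ("Response", RESPONSE_HEX), ("Failure", FAILURE_HEX)):
        p = parse_eap(bytes.fromhex(hx))
        print(f"{label:9s} code={p.code} id={p.identifier} len={p.length} "
              f"type={p.eap_type} data={p.type_data.hex()}")
    challenge = bytes.fromhex(CHALLENGE_HEX)
    # Constructed password for the round trip; not taken from the thread.
    resp = build_md5_response(challenge, b"secret", b"ramazan")
    print("cleartext known:", verify_md5_response(challenge, resp, b"secret"))
    print("wrong password :", verify_md5_response(challenge, resp, b"other"))
    print("no password    :", verify_md5_response(challenge, resp, None))
```

Decoding the captured response shows the Name field carrying "ramazan" and a 16-octet Value, exactly the shape the server has to recompute; the only input it lacked in the failing run was the cleartext password, which is why fixing the userPassword to User-Password hand-off, not the Auth-Type, is the repair.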