On Wed, 2009-09-09 at 08:02 +1200, Peter Lambrechtsen wrote: > On 9/09/2009, at 2:43 AM, Alan DeKok <[email protected]> wrote: > > > Michael Fischer wrote: > >> I'm trying to set up 802.1x authentication on my Enterasys > >> AccessPoints > >> using freeradius and eDirectory. > >> > >> Freeradius and eDirectory work like a charm when I use it for Cisco- > >> VPN > >> authentication. > > > > Which is likely PAP (i.e. clear-text password). > > > > > >> rlm_ldap: Error reading Universal Password.Return Code = -1635 > > > > Go fix that. > > > > eDirectory isn't returning the password. Therefore, FreeRADIUS > > doesn't have it, and cannot authenticate anyone. > > Turn on universal password and allow user to retrieve password in your > universal password policy. > Then reset their password using imanager or via ldap and try again. > > > > > > > Alan DeKok. Hi,
the strange thing is that I've never used anything else than universal
password and my universal password policy does allow the user to read
the password.
I get the same error with the working Cisco-VPN configuration, see the
debug output:
Ready to process requests.
rad_recv: Access-Request packet from host 10.99.4.1:1025, id=161,
length=142
User-Name = "dfuernsin"
User-Password = "xxxxxx"
NAS-Port = 172
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "10.99.4.1"
Calling-Station-Id = "10.3.4.97"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "10.3.4.97"
NAS-IP-Address = 10.99.4.1
Cisco-AVPair = "ip:source-ip=10.3.4.97"
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dfuernsin
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64
rlm_ldap: starting TLS
rlm_ldap: bind as cn=admin,o=TGM/xxxxxx to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: checking if remote access for dfuernsin is allowed by
dialupAccess
rlm_ldap: Error reading Universal Password.Return Code = -1635
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusClass as Class, value TGM-ITS & op=11
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user dfuernsin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
rlm_ldap: - authenticate
rlm_ldap: login attempt by "dfuernsin" with password "xxxxxxx"
rlm_ldap: user DN: cn=dfuernsin,ou=ITS,ou=People,o=TGM
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64
rlm_ldap: starting TLS
rlm_ldap: bind as cn=dfuernsin,ou=ITS,ou=People,o=TGM/xxxxxx to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user dfuernsin authenticated succesfully
Login OK: [dfuernsin] (from client firewall port 172 cli 10.3.4.97)
Sending Access-Accept of id 161 to 10.99.4.1 port 1025
Class = 0x54474d2d495453
I guess that cannot be the problem then...
lg, Mike
--
Please stop top-quoting!
email: [email protected]
signature.asc
Description: This is a digitally signed message part
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
