Hi,

I'm trying to make FR 2.1.10 on Squeeze work with my LDAP installation. What I want to do is:

A host-based authentication for my workstations. All the names of the workstations are in LDAP; the authentication itself should be done with EAP-TLS. I would like to have a hint on how to start EAP when the LDAP query was successful. The LDAP query works, I think; FR says: [ldap] user scit-beerchen authorized to use remote access, but then it tries to make some kind of password authentication (I have no password for workstations in LDAP), and is not starting EAP-TLS. The asking host "scit-beerchen" is in the WLAN-User group.

What could I do?

Please have a look at my debug output:

rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139
       User-Name = "scit-beerchen"
       NAS-IP-Address = 10.48.244.28
       Called-Station-Id = "0016b64f44cc"
       Calling-Station-Id = "002268c63ff2"
       NAS-Identifier = "0016b64f44cc"
       NAS-Port = 11
       Framed-MTU = 1400
       NAS-Port-Type = Wireless-802.11
       EAP-Message = 0x0200001201736369742d626565726368656e
       Message-Authenticator = 0x12969f7ffa42f57be53a54474c1274be
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for scit-beerchen
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> scit-beerchen
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=scit-beerchen)
[ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de -> dc=verwaltung,dc=kh-berlin,dc=de
 [ldap] ldap_get_conn: Checking Id: 0
 [ldap] ldap_get_conn: Got Id: 0
 [ldap] attempting LDAP reconnection
 [ldap] (re)connect to physalis:389, authentication 0
 [ldap] bind as / to physalis:389
 [ldap] waiting for bind result ...
 [ldap] Bind was successful
[ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user scit-beerchen authorized to use remote access
 [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=scit-beerchen
[ntlm_auth]     expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> scit-beerchen
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.8 seconds.
rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139
Cleaning up request 0 ID 0 with timestamp +1034
       User-Name = "scit-beerchen"
       NAS-IP-Address = 10.48.244.28
       Called-Station-Id = "0016b64f44cc"
       Calling-Station-Id = "002268c63ff2"
       NAS-Identifier = "0016b64f44cc"
       NAS-Port = 11
       Framed-MTU = 1400
       NAS-Port-Type = Wireless-802.11
       EAP-Message = 0x0200001201736369742d626565726368656e
       Message-Authenticator = 0x11c70e19e2f1150428f5cc12d535e57b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for scit-beerchen
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> scit-beerchen
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=scit-beerchen)
[ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de -> dc=verwaltung,dc=kh-berlin,dc=de
 [ldap] ldap_get_conn: Checking Id: 0
 [ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user scit-beerchen authorized to use remote access
 [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=scit-beerchen
[ntlm_auth]     expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> scit-beerchen
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139
Cleaning up request 1 ID 0 with timestamp +1034
       User-Name = "scit-beerchen"
       NAS-IP-Address = 10.48.244.28
       Called-Station-Id = "0016b64f44cc"
       Calling-Station-Id = "002268c63ff2"
       NAS-Identifier = "0016b64f44cc"
       NAS-Port = 11
       Framed-MTU = 1400
       NAS-Port-Type = Wireless-802.11
       EAP-Message = 0x0200001201736369742d626565726368656e
       Message-Authenticator = 0x781aba777bfd1eee9fb99135f368597f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for scit-beerchen
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> scit-beerchen
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=scit-beerchen)
[ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de -> dc=verwaltung,dc=kh-berlin,dc=de
 [ldap] ldap_get_conn: Checking Id: 0
 [ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user scit-beerchen authorized to use remote access
 [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=scit-beerchen
[ntlm_auth]     expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> scit-beerchen
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 0 to 10.48.244.28 port 3079
Waking up in 4.9 seconds.
Cleaning up request 2 ID 0 with timestamp +1034
Ready to process requests.


This is my "default" site:

authorize {
       preprocess
       chap
       mschap
       digest
       suffix
       ntdomain
       eap {
               ok = return
       }
       files
       ldap
       if (notfound) {
         reject
       }
       expiration
       logintime
       pap
       ntlm_auth
}
authenticate {
       Auth-Type PAP {
               pap
       }
       Auth-Type CHAP {
               chap
       }
       Auth-Type MS-CHAP {
               mschap
       }
       digest
       unix
       eap
       Auth-Type LDAP {
               ldap
               if (LDAP-Group == "WLAN-User") {
               noop
               }
               else {
                       reject
               }
       }
       ntlm_auth
}
preacct {
       preprocess
       acct_unique
       suffix
       files
}
accounting {
       detail
       unix
       radutmp
       exec
       attr_filter.accounting_response
}
session {
       radutmp
}
post-auth {
       exec
       Post-Auth-Type REJECT {
               attr_filter.access_reject
       }
}
pre-proxy {
}
post-proxy {
       eap
}


TIA
Alex
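The debug output above shows the actual failure: the eap module returns "updated" for the EAP identity response, so `ok = return` does not fire, the rest of authorize runs, and the `ntlm_auth` entry at the end of authorize executes the ntlm_auth program with an empty password and turns its exit code 1 into a reject before the request ever reaches the authenticate section. The `Auth-Type LDAP` block in authenticate is never reached for EAP requests at all, because the eap module has already set Auth-Type to EAP. The site fragment below is an added example, not the configuration from the original post or the one shipped with FreeRADIUS; it keeps the module instance names used in the post (eap, ldap, ntlm_auth) and assumes the LDAP group is named "WLAN-User", and it moves the group check into authorize, where policy decisions belong in 2.x.

```unlang
# Added example for /etc/freeradius/sites-enabled/default (FreeRADIUS 2.1.x):
# EAP-TLS for workstations whose names are in LDAP, plus an LDAP group check.
# Assumes the module instance names from the post and the group "WLAN-User".
authorize {
        preprocess
        chap
        mschap
        digest
        suffix
        ntdomain

        # eap sets Auth-Type := EAP for every packet carrying an EAP-Message.
        # "ok" skips the rest of this section; "updated" (what the post's
        # debug shows for the identity response) falls through to the
        # modules below, so the LDAP lookup runs on the first packet.
        eap {
                ok = return
        }
        files

        # Look the workstation up by its outer identity (User-Name).
        # EAP-TLS needs no password attribute, so the "No known good
        # password" warnings from ldap and pap are harmless here.
        ldap
        if (notfound) {
                reject
        }

        # Group membership is policy, so decide it here. rlm_ldap registers
        # the LDAP-Group comparison, which unlang can use directly.
        if (!(LDAP-Group == "WLAN-User")) {
                reject
        }

        expiration
        logintime
        pap
        # ntlm_auth is deliberately NOT listed here. It is an "exec" module:
        # in authorize it runs the ntlm_auth program for every request and
        # maps exit code 1 (wrong/empty password) to reject, which is what
        # produced "++[ntlm_auth] returns reject" in the debug output.
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        digest
        unix

        # EAP-TLS: eap drives the whole TLS handshake over several
        # Access-Challenge round trips. Trust in the client comes from its
        # certificate, not from anything stored in LDAP.
        eap

        # If ntlm_auth is still needed for other clients, keep it behind its
        # own Auth-Type so it only runs when explicitly selected (for
        # example via "DEFAULT Auth-Type := ntlm_auth" in the users file).
        Auth-Type ntlm_auth {
                ntlm_auth
        }
}
```

One check a practitioner should add alongside this: the User-Name used for the LDAP lookup is the unauthenticated outer EAP identity, so any host holding a valid client certificate from your CA could send the name of a different workstation and inherit that workstation's group membership. In eap.conf, set `check_cert_cn = %{User-Name}` in the `tls` section so the presented certificate's CN has to match the name that was looked up. Verify the result with `freeradius -X` and confirm that the first packet now ends in an Access-Challenge from the eap module rather than a reject from ntlm_auth.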

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html