Hi All,
I'm having trouble setting up my RADIUS (FreeRADIUS Version 2.1.7) to
auth to my openldap server (openldap-2.3.43-12.el5_6.7) on CentOS 5.5.
I am trying to configure EAP-TLS and think I am pretty close. I am
currently wondering if possibly I have an incorrect mapping in the
ldap.attrs file (it is completely default right now). Running
'radiusd -X' I do see some errors such as:
rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=anonymous)
rlm_ldap: object not found
[ldap] search failed
but later down the path of the session it looks like things are going
OK, seeing a bunch of EAP challenges and it expanding the username
and stuff being put into the inner-tunnel. However, in the end:
rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=marguin2)
[ldap] checking if remote access for marguin2 is allowed by uid
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure
that the user is configured correctly?
My ldap attribute for password is userPassword and I have tried
changing the values in the ldap.attrs to match this, but that did not
help. Here is the full output of the run of radiusd in debug mode.
Any insight is appreciated:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=181, length=132
User-Name = anonymous
Framed-MTU = 1400
Called-Station-Id = 64a0.e729.b890
Calling-Station-Id = 1c65.9d32.fb68
Service-Type = Login-User
Message-Authenticator = 0x247be03937ef0698a7ad23d2f86aa54b
EAP-Message = 0x0202000e01616e6f6e796d6f7573
NAS-Port-Type = Wireless-802.11
NAS-Port = 799
NAS-Port-Id = 799
NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = anonymous, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for anonymous
[ldap] expand: %{Stripped-User-Name} -
[ldap] expand: %{User-Name} - anonymous
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=anonymous)
[ldap] expand: dc=currensee,dc=com - dc=currensee,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.local.currensee.com:389, authentication 0
rlm_ldap: bind as
cn=radius,ou=Services,dc=currensee,dc=com/c17ad5805204465ab39d11e0381272c5
to ldap.local.currensee.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=anonymous)
rlm_ldap: object not found
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user 'anonymous'
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 181 to 192.168.10.31 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x
State = 0x12d3382012d02152159f345e3e0c333a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=182, length=228
User-Name = anonymous
Framed-MTU = 1400
Called-Station-Id = 64a0.e729.b890
Calling-Station-Id = 1c65.9d32.fb68
Service-Type = Login-User
Message-Authenticator = 0x07f8f2c72439114d5efd54762efa740b
EAP-Message =
0x0203005c19001603010051014d03014ea9917e4e0fee76b71533a74710796e73ac02e494439b92a5338ee6d1f1bcd92600390038003500160013000a00330032002f00050004001500120009001400110008000600030100
NAS-Port-Type = Wireless-802.11
NAS-Port = 799
NAS-Port-Id = 799
State = 0x12d3382012d02152159f345e3e0c333a
NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = anonymous, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 3 length 92
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found,
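To make output like the above easier to read, here is an added triage script (my own example, not part of the original post or of FreeRADIUS) that splits a radiusd -X transcript into one summary per Access-Request and names the LDAP-side condition behind each warning. The sample transcript, host address and base DN are constructed to mirror the shape of the post's output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the radiusd -X output quoted in the post.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.31 port 1645, id=181, length=132
User-Name = anonymous
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=anonymous)
++[ldap] returns notfound
[pap] WARNING! No known good password found for the user.
rad_recv: Access-Request packet from host 192.0.2.31 port 1645,
id=190, length=228
User-Name = marguin2
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=marguin2)
WARNING: No known good password was found in LDAP. Are you sure
++[ldap] returns ok
"""

@dataclass
class RequestSummary:
    request_id: int
    user_name: Optional[str] = None
    ldap_result: Optional[str] = None  # the X in "++[ldap] returns X"
    no_password: bool = False          # a "No known good password" warning was logged

def parse_radiusd_debug(text: str) -> List[RequestSummary]:
    """Split a radiusd -X transcript into one summary per Access-Request."""
    requests: List[RequestSummary] = []
    cur: Optional[RequestSummary] = None
    for line in text.splitlines():
        # A request starts at "id=N, length=M", so a rad_recv line that a mail
        # client wrapped onto two lines is still recognised.
        if m := re.search(r"\bid=(\d+), length=\d+", line):
            cur = RequestSummary(int(m.group(1)))
            requests.append(cur)
        elif cur is None:
            continue  # preamble before the first request
        elif m := re.match(r"\s*User-Name = (\S+)", line):
            cur.user_name = m.group(1)
        elif m := re.match(r"\s*\+\+\[ldap\] returns (\w+)", line):
            cur.ldap_result = m.group(1)
        elif "No known good password" in line:
            cur.no_password = True
    return requests

def triage(summary: RequestSummary) -> str:
    """Name the LDAP-side condition an admin would act on for one request."""
    if summary.ldap_result == "notfound":
        return "user-not-in-ldap"       # the uid filter matched nothing under the base DN
    if summary.no_password:
        return "no-password-attribute"  # user found, but no usable password attribute came back
    return "ok"
```

Run over the post's transcript, the outer "anonymous" identity shows up as user-not-in-ldap and the inner marguin2 request as no-password-attribute, which separates the two warnings that otherwise look alike.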