cisco WAP/FreeRadius/OpenLDAP

2011-10-27 Thread Matt Arguin
Hi All,
  Having trouble setting up my RADIUS (FreeRADIUS Version 2.1.7) to
auth to my OpenLDAP server (openldap-2.3.43-12.el5_6.7) on CentOS 5.5.

I am trying to configure EAP-TLS and think I am pretty close.  I am
currently wondering if possibly I have an incorrect mapping in the
ldap.attrs file (it is completely default right now). Running
'radiusd -X' I do see some errors such as:

rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=anonymous)
rlm_ldap: object not found
[ldap] search failed

but later down the path of the session it looks like things are going
OK, seeing a bunch of EAP challenges and it expanding the username
and stuff being put into the inner-tunnel.  However, in the end:

rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=marguin2)
[ldap] checking if remote access for marguin2 is allowed by uid
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure
that the user is configured correctly?

My LDAP attribute for password is userPassword and I have tried
changing the values in the ldap.attrs to match this but that did not
help.  Here is the full output of the run of radiusd in debug mode.
Any insight is appreciated:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=181, length=132
User-Name = anonymous
Framed-MTU = 1400
Called-Station-Id = 64a0.e729.b890
Calling-Station-Id = 1c65.9d32.fb68
Service-Type = Login-User
Message-Authenticator = 0x247be03937ef0698a7ad23d2f86aa54b
EAP-Message = 0x0202000e01616e6f6e796d6f7573
NAS-Port-Type = Wireless-802.11
NAS-Port = 799
NAS-Port-Id = 799
NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = anonymous, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for anonymous
[ldap]  expand: %{Stripped-User-Name} -
[ldap]  expand: %{User-Name} - anonymous
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=anonymous)
[ldap]  expand: dc=currensee,dc=com - dc=currensee,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.local.currensee.com:389, authentication 0
rlm_ldap: bind as
cn=radius,ou=Services,dc=currensee,dc=com/c17ad5805204465ab39d11e0381272c5
to ldap.local.currensee.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=anonymous)
rlm_ldap: object not found
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user 'anonymous'
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 181 to 192.168.10.31 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x
State = 0x12d3382012d02152159f345e3e0c333a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=182, length=228
User-Name = anonymous
Framed-MTU = 1400
Called-Station-Id = 64a0.e729.b890
Calling-Station-Id = 1c65.9d32.fb68
Service-Type = Login-User
Message-Authenticator = 0x07f8f2c72439114d5efd54762efa740b
EAP-Message =
0x0203005c19001603010051014d03014ea9917e4e0fee76b71533a74710796e73ac02e494439b92a5338ee6d1f1bcd92600390038003500160013000a00330032002f00050004001500120009001400110008000600030100
NAS-Port-Type = Wireless-802.11
NAS-Port = 799
NAS-Port-Id = 799
State = 0x12d3382012d02152159f345e3e0c333a
NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = anonymous, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 3 length 92
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, 

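The EAP-Message values in the debug output above can be decoded by hand to see which EAP method the access point is actually negotiating. The following Python is an added example, not code from the original post or from the FreeRADIUS project: it parses the EAP header, the Identity payload and, for the TLS-tunnelled methods (types 13, 21 and 25), the flags byte and the first TLS record. Fed the two intact messages from the log it reports the Identity response for "anonymous" and, in the Access-Challenge, an EAP type 25 (PEAP) request with the Start flag set; EAP-TLS proper is type 13. The long ClientHello dump as it appears on this page is 88 bytes against a declared EAP length of 92, so the decoder's length check rejects it; a ClientHello carrying the same 19 cipher suites is constructed inline instead (all-zero client random, marked as constructed) to show the record decode.

```python
"""Decode the EAP-Message hex dumps that 'radiusd -X' prints.

Added example for this thread; it is not code from the original post or
from the FreeRADIUS project. Header layout follows RFC 3748, the flags
byte of the TLS-based methods follows RFC 5216.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_TUNNEL_TYPES = {13, 21, 25}          # methods whose payload is a TLS stream
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# The two intact EAP-Message values from the debug output above.
IDENTITY_RESPONSE = "0x0202000e01616e6f6e796d6f7573"
PEAP_START_REQUEST = "0x010300061920"
# The 19 cipher suites listed in the log's ClientHello, in the same order.
LOG_CIPHER_SUITES = [0x0039, 0x0038, 0x0035, 0x0016, 0x0013, 0x000a, 0x0033,
                     0x0032, 0x002f, 0x0005, 0x0004, 0x0015, 0x0012, 0x0009,
                     0x0014, 0x0011, 0x0008, 0x0006, 0x0003]


def decode_tls_record(rec):
    """Parse one TLS record header; for a ClientHello also pull out version and suites."""
    if len(rec) < 5:
        raise ValueError("TLS record header truncated")
    ctype, major, minor, rlen = struct.unpack("!BBBH", rec[:5])
    out = {"content_type": ctype,
           "record_version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
           "length": rlen}
    frag = rec[5:5 + rlen]
    if ctype == 22 and frag and frag[0] == 1:            # Handshake, ClientHello
        out["handshake"] = "ClientHello"
        hs_len = int.from_bytes(frag[1:4], "big")
        hello = frag[4:4 + hs_len]
        out["client_version"] = TLS_VERSIONS.get((hello[0], hello[1]), f"{hello[0]}.{hello[1]}")
        pos = 2 + 32                                       # client_version + 32-byte random
        sid_len = hello[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        out["cipher_suites"] = [struct.unpack("!H", hello[i:i + 2])[0]
                                for i in range(pos, pos + cs_len, 2)]
    return out


def decode_eap(hexstr):
    """Decode one EAP packet given as the hex string FreeRADIUS prints."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        # A mismatch means the dump was truncated or mangled on its way to the page.
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                                     # Success/Failure carry no type
        return msg
    eap_type = data[4]
    msg["type"] = eap_type
    msg["method"] = EAP_TYPES.get(eap_type, f"type-{eap_type}")
    body = data[5:]
    if eap_type == 1:
        msg["identity"] = body.decode("utf-8", "replace")
    elif eap_type in TLS_TUNNEL_TYPES:
        flags = body[0]
        msg["flags"] = {"L": bool(flags & 0x80),           # TLS message length included
                        "M": bool(flags & 0x40),           # more fragments follow
                        "S": bool(flags & 0x20)}           # Start of the TLS exchange
        if eap_type == 25:
            msg["peap_version"] = flags & 0x07
        tls = body[1:]
        if flags & 0x80:
            msg["tls_total_length"] = struct.unpack("!I", tls[:4])[0]
            tls = tls[4:]
        if tls:
            msg["tls_record"] = decode_tls_record(tls)
    return msg


def build_peap_client_hello(ident, suites):
    """Constructed PEAP Response carrying a TLS 1.0 ClientHello (zero random, no session id)."""
    hello = (b"\x03\x01" + bytes(32) + b"\x00"
             + struct.pack("!H", 2 * len(suites))
             + b"".join(struct.pack("!H", s) for s in suites)
             + b"\x01\x00")                                # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    record = b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
    body = b"\x19\x00" + record                            # type 25 (PEAP), flags 0
    return "0x" + (struct.pack("!BBH", 2, ident, 4 + len(body)) + body).hex()


if __name__ == "__main__":
    for label, hexstr in (("identity", IDENTITY_RESPONSE),
                          ("peap start", PEAP_START_REQUEST),
                          ("constructed ClientHello", build_peap_client_hello(3, LOG_CIPHER_SUITES))):
        print(label, decode_eap(hexstr))
```

One more thing worth checking in this kind of output before pasting it to a public list: the rlm_ldap debug line "bind as <dn>/<secret>" in FreeRADIUS 2.x prints the bind password in clear alongside the DN, as it does above.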
Re: cisco WAP/FreeRadius/OpenLDAP

2011-10-27 Thread Matt Arguin

 --

 Message: 4
 Date: Thu, 27 Oct 2011 21:00:00 +0200
 From: Alan DeKok al...@deployingradius.com
 Subject: Re: Failed to load module jradius
 To: FreeRadius users mailing list
        freeradius-users@lists.freeradius.org
 Message-ID: 4ea9aa30.3020...@deployingradius.com
 Content-Type: text/plain; charset=UTF-8

 Travis Dimmig wrote:
 I don't seem to be able to get freeRadius to load the "jradius" module.
 My steps are as follows:
...
 'radiusd -X' gives:

 /usr/local/etc/raddb/sites-enabled/default[443]: Failed to load module
 jradius.

  It should give more than that.  Look at the *previous* lines to see
 the real cause of the problem.

  Alan DeKok.


 --

 Message: 5
 Date: Thu, 27 Oct 2011 18:59:33 +
 From: Travis Dimmig tdim...@impulse.com
 Subject: RE: Failed to load module jradius
 To: FreeRadius users mailing list
        freeradius-users@lists.freeradius.org
 Message-ID:
        2ecc69012853fb42a8adaba5eb3b4b800c9d1...@dsm-mail01.dsm.net
 Content-Type: text/plain; charset=us-ascii

 Figured it out.  The jradius.conf needs to be in 
 /usr/local/etc/raddb/modules.  I swear it used to be one directory up...  
 Anyway, I don't know if it's the freeRadius team or the JRadius team that 
 maintains this plugin, but the config file is not automatically copied into 
 the modules directory even when freeRadius is compiled with jradius support.


 Travis

 From: freeradius-users-bounces+tdimmig=impulse@lists.freeradius.org 
 [mailto:freeradius-users-bounces+tdimmig=impulse@lists.freeradius.org] On 
 Behalf Of Travis Dimmig
 Sent: Thursday, October 27, 2011 2:29 PM
 To: FreeRadius users mailing list
 Subject: Failed to load module jradius

 I don't seem to be able to get freeRadius to load the jradius module.  My 
 steps are as follows:

 wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.12.tar.gz
 tar -xzvf freeradius-server-2.1.12.tar.gz
 cd freeradius-server-2.1.12
 echo rlm_jradius >> src/modules/stable
 ./configure && make && make install
 cp src/modules/rlm_jradius/jradius.conf /usr/local/etc/raddb

 I configure jradius.conf to point to my JRadius server, and add jradius to 
 the accounting section of sites-enabled.
 radiusd -X gives:
 /usr/local/etc/raddb/sites-enabled/default[443]: Failed to load module 
 jradius.
 /usr/local/etc/raddb/sites-enabled/default[378]: Errors parsing accounting 
 section.

 I have verified that the jradius libraries have been compiled and installed 
 /usr/local/lib.

 I've managed to compile freeRadius with the jradius module before just 
 fine. Not sure what the problem is now.  Any help would be greatly 
 appreciated.

 Travis Dimmig
 Software Development Specialist
 Impulse Point
 www.impulse.com


 --

 Message: 6
 Date: Thu, 27 Oct 2011 21:01:21 +0200
 From: Alan DeKok al...@deployingradius.com
 Subject: Re: cisco WAP/FreeRadius/OpenLDAP
 To: FreeRadius users mailing list
        freeradius-users@lists.freeradius.org
 Message-ID: 4ea9aa81.50...@deployingradius.com
 Content-Type: text/plain; charset=ISO-8859-1

 Matt Arguin wrote:
   Having trouble setting up my RADIUS (FreeRADIUS Version 2.1.7) to
 auth to my OpenLDAP server (openldap-2.3.43-12.el5_6.7) on CentOS 5.5.

 I am trying to configure EAP-TLS

  Then you don't need LDAP.  EAP-TLS does authentication based on client
 certificates.  It doesn't use passwords.

  Why are you using EAP-TLS & LDAP?  What do you expect it to do?

  Alan DeKok.


 --


 End of Freeradius-Users Digest, Vol 78, Issue 124