Re: Cisco AP, FreeRADIUS and Fedora Directory Server

2006-10-30 Thread Mustafa Şenay


>> I'm not sure how the RADIUS server will know to check the password
>> against the LDAP server while EAP is in place?

>   It doesn't.



Does this mean that the EAP plugin only checks the users file to
authenticate users with their passwords?

Mustafa
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Cisco AP, FreeRADIUS and Fedora Directory Server

2006-10-30 Thread Mustafa Şenay

> It's not so much EAP in general, but the PEAP (i.e. MSCHAPv2 part).
> However search this list's archive, see documentation etc. and the
> pertinent parts of the server's debug output you still chose not to
> provide here.
>
> regards
> K. Hoercher



Is there a way to get the clear password after the PEAP plugin has processed
the EAP message and gained the password to check against the users file?

Mustafa


Re: Cisco AP, FreeRADIUS and Fedora Directory Server

2006-10-30 Thread Alan DeKok
Mustafa Şenay wrote:
> Does this mean that the EAP plugin only checks the users file to
> authenticate users with their passwords?

  No.  It means that EAP doesn't supply a password, so it doesn't
exist, and can't be checked against LDAP.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Cisco AP, FreeRADIUS and Fedora Directory Server

2006-10-17 Thread Alan DeKok
Mustafa Şenay wrote:
> Same password works when binding to LDAP server from different client
> applications, such as GQ. So I'm pretty sure that password is
> correct.

  That doesn't matter.

  Read ALL OF THE DEBUGGING LOG.

  IT WILL TELL YOU WHAT IS GOING ON.

  If you DO NOT read it, you WILL NOT solve the problem.

> I'm not sure how the RADIUS server will know to check the password
> against the LDAP server while EAP is in place?

  It doesn't.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Cisco AP, FreeRADIUS and Fedora Directory Server

2006-10-16 Thread Mustafa Şenay

> Hm, well, sort of, as you get:
>
>    rlm_eap_peap: Session established.  Decoding tunneled attributes.
>    rlm_eap_peap: Received EAP-TLV response.
>    rlm_eap_peap: Tunneled data is valid.
>    rlm_eap_peap:  Had sent TLV failure.  User was rejcted rejected
>  earlier in this session.
>
> Probably wrong password. One cannot really be sure as you left out
> those "earlier in this session" parts of the _full_ debug output.



Same password works when binding to LDAP server from different client
applications, such as GQ. So I'm pretty sure that password is
correct.

I'm not sure how the RADIUS server will know to check the password
against the LDAP server while EAP is in place?


Re: Cisco AP, FreeRADIUS and Fedora Directory Server

2006-10-16 Thread K. Hoercher

On 10/16/06, Mustafa Şenay wrote:

> Same password works when binding to LDAP server from different client
> applications, such as GQ. So I'm pretty sure that password is
> correct.


That doesn't mean it works for PEAP too (probably not). See below.


> I'm not sure how the RADIUS server will know to check the password
> against the LDAP server while EAP is in place?


It's not so much EAP in general, but the PEAP (i.e. MSCHAPv2 part).
However search this list's archive, see documentation etc. and the
pertinent parts of the server's debug output you still chose not to
provide here.

regards
K. Hoercher



Cisco AP, FreeRADIUS and Fedora Directory Server

2006-10-15 Thread Mustafa Şenay

Hello,

I'm trying to authenticate Windows users via Cisco AP 1100, freeradius
and Fedora Directory Server (FDS) combination.

I configured FDS and radiusd.conf and other configuration files
according to ldap_howto found in freeradius documentation. I managed
to authorize users but authentication doesn't work. Here is the log of
radiusd -X. I have to make it work urgently. Has anybody suggestions?

rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:21645,
id=91, length=170
   User-Name = yilmaz
   Framed-MTU = 1400
   Called-Station-Id = 0012.dae5.02d0
   Calling-Station-Id = 00a0.c5fb.a044
   Service-Type = Login-User
   Message-Authenticator = 0xb5aae70f920a25df14d59908548ecadf
   EAP-Message =
0x020a00261900170301001b242f66ff01fc8cabcc0f2e8203235bec935abdc9dac564949a1b82
   NAS-Port-Type = Wireless-802.11
   NAS-Port = 674
   State = 0x5a4c45339a4de6925fbb158c95df2d80
   NAS-IP-Address = xxx.xxx.xxx.xxx
   NAS-Identifier = ap
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 17
 modcall[authorize]: module preprocess returns ok for request 17
 modcall[authorize]: module chap returns noop for request 17
 modcall[authorize]: module mschap returns noop for request 17
   rlm_realm: No '@' in User-Name = yilmaz, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 17
 rlm_eap: EAP packet type response id 10 length 38
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 17
   users: Matched entry DEFAULT at line 152
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=Personel,dc=deu,dc=edu,dc=tr'
radius_xlat:  '(uid=yilmaz)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Personel,dc=deu,dc=edu,dc=tr, with
filter (uid=yilmaz)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '((uid=yilmaz)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Personel,dc=deu,dc=edu,dc=tr, with
filter ((radiusGroupName=disabled)((uid=yilmaz)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=yilmaz,
ou=Personel,dc=deu,dc=edu,dc=tr, with filter (objectclass=*)
rlm_ldap::groupcmp: Group disabled not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=Personel,dc=deu,dc=edu,dc=tr'
radius_xlat:  '((uid=yilmaz)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Personel,dc=deu,dc=edu,dc=tr, with
filter ((radiusGroupName=kablosuz)((uid=yilmaz)(objectclass=radiusprofile)))
rlm_ldap::ldap_groupcmp: User found in group kablosuz
rlm_ldap: ldap_release_conn: Release Id: 0
   users: Matched entry DEFAULT at line 222
 modcall[authorize]: module files returns ok for request 17
rlm_ldap: - authorize
rlm_ldap: performing user authorization for yilmaz
radius_xlat:  '(uid=yilmaz)'
radius_xlat:  'ou=Personel,dc=deu,dc=edu,dc=tr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Personel,dc=deu,dc=edu,dc=tr, with
filter (uid=yilmaz)
rlm_ldap: performing search in
uid=kablosuz,ou=Radius,ou=Profil,dc=deu,dc=edu,dc=tr, with filter
(objectclass=radiusprofile)
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User  op=11
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user yilmaz authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 17
modcall: leaving group authorize (returns updated) for request 17
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 17
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
 rlm_eap_tls: processing TLS
 eaptls_verify returned 7
 rlm_eap_tls: Done initial handshake
 eaptls_process returned 7
 rlm_eap_peap: EAPTLS_OK
 rlm_eap_peap: Session established.  Decoding tunneled attributes.
 rlm_eap_peap: Received EAP-TLV response.
 rlm_eap_peap: Tunneled data is valid.
 rlm_eap_peap:  Had sent TLV failure.  User was rejcted rejected
earlier in this session.
rlm_eap: Handler failed in EAP/peap
 rlm_eap: Failed in EAP select
 modcall[authenticate]: module eap returns invalid for request 17
modcall: leaving group authenticate (returns invalid) for request 17
auth: Failed to validate the user.
Delaying request 17 for 1

Re: Cisco AP, FreeRADIUS and Fedora Directory Server

2006-10-15 Thread K. Hoercher

Hi,

On 10/15/06, Mustafa Şenay wrote:

> according to ldap_howto found in freeradius documentation. I managed
> to authorize users but authentication doesn't work. Here is the log of


Hm, well, sort of, as you get:


  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure.  User was rejcted rejected
earlier in this session.


Probably wrong password. One cannot really be sure as you left out
those "earlier in this session" parts of the _full_ debug output.

regards
K. Hoercher
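
As an added illustration (not part of any message in this thread, and not FreeRADIUS code): a small Python script that groups radiusd -X output by request number, lists failing module calls, and flags a PEAP "Had sent TLV failure" line when the log holds no earlier request, which is the situation pointed out above. The sample log is constructed from lines abridged from the original post; treating lower request numbers as the earlier rounds of the same session is a simplifying assumption.

```python
import re
from collections import defaultdict

# Constructed sample: lines abridged from the radiusd -X output in the
# original post, including the mail-wrapped PEAP line.
SAMPLE = """\
modcall: entering group authorize for request 17
  modcall[authorize]: module mschap returns noop for request 17
  modcall[authorize]: module eap returns updated for request 17
  modcall[authorize]: module ldap returns ok for request 17
modcall: leaving group authorize (returns updated) for request 17
  rad_check_password:  Found Auth-Type EAP
modcall: entering group authenticate for request 17
  rlm_eap_peap:  Had sent TLV failure.  User was rejcted rejected
earlier in this session.
  modcall[authenticate]: module eap returns invalid for request 17
modcall: leaving group authenticate (returns invalid) for request 17
"""

ENTER = re.compile(r"modcall: entering group \w+ for request (\d+)")
MODCALL = re.compile(r"modcall\[(\w+)\]: module (\S+) returns (\w+) for request (\d+)")
TLV_FAIL = re.compile(r"rlm_eap_peap:\s+Had sent TLV failure")
BAD = {"reject", "fail", "invalid", "userlock"}

def summarize(log):
    """Return ({request: [(section, module, rcode)]}, {requests with TLV failure})."""
    results, deferred, current = defaultdict(list), set(), None
    for line in log.splitlines():
        if m := ENTER.search(line):
            current = int(m.group(1))
        elif m := MODCALL.search(line):
            results[int(m.group(4))].append(m.group(1, 2, 3))
        elif TLV_FAIL.search(line) and current is not None:
            deferred.add(current)
    return dict(results), deferred

def failures(log):
    """Every module call whose return code is a failure, in log order."""
    results, _ = summarize(log)
    return [(req, *call) for req, calls in results.items()
            for call in calls if call[2] in BAD]

def missing_context(log):
    """Requests that report an earlier rejection when no earlier request is in the log.

    Assumption: lower request numbers are the earlier rounds of the session.
    """
    results, deferred = summarize(log)
    return sorted(r for r in deferred if not any(e < r for e in results))

if __name__ == "__main__":
    print("failed module calls:", failures(SAMPLE))
    print("cause not in this log for requests:", missing_context(SAMPLE))
```

A non-empty result from missing_context() means the excerpt starts too late: the rejection itself was logged under a request that was not captured.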
