LDAP + TTLS PAP
Hi. I've been trying to set up freeradius with LDAP + TTLS PAP. I use the default radius, eap and users files configuration; I configure my modules/ldap file to connect to my ldap, sites-available/default file to authorize ldap, and ldap.attrmap to check Cleartext-Password against userPassword. Everything seems normal: when I test it with radtest user pass 10.14.56.26 0 secret it is accepted, but when I try from my XP client the debug shows this:

+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}

Here is my sites-available/default authorize section:

authorize {
        preprocess
        chap
        mschap
        eap {
                ok = return
        }
        unix
        files
        ldap
        expiration
        logintime
        pap
}

Any ideas? Thanks.

--
View this message in context: http://www.nabble.com/LDAP-%2B-TTLS-PAP-tp24498710p24498710.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP + TTLS PAP
Ivan Kalik wrote:
> You have deleted the interesting part of the debug.
>
> Ivan Kalik
> Kalik Informatika ISP

Sorry. Here is all my debug.

Ready to process requests.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=2, length=163
        User-Name = user
        Calling-Station-Id = 00-24-2C-83-AA-92
        Called-Station-Id = 00-21-A1-9E-F9-30:testGDL
        NAS-Port = 1
        NAS-IP-Address = 10.14.56.33
        NAS-Identifier = test-gdl-wlc
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020800090175736572
        Message-Authenticator = 0xb86c778d5e5cbb982425e05ea5b4b6e8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 8 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for user
[ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=user)
[ldap] expand: ou=Wireless,dc=local,dc=test,dc=com -> ou=Wireless,dc=local,dc=test,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=local,dc=test,dc=com, with filter (cn=user)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: userPassword -> Cleartext-Password == Newuser01
[ldap] looking for reply items in directory...
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 2 to 10.14.56.33 port 32768
        EAP-Message = 0x010900160410a1a022fc9a0dfa06c749cc18033a2a4a
        Message-Authenticator = 0x
        State = 0xeb2a1c90eb2318c7f00b52ffc2a1bc44
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=2, length=163
Sending duplicate reply to client 10.14.56.33 port 32768 - ID: 2
Sending Access-Challenge of id 2 to 10.14.56.33 port 32768
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=2, length=163
Sending duplicate reply to client 10.14.56.33 port 32768 - ID: 2
Sending Access-Challenge of id 2 to 10.14.56.33 port 32768
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=3, length=178
        User-Name = user
        Calling-Station-Id = 00-24-2C-83-AA-92
        Called-Station-Id = 00-21-A1-9E-F9-30:testGDL
        NAS-Port = 1
        NAS-IP-Address = 10.14.56.33
        NAS-Identifier = test-gdl-wlc
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020900060315
        State = 0xeb2a1c90eb2318c7f00b52ffc2a1bc44
        Message-Authenticator = 0xbe3af8eada8201dbfd51322d12e53c40
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for user
[ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=user)
[ldap] expand: ou=Wireless,dc=local,dc=test,dc=com -> ou=Wireless,dc=local,dc=test,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=local,dc=test,dc=com, with filter (cn=user)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: userPassword -> Cleartext-Password == Newuser01
[ldap] looking for reply items in directory...
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
Re: LDAP + TTLS PAP
Ivan Kalik wrote:
>> Here is all my debug.
>
> Enable ldap in inner-tunnel virtual server as well.
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks for your help, Ivan. Now everything looks fine.
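What "enable ldap in inner-tunnel" means in practice, as an added illustration that is not part of the thread: in FreeRADIUS 2.x the TTLS inner identity and PAP password are handed to a separate virtual server (raddb/sites-available/inner-tunnel) with its own authorize section, and the "} # server inner-tunnel" debug above shows that section running without ldap, so pap never saw a Cleartext-Password and the tunneled request was rejected. The module list below is the stock 2.x inner-tunnel file as I remember it, with the commented-out ldap entry enabled; that file layout, not the poster's copy, is the assumption here.

```conf
# raddb/sites-available/inner-tunnel  (FreeRADIUS 2.x), authorize section only.
# Added example, not the poster's file: the stock file ships with "ldap"
# commented out. The outer sites-available/default only handles the EAP-TTLS
# handshake; the inner User-Name/User-Password pair is processed by THIS
# virtual server, so the LDAP lookup that supplies Cleartext-Password has to
# run here as well.
server inner-tunnel {
    authorize {
        chap
        mschap
        unix
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files

        # Fetch check items for the tunneled identity (userPassword ->
        # Cleartext-Password via ldap.attrmap). This must run before pap;
        # otherwise pap returns noop, no Auth-Type is set, and the request
        # fails with "No authenticate method (Auth-Type) configuration
        # found", exactly as in the debug above.
        ldap

        expiration
        logintime

        # With Cleartext-Password present, pap sets Auth-Type = PAP.
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
    }
}
```

To confirm the change took effect, run the server with radiusd -X and check that the "[ldap] ... Cleartext-Password" and "++[pap] returns updated" lines now appear inside the "server inner-tunnel" block rather than only in the outer authorize pass.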
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Thanks for your help. I'm pretty new to freeradius. I've read many how-tos, but only in this post have I discovered many things.

Alan DeKok-2 wrote:
> jpablorp wrote:
>> I replaced eap.conf with the default eap.conf file and this is my debug:
>
> Where you have *deleted* the real cause of the error.
>
>> [peap] Had sent TLV failure. User was rejected earlier in this session.
>
> Look EARLIER in the debug log for the failure. It's really not hard. Look for words like reject, or fail, or error. The messages will tell you what is wrong, and why. All you need to do is read them.
>
> Alan DeKok.
freeradius 2.1.6 ldap + mschapv2 to authenticate
Hi everyone. I've been trying to set up freeradius 2.1.6 with LDAP and mschapv2 to authenticate. When I send a test from my console, this works fine.

client:
$ radtest user pass 10.14.56.26 0 secret

server in debug mode:
Ready to process requests.
rad_recv: Access-Request packet from host 172.24.104.12 port 39285, id=52, length=69
        User-Name = user
        User-Password = pass
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
[ldap] performing user authorization for user
[ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details
[ldap] expand: (&(SamAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com)) -> (&(SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
[ldap] expand: OU=Groups,DC=it,DC=test,DC=com -> OU=Groups,DC=it,DC=test,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.14.56.100:389, authentication 0
rlm_ldap: bind as ad...@it.test.com/adminpass to 10.14.56.100:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Groups,DC=it,DC=test,DC=com, with filter (&(SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = ldap
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = ldap
+- entering group authenticate {...}
[ldap] login attempt by user with password pass
[ldap] user DN: CN=user,OU=General Group,OU=Users,DC=it,DC=test,DC=com
rlm_ldap: (re)connect to 10.14.56.100:389, authentication 1
rlm_ldap: bind as CN=user,OU=General Group,OU=Users,DC=it,DC=test,DC=com/pass to 10.14.56.100:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user user authenticated succesfully
++[ldap] returns ok
Login OK: [user/pass] (from client redprivada1 port 0)
Sending Access-Accept of id 52 to 172.24.104.12 port 39285
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 52 with timestamp +10

But when I try to connect:

rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=174, length=189
        User-Name = user
        Calling-Station-Id = 00-24-2C-83-AA-92
        Called-Station-Id = 00-21-A1-9E-F9-30:redprivada1
        NAS-Port = 1
        NAS-IP-Address = 10.14.56.33
        NAS-Identifier = acces-ponit-wlc
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020e0016016a75616e7061626c6f5f72616d6972657a
        Message-Authenticator = 0x76c7af8be679e0867bb2c06d1146d7e6
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
[ldap] performing user authorization for user
[ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details
[ldap] expand: (&(SamAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com)) -> (&(SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
[ldap] expand: OU=Groups,DC=it,DC=test,DC=com -> OU=Groups,DC=it,DC=test,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Groups,DC=it,DC=test,DC=com, with filter (&(SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.

        usersfile = /etc/freeradius/users
        acctusersfile = /etc/freeradius/acct_users
        preproxy_usersfile = /etc/freeradius/preproxy_users
        compat = no
 }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
        filename =
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Thanks for your response. Now I'm using the default files and configuring the access in modules (raddb/modules/ldap). Now it seems like the solution is closer. When I test, this appears in my server in debug mode:

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for unsupported type 25
[eap] No common EAP types found.
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 189 to 10.14.56.33 port 32768
        EAP-Message = 0x040c0004
        Message-Authenticator = 0x
Waking up in 3.9 seconds.
Cleaning up request 1 ID 188 with timestamp +30
Waking up in 1.0 seconds.
Cleaning up request 2 ID 189 with timestamp +30
Ready to process requests.

I think the problem is in my eap.conf file, but I'm not sure what exactly I have to do. Any idea?

Ivan Kalik wrote:
>> I've been trying to set up freeradius 2.1.6 with LDAP and mschapv2 to authenticate. When I send a test from my console, this works fine. But when I try to connect. I don't know what I'm missing. Here is my radiusd.conf:
>
> Why did you find it necessary to butcher default configuration? Use default radiusd.conf, configure ldap in modules (raddb/modules/ldap) and watch it work.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Ivan Kalik wrote:
> Have you done some strange things to eap.conf or are you using the default one? Default configuration works.

I replaced eap.conf with the default eap.conf file and this is my debug:

++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 198 to 10.14.56.33 port 32768
        EAP-Message = 0x040d0004
        Message-Authenticator = 0x
Waking up in 3.6 seconds.
Cleaning up request 1 ID 190 with timestamp +51
Cleaning up request 2 ID 191 with timestamp +51
Cleaning up request 3 ID 192 with timestamp +51
Cleaning up request 4 ID 193 with timestamp +51
Cleaning up request 5 ID 194 with timestamp +51
Cleaning up request 6 ID 195 with timestamp +51
Cleaning up request 7 ID 196 with timestamp +51
Cleaning up request 8 ID 197 with timestamp +51
Waking up in 1.0 seconds.
Cleaning up request 9 ID 198 with timestamp +51

Am I missing something?