LDAP + TTLS PAP

2009-07-15 Thread jpablorp

Hi.
I've been trying to set up freeradius with LDAP + TTLS PAP.
I use the default radiusd, eap and users file configuration; I configured my
modules/ldap file to connect to my LDAP, sites-available/default to
authorize with ldap, and ldap.attrmap to check Cleartext-Password against
userPassword.

Everything seems normal: when I test it with
radtest user pass 10.14.56.26 0 secret
it is accepted.

But when I try from my XP client the debug shows this:

+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}

Here is my sites-available/default authorize section:

authorize {
    preprocess
    chap
    mschap
    eap {
        ok = return
    }
    unix
    files
    ldap
    expiration
    logintime
    pap
}

Any ideas?

Thanks.
-- 
View this message in context: 
http://www.nabble.com/LDAP-%2B-TTLS-PAP-tp24498710p24498710.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP + TTLS PAP

2009-07-15 Thread jpablorp


Ivan Kalik wrote:

 You have deleted the interesting part of the debug.

 Ivan Kalik
 Kalik Informatika ISP

Sorry.
Here is all my debug.
Ready to process requests.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=2,
length=163
User-Name = user
Calling-Station-Id = 00-24-2C-83-AA-92
Called-Station-Id = 00-21-A1-9E-F9-30:testGDL
NAS-Port = 1
NAS-IP-Address = 10.14.56.33
NAS-Identifier = test-gdl-wlc
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020800090175736572
Message-Authenticator = 0xb86c778d5e5cbb982425e05ea5b4b6e8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 8 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for user
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for
details
[ldap]  expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=user)
[ldap]  expand: ou=Wireless,dc=local,dc=test,dc=com -
ou=Wireless,dc=local,dc=test,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=local,dc=test,dc=com, with
filter (cn=user)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: userPassword - Cleartext-Password == Newuser01
[ldap] looking for reply items in directory...
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 2 to 10.14.56.33 port 32768
EAP-Message = 0x010900160410a1a022fc9a0dfa06c749cc18033a2a4a
Message-Authenticator = 0x
State = 0xeb2a1c90eb2318c7f00b52ffc2a1bc44
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=2,
length=163
Sending duplicate reply to client 10.14.56.33 port 32768 - ID: 2
Sending Access-Challenge of id 2 to 10.14.56.33 port 32768
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=2,
length=163
Sending duplicate reply to client 10.14.56.33 port 32768 - ID: 2
Sending Access-Challenge of id 2 to 10.14.56.33 port 32768
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=3,
length=178
User-Name = user
Calling-Station-Id = 00-24-2C-83-AA-92
Called-Station-Id = 00-21-A1-9E-F9-30:testGDL
NAS-Port = 1
NAS-IP-Address = 10.14.56.33
NAS-Identifier = test-gdl-wlc
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020900060315
State = 0xeb2a1c90eb2318c7f00b52ffc2a1bc44
Message-Authenticator = 0xbe3af8eada8201dbfd51322d12e53c40
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for user
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for
details
[ldap]  expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=user)
[ldap]  expand: ou=Wireless,dc=local,dc=test,dc=com -
ou=Wireless,dc=local,dc=test,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=local,dc=test,dc=com, with
filter (cn=user)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: userPassword - Cleartext-Password == Newuser01
[ldap] looking for reply items in directory...
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate

Re: LDAP + TTLS PAP

2009-07-15 Thread jpablorp



Ivan Kalik wrote:

 Here is all my debug.

 Enable ldap in inner-tunnel virtual server as well.

 Ivan Kalik
 Kalik Informatika ISP

Thanks for your help, Ivan.

Now everything looks fine.
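For the fix Ivan describes, here is what the inner-tunnel authorize list looks like with ldap added. This is an added example, not the poster's file and not the FreeRADIUS project's own text: the module order is the one the poster's inner-tunnel debug shows (chap, mschap, unix, suffix, control, eap, files, expiration, logintime, pap), the `update control` body is the stock 2.1.x one as far as I recall it, and the `server inner-tunnel` wrapper with its authenticate list is assumed. The point it illustrates: radtest sends PAP straight to sites-available/default, where ldap runs and ldap.attrmap turns userPassword into a Cleartext-Password check item, so pap can set Auth-Type and the user is accepted. A TTLS client's PAP credentials instead arrive as a tunneled request that is processed by inner-tunnel; with no ldap call there, no check item exists, pap returns noop, and the server logs "No authenticate method (Auth-Type) configuration found" and rejects.

```text
# sites-available/inner-tunnel (added example; the poster's file is not on the page)
# The PAP request carried inside EAP-TTLS is processed by this virtual server,
# not by sites-available/default, so the directory lookup must happen here too.
server inner-tunnel {
    authorize {
        chap
        mschap
        unix
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files

        # Added line: look the user up in the directory so ldap.attrmap can
        # supply the Cleartext-Password check item for the inner request.
        ldap

        expiration
        logintime

        # pap finds the check item ldap just added and sets Auth-Type = PAP.
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
    }
}
```

After the change, run radiusd -X again and the inner request's debug should show the same "[ldap] looking for check items" lines that the outer request already shows. One caveat this thread makes visible: the Cleartext-Password mapping means the directory hands the plaintext password to the server, and radiusd -X prints it in the clear ("Cleartext-Password == Newuser01" above), so debug output from such a server is as sensitive as the directory itself and the bind account should be limited to reading the attributes it actually needs.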


Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-24 Thread jpablorp

Thanks for your help.

I'm pretty new to freeradius. I've read many how-tos, but only in this
post have I discovered many things.



Alan DeKok-2 wrote:

 jpablorp wrote:
  I replaced eap.conf with the default eap.conf file

  and this is my debug:

   Where you have *deleted* the real cause of the error.

  [peap]  Had sent TLV failure.  User was rejected earlier in this session.

   Look EARLIER in the debug log for the failure.  It's really not hard.
  Look for words like reject, or fail, or error.

   The messages will tell you what is wrong, and why.  All you need to do
  is read them.

   Alan DeKok.



freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-23 Thread jpablorp

Hi everyone.
I've been trying to set up freeradius 2.1.6 with LDAP and mschapv2 to
authenticate.
When I send a test from my console, it works fine.

client:
$ radtest user pass 10.14.56.26 0 secret

server in debug mode: 
Ready to process requests. 
rad_recv: Access-Request packet from host 172.24.104.12 port 39285, id=52,
length=69 
User-Name = user 
User-Password = pass 
NAS-IP-Address = 127.0.1.1 
NAS-Port = 0 
+- entering group authorize {...} 
++[preprocess] returns ok 
++[mschap] returns noop 
[suffix] No '@' in User-Name = user, looking up realm NULL 
[suffix] No such realm NULL 
++[suffix] returns noop 
++[files] returns noop 
[ldap] performing user authorization for user 
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for
details 
[ldap] expand:
((SamAccountName=%{Stripped-User-Name:-%{User-Name})(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
-
((SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com)) 
[ldap] expand: OU=Groups,DC=it,DC=test,DC=com -
OU=Groups,DC=it,DC=test,DC=com 
rlm_ldap: ldap_get_conn: Checking Id: 0 
rlm_ldap: ldap_get_conn: Got Id: 0 
rlm_ldap: attempting LDAP reconnection 
rlm_ldap: (re)connect to 10.14.56.100:389, authentication 0 
rlm_ldap: bind as ad...@it.test.com/adminpass to 10.14.56.100:389 
rlm_ldap: waiting for bind result ... 
rlm_ldap: Bind was successful 
rlm_ldap: performing search in OU=Groups,DC=it,DC=test,DC=com, with filter
((SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com)) 
[ldap] No default NMAS login sequence 
[ldap] looking for check items in directory... 
[ldap] looking for reply items in directory... 
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly? 
[ldap] Setting Auth-Type = ldap 
[ldap] user user authorized to use remote access 
rlm_ldap: ldap_release_conn: Release Id: 0 
++[ldap] returns ok 
Found Auth-Type = ldap 
+- entering group authenticate {...} 
[ldap] login attempt by user with password pass 
[ldap] user DN: CN=user,OU=General Group,OU=Users,DC=it,DC=test,DC=com 
rlm_ldap: (re)connect to 10.14.56.100:389, authentication 1 
rlm_ldap: bind as CN=user,OU=General
Group,OU=Users,DC=it,DC=test,DC=com/pass to 10.14.56.100:389 
rlm_ldap: waiting for bind result ... 
rlm_ldap: Bind was successful 
[ldap] user user authenticated succesfully 
++[ldap] returns ok 
Login OK: [user/pass] (from client redprivada1 port 0) 
Sending Access-Accept of id 52 to 172.24.104.12 port 39285 
Finished request 0. 
Going to the next request 
Waking up in 4.9 seconds. 
Cleaning up request 0 ID 52 with timestamp +10 

But when I try to connect:

rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=174,
length=189 
User-Name = user 
Calling-Station-Id = 00-24-2C-83-AA-92 
Called-Station-Id = 00-21-A1-9E-F9-30:redprivada1 
NAS-Port = 1 
NAS-IP-Address = 10.14.56.33 
NAS-Identifier = acces-ponit-wlc 
Airespace-Wlan-Id = 1 
Service-Type = Framed-User 
Framed-MTU = 1300 
NAS-Port-Type = Wireless-802.11 
EAP-Message = 0x020e0016016a75616e7061626c6f5f72616d6972657a 
Message-Authenticator = 0x76c7af8be679e0867bb2c06d1146d7e6 
+- entering group authorize {...} 
++[preprocess] returns ok 
++[mschap] returns noop 
[suffix] No '@' in User-Name = user, looking up realm NULL 
[suffix] No such realm NULL 
++[suffix] returns noop 
++[files] returns noop 
[ldap] performing user authorization for user 
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for
details 
[ldap] expand:
((SamAccountName=%{Stripped-User-Name:-%{User-Name})(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com))
-
((SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com)) 
[ldap] expand: OU=Groups,DC=it,DC=test,DC=com -
OU=Groups,DC=it,DC=test,DC=com 
rlm_ldap: ldap_get_conn: Checking Id: 0 
rlm_ldap: ldap_get_conn: Got Id: 0 
rlm_ldap: performing search in OU=Groups,DC=it,DC=test,DC=com, with filter
((SamAccountName=user)(memberOf=CN=Wireless,OU=Groups,DC=it,DC=test,DC=com)) 
[ldap] No default NMAS login sequence 
[ldap] looking for check items in directory... 
[ldap] looking for reply items in directory... 
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly? 
[ldap] user user authorized to use remote access 
rlm_ldap: ldap_release_conn: Release Id: 0 
++[ldap] returns ok 
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user 
Failed to authenticate the user. 
usersfile = /etc/freeradius/users 
acctusersfile = /etc/freeradius/acct_users 
preproxy_usersfile = /etc/freeradius/preproxy_users 
compat = no 
  } 
 Module: Checking session {...} for more modules to load 
 Module: Linked to module rlm_radutmp 
 Module: Instantiating radutmp 
  radutmp { 
filename = 

Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-23 Thread jpablorp

Thanks for your response.

Now I'm using the default files and configured the access in modules
(raddb/modules/ldap).
Now it seems like the solution is closer.

When I test, this appears in my server in debug mode:

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for unsupported type 25
[eap] No common EAP types found.
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 189 to 10.14.56.33 port 32768
EAP-Message = 0x040c0004
Message-Authenticator = 0x
Waking up in 3.9 seconds.
Cleaning up request 1 ID 188 with timestamp +30
Waking up in 1.0 seconds.
Cleaning up request 2 ID 189 with timestamp +30
Ready to process requests.

I think it is a problem in my eap.conf file, but I'm not sure what exactly I
have to do.
Any idea?


Ivan Kalik wrote:

 I've been trying to set up freeradius 2.1.6 with LDAP and mschapv2 to
 authenticate.
 When I send a test from my console, it works fine.

 But when I try to connect.

 I don't know what I'm missing.
 Here is my radiusd.conf:

 Why did you find it necessary to butcher default configuration? Use
 default radiusd.conf, configure ldap in modules (raddb/modules/ldap) and
 watch it work.

 Ivan Kalik
 Kalik Informatika ISP

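The line "[eap] NAK asked for unsupported type 25" means the client answered the server's MD5 challenge with an EAP-NAK proposing EAP type 25 (PEAP), and the server's eap.conf did not offer that type; the later TTLS thread shows the same NAK step succeeding ("EAP-NAK asked for EAP-Type/ttls", type 21) once the requested type is configured. Ivan's advice is to use the stock eap.conf. As an added example that is neither the poster's file nor the FreeRADIUS project's own text, here are the parts of a 2.1.x eap.conf that matter for that; the option names are the stock ones, while the certificate paths and key password are placeholders to replace:

```text
# eap.conf, relevant parts (added example; stock 2.1.x option names,
# certificate paths and the key password are placeholders)
eap {
    # The stock default is md5, which is why the poster's debug shows
    # "rlm_eap_md5: Issuing Challenge" before the client NAKs with its real
    # preference. Naming that preference here skips the extra round trip.
    default_eap_type = peap

    timer_expire = 60
    ignore_unknown_eap_types = no
    max_sessions = 4096

    md5 {
    }

    # TLS settings are shared by PEAP and TTLS; both need a server certificate
    # that the client is configured to trust.
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = CHANGE-ME-key-password
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT"
    }

    # EAP type 21. The inner request (PAP in the later thread) is processed by
    # the inner-tunnel virtual server.
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }

    # EAP type 25, the type the Windows client asked for in the NAK.
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }

    # Inner EAP type used by PEAP above. rlm_mschap needs an NT-Password or
    # Cleartext-Password check item for the inner request to succeed.
    mschapv2 {
    }
}
```

With this in place, radiusd -X should log "[eap] processing type peap" instead of the NAK failure, and the inner mschapv2 request then goes to inner-tunnel. The first check to make there is the one the poster's own debug already hints at: the warning "No known good password was found in LDAP" means the directory lookup supplied neither an NT-Password nor a Cleartext-Password check item, and mschap cannot verify an MS-CHAPv2 response without one of them.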


Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-23 Thread jpablorp


Ivan Kalik wrote:

 Have you done some strange things to eap.conf or are you using the default
 one? Default configuration works.


I replaced eap.conf with the default eap.conf file,

and this is my debug:

++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 198 to 10.14.56.33 port 32768
EAP-Message = 0x040d0004
Message-Authenticator = 0x
Waking up in 3.6 seconds.
Cleaning up request 1 ID 190 with timestamp +51
Cleaning up request 2 ID 191 with timestamp +51
Cleaning up request 3 ID 192 with timestamp +51
Cleaning up request 4 ID 193 with timestamp +51
Cleaning up request 5 ID 194 with timestamp +51
Cleaning up request 6 ID 195 with timestamp +51
Cleaning up request 7 ID 196 with timestamp +51
Cleaning up request 8 ID 197 with timestamp +51
Waking up in 1.0 seconds.
Cleaning up request 9 ID 198 with timestamp +51

Am I missing something?


