802.1x, EAP and LDAP



by Mike Richardson


Hi,

My first post: I'm trying to do 802.1x between Xsupplicant (through a Cisco
switch) to Freeradius 1.1.7 using Novell eDirectory LDAP.

I can successfully authenticate as a local user in the 'users' file but the
LDAP side is eluding me.

This is my first experience with 802.1x/EAP etc so I'm still learning.

It looks to me like the inner authentication doesn't know which Auth Type to
use, but I don't know how to tell it. Everything I've read says that you don't
explicitly state the Auth Type, so I don't really know what to do next.

Here are the freeradius -X output, radiusd.conf and eap.conf. Any help
would be appreciated.

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/imported_clients.cfg
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "ttls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/freeradius/cert-srv.pem"
 tls: certificate_file = "/etc/freeradius/cert-srv.pem"
 tls: CA_file = "/etc/freeradius/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/dev/null"
 tls: random_file = "/dev/urandom"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
WARNING: rlm_eap_tls: Unable to set DH parameters.  DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = no
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded LDAP
 ldap: server = "UK-AC-MAN-MTEST"
 ldap: port = 636
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=radiusadmin,ou=dir,o=ac,c=uk"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "/tmp/oak-test-publickeycert.pem"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "demand"
 ldap: password = "radius30"
 ldap: basedn = "c=uk"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "nspmdistributionpassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: edir_account_policy_check = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name uni_ldap
rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x801214b0
Module: Instantiated ldap (uni_ldap)
Module: Loaded files
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=235, length=133
        User-Name = "anonymous"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1B-2A-98-B4-19"
        Calling-Station-Id = "00-0B-DB-8D-4B-12"
        EAP-Message = 0x0202000e01616e6f6e796d6f7573
        Message-Authenticator = 0xb2fdb52ddd49a39af4a793920f226161
        NAS-Port-Type = Ethernet
        NAS-Port = 50025
        NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to UK-AC-MAN-MTEST:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /tmp/oak-test-publickeycert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=radiusadmin,ou=dir,o=ac,c=uk/radius30 to UK-AC-MAN-MTEST:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 0
  rlm_eap: EAP packet type response id 2 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 235 to 10.150.200.1 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010300061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc0832a46dddb20ebc04b5f4e8bb744cb
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=236, length=231
        User-Name = "anonymous"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1B-2A-98-B4-19"
        Calling-Station-Id = "00-0B-DB-8D-4B-12"
        EAP-Message = 0x0203005e150016030100530100004f030147cc09506ffa93d49f47cfd7472481ab9f7226fa61fc2059bf2d95e106a83c6c00002800390038003500160013000a00330032002f000700050004001500120009001400110008000600030100
        Message-Authenticator = 0xedae998ce19f622f20b4d24a38835afc
        NAS-Port-Type = Ethernet
        NAS-Port = 50025
        State = 0xc0832a46dddb20ebc04b5f4e8bb744cb
        NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 1
  rlm_eap: EAP packet type response id 3 length 94
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 1
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0053], ClientHello  
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0678], Certificate  
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode  
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 236 to 10.150.200.1 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x0d010101050003818d0030818902818100d5258fbe611cf7570cb24a9cd31d8004cba7df05cdf398fdb534ecb6daf6ffa6c625109c28a5abdf7683d550ae63c947469a4f534667c1e7e9900ce2571bbc9863c89c02f09094040a7316068d2654e13941efdd6b416b990a6000d3ff2df46f10032ebc9f425768e81426df5c42adc1b7400f48155398b10257000f803e11630203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181005337fab657d2a50deb2ff3e9bb30eea51460f2f2f0e503becf43dd9999157573cf79058e6a64db78d133a3127388b8b832ed391df2d76d0946969c
        EAP-Message = 0x2e756b301e170d3037313030393132323234395a170d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xd4ebc02ff3c0e978da7391662d94acba
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=237, length=143
        User-Name = "anonymous"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1B-2A-98-B4-19"
        Calling-Station-Id = "00-0B-DB-8D-4B-12"
        EAP-Message = 0x020400061500
        Message-Authenticator = 0xb2297c6c1d2f44a2c0383f0eb0a979a2
        NAS-Port-Type = Ethernet
        NAS-Port = 50025
        State = 0xd4ebc02ff3c0e978da7391662d94acba
        NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 2
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 2
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 237 to 10.150.200.1 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x5e1e462e0c80d87d71d6b8d0ea7d29d5548dc865a3db029f41e81dc11d65f88e8abba59f69398ce9c917d0ee220c75482846b769dd79b49733ab86e584cd86a2531c1c4f1dd729dd0203010001a381f63081f3301d0603551d0e04160414a8c429b59d09f0217be4ab2b402dfcc3d9e181e63081c30603551d230481bb3081b88014a8c429b59d09f0217be4ab2b402dfcc3d9e181e6a18194a4819130818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355
        EAP-Message = 0x040b130b4954205365727669636573311f301d06092a864886f70d0109011610646f63746f72406d63632e61632e756b8209009f72c65766f4a47d300c0603551d13040530030101ff300d06092a864886f70d010105050003818100008623e013bbe32deff3a86b4feed8192477afd740213d6b5f8d3dda0248c3a7a434763ad837b62160e3582f36f6f15ca649c96a8fed4fc4fed8c44e6afab88b37e0797007b54653d90807c41e8c24937212fcfe8a4ca5ad1af34bd70f2fad8e88d2e36d55f173435eb8f65fe0d506c5bfb764e0a4f32f964bac9a3c0994a15716030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xdcf5b1027af5a8d41d900d1b97ee15ba
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=238, length=341
        User-Name = "anonymous"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1B-2A-98-B4-19"
        Calling-Station-Id = "00-0B-DB-8D-4B-12"
        EAP-Message = 0x020500cc15001603010086100000820080cda7f11fecdd0b16c60e8b1a016b57df2dcdd50a8dd08a9527318d7040b968f1178e57bf9aba455f6c9cee87555eab4f440cd348812da9ba957bc86a662197a0e8fd0657825d02fc70bcec4c9c939cef43d2e0de32d4395c84e04cb464e184c4eae1bec6fd93ed5b9a9b91e73c391d36a9759b9255aaf0ff8e46e7dfb7b9267014030100010116030100309359828a9fdbc456a4bad192e204bcaaecd4cf283a8f9523e0f2dff4efe7cda10445b5e9a113ec25b7f8f5a60e639e4d
        Message-Authenticator = 0xbd3d53b67e7c3a09dcb25edf8bda1626
        NAS-Port-Type = Ethernet
        NAS-Port = 50025
        State = 0xdcf5b1027af5a8d41d900d1b97ee15ba
        NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 3
  rlm_eap: EAP packet type response id 5 length 204
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 3
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]  
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished  
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]  
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished  
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 238 to 10.150.200.1 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x0106004515800000003b1403010001011603010030fa6e3ed9aba9a9143704b2966519c8790e3daa798cb5635a178667b5f202608c34253a7619429fc1359257458d08ffaa
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2cdab0db7a1a4dbef203ff7f2aa6e371
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=239, length=249
        User-Name = "anonymous"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1B-2A-98-B4-19"
        Calling-Station-Id = "00-0B-DB-8D-4B-12"
        EAP-Message = 0x0206007015001703010020e79b2ceee38e5efd7c85a8dc5a8dd328e8bd99e4673e79dc93e24c57d15a63a91703010040d3ec1e7faa959b6845f772a41d909bfb5230f4060b2437e4605a8187cf3d9f5b63588e76802caad0d34d338162adfacf583dfffc999f39cdff2bcf335a75eeae
        Message-Authenticator = 0xc86b007da48b72277e6325f27cfd4453
        NAS-Port-Type = Ethernet
        NAS-Port = 50025
        State = 0x2cdab0db7a1a4dbef203ff7f2aa6e371
        NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 4
  rlm_eap: EAP packet type response id 6 length 112
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 4
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = "raduser1"
        User-Password = "raduser10"
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = "raduser1"
        User-Password = "raduser10"
        FreeRADIUS-Proxied-To = 127.0.0.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "raduser1", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for raduser1
radius_xlat:  '(uid=raduser1)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=raduser1)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user raduser1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns ok for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 4
  modcall[authorize]: module "files" returns notfound for request 4
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns ok) for request 4
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
  Found Post-Auth-Type
  Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 4
  modcall[post-auth]: module "uni_ldap" returns noop for request 4
modcall: leaving group REJECT (returns noop) for request 4
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 4
modcall: leaving group authenticate (returns invalid) for request 4
auth: Failed to validate the user.
  Found Post-Auth-Type
  Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 4
  modcall[post-auth]: module "uni_ldap" returns noop for request 4
modcall: leaving group REJECT (returns noop) for request 4
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=239, length=249
Sending Access-Reject of id 239 to 10.150.200.1 port 1645
        EAP-Message = 0x04060004
        Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 235 with timestamp 47cc0b4c
Cleaning up request 1 ID 236 with timestamp 47cc0b4c
Cleaning up request 2 ID 237 with timestamp 47cc0b4c
Cleaning up request 3 ID 238 with timestamp 47cc0b4c
Cleaning up request 4 ID 239 with timestamp 47cc0b4c
Nothing to do.  Sleeping until we see a request.




prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = freerad
group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
$INCLUDE /etc/freeradius/imported_clients.cfg
snmp = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        pap {
                auto_header = yes
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
                shadow = /etc/shadow
                radwtmp = ${logdir}/radwtmp
        }
$INCLUDE ${confdir}/eap.conf
        mschap {
                authtype=MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
                with_ntdomain_hack = yes
                authtype=MS-CHAP
        }
        ldap uni_ldap {
                server = "UK-AC-MAN-MTEST"
                identity = "cn=radiusadmin,ou=dir,o=ac,c=uk"
                password = xxxxxxxx
                port = 636
                basedn = "c=uk"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                tls_cacertfile = /tmp/oak-test-publickeycert.pem
                tls_require_cert = "demand"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = nspmdistributionpassword
                edir_account_policy_check=yes
                timeout = 4
                timelimit = 3
                net_timeout = 1
                set_auth_type = yes
        }
        realm IPASS {
                format = prefix
                delimiter = "/"
                ignore_default = no
                ignore_null = no
        }
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = no
        }
        realm realmpercent {
                format = suffix
                delimiter = "%"
                ignore_default = no
                ignore_null = no
        }
        realm ntdomain {
                format = prefix
                delimiter = "\\"
                ignore_default = no
                ignore_null = no
        }
        checkval {
                item-name = Calling-Station-Id
                check-name = Calling-Station-Id
                data-type = string
        }
       
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }
        $INCLUDE  ${confdir}/sql.conf
       
        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
        sqlcounter dailycounter {
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                reply-name = Session-Timeout
                sqlmod-inst = sql
                key = User-Name
                reset = daily
                query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
        }
        sqlcounter monthlycounter {
                counter-name = Monthly-Session-Time
                check-name = Max-Monthly-Session
                reply-name = Session-Timeout
                sqlmod-inst = sql
                key = User-Name
                reset = monthly
                query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
        }
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        expr {
        }
        digest {
        }
        exec {
                wait = yes
                input_pairs = request
        }
        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }
        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
                maximum-timeout = 0
        }
}
instantiate {
        exec
        expr
}
authorize {
        preprocess
       
        chap
        mschap
        suffix
        uni_ldap ## added out of sequence
        eap
        files
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
}
session {
        radutmp
}
post-auth {
        uni_ldap
        Post-Auth-Type REJECT {
                uni_ldap
        }
}
pre-proxy {
}
post-proxy {
        eap
}




        eap {
                default_eap_type = ttls
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }
                tls {
                        private_key_password = whatever
                        private_key_file = ${raddbdir}/cert-srv.pem
                        certificate_file = ${raddbdir}/cert-srv.pem
                        CA_file = ${raddbdir}/root.pem
                        dh_file = /dev/null
                        random_file = /dev/urandom
                        fragment_size = 1024
                        include_length = yes
                }
                ttls {
                        default_eap_type = md5
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                }
                peap {
                        default_eap_type = mschapv2
                        proxy_tunneled_request_as_eap = no
                }
                mschapv2 {
                }
        }



Thanks,

Mike

--
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 802.1x, EAP and LDAP

by Stefan Winter-4

Hi,

The debug log says when starting up:

> rlm_ldap: Over-riding set_auth_type, as we're not listed in the
> "authenticate" section.

My first suggestion would be: check if the mentions of ldap are commented out
in the authenticate { } section - they are by default. Change that, and see
how far you get. Chances are that that was all and it works :-)

Stefan

--
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter@...     Tel.:  +352 424409-1
http://www.restena.lu         Fax:   +352 422473



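The two debug messages this thread turns on (the startup "Over-riding set_auth_type" line and the inner request's "No authenticate method (Auth-Type)" rejection) are easy to miss in a long radiusd -X dump, so here is a small triage script, added as an example and not code from the thread or from FreeRADIUS: it isolates each TTLS inner pass (from "TTLS: Sending tunneled request" to the tunneled reply), checks it for the rlm_ldap, rlm_pap and Auth-Type conditions seen above, and explains each one. The function names are my own and the sample log is constructed from lines of this thread's output.

```python
"""Triage helper for FreeRADIUS 1.x ``radiusd -X`` output.

Added example (not from this thread or the FreeRADIUS project). It finds each
TTLS inner (tunneled) pass and reports which of the conditions logged in the
thread apply to it. Every regex matches a message that appears in the thread.
"""
import re

# Startup message: rlm_ldap will not set Auth-Type while the instance is
# absent from authenticate { }.
OVERRIDE_RE = re.compile(r"rlm_ldap: Over-riding set_auth_type")
# Boundaries of one TTLS inner pass.
TUNNEL_START_RE = re.compile(r"TTLS: Sending tunneled request")
TUNNEL_REPLY_RE = re.compile(r"TTLS: Got tunneled reply RADIUS code (\d+)")
# Conditions checked inside the inner pass.
USER_RE = re.compile(r'^\s*User-Name = "([^"]*)"')
LDAP_FOUND_RE = re.compile(r"rlm_ldap: user \S+ authorized to use remote access")
NO_PASSWORD_RE = re.compile(r'rlm_pap: WARNING! No "known good" password found')
NO_AUTH_TYPE_RE = re.compile(
    r"auth: No authenticate method \(Auth-Type\) configuration found")

RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def tunneled_passes(lines):
    """Yield (reply_code, lines) for every inner pass; reply_code is None
    when the log ends before the tunneled reply was written."""
    start = None
    for i, line in enumerate(lines):
        if TUNNEL_START_RE.search(line):
            start = i
        elif start is not None:
            m = TUNNEL_REPLY_RE.search(line)
            if m:
                yield int(m.group(1)), lines[start:i + 1]
                start = None
    if start is not None:
        yield None, lines[start:]


def diagnose(log_text):
    """Return the startup override flag plus one entry per inner pass, each
    with the conditions found and a plain-language reason for each."""
    lines = log_text.splitlines()
    report = {
        "ldap_not_in_authenticate": any(OVERRIDE_RE.search(l) for l in lines),
        "inner": [],
    }
    for code, chunk in tunneled_passes(lines):
        entry = {
            "user": next((m.group(1) for m in map(USER_RE.match, chunk) if m), None),
            "reply": RADIUS_CODES.get(code, "no reply logged" if code is None
                                       else "code %d" % code),
            "ldap_found_user": any(LDAP_FOUND_RE.search(l) for l in chunk),
            "no_known_good_password": any(NO_PASSWORD_RE.search(l) for l in chunk),
            "no_auth_type": any(NO_AUTH_TYPE_RE.search(l) for l in chunk),
            "reasons": [],
        }
        if entry["no_auth_type"]:
            entry["reasons"].append(
                "authorize finished without an Auth-Type for the inner request, "
                "so it was rejected before any authenticate method ran")
        if entry["ldap_found_user"] and entry["no_known_good_password"]:
            entry["reasons"].append(
                "rlm_ldap found the user but rlm_pap saw no known-good password, "
                "so PAP inside the TTLS tunnel had nothing to compare against")
        if entry["no_auth_type"] and report["ldap_not_in_authenticate"]:
            entry["reasons"].append(
                "set_auth_type = yes is overridden at startup: rlm_ldap will not "
                "set Auth-Type until the instance is listed in authenticate { }")
        report["inner"].append(entry)
    return report


# Constructed from lines of the thread's radiusd -X output (abridged).
SAMPLE_LOG = """\
rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=239, length=249
        User-Name = "anonymous"
  TTLS: Sending tunneled request
        User-Name = "raduser1"
        FreeRADIUS-Proxied-To = 127.0.0.1
rlm_ldap: user raduser1 authorized to use remote access
  modcall[authorize]: module "uni_ldap" returns ok for request 4
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 4
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
  TTLS: Got tunneled reply RADIUS code 3
Sending Access-Reject of id 239 to 10.150.200.1 port 1645
"""
```

Run `diagnose(open("radius-debug.log").read())` on a saved radiusd -X capture; an inner pass whose reasons list is empty but whose reply is still Access-Reject points at something the thread's log does not show.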
Re: 802.1x, EAP and LDAP

by Alan DeKok-2

Mike Richardson wrote:
> My first post: I'm trying to do 802.1x between Xsupplicant (through a Cisco
> switch) to Freeradius 1.1.7 using Novell eDirectory LDAP.

  1) Configure and test TTLS with a user in the "users" file.
  2) Configure and test LDAP with "radtest" (clear-text password)
     for a *different* user
  3) test TTLS with a user in LDAP.

> I can successfully authenticate as a local user in the 'users' file but the
> LDAP side is eluding me.

  Don't do 802.1x and LDAP until you have normal "radtest" working with
LDAP.

  Alan DeKok.

Re: 802.1x, EAP and LDAP

by Mike Richardson

On Mon, Mar 03, 2008 at 03:38:32PM +0100, Stefan Winter wrote:

> Hi,
>
> The debug log says when starting up:
>
> > rlm_ldap: Over-riding set_auth_type, as we're not listed in the
> > "authenticate" section.
>
> My first suggestion would be: check if the mentions of ldap are commented out
> in the authenticate { } section - they are by default. Change that, and see
> how far you get. Chances are that that was all and it works :-)

If it were only that easy... I've messed with that before. AFAICT that only
applies if you are doing plain text authentication. I'm using TTLS and PAP
because the password is going to be stored in an encrypted format in LDAP.

Here's the output after uncommenting as suggested:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/imported_clients.cfg
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
 ldap: server = "UK-AC-MAN-MTEST"
 ldap: port = 636
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=radiusadmin,ou=dir,o=ac,c=uk"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "/tmp/oak-test-publickeycert.pem"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "demand"
 ldap: password = "radius30"
 ldap: basedn = "c=uk"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "nspmdistributionpassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: edir_account_policy_check = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name uni_ldap
rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x801107c8
Module: Instantiated ldap (uni_ldap)
Module: Loaded eap
 eap: default_eap_type = "ttls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/freeradius/cert-srv.pem"
 tls: certificate_file = "/etc/freeradius/cert-srv.pem"
 tls: CA_file = "/etc/freeradius/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/dev/null"
 tls: random_file = "/dev/urandom"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
WARNING: rlm_eap_tls: Unable to set DH parameters.  DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = no
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=241, length=133
        User-Name = "anonymous"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1B-2A-98-B4-19"
        Calling-Station-Id = "00-0B-DB-8D-4B-12"
        EAP-Message = 0x0203000e01616e6f6e796d6f7573
        Message-Authenticator = 0xb44d549e4b1f2ec56153e1ad631e668a
        NAS-Port-Type = Ethernet
        NAS-Port = 50025
        NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to UK-AC-MAN-MTEST:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /tmp/oak-test-publickeycert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=radiusadmin,ou=dir,o=ac,c=uk/radius30 to UK-AC-MAN-MTEST:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 0
  rlm_eap: EAP packet type response id 3 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 241 to 10.150.200.1 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010400061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2c5156fe980e6942aecc6875b027751d
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=242, length=231
        User-Name = "anonymous"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1B-2A-98-B4-19"
        Calling-Station-Id = "00-0B-DB-8D-4B-12"
        EAP-Message = 0x0204005e150016030100530100004f030147cc12bf0667b64837c1b30867fd26160a518e0f7647a58389823726b1a842bf00002800390038003500160013000a00330032002f000700050004001500120009001400110008000600030100
        Message-Authenticator = 0x66f506782efe3471fbab984a878a73a9
        NAS-Port-Type = Ethernet
        NAS-Port = 50025
        State = 0x2c5156fe980e6942aecc6875b027751d
        NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 1
  rlm_eap: EAP packet type response id 4 length 94
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 1
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0053], ClientHello  
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0678], Certificate  
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode  
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 242 to 10.150.200.1 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x15a95ec6b646d277600da84a495c2ed1ab6868dc929fdb6ddabe82ee2cb9f8271061a7751be8eaa9af337e47f8113005622ca49b046f0caa54c406f510cc847d5096c816e000039730820393308202fca0030201020209009f72c65766f4a47d300d06092a864886f70d010105050030818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573311f301d06092a864886f70d0109011610646f63746f72406d63632e6163
        EAP-Message = 0x2e756b301e170d3037313030393132323234395a170d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01d6512cad1d4926f0ce9a9cd0fb33d1
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=243, length=143
        User-Name = "anonymous"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1B-2A-98-B4-19"
        Calling-Station-Id = "00-0B-DB-8D-4B-12"
        EAP-Message = 0x020500061500
        Message-Authenticator = 0xb9d6884149d80dacf0157781f949d221
        NAS-Port-Type = Ethernet
        NAS-Port = 50025
        State = 0x01d6512cad1d4926f0ce9a9cd0fb33d1
        NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 2
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 2
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 243 to 10.150.200.1 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x040b130b4954205365727669636573311f301d06092a864886f70d0109011610646f63746f72406d63632e61632e756b8209009f72c65766f4a47d300c0603551d13040530030101ff300d06092a864886f70d010105050003818100008623e013bbe32deff3a86b4feed8192477afd740213d6b5f8d3dda0248c3a7a434763ad837b62160e3582f36f6f15ca649c96a8fed4fc4fed8c44e6afab88b37e0797007b54653d90807c41e8c24937212fcfe8a4ca5ad1af34bd70f2fad8e88d2e36d55f173435eb8f65fe0d506c5bfb764e0a4f32f964bac9a3c0994a15716030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xd4ee02e4ff3fa99b8bc946c7211385e3
Finished request 2
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=244, length=341
        User-Name = "anonymous"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1B-2A-98-B4-19"
        Calling-Station-Id = "00-0B-DB-8D-4B-12"
        EAP-Message = 0x020600cc150016030100861000008200808e6cf1f486f61d36b48487ab5f61e2621a5e54c917618cc7de667e52dbc561586a3577906c36d3b6a226493352d6b6a3ceef5dbadb45b538d5c788b5382198a084282dd728d8eb38a1b7105cf64b47446c1acada00e97c8f54fa5e8d8d0761b31fe3a70bb081027836af4c0bd974be49b1dbcdfc42313378f7504d326d0a250e140301000101160301003055a53627a635e1aed424140b7b5b4cb80fb875ed32b7d6e4f68b477ae9d14cadf9b8b7a63a0b69b0b1a31d9638158655
        Message-Authenticator = 0x6b3dad9949169d28a06737200c13c05b
        NAS-Port-Type = Ethernet
        NAS-Port = 50025
        State = 0xd4ee02e4ff3fa99b8bc946c7211385e3
        NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 3
  rlm_eap: EAP packet type response id 6 length 204
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 3
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]  
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished  
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]  
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished  
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 244 to 10.150.200.1 port 1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x0107004515800000003b1403010001011603010030cc89d2cbbe5170e95c98d16842a31800f8b6968a1813f4bd499d9f6d9a224b5d6ad4f5737fb4a96a3949d5b7952a97a0
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb1a6b438e7b877038a7d4bb7173ac013
Finished request 3
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=245, length=249
        User-Name = "anonymous"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1B-2A-98-B4-19"
        Calling-Station-Id = "00-0B-DB-8D-4B-12"
        EAP-Message = 0x0207007015001703010020a819c8c977c11469db6af3b963fedee329e678ed839896b16acd6e52f69ca7eb17030100406788ca181350f08ccf5665d9c416f22ce7bebd06e4b9903f06a521b93cb78c61d1ccb21b49c5de7945dc89962aa8fa04639ffc88b90bbc94d7cd2fe278ad7c9c
        Message-Authenticator = 0x22a487248763bfd3825d8ac959b18b50
        NAS-Port-Type = Ethernet
        NAS-Port = 50025
        State = 0xb1a6b438e7b877038a7d4bb7173ac013
        NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 4
  rlm_eap: EAP packet type response id 7 length 112
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 4
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = "raduser1"
        User-Password = "raduser10"
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = "raduser1"
        User-Password = "raduser10"
        FreeRADIUS-Proxied-To = 127.0.0.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "raduser1", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for raduser1
radius_xlat:  '(uid=raduser1)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=raduser1)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user raduser1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns ok for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 4
  modcall[authorize]: module "files" returns notfound for request 4
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns ok) for request 4
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
  Found Post-Auth-Type
  Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 4
  modcall[post-auth]: module "uni_ldap" returns noop for request 4
modcall: leaving group REJECT (returns noop) for request 4
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 4
modcall: leaving group authenticate (returns invalid) for request 4
auth: Failed to validate the user.
  Found Post-Auth-Type
  Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 4
  modcall[post-auth]: module "uni_ldap" returns noop for request 4
modcall: leaving group REJECT (returns noop) for request 4
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 241 with timestamp 47cc14bf
Sending Access-Reject of id 245 to 10.150.200.1 port 1645
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 242 with timestamp 47cc14c0
Cleaning up request 2 ID 243 with timestamp 47cc14c0
Cleaning up request 3 ID 244 with timestamp 47cc14c0
Cleaning up request 4 ID 245 with timestamp 47cc14c0
Nothing to do.  Sleeping until we see a request.


--
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 802.1x, EAP and LDAP

by Mike Richardson

On Mon, Mar 03, 2008 at 03:44:29PM +0100, Alan DeKok wrote:
> Mike Richardson wrote:
> > My first post: I'm trying to do 802.1x between Xsupplicant (through a Cisco
> > switch) to Freeradius 1.1.7 using Novell eDirectory LDAP.
>
>   1) Configure and test TTLS with a user in the "users" file.

Works.

>   2) Configure and test LDAP with "radtest" (clear-text password)
>      for a *different* user

Doesn't work. Similar sort of error though.

>   3) test TTLS with a user in LDAP.
>
> > I can successfully authenticate as a local user in the 'users' file but the
> > LDAP side is eluding me.
>
>   Don't do 802.1x and LDAP until you have normal "radtest" working with
> LDAP.

AFAICT radtest doesn't do EAP so it didn't seem to be a particularly valid
test. The approach required appeared quite different but I'm open to
suggestions. I've spent a long time trying to get RADIUS/LDAP auth to work
in any format.

Anyway, the output from a test with 'radtest' and LDAP:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/imported_clients.cfg
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
 ldap: server = "UK-AC-MAN-MTEST"
 ldap: port = 636
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=radiusadmin,ou=dir,o=ac,c=uk"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "/tmp/oak-test-publickeycert.pem"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "demand"
 ldap: password = "radius30"
 ldap: basedn = "c=uk"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "nspmdistributionpassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: edir_account_policy_check = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name uni_ldap
rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x801107c8
Module: Instantiated ldap (uni_ldap)
Module: Loaded eap
 eap: default_eap_type = "ttls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/freeradius/cert-srv.pem"
 tls: certificate_file = "/etc/freeradius/cert-srv.pem"
 tls: CA_file = "/etc/freeradius/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/dev/null"
 tls: random_file = "/dev/urandom"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
WARNING: rlm_eap_tls: Unable to set DH parameters.  DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = no
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 130.88.200.85:1025, id=61, length=48
        User-Name = "raduser2"
        User-Password = "raduser20"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "raduser2", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for raduser2
radius_xlat:  '(uid=raduser2)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to UK-AC-MAN-MTEST:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /tmp/oak-test-publickeycert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=radiusadmin,ou=dir,o=ac,c=uk/radius30 to UK-AC-MAN-MTEST:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in c=uk, with filter (uid=raduser2)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user raduser2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns ok for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
  Found Post-Auth-Type
  Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 0
  modcall[post-auth]: module "uni_ldap" returns noop for request 0
modcall: leaving group REJECT (returns noop) for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 61 to 130.88.200.85 port 1025
Waking up in 4 seconds...


--
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*

Re: 802.1x, EAP and LDAP

by Alan DeKok-2

Mike Richardson wrote:
>>   2) Configure and test LDAP with "radtest" (clear-text password)
>>      for a *different* user
>
> Doesn't work. Similar sort of error though.

  Then fix that before proceeding with EAP.

>>   Don't do 802.1x and LDAP until you have normal "radtest" working with
>> LDAP.
>
> AFAICT radtest doesn't do EAP so it didn't seem to be a particularly valid
> test.

  To be blunt: it's rude to ask questions of experts, and then to tell
them that their answers are invalid.  If you know better, why are you
asking questions on this list?

> The approach required appeared quite different but I'm open to
> suggestions. I've spent a long time trying to get RADIUS/LDAP auth to work
> in any format.

  I've spent over 10 years working with RADIUS, and almost 9 years with
FreeRADIUS.  The "Active Directory with LDAP && TTLS" issue has come up
more times than I can count.  It has been *solved* more times than I can
count, by FOLLOWING INSTRUCTIONS.

> Anyway, the output from a test with 'radtest' and LDAP:
...
> rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.

  You were told to go fix this.  Do it.  Now.

> rad_recv: Access-Request packet from host 130.88.200.85:1025, id=61, length=48
> User-Name = "raduser2"
> User-Password = "raduser20"
...
> rlm_ldap: looking for check items in directory...

  Nothing.  This isn't surprising for Active Directory.

> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

  If you have configured "ldap" in the "authenticate" section, then this
would work.  The LDAP "bind as user" works with AD for PAP requests.

  Hint: look in the configuration files for instances of the word
"ldap".  Read the comments.  Un-comment the sample configurations.

  It's *not* hard.

  1) install FreeRADIUS
  2) configure LDAP (*all* references in radiusd.conf &&
sites-available/default)
  3) validate that radtest works.

  Alan DeKok.
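The two "No authenticate method (Auth-Type) configuration found" rejects in the debug output above (the tunneled TTLS request for raduser1 and the plain radtest request for raduser2) and the "Over-riding set_auth_type, as we're not listed in the authenticate section" line at module load are the same wiring problem seen from two sides. The fragment below is an added example of how a FreeRADIUS 1.1.x radiusd.conf wires an rlm_ldap instance into both the authorize and the authenticate sections; it is not the poster's configuration, which is not shown on this page. The instance is called uni_ldap because that is the name the debug output reports ("Module: Instantiated ldap (uni_ldap)", "Registering ldap_xlat with xlat_name uni_ldap"); server, port, identity, basedn, filter, CA file and password_attribute are copied from the -X output, the bind password is a placeholder, and everything else is a stock 1.1.x default. The point it illustrates: in the 1.1.x rlm_ldap source, set_auth_type = yes is honoured only if an Auth-Type value with the module's own instance name exists, and those values are created from the authenticate section, so the stock "Auth-Type LDAP { ldap }" block does not satisfy an instance named uni_ldap and the module silently disables set_auth_type, which is exactly the warning printed above.

```conf
#  Added example for FreeRADIUS 1.1.x radiusd.conf, not the original poster's file.
#  Values marked "from -X output" are copied from the debug log in this thread;
#  everything else is a stock default or an assumption.

modules {
	ldap uni_ldap {                          # instance name, as logged: "Instantiated ldap (uni_ldap)"
		server = "UK-AC-MAN-MTEST"           # from -X output
		port = 636                           # from -X output; 1.1.x connects with ldaps on 636
		identity = "cn=radiusadmin,ou=dir,o=ac,c=uk"    # from -X output
		password = "<bind-password>"         # placeholder; the real value appears in the log above
		basedn = "c=uk"                      # from -X output
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		tls_cacertfile = "/tmp/oak-test-publickeycert.pem"
		tls_require_cert = "demand"
		#  eDirectory Universal Password. Only useful if the bind identity is
		#  allowed to read it; the "No known good password" warning in the log
		#  means nothing usable came back, so the bind-as-user path below is needed.
		password_attribute = "nspmdistributionpassword"
		edir_account_policy_check = yes
		#  Ask rlm_ldap to set Auth-Type := uni_ldap when it finds the user.
		#  This is disabled at load time ("Over-riding set_auth_type ...") unless
		#  the *instance* name, not "ldap", appears in the authenticate section.
		set_auth_type = yes
		dictionary_mapping = /etc/freeradius/ldap.attrmap
		ldap_connections_number = 5
	}
}

authorize {
	preprocess
	chap
	mschap
	suffix
	uni_ldap        # finds raduser1/raduser2 and sets Auth-Type := uni_ldap on PAP requests
	eap             # outer 802.1X request ("anonymous") gets Auth-Type := EAP here instead
	files
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	#  The sub-section name must equal the instance name. A stock
	#  "Auth-Type LDAP { ldap }" block defines no value called uni_ldap.
	Auth-Type uni_ldap {
		uni_ldap    # binds to eDirectory as the user's DN with the cleartext User-Password
	}
	eap
}
```

With this in place, radiusd -X should no longer print the "Over-riding set_auth_type" line at startup, and a cleartext radtest (radtest raduser2 <password> localhost 0 <shared-secret>, where the shared secret is whatever clients.conf holds for 127.0.0.1; neither value is on this page) should carry Auth-Type uni_ldap into the authenticate section instead of being rejected with "No authenticate method". Two caveats. First, the bind-as-user path only works when the server receives the cleartext password, which is the case for radtest with PAP and for EAP-TTLS with an inner PAP request as in the log above; PEAP or TTLS with inner MSCHAPv2 would instead need the password returned from the directory as a check item. Second, the -X output on this page prints the LDAP bind credential and the tunneled user passwords in clear, so treat posted debug output as a credential leak and rotate those values.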

Re: 802.1x, EAP and LDAP

by Mike Richardson

On Mon, Mar 03, 2008 at 04:46:36PM +0100, Alan DeKok wrote:
> Mike Richardson wrote:
> >>   2) Configure and test LDAP with "radtest" (clear-text password)
> >>      for a *different* user
> >
> > Doesn't work. Similar sort of error though.
>
>   Then fix that before proceeding with EAP.

> >>   Don't do 802.1x and LDAP until you have normal "radtest" working with
> >> LDAP.
> >
> > AFAICT radtest doesn't do EAP so it didn't seem to be a particularly valid
> > test.
>
>   To be blunt: it's rude to ask questions of experts, and then to tell
> them that their answers are invalid.  If you know better, why are you
> asking questions on this list?

I'm not trying to be rude I promise. I'm asking here because I don't know
better. I'm sorry if it sounds differently, it's just that after a solid
week on this I'm a little frustrated. Apologies if this came through.

I'd read that radtest didn't do EAP so I installed Xsupplicant and was using
that for tests. That seems to be a more realistic approach. If you think that
I can fix the problem by not attempting EAP and using radtest then that is
exactly what I shall do.

> > The approach required appeared quite different but I'm open to
> > suggestions. I've spent a long time trying to get RADIUS/LDAP auth to work
> > in any format.
>
>   I've spent over 10 years working with RADIUS, and almost 9 years with
> FreeRADIUS.  The "Active Directory with LDAP && TTLS" issue has come up
> more times than I can count.  It has been *solved* more times than I can
> count, by FOLLOWING INSTRUCTIONS.

I am doing everything that has been asked of me.

> > Anyway, the output from a test with 'radtest' and LDAP:
> ...
> > rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
>
>   You were told to go fix this.  Do it.  Now

I DID. I didn't think that posting the new radius config would be of use but
the section in authenticate is DEFINITELY there and uncommented. Why this
message is appearing in the output is a mystery to me.

> > rad_recv: Access-Request packet from host 130.88.200.85:1025, id=61, length=48
> > User-Name = "raduser2"
> > User-Password = "raduser20"
> ...
> > rlm_ldap: looking for check items in directory...
>
>   Nothing.  This isn't surprising for Active Directory.

Novell eDirectory not active directory.

> > auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>
>   If you have configured "ldap" in the "authenticate" section, then this
> would work.  The LDAP "bind as user" works with AD for PAP requests.

I did.

>   Hint: look in the configuration files for instances of the word
> "ldap".  Read the comments.  Un-comment the sample configurations.
>
I did.

>   It's *not* hard.

I know, that's why I did it.

>   1) install FreeRADIUS
>   2) configure LDAP (*all* references in radiusd.conf &&
> sites-available/default)
>   3) validate that radtest works.

I'm reading everything and following all the instructions to the letter.
Please don't take that sort of attitude. I've explained that I'm not so I'd
appreciate it if you'd do the same.

Thanks,

Mike

--
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*

Re: 802.1x, EAP and LDAP

by Alan DeKok-2

Mike Richardson wrote:
> I'd read that radtest didn't do EAP so I installed Xsupplicant and was using
> that for tests. That seems to be a more realistic approach. If you think that
> I can fix the problem by not attempting EAP and using radtest then that is
> exactly what I shall do.

  Yes.  The problem has nothing to do with EAP.

>>> rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
>>   You were told to go fix this.  Do it.  Now
>
> I DID. I didn't think that posting the new radius config would be of use but
> the section in authenticate is DEFINITELY there and uncommented. Why this
> message is appearing in the output is a mystery to me.

  How much of the default configuration file did you edit?  Start with
the *default* configuration, and make small changes from there.

  The default configuration *works*.

  If you've been trying to get this working for a long time, then either
there's a major bug in the version you're using, *or*, you're not
editing && testing the configuration in a systematic way.

> I'm reading everything and following all the instructions to the letter.
> Please don't take that sort of attitude. I've explained that I'm not so I'd
> appreciate it if you'd do the same.

  My amazement is that it appears to be so hard to get this working.
Honestly, the default configuration works in the widest possible set of
circumstances.  I can't tell you how many people just installed the
server, un-commented the ldap config, pointed it to their local ldap
server, tested with "radtest", and saw that it worked.

  It really *is* that easy.  Try it.  If it doesn't work for you, then
there's something major going wrong.

  *That's* why configurations are tested in pieces.  If plain PAP
doesn't work when going to LDAP, then it's a complete and total waste of
your time to install and configure an 802.1x supplicant.

  Alan DeKok.

Re: 802.1x, EAP and LDAP

by Mike Richardson

On Mon, Mar 03, 2008 at 05:23:44PM +0100, Alan DeKok wrote:

> Mike Richardson wrote:
> > I'd read that radtest didn't do EAP so I installed Xsupplicant and was using
> > that for tests. That seems to be a more realistic approach. If you think that
> > I can fix the problem by not attempting EAP and using radtest then that is
> > exactly what I shall do.
>
>   Yes.  The problem has nothing to do with EAP.
>
> >>> rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
> >>   You were told to go fix this.  Do it.  Now
> >
> > I DID. I didn't think that posting the new radius config would be of use but
> > the section in authenticate is DEFINITELY there and uncommented. Why this
> > message is appearing in the output is a mystery to me.
>
>   How much of the default configuration file did you edit?  Start with
> the *default* configuration, and make small changes from there.

I've been making changes for 8 hours a day for over a week so it might
differ from the original. However, I have been back to the defaults twice. As of
tomorrow I'll reinstall and try it again. From what you're saying I believe
I need to put in the LDAP config for our eDirectory and uncomment any LDAP
authorisation/authentication entries. Anything else?

Then I can use radtest to test the authentication?

How does the config know to use PAP rather than CHAP/MSCHAP?

>   The default configuration *works*.
>
>   If you've been trying to get this working for a long time, then either
> there's a major bug in the version you're using, *or*, you're not
> editing && testing the configuration in a systematic way.

Freeradius 1.1.7 on debian etch.

I've been through every config guide I can find on the net, several times.
Admittedly at the start I'd only used Radiator so the Freeradius config was
quite different.

It's only today though that I found a site which explained the limitations
of the PAP/CHAP/MSCHAP with respect to password encryptions. Most guides
assume MSCHAP, for use with PEAP, and most use flat file user
authentication. Not many touch on LDAP and only Novell have eDirectory based
documentation.

> > I'm reading everything and following all the instructions to the letter.
> > Please don't take that sort of attitude. I've explained that I'm not so I'd
> > appreciate it if you'd do the same.
>
>   My amazement is that it appears to be so hard to get this working.
> Honestly, the default configuration works in the widest possible set of
> circumstances.  I can't tell you how many people just installed the
> server, un-commented the ldap config, pointed it to their local ldap
> server, tested with "radtest", and saw that it worked.

That's what I keep reading and trying but so far nothing. I have set up an
OpenLDAP server but so far I've got the same error messages as with
eDirectory.

>   It really *is* that easy.  Try it.  If it doesn't work for you, then
> there's something major going wrong.
>
>   *That's* why configurations are tested in pieces.  If plain PAP
> doesn't work when going to LDAP, then it's a complete and total waste of
> your time to install and configure an 802.1x supplicant.

eDirectory was the only piece I have no control over (managed elsewhere) so I
started with Supplicant->RADIUS->files and got that working, then attempted
to add LDAP. It seemed to make sense at the time given the plethora of
documentation to help with this and little for RADIUS->LDAP. In hindsight it
was the wrong order, but wisdom is not always learned linearly.

I hope that it all works and I won't need to come back other than to thank
you.

Mike

--
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*

Re: 802.1x, EAP and LDAP

by tnt-5

>From what you're saying I believe
>I need to put in the LDAP config for our eDirectory and uncomment any LDAP
>authorisation/authentication entries. Anything else?
>
>Then I can use radtest to test the authentication?

Yes. First test with user file entry, then with entry in the directory.

>
>How does the config know to use PAP rather than CHAP/MSCHAP?
>

Welcome to Freeradius. The server will figure it out "on its own" (it can
determine what type of request it is) and apply the appropriate
processing (i.e. set Auth-Type itself).

Once pap is working you can send a mschap request (radtest doesn't do it
but something like JRadius Simulator can) to make sure that works (you
haven't encrypted the password or such) before sending a PEAP request.

Ivan Kalik
Kalik Informatika ISP


Re: 802.1x, EAP and LDAP

by Alan DeKok-2

Mike Richardson wrote:
> I've been making changes for 8 hours a day for over a week so it might
> differ from the original.

  Which is a bit of a problem in and of itself.

> However, I have been back to the defaults twice. As of
> tomorrow I'll reinstall and try it again. From what you're saying I believe
> I need to put in the LDAP config for our eDirectory and uncomment any LDAP
> authorisation/authentication entries. Anything else?

  Not for LDAP.

> Then I can use radtest to test the authentication?

  Yes.

> How does the config know to use PAP rather than CHAP/MSCHAP?

  Because all of the experience of the developers working for years with
RADIUS is distilled into the configuration files.

> I've been through every config guide I can find on the net, several times.

  If it takes more than 10 minutes to get FreeRADIUS authenticating to
LDAP, ask a question on the list.  Honestly.  It's *so* much better to
get an answer on the list than to fight for a week...

> It's only today though that I found a site which explained the limitations
> of the PAP/CHAP/MSCHAP with respect to password encryptions.

  My deployingradius.com site?  It has a number of resources.

> Most guides
> assume MSCHAP, for use with PEAP, and most use flat file user
> authentication. Not many touch on LDAP and only Novell have eDirectory based
> documentation.

  Of course.  Only Novell understands how eDirectory works.

  For LDAP, buy the O'Reilly OpenLDAP book.  It has a good section on
getting OpenLDAP && FreeRADIUS to talk to each other.  It's very quick...

  Alan DeKok.

Re: 802.1x, EAP and LDAP

by Mike Richardson

On Tue, Mar 04, 2008 at 07:33:09AM +0100, Alan DeKok wrote:
> Mike Richardson wrote:
> > I've been making changes for 8 hours a day for over a week so it might
> > differ from the original.
>
>   Which is a bit of a problem in and of itself.

I posted the configs in the original email - was there anything in there
which looked completely out of place?

> > How does the config know to use PAP rather than CHAP/MSCHAP?
>
>   Because all of the experience of the developers working for years with
> RADIUS is distilled into the configuration files.

Is there any documentation on how this works? I would like to know.

> > I've been through every config guide I can find on the net, several times.
>
>   If it takes more than 10 minutes to get FreeRADIUS authenticating to
> LDAP, ask a question on the list.  Honestly.  It's *so* much better to
> get an answer on the list than to fight for a week...

I don't mind fighting for a week if it works at the end and I have a better
understanding. At this point it doesn't work but I do have a better
understanding. Most software takes more than 10 minutes to understand and
configure, and I wouldn't be confident in my ability to support it campus
wide if I'd only spent 10 mins on it. I don't believe in asking for help
without doing as thorough a job as I can in experimenting and learning.

Normally between time, trial and error and google things will work. In this
case, unfortunately not. It's the first time I've had to post to a mailing
list for help in many years and, no offence intended, it feels like I'm
admitting defeat.

>   My deployingradius.com site?  It has a number of resources.

Thanks, I'll take a look.

>   Of course.  Only Novell understands how eDirectory works.
>
>   For LDAP, buy the O'Reilly OpenLDAP book.  It has a good section on
> getting OpenLDAP && FreeRADIUS to talk to each other.  It's very quick...

Thanks again.

Mike

--
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*

Re: 802.1x, EAP and LDAP

by Alan DeKok-2

Mike Richardson wrote:
> I posted the configs in the original email - was there anything in there
> which looked completely out of place?

  No idea.  Honestly, I rarely look at configurations.  There's just too
much stuff there.  I look at debug logs.  And if the configuration has
big problems, it's *really* not worth my time to look.  That's why I
keep saying "start with the default config"

>>> How does the config know to use PAP rather than CHAP/MSCHAP?
>>   Because all of the experience of the developers working for years with
>> RADIUS is distilled into the configuration files.
>
> Is there any documentation on how this works? I would like to know.

  raddb/radiusd.conf.  In short, the RADIUS Access-Request contains all
of the information the server needs to determine the authentication
method.  The only requirement on the local administrator is to somehow
tell the server a Cleartext-Password.

> I don't mind fighting for a week if it works at the end and I have a better
> understanding. At this point it doesn't work but I do have a better
> understanding. Most software takes more than 10 minutes to understand and
> configure, and I wouldn't be confident in my ability to support it campus
> wide if I'd only spent 10 mins on it. I don't believe in asking for help
> without doing as thorough a job as I can in experimenting and learning.

  Sure.  But the default configuration is *really* that simple for basic
things like LDAP, SQL, and 802.1x.  And version 2.0 is even easier.

  Alan DeKok.


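Ivan's and Alan's point in the two replies above (the server reads the authentication method off the Access-Request itself, and the only thing the administrator has to supply is a Cleartext-Password), as an added Python example that is not from the thread or from FreeRADIUS: it picks the Auth-Type from the attributes present and verifies PAP and CHAP against the known password. The request dictionaries, the "raduser1"/"raduser10" credentials and the helper names are constructed for the example.

```python
import hashlib
import hmac
import os

# Attributes that identify each method. The order matters: an EAP request
# also carries no User-Password, and a request with MS-CHAP attributes must
# not be treated as CHAP. Standard RADIUS dictionary names; table constructed
# for this example.
METHOD_MARKERS = (
    ("EAP", ("EAP-Message",)),
    ("MS-CHAP", ("MS-CHAP-Response", "MS-CHAP2-Response")),
    ("CHAP", ("CHAP-Password",)),
    ("PAP", ("User-Password",)),
)


def select_auth_type(request):
    """Return the Auth-Type implied by the attributes in an Access-Request,
    or None when the request carries no recognisable credential."""
    for method, attrs in METHOD_MARKERS:
        if any(a in request for a in attrs):
            return method
    return None


def chap_response(chap_id, secret, challenge):
    """CHAP as carried in RADIUS (RFC 2865 s5.3): MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def make_chap_request(user, password, chap_id=1, challenge=None):
    """Build a constructed Access-Request the way a CHAP NAS would.

    When the NAS sends no CHAP-Challenge attribute, RFC 2865 says the
    16-byte Request Authenticator is the challenge, so that field is
    always carried here as well.
    """
    authenticator = os.urandom(16)
    chal = challenge if challenge is not None else authenticator
    req = {
        "User-Name": user,
        "Request-Authenticator": authenticator,
        "CHAP-Password": bytes([chap_id]) + chap_response(chap_id, password, chal),
    }
    if challenge is not None:
        req["CHAP-Challenge"] = challenge
    return req


def authenticate(request, cleartext_password):
    """Decide the method from the request and verify it against the known
    cleartext password; returns (method, result).

    result is True/False for PAP and CHAP. It is None when no method could
    be determined, when no password is known for the user (this is the
    "No authenticate method (Auth-Type) configuration found" situation
    from the thread's debug output), or when the method needs steps this
    example leaves out (MS-CHAP's NT-hash/DES computation, EAP's inner
    exchange). A None result is a reject, not a pass.
    """
    method = select_auth_type(request)
    if method is None or cleartext_password is None:
        return (method, None)
    if method == "PAP":
        ok = hmac.compare_digest(request["User-Password"], cleartext_password)
        return (method, ok)
    if method == "CHAP":
        chap = request["CHAP-Password"]  # 1 byte CHAP ID + 16 byte MD5
        if len(chap) != 17:
            return (method, False)
        challenge = request.get("CHAP-Challenge", request["Request-Authenticator"])
        expected = chap_response(chap[0], cleartext_password, challenge)
        return (method, hmac.compare_digest(chap[1:], expected))
    return (method, None)  # MS-CHAP / EAP: detected, not verified here


if __name__ == "__main__":
    # Constructed credentials mirroring the thread's radtest user.
    known = b"raduser10"
    pap = {"User-Name": "raduser1", "User-Password": b"raduser10"}
    print(authenticate(pap, known))                                 # ('PAP', True)
    print(authenticate(make_chap_request("raduser1", known), known))  # ('CHAP', True)
    print(authenticate(pap, None))                                  # ('PAP', None)
```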

Re: 802.1x, EAP and LDAP

by Mike Richardson

Looks like something odd is going on. I've removed freeradius and
reinstalled it. I added the LDAP config and uncommented the various 'ldap' lines,
see config.

Definitely uncommented:

        Auth-Type LDAP {
                uni_ldap
        }


This line still there:

rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.

The software is a debian package compiled with --with-rlm_eap as per
http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html

I've tested it with a user in the users file and it works fine.

My next move would be to install the default debian package (without EAP
support) and try that, then to try openldap, unless you've got better
suggestions?

Thanks,

radiusd.conf:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = freerad
group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
$INCLUDE  ${confdir}/imported_clients.cfg
snmp = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        pap {
                auto_header = yes
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
                shadow = /etc/shadow
                radwtmp = ${logdir}/radwtmp
        }
$INCLUDE ${confdir}/eap.conf
        mschap {
        }
        ldap original {
                server = "ldap.your.domain"
                basedn = "o=My Org,c=UA"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                edir_account_policy_check=no
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
        ldap uni_ldap {
                server = "UK-AC-MAN-MTEST"
                identity = "cn=radiusadmin,ou=dir,o=ac,c=uk"
                password = radius30
                port = 636
                basedn = "c=uk"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                tls_cacertfile  = /home/doctor/oak-test-publickeycert.pem
                tls_require_cert        = "demand"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = nspmdistributionpassword
                edir_account_policy_check=no
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
        realm IPASS {
                format = prefix
                delimiter = "/"
                ignore_default = no
                ignore_null = no
        }
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = no
        }
        realm realmpercent {
                format = suffix
                delimiter = "%"
                ignore_default = no
                ignore_null = no
        }
        realm ntdomain {
                format = prefix
                delimiter = "\\"
                ignore_default = no
                ignore_null = no
        }
        checkval {
                item-name = Calling-Station-Id
                check-name = Calling-Station-Id
                data-type = string
        }
       
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }
        $INCLUDE  ${confdir}/sql.conf
       
        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
        sqlcounter dailycounter {
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                reply-name = Session-Timeout
                sqlmod-inst = sql
                key = User-Name
                reset = daily
                query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
        }
        sqlcounter monthlycounter {
                counter-name = Monthly-Session-Time
                check-name = Max-Monthly-Session
                reply-name = Session-Timeout
                sqlmod-inst = sql
                key = User-Name
                reset = monthly
                query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
        }
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        expr {
        }
        digest {
        }
        exec {
                wait = yes
                input_pairs = request
        }
        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }
        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
                maximum-timeout = 0
        }
}
instantiate {
        exec
        expr
}
authorize {
        preprocess
       
        chap
        mschap
        suffix
        eap
        files
        uni_ldap
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
                uni_ldap
        }
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
}
session {
        radutmp
}
post-auth {
        uni_ldap
}
pre-proxy {
}
post-proxy {
        eap
}


/usr/sbin/freeradius -X output:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/imported_clients.cfg
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = "UK-AC-MAN-MTEST"
 ldap: port = 636
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=radiusadmin,ou=dir,o=ac,c=uk"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "/home/doctor/oak-test-publickeycert.pem"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "demand"
 ldap: password = "radius30"
 ldap: basedn = "c=uk"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "nspmdistributionpassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: edir_account_policy_check = no
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name uni_ldap
rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x80110a78
Module: Instantiated ldap (uni_ldap)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 130.88.200.85:1025, id=47, length=48
        User-Name = "raduser1"
        User-Password = "raduser10"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "raduser1", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 155
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for raduser1
radius_xlat:  '(uid=raduser1)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to UK-AC-MAN-MTEST:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /home/doctor/oak-test-publickeycert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=radiusadmin,ou=dir,o=ac,c=uk/radius30 to UK-AC-MAN-MTEST:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in c=uk, with filter (uid=raduser1)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user raduser1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 47 to 130.88.200.85 port 1025
Waking up in 4 seconds...


Mike

--
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 802.1x, EAP and LDAP

by tnt-5

I don't know anything about eDirectory, but could this be a problem for
retrieving password and other attributes:

>rlm_ldap: No default NMAS login sequence

Ivan Kalik
Kalik Informatika ISP


Re: 802.1x, EAP and LDAP

by Alan DeKok-2

Mike Richardson wrote:
> Looks like something odd is going on. I've removed freeradius and
> reinstalled it. I added the LDAP config and uncommented the various 'ldap' lines,
> see config.

  You did a bit more than that.  That additional effort is where the
problem is coming from.

> Definitely uncommented:
>
>         Auth-Type LDAP {
>                 uni_ldap
>         }

  There is no "uni_ldap" line in the default configuration.  It's
"ldap".  And yes, it makes a difference, for reasons that will become
clear later.

> radiusd.conf:

> ldap original {
> server = "ldap.your.domain"
> basedn = "o=My Org,c=UA"
...
>         ldap uni_ldap {
>                 server = "UK-AC-MAN-MTEST"
>                 identity = "cn=radiusadmin,ou=dir,o=ac,c=uk"
...

  Um... no.  When I said "uncomment and configure the ldap module", it
did NOT mean "re-name the existing ldap module, and add a new one with a
different name".

  The extra work you're doing is breaking the server.  Stop it.  Just
un-comment the original ldap module, and configure it.  Don't re-name
it.  Don't add a new ldap module.

> /usr/sbin/freeradius -X output:
...
> Module: Instantiated ldap (uni_ldap)

  The module you created is called "uni_ldap", not "ldap".  Hence the
confusion.  If you had left it named "ldap", it would have Just Worked.

  Or, if you changed the authenticate section to:

authenticate {
        ...
        Auth-Type uni_ldap {
                uni_ldap
        }
        ...
}

  Then it would also have worked.  See the comments on module instance
names at the top of the "modules" section in "radiusd.conf".  If you
create another instance of the LDAP module, then that instance is NOT
named "ldap".  You MUST use its instance name everywhere.

  Again, just un-commenting and configuring the LDAP references in
radiusd.conf would have made this work.  The extra effort you put into
it *broke* the configuration.

  When I say "just un-comment and configure", I REALLY MEAN "just
un-comment and configure".

  Alan DeKok.

Re: 802.1x, EAP and LDAP

by Mike Richardson

On Tue, Mar 04, 2008 at 10:45:37AM +0100, Alan DeKok wrote:
>   Um... no.  When I said "uncomment and configure the ldap module", it
> did NOT mean "re-name the existing ldap module, and add a new one with a
> different name".
>
>   The extra work you're doing is breaking the server.  Stop it.  Just
> un-comment the original ldap module, and configure it.  Don't re-name
> it.  Don't add a new ldap module.

Ok, done that now, still doesn't work though unfortunately.

Thanks for the instantiation explanation, that was useful and cleared up
some confusion.

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = freerad
group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
$INCLUDE  ${confdir}/imported_clients.cfg
snmp = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        pap {
                auto_header = yes
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
                shadow = /etc/shadow
                radwtmp = ${logdir}/radwtmp
        }
$INCLUDE ${confdir}/eap.conf
        mschap {
        }
        ldap {
                server = "UK-AC-MAN-MTEST"
                identity = "cn=radiusadmin,ou=dir,o=ac,c=uk"
                password = radius30
                port = 636
                basedn = "c=uk"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                tls_cacertfile  = /home/doctor/oak-test-publickeycert.pem
                tls_require_cert        = "demand"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = nspmdistributionpassword
                edir_account_policy_check=no
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
        realm IPASS {
                format = prefix
                delimiter = "/"
                ignore_default = no
                ignore_null = no
        }
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = no
        }
        realm realmpercent {
                format = suffix
                delimiter = "%"
                ignore_default = no
                ignore_null = no
        }
        realm ntdomain {
                format = prefix
                delimiter = "\\"
                ignore_default = no
                ignore_null = no
        }
        checkval {
                item-name = Calling-Station-Id
                check-name = Calling-Station-Id
                data-type = string
        }
       
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }
        $INCLUDE  ${confdir}/sql.conf
       
        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
        sqlcounter dailycounter {
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                reply-name = Session-Timeout
                sqlmod-inst = sql
                key = User-Name
                reset = daily
                query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
        }
        sqlcounter monthlycounter {
                counter-name = Monthly-Session-Time
                check-name = Max-Monthly-Session
                reply-name = Session-Timeout
                sqlmod-inst = sql
                key = User-Name
                reset = monthly
                query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
        }
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        expr {
        }
        digest {
        }
        exec {
                wait = yes
                input_pairs = request
        }
        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }
        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
                maximum-timeout = 0
        }
}
instantiate {
        exec
        expr
}
authorize {
        preprocess
       
        chap
        mschap
        suffix
        eap
        files
        ldap
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
                ldap
        }
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
}
session {
        radutmp
}
post-auth {
        ldap
}
pre-proxy {
}
post-proxy {
        eap
}


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/imported_clients.cfg
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = "UK-AC-MAN-MTEST"
 ldap: port = 636
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=radiusadmin,ou=dir,o=ac,c=uk"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "/home/doctor/oak-test-publickeycert.pem"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "demand"
 ldap: password = "radius30"
 ldap: basedn = "c=uk"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "nspmdistributionpassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: edir_account_policy_check = no
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x80110648
Module: Instantiated ldap (ldap)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 130.88.200.85:1025, id=58, length=48
        User-Name = "raduser1"
        User-Password = "raduser10"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "raduser1", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 155
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for raduser1
radius_xlat:  '(uid=raduser1)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to UK-AC-MAN-MTEST:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /home/doctor/oak-test-publickeycert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=radiusadmin,ou=dir,o=ac,c=uk/radius30 to UK-AC-MAN-MTEST:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in c=uk, with filter (uid=raduser1)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user raduser1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 58 to 130.88.200.85 port 1025
Waking up in 4 seconds...


Mike

--
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*

Re: 802.1x, EAP and LDAP

by Phil Mayers

> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
>   modcall[authorize]: module "pap" returns noop for request 0

The ldap module didn't find a password for the user, thus the PAP module
couldn't authenticate the user.

I don't know enough about eDirectory to help much more; I can say that a
"normal" LDAP server might contain entries of the form:

dn: cn=user,ou=....
cn: user
objectClass: top
objectClass: person
userPassword: {CRYPT}xxxxxxxx

...or similar, and the ldap module is smart enough to figure it out.

As Ivan has pointed out, I suspect this line higher up is the issue:

 > rlm_ldap: No default NMAS login sequence

A quick read through the source code indicates the mysterious NMAS is
novell universal auth / password / blah.

Re: 802.1x, EAP and LDAP

by Alan DeKok-2

Mike Richardson wrote:
...
> rlm_ldap: performing search in c=uk, with filter (uid=raduser1)
> rlm_ldap: No default NMAS login sequence
> rlm_ldap: looking for check items in directory...

  That needs to be fixed.  See Novell's documentation for how.

>   rad_check_password:  Found Auth-Type System

  Delete that entry from raddb/users.  It's not necessary, and it's not
in 2.0.x.

  It won't help solve this problem, but it may make a difference in the
future.

  Alan DeKok.
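The two diagnoses in the replies above fit together: rlm_ldap (with set_auth_type = yes) sets Auth-Type to its own instance name when the directory returns no password and nothing has set Auth-Type yet, so a renamed instance ("uni_ldap") points at an Auth-Type section that does not exist; the users DEFAULT entry pre-empts that by setting Auth-Type = System first; and without a password attribute from the directory rlm_pap has no "known good" password to compare against. The following is an added example modelling that flow, not FreeRADIUS code and not anything posted in the thread: DIRECTORY, BIND_SECRETS and POSTED_SECTIONS are constructed stand-ins for eDirectory, an LDAP simple bind and the authenticate section of the posted radiusd.conf; `authorize`, `authenticate` and `run` are simplifications of what the posted debug output shows; and the password-header handling covers only {CLEAR}, {SHA} and {SSHA}.

```python
"""Added example (not FreeRADIUS code): a simplified model of the 1.x request
flow the thread is debugging.  Modules in `authorize` add check items; the
Auth-Type check item then selects the `Auth-Type X { ... }` section run in
`authenticate`.  rlm_pap only works when an authorize module supplied a
"known good" password; rlm_ldap, with set_auth_type = yes, instead sets
Auth-Type to its own instance name when no password came back and nothing
set Auth-Type earlier.  All data below is constructed for the example.
"""
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple


def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def pap_compare(known_good: str, supplied: str) -> bool:
    """rlm_pap with auto_header = yes: strip the {scheme} header from the stored
    value and compare the supplied cleartext accordingly.  Only {CLEAR}, {SHA}
    and {SSHA} are handled here; any other scheme never matches."""
    if known_good.startswith("{") and "}" in known_good:
        scheme, _, body = known_good.partition("}")
        scheme = scheme[1:].upper()
    else:
        scheme, body = "CLEAR", known_good
    if scheme == "CLEAR":
        return hmac.compare_digest(body.encode(), supplied.encode())
    raw = base64.b64decode(body)
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(supplied.encode()).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(supplied.encode() + salt).digest())
    return False


# Constructed directory: alice is the "normal" entry Phil describes; raduser1
# has no password attribute, as in the posted debug output.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice": {"userPassword": make_ssha("correct horse", b"saltsalt")},
    "raduser1": {},
}
BIND_SECRETS = {"alice": "correct horse", "raduser1": "raduser10"}  # stand-in for a bind

# Authenticate section of the posted radiusd.conf: Auth-Type (lower-case) -> module
# run inside it.  The bare `unix` entry is what handles Auth-Type System.
POSTED_SECTIONS = {"pap": "pap", "chap": "chap", "ms-chap": "mschap",
                   "system": "unix", "ldap": "ldap"}


def authorize(username: str, users_default_auth_type: Optional[str],
              ldap_instance: str) -> Tuple[Dict[str, str], List[str]]:
    """Run the part of the posted authorize order that matters: files, ldap, pap."""
    check: Dict[str, str] = {}
    log: List[str] = []
    # files: the DEFAULT entry (line 155 of the users file) forces Auth-Type = System.
    if users_default_auth_type:
        check["Auth-Type"] = users_default_auth_type
    # ldap: copy the password attribute as the known-good password; if there is
    # none and Auth-Type is still unset, fall back to an LDAP bind under the
    # module's instance name (this is why "uni_ldap" is not "ldap").
    entry = DIRECTORY.get(username, {})
    if "userPassword" in entry:
        check["User-Password"] = entry["userPassword"]
    elif "Auth-Type" not in check:
        check["Auth-Type"] = ldap_instance
        log.append("rlm_ldap: Setting Auth-Type = %s" % ldap_instance)
    # pap: claim the request only when a known-good password exists.
    if "User-Password" in check:
        check.setdefault("Auth-Type", "PAP")
    else:
        log.append('rlm_pap: WARNING! No "known good" password found for the user.')
    return check, log


def authenticate(check: Dict[str, str], username: str, supplied: str,
                 sections: Dict[str, str]) -> str:
    """Dispatch on Auth-Type; a value with no matching section cannot be handled."""
    auth_type = check.get("Auth-Type", "")
    module = sections.get(auth_type.lower())
    if module is None:
        return "reject: no Auth-Type %s section" % auth_type
    if module == "pap":
        return "ok" if pap_compare(check["User-Password"], supplied) else "reject"
    if module == "ldap":  # simple bind as the user against the directory
        return "ok" if BIND_SECRETS.get(username) == supplied else "reject"
    return "reject: %s returns notfound" % module  # unix: user not in /etc/passwd


def run(username: str, supplied: str, users_default_auth_type: Optional[str],
        ldap_instance: str, sections: Dict[str, str] = POSTED_SECTIONS) -> str:
    check, _log = authorize(username, users_default_auth_type, ldap_instance)
    return authenticate(check, username, supplied, sections)
```

Four calls reproduce the thread: `run("raduser1", "raduser10", "System", "ldap")` is the posted debug output (Auth-Type System from the DEFAULT entry, unix returns notfound); `run("raduser1", "raduser10", None, "uni_ldap")` is the renamed instance with the DEFAULT removed (Auth-Type uni_ldap has no section); `run("raduser1", "raduser10", None, "ldap")` falls through to the bind under the matching instance name; and `run("alice", "correct horse", None, "ldap")` is Phil's normal entry, where ldap supplies the {SSHA} value and pap verifies it.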

Re: 802.1x, EAP and LDAP

by Mike Richardson

On Tue, Mar 04, 2008 at 10:35:29AM +0000, Phil Mayers wrote:

> >rlm_ldap: ldap_release_conn: Release Id: 0
> >  modcall[authorize]: module "ldap" returns ok for request 0
> >rlm_pap: WARNING! No "known good" password found for the user.  
> >Authentication may fail because of this.
> >  modcall[authorize]: module "pap" returns noop for request 0
>
> The ldap module didn't find a password for the user, thus the PAP module
> couldn't authenticate the user.
>
> I don't know enough about eDirectory to help much more; I can say that a
> "normal" LDAP server might contain entries of the form:
>
> dn: cn=user,ou=....
> cn: user
> objectClass: top
> objectClass: person
> userPassword: {CRYPT}xxxxxxxx
>
> ...or similar, and the ldap module is smart enough to figure it out.
>
> As Ivan has pointed out, I suspect this line higher up is the issue:
>
> > rlm_ldap: No default NMAS login sequence
>
> A quick read through the source code indicates the mysterious NMAS is
> novell universal auth / password / blah.

How does the PAP module attempt to do the authentication? Does it do an
authenticated bind as the user or does it get the password variable and
compare it to something stored?

I've tried it against openldap with the same result but I've not spent much
time on the openldap config. I have to get this working with eDirectory
unfortunately...

I'll go back to the openldap config and see if I can get that set up in the
right way.

Thanks,

Mike

--
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*