
List:       freeradius-users
Subject:    Re: Authentication using LDAP for 802.1x
From:       Roberto Ortega Ramiro <roberto.ortega () esj ! es>
Date:       2013-06-22 0:50:57
Message-ID: CADFe3m_nRemjp3h_30Jzwim9ZFByaAwMsb2=hWvQM4XzbYWQjg () mail ! gmail ! com


Hi, do you have a user who can read the password in the LDAP? It might be in raddb/modules/ldap:


        # raddb/modules/ldap (FreeRADIUS 2.x keywords; "login" was the 1.x name)
        ldap {
                server   = "ldap.yourorg.com"
                # Account rlm_ldap binds as for the authorize search. It must be
                # allowed to read the password attribute (e.g. userPassword);
                # leaving identity empty means an anonymous bind.
                identity = "cn=admin,o=My Org,c=US"
                password = mypass
                basedn   = "ou=users,dc=yourorg,dc=com"
                # Match only POSIX accounts; rlm_ldap escapes the expanded user name.
                filter   = "(&(objectClass=posixAccount)(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        }



2013/6/19 Marco Streich <marco.streich@kshp.ch>

> Hi all
> 
> We have deployed FreeRADIUS on OS X before, but our configuration was
> rather ugly. What we would do is authenticate users locally, having the
> machine attached to our OpenDirectory server directly using the Connect
> Network Account Server functionality provided by OS X.
> 
> I have seen this question getting asked a lot but still wasn't able to
> fill my gap in understanding the whole process.
> 
> We're now using FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu
> 
> As a start, I'm now trying to get a simple user authentication working.
> What I have done so far is define ldap {} in the ldap module and add
> ldap to the authorize {} section.
> 
> I also uncommented Auth-Type LDAP { ldap } in the authenticate {} section.
> <= Bad?!
> 
> The same for the virtual inner-tunnel.
> 
> 
> When I run radtest from my laptop, the authentication is successful:
> 
> $ radtest a4 whatever 192.168.1.231 18120 secret
> 
> Sending Access-Request of id 18 to 192.168.1.231 port 1812
> User-Name = "a4"
> User-Password = "whatever"
> NAS-IP-Address = 192.168.17.1
> NAS-Port = 18120
> Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Accept packet from host 192.168.1.231 port 1812, id=18,
> length=20
> 
> When I try to authorize a supplicant connected to our switch which is
> configured to be the authenticator, debug shows me the following:
> 
> ...
> rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=73,
> length=217
> User-Name = "a4"
> Service-Type = Framed-User
> Cisco-AVPair = "service-type=Framed"
> Framed-MTU = 9000
> Called-Station-Id = "AC-A0-16-58-EB-07"
> Calling-Station-Id = "00-23-32-CF-1D-A2"
> EAP-Message = 0x020b0007016134
> Message-Authenticator = 0xa3eaf856385eef096a4a8da0a9b938c3
> Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
> NAS-Port-Type = Ethernet
> NAS-Port = 50007
> NAS-Port-Id = "GigabitEthernet0/7"
> NAS-IP-Address = 192.168.99.99
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "a4", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 11 length 7
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for a4
> [ldap]  expand: %{Stripped-User-Name} ->
> [ldap]  ... expanding second conditional
> [ldap]  expand: %{User-Name} -> a4
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=a4)
> [ldap]  expand: dc=ldap,dc=hopro,dc=edu -> dc=ldap,dc=hopro,dc=edu
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] (re)connect to ldap.hopro.edu:389, authentication 0
> [ldap] bind as / to ldap.hopro.edu:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in dc=ldap,dc=hopro,dc=edu, with filter (uid=a4)
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
> [ldap] user a4 authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type md5
> rlm_eap_md5: Issuing Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 73 to 192.168.99.99 port 1645
> EAP-Message = 0x010c00160410f7b955ffcad777bb64a0c2591f2a1852
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xab1bf9b7ab17fdd1d339d19378335aaa
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=74,
> length=234
> User-Name = "a4"
> Service-Type = Framed-User
> Cisco-AVPair = "service-type=Framed"
> Framed-MTU = 9000
> Called-Station-Id = "AC-A0-16-58-EB-07"
> Calling-Station-Id = "00-23-32-CF-1D-A2"
> EAP-Message = 0x020c00060315
> Message-Authenticator = 0x265e5392ae96ffd2f0c96666a02c9035
> Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
> NAS-Port-Type = Ethernet
> NAS-Port = 50007
> NAS-Port-Id = "GigabitEthernet0/7"
> State = 0xab1bf9b7ab17fdd1d339d19378335aaa
> NAS-IP-Address = 192.168.99.99
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "a4", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 12 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for a4
> [ldap]  expand: %{Stripped-User-Name} ->
> [ldap]  ... expanding second conditional
> [ldap]  expand: %{User-Name} -> a4
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=a4)
> [ldap]  expand: dc=ldap,dc=hopro,dc=edu -> dc=ldap,dc=hopro,dc=edu
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in dc=ldap,dc=hopro,dc=edu, with filter (uid=a4)
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
> [ldap] user a4 authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP NAK
> [eap] EAP-NAK asked for EAP-Type/ttls
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 74 to 192.168.99.99 port 1645
> EAP-Message = 0x010d00061520
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xab1bf9b7aa16ecd1d339d19378335aaa
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=75,
> length=356
> User-Name = "a4"
> Service-Type = Framed-User
> Cisco-AVPair = "service-type=Framed"
> Framed-MTU = 9000
> Called-Station-Id = "AC-A0-16-58-EB-07"
> Calling-Station-Id = "00-23-32-CF-1D-A2"
> EAP-Message =
> 0x020d008015800000007616030100710100006d030151c19a457c2d148d872abd670c09fe7719d9b316 \
> 318eb0134b0db1b5ce12e57700003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c0 \
> 0ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100
>  Message-Authenticator = 0x474af0e5e41006c5947328ada905bf63
> Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
> NAS-Port-Type = Ethernet
> NAS-Port = 50007
> NAS-Port-Id = "GigabitEthernet0/7"
> State = 0xab1bf9b7aa16ecd1d339d19378335aaa
> NAS-IP-Address = 192.168.99.99
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "a4", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 13 length 128
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> TLS Length 118
> [ttls] Length Included
> [ttls] eaptls_verify returned 11
> [ttls]     (other): before/accept initialization
> [ttls]     TLS_accept: before/accept initialization
> [ttls] <<< TLS 1.0 Handshake [length 0071], ClientHello
> [ttls]     TLS_accept: SSLv3 read client hello A
> [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello
> [ttls]     TLS_accept: SSLv3 write server hello A
> [ttls] >>> TLS 1.0 Handshake [length 084f], Certificate
> [ttls]     TLS_accept: SSLv3 write certificate A
> [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
> [ttls]     TLS_accept: SSLv3 write key exchange A
> [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> [ttls]     TLS_accept: SSLv3 write server done A
> [ttls]     TLS_accept: SSLv3 flush data
> [ttls]     TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [ttls] eaptls_process returned 13
> ++[eap] returns handled
> Sending Access-Challenge of id 75 to 192.168.99.99 port 1645
> EAP-Message =
> 0x010e040015c0000009eb160301003902000035030151c19a44f7368e4456fc7b31270848d83dbe071b \
> 6969f1e6f9d0d7adb8527c9400c01400000dff01000100000b000403000102160301084f0b00084b0008 \
> 480003a33082039f30820287a003020102020101300d06092a864886f70d010105050030818f310b3009 \
> 060355040613024348310b3009060355040813025a483110300e060355040713075a7565726963683125 \
> 3023060355040a131c4b616e746f6e73736368756c6520486f68652050726f6d656e616465311f301d06 \
> 092a864886f70d010901161069637461646d696e406b7368702e636831193017060355040313107261646975
>  EAP-Message =
> 0x732e686f70726f2e656475301e170d3132313231393130353634305a170d3133313231393130353634 \
> 305a307d310b3009060355040613024348310b3009060355040813025a4831253023060355040a131c4b \
> 616e746f6e73736368756c6520486f68652050726f6d656e616465311930170603550403131072616469 \
> 75732e686f70726f2e656475311f301d06092a864886f70d010901161069637461646d696e406b736870 \
> 2e636830820122300d06092a864886f70d01010105000382010f003082010a0282010100bdd4065ec39d \
> ecc5191947b7fae6df68b82333bce018385b48d641bfde2d9ba6294a786cd7e15b7d1824591d077af2a4c2fe
>  EAP-Message =
> 0x7e66cbccd3f279171bb3e77936b8e6a92cbb0e17eb0abbcdac9945db8c11af0074d9480d263664e17d \
> 021663e0694dbfe839def4202ddede6958974bc82e8023c68adc741ab7c9e64027171b32d0d04c3e93cf \
> 1bd49947e3e462ed368fb71e8ce9fcff7414fe921494836b128635e0004e8ce29dc26a919f58d7c91f71 \
> 81dcb1a71e404960f04ba20c51d42ff3872c3335cbb612ac48c6234a326c9d83f6416e32a070f6307496 \
> ca83066f071d92b29732c4045105a726e359388542437214e6480df09c8e4ce4149f53da2b449d020301 \
> 0001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000382
>  EAP-Message =
> 0x0101000e14a8494074acd8a45fb6b8e3a4ed0966823b82d9aa29417ccfd1b47764a8ae60cf65b6cf41 \
> 1e686e0fd8748ca655495d30408f12afef47897e31af44e8833601af028f101df0a2534f680ce10df4c7 \
> d88c312af4a5b2fc3711d2ce021bbe0ab4e439d095c102005dbce074a0a90767729ea3f1edb88b2c7d4b \
> 9e5f727cb10c5309afb41d0acdd75548de5508de058b2d684e1390fe1d917da97c34bbc13548ef1fc71a \
> a8b4bf52dc76ccaa537f96b2460e56faa0ed34b1a3b5e4d6b3f10458883ba6bf4cb38f9096300181038c \
> 2d471e21bb4a9184d7521ba143fcf19608677da5b9e3ecce9b4d47d6f0a3b44c85380c1bd4cd15e325160d28
>  EAP-Message = 0x324bf7e31c3b00049f308204
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xab1bf9b7a915ecd1d339d19378335aaa
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=76,
> length=234
> User-Name = "a4"
> Service-Type = Framed-User
> Cisco-AVPair = "service-type=Framed"
> Framed-MTU = 9000
> Called-Station-Id = "AC-A0-16-58-EB-07"
> Calling-Station-Id = "00-23-32-CF-1D-A2"
> EAP-Message = 0x020e00061500
> Message-Authenticator = 0x37d15b32cc7d6ece0c91b13551cd0b93
> Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
> NAS-Port-Type = Ethernet
> NAS-Port = 50007
> NAS-Port-Id = "GigabitEthernet0/7"
> State = 0xab1bf9b7a915ecd1d339d19378335aaa
> NAS-IP-Address = 192.168.99.99
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "a4", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 14 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> [ttls] Received TLS ACK
> [ttls] ACK handshake fragment handler
> [ttls] eaptls_verify returned 1
> [ttls] eaptls_process returned 13
> ++[eap] returns handled
> Sending Access-Challenge of id 76 to 192.168.99.99 port 1645
> EAP-Message =
> 0x010f040015c0000009eb9b30820383a003020102020900b75f4cb4031a50e3300d06092a864886f70d \
> 010105050030818f310b3009060355040613024348310b3009060355040813025a483110300e06035504 \
> 0713075a75657269636831253023060355040a131c4b616e746f6e73736368756c6520486f6865205072 \
> 6f6d656e616465311f301d06092a864886f70d010901161069637461646d696e406b7368702e63683119 \
> 3017060355040313107261646975732e686f70726f2e656475301e170d3132313231393130353634305a \
> 170d3133313231393130353634305a30818f310b3009060355040613024348310b3009060355040813025a48
>  EAP-Message =
> 0x3110300e060355040713075a75657269636831253023060355040a131c4b616e746f6e73736368756c \
> 6520486f68652050726f6d656e616465311f301d06092a864886f70d010901161069637461646d696e40 \
> 6b7368702e636831193017060355040313107261646975732e686f70726f2e65647530820122300d0609 \
> 2a864886f70d01010105000382010f003082010a0282010100d63a0ad9924d4bbf29ea25b2abfa17eb9d \
> 47e36ad480ce8dc1ec454aaf6470396a570eebeec3363c818882061081437e5367266e30b91be77f4e37 \
> ea9a01e56221dcbeb6f52c2157da7a74b5b024f98e3f45670aa8b6968c4b939c6b80302c318bf66f63d4f116
>  EAP-Message =
> 0x450cbb35f51f3565e121276f7fa61f2a326d432cc0cfbb94411671b3a3e3db42879419f0e18b86ba02 \
> 0a8d5c6e8c817f755891eb10876a57194f57780baef2b90997c16b03aab89d66833765b711bb66453be6 \
> 4883c0265ddc50c761525902e16cbfc7567962037f2b1ddd49e700ea4f94a55864ef801aad3315c688de \
> 2e6e15141ccedcdc016745a3ad46aef6223c66cadab19fe17cc3b7a50203010001a381f73081f4301d06 \
> 03551d0e0416041442c8e782326f14866e14f0328f22ef21e5dca7683081c40603551d230481bc3081b9 \
> 801442c8e782326f14866e14f0328f22ef21e5dca768a18195a4819230818f310b3009060355040613024348
>  EAP-Message =
> 0x310b3009060355040813025a483110300e060355040713075a75657269636831253023060355040a13 \
> 1c4b616e746f6e73736368756c6520486f68652050726f6d656e616465311f301d06092a864886f70d01 \
> 0901161069637461646d696e406b7368702e636831193017060355040313107261646975732e686f7072 \
> 6f2e656475820900b75f4cb4031a50e3300c0603551d13040530030101ff300d06092a864886f70d0101 \
> 05050003820101000b570cdc802ec347643ce7e5a81cd487273f8eb79f7580d9423e0ac121c39d23b8d7 \
> e606fa291515bfa8e232e845b04788cb14bbac1e67cdeded46cdead9957a88eb3c04075cbb2f9d66c81451f7
>  EAP-Message = 0xc982a3f0ae66f5d41f3c2ff9
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xab1bf9b7a814ecd1d339d19378335aaa
> Finished request 3.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=77,
> length=234
> User-Name = "a4"
> Service-Type = Framed-User
> Cisco-AVPair = "service-type=Framed"
> Framed-MTU = 9000
> Called-Station-Id = "AC-A0-16-58-EB-07"
> Calling-Station-Id = "00-23-32-CF-1D-A2"
> EAP-Message = 0x020f00061500
> Message-Authenticator = 0x49c786eea0efa3a358db3c5c61d82830
> Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
> NAS-Port-Type = Ethernet
> NAS-Port = 50007
> NAS-Port-Id = "GigabitEthernet0/7"
> State = 0xab1bf9b7a814ecd1d339d19378335aaa
> NAS-IP-Address = 192.168.99.99
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "a4", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 15 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> [ttls] Received TLS ACK
> [ttls] ACK handshake fragment handler
> [ttls] eaptls_verify returned 1
> [ttls] eaptls_process returned 13
> ++[eap] returns handled
> Sending Access-Challenge of id 77 to 192.168.99.99 port 1645
> EAP-Message =
> 0x011002091580000009eb6cf7c88612440aaa64dd8ca6d9533e4bd26a893bbee70e343d13c54accb14e \
> e61b9e7ec6ee78090b76e0e353da5da86cfeb3f2c9381011e5f25cfb755e4dbcc8a78f37d906019e5a2c \
> 2225a03a5f2318e3bf8c56eb0b43ad64ac8ddebb84ca1352b5a80b4a8c8757c5a37352508833404ebd86 \
> 8c5dd0cc92b3df240cf05b1e721b7a90d8e0a060e4834fff2dc79a04353dab2492381d4488ab7e92257f \
> 4ed7fb3eb4053e22a3160301014b0c0001470300174104e284bd8b7ec8e3510d4a6bb593e671a0945af1 \
> e997ce5cc010d13fd0e76a68e71c034e1412d7fc4b26233ca3df8dba3463719b1fa33f4ab4934a7208005205
>  EAP-Message =
> 0x5f010042df9b97e266190e04d0b6ea3fdaf36282b104caaee17a75acbccf6e74e427b6fa6a600c9db9 \
> 2fcbe7e34cffc49deb6a2e3949e17692845c03a7ab92d4daf19bee3788c1afcf23fbc5c9ddd487f335bd \
> 83d238cfe52f80ca59a6cc6ad58b3ecb7502ab687184733c42cd5de45e06cd101ae2e41f4943c01ac337 \
> 9e928240ac532451599dce12979065ad088a056130f57d119038f40003d55fcebe5edd0acde65036f24f \
> d69cc0fda63ff408c25ee9c3ad100bf0a90d6031a0034d064b8ecf8a5323d79e7d7b764d08105ea8c35c \
> 7548983060ce8f8577909b8a2c2049d78f99b0acc37a55b993519f1e475b7b4f9fff67e943f61c7a9f4a18fd
>  EAP-Message = 0x05b6bbbc248c16030100040e000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xab1bf9b7af0becd1d339d19378335aaa
> Finished request 4.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=78,
> length=372
> User-Name = "a4"
> Service-Type = Framed-User
> Cisco-AVPair = "service-type=Framed"
> Framed-MTU = 9000
> Called-Station-Id = "AC-A0-16-58-EB-07"
> Calling-Station-Id = "00-23-32-CF-1D-A2"
> EAP-Message =
> 0x021000901580000000861603010046100000424104ee7b81c5eb47db38fd9999628065d8bc69504fd0 \
> 08ffcce581bf49a5dc349fac012b27f4d21db7352c31e8be8bc097f9fd3414f7160990963cd9ad8e5316 \
> 6e951403010001011603010030ed341f879e3591dedc6633d8a0376280178fe300950d293b30747d15b35f4867c69765e98c2f0a15bcb95a992cbc77a4
>  Message-Authenticator = 0xe7c4329c24d68ad3919250d82c96961a
> Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
> NAS-Port-Type = Ethernet
> NAS-Port = 50007
> NAS-Port-Id = "GigabitEthernet0/7"
> State = 0xab1bf9b7af0becd1d339d19378335aaa
> NAS-IP-Address = 192.168.99.99
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "a4", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 16 length 144
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> TLS Length 134
> [ttls] Length Included
> [ttls] eaptls_verify returned 11
> [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
> [ttls]     TLS_accept: SSLv3 read client key exchange A
> [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
> [ttls] <<< TLS 1.0 Handshake [length 0010], Finished
> [ttls]     TLS_accept: SSLv3 read finished A
> [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
> [ttls]     TLS_accept: SSLv3 write change cipher spec A
> [ttls] >>> TLS 1.0 Handshake [length 0010], Finished
> [ttls]     TLS_accept: SSLv3 write finished A
> [ttls]     TLS_accept: SSLv3 flush data
> [ttls]     (other): SSL negotiation finished successfully
> SSL Connection Established
> [ttls] eaptls_process returned 13
> ++[eap] returns handled
> Sending Access-Challenge of id 78 to 192.168.99.99 port 1645
> EAP-Message =
> 0x0111004515800000003b1403010001011603010030b0518066786178044d44483eb37026fdd8406df7f6eaae28282bc696f782e64198a16f06ecde63a263375845bf3304f7
>  Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xab1bf9b7ae0aecd1d339d19378335aaa
> Finished request 5.
> Going to the next request
> Waking up in 4.8 seconds.
> rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=79,
> length=275
> User-Name = "a4"
> Service-Type = Framed-User
> Cisco-AVPair = "service-type=Framed"
> Framed-MTU = 9000
> Called-Station-Id = "AC-A0-16-58-EB-07"
> Calling-Station-Id = "00-23-32-CF-1D-A2"
> EAP-Message =
> 0x0211002f1580000000251503010020f0c878ea3889abbd6850566e4a4b6b5e5777dc3f5e0f11789e9a9430219cc5b3
>  Message-Authenticator = 0x69b565f9da2f3112f04fc8a2197444a4
> Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
> NAS-Port-Type = Ethernet
> NAS-Port = 50007
> NAS-Port-Id = "GigabitEthernet0/7"
> State = 0xab1bf9b7ae0aecd1d339d19378335aaa
> NAS-IP-Address = 192.168.99.99
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "a4", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 17 length 47
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> TLS Length 37
> [ttls] Length Included
> [ttls] eaptls_verify returned 11
> [ttls] <<< TLS 1.0 Alert [length 0002], warning close_notify
> TLS Alert read:warning:close notify
> [ttls] WARNING: No data inside of the tunnel.
> [ttls] eaptls_process returned 7
> [ttls] Session established.  Proceeding to decode tunneled attributes.
> [ttls] SSL_read Error
> [eap] Handler failed in EAP/ttls
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> a4
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 6 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 6
> Sending Access-Reject of id 79 to 192.168.99.99 port 1645
> EAP-Message = 0x04110004
> Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.7 seconds.
> ...
> 
> > [ttls] WARNING: No data inside of the tunnel.
> 
> At this moment, I cannot wrap my mind around what is going on here.
> 
> I understand that ldap tries to authenticate the user by itself, instead
> of handing it to the LDAP server. But what is different when I run radtest?
> 
> Debug from radtest:
> ...
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group LDAP {...}
> [ldap] login attempt by "a4" with password "whatever"
> [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
> [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
> [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to
> ldap.hopro.edu:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] user a4 authenticated successfully
> ++[ldap] returns ok
> ...
> 
> 
> Would one of you guys guide me in the right direction?
> 
> Thank you in advance
> 
> Marco
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 



-- 
Regards.
____________________

Roberto Ortega
Computer Science teacher.
http://www.proyectoret.es

Escuelas San José Valencia
Avda. Cortes Valencianas nº 1
46015 Valencia
R4600489A
Tel: 963499011 ext. 262
Fax: 963488835
http://www.escuelassj.com

Do not print this e-mail unless necessary. Let's protect the environment.
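The filter line in the reply above, `(posixAccount)(uid=%u))`, is not a valid LDAP search filter: it has no `objectClass=` assertion, no `&`, and its parentheses do not balance. The following is an added example (my own code, not FreeRADIUS's and not either poster's) that shows the corrected filter shape, expands the user-name placeholders rlm_ldap configs use while escaping the value per RFC 4515 the way the module does, and parses the result so that a malformed filter, or an attempt to inject filter syntax through User-Name, is caught before it reaches the directory. The attribute names and the sample user names are assumptions.

```python
"""RFC 4515 search-filter helpers for an rlm_ldap-style configuration.

Added example; not code from FreeRADIUS or from either poster.  The filter in
the reply above, "(posixAccount)(uid=%u))", is malformed: no objectClass=
assertion, no "&", unbalanced parentheses.  This module shows the corrected
shape, expands the user-name placeholders FreeRADIUS uses while escaping the
value the way rlm_ldap does, and parses the result so a malformed filter (or
an injection attempt through User-Name) is caught before it reaches the
directory.  Attribute names and the sample user names are assumptions.
"""
import re
from typing import Any, Tuple

BROKEN_FILTER = "(posixAccount)(uid=%u))"                         # as posted
FIXED_FILTER = "(&(objectClass=posixAccount)(uid=%{User-Name}))"  # corrected

# RFC 4515 section 3: characters that would change filter structure if they
# appeared unescaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Placeholders seen in rlm_ldap configs: the 1.x-style %u and the 2.x xlats.
_PLACEHOLDER = re.compile(
    r"%\{%\{Stripped-User-Name\}:-%\{User-Name\}\}|%\{User-Name\}|%u")


def escape_value(value: str) -> str:
    """Escape an assertion value per RFC 4515."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, user_name: str, escape: bool = True) -> str:
    """Substitute the user name into the template (escape=False shows the injection)."""
    value = escape_value(user_name) if escape else user_name
    # A callable replacement keeps backslashes in the value literal.
    return _PLACEHOLDER.sub(lambda _m: value, template)


def parse_filter(text: str) -> Any:
    """Parse an RFC 4515 filter into nested tuples; raise ValueError if malformed.

    Grammar subset: filter = "(" ( "&" filter+ | "|" filter+ | "!" filter
                                 | attr ("=" | "~=" | ">=" | "<=") value ) ")"
    """
    item_re = re.compile(r"([A-Za-z0-9][A-Za-z0-9.;-]*)(~=|>=|<=|=)(.*)")

    def parse(pos: int) -> Tuple[Any, int]:
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos >= len(text):
            raise ValueError("unexpected end of filter")
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                child, pos = parse(pos)
                children.append(child)
            if not children:
                raise ValueError(f"'{op}' needs at least one operand")
            node = (op, children)
        elif op == "!":
            child, pos = parse(pos + 1)
            node = ("!", [child])
        else:
            end = text.find(")", pos)
            if end < 0:
                raise ValueError("missing ')'")
            m = item_re.fullmatch(text[pos:end])
            if not m:
                raise ValueError(f"bad assertion {text[pos:end]!r}")
            node = (m.group(2), m.group(1), m.group(3))
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return node, pos + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError(f"trailing data after filter: {text[end:]!r}")
    return node


if __name__ == "__main__":
    # Constructed user name that tries to append a second uid assertion.
    for name, tmpl in (("broken", BROKEN_FILTER), ("fixed", FIXED_FILTER)):
        expanded = expand_filter(tmpl, "a4)(uid=*")
        try:
            print(name, expanded, parse_filter(expanded))
        except ValueError as exc:
            print(name, expanded, "REJECTED:", exc)
```

With escaping on, a User-Name of `a4)(uid=*` stays inside a single `uid` assertion; with escaping off the same input parses as a third operand of the `&`, which is the structural change an injection relies on. rlm_ldap applies this escaping to its xlat expansions itself; the parser is only there to make the difference visible and to reject a filter like the posted one at config-review time.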


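The debug output quoted in the thread contains the facts that separate the working radtest run from the failing 802.1X run: rlm_ldap binds as `/` (anonymously) in authorize, fetches no "known good" password, the supplicant negotiates EAP-TTLS, and then closes the tunnel with close_notify before sending anything inside it. The following is an added example (my own code, not FreeRADIUS's and not either poster's) that scans `radiusd -X` lines for exactly those symptoms and also flags a bind credential printed in the clear. The sample lines are copied from the debug output quoted above, with the wrapped radtest bind line joined back together; the finding codes and texts are this example's own.

```python
"""Triage of FreeRADIUS 2.x debug output (radiusd -X) for the LDAP + 802.1X case.

Added example; not code from FreeRADIUS or from either poster.  It scans
debug lines for the symptoms that separate "radtest works" from "802.1X
fails": whether rlm_ldap bound anonymously in authorize, whether it fetched
a known-good password, which EAP types were negotiated, whether the TTLS
tunnel ever carried an inner request, and whether a bind credential ended up
in the log.  The sample lines are copied from the debug output quoted above
(the wrapped radtest bind line joined back together); the finding codes and
texts are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_8021X = """\
[eap] processing type md5
[ldap] (re)connect to ldap.hopro.edu:389, authentication 0
[ldap] bind as / to ldap.hopro.edu:389
WARNING: No "known good" password was found in LDAP.  Are you sure that
[eap] EAP-NAK asked for EAP-Type/ttls
[ttls] <<< TLS 1.0 Alert [length 0002], warning close_notify
[ttls] WARNING: No data inside of the tunnel.
Sending Access-Reject of id 79 to 192.168.99.99 port 1645
"""

SAMPLE_RADTEST = """\
[ldap] login attempt by "a4" with password "whatever"
[ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to ldap.hopro.edu:389
[ldap] user a4 authenticated successfully
"""

# rlm_ldap 2.x prints "bind as <dn>/<password> to <host>"; an empty DN is anonymous.
_BIND = re.compile(r"\[ldap\] bind as ([^/\s]*)/(\S*) to (\S+)")
_EAP_TYPE = re.compile(r"\[eap\] (?:processing type |EAP-NAK asked for EAP-Type/)(\w+)")
_RESULT = re.compile(r"Sending (Access-(?:Accept|Reject)) of id")


@dataclass
class Triage:
    bind_dn: Optional[str] = None          # DN rlm_ldap bound as; "" means anonymous
    anonymous_bind: bool = False
    known_good_password: bool = True       # cleared on the rlm_ldap warning
    eap_types: List[str] = field(default_factory=list)
    tunnel_empty: bool = False
    result: Optional[str] = None           # Access-Accept / Access-Reject / None
    findings: List[Tuple[str, str]] = field(default_factory=list)


def triage(debug_output: str) -> Triage:
    """Scan radiusd -X output and return a Triage with coded findings."""
    t = Triage()
    for line in debug_output.splitlines():
        m = _BIND.search(line)
        if m:
            t.bind_dn, secret = m.group(1), m.group(2)
            if t.bind_dn == "":
                t.anonymous_bind = True
            if secret:
                t.findings.append(("CREDENTIAL_IN_LOG",
                    "the debug log prints the bind password in clear; scrub it before sharing"))
        m = _EAP_TYPE.search(line)
        if m and m.group(1) not in t.eap_types:
            t.eap_types.append(m.group(1))
        if 'No "known good" password' in line:
            t.known_good_password = False
        if "No data inside of the tunnel" in line:
            t.tunnel_empty = True
        m = _RESULT.search(line)
        if m:
            t.result = m.group(1)

    if t.anonymous_bind:
        t.findings.append(("ANON_BIND",
            "rlm_ldap bound anonymously in authorize; an anonymous bind normally cannot "
            "read userPassword, so set identity/password to an account that can"))
    if not t.known_good_password:
        t.findings.append(("NO_KNOWN_GOOD_PASSWORD",
            "no password attribute was fetched from LDAP, so PAP, CHAP, MS-CHAP and "
            "EAP-MD5 cannot be verified by the server; without it only a bind-as-user "
            "(Auth-Type LDAP with PAP inside the tunnel) can succeed"))
    if t.tunnel_empty:
        t.findings.append(("EMPTY_TUNNEL",
            "the supplicant closed the TTLS tunnel without sending an inner request, so "
            "no credential ever reached the inner-tunnel; check the supplicant's server "
            "certificate trust and inner method before touching the LDAP side"))
    return t


if __name__ == "__main__":
    for label, sample in (("802.1X", SAMPLE_8021X), ("radtest", SAMPLE_RADTEST)):
        t = triage(sample)
        print(label, t.bind_dn, t.eap_types, t.result)
        for code, text in t.findings:
            print("  ", code, "-", text)
```

The ordering of the findings is deliberate: the empty tunnel is the last one because, whatever the LDAP side looks like, an inner request that never arrives cannot be authenticated. The CREDENTIAL_IN_LOG finding on the radtest sample is the reminder that `radiusd -X` prints bind passwords verbatim, which is worth remembering before pasting a debug log into a public list.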
[Attachment #5 (text/html)]

<div dir="ltr">Hi, do you have a user who can read the password in the ldap.<div \
style>It might be in raddb/modules/ldap</div><div style><br></div><div style><pre \
class="" style="color:rgb(0,0,0);background-color:rgb(224,224,224)">

        ldap {
                server   = <a href="http://ldap.yourorg.com">ldap.yourorg.com</a>
             login    = &quot;cn=admin,o=My Org,c=US&quot;
             password = mypass
                basedn   = &quot;ou=users,dc=yourorg,dc=com&quot;
                filter   = &quot;(posixAccount)(uid=%u))&quot;
        }</pre></div></div><div class="gmail_extra"><br><br><div \
class="gmail_quote">2013/6/19 Marco Streich <span dir="ltr">&lt;<a \
href="mailto:marco.streich@kshp.ch" \
target="_blank">marco.streich@kshp.ch</a>&gt;</span><br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex">Hi all<br> <br>
We have deployed FreeRADIUS on OS X before, but our configuration was rather ugly. \
What we would do is authenticate users locally, having the machine attached to our \
OpenDirectory server directly using the Connect Network Account Server functionality \
provided by OS X.<br>


<br>
I have seen this question getting asked a lot but still wasn&#39;t able to fill my \
gap in understanding the whole process.<br> <br>
We&#39;re now using FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu<br>
<br>
As a start, I&#39;m now trying to get a simple user authentication working. What I \
have done so far is defining ldap {} in the ldap module and added ldap into the \
authorize {} section.<br> <br>
I also uncommented Auth-Type LDAP { ldap } in the authenticate {} section. &lt;= \
Bad?!<br> <br>
The same for the virtual inner-tunnel.<br>
<br>
<br>
When I run radtest from my laptop, the authentication is successful:<br>
<br>
$ radtest a4 whatever 192.168.1.231 18120 secret<br>
<br>
Sending Access-Request of id 18 to 192.168.1.231 port 1812<br>
            User-Name = &quot;a4&quot;<br>
            User-Password = &quot;whatever&quot;<br>
            NAS-IP-Address = 192.168.17.1<br>
            NAS-Port = 18120<br>
            Message-Authenticator = 0x00000000000000000000000000000000<br>
rad_recv: Access-Accept packet from host 192.168.1.231 port 1812, id=18, \
length=20<br> <br>
When I try to authorize a supplicant connected to our switch which is configured to \
be the authenticator, debug shows me the following:<br> <br>
...<br>
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=73, \
length=217<br>  User-Name = &quot;a4&quot;<br>
            Service-Type = Framed-User<br>
            Cisco-AVPair = &quot;service-type=Framed&quot;<br>
            Framed-MTU = 9000<br>
            Called-Station-Id = &quot;AC-A0-16-58-EB-07&quot;<br>
            Calling-Station-Id = &quot;00-23-32-CF-1D-A2&quot;<br>
            EAP-Message = 0x020b0007016134<br>
            Message-Authenticator = 0xa3eaf856385eef096a4a8da0a9b938c3<br>
            Cisco-AVPair = &quot;audit-session-id=C0A863630000062C77AFDED6&quot;<br>
            NAS-Port-Type = Ethernet<br>
            NAS-Port = 50007<br>
            NAS-Port-Id = &quot;GigabitEthernet0/7&quot;<br>
            NAS-IP-Address = 192.168.99.99<br>
# Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No &#39;@&#39; in User-Name = &quot;a4&quot;, looking up realm NULL<br>
[suffix] No such realm &quot;NULL&quot;<br>
++[suffix] returns noop<br>
[eap] EAP packet type response id 11 length 7<br>
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for a4
[ldap]   expand: %{Stripped-User-Name} ->
[ldap]   ... expanding second conditional
[ldap]   expand: %{User-Name} -> a4
[ldap]   expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=a4)
[ldap]   expand: dc=ldap,dc=hopro,dc=edu -> dc=ldap,dc=hopro,dc=edu
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap.hopro.edu:389, authentication 0
  [ldap] bind as / to ldap.hopro.edu:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=ldap,dc=hopro,dc=edu, with filter (uid=a4)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.   Are you sure that the user is configured correctly?
[ldap] user a4 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.   Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 73 to 192.168.99.99 port 1645
            EAP-Message = 0x010c00160410f7b955ffcad777bb64a0c2591f2a1852
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xab1bf9b7ab17fdd1d339d19378335aaa
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=74, length=234
            User-Name = "a4"
            Service-Type = Framed-User
            Cisco-AVPair = "service-type=Framed"
            Framed-MTU = 9000
            Called-Station-Id = "AC-A0-16-58-EB-07"
            Calling-Station-Id = "00-23-32-CF-1D-A2"
            EAP-Message = 0x020c00060315
            Message-Authenticator = 0x265e5392ae96ffd2f0c96666a02c9035
            Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
            NAS-Port-Type = Ethernet
            NAS-Port = 50007
            NAS-Port-Id = "GigabitEthernet0/7"
            State = 0xab1bf9b7ab17fdd1d339d19378335aaa
            NAS-IP-Address = 192.168.99.99
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for a4
[ldap]   expand: %{Stripped-User-Name} ->
[ldap]   ... expanding second conditional
[ldap]   expand: %{User-Name} -> a4
[ldap]   expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=a4)
[ldap]   expand: dc=ldap,dc=hopro,dc=edu -> dc=ldap,dc=hopro,dc=edu
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=ldap,dc=hopro,dc=edu, with filter (uid=a4)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.   Are you sure that the user is configured correctly?
[ldap] user a4 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.   Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 74 to 192.168.99.99 port 1645
            EAP-Message = 0x010d00061520
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xab1bf9b7aa16ecd1d339d19378335aaa
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=75, length=356
            User-Name = "a4"
            Service-Type = Framed-User
            Cisco-AVPair = "service-type=Framed"
            Framed-MTU = 9000
            Called-Station-Id = "AC-A0-16-58-EB-07"
            Calling-Station-Id = "00-23-32-CF-1D-A2"
            EAP-Message = 0x020d008015800000007616030100710100006d030151c19a457c2d148d872abd670c09fe7719d9b316318eb0134b0db1b5ce12e57700003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100
            Message-Authenticator = 0x474af0e5e41006c5947328ada905bf63
            Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
            NAS-Port-Type = Ethernet
            NAS-Port = 50007
            NAS-Port-Id = "GigabitEthernet0/7"
            State = 0xab1bf9b7aa16ecd1d339d19378335aaa
            NAS-IP-Address = 192.168.99.99
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 13 length 128
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 118
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls]       (other): before/accept initialization
[ttls]       TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0071], ClientHello
[ttls]       TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[ttls]       TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 084f], Certificate
[ttls]       TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[ttls]       TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]       TLS_accept: SSLv3 write server done A
[ttls]       TLS_accept: SSLv3 flush data
[ttls]       TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 75 to 192.168.99.99 port 1645
            EAP-Message = (several long hex fragments omitted)
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xab1bf9b7a915ecd1d339d19378335aaa
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=76, length=234
            User-Name = "a4"
            Service-Type = Framed-User
            Cisco-AVPair = "service-type=Framed"
            Framed-MTU = 9000
            Called-Station-Id = "AC-A0-16-58-EB-07"
            Calling-Station-Id = "00-23-32-CF-1D-A2"
            EAP-Message = 0x020e00061500
            Message-Authenticator = 0x37d15b32cc7d6ece0c91b13551cd0b93
            Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
            NAS-Port-Type = Ethernet
            NAS-Port = 50007
            NAS-Port-Id = "GigabitEthernet0/7"
            State = 0xab1bf9b7a915ecd1d339d19378335aaa
            NAS-IP-Address = 192.168.99.99
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 14 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 76 to 192.168.99.99 port 1645
            EAP-Message = (several long hex fragments omitted)
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xab1bf9b7a814ecd1d339d19378335aaa
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=77, length=234
            User-Name = "a4"
            Service-Type = Framed-User
            Cisco-AVPair = "service-type=Framed"
            Framed-MTU = 9000
            Called-Station-Id = "AC-A0-16-58-EB-07"
            Calling-Station-Id = "00-23-32-CF-1D-A2"
            EAP-Message = 0x020f00061500
            Message-Authenticator = 0x49c786eea0efa3a358db3c5c61d82830
            Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
            NAS-Port-Type = Ethernet
            NAS-Port = 50007
            NAS-Port-Id = "GigabitEthernet0/7"
            State = 0xab1bf9b7a814ecd1d339d19378335aaa
            NAS-IP-Address = 192.168.99.99
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 15 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 77 to 192.168.99.99 port 1645
            EAP-Message = (several long hex fragments omitted)
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xab1bf9b7af0becd1d339d19378335aaa
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=78, length=372
            User-Name = "a4"
            Service-Type = Framed-User
            Cisco-AVPair = "service-type=Framed"
            Framed-MTU = 9000
            Called-Station-Id = "AC-A0-16-58-EB-07"
            Calling-Station-Id = "00-23-32-CF-1D-A2"
            EAP-Message = 0x021000901580000000861603010046100000424104ee7b81c5eb47db38fd9999628065d8bc69504fd008ffcce581bf49a5dc349fac012b27f4d21db7352c31e8be8bc097f9fd3414f7160990963cd9ad8e53166e951403010001011603010030ed341f879e3591dedc6633d8a0376280178fe300950d293b30747d15b35f4867c69765e98c2f0a15bcb95a992cbc77a4
            Message-Authenticator = 0xe7c4329c24d68ad3919250d82c96961a
            Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
            NAS-Port-Type = Ethernet
            NAS-Port = 50007
            NAS-Port-Id = "GigabitEthernet0/7"
            State = 0xab1bf9b7af0becd1d339d19378335aaa
            NAS-IP-Address = 192.168.99.99
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 16 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 134
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls]       TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls]       TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls]       TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls]       TLS_accept: SSLv3 write finished A
[ttls]       TLS_accept: SSLv3 flush data
[ttls]       (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 78 to 192.168.99.99 port 1645
            EAP-Message = 0x0111004515800000003b1403010001011603010030b0518066786178044d44483eb37026fdd8406df7f6eaae28282bc696f782e64198a16f06ecde63a263375845bf3304f7
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xab1bf9b7ae0aecd1d339d19378335aaa
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=79, length=275
            User-Name = "a4"
            Service-Type = Framed-User
            Cisco-AVPair = "service-type=Framed"
            Framed-MTU = 9000
            Called-Station-Id = "AC-A0-16-58-EB-07"
            Calling-Station-Id = "00-23-32-CF-1D-A2"
            EAP-Message = 0x0211002f1580000000251503010020f0c878ea3889abbd6850566e4a4b6b5e5777dc3f5e0f11789e9a9430219cc5b3
            Message-Authenticator = 0x69b565f9da2f3112f04fc8a2197444a4
            Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
            NAS-Port-Type = Ethernet
            NAS-Port = 50007
            NAS-Port-Id = "GigabitEthernet0/7"
            State = 0xab1bf9b7ae0aecd1d339d19378335aaa
            NAS-IP-Address = 192.168.99.99
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 17 length 47
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 37
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Alert [length 0002], warning close_notify
TLS Alert read:warning:close notify
[ttls] WARNING: No data inside of the tunnel.
[ttls] eaptls_process returned 7
[ttls] Session established.   Proceeding to decode tunneled attributes.
[ttls] SSL_read Error
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]       expand: %{User-Name} -> a4
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 79 to 192.168.99.99 port 1645
            EAP-Message = 0x04110004
            Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
...

>[ttls] WARNING: No data inside of the tunnel.

At this moment, I cannot wrap my mind around what is going on here.

I understand that ldap tries to authenticate the user by itself, instead of handing it to the LDAP server. But what is different when I run radtest?

Debug from radtest:
...
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "a4" with password "whatever"
[ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
  [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
  [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to ldap.hopro.edu:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user a4 authenticated successfully
++[ldap] returns ok
...


Would one of you guys guide me in the right direction?

Thank you in advance

Marco

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
</blockquote></div>

-- 
Regards.
____________________

Roberto Ortega
Computer Science Teacher.
http://www.proyectoret.es

Escuelas San José Valencia
Avda. Cortes Valencianas nº 1
46015 Valencia
R4600489A
Tf: 963499011 ext. 262
Fax: 963488835
http://www.escuelassj.com

Do not print this e-mail unless necessary. Let's protect the environment.
</div>
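As an added example (not code from this thread or from FreeRADIUS): a small Python parser that turns a `radiusd -X` EAP-TTLS trace like the one quoted above into a session summary, so the two warnings in Marco's log (no "known good" password readable from LDAP, and the supplicant closing the tunnel with no inner data after the handshake) can be spotted mechanically rather than by scrolling. SAMPLE_LOG is a constructed abridgement of the quoted output, and the hints produced by `diagnose()` are my reading of those messages, not anything the thread itself states.

```python
"""Summarise an EAP-TTLS session from FreeRADIUS 2.x `radiusd -X` output (added
example, not the thread's or FreeRADIUS's code). SAMPLE_LOG is a constructed
abridgement of the debug output quoted in the post; the hints in diagnose() are
this example's reading of those messages, not something the thread states."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=74, length=234
WARNING: No "known good" password was found in LDAP.   Are you sure that the user is configured correctly?
[eap] EAP-NAK asked for EAP-Type/ttls
Sending Access-Challenge of id 74 to 192.168.99.99 port 1645
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=75, length=356
[ttls] <<< TLS 1.0 Handshake [length 0071], ClientHello
[ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[ttls] >>> TLS 1.0 Handshake [length 084f], Certificate
Sending Access-Challenge of id 75 to 192.168.99.99 port 1645
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=78, length=372
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
SSL Connection Established
Sending Access-Challenge of id 78 to 192.168.99.99 port 1645
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=79, length=275
[ttls] <<< TLS 1.0 Alert [length 0002], warning close_notify
[ttls] WARNING: No data inside of the tunnel.
Sending Access-Reject of id 79 to 192.168.99.99 port 1645
"""

# "<<<" is a TLS record received from the supplicant, ">>>" one the server sends.
TLS_RE = re.compile(
    r"^\[ttls\] (<<<|>>>) TLS [\d.]+ (\w+) \[length ([0-9a-f]{4})\](?:, (.+))?$")
PKT_RE = re.compile(r"^(?:rad_recv: (Access-Request)|Sending (Access-\w+)) .*\bid[= ](\d+)")

@dataclass
class TtlsSession:
    eap_type: str = ""
    packets: list = field(default_factory=list)   # (radius_code, id) in log order
    records: list = field(default_factory=list)   # (sender, type, length, name)
    tls_established: bool = False
    client_alerts: list = field(default_factory=list)
    tunnel_data_seen: bool = True    # cleared by "No data inside of the tunnel"
    no_known_good_password: bool = False

    @property
    def outcome(self) -> str:
        """Last RADIUS code the server sent (Challenge while the exchange is open)."""
        sent = [code for code, _ in self.packets if code != "Access-Request"]
        return sent[-1] if sent else "none"

def parse_radiusd_debug(text: str) -> TtlsSession:
    s = TtlsSession()
    for raw in text.splitlines():
        line = raw.strip()
        if m := PKT_RE.match(line):
            s.packets.append((m.group(1) or m.group(2), int(m.group(3))))
        elif m := TLS_RE.match(line):
            sender, rtype, length, name = m.groups()
            s.records.append(("client" if sender == "<<<" else "server",
                              rtype, int(length, 16), name or ""))
            if rtype == "Alert" and sender == "<<<":
                s.client_alerts.append(name.split()[-1])   # "warning close_notify" -> "close_notify"
        elif line.startswith("[eap] EAP-NAK asked for EAP-Type/"):
            s.eap_type = line.rsplit("/", 1)[1]
        elif line == "SSL Connection Established":
            s.tls_established = True
        elif "No data inside of the tunnel" in line:
            s.tunnel_data_seen = False
        elif 'No "known good" password' in line:
            s.no_known_good_password = True
    return s

def diagnose(s: TtlsSession) -> list:
    hints = []
    if s.no_known_good_password:
        hints.append("authorize: LDAP returned no password attribute, so PAP and the inner "
                     "method have nothing to compare; bind as an identity allowed to read it, "
                     "or authenticate by LDAP bind (Auth-Type LDAP)")
    if s.tls_established and "close_notify" in s.client_alerts and not s.tunnel_data_seen:
        hints.append("supplicant closed the tunnel right after the handshake without sending "
                     "any inner authentication: it aborted on its side, usually because it did "
                     "not accept the server certificate; check its CA trust and inner-method settings")
    return hints
```

Feed it the full `radiusd -X` output of one client session; anything it does not recognise is ignored, so the long hex EAP-Message attributes do not need to be stripped first.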