(RADIATOR) Anonymous rejected with PEAP and LDAP authentication

Tom Rixom tom.rixom at alfa-ariss.com
Fri Apr 4 01:40:30 CST 2003


You can split the inner and outer authentication.

Outer authentication (Anonymous) you handle locally,
and the inner can be sent through to the LDAP server.

By the way, PEAP-MSCHAPV2 is not supported by an LDAP encrypted database;
you will need to use clear-text (EAP-TTLS-PAP for example).

#
# Inner authentication (the tunnelled request inside the PEAP TLS session)
#
<Handler TunnelledByPEAP=1>
	# Send the inner authentication to the LDAP server
	# (server, base DN and attribute names taken from the debug log below)
	<AuthBy LDAP2>
		Host		129.100.3.19
		BaseDN		ou=People,dc=its,dc=uwo,dc=ca
		UsernameAttr	uid
		PasswordAttr	userPassword
	</AuthBy>
</Handler>

#
# Outer authentication (the anonymous identity that sets up the tunnel)
#
<Handler>
	# Handle locally; the EAPType PEAP and EAPTLS_* certificate
	# directives for the outer TLS session belong in this AuthBy
	<AuthBy FILE>
		Filename	%D/users
		EAPType		PEAP
	</AuthBy>
</Handler>

Tom
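As an added illustration of the point in the reply above (example code written for this archive page, not code from the thread or from Radiator): a PAP-style inner method receives the password itself inside the tunnel, so the server can re-hash and compare it against a one-way {MD5}/{SHA}/{SSHA} userPassword value, whereas MSCHAP-V2 only ever sees a challenge/response and needs the clear-text password on the server side. The hash values other than the {MD5} line from John's log are constructed here.

```python
import base64
import hashlib

# The {MD5} value that appears in John's debug log below.
MD5_FROM_LOG = "{MD5}1Jbzp9vuY3lJ/SrbMnoaDQ=="


def split_scheme(stored: str):
    """Split an OpenLDAP userPassword value into (scheme, payload).
    The scheme is lower-cased without braces; a value with no {SCHEME}
    prefix is stored in clear text."""
    if stored.startswith("{") and "}" in stored:
        scheme, payload = stored[1:].split("}", 1)
        return scheme.lower(), payload
    return "cleartext", stored


def mschapv2_possible(stored: str) -> bool:
    """MSCHAP-V2 (the usual PEAP inner method) proves knowledge of the
    password through a challenge/response, so the server must be able to
    derive the NT hash, i.e. it needs the clear-text password. None of the
    one-way userPassword schemes can be used for that."""
    return split_scheme(stored)[0] == "cleartext"


def pap_verify(stored: str, candidate: str) -> bool:
    """What a PAP-style inner method (e.g. EAP-TTLS-PAP) lets the server do:
    the candidate password arrives inside the TLS tunnel, so it can be
    hashed with the stored scheme and compared."""
    scheme, payload = split_scheme(stored)
    pw = candidate.encode()
    if scheme == "cleartext":
        return payload == candidate
    raw = base64.b64decode(payload)
    if scheme == "md5":
        return raw == hashlib.md5(pw).digest()
    if scheme == "sha":
        return raw == hashlib.sha1(pw).digest()
    if scheme == "ssha":  # base64(sha1(password + salt) + salt)
        digest, salt = raw[:20], raw[20:]
        return digest == hashlib.sha1(pw + salt).digest()
    raise ValueError(f"unsupported userPassword scheme: {scheme}")


def ldap_hash(password: str, scheme: str, salt: bytes = b"") -> str:
    """Build a constructed userPassword value in OpenLDAP's {SCHEME}base64 form."""
    pw = password.encode()
    if scheme == "MD5":
        raw = hashlib.md5(pw).digest()
    elif scheme == "SHA":
        raw = hashlib.sha1(pw).digest()
    elif scheme == "SSHA":
        raw = hashlib.sha1(pw + salt).digest() + salt
    else:
        raise ValueError(scheme)
    return "{" + scheme + "}" + base64.b64encode(raw).decode()
```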

> -----Original Message-----
> From: John McFadden [mailto:dasjlm at uwo.ca]
> Sent: Thursday, April 03, 2003 6:02 PM
> To: radiator at open.com.au
> Subject: (RADIATOR) Anonymous rejected with PEAP and LDAP 
> authentication
> 
> 
> 
> I'm having a small problem getting PEAP to work with OpenLDAP.
> 
> It appears my userid credentials get accepted but the anonymous user 
> gets rejected.
> 
> 
> Thu Apr  3 11:00:12 2003: DEBUG: Handling request with Handler 
> 'TunnelledByPEAP=1'
> Thu Apr  3 11:00:12 2003: DEBUG:  Deleting session for , 
> 129.100.1.145, 29
> Thu Apr  3 11:00:12 2003: DEBUG: Handling with Radius::AuthLDAP2:
> Thu Apr  3 11:00:12 2003: DEBUG: Handling with EAP: code 2, 70, 61
> Thu Apr  3 11:00:12 2003: DEBUG: Response type 26
> Thu Apr  3 11:00:12 2003: INFO: Connecting to 129.100.3.19, port 389
> Thu Apr  3 11:00:12 2003: INFO: Attempting to bind with ,  (server 
> 129.100.3.19:389)
> Thu Apr  3 11:00:12 2003: DEBUG: LDAP got result for 
> uid=dasjlm,ou=People,dc=its,dc=uwo,dc=ca
> Thu Apr  3 11:00:12 2003: DEBUG: LDAP got uid: dasjlm
> Thu Apr  3 11:00:12 2003: DEBUG: LDAP got cn: John McFadden
> Thu Apr  3 11:00:12 2003: DEBUG: LDAP got objectClass: account 
> posixAccount top shadowAccount
> Thu Apr  3 11:00:12 2003: DEBUG: LDAP got shadowMax: 99999
> Thu Apr  3 11:00:12 2003: DEBUG: LDAP got shadowWarning: 7
> Thu Apr  3 11:00:12 2003: DEBUG: LDAP got loginShell: /bin/bash
> Thu Apr  3 11:00:12 2003: DEBUG: LDAP got uidNumber: 14257
> Thu Apr  3 11:00:12 2003: DEBUG: LDAP got gidNumber: 134
> Thu Apr  3 11:00:12 2003: DEBUG: LDAP got homeDirectory: /home/dasjlm
> Thu Apr  3 11:00:12 2003: DEBUG: LDAP got gecos: John McFadden
> Thu Apr  3 11:00:12 2003: DEBUG: LDAP got userPassword: 
> {MD5}1Jbzp9vuY3lJ/SrbMnoaDQ==
> Thu Apr  3 11:00:12 2003: DEBUG: Radius::AuthLDAP2 looks for 
> match with 
> dasjlm
> Thu Apr  3 11:00:12 2003: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Thu Apr  3 11:00:12 2003: INFO: Access rejected for anonymous: EAP 
> MSCHAP-V2 Authentication failure
> 
> 
> Does this mean I need to add an anonymous userid to OpenLDAP?
> 
> If so I assume it has to be an id with no password?
> 
> Any other methods to do this?
> 
> Thanks in advance.
> John McFadden
> 
> 
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
> 