(RADIATOR) RADIATOR and LDAP authentication problem

Hugh Irvine hugh at open.com.au
Wed Feb 4 15:50:39 CST 2004


Hello Paulo -

It looks to me like you have configured "User-Password" as the LDAP  
field that contains the password, but it is not found.

Are you sure that "User-Password" is correct?

BTW - if you do not want the lookup for DEFAULT to occur you should add  
"NoDefault" to the AuthBy clause:

<AuthBy LDAP2>
	.....
	NoDefault
	.....
</AuthBy>

You will also have problems with passwords if the shared secrets  
between the client device and the Client clause are not identical.

regards

Hugh


On 4 Feb 2004, at 23:41, Paulo Valverde Costa wrote:

> Hello,
>
> I'm testing authentication with Radiator 3.7.1 on Netscape Directory Server
> 4.0 (each on a separate server) and I have trouble with the authentication
> of VPN users (Cisco 3030 VPN Concentrator).
>
> This is a log of the RADIATOR:
>
> Wed Feb  4 12:00:36 2004: ERR: Attribute number 195 (vendor 3076) is not defined in your dictionary
> Wed Feb  4 12:00:36 2004: DEBUG: Packet dump:
> *** Received from 193.137.17.1 port 1040 ....
>
> Packet length = 112
> Code:       Access-Request
> Identifier: 38
> Authentic:  <213><197><243><164>q<20><255><25><254><213><25>|~T<236><186>
> Attributes:
>         User-Name = "user1 at teste.uminho.pt"
>         User-Password = "<23><253>U<152><147><191>n<254><136>2<229><220><208><252>.<163>"
>         NAS-Port = 1052
>         Service-Type = Framed
>         Framed-Protocol = PPP
>         Tunnel-Client-Endpoint = 172.19.0.41
>         NAS-IP-Address = 193.137.17.1
>         NAS-Port-Type = Virtual
>
> Wed Feb  4 12:00:36 2004: DEBUG: Handling request with Handler 'Realm=/uminho.pt$/'
> Wed Feb  4 12:00:36 2004: DEBUG:  Deleting session for user1 at teste.uminho.pt, 193.137.17.1, 1052
> Wed Feb  4 12:00:36 2004: DEBUG: Handling with Radius::AuthLDAP2: ldap_auth
> Wed Feb  4 12:00:36 2004: INFO: Connecting to 193.137.16.145, port 389
> Wed Feb  4 12:00:36 2004: INFO: Attempting to bind to LDAP server 193.137.16.145:389)
> Wed Feb  4 12:00:36 2004: DEBUG: LDAP got result for cn=Utilizador Um (user1),ou=people,dc=teste,dc=uminho,dc=pt,o=internet
> Wed Feb  4 12:00:36 2004: DEBUG: LDAP got businessCategory: funcionarios
> Wed Feb  4 12:00:36 2004: ERR: There was no password attribute found for user1 at teste.uminho.pt. Check your LDAP database.
> Wed Feb  4 12:00:36 2004: DEBUG: Radius::AuthLDAP2 looks for match with user1 at teste.uminho.pt
> Wed Feb  4 12:00:36 2004: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password
> Wed Feb  4 12:00:36 2004: INFO: Connecting to 193.137.16.145, port 389
> Wed Feb  4 12:00:36 2004: INFO: Attempting to bind to LDAP server 193.137.16.145:389)
> Wed Feb  4 12:00:36 2004: DEBUG: No entries for DEFAULT found in LDAP database
> Wed Feb  4 12:00:36 2004: INFO: Access rejected for user1 at teste.uminho.pt: Bad Encrypted password
> Wed Feb  4 12:00:36 2004: DEBUG: Packet dump:
> *** Sending to 193.137.17.1 port 1040 ....
>
> Packet length = 44
> 03 26 00 2c 99 41 84 17 50 92 cb 55 c7 eb c9 5d
> b5 c2 a7 a5 12 18 42 61 64 20 45 6e 63 72 79 70
> 74 65 64 20 70 61 73 73 77 6f 72 64
> Code:       Access-Reject
> Identifier: 38
> Authentic:  <213><197><243><164>q<20><255><25><254><213><25>|~T<236><186>
> Attributes:
>         Reply-Message = "Bad Encrypted password"
>
>
>
>
>
> This is a problem of inexistence of the password attribute or the "Bad Encrypted password"
>
>
> I'm sure of my password, and I don't understand why Radiator rejects my
> requests.
>
>
> How can I pass this problem?
>
>
> An excerpt of my Radius conf. file is:
>
> ...
> <AuthBy LDAP2>
>   AutoMPPEKeys
>   AuthDN cn=Admin Teste (admin),ou=People,dc=teste,dc=uminho,dc=pt,o=internet
>   AuthPassword teste
>   BaseDN dc=teste,dc=uminho,dc=pt,o=internet
>   Description Autenticador por LDAP
>   Host 172.16.172.20
>   Identifier ldap_auth
>   PasswordAttr User-Password
> #  EncryptedPasswordAttr Encrypted-Password
> #  EncryptedPasswordAttr User-Password
> #  EncryptedPasswordAttr userPassword
> #  PasswordAttr userPassword
> #  PasswordAttr Password
> # PasswordAttr User-Password
>   AuthAttrDef businessCategory, Class, reply
>   Port 389
>   UsernameAttr mail
> </AuthBy>
>
> ....
>
>
> best regards,
> paulo
>
> ----------------------------------------------------------------------------
> Paulo J. Valverde V. Costa
> Centro de Comunicações - Campus de Gualtar - Universidade do Minho
> 4710-057 Braga, PORTUGAL
> Tel.: + 351 253 604023; Fax: + 351 253 604021
> e-mail: pcosta at ccom.uminho.pt
> http://www.ccom.uminho.pt
>
> ----------------------------------------------------------------------------
> "Few things are harder to put up with than the annoyance of a good example."
>                       Mark Twain (1835-1910);
> ----------------------------------------------------------------------------
>
> This email is confidential. If you are not the intended recipient,
> you must not disclose or use the information contained in it.
> If you have received this mail in error, please tell us
> immediately by return email and delete the document.
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
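
The shared-secret remark in the reply above, worked through as an added example (not part of the original post and not Radiator's code): RFC 2865 section 5.2 hides User-Password by XORing it with MD5(secret + Request Authenticator), so a server holding a different secret recovers garbage and rejects a correct password. The authenticator, secrets and password below are constructed sample values, and the function names are hypothetical.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: RFC 2865 section 5.2 User-Password hiding."""
    # Pad with NULs to a multiple of 16 octets (at least one block).
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        # Each block is XORed with MD5(secret + previous ciphertext block).
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the secret configured for this client."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")


def server_accepts(hidden, client_clause_secret, authenticator, directory_password):
    """Compare the recovered password with the plaintext value from the directory."""
    recovered = recover_password(hidden, client_clause_secret, authenticator)
    return recovered == directory_password


# Constructed sample values (not taken from the trace in this thread).
AUTHENTICATOR = bytes(range(16))
NAS_SECRET = b"example-secret"
USER_PASSWORD = b"correct horse"


def demo() -> dict:
    hidden = hide_password(USER_PASSWORD, NAS_SECRET, AUTHENTICATOR)
    return {
        # Client clause secret identical to the one on the NAS.
        "matching": server_accepts(hidden, b"example-secret", AUTHENTICATOR, USER_PASSWORD),
        # One transposed character in the Client clause secret.
        "mismatched": server_accepts(hidden, b"example-secert", AUTHENTICATOR, USER_PASSWORD),
    }


if __name__ == "__main__":
    print(demo())
```
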
