Fwd: (RADIATOR) Help with configure radius.cfg with eap and ldap
tudalat at shaw.ca
Wed Jan 21 16:03:03 CST 2004
----- Original Message -----
From: Mike McCauley <mikem at open.com.au>
Date: Tuesday, January 20, 2004 2:50 pm
Subject: Re: Fwd: (RADIATOR) Help with configure radius.cfg with eap and ldap
> Hello Andy,
>
Hi Mike:
> I think the problem is that you do not have PasswordAttr defined
> in your
> config file for AuthBy LDAP2. You should have seen an error
> message about that when it starts up? It's not required with
There was no error when ServerChecksPassword is not used. I tried
"PasswordAttr userPassword" and I got "There was no password attribute found"
PasswordAttr (alone) and EncryptedPasswordAttr, however, work successfully with LDAP but
MD5-Challenge still fails. Just wonder if it's because of our
peculiar way of implementing ldap. I am not allowed to retrieve
the UserPassword, I can only use it to do a LDAP bind.
Here are the two logs, .1 with "PasswordAttr userPassword"
and .2 with "PasswordAttr "
.1
*** Received from xxx.xxx.254.224 port 1024 ....
Code: Access-Request
Identifier: 165
Authentic: <187>O<211><155><163><153><10><156>C<179><242>9<230><208><164><144>
Attributes:
Framed-MTU = 1480
NAS-IP-Address = xxx.xxx.254.224
NAS-Identifier = "HP ProCurve Switch 2626"
User-Name = "tudalat"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 21
NAS-Port-Type = Ethernet
NAS-Port-Id = "21"
Called-Station-Id = "00-30-6e-ae-d1-2b"
Calling-Station-Id = "00-d0-b7-70-8d-7c"
Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = "1"
EAP-Message = <2><2><0><28><4><16>Y<10><4>>l8<155>Y<158><133><166>xl<185>J<204>tudalat
Message-Authenticator = <139><249>p<127><184>70<165><139>K<207>w<181><182><141>x
Wed Jan 21 14:34:35 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jan 21 14:34:35 2004: DEBUG: Rewrote user name to tudalat
Wed Jan 21 14:34:35 2004: DEBUG: Deleting session for tudalat, xxx.xxx.254.224, 21
Wed Jan 21 14:34:35 2004: DEBUG: Handling with Radius::AuthLDAP2: uidauthent
Wed Jan 21 14:34:35 2004: DEBUG: Handling with EAP: code 2, 2, 28
Wed Jan 21 14:34:35 2004: DEBUG: Response type 4
Wed Jan 21 14:34:35 2004: INFO: Connecting to test.ldap.ucalgary.ca, port 389
Wed Jan 21 14:34:35 2004: INFO: Attempting to bind to LDAP server test.ldap.ucalgary.ca:389)
Wed Jan 21 14:34:35 2004: DEBUG: LDAP got result for uid=tudalat,ou=uidauthent,o=ucalgary.ca
Wed Jan 21 14:34:35 2004: ERR: There was no password attribute found for tudalat. Check your LDAP database.
Wed Jan 21 14:34:35 2004: DEBUG: Radius::AuthLDAP2 looks for match with tudalat
Wed Jan 21 14:34:35 2004: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed Jan 21 14:34:35 2004: DEBUG: EAP result: 1, EAP MD5-Challenge failed
Wed Jan 21 14:34:35 2004: INFO: Access rejected for tudalat: EAP MD5-Challenge failed
Wed Jan 21 14:34:35 2004: DEBUG: Packet dump:
*** Sending to xxx.xxx.254.224 port 1024 ....
Code: Access-Reject
Identifier: 165
Authentic: <187>O<211><155><163><153><10><156>C<179><242>9<230><208><164><144>
Attributes:
EAP-Message = <4><2><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
.2
And here is the log for just "PasswordAttr"
*** Received from xxx.xxx.254.224 port 1024 ....
Code: Access-Request
Identifier: 167
Authentic: <3><187><208>-3{e<252>H<196>)e<250><185><171><127>
Attributes:
Framed-MTU = 1480
NAS-IP-Address = xxx.xxx.254.224
NAS-Identifier = "HP ProCurve Switch 2626"
User-Name = "tudalat"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 21
NAS-Port-Type = Ethernet
NAS-Port-Id = "21"
Called-Station-Id = "00-30-6e-ae-d1-2b"
Calling-Station-Id = "00-d0-b7-70-8d-7c"
Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = "1"
EAP-Message = <2><2><0><28><4><16><241><185><222><167><132><20><175><196><10>;<234><21><138>d<242>+tudalat
Message-Authenticator = F<1>Q(|3Oc<5>$@4<22>t<208>~
Wed Jan 21 14:52:33 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jan 21 14:52:33 2004: DEBUG: Rewrote user name to tudalat
Wed Jan 21 14:52:33 2004: DEBUG: Deleting session for tudalat, xxx.xxx.254.224, 21
Wed Jan 21 14:52:33 2004: DEBUG: Handling with Radius::AuthLDAP2: uidauthent
Wed Jan 21 14:52:33 2004: DEBUG: Handling with EAP: code 2, 2, 28
Wed Jan 21 14:52:33 2004: DEBUG: Response type 4
Wed Jan 21 14:52:33 2004: INFO: Connecting to test.ldap.ucalgary.ca, port 389
Wed Jan 21 14:52:33 2004: INFO: Attempting to bind to LDAP server test.ldap.ucalgary.ca:389)
Wed Jan 21 14:52:33 2004: DEBUG: LDAP got result for uid=tudalat,ou=uidauthent,o=ucalgary.ca
Wed Jan 21 14:52:33 2004: DEBUG: Radius::AuthLDAP2 looks for match with tudalat
Wed Jan 21 14:52:33 2004: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed Jan 21 14:52:33 2004: DEBUG: EAP result: 1, EAP MD5-Challenge failed
Wed Jan 21 14:52:33 2004: INFO: Access rejected for tudalat: EAP MD5-Challenge failed
Wed Jan 21 14:52:33 2004: DEBUG: Packet dump:
*** Sending to xxx.xxx.254.224 port 1024 ....
Code: Access-Reject
Identifier: 167
Authentic: <3><187><208>-3{e<252>H<196>)e<250><185><171><127>
Attributes:
EAP-Message = <4><2><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
Can you advise?
thanks
Andy Dalat
tudalat at shaw.ca
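The failure in both logs comes down to what EAP MD5-Challenge requires of the server. RFC 3748 (section 5.4) defines the response value exactly as CHAP in RFC 1994: MD5(Identifier || Secret || Challenge). The RADIUS server has to recompute that hash itself, so it needs the user's cleartext password from the backend. A directory that only permits an LDAP bind never hands the password over, and a crypt-style hash in EncryptedPasswordAttr is no help either, so the only possible outcome is the "EAP MD5-Challenge failed" reject shown above. The following is an added example, not Radiator's code: it parses an EAP-Message of the shape in the log (Code 2, Type 4, Value-Size 16, then the Name), verifies it against a cleartext password, and shows the bind-only case, where no password is available, failing closed. The challenge, password and user name are constructed values.

```python
"""Added example (not Radiator code): why EAP MD5-Challenge needs a cleartext password.

RFC 3748 section 5.4: Response Value = MD5(Identifier || Secret || Challenge).
The server keeps the Challenge it sent in its Request and recomputes the hash
with the password it fetched from the backend. No cleartext password, no check.
"""
import hashlib
import hmac
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4


def build_md5_challenge_response(identifier: int, password: bytes,
                                 challenge: bytes, name: bytes) -> bytes:
    """Build the EAP-Message a supplicant would send back (constructed input)."""
    value = hashlib.md5(bytes([identifier]) + password + challenge).digest()
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    length = 4 + len(body)  # EAP header (Code, Identifier, Length) plus body
    return struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, length) + body


def parse_md5_challenge_response(eap_message: bytes) -> dict:
    """Decode Code/Identifier/Length/Type/Value-Size/Value/Name; reject malformed input."""
    if len(eap_message) < 6:
        raise ValueError("EAP message too short")
    code, identifier, length = struct.unpack("!BBH", eap_message[:4])
    if code != EAP_CODE_RESPONSE:
        raise ValueError(f"expected EAP Response (code 2), got code {code}")
    if length != len(eap_message):
        raise ValueError(f"EAP length field {length} != {len(eap_message)} bytes received")
    eap_type, value_size = eap_message[4], eap_message[5]
    if eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError(f"expected MD5-Challenge (type 4), got type {eap_type}")
    if value_size != 16 or 6 + value_size > length:
        raise ValueError("bad Value-Size for MD5-Challenge")
    value = eap_message[6:6 + value_size]
    name = eap_message[6 + value_size:]  # optional Name field, "tudalat" in the log
    return {"identifier": identifier, "value": value, "name": name}


def verify_md5_challenge(eap_message: bytes, challenge: bytes, cleartext_password):
    """Return (accepted, reason).

    cleartext_password is None when the backend can only bind and never returns
    the password, which is the situation described in the post.
    """
    parsed = parse_md5_challenge_response(eap_message)
    if cleartext_password is None:
        # Nothing to hash against: the method cannot succeed, only be rejected.
        return False, "no cleartext password available; EAP MD5-Challenge cannot be verified"
    expected = hashlib.md5(
        bytes([parsed["identifier"]]) + cleartext_password + challenge).digest()
    if hmac.compare_digest(expected, parsed["value"]):
        return True, "EAP MD5-Challenge ok"
    return False, "EAP MD5-Challenge failed"


# Constructed sample values (hypothetical, not from the post's LDAP directory).
SAMPLE_CHALLENGE = bytes(range(16))          # the 16-byte Challenge the server sent
SAMPLE_PASSWORD = b"correct-horse"           # constructed cleartext password
SAMPLE_RESPONSE = build_md5_challenge_response(2, SAMPLE_PASSWORD, SAMPLE_CHALLENGE, b"tudalat")

if __name__ == "__main__":
    print(verify_md5_challenge(SAMPLE_RESPONSE, SAMPLE_CHALLENGE, SAMPLE_PASSWORD))
    print(verify_md5_challenge(SAMPLE_RESPONSE, SAMPLE_CHALLENGE, None))
    print(verify_md5_challenge(SAMPLE_RESPONSE, SAMPLE_CHALLENGE, b"wrong"))
```

The second call is the bind-only case: the server can prove nothing about the response without the password, so rejecting is the only correct behaviour. A bind-only directory can still authenticate methods that carry the password to the server, such as PAP inside a TLS-protected tunnel, but not a challenge-response method like EAP-MD5.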
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.