(RADIATOR) Inner auth failed due to "Bad Password" in EAP-TTLS
양승용
joshua.yang at samsung.com
Wed Mar 17 02:02:35 CST 2004
While testing I got the following message from Radiator, which says that inner auth failed due to "Bad password".
But I correctly set the username and password both in the SUPPLICANT and LDAP.
Please help.
======================================================================================
Wed Mar 17 16:15:59 2004: DEBUG: Handling with Radius::AuthLDAP2:
Wed Mar 17 16:15:59 2004: DEBUG: Handling with EAP: code 2, 5, 151
Wed Mar 17 16:15:59 2004: DEBUG: Response type 21
Wed Mar 17 16:15:59 2004: DEBUG: EAP TTLS inner authentication request for syyan
g
Wed Mar 17 16:15:59 2004: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <206>7<222><220><11><168><163><16>V<164>B<17><236>i\<197>
Attributes:
User-Name = "syyang"
MS-CHAP-Challenge = "<232><161><223><252>*<215>j:<222><171><211><130><25
5><194><185><246>"
MS-CHAP2-Response = "<212><0><225>7A<7>(<234>l2<153><150>g<246><250><203
><242><22><0><0><0><0><0><0><0><0>@<137><0>_<216><183><187>E<199><171><145>'<223
><164>=Db<187><133><139><12>^<12>z"
Wed Mar 17 16:15:59 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Mar 17 16:15:59 2004: DEBUG: Deleting session for syyang, 172.23.18.110,
Wed Mar 17 16:15:59 2004: DEBUG: Handling with Radius::AuthLDAP2:
Wed Mar 17 16:15:59 2004: INFO: Connecting to localhost, port 10389
Wed Mar 17 16:15:59 2004: INFO: Attempting to bind to LDAP server localhost:1038
9)
Wed Mar 17 16:16:00 2004: DEBUG: LDAP got result for uid=syyang,ou=People, o=sec
ui
Wed Mar 17 16:16:00 2004: DEBUG: LDAP got userPassword: {SHA}3vhhXWO4swZ9hxvhOxg
Zbuuq60c=
Wed Mar 17 16:16:00 2004: DEBUG: Radius::AuthLDAP2 looks for match with syyang
Wed Mar 17 16:16:00 2004: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Wed Mar 17 16:16:00 2004: INFO: Connecting to localhost, port 10389
Wed Mar 17 16:16:00 2004: INFO: Attempting to bind to LDAP server localhost:1038
9)
Wed Mar 17 16:16:00 2004: DEBUG: No entries for DEFAULT found in LDAP database
Wed Mar 17 16:16:00 2004: INFO: Access rejected for syyang: Bad Password
Wed Mar 17 16:16:00 2004: DEBUG: EAP result: 1, EAP TTLS inner authentication re
despatched to a Handler
Wed Mar 17 16:16:00 2004: INFO: Access rejected for anonymous: EAP TTLS inner au
thentication redespatched to a Handler
Wed Mar 17 16:16:00 2004: DEBUG: Packet dump:
*** Sending to 172.23.18.110 port 1645 ....
Code: Access-Reject
Identifier: 140
Authentic: <156><169><141>+<203><160><241><227>Y<1><131>-<25><1><212><250>
Attributes:
EAP-Message = <4><5><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
=================================== environment =======================================
supplicant : odyssey client with id : syyang password : syyang
AP : cisco aironet : with shared secret "mysecret"
=================================== configuration file ===============================
<Client 172.23.18.110>
Secret mysecret
DupInterval 0
</Client>
<Client DEFAULT>
Secret mysecret
DupInterval 0
</Client>
<Realm DEFAULT>
<AuthBy LDAP2>
# Tell Radiator how to talk to the LDAP server
Host localhost
Port 10389
# You will only need these if your LDAP server
# requires authentication. These are the examples
# in a default OpenLDAP installation
# see /etc/openldap/slapd.conf
AuthDN cn=Directory Manager
AuthPassword directory
# This is the top of the search tree where users
# will be found. It should match the configuration
# of your server, see /etc/openldap/slapd.conf
BaseDN ou=people,o=secui
# base, one , sub ( scope )
Scope sub
# This is the LDAP attribute to match the radius user name
UsernameAttr uid
# If you don't specify ServerChecksPassword, you
# need to tell Radiator which attribute contains
# the password. It can be plaintext or encrypted
PasswordAttr userPassword
EAPType TTLS
EAPTLS_CAFile %D/certificates/ca_cls_sig.cert.pem
EAPTLS_CertificateFile %D/certificates/ca_svr_sig.cert.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/ca_svr_sig.key.pem
EAPTLS_PrivateKeyPassword a123456A
EAPTLS_MaxFragmentSize 1000
SSLeayTrace 3
</AuthBy>
</Realm>
=======================================================================================
Directory Server SUN ONE directory server 4.1
uid=syyang, ou=people, o =secui
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
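The debug log in the post pairs an MS-CHAPv2 inner request (MS-CHAP2-Response) with a userPassword stored as {SHA}; a one-way hash can be compared against a PAP password, but a challenge response cannot be computed from it. The check below is an added example, not part of the original post and not Radiator code, that reads that pairing out of the debug lines; the function names, the attribute-to-method map and the list of one-way schemes are assumptions of the example.

```python
import re

# Lines copied from the debug log in the post (binary attribute values shortened);
# the post's 80-column wrapping is kept so unwrap() has something to rejoin.
LOG = """\
Wed Mar 17 16:15:59 2004: DEBUG: EAP TTLS inner authentication request for syyan
g
Wed Mar 17 16:15:59 2004: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code: Access-Request
Attributes:
User-Name = "syyang"
MS-CHAP-Challenge = "<232><161>"
MS-CHAP2-Response = "<212><0>"
Wed Mar 17 16:16:00 2004: DEBUG: LDAP got userPassword: {SHA}3vhhXWO4swZ9hxvhOxg
Zbuuq60c=
Wed Mar 17 16:16:00 2004: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
"""

# Request attribute -> inner method it implies
METHOD_BY_ATTR = {"User-Password": "PAP", "CHAP-Password": "CHAP",
                  "MS-CHAP-Response": "MS-CHAP", "MS-CHAP2-Response": "MS-CHAPv2"}
# One-way schemes: fine for PAP (hash and compare), unusable for challenge-response
ONE_WAY = {"SHA", "SSHA", "MD5", "SMD5", "CRYPT"}

def unwrap(text, width=80):
    """Rejoin lines that a terminal wrapped at `width` columns."""
    out, carry = [], False
    for line in text.splitlines():
        if carry:
            out[-1] += line
        else:
            out.append(line)
        carry = len(line) == width
    return out

def diagnose(text):
    """Return (inner_method, stored_scheme, compatible)."""
    method, scheme = None, "cleartext"
    for line in unwrap(text):
        m = re.match(r"([\w-]+) = ", line)
        if m and m.group(1) in METHOD_BY_ATTR:
            method = METHOD_BY_ATTR[m.group(1)]
        m = re.search(r"LDAP got userPassword: (?:\{(\w+)\})?", line)
        if m and m.group(1):
            scheme = m.group(1).upper()
    compatible = method == "PAP" or scheme not in ONE_WAY
    return method, scheme, compatible

if __name__ == "__main__": print(diagnose(LOG))
```

A result of `False` in the third field means the stored password format cannot satisfy the inner method the supplicant chose, whatever password the user typed.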