(RADIATOR) Re: Problems LDAP authentication

Hugh Irvine hugh at open.com.au
Wed Apr 12 23:48:01 CDT 2006


Hello Freerk -

The only thing we can think of is something in the LDAP server that  
does not accept queries from this host.

Are the other boxes running FreeBSD 6.0 also?

regards

Hugh


On 13 Apr 2006, at 05:33, F.J.Bosscha wrote:

> Thanks for reading this question.
>
> I recently installed a FreeBSD 6.0 box for use as a Radiator RADIUS box.
>
> The following is installed:
>
>
>
> bsdpan-DBD-LDAP-0.07      DBD::LDAP - Perl extension for DBI, providing an SQL/P
> bsdpan-DBI-1.50     DBI - Database independent interface for Perl
> bsdpan-Digest-HMAC-1.01 Digest::HMAC - Keyed-Hashing for Message Authentication
> bsdpan-Digest-MD4-1.5 Digest::MD4 - Perl interface to the MD4 Algorithm
> bsdpan-Digest-MD5-2.36 Digest::MD5 - Perl interface to the MD5 Algorithm
> bsdpan-Digest-SHA1-2.11 Digest::SHA1 - Perl interface to the SHA-1 algorithm
> bsdpan-Radiator-3.14 Unknown perl module
> cvsup-without-gui-16.1h_2 General network file distribution system optimized for CVS
> ldconfig_compat-1.0_6 Ldconfig compatibility script
> libtool-1.5.22_2    Generic shared library support script
> linux_base-8-8.0_6  Base set of packages needed in Linux mode (only for i386)
> lynx-ssl-2.8.5      A non-graphical, text-based World-Wide Web client with SSL
> mysql-client-5.0.19 Multithreaded SQL database (client)
> net-snmp-5.2.1.2    An extendable SNMP implementation
> openssl-stable-0.9.7i SSL and crypto library
> p5-Authen-SASL-2.09 Perl5 module for SASL authentication
> p5-Convert-ASN1-0.20 Perl5 module to encode and decode ASN.1 data structures
> p5-DBD-mysql50-3.0002 MySQL 5.0 driver for the Perl5 Database Interface (DBI)
> p5-DBI-1.50         The perl5 Database Interface.  Required for DBD::* modules
> p5-IO-Socket-SSL-0.97 Perl5 interface to SSL sockets
> p5-Net-SSLeay-1.25  Perl5 interface to SSL
> p5-Storable-2.15    Persistency for perl data structures
> p5-TimeDate-1.16,1  Perl5 module containing a better/faster date parser for abs
> p5-URI-1.35         Perl5 interface to Uniform Resource Identifier (URI) refere
> p5-XML-NamespaceSupport-1.09_1 A simple generic namespace support class
> p5-XML-SAX-0.12     Simple API for XML
> p5-perl-ldap-0.33   A Client interface to LDAP servers
> perl-5.8.7          Practical Extraction and Report Language
> rdate-1.1           Sets the clock of the local host to the time of another hos
> rsync-2.6.6         A network file distribution/synchronization utility
> zip-2.3_2           Create/update ZIP files compatible with pkzip
>
>
>
> Next to this system we have 2 other 3.14 Radiator boxes which have
> exactly the same configuration file and work without a problem.
>
> For some reason, this box doesn't find any accounts on the LDAP
> server. I have made a small Perl script to read the LDAP entries,
> and that works fine.
>
> The logfile looks like:
>
>
>
>
>
> Wed Apr 12 21:11:02 2006: DEBUG: Creating Monitor port 0.0.0.0:9048
> Wed Apr 12 21:11:02 2006: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> Wed Apr 12 21:11:02 2006: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Wed Apr 12 21:11:03 2006: DEBUG: Creating authentication port 0.0.0.0:1812
> Wed Apr 12 21:11:03 2006: DEBUG: Creating accounting port 0.0.0.0:1813
> Wed Apr 12 21:11:03 2006: NOTICE: Server started: Radiator 3.14 on radius2.nhl.nl
> Wed Apr 12 21:11:03 2006: DEBUG: Packet dump:
> *** Received from 141.252.251.51 port 1646 ....
>
> Packet length = 223
>
>
> Code:       Accounting-Request
> Identifier: 155
> Authentic:  <189>~g<185><158><214>4<135><194>O<193>7<173><14>i<253>
> Attributes:
>         Acct-Session-Id = "000045DE"
>         Called-Station-Id = "0011.5cc3.8330"
>         Calling-Station-Id = "0012.1768.574e"
>         cisco-avpair = "ssid=NHL"
>         cisco-avpair = "vlan-id=301"
>         cisco-avpair = "nas-location=unspecified"
>         User-Name = "klut at nhl.nl"
>         cisco-avpair = "connect-progress=Call Up"
>         Acct-Status-Type = Start
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Cisco-NAS-Port = "11091"
>         NAS-Port = 11091
>         Service-Type = Framed-User
>         NAS-IP-Address = 141.252.251.51
>         Acct-Delay-Time = 0
>
>
>
> Wed Apr 12 21:11:03 2006: DEBUG: Handling request with Handler 'Request-Type = Accounting-Request'
> Wed Apr 12 21:11:03 2006: DEBUG:  Adding session for klut at nhl.nl, 141.252.251.51, 11091
> Wed Apr 12 21:11:03 2006: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='141.252.251.51' and NASPORT=011091':
> Wed Apr 12 21:11:03 2006: DEBUG: do query is: 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('klut at nhl.nl', '141.252.251.51', 11091, '000045DE', 1144869063, '', 'Wireless-IEEE-802-11', 'Framed-User')':
> Wed Apr 12 21:11:03 2006: DEBUG: Handling with Radius::AuthSQL
> Wed Apr 12 21:11:03 2006: DEBUG: Handling accounting with Radius::AuthSQL
> Wed Apr 12 21:11:03 2006: DEBUG: do query is: 'insert into ACCOUNTING (ACCTDELAYTIME,ACCTSESSIONID,ACCTSTATUSTYPE,ACTUAL_TIME,CALLEDSTATIONID,CALLINGSTATIONID,NASIPADDRESS,NASPORT,TIME_STAMP,USERNAME) values (0,'000045DE','Start','2006/04/12 21:11:03','0011.5cc3.8330','0012.1768.574e','141.252.251.51',11091,1144869063,'klut at nhl.nl')':
>
> Wed Apr 12 21:11:03 2006: DEBUG: AuthBy SQL result: ACCEPT,
> Wed Apr 12 21:11:03 2006: DEBUG: Accounting accepted
>
> Wed Apr 12 21:11:03 2006: DEBUG: Packet dump:
> *** Sending to 141.252.251.51 port 1646 ....
>
> Packet length = 20
> 05 9b 00 14 3a e6 4b 26 bc f4 45 d5 1f ac b2 ab
> 3c c3 5a 58
> Code:       Accounting-Response
> Identifier: 155
> Authentic:  <189>~g<185><158><214>4<135><194>O<193>7<173><14>i<253>
> Attributes:
>
>
>
> Wed Apr 12 21:11:06 2006: DEBUG: Packet dump:
> *** Received from 141.252.250.201 port 1905 ....
>
> Packet length = 51
> 01 f3 00 33 00 00 37 72 00 00 0a 7a 00 00 79 66
> 00 00 7b f8 01 07 71 75 65 72 79 02 12 7a c1 8e
> 71 50 30 28 78 16 2e 72 5e 43 d8 62 c6 04 06 00
> 00 00 00
> Code:       Access-Request
> Identifier: 243
> Authentic:  <0><0>7r<0><0><10>z<0><0>yf<0><0>{<248>
> Attributes:
>         User-Name = "query"
>         User-Password = z<193><142>qP0(x<22>.r^C<216>b<198>
>         NAS-IP-Address = 0.0.0.0
>
>
>
> Wed Apr 12 21:11:06 2006: DEBUG: Handling request with Handler 'Realm=""'
> Wed Apr 12 21:11:06 2006: DEBUG:  Deleting session for query, 0.0.0.0,
> Wed Apr 12 21:11:06 2006: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='0.0.0.0' and NASPORT=0':
> Wed Apr 12 21:11:06 2006: DEBUG: Handling with Radius::AuthLDAP2: NHL_LDAP
> Wed Apr 12 21:11:06 2006: INFO: Connecting to ldapmaster.nhl.nl:380
> Wed Apr 12 21:11:06 2006: INFO: Attempting to bind to LDAP server ldapmaster.nhl.nl:380
> Wed Apr 12 21:11:06 2006: DEBUG: No entries for query found in LDAP database
> Wed Apr 12 21:11:06 2006: DEBUG: Radius::AuthLDAP2 looks for match with query [query]
> Wed Apr 12 21:11:06 2006: DEBUG: Radius::AuthLDAP2 REJECT: No such user: query [query]
> Wed Apr 12 21:11:06 2006: DEBUG: No entries for DEFAULT found in LDAP database
> Wed Apr 12 21:11:06 2006: DEBUG: AuthBy LDAP2 result: REJECT, No such user
> Wed Apr 12 21:11:06 2006: INFO: Access rejected for query: No such user
>
> Wed Apr 12 21:11:06 2006: DEBUG: Packet dump:
> *** Sending to 141.252.250.201 port 1905 ....
>
> Packet length = 36
> 03 f3 00 24 c2 03 25 1a bf 0a 97 f6 4c a2 a3 87
> 6d c5 63 20 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:       Access-Reject
> Identifier: 243
> Authentic:  <0><0>7r<0><0><10>z<0><0>yf<0><0>{<248>
> Attributes:
>         Reply-Message = "Request Denied"
>
>
>
> Wed Apr 12 21:11:07 2006: DEBUG: Packet dump:
> *** Received from 141.252.251.51 port 1646 ....
>
> Packet length = 322
>
>
> Code:       Accounting-Request
> Identifier: 157
> Authentic:  }<8><7><183><166><28><21>/tk<172><209>&<172><210><163>
> Attributes:
>         Acct-Session-Id = "000045DC"
>         Called-Station-Id = "0011.5cc3.8330"
>         Calling-Station-Id = "0012.1768.574e"
>         cisco-avpair = "ssid=NHL"
>         cisco-avpair = "vlan-id=301"
>
>
>
>
>
> My LDAP2 config part is:
>
> AcctPort 1813
> AuthPort 1812
> DbDir /etc/radiator
> LogDir /var/log/radius
> LogFile /var/log/radius/radius.log.%m%d
> Trace 5
>
> <AuthBy FILE>
>   AutoMPPEKeys
>   EAPTLS_CAFile %D/cert/nhlca.crt
>   EAPTLS_CertificateFile %D/cert/nhlserver.crt
>   EAPTLS_CertificateType PEM
>   EAPTLS_MaxFragmentSize 1024
>   EAPTLS_PrivateKeyFile %D/cert/nhlserver.key
>   EAPTLS_PrivateKeyPassword XXXXX
>   EAPType TTLS
>   Filename %D/users
>   Identifier NHL_FILE
>   SSLeayTrace 4
> </AuthBy>
>
> <AuthBy FILE>
>   EAPType LEAP
>   Filename %D/ap-users
>   Identifier NHL_AP
> </AuthBy>
>
> <AuthBy SQL>
>   AccountingTable ACCOUNTING
>   AcctColumnDef USERNAME,User-Name
>   AcctColumnDef ACTUAL_TIME,Timestamp,formatted-date,'%Y/%m/%e %H:%M:%S'
>   AcctColumnDef TIME_STAMP,Timestamp,integer
>   AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>   AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>   AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>   AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>   AcctColumnDef ACCTINPUTPACKETS,Acct-Input-Packets,integer
>   AcctColumnDef ACCTOUTPUTPACKETS,Acct-Output-Packets,integer
>   AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>   AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>   AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>   AcctColumnDef NASIDENTIFIER,NAS-Identifier
>   AcctColumnDef NASIPADDRESS,NAS-IP-Address
>   AcctColumnDef NASPORT,NAS-Port,integer
>   AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>   AcctColumnDef CALLEDSTATIONID,Called-Station-Id
>   AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
>   AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
>   AcctColumnDef CLASS,Class
>   AcctColumnDef ACCOUNTSESSIONTIME,Acct-Session-Time,integer
>   AcctColumnDef TUNNELCLIENTENDPOINT,Tunnel-Client-Endpoint
>   AcctColumnDef LOCATION,WISPr-Location-Name
>   AuthSelect
>   DBAuth XXXXX
>   DBSource dbi:mysql:RADIUS:mysql01.nhl.nl
>   DBUsername radius
>   Identifier SQLAccountingOnly
> </AuthBy>
>
> <AuthBy LDAP2>
>   Debug 255
>   AddToReply Session-Timeout = "7200"
>   AuthAttrDef VlanID, Tunnel-Private-Group-ID, reply
>   AuthDN cn=Manager,o=Noordelijke Hogeschool Leeuwarden,c=nl
>   AuthPassword XXXXXX
>   AutoMPPEKeys
>   BaseDN o=Noordelijke Hogeschool Leeuwarden,c=nl
>   EAPTLS_CAFile %D/cert/nhlca.crt
>   EAPTLS_CertificateFile %D/cert/nhlserver.crt
>   EAPTLS_CertificateType PEM
>   EAPTLS_MaxFragmentSize 1024
>   EAPTLS_PrivateKeyFile %D/cert/nhlserver.key
>   EAPTLS_PrivateKeyPassword XXXXXX
>   EAPType TTLS
>   HoldServerConnection
>   Host ldapmaster.nhl.nl
>   Identifier NHL_LDAP
>   PasswordAttr userPassword
>   Port 380
>   SSLeayTrace 4
>   StripFromReply Class
>   UsernameAttr uid
>   AuthAttrDef NHLipAddress, Framed-IP-Address, reply
>   AuthAttrDef NHLipNetMask, Framed-IP-Netmask, reply
>   Version 3
> </AuthBy>
>
>
>
>
>
> What can be wrong?
>
> Thanks for your reply,
>
> Freerk Bosscha
> Noordelijke Hogeschool Leeuwarden
> The Netherlands
>
>
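Since the poster's own test script is not shown, here is an added Perl check (not Radiator's code and not from the original post) that repeats the NHL_LDAP lookup step by step with Net::LDAP from the installed p5-perl-ldap: connect to Host:Port, bind as AuthDN, then search BaseDN for UsernameAttr=<user>, using the values from the quoted config. The AuthPassword is a placeholder, the username 'query' is taken from the rejected Access-Request, and the requested attribute list is an assumption drawn from the AuthAttrDef lines.

```perl
#!/usr/bin/perl
# Added diagnostic, not part of Radiator or the original post.
# Mirrors what <AuthBy LDAP2> NHL_LDAP does for one Access-Request so the
# bind and search results can be compared between radius2 and a working box.
use strict;
use warnings;
use Net::LDAP;

my $host    = 'ldapmaster.nhl.nl';
my $port    = 380;                    # Port from the config (not the LDAP default 389)
my $auth_dn = 'cn=Manager,o=Noordelijke Hogeschool Leeuwarden,c=nl';
my $auth_pw = 'XXXXXX';               # placeholder, set the real AuthPassword
my $base_dn = 'o=Noordelijke Hogeschool Leeuwarden,c=nl';
my $user    = shift @ARGV || 'query'; # user from the rejected request (assumption)

my $ldap = Net::LDAP->new($host, port => $port, version => 3, timeout => 10)
    or die "connect to $host:$port failed: $@\n";

# The trace shows "Attempting to bind" but no bind result, so check it here:
# a bad DN/password, or a server-side rule that refuses this client host,
# comes back as a non-zero LDAP result code instead of "No entries".
my $bind = $ldap->bind($auth_dn, password => $auth_pw);
die sprintf("bind as %s failed: %s (%d)\n", $auth_dn, $bind->error, $bind->code)
    if $bind->code;

# Escape RFC 4515 filter metacharacters so the username cannot alter the filter.
(my $safe_user = $user) =~ s/([\\*()\0])/sprintf('\\%02x', ord($1))/ge;

# Attributes assumed from the AuthAttrDef lines; userPassword is deliberately
# not requested, since reading it is not needed to see whether the entry exists.
my $search = $ldap->search(
    base   => $base_dn,
    scope  => 'sub',
    filter => "(uid=$safe_user)",     # UsernameAttr uid
    attrs  => [qw(uid VlanID NHLipAddress NHLipNetMask)],
);
die sprintf("search failed: %s (%d)\n", $search->error, $search->code)
    if $search->code;

printf "%d entries for (uid=%s) under %s\n", $search->count, $safe_user, $base_dn;
for my $entry ($search->entries) {
    print "  dn: ", $entry->dn, "\n";
    for my $attr ($entry->attributes) {
        print "    $attr: ", join(', ', $entry->get_value($attr)), "\n";
    }
}
$ldap->unbind;
```

Run it on radius2 and on one of the two working boxes with the same username: a bind or search error that appears only on radius2 points at the per-host restriction on the LDAP server that Hugh suggests, whereas a clean bind with 0 entries on both means the account really is not under that BaseDN.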


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.



--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

