(RADIATOR) Novell Universal passwords (and EAP)

Hugh Irvine hugh at open.com.au
Fri Oct 6 17:52:56 CDT 2006


Hello Peter -

We will need to see a copy of your configuration file and a trace 4  
debug showing what is happening with the whole sequence. An example  
of a working authentication and an example of one that doesn't work  
would be good.

BTW - have you checked the eDirectory logs?

regards

Hugh


On 7 Oct 2006, at 02:43, Peter Bates wrote:

>
> Hello all...
>
> Apologies for this, but a slight return to a subject I've asked about
> before (01/09/06).
>
> We're seeing a small but significant number of users who cannot
> seem to communicate using WPA + PEAP + MS-CHAPv2, talking to Radiator,
> which then talks LDAP to Novell eDirectory.
>
> I am using 'GetNovellUP' in my AuthBy LDAP2.
>
> I can see that nmasldap_get_password gets called in Ldap.pm.
>
> I also occasionally see this unknown error code message:
> Fri Oct  6 15:44:36 2006: ERR: get_edir_password for cn=IMBIZZEE,ou=2006,ou=ITD,ou=MSC,o=LSHTM error code: (-16049) UNKNOWN NOVELL ERROR CODE
>
> However I very rarely see the ones defined in the subroutine, such as:
>  -601  => '(-601) No such entry',
>  -603  => '(-603) No such attribute. Universal password not set?',
>
> When the user fails to authenticate, I just see:
>
> Fri Oct  6 09:11:15 2006: DEBUG: Radius::AuthLDAP2 looks for match with xxxx [anonymous]
> Fri Oct  6 09:11:15 2006: DEBUG: Radius::AuthLDAP2 ACCEPT: : xxxx [anonymous]
> Fri Oct  6 09:11:15 2006: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Fri Oct  6 09:11:15 2006: DEBUG: AuthBy GROUP result: REJECT, EAP MSCHAP-V2 Authentication failure
> Fri Oct  6 09:11:15 2006: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
>
> I have the 'Debug 255'  to debug Net::LDAP but it
> would appear this doesn't increase logging for this particular
> problem.
>
> I also see the reference to:
>
> $self->log($main::LOG_EXTRA_DEBUG, "Got Novell Universal Password: $password", $p);
>
> in AuthLDAP2.pm
>
> but I'd rather not log passwords to the logfile just to get a better
> idea of what is going wrong.
>
> If anyone has pointers, particularly people using 802.1x
> to talk to Novell eDirectory, they'd be most gratefully received!
>
> Thanks.
>
>
>
> ------------------------------------------------------------------------>
> Peter Bates, Systems Support Officer, IT Services.
> London School of Hygiene & Tropical Medicine.
> Telephone:0207-958 8353 / Fax: 0207- 636 9838
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

