(RADIATOR) Problem with LDAP2 authentication on Radiator-3.17.1-1

Hugh Irvine hugh at open.com.au
Mon Jul 16 18:30:54 CDT 2007


Hello Francisco -

As has been mentioned already, the shared secrets are probably not  
correct.

You should specify the shared secret to match your Client clause in the configuration file when you run radpwtst.

What format is the password stored in the LDAP server?

What is shown on stderr from the LDAP debug when you run radiusd like  
this?

	cd /your/Radiator/distribution

	perl radiusd -foreground -log_stdout -trace 4 -config_file /your/configuration/file

regards

Hugh


On 16 Jul 2007, at 23:01, Francisco Rodrigo Cortinas Maseda wrote:

> Hello,
>
> We are having problems with the auth by the LDAP module; we are  
> seeing "Bad Password" all the time, we have checked that the LDAP  
> server is working fine.
>
> We have installed the RPM version of Radiator, we have used the  
> package Radiator-3.17.1-1.noarch.rpm.
>
> From here we are having this problem:
>
> 1º We have configured the authby clause to connect to the LDAP  
> repository; the clause:
>
> <AuthBy GROUP>
>         Identifier      ldap_i2p
>         AuthByPolicy    ContinueWhileIgnore
>         <AuthBy LDAP2>
>                 Host            10.0.27.60
>                 Port            389
>                 AuthDN          cn=i2p_ldap_write_root, dc=jazzlab, dc=com
>                 AuthPassword    i2p_ldap_write_pwd
>                 BaseDN          dc=jazzlab, dc=com
>                 UsernameAttr    login
>                 PasswordAttr    password
>                 AuthAttrDef     sh-srv-profile,Shasta-Service-Profile,reply
>                 NoDefault
>                 NoDefaultIfFound
>                 HoldServerConnection
>                 FailureBackoffTime      30
>                 Version         3
>                 Debug 255
>         </AuthBy>
>         <AuthBy LDAP2>
>                 Host            10.0.27.61
>                 Port            389
>                 AuthDN          cn=i2p_ldap_write_root, dc=jazzlab, dc=com
>                 AuthPassword    i2p_ldap_write_pwd
>                 BaseDN          dc=jazzlab, dc=com
>                 UsernameAttr    login
>                 PasswordAttr    password
>                 AuthAttrDef     sh-srv-profile,Shasta-Service-Profile,reply
>                 NoDefault
>                 NoDefaultIfFound
>                 HoldServerConnection
>                 FailureBackoffTime      30
>                 Version         3
>         </AuthBy>
> </AuthBy>
>
> 2º We launch a test with this command:
>
> radpwtst -trace 4 -s 10.0.23.126 -secret radius-2G-local -user teldat2@adsl2g.cli1vpn01@i2p -password teldat2 -auth_port 1812 -noacct -nas_ip_address 10.252.32.42
>
> 3º We see this on the Trace 4 log archive:
>
> *** Received from 10.0.23.126 port 32807 ....
> Code:       Access-Request
> Identifier: 253
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "teldat2@adsl2g.cli1vpn01@i2p"
>         Service-Type = Framed-User
>         NAS-IP-Address = 10.252.32.42
>         NAS-Identifier = "203.63.154.1"
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password = <140>_<8><130><162><174><20>HU<24>C. <137><169><132>
>
> Mon Jul 16 14:38:13 2007 705184: DEBUG: Handling request with Handler 'Realm=/^adsl2g\.[a-z][a-z][a-z]\wvpn\d\d/i, User-Realm=/i2p$/i'
> Mon Jul 16 14:38:13 2007 705624: DEBUG: Rewrote user name to teldat2@adsl2g.cli1vpn01
> Mon Jul 16 14:38:13 2007 705993: DEBUG:  Deleting session for teldat2@adsl2g.cli1vpn01@i2p, 10.252.32.42, 1234
> Mon Jul 16 14:38:13 2007 706239: DEBUG: Handling with Radius::AuthGROUP: ldap_i2p
> Mon Jul 16 14:38:13 2007 706498: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Jul 16 14:38:13 2007 706834: INFO: Connecting to 10.0.27.60:389
> Mon Jul 16 14:38:13 2007 711031: INFO: Attempting to bind to LDAP server 10.0.27.60:389
> Mon Jul 16 14:38:13 2007 892214: DEBUG: LDAP got result for login=teldat2@adsl2g.cli1vpn01,realmId=adsl2g,o=cli1vpn01,dc=jazzlab,dc=com
> Mon Jul 16 14:38:13 2007 892538: DEBUG: LDAP got password: teldat2
> Mon Jul 16 14:38:13 2007 892765: DEBUG: LDAP got sh-srv-profile: Modalidad-2G-2M/640
> Mon Jul 16 14:38:13 2007 893058: DEBUG: Radius::AuthLDAP2 looks for match with teldat2@adsl2g.cli1vpn01 [teldat2@adsl2g.cli1vpn01@i2p]
> Mon Jul 16 14:38:13 2007 893814: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: teldat2@adsl2g.cli1vpn01 [teldat2@adsl2g.cli1vpn01@i2p]
> Mon Jul 16 14:38:13 2007 894065: DEBUG: AuthBy GROUP result: REJECT, Bad Password
> Mon Jul 16 14:38:13 2007 894414: INFO: Access rejected for teldat2@adsl2g.cli1vpn01: Bad Password
> Mon Jul 16 14:38:13 2007 895562: DEBUG: Packet dump:
> *** Sending to 10.0.23.126 port 32807 ....
> Code:       Access-Reject
> Identifier: 253
> Authentic:  1234567890123456
> Attributes:
>         Tunnel-Server-Endpoint = 1:XXX.XXX.XXX.XXX
>         Reply-Message = "Request Denied"
>         Tunnel-Type = 1:L2TP
>         Tunnel-Client-Auth-ID = 1:I2PADSL2G
>         Tunnel-Server-Auth-ID = 1:LNS-I2PADSL2G
>         Tunnel-Password = "<1><184>0<19><198>"pE<168><19><230><154><165><247>Ek<255><177><11>"
>
> [root at RAD0MA11 radiator]#
>
> 4º On the password file we are seeing this:
>
> Mon Jul 16 14:18:49 2007:1184588329:fprc1868:`ÒX{Y¶ˆé  
> JŽøôÑ:acc05006:FAIL
>
>
> Can anybody imagine what is happening?
>
> Thanks to all.
>
> *********
> This message is private and CONFIDENTIAL and it is intended  
> exclusively for its addressee. If you receive this message in  
> error, you should not disclose, copy, distribute this e-mail or use  
> it in any other way. Please inform the sender and delete the  
> message and attachments from your system.Internet e-mail neither  
> guarantees the confidentiality nor the integrity or proper receipt  
> of the messages sent. JAZZTEL does not assume any liability for  
> those circumstances. If the addressee of this message does not  
> consent to the use of Internet e-mail and message recording, please  
> notify us immediately.Any views or opinions contained in this  
> message are solely those of the author, and do not necessarily  
> represent those of JAZZTEL, unless otherwise specifically stated  
> and the sender is authorised to do so.
> *********
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
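As an added illustration of the shared-secret point above (example code written for this page, not Radiator's or radpwtst's own), the following Python implements the User-Password hiding from RFC 2865 section 5.2 and runs it twice: once with the server using the same secret that the radpwtst command in the post supplies (radius-2G-local, together with radpwtst's fixed request authenticator 1234567890123456 that appears in the trace), and once with an assumed, hypothetical different server secret standing in for whatever the Client clause actually holds. The second run shows why a mismatch is reported as "Bad Password" and nothing else: the server recovers a garbage byte string instead of "teldat2", compares it with the cleartext value LDAP returned, and rejects. The password "teldat2" is the one from the post; the function names are this example's own.

```python
"""Added example (not Radiator code): RFC 2865 section 5.2 User-Password hiding,
and why a shared-secret mismatch between the RADIUS client and the server's
Client clause surfaces as "Bad Password" rather than as a packet-level error."""
import hashlib
from typing import Tuple

# Values taken from the trace in the post: radpwtst's fixed request
# authenticator and the -secret passed on its command line.
REQUEST_AUTHENTICATOR = b"1234567890123456"
CLIENT_SECRET = b"radius-2G-local"
# Assumed, hypothetical: what the server's Client clause holds instead.
SERVER_SECRET = b"some-other-secret"
# Password from the post (also the cleartext value LDAP returned).
PASSWORD = b"teldat2"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: NUL-pad to a multiple of 16, then XOR each 16-byte block
    with MD5(secret + previous ciphertext block), seeded with the authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password plaintext must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the inverse. There is no integrity check in this scheme:
    a wrong secret does not raise, it silently yields the wrong bytes."""
    if len(hidden) == 0 or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("hidden User-Password must be 16..128 bytes, a multiple of 16")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")


def looks_like_text(data: bytes) -> bool:
    """True if every byte is printable ASCII. A mismatched secret typically
    yields control and high bytes, like the password-log line in the post."""
    return all(0x20 <= b < 0x7F for b in data)


def server_check(hidden: bytes, server_secret: bytes, authenticator: bytes,
                 stored_password: bytes) -> Tuple[bool, bytes]:
    """What an AuthBy with a cleartext PasswordAttr effectively does: recover
    the submitted password and compare it with the value fetched from LDAP."""
    submitted = reveal_password(hidden, server_secret, authenticator)
    return submitted == stored_password, submitted


def simulate(client_secret: bytes, server_secret: bytes) -> Tuple[bool, bytes]:
    """Hide PASSWORD with the client's secret, check it with the server's."""
    hidden = hide_password(PASSWORD, client_secret, REQUEST_AUTHENTICATOR)
    return server_check(hidden, server_secret, REQUEST_AUTHENTICATOR, PASSWORD)


if __name__ == "__main__":
    for label, srv in (("matching", CLIENT_SECRET), ("mismatched", SERVER_SECRET)):
        ok, seen = simulate(CLIENT_SECRET, srv)
        print(f"{label:10s} secret: ACCEPT={ok}, server recovered {seen!r}, "
              f"printable={looks_like_text(seen)}")
```

The garbled, non-printable entry in the password log quoted in the post is exactly what the mismatched run produces: the server logs the bytes it recovered, not the bytes the client typed. Plain RADIUS gives the server no way to tell a wrong secret from a wrong password, so the first thing to verify is that the -secret given to radpwtst equals the Secret in the Client clause that matches the address the request arrives from.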


