(RADIATOR) LDAP2 servercheckpassword

Barry Ard barry.ard at ualberta.ca
Tue Jun 17 16:01:49 CDT 2008


I am having problems getting eduroam working in our environment. We use 
radiator to successfully authenticate local users using PEAP and 
EAP-TTLS eap types. Our handlers authenticate against an ldap directory 
server that stores nthash passwords in the case of PEAP and bind to ldap 
in the case of TTLS. This works locally.

The TTLS handler looks like:

<AuthBy LDAP2>
    Identifier              LDAPAuthTTLS
    Host                    directory.srv.ualberta.ca
    BaseDN                  ou=people,dc=ualberta,dc=ca
    HoldServerConnection
    ServerChecksPassword
    UsernameMatchesWithoutRealm yes
    UseSSL
    SSLVerify               require
    SSLCAPath               /etc/ssl/certs

    EAPType                 TTLS
    EAPTLS_CAPath           /etc/ssl/certs
    EAPTLS_CertificateType  PEM
    EAPTLS_CertificateFile  /etc/ssl/public/%h.crt
    EAPTLS_PrivateKeyFile   /etc/ssl/private/%h.key
    EAPTLS_RandomFile       %D/random
    EAPTLS_MaxFragmentSize  1024
    EAPTTLS_NoAckRequired
    AutoMPPEKeys
</AuthBy>


Now that I am trying to get eduroam working, remote clients using TTLS 
give this error in the log:


Tue Jun 17 14:27:30 2008: DEBUG: EAP TTLS inner authentication request for XXXXXXXX at ualberta.ca
Tue Jun 17 14:27:30 2008: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, Realm=/ualberta\.ca/i'
Tue Jun 17 14:27:30 2008: DEBUG:  Deleting session for XXXXXXXX at ualberta.ca, 136.159.77.203,
Tue Jun 17 14:27:30 2008: DEBUG: Handling with Radius::AuthLDAP2: LDAPAuthTTLS
Tue Jun 17 14:27:30 2008: INFO: Connecting to directory.srv.ualberta.ca:636
Tue Jun 17 14:27:30 2008: INFO: Attempting to bind to LDAP server directory.srv.ualberta.ca:636
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got result for uid=XXXXXXXX,ou=people,dc=ualberta,dc=ca
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got cn: XXXXXXXX
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got gidNumber: 99
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got givenName: XXXXXXXX
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got homeDirectory: /afs/ualberta.ca/home/a/p/XXXXXXXX
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got mail: XXXXXXXX at ualberta.ca
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got sn: XXXXXXXX
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got uid: XXXXXXXX
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got uidNumber: 33657
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got displayName: XXXXXXXX
Tue Jun 17 14:27:30 2008: DEBUG: Radius::AuthLDAP2 looks for match with XXXXXXXX [XXXXXXXX at ualberta.ca]
Tue Jun 17 14:27:30 2008: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: XXXXXXXX [XXXXXXXX at ualberta.ca]
Tue Jun 17 14:27:30 2008: DEBUG: No entries for DEFAULT found in LDAP database
Tue Jun 17 14:27:30 2008: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
Tue Jun 17 14:27:30 2008: INFO: Access rejected for XXXXXXXX at ualberta.ca: Bad Encrypted password

I should note that PEAP isn't working at this point either, but I 
thought if a handler specifies 'ServerCheckPassword' and the log shows a 
successful bind then authentication is successful. What's up with:
Radius::AuthLDAP2 looks for match with XXXXXXXX [XXXXXXXX at ualberta.ca]
Radius::AuthLDAP2 REJECT: Bad Encrypted password: XXXXXXXX [XXXXXXXX at ualberta.ca]

-- 
=================================================================
Barry Ard                                   barry.ard at ualberta.ca
Network Operations
Academic Information and Communication Technologies (AICT)
University of Alberta
Edmonton, Alberta   Canada
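
As an added illustration (not part of Barry's post, and not Radiator's own code): a small Python triage script that groups Radiator debug lines like the ones above into per-request records and reports at which step each request was rejected, so that a "Bad Encrypted password" reject after a successful directory lookup can be told apart from a bind or lookup failure when working through a large log. The sample lines are constructed from the excerpt in the post (usernames replaced with placeholders, the archive's " at " restored to "@"); the second and third requests, and their "No such user" and "Access accepted" wording, are assumed for the sake of the example and not taken from a real log.

```python
"""Group Radiator AuthBy LDAP2 debug output into per-request records and
classify how far each inner authentication got before accept/reject."""
import re

# Constructed sample modelled on the post's excerpt. Placeholders stand in
# for real usernames; requests 2 and 3 are invented to show other outcomes.
SAMPLE_LOG = """\
Tue Jun 17 14:27:30 2008: DEBUG: EAP TTLS inner authentication request for user1@ualberta.ca
Tue Jun 17 14:27:30 2008: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, Realm=/ualberta\\.ca/i'
Tue Jun 17 14:27:30 2008: DEBUG: Handling with Radius::AuthLDAP2: LDAPAuthTTLS
Tue Jun 17 14:27:30 2008: INFO: Connecting to directory.srv.ualberta.ca:636
Tue Jun 17 14:27:30 2008: INFO: Attempting to bind to LDAP server directory.srv.ualberta.ca:636
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got result for uid=user1,ou=people,dc=ualberta,dc=ca
Tue Jun 17 14:27:30 2008: DEBUG: Radius::AuthLDAP2 looks for match with user1 [user1@ualberta.ca]
Tue Jun 17 14:27:30 2008: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: user1 [user1@ualberta.ca]
Tue Jun 17 14:27:30 2008: DEBUG: No entries for DEFAULT found in LDAP database
Tue Jun 17 14:27:30 2008: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
Tue Jun 17 14:27:30 2008: INFO: Access rejected for user1@ualberta.ca: Bad Encrypted password
Tue Jun 17 14:28:02 2008: DEBUG: EAP TTLS inner authentication request for user2@ualberta.ca
Tue Jun 17 14:28:02 2008: DEBUG: Handling with Radius::AuthLDAP2: LDAPAuthTTLS
Tue Jun 17 14:28:02 2008: INFO: Attempting to bind to LDAP server directory.srv.ualberta.ca:636
Tue Jun 17 14:28:02 2008: DEBUG: No entries for user2 found in LDAP database
Tue Jun 17 14:28:02 2008: DEBUG: AuthBy LDAP2 result: REJECT, No such user
Tue Jun 17 14:28:02 2008: INFO: Access rejected for user2@ualberta.ca: No such user
Tue Jun 17 14:28:40 2008: DEBUG: EAP TTLS inner authentication request for user3@ualberta.ca
Tue Jun 17 14:28:40 2008: DEBUG: Handling with Radius::AuthLDAP2: LDAPAuthTTLS
Tue Jun 17 14:28:40 2008: INFO: Attempting to bind to LDAP server directory.srv.ualberta.ca:636
Tue Jun 17 14:28:40 2008: DEBUG: LDAP got result for uid=user3,ou=people,dc=ualberta,dc=ca
Tue Jun 17 14:28:40 2008: DEBUG: AuthBy LDAP2 result: ACCEPT
Tue Jun 17 14:28:40 2008: INFO: Access accepted for user3@ualberta.ca
"""

# Radiator log line: "<timestamp>: <LEVEL>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$")
START_RE = re.compile(r"EAP (\S+) inner authentication request for (\S+)")
HANDLER_RE = re.compile(r"Handling request with Handler '(.*)'")
AUTHBY_RE = re.compile(r"Handling with (Radius::\w+): (\S+)")
DN_RE = re.compile(r"LDAP got result for (.+)")
RESULT_RE = re.compile(r"AuthBy \S+ result: (\w+)(?:, (.*))?$")
OUTCOME_RE = re.compile(r"Access (accepted|rejected) for (\S+?)(?:: (.*))?$")


def new_record(ts, eap, user):
    return {"ts": ts, "eap": eap, "user": user, "handler": None, "authby": None,
            "bind_attempted": False, "dn": None, "result": None, "reason": None,
            "outcome": None}


def parse_requests(log_text):
    """Split the log into one record per inner authentication request."""
    records, cur = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a Radiator log line
        msg = m["msg"].strip()
        if s := START_RE.match(msg):      # a new inner request begins
            cur = new_record(m["ts"], s[1], s[2])
            records.append(cur)
            continue
        if cur is None:
            continue                      # lines before the first request
        if h := HANDLER_RE.match(msg):
            cur["handler"] = h[1]
        elif a := AUTHBY_RE.match(msg):
            cur["authby"] = a[2]
        elif msg.startswith("Attempting to bind to LDAP server"):
            cur["bind_attempted"] = True
        elif d := DN_RE.match(msg):
            cur["dn"] = d[1]              # the directory returned an entry
        elif r := RESULT_RE.match(msg):
            cur["result"], cur["reason"] = r[1], r[2]
        elif o := OUTCOME_RE.match(msg):
            cur["outcome"] = o[1]
    return records


def classify(rec):
    """Say at which step the request stopped, judged only from what was logged."""
    if rec["outcome"] is None:
        return "no final outcome logged (truncated request?)"
    if rec["outcome"] == "accepted":
        return "accepted"
    if not rec["bind_attempted"]:
        return "rejected before any LDAP bind was attempted"
    if rec["dn"] is None:
        return "bind attempted, but no directory entry was returned for the user"
    return f"entry {rec['dn']} fetched; rejected by the password check: {rec['reason']}"


def summarize(log_text):
    return [(r["user"], classify(r)) for r in parse_requests(log_text)]


if __name__ == "__main__":
    for user, verdict in summarize(SAMPLE_LOG):
        print(f"{user}: {verdict}")
```

Run against the real log, the first verdict is the interesting one: the connect, bind and lookup steps all succeeded and the entry came back, so the reject came from the password check that follows the lookup rather than from the bind itself.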
