UCS LDAP and FreeRadius Disconnect


#1

Hello All,

I have had issues battling with authenticating users (wired and wireless) with the built-in FreeRADIUS. I configured my switch IP in /etc/freeradius/clients.conf, configured the ports in /etc/freeradius/radiusd.conf, and did the RADIUS configuration on the switch.

Whenever a client (supplicant) tries to authenticate, it fails. I get the below error:

rad_recv: Access-Request packet from host x.x.x.x port 1645, id=50, length=159
        User-Name = "MYDOMAIN\user"
        Service-Type = Framed-User
        Framed-MTU = 1800
        Called-Station-Id = "00-22-0C-6B-C4-8F"
        Calling-Station-Id = "5C-B9-01-FA-A1-2D"
        EAP-Message = 0x0203001b0149504e584e4947455249415c746261626174756e6465
        Message-Authenticator = 0x8fc0385285f264b2cb113d2cb8d5c36b
        NAS-Port-Type = Ethernet
        NAS-Port = 50015
        NAS-IP-Address = x.x.x.x
Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "MYDOMAIN" for User-Name = "MYDOMAIN\user"
[ntdomain] No such realm "MYDOMAIN"
++[ntdomain] returns noop
[eap] EAP packet type response id 3 length 27
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for MYDOMAIN\user
[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=user)
[ldap] expand: dc=mydomain,dc=net -> dc=mydomain,dc=net
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=mydomain,dc=net, with filter (uid=user)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaNTPassword -> NT-Password == 0x4544353333333630314532433030423244303338423134444643353735364438
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user MYDOMAIN\user authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 50 to x.x.x.x port 1645
        EAP-Message = 0x010400061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xaf5b2ec6af5f37020777d5704452926c
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 50 with timestamp +74
WARNING: !!!
WARNING: !! EAP session for state 0xaf5b2ec6af5f3702 did not finish!
WARNING: !! Please read wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!
Ready to process requests.
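The debug output above is easier to read once the EAP-Message attributes are decoded. The Access-Challenge carries 0x010400061920: EAP code 1 (Request), id 4, length 6, type 0x19 = 25 (PEAP), flags byte 0x20 = Start. The server has opened a PEAP/TLS tunnel and is waiting for the supplicant's ClientHello; the "EAP session ... did not finish" warning fires because that reply never arrives, so the TLS handshake never begins. The script below is an added example (not part of the post or of UCS/FreeRADIUS) that pulls every EAP-Message out of a radiusd -X log, decodes the RFC 3748 header, type and TLS flag byte, and reports where the conversation stalled. The sample log is constructed: it re-uses the Access-Challenge line from the post but replaces the Identity response with a made-up one for "MYDOMAIN\user" so that no real account name is decoded.

```python
import re

# Added example: decode the EAP-Message attributes from a radiusd -X log and
# say where the EAP conversation stopped. Not part of the forum post.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_METHODS = {13, 21, 25}          # methods that carry the L/M/S flag byte
EAP_MSG_RE = re.compile(r"EAP-Message\s*=\s*0x([0-9a-fA-F]+)")


def decode_eap(raw: bytes) -> dict:
    """Decode one EAP packet: RFC 3748 header, then type and method data."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field says {length}, attribute holds {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, f"code-{code}"), "id": ident, "type": None}
    if code in (1, 2) and length >= 5:          # Request/Response carry a type byte
        eap_type = raw[4]
        data = raw[5:]
        pkt["type"] = EAP_TYPES.get(eap_type, f"type-{eap_type}")
        if eap_type == 1:
            pkt["identity"] = data.decode("utf-8", "replace")
        elif eap_type in TLS_METHODS and data:
            flags = data[0]
            pkt["flags"] = {"L": bool(flags & 0x80),   # total TLS length included
                            "M": bool(flags & 0x40),   # more fragments follow
                            "S": bool(flags & 0x20)}   # start of the TLS conversation
            # With L set, a 4-byte total TLS length precedes the TLS record bytes.
            pkt["tls_bytes"] = len(data) - 1 - (4 if flags & 0x80 else 0)
    return pkt


def extract_eap_messages(log_text: str) -> list:
    """Pull every 'EAP-Message = 0x...' line out of the debug log, in order."""
    return [decode_eap(bytes.fromhex(h)) for h in EAP_MSG_RE.findall(log_text)]


def diagnose(log_text: str) -> dict:
    """Summarise the conversation and say why it did not finish, if it did not."""
    msgs = extract_eap_messages(log_text)
    identity = next((m["identity"] for m in msgs if m.get("identity") is not None), None)
    if not msgs:
        verdict = "no EAP-Message attributes found"
    else:
        last = msgs[-1]
        if last["code"] in ("Success", "Failure"):
            verdict = f"completed: EAP-{last['code']} (id {last['id']})"
        elif last["code"] == "Request" and last.get("flags", {}).get("S"):
            verdict = (f"stalled: server sent {last['type']} Start (id {last['id']}) "
                       "and the supplicant never replied")
        else:
            verdict = f"stalled after {last['code']}/{last['type']} (id {last['id']})"
    return {"identity": identity, "messages": len(msgs), "verdict": verdict}


# Constructed sample: the Access-Challenge EAP-Message is the one from the post;
# the Identity response is made up ("MYDOMAIN\user") so no real name is decoded.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host x.x.x.x port 1645, id=50, length=159
        User-Name = "MYDOMAIN\\user"
        EAP-Message = 0x02030012014d59444f4d41494e5c75736572
Sending Access-Challenge of id 50 to x.x.x.x port 1645
        EAP-Message = 0x010400061920
        State = 0xaf5b2ec6af5f37020777d5704452926c
WARNING: !! EAP session for state 0xaf5b2ec6af5f3702 did not finish!
"""

if __name__ == "__main__":
    for m in extract_eap_messages(SAMPLE_LOG):
        print(m)
    print(diagnose(SAMPLE_LOG))
```

Run it against a real radiusd -X capture and look at the last decoded message. A conversation that ends on a server Request with the S flag set, as here, never reached the TLS handshake, so the LDAP lookup and the NT-Password check item play no part yet; the things to check first are which EAP method the supplicant is configured for (the server offered PEAP) and whether the client trusts the server certificate, which is what the Certificate_Compatibility wiki page referenced in the warning covers. A conversation that stalls later, with M-flagged fragments exchanged, points at the TLS handshake itself instead.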


#2

Hi,

Have you already verified your settings with the information provided in RADIUS?

There is also a mention of the CLI tool univention-radius-check-access, which might help.

Best Regards,
Dirk Ahrnke