Authenticate SSH user in a H3C Switch using FreeRadius + OpenLDAP


Authenticate SSH user in a H3C Switch using FreeRadius + OpenLDAP

Leandro Marçal
I have a problem that I am not able to fix. I am trying to authenticate an
SSH user on an H3C switch. This switch is configured to authenticate the
user against a RADIUS server which is using OpenLDAP to store the user's name and
password. Every time I try to authenticate, I see a message in
radius.log saying "[eap] No EAP-Message, not doing EAP". I tried to
use PAP, but I got "[pap] WARNING! No "known good" password found for the
user.  Authentication may fail because of this." Don't know what to do
anymore. I don't know how to (and if I have to) force the switch to use EAP
packets.



rad_recv: Access-Request packet from host *nasipaddress *port 1758, id=67,
length=237
        User-Name = "*username*"
        User-Password = "*userpassword*"
        NAS-IP-Address = *nasipaddress*
        NAS-Identifier = "SwitchTeste"
        NAS-Port = 0
        NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=0"
        NAS-Port-Type = Virtual
        Service-Type = Login-User
        Login-IP-Host = login-ip-host
        Calling-Station-Id = "00-00-00-00-00-00"
        Acct-Session-Id = "1170409171244010"
        Framed-IP-Address = *framed-ip-address*
        Huawei-Connect-ID = 290817
        Huawei-Product-ID = "H3C S5500-28C-PWR-EI"
        Huawei-IPHost-Addr = "*X.X.X.X 00:00:00:00:00:00*"
        Huawei-Startup-Stamp = 956750420
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+group authorize {
++[preprocess] = ok
++[mschap] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] = noop
[ldap] performing user authorization for *username*
[ldap]  expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=*username*)
[ldap]  expand: dc=*x*,dc=*x*,dc=*x* -> dc=*x*,dc=*x*,dc=*x*
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=*x*,dc=*x*,dc=*x*, with filter (uid=
*username*)
[ldap] looking for check items in directory...
  [ldap] sambaNtPassword -> NT-Password == 0x3141363239333542344541464539
453736383232383241463838393445364439
  [ldap] sambaLmPassword -> LM-Password == 0x3230433630443539444246304241
383345363841413236413834314138364641
[ldap] looking for reply items in directory...
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
+} # group authorize = ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> *username*
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 67 to *framed-ip-address* port 1758

PS: I had to put the names in bold so that I don't expose the client's
information.


Below is the output of radiusd -X:

[root@radius ~]# radiusd -X
radiusd: FreeRADIUS Version 2.2.9, for host x86_64-unknown-linux-gnu, built
on Feb  7 2017 at 15:49:06
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file
/usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
        user = "radiusd"
        group = "radiusd"
        allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "/var/log/radius/"
        run_dir = "/var/run/radiusd"
        libdir = "/usr/lib/freeradius"
        radacctdir = "/var/log/radius//radacct"
        hostname_lookups = yes
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = "/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 2
        proxy_requests = no
 log {
        stripped_names = yes
        auth = no
        auth_badpass = yes
        auth_goodpass = yes
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
        allow_vulnerable_openssl = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "*xxx*"
        nastype = "other"
 }
 client *IP1 *{
        require_message_authenticator = no
        secret = "*xxx*"
        shortname = "*yyy*"
 }
 client *IP2 *{
        require_message_authenticator = no
        secret = "*xxx*"
        shortname = "*yyy*"
 }
 client * IP3 *{
        require_message_authenticator = no
        secret = "*xxx*"
        shortname = "*yyy*"
        nastype = "other"
 }
 client  *IP4 *{
        require_message_authenticator = no
        secret = "*xxx*"
        shortname = "*yyy*"
        nastype = "other"
 }
 client *IP5* {
        require_message_authenticator = no
        secret = "*xxx*"
        shortname = "*yyy*"
        nastype = "other"
 }
 client *IP6* {
        require_message_authenticator = no
        secret = "xxx"
        shortname = "*yyy*"
        nastype = "other"
 }
 client *IP7* {
        require_message_authenticator = no
        secret = "xxx"
        shortname = "*yyy*"
        nastype = "other"
 }
 client *IP8* {
        require_message_authenticator = no
        secret = "*xxx*"
 }
 client *IP9* {
        require_message_authenticator = no
        secret = "*xxx*"
        shortname = "SwitchTeste"
        nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file
/usr/local/etc/raddb/modules/exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file
/usr/local/etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file
/usr/local/etc/raddb/modules/expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file
/usr/local/etc/raddb/modules/logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file
/usr/local/etc/raddb/modules/mschap
  mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        allow_retry = yes
  }
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file
/usr/local/etc/raddb/radiusd.conf
  pap {
        encryption_scheme = "clear"
        auto_header = no
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
  eap {
        default_eap_type = "peap"
        timer_expire = 120
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs/server_key.pem"
        certificate_file = "/etc/raddb/certs/server_cert.pem"
        CA_file = "/etc/raddb/certs/cacert.pem"
        private_key_password = "oservidorquerentrar"
        dh_file = "/etc/raddb/certs/dh"
        random_file = "/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = no
        check_crl = no
        check_all_crl = no
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"
    cache {
        enable = yes
        lifetime = 12
        max_entries = 0
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = yes
        soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
        send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file
/usr/local/etc/raddb/modules/preprocess
  preprocess {
        huntgroups = "/usr/local/etc/raddb/huntgroups"
        hints = "/usr/local/etc/raddb/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
reading pairlist file /usr/local/etc/raddb/huntgroups
reading pairlist file /usr/local/etc/raddb/hints
 Module: Linked to module rlm_ldap
 Module: Instantiating module "ldap" from file
/usr/local/etc/raddb/modules/ldap
  ldap {
        server = "*xxx*"
        port = 389
        password = "*xxx*"
        expect_password = yes
        identity = "cn=Manager,dc=*xxx*,dc=*xxx*,dc=*xxx*"
        net_timeout = 1
        timeout = 4
        timelimit = 3
        max_uses = 0
        tls_mode = no
        start_tls = no
        tls_require_cert = "allow"
   tls {
        start_tls = no
        require_cert = "never"
   }
        basedn = "dc=*xxx*,dc=*xxx*,dc=*xxx*"
        filter = "(uid=%{mschap:User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        auto_header = no
        access_attr_used_for_allow = yes
        groupname_attribute = "cn"
        groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
        ldap_debug = 0
        ldap_connections_number = 5
        compare_check_items = no
        do_xlat = yes
        set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in
the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x1e83b40
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file
/usr/local/etc/raddb/modules/acct_unique
  acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
  }
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file
/usr/local/etc/raddb/modules/realm
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file
/usr/local/etc/raddb/modules/files
  files {
        usersfile = "/usr/local/etc/raddb/users"
        acctusersfile = "/usr/local/etc/raddb/acct_users"
        preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
        compat = "no"
  }
reading pairlist file /usr/local/etc/raddb/users
reading pairlist file /usr/local/etc/raddb/acct_users
reading pairlist file /usr/local/etc/raddb/preproxy_users
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file
/usr/local/etc/raddb/modules/detail
  detail {
        detailfile =
"/var/log/radius//radacct/%{Client-IP-Address}/detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
        escape_filenames = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file
/usr/local/etc/raddb/modules/unix
  unix {
        radwtmp = "/var/log/radius//radwtmp"
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file
/usr/local/etc/raddb/modules/radutmp
  radutmp {
        filename = "/var/log/radius//radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file
/usr/local/etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
        attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
        key = "%{User-Name}"
        relaxed = no
  }
reading pairlist file /usr/local/etc/raddb/attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
        attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
        key = "%{User-Name}"
        relaxed = no
  }
reading pairlist file /usr/local/etc/raddb/attrs.access_reject
 } # modules
} # server
server inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file
/usr/local/etc/raddb/radiusd.conf
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *xxx*
        port = 1812
}
listen {
        type = "acct"
        ipaddr = *xxx*
        port = 1813
}
listen {
        type = "control"
 listen {
        socket = "/var/run/radiusd/radiusd.sock"
        uid = "*XXX*"
        gid = "*XXX*"
        mode = "rw"
 }
}
Listening on authentication address *xxx* port 1812
Listening on accounting address *xxx* port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Ready to process requests.

Regards,
Leandro
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authenticate SSH user in a H3C Switch using FreeRadius + OpenLDAP

Alan DeKok-2
On May 10, 2017, at 10:07 AM, Leandro Marçal <[hidden email]> wrote:

>
> I have a problem that I am not able to fix. I am trying to authenticate an
> SSH user on an H3C switch. This switch is configured to authenticate the
> user against a RADIUS server which is using OpenLDAP to store the user's name and
> password. Every time I try to authenticate, I see a message in
> radius.log saying "[eap] No EAP-Message, not doing EAP". I tried to
> use PAP, but I got "[pap] WARNING! No "known good" password found for the
> user.  Authentication may fail because of this." Don't know what to do
> anymore. I don't know how to (and if I have to) force the switch to use EAP
> packets.

 You're using an old version of the server.  And you edited the default configuration and broke it.

  Don't do that.

> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
> ++[pap] = noop

  This message is important.

> [ldap] performing user authorization for *username*
> [ldap]  expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=*username*)
> [ldap]  expand: dc=*x*,dc=*x*,dc=*x* -> dc=*x*,dc=*x*,dc=*x*
>  [ldap] ldap_get_conn: Checking Id: 0
>  [ldap] ldap_get_conn: Got Id: 0
>  [ldap] performing search in dc=*x*,dc=*x*,dc=*x*, with filter (uid=
> *username*)
> [ldap] looking for check items in directory...
>  [ldap] sambaNtPassword -> NT-Password == 0x3141363239333542344541464539
> 453736383232383241463838393445364439
>  [ldap] sambaLmPassword -> LM-Password == 0x3230433630443539444246304241
> 383345363841413236413834314138364641
> [ldap] looking for reply items in directory...
>  [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok

  And now a password is available.

> +} # group authorize = ok
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
> the user

  Except the server doesn't know it needs to do PAP authentication, so it fails.

  Edit your configuration so that "pap" comes AFTER "ldap".  This is how the default configuration has it, because it works.

  Alan DeKok.


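The module ordering Alan describes, written out as an added illustration (this is not the poster's sites-enabled/default, nor a file from the FreeRADIUS project; only the sections touched by this thread are shown, and the module names are the ones that appear in the debug output above):

```unlang
# sites-enabled/default, FreeRADIUS 2.x style (added example, assumed layout).
#
# Broken order, as seen in the debug output ("++[pap] = noop" before "[ldap]"):
#   preprocess
#   mschap
#   eap
#   pap     <- runs first: no "known good" password yet, so it returns noop
#   ldap    <- adds NT-Password/LM-Password too late; nothing sets Auth-Type
#
# Result: "No authenticate method (Auth-Type) found for the request: Rejecting".

authorize {
    preprocess
    mschap

    # With no EAP-Message in the request (plain SSH login from the switch)
    # eap returns noop and processing simply continues.
    eap {
        ok = return
    }

    # ldap BEFORE pap: ldap reads sambaNtPassword / sambaLmPassword from the
    # directory and adds NT-Password / LM-Password as "known good" check items
    # for this request (exactly the "[ldap] sambaNtPassword -> NT-Password"
    # lines in the debug output).
    ldap

    # pap's authorize method sets Auth-Type := PAP only when a "known good"
    # password is already present AND the request carries User-Password.
    # The switch sends User-Password, ldap has just supplied NT-Password,
    # so this now succeeds.
    pap
}

authenticate {
    # Selected because pap (authorize) set Auth-Type = PAP.  rlm_pap compares
    # the clear-text User-Password against the NT-Password check item.
    Auth-Type PAP {
        pap
    }

    Auth-Type MS-CHAP {
        mschap
    }

    eap
}
```

After the change, re-run `radiusd -X` and repeat the switch login (or a `radtest` against the server): the authorize section should end with `Found Auth-Type = PAP` instead of the "No authenticate method" error, followed by the pap module's authentication output. Two caveats a practitioner should take from the posted output: first, the NT-Password value printed by `[ldap] sambaNtPassword -> NT-Password == 0x3141...` is the hex encoding of the user's real NT hash, which is password-equivalent for NTLM and crackable offline, so it should be redacted along with the hostnames when a debug log is shared; second, the `ldap` module in the posted config runs without `start_tls` or `tls_mode`, so those directory lookups (and the bind with the `cn=Manager` credentials) traverse the network in clear text on port 389.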