Serom, posted 16 May 2008

Hi all,

I'm trying to set up automatic assignment of switch ports to the right VLAN, based on authentication against the RADIUS server. For this I have a server running freeradius, an LDAP directory and an HP ProCurve 2650 switch.

I authenticate users with EAP-TTLS-PAP, and the RADIUS server queries the LDAP directory to check that the user exists and that the password matches.

So authentication works correctly; however, the port is not assigned to the VLAN returned by RADIUS.

Here is the users file:

DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-Id = "2"

DEFAULT Ldap-Group == "enabled", Auth-Type := LDAP
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-Id = "3"

Here is my switch config (show running-config). For now I'm only testing on port 47:

Running configuration:

; J4899B Configuration Editor; Created on release #H.10.50

hostname "ProCurve Switch 2650"
interface 47
   no lacp
exit
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-50
   ip address 10.1.1.1 255.255.0.0
   exit
vlan 2
   name "hell"
   ip address 10.2.1.1 255.255.0.0
   exit
vlan 3
   name "paradise"
   ip address 10.3.1.1 255.255.0.0
   exit
aaa authentication port-access eap-radius
radius-server key testing123
radius-server host 10.1.1.13
aaa port-access authenticator 47
aaa port-access authenticator 47 unauth-vid 2
aaa port-access authenticator active
aaa port-access 47
password manager

And here are the freeradius logs:

Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.1 port 1024, id=71, length=218
        Framed-MTU = 1480
        NAS-IP-Address = 10.1.1.1
        NAS-Identifier = "ProCurve Switch 2650"
        User-Name = "anonymous"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 47
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "47"
        Called-Station-Id = "00-1c-2e-71-df-00"
        Calling-Station-Id = "00-15-b7-d5-70-e9"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        EAP-Message = 0x0201000e01616e6f6e796d6f7573
        Message-Authenticator = 0xc1372f49cdc099ae6c441951af51b4fd
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: Entering ldap_groupcmp()
        expand: o=radius -> o=radius
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(rADIUSActiveConnections=1)) -> (&(uid=anonymous)(rADIUSActiveConnections=1))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.1.1.13:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: bind as cn=admin,o=radius/admin to 10.1.1.13:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=radius, with filter (&(uid=anonymous)(rADIUSActiveConnections=1))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
        expand: o=radius -> o=radius
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(rADIUSActiveConnections=1)) -> (&(uid=anonymous)(rADIUSActiveConnections=1))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=radius, with filter (&(uid=anonymous)(rADIUSActiveConnections=1))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(rADIUSActiveConnections=1)) -> (&(uid=anonymous)(rADIUSActiveConnections=1))
        expand: o=radius -> o=radius
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=radius, with filter (&(uid=anonymous)(rADIUSActiveConnections=1))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 71 to 10.1.1.1 port 1024
        EAP-Message = 0x010200061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x459fffbc459dea57ef3ee1d36baff220
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 1024, id=72, length=282
        Framed-MTU = 1480
        NAS-IP-Address = 10.1.1.1
        NAS-Identifier = "ProCurve Switch 2650"
        User-Name = "anonymous"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 47
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "47"
        Called-Station-Id = "00-1c-2e-71-df-00"
        Calling-Station-Id = "00-15-b7-d5-70-e9"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        State = 0x459fffbc459dea57ef3ee1d36baff220
        EAP-Message = 0x0202003c158000000032160301002d0100002903010e389564e36284344f0e3dbff6b041f73b5a0c03ff095ced901abac9d1d91f7f000002000a0100
        Message-Authenticator = 0x598999f53f1a317370ec578741af498b
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 60
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 50
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 070a], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 72 to 10.1.1.1 port 1024
        EAP-Message = [...]
        EAP-Message = 0x06035504031414436f6e7365696c2047c3a96ec3a972616c2043413126302406092a864886f70d0109011617726f6d61696e2e736572726540686f746d61696c2e6672301e170d3038303430313039303234355a170d3038303530313039303234355a3081ad310b3009060355040613024652310f300d060355040813064672616e63653119301706035504071310436c65726d6f6e742d46657272616e64311a3018060355040a1411436f6e7365696c2047c3a96ec3a972616c311d301b060355040b1414436f6e7365696c2047c3a96ec3a972616c204341310f300d060355040313067261646975733126302406092a864886f70d010901161772
        EAP-Message = [...]
        EAP-Message = [...]
        EAP-Message = 0x7365696c2047c3a96ec3a972
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x459fffbc449cea57ef3ee1d36baff220
Finished request 1.
Going to the next request
Waking up in 0.7 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 1024, id=73, length=228
        Framed-MTU = 1480
        NAS-IP-Address = 10.1.1.1
        NAS-Identifier = "ProCurve Switch 2650"
        User-Name = "anonymous"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 47
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "47"
        Called-Station-Id = "00-1c-2e-71-df-00"
        Calling-Station-Id = "00-15-b7-d5-70-e9"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        State = 0x459fffbc449cea57ef3ee1d36baff220
        EAP-Message = 0x020300061500
        Message-Authenticator = 0x2bb18705e716f10224bf2afc02432611
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 73 to 10.1.1.1 port 1024
        EAP-Message = 0x0104037b158000000767616c2043413126302406092a864886f70d0109011617726f6d61696e2e736572726540686f746d61696c2e6672301e170d3038303430313038353930355a170d3038303530313038353930355a3081bb310b3009060355040613024652310f300d060355040813064672616e63653119301706035504071310436c65726d6f6e742d46657272616e64311a3018060355040a1411436f6e7365696c2047c3a96ec3a972616c311d301b060355040b1414436f6e7365696c2047c3a96ec3a972616c204341311d301b06035504031414436f6e7365696c2047c3a96ec3a972616c2043413126302406092a864886f70d01090116
        EAP-Message = 0x17726f6d61696e2e736572726540686f746d61696c2e667230819f300d06092a864886f70d010101050003818d0030818902818100cd03239a9e832f29417830c13b63c50c42695a2617b39ff2668e694f8988a847ec286f077ae1cc995efb3620844c3366b0a3e3367dce018e856d90e3a17ef13f54a5f105cea0751a6cc3a434987cebfd7802819a809b734e36842678a5ab7535b90ecbec14ca4cb58851ffce6d73e33dcf8193ec2f438ff4be7f68a4739ecb5b0203010001a382012430820120301d0603551d0e04160414c19438472de2930f7fc09fe4ebb2853f02e360773081f00603551d230481e83081e58014c19438472de2930f7fc09fe4
        EAP-Message = 0xebb2853f02e36077a181c1a481be3081bb310b3009060355040613024652310f300d060355040813064672616e63653119301706035504071310436c65726d6f6e742d46657272616e64311a3018060355040a1411436f6e7365696c2047c3a96ec3a972616c311d301b060355040b1414436f6e7365696c2047c3a96ec3a972616c204341311d301b06035504031414436f6e7365696c2047c3a96ec3a972616c2043413126302406092a864886f70d0109011617726f6d61696e2e736572726540686f746d61696c2e6672820900889e72399fd01d37300c0603551d13040530030101ff300d06092a864886f70d0101050500038181007e28596197
        EAP-Message = 0x2619569a05b2d29ff40a5d261d5b36d848b0ede2fdfea3299a7905f19611f1fc04ae1dccdcae1645367886bb37d4a8755d48b6cdb561566ee4eec728443b0b07b4c3b5e0aac847cda2cc797f87555d2619c41b6fda04ff0431a3f7f65483f385fe4dee92c28341cb2d2f9fa54183fd05f7f4f6ab69e088b642fbd716030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x459fffbc479bea57ef3ee1d36baff220
Finished request 2.
Going to the next request
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 1024, id=74, length=422
        Framed-MTU = 1480
        NAS-IP-Address = 10.1.1.1
        NAS-Identifier = "ProCurve Switch 2650"
        User-Name = "anonymous"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 47
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "47"
        Called-Station-Id = "00-1c-2e-71-df-00"
        Calling-Station-Id = "00-15-b7-d5-70-e9"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        State = 0x459fffbc479bea57ef3ee1d36baff220
        EAP-Message = 0x020400c81580000000be16030100861000008200802f553566c96627c56a91b7d5f4735a27be05d23dc730115303fe40f306fc39d95a464cb509d418285fd295adc1976e470fdcc176dbee8a7679a8be101e12cd08d1a513551b8c1eec593a4445383eee15566a416ce822b2ca0c540b52f1dcb48072adf86cdc4a45f8ba2312eb698790c79ecf977db4ccf31637d8f192dcbc67e014030100010116030100285afe06cbf077852d5551f8adeeba137f8a0addcf5824677d23a0a2cb7adc9cdbdb902bfddfed61dc
        Message-Authenticator = 0x95c319c6d60ba08e4d365fa5adafd215
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 4 length 200
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 190
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 74 to 10.1.1.1 port 1024
        EAP-Message = 0x0105003d15800000003314030100010116030100287660db6c456dc5ff06de3b56abdd29e5c1ac27a3e3451405ccb87f46f135fe98f30478f61a19cd98
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x459fffbc469aea57ef3ee1d36baff220
Finished request 3.
Going to the next request
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 1024, id=75, length=293
        Framed-MTU = 1480
        NAS-IP-Address = 10.1.1.1
        NAS-Identifier = "ProCurve Switch 2650"
        User-Name = "anonymous"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 47
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "47"
        Called-Station-Id = "00-1c-2e-71-df-00"
        Calling-Station-Id = "00-15-b7-d5-70-e9"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        State = 0x459fffbc469aea57ef3ee1d36baff220
        EAP-Message = 0x0205004715800000003d1703010038628fbe3f2c20cb9d62907cb875b79406e3e77c35c1b77536203b291707bd857de5c3b75446256e926403819f4dc0a9fcdc08bbb90d867a44
        Message-Authenticator = 0xe490089131b27d2eccdab7c194f602a4
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 5 length 71
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 61
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = "fufu"
        User-Password = "admin"
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = "fufu"
        User-Password = "admin"
        FreeRADIUS-Proxied-To = 127.0.0.1
server (null) {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "fufu", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
        expand: o=radius -> o=radius
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(rADIUSActiveConnections=1)) -> (&(uid=fufu)(rADIUSActiveConnections=1))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=radius, with filter (&(uid=fufu)(rADIUSActiveConnections=1))
rlm_ldap: ldap_release_conn: Release Id: 0
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(rADIUSActiveConnections=1)) -> (&(uid=fufu)(rADIUSActiveConnections=1))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=radius, with filter (&(businessCategory=disabled)(&(uid=fufu)(rADIUSActiveConnections=1)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=fufu,o=radius, with filter (objectclass=*)
rlm_ldap::groupcmp: Group disabled not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
        expand: o=radius -> o=radius
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(rADIUSActiveConnections=1)) -> (&(uid=fufu)(rADIUSActiveConnections=1))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=radius, with filter (&(businessCategory=enabled)(&(uid=fufu)(rADIUSActiveConnections=1)))
rlm_ldap::ldap_groupcmp: User found in group enabled
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 9
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for fufu
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
        expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(rADIUSActiveConnections=1)) -> (&(uid=fufu)(rADIUSActiveConnections=1))
        expand: o=radius -> o=radius
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=radius, with filter (&(uid=fufu)(rADIUSActiveConnections=1))
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user fufu authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by "fufu" with password "admin"
rlm_ldap: user DN: cn=fufu,o=radius
rlm_ldap: (re)connect to 10.1.1.13:389, authentication 1
rlm_ldap: starting TLS
rlm_ldap: bind as cn=fufu,o=radius/admin to 10.1.1.13:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user fufu authenticated succesfully
++[ldap] returns ok
Login OK: [fufu/admin] (from client hp port 0)
+- entering group post-auth
++[ldap] returns noop
} # server (null)
  TTLS: Got tunneled reply RADIUS code 2
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Tunnel-Private-Group-Id:0 = "3"
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [anonymous/<via Auth-Type = EAP>] (from client hp port 47 cli 00-15-b7-d5-70-e9)
+- entering group post-auth
++[ldap] returns noop
Sending Access-Accept of id 75 to 10.1.1.1 port 1024
        MS-MPPE-Recv-Key = 0x57ac0d7ae41abc5c2ea0e456d9442c87cb06ae7f497850ebbb0e8102c0aa94cd
        MS-MPPE-Send-Key = 0x7b50da9c1b7e4b36b6bc8651f887b514231e1640c10b0fc6cfe15053ecb11b9b
        EAP-Message = 0x03050004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "anonymous"
Finished request 4.
Going to the next request
Waking up in 0.5 seconds.
Waking up in 0.2 seconds.
Waking up in 3.6 seconds.
Cleaning up request 0 ID 71 with timestamp +15
Waking up in 0.2 seconds.
Cleaning up request 1 ID 72 with timestamp +15
Cleaning up request 2 ID 73 with timestamp +15
Cleaning up request 3 ID 74 with timestamp +16
Waking up in 0.1 seconds.
Cleaning up request 4 ID 75 with timestamp +16
Ready to process requests.

If anyone has an idea, I would be very, very happy to hear it.

In any case, thanks in advance for your help.
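An added example, not part of the original post: the users file above relies on three RFC 2868 tunnel attributes, and the log shows where they go missing. The inner (tunneled) reply carries Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-Id = "3", while the outer Access-Accept actually sent to the switch carries only the MPPE keys, EAP-Message and User-Name, so the switch has no VLAN to apply. The code below encodes those attributes the way they travel on the wire (attribute numbers 64, 65 and 81, VLAN = 13, IEEE-802 = 6, per RFC 2868/3580) and checks whether a reply's attribute list contains a usable VLAN assignment, including the tag-byte rule for string attributes. Function names and the constructed inputs are mine.

```python
"""Encode and check RFC 2868 tunnel attributes used for 802.1X dynamic VLAN assignment."""
import struct

TUNNEL_TYPE = 64               # RFC 2868 Tunnel-Type (tagged integer)
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868 Tunnel-Medium-Type (tagged integer)
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868 Tunnel-Private-Group-Id (tagged string)
TUNNEL_TYPE_VLAN = 13          # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 3580: Tunnel-Medium-Type value for IEEE-802


def encode_tagged_int(attr_type, tag, value):
    """Type | Length | Tag | 3-byte big-endian value (RFC 2868 section 3.1)."""
    body = struct.pack("!B", tag) + value.to_bytes(3, "big")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def encode_tagged_string(attr_type, tag, text):
    """Type | Length | Tag | String (RFC 2868 section 3.6)."""
    body = struct.pack("!B", tag) + text.encode("ascii")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def vlan_attributes(vlan_id, tag=0):
    """The three attributes a RADIUS server adds to an Access-Accept to place a port in vlan_id."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attributes(blob):
    """Split a RADIUS attribute list into (type, value_bytes) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def split_tag(attr_type, value):
    """Return (tag, payload). For the string attribute, a first byte above 0x1F is data, not a tag."""
    if attr_type == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F:
        return 0, value
    return value[0], value[1:]


def assigned_vlan(blob):
    """VLAN id an authenticator would apply from these reply attributes, or None if the set is incomplete.

    All three attributes must be present with the same tag, Tunnel-Type must be VLAN,
    Tunnel-Medium-Type must be IEEE-802 and the group id must be a valid numeric VLAN.
    """
    per_tag = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) or not value:
            continue
        tag, payload = split_tag(attr_type, value)
        entry = per_tag.setdefault(tag, {})
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            entry["group"] = payload.decode("ascii", "replace")
        else:
            if len(payload) != 3:
                raise ValueError("tunnel integer value must be 3 bytes")
            entry[attr_type] = int.from_bytes(payload, "big")
    for _tag, entry in sorted(per_tag.items()):
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and entry.get("group", "").isdigit()):
            vid = int(entry["group"])
            if 1 <= vid <= 4094:
                return vid
    return None


if __name__ == "__main__":
    # Constructed inputs: what the inner reply in the log carried, and what the outer reply lacked.
    inner_reply = vlan_attributes(3)
    outer_reply_without_tunnel_attrs = b""
    print("inner reply assigns VLAN:", assigned_vlan(inner_reply))                      # 3
    print("outer reply assigns VLAN:", assigned_vlan(outer_reply_without_tunnel_attrs))  # None
```

The check is deliberately strict: a reply carrying only Tunnel-Private-Group-Id, or a group id that is not a number, yields None, because an 802.1X authenticator needs the complete triple to place the port.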
Serom, posted 20 May 2008 (author)

Solution found: you have to enable "tunnelling" of the extra information for TTLS in the eap.conf file (two options to set to yes).
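The two settings this refers to, added here as an illustration rather than taken from the poster's own eap.conf: in the ttls block of FreeRADIUS 2.x eap.conf, copy_request_to_tunnel copies the outer request's attributes into the inner request, and use_tunneled_reply copies the inner Access-Accept's reply attributes (here the Tunnel-* VLAN attributes) into the outer reply that the switch receives. Without the second one, the switch only sees the outer reply, which is what the log above shows. Other ttls settings are omitted.

```conf
eap {
        # ... other EAP settings unchanged ...
        ttls {
                # Make the outer request's attributes (NAS-Port, Calling-Station-Id, ...)
                # visible to the inner request.
                copy_request_to_tunnel = yes

                # Copy the inner reply's attributes into the outer Access-Accept.
                # This is what carries Tunnel-Type, Tunnel-Medium-Type and
                # Tunnel-Private-Group-Id out to the switch.
                use_tunneled_reply = yes
        }
}
```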