<HTML><BODY><p style="font-family: Arial, Tahoma, Verdana, sans-serif; font-size: 13px; line-height: 18.2000007629395px;" data-mce-style="font-family: Arial, Tahoma, Verdana, sans-serif; font-size: 13px; line-height: 18.2000007629395px;">>What is the debug output of FreeRADIUS? <br>rlm_ldap (ldap): Reserved connection (4)<br>(3) ldap : expand: "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(uid=test_user1)'<br>(3) ldap : expand: "cn=users,cn=accounts,dc=local,dc=yopt1k,dc=ru" -> 'cn=users,cn=accounts,dc=local,dc=yopt1k,dc=ru'<br>(3) ldap : Performing search in 'cn=users,cn=accounts,dc=local,dc=yopt1k,dc=ru' with filter '(uid=test_user1)'<br>(3) ldap : Waiting for search result...<br>(3) ldap : User object found at DN "uid=test_user1,cn=users,cn=accounts,dc=local,dc=yopt1k,dc=ru"<br>(3) ldap : Processing user attributes<br>(3) ldap : control:Password-With-Header += '{SSHA}CDKDY7QxB6DVDCHBHrEpqTMqsxyD5mJorM2nbQ=='<br>rlm_ldap (ldap): Released connection (4)<br>rlm_ldap (ldap): Closing connection (1): Too many free connections (4 > 3)<br>rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 129 seconds<br>rlm_ldap (ldap): You probably need to lower "min"<br>rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 129 seconds<br>(3) [-ldap] = ok<br>(3) [expiration] = noop<br>(3) [logintime] = noop<br>(3) WARNING: pap : Auth-Type already set. Not setting to PAP<br>(3) [pap] = noop<br>(3) } # authorize = updated<br>(3) Found Auth-Type = EAP<br>(3) # Executing group from file /etc/raddb/sites-enabled/default<br>(3) authenticate {<br>(3) eap : Expiring EAP session with state 0xe22e0a1de22f0e3e<br>(3) eap : Finished EAP session with state 0xe22e0a1de22f0e3e<br>(3) eap : Previous EAP request found for state 0xe22e0a1de22f0e3e, released from the list<br>(3) eap : Peer sent MD5 (4)<br>(3) eap : EAP MD5 (4)<br>(3) eap : Calling eap_md5 to process EAP data<br>rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication<br>(3) eap : Failed in EAP select<br>(3) [eap] = invalid<br>(3) } # authenticate = invalid<br>(3) Failed to authenticate the user.<br>(3) Using Post-Auth-Type Reject<br>(3) # Executing group from file /etc/raddb/sites-enabled/default<br>(3) Post-Auth-Type REJECT {<br>(3) attr_filter.access_reject : expand: "%{User-Name}" -> 'test_user1'<br>(3) attr_filter.access_reject : Matched entry DEFAULT at line 11<br>(3) [attr_filter.access_reject] = updated<br>(3) eap : Reply already contained an EAP-Message, not inserting EAP-Failure<br>(3) [eap] = noop<br>(3) remove_reply_message_if_eap remove_reply_message_if_eap {<br>(3) ? if (reply:EAP-Message && reply:Reply-Message)<br>(3) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE<br>(3) else else {<br>(3) [noop] = noop<br>(3) } # else else = noop<br>(3) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop<br>(3) } # Post-Auth-Type REJECT = updated<br>(3) Finished request 3.<br>Waking up in 0.2 seconds.<br>Waking up in 0.6 seconds.<br>(3) Sending delayed reject<br>Sending Access-Reject of id 109 from 10.0.100.249 port 1812 to 10.0.100.8 port 52342<br>EAP-Message = 0x04010004<br>Message-Authenticator = 0x00000000000000000000000000000000</p><p style="font-family: Arial, Tahoma, Verdana, sans-serif; font-size: 13px; line-height: 18.2000007629395px;" data-mce-style="font-family: Arial, Tahoma, Verdana, sans-serif; font-size: 13px; line-height: 18.2000007629395px;">>What authentication protocol does MOBIKE use?<br>MOBIKE is possible only with ikev2.<br><br>>You are aware of the authentication protocol and password storage compatibility matrix? <a style="color: #0077cc;" href="http://deployingradius.com/documents/protocols/compatibility.html" target="_blank" data-mce-href="http://deployingradius.com/documents/protocols/compatibility.html" data-mce-style="color: #0077cc;">http://deployingradius.com/documents/protocols/compatibility.html</a><br>Yes. After some reading rfc 3748, it's looks like it is impossible to use eap with ssha passwords. EAP methods available in strongwan does not include cleartext. Thus we have one password in md5(or other cipher) and another in ssha. We can't decrypt them, and we can't compare them.</p><p style="font-family: Arial, Tahoma, Verdana, sans-serif; font-size: 13px; line-height: 18.2000007629395px;" data-mce-style="font-family: Arial, Tahoma, Verdana, sans-serif; font-size: 13px; line-height: 18.2000007629395px;"><br>>Do you do a ldapbind oder ldapsearch?<br>I'm using:<br>radiusd: FreeRADIUS Version 3.0.1, for host x86_64-redhat-linux-gnu<br>There is no any word about ldapbind in configuration files.<br>I tried to use <br>set_auth_type = yes<br>Nothing happens.</p><p style="font-family: Arial, Tahoma, Verdana, sans-serif; font-size: 13px; line-height: 18.2000007629395px;" data-mce-style="font-family: Arial, Tahoma, Verdana, sans-serif; font-size: 13px; line-height: 18.2000007629395px;">Thank you for your help!</p><br><style type="text/css"></style></BODY></HTML>