[strongSwan] eap vs. Ldap

bjoern wahl bjoern.wahl at hospital-borken.de
Wed Oct 9 18:00:08 CEST 2013


Me again, having some trouble with my Radius-Server speaking to my

My installation is like "ikev2/rw-eap-md5-radius" [1] and everything
looks good to me.

MD5 is working, "loaded certificate" is ok, Radius tells me "Ready to
process requests" but:

When I log in, strongSwan asks the Radius, the Radius talks to
my ldap, and here is what Radius is telling me:


rlm_ldap: Bind was successful
rlm_ldap: performing search in o=XXXX, with filter (uid=xxxx)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
[ldap] user xxxx authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 126 to xxxx port xxxx
    EAP-Message = 0x01010016041056e354abc8151b7ee983b9abd94c209f
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xc63fc80cc63ecca6fd2b5989778ae9e5
Finished request 0.
Going to the next request

And I cannot log in, as my client tells me:

authentication of 'C=xx, ST=xx, L=xxx, O=xxx, OU=xxx, CN=xxxx, E=xx at xx'
(myself) with RSA signature successful
06[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/MD5 ]
06[NET] sending packet: from xxxx[4500] to xxxx[4500] (540 bytes)
08[NET] received packet: from xxx[4500] to xxx[4500] (76 bytes)
08[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
08[ENC] generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
08[NET] sending packet: from xxx[4500] to xxxx[4500] (76 bytes)

I don't get why this fails!

Is the "[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this." the problem?
It does not tell me anything.

Yes, I googled it, but didn't find a good answer except looking into
RADIUS<->LDAP configs. I know in this case this would be the
wrong forum, but maybe somebody here has experienced the same problem?



[1] http://www.strongswan.org/testresults4.html

Klinikverbund Westmünsterland gGmbH
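Added example (not part of the original post, and not strongSwan or FreeRADIUS code): it decodes the EAP-Message from the Access-Challenge in the debug output above and shows the EAP-MD5 check from RFC 3748 / RFC 1994, which the server can only perform when it holds the user's cleartext password. The password and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MD5_CHALLENGE = 4  # RFC 3748, section 5.4

# EAP-Message value copied from the Access-Challenge in the debug log above.
LOGGED_EAP_MESSAGE = "0x01010016041056e354abc8151b7ee983b9abd94c209f"


def parse_eap_md5(hex_value):
    """Decode an EAP-MD5 packet as printed in a RADIUS debug log."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 6:
        raise ValueError("too short for an EAP-MD5 packet")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field does not match the data")
    if raw[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("EAP type %d is not MD5-Challenge" % raw[4])
    size = raw[5]
    value = raw[6:6 + size]
    if len(value) != size:
        raise ValueError("truncated MD5 value")
    return {"code": EAP_CODES.get(code, code), "id": ident, "value": value}


def md5_response(ident, cleartext_password, challenge):
    """Response value: MD5(identifier || password || challenge), RFC 1994."""
    return hashlib.md5(bytes([ident]) + cleartext_password + challenge).digest()


def server_verifies(ident, challenge, response, known_good_password):
    """What the RADIUS side has to do; impossible without the cleartext."""
    if known_good_password is None:  # e.g. the directory returned no password
        return False
    expected = md5_response(ident, known_good_password, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    req = parse_eap_md5(LOGGED_EAP_MESSAGE)
    print(req["code"], "id", req["id"], "challenge", req["value"].hex())
    password = b"constructed-password"  # constructed sample, not from the post
    resp = md5_response(req["id"], password, req["value"])
    print("with cleartext:", server_verifies(req["id"], req["value"], resp, password))
    print("without       :", server_verifies(req["id"], req["value"], resp, None))
```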
