Re: OpenLDAP / FreeRADIUS / Cisco 5350 problem (FreeRADIUS Users forums, Networking and Network Related category)
Douglas G. Phillips wrote:
>I'm running into an issue here, and I can't seem to find the forest for
>the trees. I'm probably overlooking something obvious, and am not
>searching correctly for the problem.
>
>Our LDAP server is using crypted passwords at the moment.
>
>The router is a cisco 5350. RADIUS is FreeRADIUS 1.0.1-2 on Debian
>Sarge.
>
>The problem is this: If I pass the radtest client a clear-text password,
>authentication is successful. If either I pass the client an encrypted
>password (copied from the logs) or point the 5350 at the radius server,
>it doesn't work. I verified that the shared secret is correctly matched
>with what is in the router.
>
>Here is a sample of the password that is being passed:
>
>User-Password = "\240d\351E\3737\025\022\0227,(rest removed)"
>
>Here is the configuration (comments omitted to save space). I have
>tried with the password_header both set to {CRYPT} and commented out.
>
>ldap {
>    server = "*******"
>    identity = ********
>    password = ********
>    basedn = "ou=people,dc=eiu,dc=edu"
>    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>    dictionary_mapping = ${raddbdir}/ldap.attrmap
>    ldap_connections_number = 5
>    password_header = "{CRYPT}"
>    timeout = 4
>    timelimit = 3
>    net_timeout = 1
>}
>
>authorize {
>    preprocess
>    auth_log
>    suffix
>    ldap
>}
>
>authenticate {
>    Auth-Type LDAP {
>        ldap
>    }
>}
>
>Any ideas?
>
>Thanks.
>
>

Please post the portion of radiusd -X output that illustrates the problem.

password_header = "{clear}" in the ldap module config directives should make your CISCO authentication work properly. Give it a try. Is this what you want?

Chris Carver

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
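An added example, not part of the original thread: the User-Password hiding defined in RFC 2865 section 5.2, showing what a server recovers when its shared secret matches the NAS, when it differs, and when an already-hidden value is submitted again as if it were the password. Function names, the secrets and the password are constructed for illustration.

```python
import hashlib
import os

def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    # RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator.
    if len(authenticator) != 16 or not data or len(data) % 16:
        raise ValueError("need a 16-octet authenticator and 16-octet-aligned data")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        # The chain always runs over the hidden (wire) block, in both directions.
        prev = block if hiding else data[i:i + 16]
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS (or radtest) places in User-Password."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, hiding=True)

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server recovers using its own copy of the shared secret."""
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def looks_like_cleartext(value: bytes) -> bool:
    # Heuristic: a typed password is normally printable ASCII.
    return bool(value) and all(0x20 <= b < 0x7F for b in value)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    nas_secret, password = b"constructed-secret", b"correct horse 17!"
    auth = os.urandom(16)
    wire = hide_password(password, nas_secret, auth)
    for label, server_secret in (("matching secret", nas_secret), ("different secret", b"other-secret")):
        got = recover_password(wire, server_secret, auth)
        print(f"{label}: {got!r} cleartext={looks_like_cleartext(got)}")
    # Feeding an already-hidden value back in as the password hides it a second time.
    auth2 = os.urandom(16)
    again = recover_password(hide_password(wire, nas_secret, auth2), nas_secret, auth2)
    print(f"re-submitted hidden value: {again!r} cleartext={looks_like_cleartext(again)}")
```

Because the hiding depends on the per-request authenticator as well as the secret, a hidden value copied out of a log is only meaningful for the request it came from.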