ntlm_auth multiple nt4 domains peap xp
crawford at cmsu1.cmsu.edu
Tue Aug 30 00:36:51 CEST 2005
I have a two nt4 trusted domain infrastructure and am trying to setup freeradius to authenticate xp supplicants with peap. I have nmbd and winbindd running correctly, and can run the ntlm_auth program with no problems. But what I have found out is that my freeradius server is joined to the DOMAINA domain. So when running /usr/bin/ntlm_auth --username=domainatestuser it automatically validates the user against DOMAINA. But if I try to run /usr/bin/ntlm_auth --username=domainbtestuser it will fail. I have to add the --domain=DOMAINB for it to validate correctly.
So when I use my xp supplicant to validate my user, domainatestuser (without typing in the DOMAINA), it works perfectly. If I put in DOMAINA in the domain box, I get rejected. If I try to validate the domainbtestuser using nothing for the domain box, I get rejected. If I put in DOMAINB in the domain box, I get rejected.
I guess I am needing to setup realms for each domain. How do I setup DOMAINA users to go to the DOMAINA domain controllers, and how do I setup DOMAINB users to go to DOMAINB domain controllers. I shouldn't really have to setup to go do different domain controllers, I just need freeradius to pass on the "domain" in the ntlm_auth command.
Thanks for any help!!!!
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:3076, id=85, length=181
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Framed-MTU = 1400
User-Name = "DOMAINB\\domainbtestuser"
Calling-Station-Id = "001217a8df41"
Called-Station-Id = "0001f4449c4c"
NAS-Identifier = "RoamAbout AP"
State = 0x1ce29e6a91a9663ff39346a69f85748c
EAP-Message = 0x020800261900170301001b4ca905292ffadaa855c356acd5417b6989915df2dd32ffdc0b08d3
Message-Authenticator = 0x6dca7a93ca473745cab0f6a063b66d0e
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 15
modcall[authorize]: module "preprocess" returns ok for request 15
modcall[authorize]: module "mschap" returns noop for request 15
rlm_realm: No '@' in User-Name = "DOMAINB\domainbtestuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 15
rlm_realm: Looking up realm "DOMAINB" for User-Name = "DOMAINB\domainbtestuser"
rlm_realm: No such realm "DOMAINB"
modcall[authorize]: module "ntdomain" returns noop for request 15
rlm_eap: EAP packet type response id 8 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 15
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 15
modcall: group authorize returns updated for request 15
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 15
rlm_eap: Request found, released from the list
rlm_eap: processing type peap
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 15
modcall: group authenticate returns invalid for request 15
auth: Failed to validate the user.
Delaying request 15 for 1 seconds
Finished request 15
Going to the next request
Jamie Crawford, MCSE RHCT Network Analyst I
Central Missouri State University
Warrensburg, MO 64093
Email:CRAWFORD at CMSU1.CMSU.EDU
More information about the Freeradius-Users