rlm_eap: Handler failed in EAP/peap

Laker Netman laker_netman at yahoo.com
Tue Feb 28 17:26:12 CET 2006


Try uncommenting "with_ntdomain_hack = yes" in the mschap config.
The "WORKGROUP\\" needs to be stripped, which happens automatically
when that config is enabled.

Laker

--- Agus Supriyadi <sorcerershell at gmail.com> wrote:

> On 2/28/06, Laker Netman <laker_netman at yahoo.com> wrote:
> >
> > It looks like you didn't include the domain info by
> > having --domain=%{mschap:NT-Domain} in your
> > "ntlm_auth" command line in the mschap section of your
> > radius.conf file.
> >
> Thanks Laker,
> You're right. After I added --domain=%{mschap:NT-Domain} to ntlm_auth,
> the script failed error is gone.
> But there's a new error that occurred. It looks like this:
> 
> ---- BEGIN ERROR ---
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>   rlm_eap: Failed in handler
>   modcall[authenticate]: module "eap" returns invalid for request 28
> --- END ERROR ---
> 
> The full debug message of the request looks like this:
> 
> === BEGIN DEBUG ===
> rad_recv: Access-Request packet from host 128.16.100.2:21646, id=106, length=144
>         User-Name = "WORKGROUP\\agus"
>         Framed-MTU = 1400
>         Called-Station-Id = "0012.43f9.07f0"
>         Calling-Station-Id = "0040.96a6.0915"
>         Service-Type = Login-User
>         Message-Authenticator = 0xceeac013eeaa43fc5650c013e93f651c
>         EAP-Message = 0x0201001301574f524b47524f55505c61677573
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 491
>         NAS-IP-Address = 128.16.100.2
>         NAS-Identifier = "iSpot"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 28
>   modcall[authorize]: module "preprocess" returns ok for request 28
>   modcall[authorize]: module "chap" returns noop for request 28
>   modcall[authorize]: module "mschap" returns noop for request 28
>     rlm_realm: No '@' in User-Name = "agus", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 28
>   rlm_eap: EAP packet type response id 1 length 19
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 28
>     users: Matched entry DEFAULT at line 152
>   modcall[authorize]: module "files" returns ok for request 28
> rlm_passwd: Added LM-Password: 'B736D7A84FBDE543AAD3B435B51404EE' to config_items
> rlm_passwd: Added NT-Password: 'AA4348E74FCFE5BB2061F2FF5C085304' to config_items
> rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U         ]' to config_items
> rlm_passwd: Adding "Auth-Type = MS-CHAP"
>   modcall[authorize]: module "etc_smbpasswd" returns ok for request 28
> modcall: leaving group authorize (returns updated) for request 28
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 28
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>   rlm_eap: Failed in handler
>   modcall[authenticate]: module "eap" returns invalid for request 28
> modcall: leaving group authenticate (returns invalid) for request 28
> auth: Failed to validate the user.
> === END DEBUG ===
> 
> Is that because eap is performing the certificate CN check with the
> user-name attrib but not with the hostname of the server? (Just my guess)
> 





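The EAP-Message in the quoted debug output can be decoded to see which identity the supplicant actually sent, next to the User-Name the log prints. The Python below is an added example, not part of the original thread and not FreeRADIUS code; `split_nt_domain` is a hypothetical helper illustrating the domain stripping described in the reply, and the User-Name is assumed to be exactly the characters printed in the log.

```python
import struct

# Values copied from the debug output quoted in this thread.
EAP_MESSAGE_HEX = "0x0201001301574f524b47524f55505c61677573"
USER_NAME_AS_LOGGED = r"WORKGROUP\\agus"  # assumption: taken literally, two backslashes

EAP_CODES = {1: "request", 2: "response", 3: "success", 4: "failure"}
EAP_TYPE_IDENTITY = 1


def parse_eap(hex_value):
    """Parse the RFC 3748 EAP header: code, identifier, 16-bit length, type."""
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field disagrees with the data present")
    pkt = {"code": EAP_CODES.get(code, str(code)), "id": ident,
           "length": length, "type": None, "data": b""}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a type
        pkt["type"], pkt["data"] = raw[4], raw[5:length]
    return pkt


def eap_identity(pkt):
    """Return the identity string from an EAP-Response/Identity packet."""
    if pkt["code"] != "response" or pkt["type"] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    return pkt["data"].decode("utf-8", errors="replace")


def split_nt_domain(name):
    """Hypothetical helper: split DOMAIN\\user into (domain, user)."""
    domain, sep, user = name.rpartition("\\")
    return (domain.rstrip("\\") if sep else "", user)


if __name__ == "__main__":
    pkt = parse_eap(EAP_MESSAGE_HEX)
    identity = eap_identity(pkt)
    print("EAP", pkt["code"], "id", pkt["id"], "length", pkt["length"])
    print("EAP identity      :", identity)
    print("User-Name (logged):", USER_NAME_AS_LOGGED)
    print("literal match     :", identity == USER_NAME_AS_LOGGED)
    print("after domain split:", split_nt_domain(identity),
          split_nt_domain(USER_NAME_AS_LOGGED))
```

The decoded header agrees with the log line "EAP packet type response id 1 length 19", and once the domain prefix is split off both strings reduce to the same user part.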