Fwd: Request for directions: WinXP + Samba + LDAP + 802.1x

Fabiano Caixeta Duarte fcd.listas at gmail.com
Tue Dec 15 14:02:55 CET 2009


> As you can see, it says that it has stripped realm from username but
> it passes it along with username to ldap. How can I fix this?

Never mind. ldap filter did the job. Sorry about that.

Actually it's not working yet.

rad_recv: Access-Request packet from host 192.168.205.29 port 49154, id=0, length=178
Cleaning up request 15 ID 0 with timestamp +1232
       NAS-IP-Address = 192.168.205.29
       NAS-Port-Type = Ethernet
       NAS-Port = 2
       User-Name = "DOMAIN\\sti"
       State = 0x9bb6fc759d93e55343410152d73b1dba
       EAP-Message = 0x0225005b1900170301005046c5a952e0ad6d2ea7d132dd3c00c1a132df2329a23561c760d4a45fb4f02e3bd1a848f5d4d3106ae52d4f442971b4c6aa4d0c1578056479f03c76d350fc041b659e556368c4a63e30e09849d0aae29a
       Message-Authenticator = 0xf9700c8c22d81ecdb12a8f6731151a38
+- entering group authorize {...}
++[preprocess] returns ok
[ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti"
[ntdomain] Found realm "DOMAIN"
[ntdomain] Adding Stripped-User-Name = "sti"
[ntdomain] Adding Realm = "DOMAIN"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 37 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
       EAP-Message = 0x022500441a0225003f31a156d1579957b003643781fff8636e87000000000000000003367b7948111ad6081798c179995c91c0268edae3409ae30046454152505c737469
server  {
 PEAP: Setting User-Name to DOMAIN\sti
Sending tunneled request
       EAP-Message = 0x022500441a0225003f31a156d1579957b003643781fff8636e87000000000000000003367b7948111ad6081798c179995c91c0268edae3409ae30046454152505c737469
       FreeRADIUS-Proxied-To = 127.0.0.1
       User-Name = "DOMAIN\\sti"
       State = 0x7b5d7eb57b7864abf97396c9fbfa8cb4
server  {
+- entering group authorize {...}
++[preprocess] returns ok
[ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti"
[ntdomain] Found realm "DOMAIN"
[ntdomain] Adding Stripped-User-Name = "sti"
[ntdomain] Adding Realm = "DOMAIN"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 37 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 204
++[files] returns ok
[ldap] performing user authorization for sti
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=sti)
[ldap]  expand: ou=Users,dc=domain,dc=br -> ou=Users,dc=domain,dc=br
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,dc=domain,dc=br, with filter (uid=sti)
[ldap] checking if remote access for sti is allowed by radiusFilterId
[ldap] looking for check items in directory...
rlm_ldap: userPassword -> User-Password == "{SMD5}/S4d+fNkBFL3TnpjceYuUiDPd+Q="
rlm_ldap: sambaNtPassword -> NT-Password == 0x4443384142353837303246373432304532443042323537333343453938394634
rlm_ldap: sambaLmPassword -> LM-Password == 0x3245414443463036424438463531344541414433423433354235313430344545
[ldap] looking for reply items in directory...
rlm_ldap: radiusFilterId -> Filter-Id = "Enterasys:version=1:policy=Enterprise User"
[ldap] user sti authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2]   WARNING: Unknown value specified for Auth-Type.  Cannot perform requested action.
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [DOMAIN\\sti/<via Auth-Type = EAP>] (from client tplink port 0 via TLS tunnel)
} # server
[peap] Got tunneled reply code 3
       Filter-Id = "Enterasys:version=1:policy=Enterprise User"
       EAP-Message = 0x04250004
       Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
       Filter-Id = "Enterasys:version=1:policy=Enterprise User"
       EAP-Message = 0x04250004
       Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.205.29 port 49154
       EAP-Message = 0x012600261900170301001b5cfd418b7da0ea2be30d04270a1403956143966fe487e0870c4b57
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0x9bb6fc759c90e55343410152d73b1dba
Finished request 16.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.205.29 port 49154, id=0, length=125
Cleaning up request 16 ID 0 with timestamp +1232
       NAS-IP-Address = 192.168.205.29
       NAS-Port-Type = Ethernet
       NAS-Port = 2
       User-Name = "DOMAIN\\sti"
       State = 0x9bb6fc759c90e55343410152d73b1dba
       EAP-Message = 0x022600261900170301001b21b51585f6a2a91a76b4b00b320ac2a87db1c24bf9bfa298197bf1
       Message-Authenticator = 0x30d1290632d45610b95a3253910ba83b
+- entering group authorize {...}
++[preprocess] returns ok
[ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti"
[ntdomain] Found realm "DOMAIN"
[ntdomain] Adding Stripped-User-Name = "sti"
[ntdomain] Adding Realm = "DOMAIN"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 38 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [DOMAIN\\sti/<via Auth-Type = EAP>] (from client tplink port 2)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> DOMAIN\sti
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 17 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 17
Sending Access-Reject of id 0 to 192.168.205.29 port 49154
       EAP-Message = 0x04260004
       Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 17 ID 0 with timestamp +1232
Ready to process requests.


> And how can I set XP for it to try to authenticate during the logon process?

That first question still remains....


--
Fabiano Caixeta Duarte
Computer Networks Specialist
Linux User #195299
Ribeirão Preto - SP
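Reading a trace like the one above comes down to three things: which Access-Request you are in, whether you are inside the PEAP inner tunnel (the unnamed "server  {" ... "} # server" block that rlm_eap_peap hands the inner EAP-MSCHAPv2 to), and which module was the first to return reject/invalid and what it printed just before doing so. Here the inner [eap] returned reject right after the [mschapv2] WARNING, the outer request then only got an Access-Challenge carrying the TLV failure, and the next packet was rejected because "User was rejected earlier in this session". The following helper is an added example, not code from the poster or from the FreeRADIUS project: it parses FreeRADIUS 2.x `radiusd -X` output with these line shapes and reports per request the failing module returns with their preceding warnings and the packet code finally sent. SAMPLE_TRACE is a constructed, shortened excerpt modelled on the trace in the post, with the mail wrapping undone (real -X output is one line per message) and the hex payloads dropped.

```python
"""Triage helper for FreeRADIUS 2.x debug (radiusd -X) output.

Added example (not from the post or the FreeRADIUS project). Walks a debug
trace, tracks whether processing is inside the PEAP inner virtual server
("server ... {" up to "} # server"), remembers module WARNING lines, and
reports, per received Access-Request, every module that returned
reject/invalid/fail together with the warnings printed just before it, plus
the final packet code sent for that request.
"""
import re
from dataclasses import dataclass, field

REQ_START = re.compile(
    r"^rad_recv: Access-Request packet from host (?P<host>\S+) port \d+, id=(?P<id>\d+)")
MODULE_RET = re.compile(r"^\+\+\[(?P<mod>[^\]]+)\] returns (?P<rc>\w+)$")
WARNING = re.compile(r"^\[(?P<mod>[^\]]+)\]\s+WARNING: (?P<msg>.*)$")
SENT = re.compile(r"^Sending (?P<code>Access-(?:Accept|Reject|Challenge)) of id \d+")
FAILING = {"reject", "invalid", "fail"}

# Constructed sample, modelled on the trace in the post (lines unwrapped, hex removed).
SAMPLE_TRACE = r"""
rad_recv: Access-Request packet from host 192.168.205.29 port 49154, id=0, length=178
        User-Name = "DOMAIN\\sti"
+- entering group authorize {...}
++[preprocess] returns ok
[ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti"
++[ntdomain] returns ok
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
server  {
 PEAP: Setting User-Name to DOMAIN\sti
Sending tunneled request
server  {
+- entering group authorize {...}
++[preprocess] returns ok
++[ntdomain] returns ok
++[eap] returns updated
++[files] returns ok
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=sti)
++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] processing type mschapv2
[mschapv2]   WARNING: Unknown value specified for Auth-Type.  Cannot perform requested action.
++[eap] returns reject
Failed to authenticate the user.
} # server
[peap] Got tunneled reply code 3
[peap] Tunneled authentication was rejected.
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.205.29 port 49154
rad_recv: Access-Request packet from host 192.168.205.29 port 49154, id=0, length=125
++[preprocess] returns ok
++[ntdomain] returns ok
++[eap] returns ok
Found Auth-Type = EAP
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
++[eap] returns invalid
Failed to authenticate the user.
Sending Access-Reject of id 0 to 192.168.205.29 port 49154
"""


@dataclass
class Finding:
    request: int        # 1-based index of the Access-Request within the trace
    in_tunnel: bool     # True when inside the PEAP inner virtual server
    module: str         # module whose "++[mod] returns ..." line failed
    rcode: str          # reject / invalid / fail
    warnings: list = field(default_factory=list)  # WARNING lines printed just before it


def triage(trace):
    """Return (findings, sent): failing module returns, and the packet code sent per request."""
    findings, sent = [], {}
    request, in_tunnel, pending = 0, False, []
    for raw in trace.splitlines():
        line = raw.strip()
        if REQ_START.match(line):
            request += 1
            in_tunnel, pending = False, []
            continue
        if line.startswith("server") and line.endswith("{"):
            in_tunnel, pending = True, []   # PEAP hands the inner EAP to a virtual server
            continue
        if line.startswith("} # server"):
            in_tunnel = False
            continue
        m = WARNING.match(line)
        if m:
            pending.append(f"{m['mod']}: {m['msg']}")
            continue
        m = MODULE_RET.match(line)
        if m:
            if m["rc"] in FAILING:
                findings.append(Finding(request, in_tunnel, m["mod"], m["rc"], pending))
            pending = []    # warnings belong to the module that just returned
            continue
        m = SENT.match(line)
        if m:
            sent[request] = m["code"]
    return findings, sent


def first_failure(trace):
    """The earliest failing module return, or None; that is usually the cause to chase."""
    findings, _ = triage(trace)
    return findings[0] if findings else None


if __name__ == "__main__":
    findings, sent = triage(SAMPLE_TRACE)
    for f in findings:
        where = "inner tunnel" if f.in_tunnel else "outer"
        print(f"request {f.request} [{where}] {f.module} returned {f.rcode}")
        for w in f.warnings:
            print(f"    preceded by: {w}")
    for req, code in sent.items():
        print(f"request {req}: sent {code}")
```

Run against a saved `radiusd -X` capture instead of SAMPLE_TRACE to get the same summary; the point of chasing the first failure rather than the last is that everything after the inner reject here (the TLV failure, the second packet's "invalid", the delayed Access-Reject) is just the consequence of it.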




More information about the Freeradius-Users mailing list