Request for directions: WinXP + Samba + LDAP + 802.1x

nf-vale nf-vale at critical-links.com
Tue Dec 15 15:26:07 CET 2009


Have you defined Auth-Type in the users file as mschapv2 (don't do it)? What is the
configuration for this user in the users file?


On Tuesday 15 December 2009 13:00:07 you wrote:
> > As you can see, it says that it has stripped realm from username but
> > it passes it along with username to ldap. How can I fix this?
> 
> Never mind. ldap filter did the job. Sorry about that.
> 
> Actually it's not working yet.
> 
> rad_recv: Access-Request packet from host 192.168.205.29 port 49154, id=0, length=178
> Cleaning up request 15 ID 0 with timestamp +1232
>         NAS-IP-Address = 192.168.205.29
>         NAS-Port-Type = Ethernet
>         NAS-Port = 2
>         User-Name = "DOMAIN\\sti"
>         State = 0x9bb6fc759d93e55343410152d73b1dba
>         EAP-Message =
> 0x0225005b1900170301005046c5a952e0ad6d2ea7d132dd3c00c1a132df2329a23561c760d
> 4a45fb4f02e3bd1a848f5d4d3106ae52d4f442971b4c6aa4d0c157805647
>  9f03c76d350fc041b659e556368c4a63e30e09849d0aae29a
>         Message-Authenticator = 0xf9700c8c22d81ecdb12a8f6731151a38
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti"
> [ntdomain] Found realm "DOMAIN"
> [ntdomain] Adding Stripped-User-Name = "sti"
> [ntdomain] Adding Realm = "DOMAIN"
> [ntdomain] Authentication realm is LOCAL.
> ++[ntdomain] returns ok
> [eap] EAP packet type response id 37 length 91
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] EAP type mschapv2
> [peap] Got tunneled request
>         EAP-Message =
> 0x022500441a0225003f31a156d1579957b003643781fff8636e87000000000000000003367
> b7948111ad6081798c179995c91c0268edae3409ae30046454152505c737 469
> server  {
>   PEAP: Setting User-Name to DOMAIN\sti
> Sending tunneled request
>         EAP-Message =
> 0x022500441a0225003f31a156d1579957b003643781fff8636e87000000000000000003367
> b7948111ad6081798c179995c91c0268edae3409ae30046454152505c737 469
>         FreeRADIUS-Proxied-To = 127.0.0.1
>         User-Name = "DOMAIN\\sti"
>         State = 0x7b5d7eb57b7864abf97396c9fbfa8cb4
> server  {
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti"
> [ntdomain] Found realm "DOMAIN"
> [ntdomain] Adding Stripped-User-Name = "sti"
> [ntdomain] Adding Realm = "DOMAIN"
> [ntdomain] Authentication realm is LOCAL.
> ++[ntdomain] returns ok
> [eap] EAP packet type response id 37 length 68
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry DEFAULT at line 204
> ++[files] returns ok
> [ldap] performing user authorization for sti
> [ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
> [ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=sti)
> [ldap]  expand: ou=Users,dc=domain,dc=br -> ou=Users,dc=domain,dc=br
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,dc=domain,dc=br, with filter (uid=sti)
> [ldap] checking if remote access for sti is allowed by radiusFilterId
> [ldap] looking for check items in directory...
> rlm_ldap: userPassword -> User-Password == "{SMD5}/S4d+fNkBFL3TnpjceYuUiDPd+Q="
> rlm_ldap: sambaNtPassword -> NT-Password == 0x4443384142353837303246373432304532443042323537333343453938394634
> rlm_ldap: sambaLmPassword -> LM-Password == 0x3245414443463036424438463531344541414433423433354235313430344545
> [ldap] looking for reply items in directory...
> rlm_ldap: radiusFilterId -> Filter-Id =
> "Enterasys:version=1:policy=Enterprise User"
> [ldap] user sti authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> Found Auth-Type = EAP
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known good"               !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2]   WARNING: Unknown value specified for Auth-Type.  Cannot
> perform requested action.
> [eap] Freeing handler
> ++[eap] returns reject
> Failed to authenticate the user.
> Login incorrect: [DOMAIN\\sti/<via Auth-Type = EAP>] (from client tplink port 0 via TLS tunnel)
> } # server
> [peap] Got tunneled reply code 3
>         Filter-Id = "Enterasys:version=1:policy=Enterprise User"
>         EAP-Message = 0x04250004
>         Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Got tunneled reply RADIUS code 3
>         Filter-Id = "Enterasys:version=1:policy=Enterprise User"
>         EAP-Message = 0x04250004
>         Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
> ++[eap] returns handled
> Sending Access-Challenge of id 0 to 192.168.205.29 port 49154
>         EAP-Message = 0x012600261900170301001b5cfd418b7da0ea2be30d04270a1403956143966fe487e0870c4b57
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x9bb6fc759c90e55343410152d73b1dba
> Finished request 16.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.205.29 port 49154, id=0, length=125
> Cleaning up request 16 ID 0 with timestamp +1232
>         NAS-IP-Address = 192.168.205.29
>         NAS-Port-Type = Ethernet
>         NAS-Port = 2
>         User-Name = "DOMAIN\\sti"
>         State = 0x9bb6fc759c90e55343410152d73b1dba
>         EAP-Message = 0x022600261900170301001b21b51585f6a2a91a76b4b00b320ac2a87db1c24bf9bfa298197bf1
>         Message-Authenticator = 0x30d1290632d45610b95a3253910ba83b
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti"
> [ntdomain] Found realm "DOMAIN"
> [ntdomain] Adding Stripped-User-Name = "sti"
> [ntdomain] Adding Realm = "DOMAIN"
> [ntdomain] Authentication realm is LOCAL.
> ++[ntdomain] returns ok
> [eap] EAP packet type response id 38 length 38
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Received EAP-TLV response.
> [peap]  Had sent TLV failure.  User was rejected earlier in this session.
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Login incorrect: [DOMAIN\\sti/<via Auth-Type = EAP>] (from client tplink port 2)
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> DOMAIN\sti
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 17 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 17
> Sending Access-Reject of id 0 to 192.168.205.29 port 49154
>         EAP-Message = 0x04260004
>         Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 4.9 seconds.
> Cleaning up request 17 ID 0 with timestamp +1232
> Ready to process requests.
> 
> > And how can I set XP for it to try to authenticate during the logon process?
> 
> That first question remains....
> 
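As an added illustration of the point raised in the reply above (this is not the poster's configuration and not taken from the FreeRADIUS project files; the entry contents and the name of the inner-tunnel virtual server are assumptions), here is a users-file DEFAULT entry that forces Auth-Type next to one that leaves it unset, followed by the inner-tunnel authenticate section that the unset form relies on:

```text
# Added example (not from the thread): two versions of the DEFAULT entry in
# the FreeRADIUS "users" file, plus the inner-tunnel authenticate section.

# Weak: forcing Auth-Type overrides the eap module's own decision. Inside the
# PEAP tunnel the eap module must set Auth-Type = EAP itself and hand the
# MS-CHAPv2 exchange to rlm_eap_mschapv2; a forced value gets in the way.
DEFAULT    Auth-Type := MS-CHAP
           Fall-Through = Yes

# Corrected: no Auth-Type at all. The entry carries no password check item;
# the NT-Password check item comes from LDAP (sambaNtPassword), exactly as
# the debug output above shows, and Fall-Through lets later entries apply.
DEFAULT    Fall-Through = Yes

# Assumed inner-tunnel virtual server (sites-enabled/inner-tunnel):
# rlm_eap_mschapv2 delegates the actual MS-CHAPv2 verification to the mschap
# module through the "Auth-Type MS-CHAP" sub-section, so both must be present.
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
```

When checking a change like this, run the server in debugging mode (`radiusd -X`, which produced the output quoted above) and watch the inner-tunnel request: after "[eap] EAP/mschapv2" the mschap module should run against the NT-Password pulled from LDAP instead of the "Unknown value specified for Auth-Type" warning.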
