windows users having trouble authenticating

Sallee, Stephen (Jake) Jake.Sallee at umhb.edu
Mon Aug 2 23:31:48 CEST 2010


Alan:

>  The supplicant is sending a certificate that the server doesn't recognize.
	I have turned off everything I can find on the Windows box about
verifying certs and the like but still no joy.  Is there a way to tell
the FreeRADIUS box to accept the cert?

>  What "strange things" show up in the log?  Is it a secret?
	No, no secrets just the following weirdness:
-------------------------------------
rad_recv: Access-Request packet from host 10.11.30.5 port 32853, id=253,
length=164
        User-Name = "umhb\\test1"
        NAS-IP-Address = 10.11.30.5
        NAS-Port = 641
        Called-Station-Id = "00-0F-7D-09-73-20:Temp"
        Calling-Station-Id = "00-17-C4-F0-75-C8"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 1Mbps/36Mbps 802.11g"
        EAP-Message = 0x0200000f01756d68625c7465737431
        Message-Authenticator = 0x149047682e6d36b8bc634cfa08e39088
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Calling-Station-Id = 00-17-C4-F0-75-C8
rlm_perl: Added pair Called-Station-Id = 00-0F-7D-09-73-20:Temp
rlm_perl: Added pair Message-Authenticator =
0x149047682e6d36b8bc634cfa08e39088
rlm_perl: Added pair User-Name = umhb\\test1
rlm_perl: Added pair EAP-Message = 0x0200000f01756d68625c7465737431
rlm_perl: Added pair Connect-Info = CONNECT 1Mbps/36Mbps 802.11g
rlm_perl: Added pair NAS-IP-Address = 10.11.30.5
rlm_perl: Added pair NAS-Port = 641
rlm_perl: Added pair Framed-MTU = 1400
++[perl] returns ok
[suffix] No '@' in User-Name = "umhb\   est11", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [umhb\\\test1] (from client Sanderford port 641 cli
00-17-C4-F0-75-C8)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> umhb\   est11
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 56 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 56
Sending Access-Reject of id 253 to 10.11.30.5 port 32853
Waking up in 4.9 seconds.
Cleaning up request 56 ID 253 with timestamp +14627
-------------------------------------


The user (me) types in umhb\test1, but for some reason the server sees
umhb\\test1 which gets expanded into umhb\   est11.  There is even a
umhb\\\test1 in there! I know this has got to be a MS thing as it works
perfectly with Linux ... probably Mac too as they are Linux-based.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221
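
Added example (not part of the original post, and not FreeRADIUS code): decoding the EAP-Message value from the debug output above shows the identity the supplicant actually placed in its EAP-Response/Identity, so it can be compared with the User-Name as the log prints it. The function names are illustrative assumptions; the two input strings are copied from the log.

```python
import re
import struct

# Both values are copied from the debug output in the post above.
EAP_MESSAGE_HEX = "0x0200000f01756d68625c7465737431"
LOGGED_USER_NAME = r"umhb\\test1"  # raw string: exactly as the log prints it

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def parse_eap(hex_value):
    """Parse one EAP packet (RFC 3748 header layout) from a 0x-prefixed hex string."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes; packet too short")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field says {length}, got {len(raw)} bytes")
    packet = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type byte and data
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        packet["type"] = raw[4]
        packet["data"] = raw[5:]
    return packet


def eap_identity(hex_value):
    """Return the identity string from an EAP-Response/Identity packet."""
    pkt = parse_eap(hex_value)
    if pkt["code"] != "Response" or pkt.get("type") != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    return pkt["data"].decode("utf-8", errors="replace")


def backslash_runs(text):
    """Length of every run of consecutive backslashes in text."""
    return [len(run) for run in re.findall(r"\\+", text)]


if __name__ == "__main__":
    identity = eap_identity(EAP_MESSAGE_HEX)
    print("EAP header      :", parse_eap(EAP_MESSAGE_HEX))
    print("EAP identity    :", identity, backslash_runs(identity))
    print("logged User-Name:", LOGGED_USER_NAME, backslash_runs(LOGGED_USER_NAME))
```

The decoded header matches the log line "EAP packet type response id 0 length 15", and the identity inside EAP-Message contains a single backslash. An identity split across several EAP-Message attributes has to be concatenated before parsing.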



  



