EAP-MSCHAP v2 + LDAP: Identity does not match User-Name, setting from EAP Identity.

Andras Dosztal adosztal at gmail.com
Wed Jun 2 12:26:10 CEST 2010


Hi,

I've configured FreeRADIUS (version 1.1.7, supplied with SLES10) to  
authenticate from Novell eDirectory with LDAP. The problem is that I can't  
connect to the network when I check the "Automatically use my Windows  
logon name and password" on a WinXP client's PEAP properties. This is the  
output of radiusd -A -X:

rad_recv: Access-Request packet from host 10.128.128.3:1812, id=15,  
length=194
         User-Name = "E00\\user1"
         Service-Type = Framed-User
         Framed-MTU = 1500
         Called-Station-Id = "00-26-CA-8D-A7-85"
         Calling-Station-Id = "00-0B-CD-04-75-8C"
         Attr-102 = 0x
         NAS-Port-Type = Ethernet
         NAS-Port = 50005
         NAS-Port-Id = "FastEthernet0/5"
         NAS-IP-Address = 10.128.128.1
         EAP-Message = 0x0201000e014530305c7573657231
         Proxy-State =  
0x280000000000000646010000400900000000000000000000a74212c6bb2daec4f3110aa90d1af235
         Message-Authenticator = 0x928d46624aad188e71d3c6bbd88af6f1
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "chap" returns noop for request 0
   modcall[authorize]: module "mschap" returns noop for request 0
     rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 0
   rlm_eap: EAP packet type response id 1 length 14
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 0
     users: Matched entry user1 at line 88
   modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat:  '(uid=user1)'
radius_xlat:  'o=snac'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.128.128.5:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/ip_cert.b64
rlm_ldap: bind as cn=admin,o=snac/xxx to 10.128.128.5:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=snac, with filter (uid=user1)
rlm_ldap: checking if remote access for user1 is allowed by dialupAccess
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "ldap" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
   modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
   rlm_eap: Failed in handler
   modcall[authenticate]: module "eap" returns invalid for request 0
modcall: leaving group authenticate (returns invalid) for request 0
auth: Failed to validate the user.
Login incorrect: [user1/<no User-Password attribute>] (from client lan  
port 50005 cli 00-0B-CD-04-75-8C)
   Found Post-Auth-Type
   Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 0
   modcall[post-auth]: module "ldap" returns noop for request 0
modcall: leaving group REJECT (returns noop) for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 15 to 10.128.128.3 port 1812
         Proxy-State =  
0x280000000000000646010000400900000000000000000000a74212c6bb2daec4f3110aa90d1af235
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 15 with timestamp 4c06337d
Nothing to do.  Sleeping until we see a request.



The with_ntdomain_hack directive is set to "yes" in the preprocess and  
mschap modules of radiusd.conf. When I set it to "no" and uncheck the  
"Automatically use my Windows..." and enter the user's credentials in a  
pop-up box, it's working fine.
Could you guys help me with this problem? Thanks in advance.

Regards,
Andras




More information about the Freeradius-Users mailing list