EAP-MSCHAP v2 + LDAP: Identity does not match User-Name, setting from EAP Identity.

Maciej Drobniuch maciej at drobniuch.pl
Wed Jun 2 12:35:11 CEST 2010


Switch to the newsiest freeradius version. Maybe it will help.

2010/6/2 Andras Dosztal <adosztal at gmail.com>:
> Hi,
>
> I've configured FreeRADIUS (version 1.1.7, supplied with SLES10) to
> authenticate from Novell eDirectory with LDAP. The problem is that I can't
> connect to the network when I check the "Automatically use my Windows logon
> name and password" on a WinXP client's PEAP properties. This is the output
> of radiusd -A -X:
>
> rad_recv: Access-Request packet from host 10.128.128.3:1812, id=15,
> length=194
>        User-Name = "E00\\user1"
>        Service-Type = Framed-User
>        Framed-MTU = 1500
>        Called-Station-Id = "00-26-CA-8D-A7-85"
>        Calling-Station-Id = "00-0B-CD-04-75-8C"
>        Attr-102 = 0x
>        NAS-Port-Type = Ethernet
>        NAS-Port = 50005
>        NAS-Port-Id = "FastEthernet0/5"
>        NAS-IP-Address = 10.128.128.1
>        EAP-Message = 0x0201000e014530305c7573657231
>        Proxy-State =
> 0x280000000000000646010000400900000000000000000000a74212c6bb2daec4f3110aa90d1af235
>        Message-Authenticator = 0x928d46624aad188e71d3c6bbd88af6f1
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>  modcall[authorize]: module "preprocess" returns ok for request 0
>  modcall[authorize]: module "chap" returns noop for request 0
>  modcall[authorize]: module "mschap" returns noop for request 0
>    rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 0
>  rlm_eap: EAP packet type response id 1 length 14
>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>  modcall[authorize]: module "eap" returns updated for request 0
>    users: Matched entry user1 at line 88
>  modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for user1
> radius_xlat:  '(uid=user1)'
> radius_xlat:  'o=snac'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 10.128.128.5:636, authentication 0
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: setting TLS CACert File to /etc/raddb/certs/ip_cert.b64
> rlm_ldap: bind as cn=admin,o=snac/xxx to 10.128.128.5:636
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in o=snac, with filter (uid=user1)
> rlm_ldap: checking if remote access for user1 is allowed by dialupAccess
> rlm_ldap: Added the eDirectory password in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user user1 authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>  modcall[authorize]: module "ldap" returns ok for request 0
> rlm_pap: Found existing Auth-Type, not changing it.
>  modcall[authorize]: module "pap" returns noop for request 0
> modcall: leaving group authorize (returns updated) for request 0
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>  rlm_eap: Failed in handler
>  modcall[authenticate]: module "eap" returns invalid for request 0
> modcall: leaving group authenticate (returns invalid) for request 0
> auth: Failed to validate the user.
> Login incorrect: [user1/<no User-Password attribute>] (from client lan port
> 50005 cli 00-0B-CD-04-75-8C)
>  Found Post-Auth-Type
>  Processing the post-auth section of radiusd.conf
> modcall: entering group REJECT for request 0
>  modcall[post-auth]: module "ldap" returns noop for request 0
> modcall: leaving group REJECT (returns noop) for request 0
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 15 to 10.128.128.3 port 1812
>        Proxy-State =
> 0x280000000000000646010000400900000000000000000000a74212c6bb2daec4f3110aa90d1af235
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 15 with timestamp 4c06337d
> Nothing to do.  Sleeping until we see a request.
>
>
>
> The with_ntdomain_hack directive is set to "yes" in the preprocess and
> mschap modules of radiusd.conf. When I set it to "no" and uncheck the
> "Automatically use my Windows..." and enter the user's credentials in a
> pop-up box, it's working fine.
> Could you guys help me with this problem? Thanks in advance.
>
> Regards,
> Andras
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Pozdrawiam!
Maciej Drobniuch




More information about the Freeradius-Users mailing list