Help Please

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Mon Mar 30 22:57:48 CEST 2015


Hi,

> Ok I am almost done with all the questions... Now when I go to login to
> wifi I am able to download cert and everything but I get an authentication
> failure. I have read most of it and am a little confused. Just wondering if
> any one had better insight on this.


look, I take it that you are new to FreeRADIUS - but surely you have read
the output that you've posted to this list...and seen what it is that is different
to the request now using EAP compared to when you were testing with radtest....

> [peap] Setting User-Name to CORP\aschappell

look - CORP\aschappell is what was sent through from your client, through the NAS to
your RADIUS server

> User-Name = "CORP\\aschappell"

see...part of the RADIUS datagram

> # Executing section authorize from file
> /etc/raddb/sites-enabled/inner-tunnel

EAP is working okay...you got into the inner-tunnel

> [ldap] performing user authorization for CORP\aschappell
> 
> [ldap] expand: %{Stripped-User-Name} ->

Stripped-User-Name is blank because the User-Name didn't match any of your prefix
or suffix rules...so it's kept the same.

>   [ldap] object not found
> 
> [ldap] search failed

...and unlike your plain test, this fails now.

...and because this fails, everything else fails as there's no password to use for the
authentication modules.


so, if you want to deal with this, you either need to handle that prefix OR you need to
strip it - by either defining it in proxy.conf or enabling the ntdomain module which will
deal with it.  the domain is coming from your Windows client...it's the sort of thing they do
(alternatively, configure the Windows client to NOT log in using Windows username/password(!) )


but I'll stop you at this point.... you appear to be going down the route of trying to
use AD with PEAP - using the LDAP module.... and I'm afraid you won't get much further.
you need to use the mschap module with ntlm_auth to do the required authentication,
AUTHORISATION is okay with LDAP using MS AD but authentication = no.



alan
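Added illustration, not Alan's text and not FreeRADIUS's own code: a simplified Python model of what a prefix (ntdomain-style) or suffix realm split does to a request. With no realm configured for CORP, Stripped-User-Name is never set, so an LDAP filter built from it expands to an empty value, which is what the quoted log shows; defining the realm fills it in, and a nostrip realm (as proxy.conf allows) keeps the full name. The Realm class, split_user_name and expand are this example's own names.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Realm:
    name: str
    nostrip: bool = False  # like "nostrip" in proxy.conf: keep the realm in User-Name

def make_realms(*realms: Realm) -> Dict[str, Realm]:
    """Index realms case-insensitively, as the realm lookup is."""
    return {r.name.upper(): r for r in realms}

def split_user_name(user_name: str, realms: Dict[str, Realm],
                    prefix_delim: Optional[str] = "\\",
                    suffix_delim: Optional[str] = "@") -> Dict[str, str]:
    """Return the attributes a realm module would leave on the request.

    Simplified model: a DOMAIN\\user prefix or user@domain suffix is split,
    the realm part is looked up, and Stripped-User-Name is set only when a
    matching realm exists and is not marked nostrip. Otherwise the request is
    left exactly as it arrived, which is why the quoted log shows it blank.
    """
    attrs = {"User-Name": user_name}
    realm_part = stripped = None
    if prefix_delim and prefix_delim in user_name:
        realm_part, stripped = user_name.split(prefix_delim, 1)
    elif suffix_delim and suffix_delim in user_name:
        stripped, realm_part = user_name.rsplit(suffix_delim, 1)
    if realm_part is None:
        return attrs  # no delimiter at all: nothing to strip
    realm = realms.get(realm_part.upper())
    if realm is None:
        return attrs  # delimiter present but no realm configured: noop
    attrs["Realm"] = realm.name
    if not realm.nostrip:
        attrs["Stripped-User-Name"] = stripped
    return attrs

def expand(template: str, attrs: Dict[str, str]) -> str:
    """Expand %{Attribute} references; an unset attribute expands to ''."""
    return re.sub(r"%\{([A-Za-z0-9-]+)\}", lambda m: attrs.get(m.group(1), ""), template)

if __name__ == "__main__":
    # Constructed sample matching the quoted log line.
    req = split_user_name("CORP\\aschappell", make_realms())
    print(expand("(sAMAccountName=%{Stripped-User-Name})", req))  # empty filter value
    req = split_user_name("CORP\\aschappell", make_realms(Realm("CORP")))
    print(expand("(sAMAccountName=%{Stripped-User-Name})", req))  # aschappell
```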

