<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19019"></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Tahoma">
<DIV><BR><BR>>>> Phil Mayers <p.mayers@imperial.ac.uk> 5/21/2011 3:08 AM >>><BR>On 05/20/2011 10:33 PM, Mark Jones wrote:<BR>> Here is the latest debug...Im not sure what to try next.<BR><BR>Latest debug... ok, what has changed?</DIV>
<DIV> </DIV>
<DIV>I added the dns suffix to the computer name<BR><BR><BR>> rad_recv: Access-Request packet from host 10.152.0.100 port 32819,<BR>> id=186, length=216<BR>> NAS-IP-Address = 10.152.0.100<BR>> NAS-Port = 0<BR>> NAS-Port-Type = Wireless-802.11<BR>> User-Name = "host/TEST-11501.hpsd48.ab.ca"<BR>> Calling-Station-Id = "00265EE9B2CA"<BR>> Called-Station-Id = "000B86611894"<BR>> MS-CHAP-Challenge = 0xa389f8f8a19c2761c3f31128115bac7f<BR>> MS-CHAP2-Response =<BR>> 0x0800afc6531b8f43785e186a0578c795c13b00000000000000005f4828b8f016c112e3e453505d0c203f7172ad8a40f17c02<BR>> Service-Type = Login-User<BR>> Aruba-Essid-Name = "HPSD_RAD2"<BR>> Aruba-Location-Id = "Tech 01"<BR><BR>This is still a plain MSCHAP request, indicating that the Aruba <BR>equipment is still terminating the PEAP itself, and translating the <BR>EAP-MSCHAP to plain MSCHAP. As per my previous emails, I recommend you <BR>change this.</DIV>
<DIV> </DIV>
<DIV>Your right I turned it off and then re-enabled it my next post will be with it off<BR><BR>> # Executing section authorize from file /etc/raddb/sites-enabled/default<BR>> +- entering group authorize {...}<BR>> ++[preprocess] returns ok<BR>> ++[chap] returns noop<BR>> [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'<BR>> ++[mschap] returns ok<BR>> ++[digest] returns noop<BR>> [suffix] No '@' <mailto:'@'> in User-Name =<BR>> "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL<BR>> [suffix] No such realm "NULL"<BR>> ++[suffix] returns noop<BR>> [eap] No EAP-Message, not doing EAP<BR>> ++[eap] returns noop<BR>> ++[files] returns noop<BR>> [ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca<BR><BR>So this is a full host/name.domain.com now - what did you change?</DIV>
<DIV> </DIV>
<DIV>as per above i added the dns suffix to the computer (under name change...more)<BR><BR>> [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$)<BR>> [ldap] expand: o=hpsd_48 -> o=hpsd_48<BR>> [ldap] ldap_get_conn: Checking Id: 0<BR>> [ldap] ldap_get_conn: Got Id: 0<BR>> [ldap] attempting LDAP reconnection<BR>> [ldap] (re)connect to 172.17.152.4:636, authentication 0<BR>> [ldap] setting TLS mode to 1<BR>> [ldap] bind as cn=admin,o=hpsd_48/xxxxxx to 172.17.152.4:636<BR>> [ldap] waiting for bind result ...<BR>> [ldap] Bind was successful<BR>> [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$)<BR>> [ldap] Added the eDirectory password xxxxxx in check items as<BR>> Cleartext-Password<BR><BR>Ok, you're using Novell eDir here? Are you using DSFW?</DIV>
<DIV> </DIV>
<DIV>Edir only <BR><BR>I know almost nothing about Novell, but a recent poster to the list was <BR>using eDir and DFSW, and he suggested that you need to:<BR><BR> 1. use LDAP/eDir for users<BR> 2. use Samba/ntlm_auth for machines<BR><BR>See here:<BR><BR><A href="https://lists.freeradius.org/pipermail/freeradius">https://lists.freeradius.org/pipermail/freeradius</A>-users/2011-May/msg00069.html<BR><BR>> [ldap] looking for check items in directory...<BR>> [ldap] looking for reply items in directory...<BR>> [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access<BR>> [ldap] ldap_release_conn: Release Id: 0<BR>> ++[ldap] returns ok<BR>> ++[expiration] returns noop<BR>> ++[logintime] returns noop<BR>> [pap] WARNING: Auth-Type already set. Not setting to PAP<BR>> ++[pap] returns noop<BR>> Found Auth-Type = MSCHAP<BR>> # Executing group from file /etc/raddb/sites-enabled/default<BR>> +- entering group MS-CHAP {...}<BR>> [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca<BR>> [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with<BR>> NT-Password<BR>> [mschap] FAILED: MS-CHAP2-Response is incorrect<BR><BR>Again, only three possible choices:<BR><BR> 1. The client is sending the wrong data (i.e password - unlikely)<BR> 2. The server is using the wrong data (i.e. password from LDAP is <BR>incorrect)<BR> 3. Something is fiddling with the data in-flight (e.g. Aruba messing <BR>with the EAP)</DIV>
<DIV> </DIV>
<DIV>I will post a new debug with termination off in a couple minutes<BR>-<BR>List info/subscribe/unsubscribe? See <A href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</A><BR></DIV><BR>
<p>
<font face="Times New Roman"><b>This communication is intended for the
use of the recipient to which it is addressed and may contain
confidential, personal and/or privileged information. If you received
this e-mail in error, please advise me (by return e-mail or otherwise)
immediately.</b></font>
</p>
</BODY></HTML>