Hi Alan,<br><br>Thanks for your answers and excuse me for my english fill of mistakes.<br><br><div class="gmail_quote">2011/11/10 Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Alejandro Gandara wrote:<br>
> I'm authenticating users in RADIUS against LDAP, if I login from<br>
> computer with 802.1x configured and users and password taken from domain<br>
> automatic. Im getting wrong authenticated because the login has the<br>
> following chain.<br>
><br>
> DOMAIN\\Users<br>
><br>
> How can i avoid that radius read the prefix?<br>
<br>
</div> You should be able to authenticate using just the user name, using<br>
ntlm_auth. See the examples in raddb/modules/ntlm_auth<br></blockquote><div><br>Im reading about it. Thanks for this information.<br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div><br>
> I've tried to introduce the option prefix in /etc/sites-enable/default ,<br>
> but its getting me back errors because of wrong way to introduce that line.<br>
<br>
</div> Yes. Don't define a realm. It won't work.<br>
<br>
Post the debug output. That helps, too.<br></blockquote><div><br>This is my debug output:<br><br>rad_recv: Access-Request packet from host 172.20.40.28 port 1025, id=112, length=218<br> Framed-MTU = 1480<br> NAS-IP-Address = 172.20.40.28<br>
NAS-Identifier = "SW-INT-1-3"<br> User-Name = "PRIVATE\\usertest"<br> Service-Type = Framed-User<br> Framed-Protocol = PPP<br> NAS-Port = 32<br> NAS-Port-Type = Ethernet<br>
NAS-Port-Id = "32"<br> Called-Station-Id = "f0-62-81-05-33-40"<br> Calling-Station-Id = "f0-4d-a2-bc-77-cd"<br> Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"<br>
Tunnel-Type:0 = VLAN<br> Tunnel-Medium-Type:0 = IEEE-802<br> Tunnel-Private-Group-Id:0 = "1"<br> EAP-Message = 0x020a0012014f50544152455c62726f75636f<br> Message-Authenticator = 0x055981a2c542df52f4c292042c89a019<br>
[ldap] performing user authorization for usertest<br>[ldap] expand: %{Stripped-User-Name} -><br>[ldap] ... expanding second conditional<br>[ldap] expand: %{User-Name} -> usertest<br>[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=usertest)<br>
[ldap] expand: dc=private,dc=loc -> dc=private,dc=loc<br> [ldap] ldap_get_conn: Checking Id: 0<br> [ldap] ldap_get_conn: Got Id: 0<br> [ldap] attempting LDAP reconnection<br> [ldap] (re)connect to <a href="http://172.20.52.206:389" target="_blank">172.20.52.206:389</a>, authentication 0<br>
[ldap] bind as cn=raddbuser,dc=private,dc=loc/password to <a href="http://172.20.52.206:389" target="_blank">172.20.52.206:389</a><br> [ldap] waiting for bind result ...<br> [ldap] Bind was successful<br> [ldap] performing search in dc=pruebas,dc=loc, with filter (uid=usertest)<br>
[ldap] No default NMAS login sequence<br>[ldap] looking for check items in directory...<br> [ldap] sambaNtPassword -> NT-Password == 0x3245334230434533423046383434414238374145393237384141453730393331<br>[ldap] looking for reply items in directory...<br>
[ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "01"<br> [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802<br> [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN<br> [ldap] radiusFramedIPAddress -> Framed-IP-Address = 192.45.51.9<br>
[ldap] user brouco authorized to use remote access<br> [ldap] ldap_release_conn: Release Id: 0<br>++[ldap] returns ok<br>[eap] EAP packet type response id 10 length 18<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] returns updated<br>++[expiration] returns noop<br>++[logintime] returns noop<br>Found Auth-Type = EAP<br># Executing group from file /etc/freeradius/sites-enabled/default<br>+- entering group authenticate {...}<br>
<b>[eap] Identity does not match User-Name, setting from EAP Identity.</b><br>[eap] Failed in handler<br>++[eap] returns invalid<br>Failed to authenticate the user.<br>Login incorrect: [usertest/<via Auth-Type = EAP>] (from client privradius port 32 cli f0-4d-a2-bc-77-cd)<br>
Using Post-Auth-Type Reject<br> WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.<br># Executing group from file /etc/freeradius/sites-enabled/default<br><br><br>Thanks for all Alan.<br>
<br><br>Regards,<br><br>Alejandro Gándara<br><br>
<br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<span><font color="#888888"><br>
Alan DeKok.<br>
</font></span><div><div>-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br>