In our test lab we are working on using FreeRADIUS to authenticate users against their AD credentials. We loaded FreeRADIUS on a Fedora 10. We loaded SAMBA and it works. We loaded freeradius-2.1.3-1.fc10.i386. We followed the http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO. We booted an XP workstation and logged in. It never got a DHCP address and failed authentication. I noticed a message, [suffix] No '@' in User-Name = "DOM002\DW68406A", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop In the smb.conf file we configured the workgroup to be the netbios name of the domain DOM002. Should that have been the IP name, fm.testdomain.com? Below is the output from the radius -X. FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on Dec 8 2008 at 15:31:31 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client 172.18.134.248 { require_message_authenticator = no secret = "testing123" shortname = "172.18.134.248" nastype = "other" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "peap" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.18.134.248 port 1812, id=83, length=333 Framed-MTU = 1480 NAS-IP-Address = 172.18.134.248 NAS-Identifier = "IDM test 5406" User-Name = "DOM002\\DW68406A" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 6 NAS-Port-Type = Ethernet NAS-Port-Id = "A6" Called-Station-Id = "00-21-f7-6e-02-00" Calling-Station-Id = "00-1e-4f-b0-27-10" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "999" EAP-Message = 0x0204001401444f4d3030325c4457363834303641 Message-Authenticator = 0xb42d28522d0b20c06178f6ca7e7a45aa MS-RAS-Vendor = 11 HP-Attr-255 = 0x011a0000000b28 HP-Attr-255 = 0x011a0000000b2e HP-Attr-255 = 0x011a0000000b3d HP-Attr-255 = 0x0138 HP-Attr-255 = 0x013a HP-Attr-255 = 0x0140 HP-Attr-255 = 0x0141 HP-Attr-255 = 0x0151 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "DOM002\DW68406A", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 20 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 83 to 172.18.134.248 port 1812 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x010500061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc651d6b8c654cf27ba01eec66aff3857 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.134.248 port 1812, id=84, length=411 Framed-MTU = 1480 NAS-IP-Address = 172.18.134.248 NAS-Identifier = "IDM test 5406" User-Name = "DOM002\\DW68406A" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 6 NAS-Port-Type = Ethernet NAS-Port-Id = "A6" Called-Station-Id = "00-21-f7-6e-02-00" Calling-Station-Id = "00-1e-4f-b0-27-10" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "999" State = 0xc651d6b8c654cf27ba01eec66aff3857 EAP-Message = 0x0205005019800000004616030100410100003d03014a00a4e6275cb2018565ad9e287d82f60ac726ef17efadae0c24cb245b56bef200001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x63a1081298f73e7c4143818242a8e5e8 MS-RAS-Vendor = 11 HP-Attr-255 = 0x011a0000000b28 HP-Attr-255 = 0x011a0000000b2e HP-Attr-255 = 0x011a0000000b3d HP-Attr-255 = 0x0138 HP-Attr-255 = 0x013a HP-Attr-255 = 0x0140 HP-Attr-255 = 0x0141 HP-Attr-255 = 0x0151 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "DOM002\DW68406A", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 84 to 172.18.134.248 port 1812 EAP-Message = 0x0106040019c00000089b160301002a0200002603014a00a4ed4a3e2ac1489de523e4a75a46e342f93f08ce07266c3706baacc75b0c00000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303530343232323232355a170d3130303530343232323232355a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ba09d960ea3260af04d8e598747c45e986dd96a5610168a17aa1ba2199a9e310798230b2dcaf50afc0595f55e73e3e3a16d97a37aea0691b33be6441224e EAP-Message = 0xaa3e7ae28ec352d3742165a53e86eb01206a2c6d981e4e6661390980a8daca354de1f6f53d8da2f70dbf2db7a74ed5bf8f9cb40e9a1c305ea5ee832fbe947dd74253a174a477555a3963ec96c366153d35643f5915691e07178b78008614d49ebbeb77cd51d80cf522a6cbfe42c7df2e251a888d09d410e8204e25387be968b997511e3fc554e0ac6376f51c8ef421015b8adc9203ecd801c7177992620ad8594b91e3fc06345fb33768c95c5484e7b581edf539554d855032505f682befca5fcfa70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100540f0cbea4618045f3 EAP-Message = 0xe10753d45f4fedd23906f32490b1fc7b1ac0ef87e6e7690fc0c1d5d5f1ca10a985ee95c3a5eba0639baf2ef068c25c0bceae385b261488a0b973c8094a7dc72b55923387eae276cbb2b44e662cb12e27026bf9f906fa55f73771d21d5bfbc18157295030934a02bd175784ab036acb5679cbe232060028ac93e910551a3006dcc84c89905f2e549fdbe29730816b8edf06020ab951fe62b03ce46428488e54243793ac5c375142b79f439a77f5b8bd521633683884d72e5374e66181b73d1b221f80cb9db794221945c56bf7d34d2d0bbb5296e4e995a15175baed922bc922ea17ded14cee86a358782aeab2354f107fba4f4d6bea609b0004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc651d6b8c757cf27ba01eec66aff3857 Finished request 1. Going to the next request Waking up in 4.9 seconds. Thanks, Mike Davies ________________________________ This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain information that is confidential and protected by law from unauthorized disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.