Alan DeKok wrote:
Josh Hiner wrote:
Trying to configure eap ttls with mschapv2 using Freeradius version Version 1.1.3 in Redhat enterprise Linux 5.
I suggest upgrading. It's not hard to build an RPM of the latest version of the server.
Upgrading will get you a lot.
Ok I did upgrade, please see my post below =D.
I have configured everything and gotten free radius to authenticate off /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have run into is when I switch the securew2 windows xp eap-ttls client to use the current logged on user credentials. Then, SecureW2 sends the username in the format of DOMAIN/user (which in this case is HTN/josh). Authentication then fails because of this extra domain part in the user. Ok fine, I first enable the nt_domain_hack in the mschap module then I configured realm ntdomain and simply set a default realm in proxy.conf to strip off the domain part. Nope, that fails (output will be included below). I also tried nostrip but that also fails obviously. Also tried silently stripping the domain in pre-process in radiusd.conf. Auth is successful but finally rejected because the user doesnt match the original HTN/josh user sent.
This is fixed in 2.x. You can have different policies for inside the TLS tunnel and outside of it. This makes these configurations easier.
Ok I do see this now but am still getting the same error. Please see below.
Anyways, anyone know of how to get etc_smbpasswd module to work. I dont want to use the users file (blech) even though it does work when I put the user in there, and again, if I just supply the username and password (and leave the domain part blank in SecureW2 ttls client) authentication does work of /etc/samba/smbpasswd.
Honestly... there are 3-4 solutions which are trivial in 2.x. Any solution is hard in 1.1.3. I don't even recall what feature set it has (or is missing).
Alan DeKok.
Ok, I have upgraded to Freeradius version 2.1.3 (following the suggestion above). I have configured and gotten everything to work except for the domain name stripping at the front of the username (eg: HTN/josh). If I dont supply the domain name, authentication succeeds perfectly. I am still getting the same error that I was with Freeradius version 1.3.1. Ive configured a HTN realm to strip off the HTN part and in the debug, it appears to work as stripped-user=josh gets proxied back. Then authentication failes in the same way as it did before? It is mentioned above that there are 3-4 solutions which are trivial in 2.x. Since I have Freeradius basically running, could someone spare some of their valuable time with a pointer on stripping off the HTN part of the user so authentication will succeed? Thanks =D. Below is the part of my debug output from Freeradius showing the authentication failure. Once again, it works perfectly if I dont supply the domain name (I can then connect perfectly via eap-ttls with mschapv2). Hopefully I am close. I can supply more of my configs if needed. Thanks -Josh server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "HTN\josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "HTN" for User-Name = "HTN\josh" [ntdomain] Found realm "HTN" [ntdomain] Adding Stripped-User-Name = "josh" [ntdomain] Adding Realm = "HTN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 1 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[etc_smbpasswd] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for josh with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 MS-CHAP-Error = "\001E=691 R=1" EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls rlm_eap_ttls: Freeing handler for user HTN\josh [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user.