Ok I am almost done with all the questions... Now when I go to login to wifi I am able to download cert and everything but I get an authentication failure. I have read most of it and am a little confused. Just wondering if any one had better insight on this. # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x02b0004a1a02b00045315bc9cd734ccc2fe9d6828b890731a36500000000000000005095b99f78e93a0cbf7b644f020752b0d8ea2f460ece269100434f52505c61736368617070656c6c server { [peap] Setting User-Name to CORP\aschappell Sending tunneled request EAP-Message = 0x02b0004a1a02b00045315bc9cd734ccc2fe9d6828b890731a36500000000000000005095b99f78e93a0cbf7b644f020752b0d8ea2f460ece269100434f52505c61736368617070656c6c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "CORP\\aschappell" State = 0x56c64cb95676560312b36f089a4e917a server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "CORP\aschappell", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 176 length 74 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> CORP\aschappell [sql] sql_set_user escaped user --> 'CORP\aschappell' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'CORP=5Caschappell' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'CORP=5Caschappell' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 [sql] User CORP\aschappell not found ++[sql] returns notfound [ldap] performing user authorization for CORP\aschappell [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> CORP\5caschappell [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=CORP\5caschappell) [ldap] expand: dc=corp,dc=clearedgeit,dc=com -> dc=corp,dc=clearedgeit,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (sAMAccountName=CORP\5caschappell) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack? [mschap] Creating challenge hash with username: CORP\aschappell [mschap] Told to do MS-CHAPv2 for CORP\aschappell with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\260E=691 R=1" EAP-Message = 0x04b00004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\260E=691 R=1" EAP-Message = 0x04b00004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 126 to 10.0.1.149 port 32776 EAP-Message = 0x01b1002b190017030100209af0407cf44f78b901232ee0fa6c447f520423a19f0fa21733930383a8d19585 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdfd6c0e5d767d92d9b96730baefb4877 Finished request 29. Going to the next request Waking up in 2.7 seconds. rad_recv: Access-Request packet from host 10.0.1.149 port 32776, id=127, length=231 User-Name = "CORP\\aschappell" NAS-IP-Address = 10.0.1.149 NAS-Identifier = "24a43c105cfc" NAS-Port = 0 Called-Station-Id = "24-A4-3C-1B-9F-92:ClearEdgeCORP" Calling-Station-Id = "C8-BC-C8-C0-1D-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02b1002b1900170301002062c0e9553e6ba5810b4c114546a334c660bc79916f7276b819b2d01a9fe7faab State = 0xdfd6c0e5d767d92d9b96730baefb4877 Message-Authenticator = 0x8de5a0f2aaede3f1ef08eecdd9bad205 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CORP\aschappell", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 177 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> CORP\aschappell attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 30 for 1 seconds Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/> On Mon, Mar 30, 2015 at 3:33 PM, Adam Schappell <aschappell@clearedgeit.com> wrote:
Thanks for everyones help. I dont know what exactly I did but I got access accept..
Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "radius" with password "test"
[ldap] user DN: CN=rtest,OU=Users,OU=Jetestp,OU=ClearEdge,DC=corp,DC=test,DC=com
[ldap] (re)connect to dc1.corp.clearedgeit.com:389, authentication 1
[ldap] bind as CN=rtests,OU=Users,OU=test,OU=ClearEdge,DC=corp,DC=testeit,DC=com/test to dc1.corp.clearedgeit.com:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user radius authenticated succesfully
++[ldap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 135 to 127.0.0.1 port 48249
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 135 with timestamp +8
Ready to process requests.
Adam Schappell System Administrator II Clearedge IT Solutions, LLC 10620 Guilford Road Jessup, MD 20794 Office:443-212-4712 Fax:443-212-4809 www.ClearEdgeIT.com <http://www.clearedgeit.com/>
On Mon, Mar 30, 2015 at 3:23 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I get its failing but I do not know what else to set it to, It is the
read the error. deduce the issue
[ldap] expand: (&(SAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (&(SAMAccountName=radius) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
thats wehat came out of the expansion of your current config
[ldap] performing search in dc=corp,dc=clearedgeit,dc=com, with filter (&(SAMAccountName=radius)
[ldap] ldap_search() failed: Bad search filter: (&(SAMAccountName=radius)
and thats the result
[ldap] search failed
which means that happens
the binding and the searching are 2 different things. you had 'working' but failing search with uid - you've now just got a broken search
I'd just hazard a guess that you should be using eg (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name})
note how upper and lower case have been chosen.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html