Hi all, I have a problem, can't authenticate my user with win login user/pass.
I use: - 802.1x - newest freeradius, and ubuntu 8.4 - eap-tls - win xp sp2 client, use automatic win logon and pass
When "Automatically use my Windows login name and password" is unchecked on the windows, i type user/pass and my radius is accept the request. and everything is okay.
But, When i try it with automatic win login/pass, the radius reject the request. I set the with-ntdomain-hack=yes to preprocess and it cut the domain part. its seems okay but still reject.
I have good user settings.
what is the problem? password encription?
No.
the debug log:
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=228, length=160
..
User-Name = "DOMAIN\\Joe"
..
[suffix] No '@' in User-Name = "Joe", looking up realm NULL
..
[eap] Identity does not match User-Name, setting from EAP Identity.
..
You are rewriting the User-Name. Don't do that.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
when I use the with-ntdomain-hack=no the result is : rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=137, length=200 NAS-IP-Address = 192.168.1.1 NAS-Port = 50003 Cisco-NAS-Port = "FastEthernet0/3" NAS-Port-Type = Ethernet User-Name = DOMAIN\\Joe" Called-Station-Id = "00-09-B7-94-CA-83" Calling-Station-Id = "00-13-D4-E7-B3-FB" Service-Type = Framed-User Framed-MTU = 1500 State = 0xd2b62910daab305146382a3fd0fd1f65 EAP-Message = 0x021d00261900170301001b4857496f15b6b51dff76c2cd1e72b58feb956122b8ae08030ba37d Message-Authenticator = 0x2361c53f5b43fce8fdfa4799b5112dde +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "DOMAIN\Joe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 29 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [DOMAIN\\Joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> DOMAIN\Joe attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 29 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 29 Sending Access-Reject of id 137 to 192.168.1.1 port 1812 EAP-Message = 0x041d0004 Message-Authenticator = 0x00000000000000000000000000000000 rejected too. GH