I sent this earlier but it doesn't look like it made it, so here it goes again. This is the output from radiusd -X rad_recv: Access-Request packet from host 192.168.3.44:1645, id=139, length=139 User-Name = "UPG\\test" Framed-MTU = 1400 Called-Station-Id = "0013.8032.40d1" Calling-Station-Id = "0090.4b1d.86cc" Service-Type = Login-User Message-Authenticator = 0x719f121abfb3b27a8746acabe0e1b6c6 EAP-Message = 0x0202000f123d4544566a726176616c NAS-Port-Type = Wireless-802.11 NAS-Port = 1527 NAS-IP-Address = 192.168.3.44 NAS-Identifier = "Cisco_AP" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 32 modcall[authorize]: module "preprocess" returns ok for request 32 rlm_eap: EAP packet type response id 2 length 15 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 32 rlm_realm: No '/' in User-Name = "test", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "test" rlm_realm: Proxying request from user test to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 32 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 32 modcall[authorize]: module "etc_smbpasswd" returns notfound for request 32 modcall: group authorize returns updated for request 32 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 32 rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 32 modcall: group authenticate returns invalid for request 32 auth: Failed to validate the user. Delaying request 32 for 1 seconds Finished request 32 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 139 to 192.168.3.44:1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 32 ID 139 with timestamp 441affff Nothing to do. Sleeping until we see a request. Alan DeKok <aland@ox.org> wrote: Agent Smith wrote:
When a user connectes, they are presented with a login box (username, password and domain name) if they put a domain name in the domain field, radius can't authenticate them and gives that error message. when the domain field is left empty, it works fine.
You should be able to use a module before 'eap" to fix the Username.
I read some posting that talked about how you have to turn off ntdomain_hack off and I tried that, it didn't gave me that error but then the ntlm_auth failed saying 'NO SUCH USER' so my guess is that the user-name has to be exactly same as what gets sent into EAP message.
If you're using ntlm_auth, you're not using EAP-TLS. You're using EAP-PEAP, there's a difference. And the ntlm_auth program is run *only* inside of the TLS tunnel, where there's no certificate, so matching username to certificate isn't a problem.
has anyone else ran into this? any ideas on how to fix it?
Run the server in debugging mode and post the results to the list. Odds are there's a simple way to do what you want. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --------------------------------- Yahoo! Mail Use Photomail to share photos without annoying attachments.