Il 19/01/2012 13:01, Phil Mayers ha scritto:
I'm not sure what the problem is then. From your original post, the authentication is failing at the *client*, in the inner EAP section. This normally means the final MSCHAP response is invalid, which only happens if some crypto has gone wrong somewhere. But then it should fail immediately, not after a timeout! And an immediate failure is the result when I *disable* 'with_ntdomain_hack=yes' line in mschap.
No changes even enabling "ntdomain" lines in 'default' and 'inner-tunnel' sites (IIUC those should only detect the domain, regardless of it being prefix or suffix).
Another problem I should fix is the fact that ZS's captive portal passes user@realm credentials instead of realm\user ... rewriting w/ a simple rule in hints file seems to block the rest, so I left it behind, for now. You can't alter usernames in EAP. They are usually mixed into the challenge/response data, and altering them in-flight means the challenge/response will fail. Ok. I'm not going to change 'em.
To be honest, there's too much going on in your setup; my advice would be to create a new server (running 2.1.12) and use the default setup. Test your EAP with eapol_test. Make small changes, storing the config into version control at each step. Identify exactly which point the failures start happening at. That's exactly what I've done till now. The failures start when I enable the auth I need. The problem w/ CP is just an "issue scheduled for later examination" -- nothing configured yet to fix it.
That's my 'hg diff' output (w/o the certs part) from the base config (from the tutorial): diff -r 434b2b3ededc clients.conf --- a/clients.conf Mon Jan 16 15:17:07 2012 +0100 +++ b/clients.conf Fri Jan 20 11:22:45 2012 +0100 @@ -232,3 +232,10 @@ # secret = testing123 # } #} + +client 137.204.65.161 { + secret = testing123qaz +} +client 137.204.65.96 { + secret = testing123qaz +} diff -r 434b2b3ededc modules/mschap --- a/modules/mschap Mon Jan 16 15:17:07 2012 +0100 +++ b/modules/mschap Fri Jan 20 11:22:45 2012 +0100 @@ -34,6 +34,7 @@ # corrects for that incorrect behavior. # #with_ntdomain_hack = no + #with_ntdomain_hack = yes # The module can perform authentication itself, OR # use a Windows Domain Controller. This configuration @@ -63,4 +64,7 @@ # the "best" user name for the request. # #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" + ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-PERSONALE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" +# ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{Stripped-User-Name}:-%{User-Name}} --domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" +# ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE} --username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}} --password=%{User-Password} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } diff -r 434b2b3ededc modules/ntlm_auth --- a/modules/ntlm_auth Mon Jan 16 15:17:07 2012 +0100 +++ b/modules/ntlm_auth Fri Jan 20 11:22:45 2012 +0100 @@ -8,5 +8,6 @@ # exec ntlm_auth { wait = yes - program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" +# program = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-PERSONALE} --username=%{mschap:User-Name} --password=%{User-Password}" + program = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE} --username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}} --password=%{User-Password} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } diff -r 434b2b3ededc sites-available/default --- a/sites-available/default Mon Jan 16 15:17:07 2012 +0100 +++ b/sites-available/default Fri Jan 20 11:22:45 2012 +0100 @@ -116,7 +116,7 @@ # the other styles won't be checked. # suffix -# ntdomain + ntdomain # # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP @@ -306,6 +306,8 @@ # handled # override the "updated" code from attr_filter # } # } + +# ntlm_auth } @@ -347,7 +349,7 @@ # home server as authentication requests. # IPASS suffix -# ntdomain + ntdomain # # Read the 'acct_users' file diff -r 434b2b3ededc sites-available/inner-tunnel --- a/sites-available/inner-tunnel Mon Jan 16 15:17:07 2012 +0100 +++ b/sites-available/inner-tunnel Fri Jan 20 11:22:45 2012 +0100 @@ -89,7 +89,7 @@ # it difficult to bill people for their network activity. # suffix -# ntdomain + ntdomain # # The "suffix" module takes care of stripping the domain @@ -231,6 +231,8 @@ # ldap # } +# ntlm_auth + # # Allow EAP authentication. eap As you can see there are only minimal changes... BYtE, Diego.