The change would have been whatever changed with yum-update, which ran on the 16th, and did include the freeradius, freeradius-utils and freeradius-mysql packages, but according to the RedHat change logs those packages were updated in September to fix the miscalculated MPPE keys with TLS 1.2 and nothing beyond that. Apart from running updates, the only thing we typically ever is adding new access points in clients.conf. Thanks, -mat Full debug: Waking up in 2.6 seconds. rad_recv: Access-Request packet from host 172.18.255.6 port 20002, id=254, length=162 NAS-Port-Id = "AP1306/2" Calling-Station-Id = "6C-88-14-54-69-28" Called-Station-Id = "00-26-3E-8D-79-C1:UWMWiFi" Service-Type = Framed-User EAP-Message = 0x020100120141445c706f6469612d75736572 User-Name = "AD\\podia-user" NAS-Port = 64901 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 172.18.255.6 NAS-Identifier = "Juniper" Message-Authenticator = 0xe3d83b401df09685c4df6a885095fa4f # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "podia-user", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry DEFAULT at line 50 ++[files] = ok ++[expiration] = noop ++[logintime] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Identity (AD\podia-user) does not match User-Name (podia-user). Authentication failed. [eap] Failed in handler ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [podia-user] (from client 172.18.255.6 port 64901 cli 6C-88-14-54-69-28) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> podia-user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 55 for 1 seconds On Tue, Dec 29, 2015 at 10:21 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 29, 2015, at 11:11 AM, Migo Pod <migopod@gmail.com> wrote:
Previously we've been having no issues authenticating people with username. AD\username. and username@realm, but on around the 16th people with the AD\username format started getting authentication failures.
What changed on the 16th?
We're running RHEL6 with the distro supplied freeradius binary (freeradius-2.2.6-6.el6_7.x86_64) and haven't made any changes to anything besides system updates in over a year, and it has been working perfectly up until now.
Things don't change by magic. *Something* changed.
Here's a relevant log snippet that appears to describe the issue, but I have no idea where to start looking for a solution. ... [eap] Identity (AD\podia-user) does not match User-Name (podia-user).
Post the FULL debug log, including the packet that the server received.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html