Dear Alan and people, thanks for your response. Below I show you the log from Freeradius in debug mode. But I need to say something before showing the logs: the WiFi notebook clients are Windows 7 and 10, the users logged into them are domain users, and we want to use these users in order to connect AUTOMATICALLY to our WiFi network. This means that we need the user to automatically connect to wifi network without type user or user@domain or domain\user, just type the corresponding password to the domain user from the notebook. The log is this: rad_recv: Access-Request packet from host 192.168.1.250 port 32769, id=59, length=412 User-Name = "host/NB100.domain.com" Calling-Station-Id = "24:0a:64:33:43:c7" Called-Station-Id = "44:ad:d9:0e:dd:40:Test-radius" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000000685943ee2e" NAS-IP-Address = 192.168.1.250 NAS-Identifier = "WLC" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x020700901580000000861603010046100000424104df31414042b0d244a7712595d396618c2b2b1bed913f71b10c4b86a308500b9979452bec950cf5c175adc2a421f3e1379d4f2bdb2e1bb7fc14eeb78e6dd1baa114030100010116030100307c89f3e96ccb753fc640b7610548d56f0c3ed30a73e291c63eb7085a430189922680bb69c7cbd567500b05c63bb76c8d State = 0xf7161b91f3110e7694cf1c709482b6fc Message-Authenticator = 0xc0000c50748336541b27a2a07c1cf909 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/NB100.domain.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 7 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 134 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [ttls] TLS_accept: unknown state [ttls] TLS_accept: unknown state [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: unknown state [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: unknown state [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: unknown state [ttls] TLS_accept: unknown state [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 59 to 192.168.1.250 port 32769 EAP-Message = 0x0108004515800000003b1403010001011603010030ec57aa02d394d0e82f3c4e7e7615f5c9d454c1b7a187db4110a6e4bf4279e4470958bf3a061fadfe3b0bd9eb3778c688 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf7161b91f21e0e7694cf1c709482b6fc Finished request 6. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 54 with timestamp +511 Cleaning up request 2 ID 55 with timestamp +511 Cleaning up request 3 ID 56 with timestamp +511 Cleaning up request 4 ID 57 with timestamp +511 Cleaning up request 5 ID 58 with timestamp +511 Cleaning up request 6 ID 59 with timestamp +511 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xf7161b91f21e0e76 did not finish! WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility rad_recv: Access-Request packet from host 192.168.1.250 port 32769, id=60, length=258 User-Name = "DOMAIN.COM\\alejandro" Calling-Station-Id = "24:0a:64:33:43:c7" Called-Station-Id = "44:ad:d9:0e:dd:40:Test-radius" NAS-Port = 13 Cisco-AVPair = "audit-session-id=ac1f0c62000000685943ee2e" NAS-IP-Address = 192.168.1.250 NAS-Identifier = "WLC" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0202001501472d424150524f5c616261726c697a61 Message-Authenticator = 0x6909a617235e3ada0db90748d81e7ddd # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "DOMAIN\alejandro", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [sql] expand: %{User-Name} -> DOMAIN.COM\\alejandro [sql] sql_set_user escaped user --> 'DOMAIN.COM\\alejandro' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'DOMAIN=5C=5C=5C=5Calejandro' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'DOMAIN=5C=5C=5C=5Calejandro' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 [sql] User DOMAIN.COM\\alejandro not found ++[sql] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 60 to 192.168.1.250 port 32769 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x92095a79920a4f103a071bb9e5e9a7b2 Finished request 7. Going to the next request Waking up in 4.9 seconds. Special thanks !!! Alejandro 2017-06-15 14:05 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Jun 15, 2017, at 12:22 PM, Alejandro Cabrera Obed <aco1967@gmail.com> wrote:
Dear, we have a Freeradius 2.2.5 server in order to authenticate WiFi users from cell phones and notebooks.
In the case of cell phones, the users type the corresponding usernames and passwords and after that Freeradius passes it to the AD and everything works OK.
That's good.
In the case of the notebooks, the Windows users are logged into our DC domain, then they type the username or username@domain or domain\username with the corresponding passwords but in theses cases they can't authenticate against the AD (there is a reject message in the Freradius log).
So... what is the reject message?
Please post the full debug output as suggested in the FAQ, "man" pages, wiki, and daily on this list.
In case they are not logged into the domain, and they are local users in the notebooks, if they type just their usernames (without domain) they authenticate OK.
That's good.
So how can I authenticate Windows users against the AD when they are logged into the domain??? Do I have to define a special directive in a config file from freeradius, winbind or samba?
It's not magic. But it DOES require that you read the debug output.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- // Alejandro //