Have you defined Auth-Type in users file to mschapv2 (don't do it)? What is the configuration for this user in the users file? On Tuesday 15 December 2009 13:00:07 you wrote:
As you can see, it says that it has stripped realm from username but it passes it along with username to ldap. How can I fix this?
Never mind. ldap filter did the job. Sorry about that.
Actually it's not working yet.
rad_recv: Access-Request packet from host 192.168.205.29 port 49154, id=0, length=178 Cleaning up request 15 ID 0 with timestamp +1232 NAS-IP-Address = 192.168.205.29 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "DOMAIN\\sti" State = 0x9bb6fc759d93e55343410152d73b1dba EAP-Message = 0x0225005b1900170301005046c5a952e0ad6d2ea7d132dd3c00c1a132df2329a23561c760d 4a45fb4f02e3bd1a848f5d4d3106ae52d4f442971b4c6aa4d0c157805647 9f03c76d350fc041b659e556368c4a63e30e09849d0aae29a Message-Authenticator = 0xf9700c8c22d81ecdb12a8f6731151a38 +- entering group authorize {...} ++[preprocess] returns ok [ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti" [ntdomain] Found realm "DOMAIN" [ntdomain] Adding Stripped-User-Name = "sti" [ntdomain] Adding Realm = "DOMAIN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 37 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x022500441a0225003f31a156d1579957b003643781fff8636e87000000000000000003367 b7948111ad6081798c179995c91c0268edae3409ae30046454152505c737 469 server { PEAP: Setting User-Name to DOMAIN\sti Sending tunneled request EAP-Message = 0x022500441a0225003f31a156d1579957b003643781fff8636e87000000000000000003367 b7948111ad6081798c179995c91c0268edae3409ae30046454152505c737 469 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "DOMAIN\\sti" State = 0x7b5d7eb57b7864abf97396c9fbfa8cb4 server { +- entering group authorize {...} ++[preprocess] returns ok [ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti" [ntdomain] Found realm "DOMAIN" [ntdomain] Adding Stripped-User-Name = "sti" [ntdomain] Adding Realm = "DOMAIN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 37 length 68 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 204 ++[files] returns ok [ldap] performing user authorization for sti [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=sti) [ldap] expand: ou=Users,dc=domain,dc=br -> ou=Users,dc=domain,dc=br rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Users,dc=domain,dc=br, with filter (uid=sti) [ldap] checking if remote access for sti is allowed by radiusFilterId [ldap] looking for check items in directory... rlm_ldap: userPassword -> User-Password == "{SMD5}/S4d+fNkBFL3TnpjceYuUiDPd+Q=" rlm_ldap: sambaNtPassword -> NT-Password == 0x4443384142353837303246373432304532443042323537333343453938394634 rlm_ldap: sambaLmPassword -> LM-Password == 0x3245414443463036424438463531344541414433423433354235313430344545 [ldap] looking for reply items in directory... rlm_ldap: radiusFilterId -> Filter-Id = "Enterasys:version=1:policy=Enterprise User" [ldap] user sti authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!! +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [DOMAIN\\sti/<via Auth-Type = EAP>] (from client tplink port 0 via TLS tunnel) } # server [peap] Got tunneled reply code 3 Filter-Id = "Enterasys:version=1:policy=Enterprise User" EAP-Message = 0x04250004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 Filter-Id = "Enterasys:version=1:policy=Enterprise User" EAP-Message = 0x04250004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.205.29 port 49154 EAP-Message = 0x012600261900170301001b5cfd418b7da0ea2be30d04270a1403956143966fe487e0870c4 b57 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9bb6fc759c90e55343410152d73b1dba Finished request 16. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.205.29 port 49154, id=0, length=125 Cleaning up request 16 ID 0 with timestamp +1232 NAS-IP-Address = 192.168.205.29 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "DOMAIN\\sti" State = 0x9bb6fc759c90e55343410152d73b1dba EAP-Message = 0x022600261900170301001b21b51585f6a2a91a76b4b00b320ac2a87db1c24bf9bfa298197 bf1 Message-Authenticator = 0x30d1290632d45610b95a3253910ba83b +- entering group authorize {...} ++[preprocess] returns ok [ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti" [ntdomain] Found realm "DOMAIN" [ntdomain] Adding Stripped-User-Name = "sti" [ntdomain] Adding Realm = "DOMAIN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 38 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [DOMAIN\\sti/<via Auth-Type = EAP>] (from client tplink port 2) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> DOMAIN\sti attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 17 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 17 Sending Access-Reject of id 0 to 192.168.205.29 port 49154 EAP-Message = 0x04260004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 17 ID 0 with timestamp +1232 Ready to process requests.
And how can I set XP for it to try authenticate during logon proccess?
That first question remains....