On 05/20/2011 10:33 PM, Mark Jones wrote:
Here is the latest debug...Im not sure what to try next.
Latest debug... ok, what has changed?
rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=186, length=216 NAS-IP-Address = 10.152.0.100 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 User-Name = "host/TEST-11501.hpsd48.ab.ca" Calling-Station-Id = "00265EE9B2CA" Called-Station-Id = "000B86611894" MS-CHAP-Challenge = 0xa389f8f8a19c2761c3f31128115bac7f MS-CHAP2-Response = 0x0800afc6531b8f43785e186a0578c795c13b00000000000000005f4828b8f016c112e3e453505d0c203f7172ad8a40f17c02 Service-Type = Login-User Aruba-Essid-Name = "HPSD_RAD2" Aruba-Location-Id = "Tech 01"
This is still a plain MSCHAP request, indicating that the Aruba equipment is still terminating the PEAP itself, and translating the EAP-MSCHAP to plain MSCHAP. As per my previous emails, I recommend you change this.
# Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' <mailto:'@'> in User-Name = "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca
So this is a full host/name.domain.com now - what did you change?
[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$) [ldap] expand: o=hpsd_48 -> o=hpsd_48 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 172.17.152.4:636, authentication 0 [ldap] setting TLS mode to 1 [ldap] bind as cn=admin,o=hpsd_48/xxxxxx to 172.17.152.4:636 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$) [ldap] Added the eDirectory password xxxxxx in check items as Cleartext-Password
Ok, you're using Novell eDir here? Are you using DSFW? I know almost nothing about Novell, but a recent poster to the list was using eDir and DFSW, and he suggested that you need to: 1. use LDAP/eDir for users 2. use Samba/ntlm_auth for machines See here: https://lists.freeradius.org/pipermail/freeradius-users/2011-May/msg00069.ht...
[ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect
Again, only three possible choices: 1. The client is sending the wrong data (i.e password - unlikely) 2. The server is using the wrong data (i.e. password from LDAP is incorrect) 3. Something is fiddling with the data in-flight (e.g. Aruba messing with the EAP)