RE: Problem with EAP/MD5 behind proxy
You're stripping the realm at the proxy; add "nostrip" to the realm stanza defined in realms.conf for the server you're proxying to. Josh.
-----Original Message----- From: freeradius-users-bounces+j.howlett=ukerna.ac.uk@lists.freeradi us.org [mailto:freeradius-users-bounces+j.howlett=ukerna.ac.uk@lists. freeradius.org] On Behalf Of Hans Bornemann Sent: 07 December 2006 10:57 To: freeradius-users@lists.freeradius.org Subject: Problem with EAP/MD5 behind proxy
Hi,
I run into this problem:
Config:
802.1x client (Windows XP with 802.1x / md5 ) --> freeradius-proxy --> freeradius-server
Same prg-version on both server (1.1.0) same radius.conf same users file
if i try to authenticate against the proxy without realm, everything ist o.k.
if i try this with a realm the second radius-server shows this error:
rlm_eap: Identity does not match User-Name, setting from EAP Identity rlm_eap: Failed in handler
any ideas?
Hans
-- Hans Bornemann Universitaet Dortmund - Hochschulrechenzentrum Tel. ++49 231 755 2132 Fax. ++49 231 755 2731
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Josh, Thats what i want: stripping the realm at the proxy: proxy.conf: .. realm notebook { type = radius authhost = 111.222.111.111:1812 accthost = 111.222.111.111:1813 secret = blabla } users: .... testuser User-password == testing .... Login with testuser@notebook --> Authentication failed on radius-server no. 2 Login with testuser --> Authentication o.k. on radius-server no. 1 Both radius-server has the same users-file. Hans On Thu, 2006-12-07 at 11:28 +0000, Josh Howlett wrote:
You're stripping the realm at the proxy; add "nostrip" to the realm stanza defined in realms.conf for the server you're proxying to.
Josh.
-----Original Message----- From: freeradius-users-bounces+j.howlett=ukerna.ac.uk@lists.freeradi us.org [mailto:freeradius-users-bounces+j.howlett=ukerna.ac.uk@lists. freeradius.org] On Behalf Of Hans Bornemann Sent: 07 December 2006 10:57 To: freeradius-users@lists.freeradius.org Subject: Problem with EAP/MD5 behind proxy
Hi,
I run into this problem:
Config:
802.1x client (Windows XP with 802.1x / md5 ) --> freeradius-proxy --> freeradius-server
Same prg-version on both server (1.1.0) same radius.conf same users file
if i try to authenticate against the proxy without realm, everything ist o.k.
if i try this with a realm the second radius-server shows this error:
rlm_eap: Identity does not match User-Name, setting from EAP Identity rlm_eap: Failed in handler
any ideas?
Hans
-- Hans Bornemann Universitaet Dortmund - Hochschulrechenzentrum Tel. ++49 231 755 2132 Fax. ++49 231 755 2731
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Hans Bornemann Universitaet Dortmund - Hochschulrechenzentrum Tel. ++49 231 755 2132 Fax. ++49 231 755 2731
Hi Alan, Auth-Type := Local produced the following failure: users: steve Auth-Type := Local, User-Password = "testing" Debug output: Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 129.217.169.240:1645, id=134, length=149 User-Name = "steve" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-0E-84-A0-28-0D" Calling-Station-Id = "00-0B-5D-52-76-94" EAP-Message = 0x0202000a017374657665 Message-Authenticator = 0x21b9b903131d1f20dbfafc8035ad22ae Cisco-NAS-Port = "FastEthernet0/13" NAS-Port = 50013 NAS-Port-Type = Ethernet NAS-IP-Address = 129.217.169.240 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 44 rlm_eap: EAP packet type response id 2 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 44 modcall[authorize]: module "preprocess" returns ok for request 44 modcall[authorize]: module "chap" returns noop for request 44 modcall[authorize]: module "mschap" returns noop for request 44 rlm_realm: No '@' in User-Name = "steve", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 44 users: Matched entry steve at line 15 modcall[authorize]: module "files" returns ok for request 44 modcall: leaving group authorize (returns updated) for request 44 rad_check_password: Found Auth-Type Local auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [steve/<no User-Password attribute>] (from client gb5-sw5 port 50013 cli 00-0B-5D-52-76-94) Delaying request 44 for 1 seconds Finished request 44 Going to the next request Hans On Thu, 2006-12-07 at 12:32 +0000, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
testuser User-password == testing
testuser User-Password == "testing", Auth-Type := local
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Hans Bornemann Universitaet Dortmund - Hochschulrechenzentrum Tel. ++49 231 755 2132 Fax. ++49 231 755 2731
Sorry, only a typing error in the mail. the users file ist correct: steve Auth-Type := Local, User-Password == "testing" Hans
Hi,
Hi Alan,
Auth-Type := Local produced the following failure:
users: steve Auth-Type := Local, User-Password = "testing" ^^^^
do i have to query you on this one?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Hans Bornemann -
Josh Howlett