Hi, I have a problem with huntgroups and wpa2. It concerns the following: First, huntgroups works with ntradping and crypt-passwd: mysql-db unzinn | NT-Password | := | 7C53CFA5EA7D0F9B3B968AA0FB51A3F5 unzinn | crypt-password | == | $1$7ftISFCW$xp.n8LMOxfPD7GqdSJqZC1 unzinn | Huntgroup-Name | == | hrzvpn with wpa2 (PEAP/MSCHAPv2) it works only without the huntgroup entry. Is this a problem because of different adresses? Access-Request packet from host 129.217.169.191 .. NAS-IP-Address = 129.217.157.246 ? huntgroups: hrzvpn NAS-IP-Address == 129.217.157.246 debug: rad_recv: :32769, id=33, length=176 User-Name = "unzinn" Calling-Station-Id = "00-19-D2-CF-E5-50" Called-Station-Id = "00-0B-85-9A-2D-30:ITMC-WPA2" NAS-Port = 29 NAS-IP-Address = 129.217.157.246 NAS-Identifier = "mh-wlc4" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "3503" EAP-Message = 0x0201000b01756e7a696e6e Message-Authenticator = 0x2bf90a315bc202464b3819722bfef98e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "chap" returns noop for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '@' in User-Name = "unzinn", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 1 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 radius_xlat: 'unzinn' rlm_sql (sql): sql_set_user escaped user --> 'unzinn' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'unzinn' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'unzinn' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'unzinn' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'unzinn' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 2 rlm_sql (sql): No matching entry in the database for request from user [unzinn] modcall[authorize]: module "sql" returns notfound for request 9 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 9 modcall: leaving group authorize (returns updated) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" .... Thanks Hans -- Hans Bornemann Universitaet Dortmund - ITMC Tel. ++49 231 755 2132 Fax. ++49 231 755 2731
Hans Bornemann wrote:
Hi,
I have a problem with huntgroups and wpa2. It concerns the following:
First, huntgroups works with ntradping and crypt-passwd:
mysql-db
unzinn | NT-Password | := | 7C53CFA5EA7D0F9B3B968AA0FB51A3F5 unzinn | crypt-password | == | $1$7ftISFCW$xp.n8LMOxfPD7GqdSJqZC1
This is wrong; remove it, or set the operator to :=
Hi, did you mean the operator for the huntgroups? hans On Thu, 2008-04-10 at 10:29 +0100, Phil Mayers wrote:
Hans Bornemann wrote:
Hi,
I have a problem with huntgroups and wpa2. It concerns the following:
First, huntgroups works with ntradping and crypt-passwd:
mysql-db
unzinn | NT-Password | := | 7C53CFA5EA7D0F9B3B968AA0FB51A3F5 unzinn | crypt-password | == | $1$7ftISFCW$xp.n8LMOxfPD7GqdSJqZC1
This is wrong; remove it, or set the operator to := -- Hans Bornemann Universitaet Dortmund - ITMC Tel. ++49 231 755 2132 Fax. ++49 231 755 2731
Hans Bornemann wrote:
Hi,
did you mean the operator for the huntgroups?
No. Crypt-Password
hans
On Thu, 2008-04-10 at 10:29 +0100, Phil Mayers wrote:
Hans Bornemann wrote:
Hi,
I have a problem with huntgroups and wpa2. It concerns the following:
First, huntgroups works with ntradping and crypt-passwd:
mysql-db
unzinn | NT-Password | := | 7C53CFA5EA7D0F9B3B968AA0FB51A3F5 unzinn | crypt-password | == | $1$7ftISFCW$xp.n8LMOxfPD7GqdSJqZC1 This is wrong; remove it, or set the operator to :=
Hi, maybe a missunderstanding. The authentication with crypt-password works fine. The authentication with nt-passwords only works, if no huntgroup is defined in the database. if huntgroup is defined: rlm_sql (sql): No matching entry in the database for request from user if not: modcall[authorize]: module "sql" returns ok for request 0 i have checked the debug - the nas-ip is the same as defined in the huntgroupsfile thanks Hans On Thu, 2008-04-10 at 10:49 +0100, Phil Mayers wrote:
Hans Bornemann wrote:
Hi,
did you mean the operator for the huntgroups?
No. Crypt-Password
hans
On Thu, 2008-04-10 at 10:29 +0100, Phil Mayers wrote:
Hans Bornemann wrote:
Hi,
I have a problem with huntgroups and wpa2. It concerns the following:
First, huntgroups works with ntradping and crypt-passwd:
mysql-db
unzinn | NT-Password | := | 7C53CFA5EA7D0F9B3B968AA0FB51A3F5 unzinn | crypt-password | == | $1$7ftISFCW$xp.n8LMOxfPD7GqdSJqZC1 This is wrong; remove it, or set the operator to :=
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Hans Bornemann Universitaet Dortmund - ITMC Tel. ++49 231 755 2132 Fax. ++49 231 755 2731
Hi, huntgroups and PEAP works, if you set copy_request_to_tunnel = yes in eap.conf. eap.conf: ... peap { # The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the # PEAP tunnel, we recommend using MS-CHAPv2, # as that is the default type supported by # Windows clients. default_eap_type = mschapv2 # the PEAP module also has these configuration # items, which are the same as for TTLS. copy_request_to_tunnel = yes .... hans On Thu, 2008-04-10 at 12:50 +0200, Hans Bornemann wrote:
Hi,
maybe a missunderstanding. The authentication with crypt-password works fine. The authentication with nt-passwords only works, if no huntgroup is defined in the database.
if huntgroup is defined: rlm_sql (sql): No matching entry in the database for request from user
if not: modcall[authorize]: module "sql" returns ok for request 0
i have checked the debug - the nas-ip is the same as defined in the huntgroupsfile
thanks Hans
On Thu, 2008-04-10 at 10:49 +0100, Phil Mayers wrote:
Hans Bornemann wrote:
Hi,
did you mean the operator for the huntgroups?
No. Crypt-Password
hans
On Thu, 2008-04-10 at 10:29 +0100, Phil Mayers wrote:
Hans Bornemann wrote:
Hi,
I have a problem with huntgroups and wpa2. It concerns the following:
First, huntgroups works with ntradping and crypt-passwd:
mysql-db
unzinn | NT-Password | := | 7C53CFA5EA7D0F9B3B968AA0FB51A3F5 unzinn | crypt-password | == | $1$7ftISFCW$xp.n8LMOxfPD7GqdSJqZC1 This is wrong; remove it, or set the operator to :=
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Hans Bornemann Universitaet Dortmund - ITMC Tel. ++49 231 755 2132 Fax. ++49 231 755 2731
I have Mike's spot under the carport in the A lot today, so he can be in the shade. I'll come over after staff meeting. -----Original Message----- From: freeradius-users-bounces+cyoho=umpublishing.org@lists.freeradius.org [mailto:freeradius-users-bounces+cyoho=umpublishing.org@lists.freeradius .org] On Behalf Of Hans Bornemann Sent: Thursday, April 10, 2008 8:15 AM To: FreeRadius users mailing list Subject: Re: wpa2 - huntgroup problems -fixed Hi, huntgroups and PEAP works, if you set copy_request_to_tunnel = yes in eap.conf. eap.conf: ... peap { # The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the # PEAP tunnel, we recommend using MS-CHAPv2, # as that is the default type supported by # Windows clients. default_eap_type = mschapv2 # the PEAP module also has these configuration # items, which are the same as for TTLS. copy_request_to_tunnel = yes .... hans On Thu, 2008-04-10 at 12:50 +0200, Hans Bornemann wrote:
Hi,
maybe a missunderstanding. The authentication with crypt-password works fine. The authentication with nt-passwords only works, if no huntgroup is defined in the database.
if huntgroup is defined: rlm_sql (sql): No matching entry in the database for request from user
if not: modcall[authorize]: module "sql" returns ok for request 0
i have checked the debug - the nas-ip is the same as defined in the huntgroupsfile
thanks Hans
On Thu, 2008-04-10 at 10:49 +0100, Phil Mayers wrote:
Hans Bornemann wrote:
Hi,
did you mean the operator for the huntgroups?
No. Crypt-Password
hans
On Thu, 2008-04-10 at 10:29 +0100, Phil Mayers wrote:
Hans Bornemann wrote:
Hi,
I have a problem with huntgroups and wpa2. It concerns the following:
First, huntgroups works with ntradping and crypt-passwd:
mysql-db
unzinn | NT-Password | := |
7C53CFA5EA7D0F9B3B968AA0FB51A3F5
unzinn | crypt-password | == | $1$7ftISFCW$xp.n8LMOxfPD7GqdSJqZC1 This is wrong; remove it, or set the operator to :=
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Hans Bornemann Universitaet Dortmund - ITMC Tel. ++49 231 755 2132 Fax. ++49 231 755 2731
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Hans Bornemann -
Phil Mayers -
Yoho, Cindy