handling win domain name in username
Environmnet: Freeradius with PAP on Windows Username: domain\user1 password: ******* Looks like the Freeradius doesn't seem to like the windows domain name as part of username? Just plain username without a backslash works fine.
Hi,
Environmnet: Freeradius with PAP on Windows Username: domain\user1 password: ******* Looks like the Freeradius doesn't seem to like the windows domain name as part of username?
FreeRADIUS doesnt care. your chosen authentication method cares. if you dont want that 'domain' to appear then use the prefix module and ensure you have that domain listed in proxy.conf eg domain { } alan
The user name in LDAP is of the form domainname\username. I wanted to configure the same username in the freeradius as well but different password than LDAP. Authentication fails on the Radius side with this kind of username. If freeradius doesn;t care, not sure why it fails for such usernames. ________________________________ From: alan buxey <A.L.M.Buxey@lboro.ac.uk> To: Crne We <crnewe@yahoo.com>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Wednesday, September 26, 2012 1:07 AM Subject: Re: handling win domain name in username Hi,
Environmnet: Freeradius with PAP on Windows Username: domain\user1 password: ******* Looks like the Freeradius doesn't seem to like the windows domain name as part of username?
FreeRADIUS doesnt care. your chosen authentication method cares. if you dont want that 'domain' to appear then use the prefix module and ensure you have that domain listed in proxy.conf eg domain { } alan
Here is the failure trace for this user: domain1\user1 Cleartext-Password := "pass1": The backslash leads the code to think it's System auth_type when in fact it's PAP. Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:63550, id=1, length=58 User-Name = "domain1\\user1" User-Password = "pass1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '../var/log/radius/radacct/127.0.0.1/auth-detail-20120926.log rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m g expands to ../var/log/radius/radacct/127.0.0.1/auth-detail-20120926.log modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "domain1\\user1", looking up realm rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authenticat ay fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type System auth: type "System" ERROR: Unknown value specified for Auth-Type. Cannot perform requested a . auth: Failed to validate the user. Login incorrect: [domain1\\user1/pass1] (from client localhost port 0) ________________________________ From: Crne We <crnewe@yahoo.com> To: alan buxey <A.L.M.Buxey@lboro.ac.uk>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Wednesday, September 26, 2012 12:07 PM Subject: Re: handling win domain name in username The user name in LDAP is of the form domainname\username. I wanted to configure the same username in the freeradius as well but different password than LDAP. Authentication fails on the Radius side with this kind of username. If freeradius doesn;t care, not sure why it fails for such usernames. ________________________________ From: alan buxey <A.L.M.Buxey@lboro.ac.uk> To: Crne We <crnewe@yahoo.com>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Wednesday, September 26, 2012 1:07 AM Subject: Re: handling win domain name in username Hi,
Environmnet: Freeradius with PAP on Windows Username: domain\user1 password: ******* Looks like the Freeradius doesn't seem to like the windows domain name as part of username?
FreeRADIUS doesnt care. your chosen authentication method cares. if you dont want that 'domain' to appear then use the prefix module and ensure you have that domain listed in proxy.conf eg domain { } alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
The backslash leads the code to think it's System auth_type when in fact it's PAP.
no. thats a line at the bottom of your users file thats doing that. if you want to deal with this request then your authentication needs to be configured to handle that - the server is saying it doesnt know the realm...but hasnt been told what to do with it so is trying to do things locally anyway. you could, for example in proxy.conf have eg domain1 { } and it would know, via the prefix module, that this is a local user to deal with.. so, HOW are you currently trying to authenticate, user in users file? user in LDAP? alan
On 09/26/2012 09:00 PM, Crne We wrote:
Here is the failure trace for this user: domain1\user1 Cleartext-Password := "pass1": The backslash leads the code to think it's System auth_type when in fact it's PAP.
No, it doesn't. Can you explain in simple, unambiguous terms, what you want to do? For example: 1. requests are recieved with "user" or "DOMAIN\user" 2. lookup all users in LDAP directory with "DOMAIN\user" form 3. Authentiate user with info returned from LDAP ...or something?
participants (3)
-
alan buxey -
Crne We -
Phil Mayers