Error: User-Name is not the same as MS-CHAP name
The "MS-CHAP-Use-NTLM-Auth := no" did the job but I still have one problem with Windows XP clients, I get a " [mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2". Users log on locally, the host name is not a domain name. Windows 7 clients work fine because they send only the username. I do some rewrites so I can get the username for the LDAP authentication and the computers name for computer account authentication (I'm not familiar with unlang yet). We use FR 2.1.10. Any idea how to fix this ? Windows XP debug: http://www.cspi.qc.ca/sinfrmc/windowsxp.htm Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm On 05/05/11 15:17, Robert Mc Cready wrote:
We use Novell eDirectory and DSFW (Directory Services for Windows)
which is kind of a Windows domain inside an OU in eDirectory. I want
to authenticate users using LDAP and Windows computers account using
ntlm_auth. There is only computers accounts in the Windows domain.
The computer authentication is working fine but the users
authentication with LDAP fails if ntlm_auth is configured. If I don't
use ntlm_auth the users authentication works. Is there a way to have
both of them working together?
Yes. Something like this: authorize { ... if (User-Name !~ /^host\//) { update control { MS-CHAP-Use-NTLM-Auth := no } } ... } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html We use Novell eDirectory and DSFW (Directory Services for Windows) which is kind of a Windows domain inside an OU in eDirectory. I want to authenticate users using LDAP and Windows computers account using ntlm_auth. There is only computers accounts in the Windows domain. The computer authentication is working fine but the users authentication with LDAP fails if ntlm_auth is configured. If I don't use ntlm_auth the users authentication works. Is there a way to have both of them working together? We use PEAP. Working user authentication with LDAP debug (ntlm_auth not configured): http://www.cspi.qc.ca/sinfrmc/ldap_only.htm Working Windows computer account authentication: http://www.cspi.qc.ca/sinfrmc/mschap_only.htm User account getting rejected debug (with ntlm_auth configured): http://www.cspi.qc.ca/sinfrmc/mschap_and_ldap.htm Thanks, Robert.
W dniu 2011-05-07 20:50, Robert Mc Cready pisze:
The "MS-CHAP-Use-NTLM-Auth := no" did the job but I still have one problem with Windows XP clients, I get a " [mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2". Users log on locally, the host name is not a domain name. Windows 7 clients work fine because they send only the username. I do some rewrites so I can get the username for the LDAP authentication and the computers name for computer account authentication (I'm not familiar with unlang yet). We use FR 2.1.10.
Any idea how to fix this ?
Try to uncomment the ntdomain line in the authorize section of site configuration. This will split the realm (computer name) and login. Maybe you'll also need to set the with_ntdomain_hack = yes in mschap module configuration. Daniel
On 05/07/2011 07:50 PM, Robert Mc Cready wrote:
The "MS-CHAP-Use-NTLM-Auth := no" did the job but I still have one problem with Windows XP clients, I get a " [mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2". Users log on locally, the host name is not a domain name. Windows 7 clients work fine because they send only the username. I do some rewrites so I can get the username for the LDAP authentication and the computers name for computer account authentication (I'm not familiar with unlang yet). We use FR 2.1.10.
Any idea how to fix this ?
You CANNOT rewrite the User-Name attribute, or you will have this problem. If you want to manipulate the username, you must do so in a separate attribute, like so: if (User-Name =~ /^(.+)\\(.+)/) { update request { Stripped-User-Name := "%{2}" } } An easier alternative is to not mangle the username at all, and instead update any string expansions to use: %{mschap:User-Name} ...including your LDAP filters. This will "just work"
I do not rewrite the User-name attribute I rewrite only the Stripped-User-Name attribute with these: attr_rewrite copy.user-name { attribute = Stripped-User-Name new_attribute = yes searchfor = "" searchin = packet replacewith = "%{User-Name}" } attr_rewrite remove-domain-name { attribute = Stripped-User-Name searchfor = "(\.nw2\.test\.local)" searchin = packet new_attribute = no replacewith = "" } attr_rewrite add-dollar-sign { attribute = Stripped-User-Name searchfor = "^(host/.*)" searchin = packet new_attribute = no replacewith = "%{1}$" } attr_rewrite strip-realm-name { attribute = Stripped-User-Name new_attribute = no searchin = packet searchfor = "^(.*[\\/]+)" replacewith = "" max_matches = 1 } This is where I use Stripped-User-Name: freeradius:/etc/raddb # grep -ir Stripped-User-Name * | grep -v \# modules/attr_rewrite: attribute = Stripped-User-Name modules/attr_rewrite: attribute = Stripped-User-Name modules/attr_rewrite: attribute = Stripped-User-Name modules/attr_rewrite: attribute = Stripped-User-Name modules/ldap: filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" The User-Name attribute is untouch. [mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2 As I mentionned before the host name (CAD08862) is not a domain name it's a computer account name. I tried with_ntdomain_hack, no luck. freeradius:/etc/raddb # grep -ir with_ntdomain_hack * | grep -v \# modules/preprocess: with_ntdomain_hack = no modules/mschap: with_ntdomain_hack = yes Windows XP debug: http://www.cspi.qc.ca/sinfrmc/windowsxp.htm Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm On 05/07/2011 07:50 PM, Robert Mc Cready wrote:
The "MS-CHAP-Use-NTLM-Auth := no" did the job but I still have one problem with Windows XP clients, I get a " [mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2". Users log on locally, the host name is not a domain name. Windows 7 clients work fine because they send only the username. I do some rewrites so I can get the username for the LDAP authentication and the computers name for computer account authentication (I'm not familiar with unlang yet). We use FR 2.1.10.
Any idea how to fix this ?
You CANNOT rewrite the User-Name attribute, or you will have this problem. If you want to manipulate the username, you must do so in a separate attribute, like so: if (User-Name =~ /^(.+)\\(.+)/) { update request { Stripped-User-Name := "%{2}" } } An easier alternative is to not mangle the username at all, and instead update any string expansions to use: %{mschap:User-Name} ...including your LDAP filters. This will "just work" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________ Information provenant d'ESET NOD32 Antivirus, version de la base des signatures de virus 6106 (20110509) __________ Le message a été vérifié par ESET NOD32 Antivirus. http://www.eset.com __________ Information provenant d'ESET NOD32 Antivirus, version de la base des signatures de virus 6107 (20110509) __________ Le message a été vérifié par ESET NOD32 Antivirus. http://www.eset.com __________ Information provenant d'ESET NOD32 Antivirus, version de la base des signatures de virus 6107 (20110509) __________ Le message a été vérifié par ESET NOD32 Antivirus. http://www.eset.com
Robert Mc Cready wrote:
I do not rewrite the User-name attribute I rewrite only the Stripped-User-Name attribute with these:
No. Go READ the debug log you posted. The "inner-tunnel" virtual server gets: Sending tunneled request EAP-Message = 0x020800421a0208003d314cc241739d871a4cb33b6338671202 ... FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "CAD08862\\ldapuser" You then RE-WRITE the User-Name. Don't do that. As you were told, re-writing the User-Name for EAP is wrong. Don't do it.
The User-Name attribute is untouch.
You can believe what you *think* happens. Or you can believe the debug output of the server. Alan DeKok.
If the User-Name is being rewritten it is not intentional. Now, I reinstalled from scratch, save the default configuration, join the server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and inner-tunnel and ran diff. I can see in the debug output of the server that User-Name = "CAD08862\\ldapuser" but I don't know want I am doing wrong. http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm freeradius:/etc # diff -qr raddb raddefault Files raddb/clients.conf and raddefault/clients.conf differ Files raddb/modules/attr_rewrite and raddefault/modules/attr_rewrite differ Files raddb/modules/ldap and raddefault/modules/ldap differ Files raddb/modules/mschap and raddefault/modules/mschap differ Files raddb/sites-available/inner-tunnel and raddefault/sites-available/inner-tunnel differ Files raddb/sites-enabled/inner-tunnel and raddefault/sites-enabled/inner-tunnel differ ---------------------------------------------------------------------------- ----------------- freeradius:/etc # diff raddb/clients.conf raddefault/clients.conf 206,209d205 < client 10.0.0.0/8 { < secret = testing123 < shortname = net1 < } ---------------------------------------------------------------------------- ---------------- freeradius:/etc # diff raddb/modules/attr_rewrite raddefault/modules/attr_rewrite 32,65d31 < < attr_rewrite copy.user-name { < attribute = Stripped-User-Name < new_attribute = yes < searchfor = "" < searchin = packet < replacewith = "%{User-Name}" < } < < attr_rewrite remove-domain-name { < attribute = Stripped-User-Name < searchfor = "(\.test\.local)" < searchin = packet < new_attribute = no < replacewith = "" < } < < attr_rewrite add-dollar-sign { < attribute = Stripped-User-Name < searchfor = "^(host/.*)" < searchin = packet < new_attribute = no < replacewith = "%{1}$" < } < < attr_rewrite strip-realm-name { < attribute = Stripped-User-Name < new_attribute = no < searchin = packet < searchfor = "^(.*[\\/]+)" < replacewith = "" < max_matches = 1 < } < ---------------------------------------------------------------------------- -------------- freeradius:/etc # diff raddb/modules/ldap raddefault/modules/ldap 33,36c33,36 < server = "10.220.7.7" < identity = "cn=tics,o=test" < password = ldappass < basedn = "o=test" ---
server = "ldap.your.domain" #identity = "cn=admin,o=My Org,c=UA" #password = mypass basedn = "o=My Org,c=UA"
77,79c77,78 < #start_tls = no < start_tls = yes < port=636 ---
start_tls = no
118c117 < password_attribute = nspmPassword ---
124c123 < edir_account_policy_check = yes ---
edir_account_policy_check = no
---------------------------------------------------------------------------- ------------------------------ freeradius:/etc # diff raddb/modules/mschap raddefault/modules/mschap 37c37 < with_ntdomain_hack = yes ---
65,66c65 < #ntlm_auth = "/path/to/nitlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" < ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NW2} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" ---
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" ---------------------------------------------------------------------------- ---------------------------- freeradius:/etc # diff raddb/sites-available/inner-tunnel raddefault/sites-available/inner-tunnel 48,52d47 < if (User-Name !~ /^host\//) { < update control { < MS-CHAP-Use-NTLM-Auth := no < } < } 97,101c92 < copy.user-name < remove-domain-name < add-dollar-sign < strip-realm-name < ntdomain ---
# ntdomain 151c142 < ldap
# ldap 239,241c230,232 < Auth-Type LDAP { < ldap < }
# Auth-Type LDAP { # ldap # } 299c290 < ldap
# ldap 311d301 < ldap
---------------------------------------------------------------------------- ---------------------------- Robert Mc Cready wrote:
I do not rewrite the User-name attribute I rewrite only the Stripped-User-Name attribute with these:
No. Go READ the debug log you posted. The "inner-tunnel" virtual server gets: Sending tunneled request EAP-Message = 0x020800421a0208003d314cc241739d871a4cb33b6338671202 ... FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "CAD08862\\ldapuser" You then RE-WRITE the User-Name. Don't do that. As you were told, re-writing the User-Name for EAP is wrong. Don't do it.
The User-Name attribute is untouch.
You can believe what you *think* happens. Or you can believe the debug output of the server. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________ Information provenant d'ESET NOD32 Antivirus, version de la base des signatures de virus 6110 (20110510) __________ Le message a ete verifie par ESET NOD32 Antivirus. http://www.eset.com
On 05/10/2011 03:35 PM, Robert Mc Cready wrote:
If the User-Name is being rewritten it is not intentional.
Now, I reinstalled from scratch, save the default configuration, join the server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and inner-tunnel and ran diff. I can see in the debug output of the server that User-Name = "CAD08862\\ldapuser" but I don't know want I am doing wrong.
I presume there's a debug at this URL, but I have no reachability to it from where I am (tried from a couple of different source networks): 17 Vlan1999.icore1.MTT-Montreal.as6453.net (216.6.115.54) 90.786 ms 90.770 ms 90.740 ms 18 Vlan50.icore1.MTT-Montreal.as6453.net (206.82.135.10) 90.800 ms 90.918 ms 91.056 ms 19 tge-1-3.ar1.mtl2.mtotelecom.net (64.254.224.165) 91.241 ms 90.598 ms 90.634 ms 20 tge-1-2.ar1.mtrlpq07.mtotelecom.net (64.254.224.198) 79.405 ms 79.282 ms 79.230 ms 21 * * * 22 * * * 23 * * *
Here it is: FreeRADIUS Debugging Output This colorized output was produced by an automated tool from Network RADIUS ---------------------------------------------------------------------------- ---- Packet 0 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=171, length=177 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x020b00150143414430383836325c54656368524d43 Message-Authenticator = 0x0a731b00ed8632709fd7a0cd73425aac # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 11 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 171 to 10.220.30.5 port 29002 EAP-Message = 0x010c00160410b6e7676fb05991e0012286fb7d646c1e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a5f2453a08d7b8b3e893ab3f Finished request 229. Going to the next request Waking up in 4.9 seconds. Packet 1 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=172, length=180 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x020c00060319 State = 0xa5fe4130a5f2453a08d7b8b3e893ab3f Message-Authenticator = 0xa70f38635c3dc90b94a63ba069f76ebb # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 12 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 172 to 10.220.30.5 port 29002 EAP-Message = 0x010d00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a4f3583a08d7b8b3e893ab3f Finished request 230. Going to the next request Waking up in 4.9 seconds. Packet 2 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=173, length=254 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x020d005019800000004616030100410100003d03014dc932cb ... State = 0xa5fe4130a4f3583a08d7b8b3e893ab3f Message-Authenticator = 0x2e2e0708c73b34e905daee695ee8032a # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 13 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 173 to 10.220.30.5 port 29002 EAP-Message = 0x010e040019c00000089b160301002a0200002603014dc932cb ... EAP-Message = 0x301e170d3131303531303131343933315a170d313230353039 ... EAP-Message = 0x247a871d8a28fca6ca77871f75158cb881bc154162482826dd ... EAP-Message = 0x3ca0d3dd2e4fe050819da932da5eb9b05a8732cdbfae1ecd97 ... EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a7f0583a08d7b8b3e893ab3f Finished request 231. Going to the next request Waking up in 4.9 seconds. Packet 3 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=174, length=180 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x020e00061900 State = 0xa5fe4130a7f0583a08d7b8b3e893ab3f Message-Authenticator = 0x299e7d9bc6c1576d75b2dc575bb8d131 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 14 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 174 to 10.220.30.5 port 29002 EAP-Message = 0x010f03fc194000ae4924c977166296300d06092a864886f70d ... EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578 ... EAP-Message = 0x9f6d4aba6ff7e424f8e3053ecd0d88e8e2b8441d43588d5519 ... EAP-Message = 0x0813065261646975733112301006035504071309536f6d6577 ... EAP-Message = 0x912aa6d3291cd0dc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a6f1583a08d7b8b3e893ab3f Finished request 232. Going to the next request Waking up in 4.9 seconds. Packet 4 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=175, length=180 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x020f00061900 State = 0xa5fe4130a6f1583a08d7b8b3e893ab3f Message-Authenticator = 0x21deff950681e5b9ed5d0b915238df63 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 15 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 175 to 10.220.30.5 port 29002 EAP-Message = 0x011000b519000dd9a5fde73f897737b0f264443de17265d729 ... Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a1ee583a08d7b8b3e893ab3f Finished request 233. Going to the next request Waking up in 4.9 seconds. Packet 5 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=176, length=496 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x0210014019800000013616030101061000010201000cd623d8 ... EAP-Message = 0x7e97ab57b201610cb97da732dc3ea2fa8d945c59af7f5d6e14 ... State = 0xa5fe4130a1ee583a08d7b8b3e893ab3f Message-Authenticator = 0x9b6a444a93ad642167d08affdee03b15 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 16 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 176 to 10.220.30.5 port 29002 EAP-Message = 0x01110031190014030100010116030100208a615f5002c2f168 ... Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a0ef583a08d7b8b3e893ab3f Finished request 234. Going to the next request Waking up in 4.8 seconds. Packet 6 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=177, length=180 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x021100061900 State = 0xa5fe4130a0ef583a08d7b8b3e893ab3f Message-Authenticator = 0x40f129dcea3d601dbd5f744da4c406c3 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 17 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 177 to 10.220.30.5 port 29002 EAP-Message = 0x011200201900170301001586534e83dd452d3c59548f8ad4e9 ... Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a3ec583a08d7b8b3e893ab3f Finished request 235. Going to the next request Waking up in 4.8 seconds. Packet 7 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=178, length=218 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x0212002c19001703010021a58a75cc4381a250bba38251cd2c ... State = 0xa5fe4130a3ec583a08d7b8b3e893ab3f Message-Authenticator = 0x265a6aa891e196ddbd3280a30cfb3e0f # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 18 length 44 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - CAD08862\ldapuser [peap] Got inner identity 'CAD08862\ldapuser' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x021200150143414430383836325c54656368524d43 server { PEAP: Setting User-Name to CAD08862\ldapuser Sending tunneled request EAP-Message = 0x021200150143414430383836325c54656368524d43 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "CAD08862\\ldapuser" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++? if (User-Name !~ /^host\//) ? Evaluating (User-Name !~ /^host\//) -> TRUE ++? if (User-Name !~ /^host\//) -> TRUE ++- entering if (User-Name !~ /^host\//) {...} +++[control] returns notfound ++- if (User-Name !~ /^host\//) returns notfound ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [copy.user-name] expand: %{User-Name} -> CAD08862\ldapuser copy.user-name: Added attribute Stripped-User-Name with value 'CAD08862\ldapuser' ++[copy.user-name] returns ok [remove-domain-name] expand: (.nw2.test.local) -> (.nw2.test.local) remove-domain-name: Does not match: Stripped-User-Name = CAD08862\ldapuser ++[remove-domain-name] returns ok [add-dollar-sign] expand: ^(host/.*) -> ^(host/.*) add-dollar-sign: Does not match: Stripped-User-Name = CAD08862\ldapuser ++[add-dollar-sign] returns ok [strip-realm-name] expand: ^(.*[\/]+) -> ^(.*[\/]+) strip-realm-name: Changed value for attribute Stripped-User-Name from 'CAD08862\ldapuser' to 'ldapuser' ++[strip-realm-name] returns ok [ntdomain] Looking up realm "CAD08862" for User-Name = "CAD08862\ldapuser" [ntdomain] No such realm "CAD08862" ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 18 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for CAD08862\ldapuser [ldap] expand: %{Stripped-User-Name} -> ldapuser [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ldapuser) [ldap] expand: o=test -> o=test [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=test, with filter (uid=ldapuser) [ldap] Added the eDirectory password 1234567 in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user CAD08862\ldapuser authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0113002a1a0113002510cf908a1b7ebf4d936c15f1224e9ed3 ... Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb1d14868b1c252824a02ce38607236ef [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0113002a1a0113002510cf908a1b7ebf4d936c15f1224e9ed3 ... Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb1d14868b1c252824a02ce38607236ef [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 178 to 10.220.30.5 port 29002 EAP-Message = 0x011300411900170301003636791f38ba2c2c44f57b5e62c92e ... Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130a2ed583a08d7b8b3e893ab3f Finished request 236. Going to the next request Waking up in 4.8 seconds. Packet 8 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=179, length=263 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x021300591900170301004ebc0a4c73422ad0f2958deff363d6 ... State = 0xa5fe4130a2ed583a08d7b8b3e893ab3f Message-Authenticator = 0x7db4139bac8a822e9a923f4758080856 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 19 length 89 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x021300421a0213003d315d7829b8f975c70fa9a07456cb5f19 ... server { PEAP: Setting User-Name to CAD08862\ldapuser Sending tunneled request EAP-Message = 0x021300421a0213003d315d7829b8f975c70fa9a07456cb5f19 ... FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "CAD08862\\ldapuser" State = 0xb1d14868b1c252824a02ce38607236ef server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++? if (User-Name !~ /^host\//) ? Evaluating (User-Name !~ /^host\//) -> TRUE ++? if (User-Name !~ /^host\//) -> TRUE ++- entering if (User-Name !~ /^host\//) {...} +++[control] returns notfound ++- if (User-Name !~ /^host\//) returns notfound ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [copy.user-name] expand: %{User-Name} -> CAD08862\ldapuser copy.user-name: Added attribute Stripped-User-Name with value 'CAD08862\ldapuser' ++[copy.user-name] returns ok [remove-domain-name] expand: (.nw2.test.local) -> (.nw2.test.local) remove-domain-name: Does not match: Stripped-User-Name = CAD08862\ldapuser ++[remove-domain-name] returns ok [add-dollar-sign] expand: ^(host/.*) -> ^(host/.*) add-dollar-sign: Does not match: Stripped-User-Name = CAD08862\ldapuser ++[add-dollar-sign] returns ok [strip-realm-name] expand: ^(.*[\/]+) -> ^(.*[\/]+) strip-realm-name: Changed value for attribute Stripped-User-Name from 'CAD08862\ldapuser' to 'ldapuser' ++[strip-realm-name] returns ok [ntdomain] Looking up realm "CAD08862" for User-Name = "CAD08862\ldapuser" [ntdomain] No such realm "CAD08862" ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 19 length 66 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for CAD08862\ldapuser [ldap] expand: %{Stripped-User-Name} -> ldapuser [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ldapuser) [ldap] expand: o=test -> o=test [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=test, with filter (uid=ldapuser) [ldap] Added the eDirectory password 1234567 in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user CAD08862\ldapuser authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2 ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 EAP-Message = 0x04130004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x04130004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 179 to 10.220.30.5 port 29002 EAP-Message = 0x011400261900170301001b042d951bea675042a05ce3fed5c1 ... Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa5fe4130adea583a08d7b8b3e893ab3f Finished request 237. Going to the next request Waking up in 4.8 seconds. Packet 9 ---------------------------------------------------------------------------- ---- rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=180, length=212 User-Name = "CAD08862\\ldapuser" NAS-IP-Address = 10.220.30.5 NAS-Port = 0 Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS" Calling-Station-Id = "00-16-EA-C5-78-9C" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x021400261900170301001b7a27bfb0b0524f3a9afbf1b1f407 ... State = 0xa5fe4130adea583a08d7b8b3e893ab3f Message-Authenticator = 0xe8c786bb73038b5f6172a3637d73a61d # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 20 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> CAD08862\ldapuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 238 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 238 Sending Access-Reject of id 180 to 10.220.30.5 port 29002 EAP-Message = 0x04140004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. Cleaning up request 229 ID 171 with timestamp +857 Cleaning up request 230 ID 172 with timestamp +857 Cleaning up request 231 ID 173 with timestamp +857 Cleaning up request 232 ID 174 with timestamp +857 Cleaning up request 233 ID 175 with timestamp +857 Cleaning up request 234 ID 176 with timestamp +857 Cleaning up request 235 ID 177 with timestamp +857 Cleaning up request 236 ID 178 with timestamp +857 Cleaning up request 237 ID 179 with timestamp +857 Waking up in 1.0 seconds. --------------------------------------------------------------------------- On 05/10/2011 03:35 PM, Robert Mc Cready wrote:
If the User-Name is being rewritten it is not intentional.
Now, I reinstalled from scratch, save the default configuration, join the server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and inner-tunnel and ran diff. I can see in the debug output of the server that User-Name = "CAD08862\\ldapuser" but I don't know want I am doing wrong.
I presume there's a debug at this URL, but I have no reachability to it from where I am (tried from a couple of different source networks): 17 Vlan1999.icore1.MTT-Montreal.as6453.net (216.6.115.54) 90.786 ms 90.770 ms 90.740 ms 18 Vlan50.icore1.MTT-Montreal.as6453.net (206.82.135.10) 90.800 ms 90.918 ms 91.056 ms 19 tge-1-3.ar1.mtl2.mtotelecom.net (64.254.224.165) 91.241 ms 90.598 ms 90.634 ms 20 tge-1-2.ar1.mtrlpq07.mtotelecom.net (64.254.224.198) 79.405 ms 79.282 ms 79.230 ms 21 * * * 22 * * * 23 * * * __________ Information provenant d'ESET NOD32 Antivirus, version de la base des signatures de virus 6110 (20110510) __________ Le message a ete verifie par ESET NOD32 Antivirus. http://www.eset.com
Robert Mc Cready wrote:
If the User-Name is being rewritten it is not intentional.
Well... it's obviously someone you've changed, because it doesn't happen in the default configuration.
Now, I reinstalled from scratch, save the default configuration, join the server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and inner-tunnel and ran diff. I can see in the debug output of the server that User-Name = "CAD08862\\ldapuser" but I don't know want I am doing wrong.
You're stripping the domain. Why? It's just not necessary. The way you're doing it is wrong, and is breaking the server. Instead, set up CAD08862 as a LOCAL realm. See proxy.conf. Alan DeKok.
The host name are not domain names, there are computers account name, and we have hundreds of them . We only use the MS Domain to authenticate the computers account, not the users. -----Message d'origine----- De : freeradius-users-bounces+robert-mccready=cspi.qc.ca@lists.freeradius.org [mailto:freeradius-users-bounces+robert-mccready=cspi.qc.ca@lists.freeradius .org] De la part de Alan DeKok Envoyé : 10 mai 2011 10:49 À : FreeRadius users mailing list Objet : Re: Error: User-Name is not the same as MS-CHAP name Robert Mc Cready wrote:
If the User-Name is being rewritten it is not intentional.
Well... it's obviously someone you've changed, because it doesn't happen in the default configuration.
Now, I reinstalled from scratch, save the default configuration, join the server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and inner-tunnel and ran diff. I can see in the debug output of the server that User-Name = "CAD08862\\ldapuser" but I don't know want I am doing wrong.
You're stripping the domain. Why? It's just not necessary. The way you're doing it is wrong, and is breaking the server. Instead, set up CAD08862 as a LOCAL realm. See proxy.conf. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________ Information provenant d'ESET NOD32 Antivirus, version de la base des signatures de virus 6110 (20110510) __________ Le message a été vérifié par ESET NOD32 Antivirus. http://www.eset.com __________ Information provenant d'ESET NOD32 Antivirus, version de la base des signatures de virus 6110 (20110510) __________ Le message a été vérifié par ESET NOD32 Antivirus. http://www.eset.com
Robert Mc Cready wrote:
The host name are not domain names, there are computers account name, and we have hundreds of them . We only use the MS Domain to authenticate the computers account, not the users.
Well... re-writing the names in the "inner-tunnel" server is breaking authentication. *Why* are you re-writing them? What do you expect to do with the names? Why isn't there another way to achieve the same goal? Alan DeKok.
participants (4)
-
Alan DeKok -
Daniel Deptuła -
Phil Mayers -
Robert Mc Cready