Trying to configure eap ttls with mschapv2 using Freeradius version Version 1.1.3 in Redhat enterprise Linux 5. I have configured everything and gotten free radius to authenticate off /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have run into is when I switch the securew2 windows xp eap-ttls client to use the current logged on user credentials. Then, SecureW2 sends the username in the format of DOMAIN/user (which in this case is HTN/josh). Authentication then fails because of this extra domain part in the user. Ok fine, I first enable the nt_domain_hack in the mschap module then I configured realm ntdomain and simply set a default realm in proxy.conf to strip off the domain part. Nope, that fails (output will be included below). I also tried nostrip but that also fails obviously. Also tried silently stripping the domain in pre-process in radiusd.conf. Auth is successful but finally rejected because the user doesnt match the original HTN/josh user sent. Finally I simply added the username and password I was testing to the users file. It works there. My default realm strips the domain, proxies it back to localhost, authenticates of the users file and is successful. Arrg what Im I doing wrong. I really need to use the etc_smbpasswd module as I cant get ntlm_auth to work. It says no logon servers found. I think its because I am running it on the actual samba server I want to auth off of. Anyways, anyone know of how to get etc_smbpasswd module to work. I dont want to use the users file (blech) even though it does work when I put the user in there, and again, if I just supply the username and password (and leave the domain part blank in SecureW2 ttls client) authentication does work of /etc/samba/smbpasswd. Here is the /usr/sbin/radiusd -X output. Sorry its long. Below that I will put the relevant lines of config. Thanks a ton for any help. -Josh [root@file raddb]# /usr/sbin/radiusd -s -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "ttls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/server_key.pem" tls: certificate_file = "/etc/raddb/certs/server_cert.pem" tls: CA_file = "/etc/raddb/certs/cacert.pem" tls: private_key_password = "serverH08ght0n23kip" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "mschapv2" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = yes Module: Instantiated realm (suffix) realm: format = "prefix" realm: delimiter = "\" realm: ignore_default = no realm: ignore_null = yes Module: Instantiated realm (ntdomain) Module: Loaded passwd passwd: filename = "/etc/samba/smbpasswd" passwd: format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" passwd: authtype = "MS-CHAP" passwd: delimiter = ":" passwd: ignorenislike = no passwd: ignoreempty = yes passwd: allowmultiplekeys = no passwd: hashsize = 100 rlm_passwd: nfields: 7 keyfield 0(User-Name) listable: no Module: Instantiated passwd (etc_smbpasswd) passwd: filename = "/etc/group" passwd: format = "=Group-Name:::*,User-Name" passwd: authtype = "(null)" passwd: delimiter = ":" passwd: ignorenislike = yes passwd: ignoreempty = yes passwd: allowmultiplekeys = yes passwd: hashsize = 50 rlm_passwd: nfields: 4 keyfield 3(User-Name) listable: yes Module: Instantiated passwd (etc_group) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.100.13.12:19527, id=104, length=202 User-Name = "HTN\\josh" Called-Station-Id = "00-17-A4-9C-00-AF:HTNStaff" Calling-Station-Id = "00-0E-35-B6-74-AF" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 10.100.13.12 NAS-Identifier = "Houghton Wireless Services" NAS-Port-Id = "HTNStaff" Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201000d0148544e5c6a6f7368 Message-Authenticator = 0xdf195f238143503d49244d6203620b10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 0 rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh" rlm_realm: Found realm "DEFAULT" rlm_realm: Adding Stripped-User-Name = "josh" rlm_realm: Proxying request from user josh to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall[authorize]: module "etc_smbpasswd" returns notfound for request 0 modcall[authorize]: module "etc_group" returns notfound for request 0 users: Matched entry DEFAULT at line 175 modcall[authorize]: module "files" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 104 to 10.100.13.12 port 19527 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x61bf2476da0a8dbee700d7b52748377c Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.100.13.12:19527, id=105, length=263 User-Name = "HTN\\josh" Called-Station-Id = "00-17-A4-9C-00-AF:HTNStaff" Calling-Station-Id = "00-0E-35-B6-74-AF" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 10.100.13.12 NAS-Identifier = "Houghton Wireless Services" NAS-Port-Id = "HTNStaff" Connect-Info = "CONNECT 54Mbps 802.11g" State = 0x61bf2476da0a8dbee700d7b52748377c EAP-Message = 0x020200381500160301002d010000290301e9a07acc81410bcdf08077330d07ad8f018e56a6641624ec64a66da3f79bd121000002000a0100 Message-Authenticator = 0x0334fb063e9a6d53bd8682ba37d0620e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 1 rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh" rlm_realm: Found realm "DEFAULT" rlm_realm: Adding Stripped-User-Name = "josh" rlm_realm: Proxying request from user josh to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 56 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall[authorize]: module "etc_smbpasswd" returns notfound for request 1 modcall[authorize]: module "etc_group" returns notfound for request 1 users: Matched entry DEFAULT at line 175 modcall[authorize]: module "files" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 03d2], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 105 to 10.100.13.12 port 19527 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0103040a15c00000042f160301004a02000046030149642f7ba9e448ca30ab30a9b6ed817c8aff8c408e4023e6940c762c1f36a6de20e1a7c54190eaf152b7593b2b138e0c050f4d101a4e1791b3f21981bd0acbe EAP-Message = 0x092a864886f70d010901161972656d637374616666406c697374732e72656d63312e6e6574301e170d3038313231353230323332365a170d3138313231333230323332365a308198310b300906035504061302555 EAP-Message = 0x82010100a721638f80275c7d8c29f90e3669da66da29a4dcb0e6d18b17c9349bd6eb88e205da76218efdf67065ee07977b86ccfbc278e1c229e5f9f32340cc2a04dc418528588e667ccb783bc13133bc15a0a0936 EAP-Message = 0xd5652a17fa2f1b0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038201010064900d552e6d98d35cde88dc41403c05fb45c2a2bdb2f5d6f9f0fdc EAP-Message = 0x21eaab40c755b46a6e7892ae526d055d6da3c8c3190a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x60ab04b8fd2e304f5d42050b620e1513 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.100.13.12:19527, id=106, length=213 User-Name = "HTN\\josh" Called-Station-Id = "00-17-A4-9C-00-AF:HTNStaff" Calling-Station-Id = "00-0E-35-B6-74-AF" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 10.100.13.12 NAS-Identifier = "Houghton Wireless Services" NAS-Port-Id = "HTNStaff" Connect-Info = "CONNECT 54Mbps 802.11g" State = 0x60ab04b8fd2e304f5d42050b620e1513 EAP-Message = 0x020300061500 Message-Authenticator = 0x85c0f98d60c740ec669de9a9c7da4986 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 2 rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh" rlm_realm: Found realm "DEFAULT" rlm_realm: Adding Stripped-User-Name = "josh" rlm_realm: Proxying request from user josh to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 2 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall[authorize]: module "etc_smbpasswd" returns notfound for request 2 modcall[authorize]: module "etc_group" returns notfound for request 2 users: Matched entry DEFAULT at line 175 modcall[authorize]: module "files" returns ok for request 2 modcall[authorize]: module "mschap" returns noop for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 106 to 10.100.13.12 port 19527 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0104003915800000042f639f242a6f6541ec7b1afbb86af1958c2e4ed1ab48a226b2d15b08e4b7887f25691e005162bd16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xabc302506c895702968419cddb2c0be9 Finished request 2 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.100.13.12:19527, id=107, length=533 User-Name = "HTN\\josh" Called-Station-Id = "00-17-A4-9C-00-AF:HTNStaff" Calling-Station-Id = "00-0E-35-B6-74-AF" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 10.100.13.12 NAS-Identifier = "Houghton Wireless Services" NAS-Port-Id = "HTNStaff" Connect-Info = "CONNECT 54Mbps 802.11g" State = 0xabc302506c895702968419cddb2c0be9 EAP-Message = 0x020401441500160301010610000102010037c452398dbb3df5559e7ef631f93adac1c31949e8b2e189e656c42563825fedb650c87be7a05cfa2b6ab6d25b111dfb5ed36ceafc6a81c2d90982bc4b9514fc25cca8f EAP-Message = 0xb50e2ba24d87acf465b6923ae7229fe4e011258f1403010001011603010028faee95c6e785c7a0c1f7794e71c76e67ff5ba2f4006e2aa188af3b9da28d6e2419833ca0820678c1 Message-Authenticator = 0xc0ff62f05516e184511c415d87cbbc2c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 3 rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh" rlm_realm: Found realm "DEFAULT" rlm_realm: Adding Stripped-User-Name = "josh" rlm_realm: Proxying request from user josh to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 3 rlm_eap: EAP packet type response id 4 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall[authorize]: module "etc_smbpasswd" returns notfound for request 3 modcall[authorize]: module "etc_group" returns notfound for request 3 users: Matched entry DEFAULT at line 175 modcall[authorize]: module "files" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 107 to 10.100.13.12 port 19527 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0105003d1580000000331403010001011603010028721fb19555db97969e579863ff1f6fce4169183c7a0abb3ea443be416f722adbc21b355b7ac01a45 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe4bddc9ecec467abc03da29934752e16 Finished request 3 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.100.13.12:19527, id=108, length=290 User-Name = "HTN\\josh" Called-Station-Id = "00-17-A4-9C-00-AF:HTNStaff" Calling-Station-Id = "00-0E-35-B6-74-AF" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 10.100.13.12 NAS-Identifier = "Houghton Wireless Services" NAS-Port-Id = "HTNStaff" Connect-Info = "CONNECT 54Mbps 802.11g" State = 0xe4bddc9ecec467abc03da29934752e16 EAP-Message = 0x02050053150017030100485562de8771e70ff92e34bb96bf0f6c24b6e6aca70841355cc05a96146c524e1c2b177149e577817012b73f9bb41d96639692cbab41f711878b16e20d5a7c04b16bc67577457b2d47 Message-Authenticator = 0x37c5fec48b0fa7f5c14dddc680e8c4f2 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 4 rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh" rlm_realm: Found realm "DEFAULT" rlm_realm: Adding Stripped-User-Name = "josh" rlm_realm: Proxying request from user josh to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 4 rlm_eap: EAP packet type response id 5 length 83 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 modcall[authorize]: module "etc_smbpasswd" returns notfound for request 4 modcall[authorize]: module "etc_group" returns notfound for request 4 users: Matched entry DEFAULT at line 175 modcall[authorize]: module "files" returns ok for request 4 modcall[authorize]: module "mschap" returns noop for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. TTLS: Got tunneled request EAP-Message = 0x0200000d0148544e5c6a6f7368 Message-Authenticator = 0x00000000000000000000000000000000 FreeRADIUS-Proxied-To = 127.0.0.1 TTLS: Got tunneled identity of HTN\josh TTLS: Setting default EAP type for tunneled EAP session. TTLS: Sending tunneled request EAP-Message = 0x0200000d0148544e5c6a6f7368 Message-Authenticator = 0x00000000000000000000000000000000 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "HTN\\josh" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 4 rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh" rlm_realm: Found realm "DEFAULT" rlm_realm: Adding Stripped-User-Name = "josh" rlm_realm: Proxying request from user josh to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 4 rlm_eap: EAP packet type response id 0 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 modcall[authorize]: module "etc_smbpasswd" returns notfound for request 4 modcall[authorize]: module "etc_group" returns notfound for request 4 modcall[authorize]: module "files" returns notfound for request 4 modcall[authorize]: module "mschap" returns noop for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 TTLS: Got tunneled reply RADIUS code 11 EAP-Message = 0x010100221a0101001d1023197ffb3fbee0431fa33dd4ffe6ee4848544e5c6a6f7368 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9023e8d5cfb89d9eedf0b95ea0ea8077 TTLS: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 108 to 10.100.13.12 port 19527 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0106007415800000006a170301001869103bd6a2fc06d853c018dec840fcee432f605b3bbd5c7b170301004882ddab817db15367d699b45444ae600ef8afaba3ca3c2eae0b4be817885fde9ab28ecedeca71e5371 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc1a3900bb47d4eeed37494a4af610f6a Finished request 4 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.100.13.12:19527, id=109, length=346 User-Name = "HTN\\josh" Called-Station-Id = "00-17-A4-9C-00-AF:HTNStaff" Calling-Station-Id = "00-0E-35-B6-74-AF" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 10.100.13.12 NAS-Identifier = "Houghton Wireless Services" NAS-Port-Id = "HTNStaff" Connect-Info = "CONNECT 54Mbps 802.11g" State = 0xc1a3900bb47d4eeed37494a4af610f6a EAP-Message = 0x0206008b15001703010080ec308e1a81a20c80b07a9399135ce92cb9856ea5b98bf1d18e5b53c8959c899f7e0a5ac3cb31cd966591961318eb728dc0cdc95c3a09318920c6f9fba21b88827380f0ca91a8b66b9da Message-Authenticator = 0x24e4740de40c15633d63d47b2e2dcc5e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 5 rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh" rlm_realm: Found realm "DEFAULT" rlm_realm: Adding Stripped-User-Name = "josh" rlm_realm: Proxying request from user josh to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 5 rlm_eap: EAP packet type response id 6 length 139 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "etc_smbpasswd" returns notfound for request 5 modcall[authorize]: module "etc_group" returns notfound for request 5 users: Matched entry DEFAULT at line 175 modcall[authorize]: module "files" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. TTLS: Got tunneled request EAP-Message = 0x020100431a0201003e310fc0026c362449dfb52a48226b9bf58e000000000000000055a52026985b92247cf83d076fd500b15479fccd5f204f5f0048544e5c6a6f7368 Message-Authenticator = 0x00000000000000000000000000000000 FreeRADIUS-Proxied-To = 127.0.0.1 TTLS: Adding old state with 90 23 TTLS: Sending tunneled request EAP-Message = 0x020100431a0201003e310fc0026c362449dfb52a48226b9bf58e000000000000000055a52026985b92247cf83d076fd500b15479fccd5f204f5f0048544e5c6a6f7368 Message-Authenticator = 0x00000000000000000000000000000000 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "HTN\\josh" State = 0x9023e8d5cfb89d9eedf0b95ea0ea8077 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 rlm_realm: No '@' in User-Name = "HTN\josh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 5 rlm_realm: Looking up realm "HTN" for User-Name = "HTN\josh" rlm_realm: Found realm "DEFAULT" rlm_realm: Adding Stripped-User-Name = "josh" rlm_realm: Proxying request from user josh to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 5 rlm_eap: EAP packet type response id 1 length 67 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "etc_smbpasswd" returns notfound for request 5 modcall[authorize]: module "etc_group" returns notfound for request 5 modcall[authorize]: module "files" returns notfound for request 5 modcall[authorize]: module "mschap" returns noop for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 5 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for josh with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 5 modcall: leaving group MS-CHAP (returns reject) for request 5 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 5 modcall: leaving group authenticate (returns reject) for request 5 auth: Failed to validate the user. TTLS: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\001E=691 R=1" EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 TTLS: Got tunneled Access-Reject rlm_eap: Handler failed in EAP/ttls TTLS: Freeing handler for user HTN\josh rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 5 modcall: leaving group authenticate (returns invalid) for request 5 auth: Failed to validate the user. Delaying request 5 for 1 seconds Finished request 5 Going to the next request Waking up in 5 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 104 with timestamp 49642f7a Sending Access-Reject of id 109 to 10.100.13.12 port 19527 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1 seconds... [root@file raddb]# Relevent lines of config (all else is default pretty much) proxy.conf realm DEFAULT { type = radius authhost = LOCAL accthost = LOCAL # authhost = radius.company.com:1600 # accthost = radius.company.com:1601 secret = testing123 # nostrip } In radiusd.conf here is my etc_smbpasswd section passwd etc_smbpasswd { filename = /etc/samba/smbpasswd format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" authtype = MS-CHAP hashsize = 100 ignorenislike = no allowmultiplekeys = no } My ntdomain realm definition realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = yes }
Josh Hiner wrote:
Trying to configure eap ttls with mschapv2 using Freeradius version Version 1.1.3 in Redhat enterprise Linux 5.
I suggest upgrading. It's not hard to build an RPM of the latest version of the server. Upgrading will get you a lot.
I have configured everything and gotten free radius to authenticate off /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have run into is when I switch the securew2 windows xp eap-ttls client to use the current logged on user credentials. Then, SecureW2 sends the username in the format of DOMAIN/user (which in this case is HTN/josh). Authentication then fails because of this extra domain part in the user. Ok fine, I first enable the nt_domain_hack in the mschap module then I configured realm ntdomain and simply set a default realm in proxy.conf to strip off the domain part. Nope, that fails (output will be included below). I also tried nostrip but that also fails obviously. Also tried silently stripping the domain in pre-process in radiusd.conf. Auth is successful but finally rejected because the user doesnt match the original HTN/josh user sent.
This is fixed in 2.x. You can have different policies for inside the TLS tunnel and outside of it. This makes these configurations easier.
Anyways, anyone know of how to get etc_smbpasswd module to work. I dont want to use the users file (blech) even though it does work when I put the user in there, and again, if I just supply the username and password (and leave the domain part blank in SecureW2 ttls client) authentication does work of /etc/samba/smbpasswd.
Honestly... there are 3-4 solutions which are trivial in 2.x. Any solution is hard in 1.1.3. I don't even recall what feature set it has (or is missing). Alan DeKok.
Alan DeKok wrote:
I suggest upgrading. It's not hard to build an RPM of the latest version of the server.
Information on this wiki page will be helpful to you: http://wiki.freeradius.org/Red_Hat_FAQ -- John Dennis <jdennis@redhat.com>
Alan DeKok wrote:
Josh Hiner wrote:
Trying to configure eap ttls with mschapv2 using Freeradius version Version 1.1.3 in Redhat enterprise Linux 5.
I suggest upgrading. It's not hard to build an RPM of the latest version of the server.
Upgrading will get you a lot.
Ok I did upgrade, please see my post below =D.
I have configured everything and gotten free radius to authenticate off /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have run into is when I switch the securew2 windows xp eap-ttls client to use the current logged on user credentials. Then, SecureW2 sends the username in the format of DOMAIN/user (which in this case is HTN/josh). Authentication then fails because of this extra domain part in the user. Ok fine, I first enable the nt_domain_hack in the mschap module then I configured realm ntdomain and simply set a default realm in proxy.conf to strip off the domain part. Nope, that fails (output will be included below). I also tried nostrip but that also fails obviously. Also tried silently stripping the domain in pre-process in radiusd.conf. Auth is successful but finally rejected because the user doesnt match the original HTN/josh user sent.
This is fixed in 2.x. You can have different policies for inside the TLS tunnel and outside of it. This makes these configurations easier.
Ok I do see this now but am still getting the same error. Please see below.
Anyways, anyone know of how to get etc_smbpasswd module to work. I dont want to use the users file (blech) even though it does work when I put the user in there, and again, if I just supply the username and password (and leave the domain part blank in SecureW2 ttls client) authentication does work of /etc/samba/smbpasswd.
Honestly... there are 3-4 solutions which are trivial in 2.x. Any solution is hard in 1.1.3. I don't even recall what feature set it has (or is missing).
Alan DeKok.
Ok, I have upgraded to Freeradius version 2.1.3 (following the suggestion above). I have configured and gotten everything to work except for the domain name stripping at the front of the username (eg: HTN/josh). If I dont supply the domain name, authentication succeeds perfectly. I am still getting the same error that I was with Freeradius version 1.3.1. Ive configured a HTN realm to strip off the HTN part and in the debug, it appears to work as stripped-user=josh gets proxied back. Then authentication failes in the same way as it did before? It is mentioned above that there are 3-4 solutions which are trivial in 2.x. Since I have Freeradius basically running, could someone spare some of their valuable time with a pointer on stripping off the HTN part of the user so authentication will succeed? Thanks =D. Below is the part of my debug output from Freeradius showing the authentication failure. Once again, it works perfectly if I dont supply the domain name (I can then connect perfectly via eap-ttls with mschapv2). Hopefully I am close. I can supply more of my configs if needed. Thanks -Josh server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "HTN\josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "HTN" for User-Name = "HTN\josh" [ntdomain] Found realm "HTN" [ntdomain] Adding Stripped-User-Name = "josh" [ntdomain] Adding Realm = "HTN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 1 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[etc_smbpasswd] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for josh with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 MS-CHAP-Error = "\001E=691 R=1" EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls rlm_eap_ttls: Freeing handler for user HTN\josh [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user.
Honestly... there are 3-4 solutions which are trivial in 2.x. Any solution is hard in 1.1.3. I don't even recall what feature set it has (or is missing).
Alan DeKok.
Ok, I have upgraded to Freeradius version 2.1.3 (following the suggestion above). I have configured and gotten everything to work except for the domain name stripping at the front of the username (eg: HTN/josh). If I dont supply the domain name, authentication succeeds perfectly. I am still getting the same error that I was with Freeradius version 1.3.1. Ive configured a HTN realm to strip off the HTN part and in the debug, it appears to work as stripped-user=josh gets proxied back. Then authentication failes in the same way as it did before? It is mentioned above that there are 3-4 solutions which are trivial in 2.x. Since I have Freeradius basically running, could someone spare some of their valuable time with a pointer on stripping off the HTN part of the user so authentication will succeed? Thanks =D. Below is the part of my debug output from Freeradius showing the authentication failure. Once again, it works perfectly if I dont supply the domain name (I can then connect perfectly via eap-ttls with mschapv2). Hopefully I am close. I can supply more of my configs if needed.
Thanks -Josh Ok well once again, the answer was in the debug output. Since it was sending back Stripped-username instead of Username, I had to create a 2nd smbpasswd module. In this module I mapped stripped-user instead of username. This worked. This does work. Is this a good and acceptable solution? I'd still be interested in hearing other solutions if there are any out there. Thanks again!
-Josh
Ok, I have upgraded to Freeradius version 2.1.3 (following the suggestion above). I have configured and gotten everything to work except for the domain name stripping at the front of the username (eg: HTN/josh). If I dont supply the domain name, authentication succeeds perfectly. I am still getting the same error that I was with Freeradius version 1.3.1. Ive configured a HTN realm to strip off the HTN part and in the debug, it appears to work as stripped-user=josh gets proxied back. Then authentication failes in the same way as it did before? It is mentioned above that there are 3-4 solutions which are trivial in 2.x. Since I have Freeradius basically running, could someone spare some of their valuable time with a pointer on stripping off the HTN part of the user so authentication will succeed? .. [ntdomain] Looking up realm "HTN" for User-Name = "HTN\josh" [ntdomain] Found realm "HTN" [ntdomain] Adding Stripped-User-Name = "josh" [ntdomain] Adding Realm = "HTN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 1 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[etc_smbpasswd] returns notfound
You don't have entry josh in users file. Is it suposed to be in smbpasswd? Put Stripped-User-Name in the file format. Ivan Kalik Kalik Informatika ISP
Hi,
I have configured everything and gotten free radius to authenticate off /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have run into is when I switch the securew2 windows xp eap-ttls client to use the current logged on user credentials. Then, SecureW2 sends the username in the format of DOMAIN/user (which in this case is HTN/josh). Authentication then fails because of this extra domain part in the user. Ok fine, I first enable the nt_domain_hack in the mschap module then I configured realm ntdomain and simply set a default realm in proxy.conf to strip off the domain part. Nope, that fails (output will be included below). I also tried nostrip but that also fails obviously. Also tried silently stripping the domain in pre-process in radiusd.conf. Auth is successful but finally rejected because the user doesnt match the original HTN/josh user sent.
you need to look at using the Sripped-User-Name rather than just the User-Name (because that contains the REALM/ stuff). alternatively, you can specify in proxy.conf to proxy anything with REALM/ to your RADIUS server with realm stripping on - this should send the request back to your server with just User-Name plain.. but its not clean. As Alan DeKok states, this sort of thing is very nice in 2.x FreeRADIUS, it just works(tm) alan
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
John Dennis -
Josh Hiner -
tnt@kalik.net