Hello Allan, Thank you for your reply.
ensure your netmask etc are correct
:-)) I hope so. I was giving it like this (IP address plus slash 29: 10.1.1.112/29) My trouble was I did not know if I could use 10.1.1.112/29 as nasname. Thank you all. Cheers Irina ============== Hi,
Hello,
Could someone let me know if I can insert a new NAS in the following format
insert into nas values('','xx.xx.xx.112/29','shortname',....)
you can use sucha netmask to cover a range....but they'll all then use the same secret and be identified by the same shortname. ...jyst ensure your netmask etc are correct :-) alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, I'm relatively new to FR, unlang, etc. - so bear with me. Trying to use M$ XP 802.1x supplicant to auth to a Cisco switch. I've gotten MD5 to work no prob (also vty login to the switch itself using NTLM-Auth) - but can't seem to get EAP-TLS (certs) or PEAP to work. Given that in my cert config I couldn't even get the PC to find a cert, I decided to try PEAP. In my PEAP config on the XSupplicant I use: (EAP-MSCHAP v2) and select (Automatically use my Windows logon name and password) This is what fails. I THINK it's because my Domain Name is cat'd with my username and thus not found? Logs show stuff like "DOMAIN//username" and "DOMAIN/username" If in my PEAP conf I uncheck "Automatically use my Windows logon name and password" and enter my username/password manually - I auth fine. I've been playing around with conf/module files trying to strip the DOMAIN out of my login request - but no luck! Any help would be GREATLY appreciated! TIA! Gary <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Hi,
If in my PEAP conf I uncheck "Automatically use my Windows logon name and password" and enter my username/password manually - I auth fine.
I've been playing around with conf/module files trying to strip the DOMAIN out of my login request - but no luck!
this pretty muhc works out of the box... you just need to ensure that in your mschap module you have with_ntdomain_hack = yes and the ntlm_auth line needs to look like /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} (if using eg AD) this should happily deal with the 'windows logon' issue alan
Nope - no love! I'll capture a successful PEAP login when I manually enter the credentials, and the failed login when using the "windows" credentials. Standby. Gary -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.or g] On Behalf Of Alan Buxey Sent: Thursday, August 20, 2009 2:14 PM To: FreeRadius users mailing list Subject: Re: MS 8021.x PEAP failing Hi,
If in my PEAP conf I uncheck "Automatically use my Windows logon name and password" and enter my username/password manually - I auth fine.
I've been playing around with conf/module files trying to strip the DOMAIN out of my login request - but no luck!
this pretty muhc works out of the box... you just need to ensure that in your mschap module you have with_ntdomain_hack = yes and the ntlm_auth line needs to look like /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} (if using eg AD) this should happily deal with the 'windows logon' issue alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Whoops! I tried the change you mentioned and now can't get manual auth to work either. I commented out the working lines and restored them, but still no love! $hit..... -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.or g] On Behalf Of Gary Gatten Sent: Thursday, August 20, 2009 3:22 PM To: FreeRadius users mailing list Subject: RE: MS 8021.x PEAP failing Nope - no love! I'll capture a successful PEAP login when I manually enter the credentials, and the failed login when using the "windows" credentials. Standby. Gary -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.or g] On Behalf Of Alan Buxey Sent: Thursday, August 20, 2009 2:14 PM To: FreeRadius users mailing list Subject: Re: MS 8021.x PEAP failing Hi,
If in my PEAP conf I uncheck "Automatically use my Windows logon name and password" and enter my username/password manually - I auth fine.
I've been playing around with conf/module files trying to strip the DOMAIN out of my login request - but no luck!
this pretty muhc works out of the box... you just need to ensure that in your mschap module you have with_ntdomain_hack = yes and the ntlm_auth line needs to look like /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} (if using eg AD) this should happily deal with the 'windows logon' issue alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
OK, got manual PEAP auth working again. -----Original Message----- From: Gary Gatten Sent: Thursday, August 20, 2009 3:55 PM To: 'FreeRadius users mailing list' Subject: RE: MS 8021.x PEAP failing Whoops! I tried the change you mentioned and now can't get manual auth to work either. I commented out the working lines and restored them, but still no love! $hit..... -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.or g] On Behalf Of Gary Gatten Sent: Thursday, August 20, 2009 3:22 PM To: FreeRadius users mailing list Subject: RE: MS 8021.x PEAP failing Nope - no love! I'll capture a successful PEAP login when I manually enter the credentials, and the failed login when using the "windows" credentials. Standby. Gary -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.or g] On Behalf Of Alan Buxey Sent: Thursday, August 20, 2009 2:14 PM To: FreeRadius users mailing list Subject: Re: MS 8021.x PEAP failing Hi,
If in my PEAP conf I uncheck "Automatically use my Windows logon name and password" and enter my username/password manually - I auth fine.
I've been playing around with conf/module files trying to strip the DOMAIN out of my login request - but no luck!
this pretty muhc works out of the box... you just need to ensure that in your mschap module you have with_ntdomain_hack = yes and the ntlm_auth line needs to look like /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} (if using eg AD) this should happily deal with the 'windows logon' issue alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Check this out... I entered the Domain Name manually and it worked! So, now I have no freaking clue... I thought it was something with the "//" in the DomainName//UserName - but doesn't look like it. Here's some debug output. I snipped all the stuff before this output - from what I can tell it's exactly the same, but I guess I'll save it to a file and diff it to make sure. In the mean time: ** Here's manually using Domain Name in PEAP - working ** +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for ggatten with NT-Password [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=WADDELL\ggatten [mschap] mschap2: c0 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=SANITIZED [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response= SANITIZED Exec-Program output: NT_KEY: SANITIZED Exec-Program-Wait: plaintext: NT_KEY: SANITIZED Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ** Here's using Windows logon info automatically, NOT working ** +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for ggatten with NT-Password [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=WADDELL\ggatten [mschap] mschap2: 73 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge= SANITIZED [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response= SANITIZED Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Check this out... I entered the Domain Name manually and it worked! So, now I have no freaking clue... I thought it was something with the "//" in the DomainName//UserName - but doesn't look like it.
Here's some debug output. I snipped all the stuff before this output - from what I can tell it's exactly the same, but I guess I'll save it to a file and diff it to make sure. In the mean time:
** Here's using Windows logon info automatically, NOT working **
You haven't modified the ntlm_auth line in mschap module the way Alan suggested (and is also mentioned above the line in mschap module). Ivan Kalik Kalik Informatika ISP
participants (5)
-
Alan Buxey -
Garber, Neal -
Gary Gatten -
Irina -
Ivan Kalik