Fwd: Request for directions: WinXP + Samba + LDAP + 802.1x
As you can see, it says that it has stripped realm from username but it passes it along with username to ldap. How can I fix this?
Never mind. ldap filter did the job. Sorry about that. Actually it's not working yet. rad_recv: Access-Request packet from host 192.168.205.29 port 49154, id=0, length=178 Cleaning up request 15 ID 0 with timestamp +1232 NAS-IP-Address = 192.168.205.29 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "DOMAIN\\sti" State = 0x9bb6fc759d93e55343410152d73b1dba EAP-Message = 0x0225005b1900170301005046c5a952e0ad6d2ea7d132dd3c00c1a132df2329a23561c760d4a45fb4f02e3bd1a848f5d4d3106ae52d4f442971b4c6aa4d0c157805647 9f03c76d350fc041b659e556368c4a63e30e09849d0aae29a Message-Authenticator = 0xf9700c8c22d81ecdb12a8f6731151a38 +- entering group authorize {...} ++[preprocess] returns ok [ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti" [ntdomain] Found realm "DOMAIN" [ntdomain] Adding Stripped-User-Name = "sti" [ntdomain] Adding Realm = "DOMAIN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 37 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x022500441a0225003f31a156d1579957b003643781fff8636e87000000000000000003367b7948111ad6081798c179995c91c0268edae3409ae30046454152505c737 469 server { PEAP: Setting User-Name to DOMAIN\sti Sending tunneled request EAP-Message = 0x022500441a0225003f31a156d1579957b003643781fff8636e87000000000000000003367b7948111ad6081798c179995c91c0268edae3409ae30046454152505c737 469 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "DOMAIN\\sti" State = 0x7b5d7eb57b7864abf97396c9fbfa8cb4 server { +- entering group authorize {...} ++[preprocess] returns ok [ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti" [ntdomain] Found realm "DOMAIN" [ntdomain] Adding Stripped-User-Name = "sti" [ntdomain] Adding Realm = "DOMAIN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 37 length 68 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 204 ++[files] returns ok [ldap] performing user authorization for sti [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=sti) [ldap] expand: ou=Users,dc=domain,dc=br -> ou=Users,dc=domain,dc=br rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Users,dc=domain,dc=br, with filter (uid=sti) [ldap] checking if remote access for sti is allowed by radiusFilterId [ldap] looking for check items in directory... rlm_ldap: userPassword -> User-Password == "{SMD5}/S4d+fNkBFL3TnpjceYuUiDPd+Q=" rlm_ldap: sambaNtPassword -> NT-Password == 0x4443384142353837303246373432304532443042323537333343453938394634 rlm_ldap: sambaLmPassword -> LM-Password == 0x3245414443463036424438463531344541414433423433354235313430344545 [ldap] looking for reply items in directory... rlm_ldap: radiusFilterId -> Filter-Id = "Enterasys:version=1:policy=Enterprise User" [ldap] user sti authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [DOMAIN\\sti/<via Auth-Type = EAP>] (from client tplink port 0 via TLS tunnel) } # server [peap] Got tunneled reply code 3 Filter-Id = "Enterasys:version=1:policy=Enterprise User" EAP-Message = 0x04250004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 Filter-Id = "Enterasys:version=1:policy=Enterprise User" EAP-Message = 0x04250004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.205.29 port 49154 EAP-Message = 0x012600261900170301001b5cfd418b7da0ea2be30d04270a1403956143966fe487e0870c4b57 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9bb6fc759c90e55343410152d73b1dba Finished request 16. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.205.29 port 49154, id=0, length=125 Cleaning up request 16 ID 0 with timestamp +1232 NAS-IP-Address = 192.168.205.29 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "DOMAIN\\sti" State = 0x9bb6fc759c90e55343410152d73b1dba EAP-Message = 0x022600261900170301001b21b51585f6a2a91a76b4b00b320ac2a87db1c24bf9bfa298197bf1 Message-Authenticator = 0x30d1290632d45610b95a3253910ba83b +- entering group authorize {...} ++[preprocess] returns ok [ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti" [ntdomain] Found realm "DOMAIN" [ntdomain] Adding Stripped-User-Name = "sti" [ntdomain] Adding Realm = "DOMAIN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 38 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [DOMAIN\\sti/<via Auth-Type = EAP>] (from client tplink port 2) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> DOMAIN\sti attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 17 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 17 Sending Access-Reject of id 0 to 192.168.205.29 port 49154 EAP-Message = 0x04260004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 17 ID 0 with timestamp +1232 Ready to process requests.
And how can I set XP for it to try authenticate during logon proccess?
That first question still remains.... -- Fabiano Caixeta Duarte Especialista em Redes de Computadores Linux User #195299 Ribeirão Preto - SP
hi, adjust your matching ocndition in ldap - fix the :- issue adjust your LDAP assignments so that Cleartext-Password is known. does the LDAP store the password in a clear format or as some encrypted/hashed method? is this MS AD? we us ntlm_auth to authenticate users against the MS AD - simply bind the machine into the AD and then we dont need to worry about plain password etc MSCHAPv2 all the way. alan
2009/12/15 Alan Buxey <A.L.M.Buxey@lboro.ac.uk>:
hi,
adjust your matching ocndition in ldap - fix the :- issue
You mean a substitute for filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ???
adjust your LDAP assignments so that Cleartext-Password is known.
I use OpenLDAP with hashed passwords.
does the LDAP store the password in a clear format or as some encrypted/hashed method? is this MS AD?
No.
we us ntlm_auth to authenticate users against the MS AD - simply bind the machine into the AD and then we dont need to worry about plain password etc MSCHAPv2 all the way.
That's not my environment. Thank you though -- Fabiano Caixeta Duarte Especialista em Redes de Computadores Linux User #195299 Ribeirão Preto - SP
[ldap] looking for check items in directory... rlm_ldap: userPassword -> User-Password == "{SMD5}/S4d+fNkBFL3TnpjceYuUiDPd+Q=" rlm_ldap: sambaNtPassword -> NT-Password == 0x4443384142353837303246373432304532443042323537333343453938394634 rlm_ldap: sambaLmPassword -> LM-Password == 0x3245414443463036424438463531344541414433423433354235313430344545
OK, you have the NT-Password that can be used.
[eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
Well, default eap module knows about this type. Have you been playing with eap.conf? Ivan Kalik
Well, default eap module knows about this type. Have you been playing with eap.conf?
I touched, yes. But I had stripped mschap conf from default vhost and that was just wrong... Now everything is partially working. If client has already logged on (auth info cached by XP), he needs to restart the network connection for it to authenticate against freeradius. So, I'll try to understand what do I have to do so XP machines uses auth info during logon process to auth against freeradius. -- Fabiano Caixeta Duarte Especialista em Redes de Computadores Linux User #195299 Ribeirão Preto - SP
participants (3)
-
Alan Buxey -
Fabiano Caixeta Duarte -
tnt@kalik.net