Re: Request for directions: WinXP + Samba + LDAP + 802.1x
Have you defined Auth-Type in users file to mschapv2 (don't do it)? What is the configuration for this user in the users file? On Tuesday 15 December 2009 13:00:07 you wrote:
As you can see, it says that it has stripped realm from username but it passes it along with username to ldap. How can I fix this?
Never mind. ldap filter did the job. Sorry about that.
Actually it's not working yet.
rad_recv: Access-Request packet from host 192.168.205.29 port 49154, id=0, length=178 Cleaning up request 15 ID 0 with timestamp +1232 NAS-IP-Address = 192.168.205.29 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "DOMAIN\\sti" State = 0x9bb6fc759d93e55343410152d73b1dba EAP-Message = 0x0225005b1900170301005046c5a952e0ad6d2ea7d132dd3c00c1a132df2329a23561c760d 4a45fb4f02e3bd1a848f5d4d3106ae52d4f442971b4c6aa4d0c157805647 9f03c76d350fc041b659e556368c4a63e30e09849d0aae29a Message-Authenticator = 0xf9700c8c22d81ecdb12a8f6731151a38 +- entering group authorize {...} ++[preprocess] returns ok [ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti" [ntdomain] Found realm "DOMAIN" [ntdomain] Adding Stripped-User-Name = "sti" [ntdomain] Adding Realm = "DOMAIN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 37 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x022500441a0225003f31a156d1579957b003643781fff8636e87000000000000000003367 b7948111ad6081798c179995c91c0268edae3409ae30046454152505c737 469 server { PEAP: Setting User-Name to DOMAIN\sti Sending tunneled request EAP-Message = 0x022500441a0225003f31a156d1579957b003643781fff8636e87000000000000000003367 b7948111ad6081798c179995c91c0268edae3409ae30046454152505c737 469 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "DOMAIN\\sti" State = 0x7b5d7eb57b7864abf97396c9fbfa8cb4 server { +- entering group authorize {...} ++[preprocess] returns ok [ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti" [ntdomain] Found realm "DOMAIN" [ntdomain] Adding Stripped-User-Name = "sti" [ntdomain] Adding Realm = "DOMAIN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 37 length 68 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 204 ++[files] returns ok [ldap] performing user authorization for sti [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=sti) [ldap] expand: ou=Users,dc=domain,dc=br -> ou=Users,dc=domain,dc=br rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Users,dc=domain,dc=br, with filter (uid=sti) [ldap] checking if remote access for sti is allowed by radiusFilterId [ldap] looking for check items in directory... rlm_ldap: userPassword -> User-Password == "{SMD5}/S4d+fNkBFL3TnpjceYuUiDPd+Q=" rlm_ldap: sambaNtPassword -> NT-Password == 0x4443384142353837303246373432304532443042323537333343453938394634 rlm_ldap: sambaLmPassword -> LM-Password == 0x3245414443463036424438463531344541414433423433354235313430344545 [ldap] looking for reply items in directory... rlm_ldap: radiusFilterId -> Filter-Id = "Enterasys:version=1:policy=Enterprise User" [ldap] user sti authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!! +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [DOMAIN\\sti/<via Auth-Type = EAP>] (from client tplink port 0 via TLS tunnel) } # server [peap] Got tunneled reply code 3 Filter-Id = "Enterasys:version=1:policy=Enterprise User" EAP-Message = 0x04250004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 Filter-Id = "Enterasys:version=1:policy=Enterprise User" EAP-Message = 0x04250004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.205.29 port 49154 EAP-Message = 0x012600261900170301001b5cfd418b7da0ea2be30d04270a1403956143966fe487e0870c4 b57 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9bb6fc759c90e55343410152d73b1dba Finished request 16. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.205.29 port 49154, id=0, length=125 Cleaning up request 16 ID 0 with timestamp +1232 NAS-IP-Address = 192.168.205.29 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "DOMAIN\\sti" State = 0x9bb6fc759c90e55343410152d73b1dba EAP-Message = 0x022600261900170301001b21b51585f6a2a91a76b4b00b320ac2a87db1c24bf9bfa298197 bf1 Message-Authenticator = 0x30d1290632d45610b95a3253910ba83b +- entering group authorize {...} ++[preprocess] returns ok [ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\sti" [ntdomain] Found realm "DOMAIN" [ntdomain] Adding Stripped-User-Name = "sti" [ntdomain] Adding Realm = "DOMAIN" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 38 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [DOMAIN\\sti/<via Auth-Type = EAP>] (from client tplink port 2) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> DOMAIN\sti attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 17 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 17 Sending Access-Reject of id 0 to 192.168.205.29 port 49154 EAP-Message = 0x04260004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 17 ID 0 with timestamp +1232 Ready to process requests.
And how can I set XP for it to try authenticate during logon proccess?
That first question remains....
2009/12/15 nf-vale <nf-vale@critical-links.com>:
Have you defined Auth-Type in users file to mschapv2 (don't do it)? What is the configuration for this user in the users file?
Not really. Actually, the users file is empty since my users info are stored on openldap. -- Fabiano Caixeta Duarte Especialista em Redes de Computadores Linux User #195299 Ribeirão Preto - SP
participants (2)
-
Fabiano Caixeta Duarte -
nf-vale