It seems to be not a particular question, but... client - winxp wireless, ap - AIR-AP1131AG-E-K9, server 1.1.6. fresh install. certificates generated according to CA.all (with xp-extension and conversion to pkcs12) eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = xxxxx private_key_file = ${raddbdir}/certs/merlin-crt.pem certificate_file = ${raddbdir}/certs/merlin-crt.pem CA_file = ${raddbdir}/certs/cacert.pem dh_key_length = 1024 dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom } peap { default_eap_type = mschapv2 } mschapv2 { } } Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 224 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert read:fatal:bad certificate TLS_accept:failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 224 modcall: leaving group authenticate (returns reject) for request 224 auth: Failed to validate the user. -- Olimp, System Administrator IT Dept. Fax. +380(62)381-3428 Tel. +380(62)381-3978-5 ---- Looking forward to reading yours. RUFF-RIPE DI76-GANDI RUFF-6BONE Ruslan N. Marchenko
On Tue, 12 Jun 2007 07:56:28 +0100 "Ruslan N. Marchenko" <ruff@olimp.ua> wrote:
It seems to be not a particular question, but...
client - winxp wireless, ap - AIR-AP1131AG-E-K9, server 1.1.6. fresh install. certificates generated according to CA.all (with xp-extension and conversion to pkcs12)
Dumb question, nothing to say or ignore? -- Olimp, System Administrator IT Dept. Fax. +380(62)381-3428 Tel. +380(62)381-3978-5 ---- Looking forward to reading yours. RUFF-RIPE DI76-GANDI RUFF-6BONE Ruslan N. Marchenko
On Tue, 12 Jun 2007 07:56:28 +0100 "Ruslan N. Marchenko" <ruff@olimp.ua> wrote:
It seems to be not a particular question, but...
client - winxp wireless, ap - AIR-AP1131AG-E-K9, server 1.1.6. fresh install. certificates generated according to CA.all (with xp-extension and conversion to pkcs12)
Ok, tls seems to be working now. But ntlm_auth fails. It pass username with domain name, despite --username=%{Stripped-User-Name:-%{User-Name:-None}} option and with_ntdomain_hack = yes in mschapv2 section in eap.conf. radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain' radius_xlat: '--domain=headquarters' radius_xlat: '--username=headquarters\\test' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 41 radius_xlat: '--challenge=67b84c92c98d2be0' radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '--nt-response=52471b2a1db2fa3a00a03c182551317e48acea4a4f30f393' Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 maybe there are some more options to specify in order to make it work properly? -- Olimp, System Administrator IT Dept. Fax. +380(62)381-3428 Tel. +380(62)381-3978-5 ---- Looking forward to reading yours. RUFF-RIPE DI76-GANDI RUFF-6BONE Ruslan N. Marchenko
Hi,
radius_xlat: '--nt-response=52471b2a1db2fa3a00a03c182551317e48acea4a4f30f393' Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
ta-da! either you arent running winbindd, or the permissions for it are wrong (eg winbind_priviledged directory, or what you are sending to the server is wrong - eg wrong realm or userid etc. alan
On Thu, 14 Jun 2007 12:44:42 +0100 A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
radius_xlat: '--nt-response=52471b2a1db2fa3a00a03c182551317e48acea4a4f30f393' Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
ta-da! either you arent running winbindd, or the permissions for it are wrong (eg winbind_priviledged directory, or what you are sending to the server is wrong - eg wrong realm or userid etc.
nope, I've already fixed directory permission. Problem is in domain prefix. When i manually enter ntlm_auth command with such parameters it gives me no such user. But without domain - success. -- Olimp, System Administrator IT Dept. Fax. +380(62)381-3428 Tel. +380(62)381-3978-5 ---- Looking forward to reading yours. RUFF-RIPE DI76-GANDI RUFF-6BONE Ruslan N. Marchenko
On Thu, 14 Jun 2007 12:44:42 +0100 A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
radius_xlat: '--nt-response=52471b2a1db2fa3a00a03c182551317e48acea4a4f30f393' Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
ta-da! either you arent running winbindd, or the permissions for it are wrong (eg winbind_priviledged directory, or what you are sending to the server is wrong - eg wrong realm or userid etc.
Oh, about realms... It seems like one of realms depicted in default config - ntdomain # # 'domain\user' # realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } but i didn't specify any realm in client configuration. -- Olimp, System Administrator IT Dept. Fax. +380(62)381-3428 Tel. +380(62)381-3978-5 ---- Looking forward to reading yours. RUFF-RIPE DI76-GANDI RUFF-6BONE Ruslan N. Marchenko
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Ruslan N. Marchenko