You _cannot_ read the unicodePwd attribute (where the actual passwd lies) from AD. It can only be written to, and then only under certain conditions (SSL/TLS connection, and if not written by an admin, then a delete/add must be performed in the same operation).
This is why you should use ntlm_auth w/PEAP for AD auth. You could be able to auth against LDAP (PAP) in a TTLS situation (not tried that yet, so I don't know how it would work), but you will never retrieve the unicodePwd attribute.
Hope this helps.
OK. Back to the drawing board... I looked at my options regarding the authenitication method on the W2K client and noticed that I can also used Protected EAP (PEAP). So I switched the client to this. When I tried the authenitication again, this time I get: rlm_eap: Identity does not match User-Name, setting from EAP Identity I did more searches on this error, and tried several suggestions, from using the hints file: DEFAULT Prefix == "MEM\\", Strip-User-Name = Yes Hint = "MEM", Service-Type = Framed-User, Framed-Protocol = PPP I also ensured that use_with_nt_hack was set to "no" in the preprocessor section. I modified the proxy.conf file for the local domain: realm MEM { type = radius authhost = LOCAL accthost = LOCAL } and no matter what I do I still get this error... There was a post on the mailing list that mentioned that some patches were applied to freeradius in Nov 2004, I took a look at the freeradius version I was using on my Fedora Core 3 box and it shows: radiusd: FreeRADIUS Version 1.0.1, for host , built on Oct 6 2004 at 05:25:02 Copyright (C) 2000-2003 The FreeRADIUS server project. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. I wonder if this is now my problem..... I have attached the debug output: rad_recv: Access-Request packet from host 172.16.5.71:1645, id=235, length=93 User-Name = "MEM\\RGraham" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.5.71 NAS-Port = 24 EAP-Message = 0x02000010014d454d5c5247726168616d Message-Authenticator = 0xeeeaea4ed86a064f533da57687432cb4 rad_lowerpair: User-Name now 'mem\rgraham' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 hints: Matched DEFAULT at 41 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/var/log/radius/radacct/172.16.5.71/auth-detail-20050630' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.5.71/auth-detail-20050630 modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "rgraham", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall[authorize]: module "files" returns notfound for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for rgraham radius_xlat: '(sAMAccountName=rgraham)' radius_xlat: 'ou=mem users,dc=mem-ins,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to mem-dc.mem-ins.com:389, authentication 0 rlm_ldap: bind as cn=administrator,ou=admin,ou=mem users,dc=mem-ins,dc=com/{secret} to mem-dc.mem-ins.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=mem users,dc=mem-ins,dc=com, with filter (sAMAccountName=rgraham) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user rgraham authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 0 modcall: group authenticate returns invalid for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0
"Graham, Robert" <rgraham@mem-ins.com> wrote:
rlm_eap: Identity does not match User-Name, setting from EAP Identity
I did more searches on this error, and tried several suggestions, from using the hints file:
DEFAULT Prefix == "MEM\\", Strip-User-Name = Yes
That would cause the problem. The default configuration of the server DOES NOT have rlm_eap produce that message. You've added something to create the problem. Start off with the default configuration of the server, and test it. Make changes, test them, and repeat, until you have the configuration you want.
I have attached the debug output: .. rad_lowerpair: User-Name now 'mem\rgraham'
Why have you configured that? It's causing the problem. The debug output is telling you that the User-Name doesn't match something else, and it's ALSO telling you that you've configured it to change the User-Name, So.... don't change the User-Name. Alan DeKok.
participants (2)
-
Alan DeKok -
Graham, Robert