EAP-MSCHAP v2 + LDAP: Identity does not match User-Name, setting from EAP Identity.
Hi, I've configured FreeRADIUS (version 1.1.7, supplied with SLES10) to authenticate from Novell eDirectory with LDAP. The problem is that I can't connect to the network when I check the "Automatically use my Windows logon name and password" on a WinXP client's PEAP properties. This is the output of radiusd -A -X: rad_recv: Access-Request packet from host 10.128.128.3:1812, id=15, length=194 User-Name = "E00\\user1" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-26-CA-8D-A7-85" Calling-Station-Id = "00-0B-CD-04-75-8C" Attr-102 = 0x NAS-Port-Type = Ethernet NAS-Port = 50005 NAS-Port-Id = "FastEthernet0/5" NAS-IP-Address = 10.128.128.1 EAP-Message = 0x0201000e014530305c7573657231 Proxy-State = 0x280000000000000646010000400900000000000000000000a74212c6bb2daec4f3110aa90d1af235 Message-Authenticator = 0x928d46624aad188e71d3c6bbd88af6f1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "user1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry user1 at line 88 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for user1 radius_xlat: '(uid=user1)' radius_xlat: 'o=snac' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.128.128.5:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/ip_cert.b64 rlm_ldap: bind as cn=admin,o=snac/xxx to 10.128.128.5:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=snac, with filter (uid=user1) rlm_ldap: checking if remote access for user1 is allowed by dialupAccess rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user user1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Login incorrect: [user1/<no User-Password attribute>] (from client lan port 50005 cli 00-0B-CD-04-75-8C) Found Post-Auth-Type Processing the post-auth section of radiusd.conf modcall: entering group REJECT for request 0 modcall[post-auth]: module "ldap" returns noop for request 0 modcall: leaving group REJECT (returns noop) for request 0 Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 15 to 10.128.128.3 port 1812 Proxy-State = 0x280000000000000646010000400900000000000000000000a74212c6bb2daec4f3110aa90d1af235 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 15 with timestamp 4c06337d Nothing to do. Sleeping until we see a request. The with_ntdomain_hack directive is set to "yes" in the preprocess and mschap modules of radiusd.conf. When I set it to "no" and uncheck the "Automatically use my Windows..." and enter the user's credentials in a pop-up box, it's working fine. Could you guys help me with this problem? Thanks in advance. Regards, Andras
Switch to the newsiest freeradius version. Maybe it will help. 2010/6/2 Andras Dosztal <adosztal@gmail.com>:
Hi,
I've configured FreeRADIUS (version 1.1.7, supplied with SLES10) to authenticate from Novell eDirectory with LDAP. The problem is that I can't connect to the network when I check the "Automatically use my Windows logon name and password" on a WinXP client's PEAP properties. This is the output of radiusd -A -X:
rad_recv: Access-Request packet from host 10.128.128.3:1812, id=15, length=194 User-Name = "E00\\user1" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-26-CA-8D-A7-85" Calling-Station-Id = "00-0B-CD-04-75-8C" Attr-102 = 0x NAS-Port-Type = Ethernet NAS-Port = 50005 NAS-Port-Id = "FastEthernet0/5" NAS-IP-Address = 10.128.128.1 EAP-Message = 0x0201000e014530305c7573657231 Proxy-State = 0x280000000000000646010000400900000000000000000000a74212c6bb2daec4f3110aa90d1af235 Message-Authenticator = 0x928d46624aad188e71d3c6bbd88af6f1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "user1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry user1 at line 88 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for user1 radius_xlat: '(uid=user1)' radius_xlat: 'o=snac' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.128.128.5:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/ip_cert.b64 rlm_ldap: bind as cn=admin,o=snac/xxx to 10.128.128.5:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=snac, with filter (uid=user1) rlm_ldap: checking if remote access for user1 is allowed by dialupAccess rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user user1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 0 modcall: leaving group authenticate (returns invalid) for request 0 auth: Failed to validate the user. Login incorrect: [user1/<no User-Password attribute>] (from client lan port 50005 cli 00-0B-CD-04-75-8C) Found Post-Auth-Type Processing the post-auth section of radiusd.conf modcall: entering group REJECT for request 0 modcall[post-auth]: module "ldap" returns noop for request 0 modcall: leaving group REJECT (returns noop) for request 0 Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 15 to 10.128.128.3 port 1812 Proxy-State = 0x280000000000000646010000400900000000000000000000a74212c6bb2daec4f3110aa90d1af235 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 15 with timestamp 4c06337d Nothing to do. Sleeping until we see a request.
The with_ntdomain_hack directive is set to "yes" in the preprocess and mschap modules of radiusd.conf. When I set it to "no" and uncheck the "Automatically use my Windows..." and enter the user's credentials in a pop-up box, it's working fine. Could you guys help me with this problem? Thanks in advance.
Regards, Andras
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Pozdrawiam! Maciej Drobniuch
I've upgraded to 2.1.8, but now I can't even authenticate with the pop-up box. Debug output: http://pastebin.ca/1875922 Regards, Andras On Wed, 02 Jun 2010 12:35:11 +0200, Maciej Drobniuch <maciej@drobniuch.pl> wrote:
Switch to the newsiest freeradius version. Maybe it will help.
2010/6/2 Andras Dosztal <adosztal@gmail.com>:
Hi,
I've configured FreeRADIUS (version 1.1.7, supplied with SLES10) to authenticate from Novell eDirectory with LDAP. The problem is that I can't connect to the network when I check the "Automatically use my Windows logon name and password" on a WinXP client's PEAP properties. This is the output of radiusd -A -X:
[...] The with_ntdomain_hack directive is set to "yes" in the preprocess and mschap modules of radiusd.conf. When I set it to "no" and uncheck the "Automatically use my Windows..." and enter the user's credentials in a pop-up box, it's working fine.
In freeradius 2.x use ClearText-Password instead of User-Password! 2010/6/2 Andras Dosztal <adosztal@gmail.com>:
I've upgraded to 2.1.8, but now I can't even authenticate with the pop-up box. Debug output: http://pastebin.ca/1875922
Regards, Andras
On Wed, 02 Jun 2010 12:35:11 +0200, Maciej Drobniuch <maciej@drobniuch.pl> wrote:
Switch to the newsiest freeradius version. Maybe it will help.
2010/6/2 Andras Dosztal <adosztal@gmail.com>:
Hi,
I've configured FreeRADIUS (version 1.1.7, supplied with SLES10) to authenticate from Novell eDirectory with LDAP. The problem is that I can't connect to the network when I check the "Automatically use my Windows logon name and password" on a WinXP client's PEAP properties. This is the output of radiusd -A -X:
[...] The with_ntdomain_hack directive is set to "yes" in the preprocess and mschap modules of radiusd.conf. When I set it to "no" and uncheck the "Automatically use my Windows..." and enter the user's credentials in a pop-up box, it's working fine.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Pozdrawiam! Maciej Drobniuch
Sorry for the dumb question, but where can I configure that? On Wed, 02 Jun 2010 13:34:29 +0200, Maciej Drobniuch <maciej@drobniuch.pl> wrote:
In freeradius 2.x use ClearText-Password instead of User-Password!
2010/6/2 Andras Dosztal <adosztal@gmail.com>:
I've upgraded to 2.1.8, but now I can't even authenticate with the pop-up box. Debug output: http://pastebin.ca/1875922
If you are using users file, you have it located there. exp: "testuser" Cleartext-Password := "test123" 2010/6/2 Andras Dosztal <adosztal@gmail.com>:
Sorry for the dumb question, but where can I configure that?
On Wed, 02 Jun 2010 13:34:29 +0200, Maciej Drobniuch <maciej@drobniuch.pl> wrote:
In freeradius 2.x use ClearText-Password instead of User-Password!
2010/6/2 Andras Dosztal <adosztal@gmail.com>:
I've upgraded to 2.1.8, but now I can't even authenticate with the pop-up box. Debug output: http://pastebin.ca/1875922
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Pozdrawiam! Maciej Drobniuch
I'm using LDAP with an eDirectory backend. On Wed, 02 Jun 2010 16:26:19 +0200, Maciej Drobniuch <maciej@drobniuch.pl> wrote:
If you are using users file, you have it located there. exp: "testuser" Cleartext-Password := "test123" 2010/6/2 Andras Dosztal <adosztal@gmail.com>:
Sorry for the dumb question, but where can I configure that?
I'm not using ldap(and i've never used before) so try to find some where the variable User-Password and replace it with ClearText-Password. 2010/6/2 Andras Dosztal <adosztal@gmail.com>:
I'm using LDAP with an eDirectory backend.
On Wed, 02 Jun 2010 16:26:19 +0200, Maciej Drobniuch <maciej@drobniuch.pl> wrote:
If you are using users file, you have it located there. exp: "testuser" Cleartext-Password := "test123" 2010/6/2 Andras Dosztal <adosztal@gmail.com>:
Sorry for the dumb question, but where can I configure that?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Pozdrawiam! Maciej Drobniuch
On 06/02/2010 12:03 PM, Maciej Drobniuch wrote:
I'm not using ldap(and i've never used before) so try to find some where the variable User-Password and replace it with ClearText-Password.
This has been answered multiple times on this list (including recently). Try searching the archives.
2010/6/2 Andras Dosztal<adosztal@gmail.com>:
I'm using LDAP with an eDirectory backend.
On Wed, 02 Jun 2010 16:26:19 +0200, Maciej Drobniuch<maciej@drobniuch.pl> wrote:
If you are using users file, you have it located there. exp: "testuser" Cleartext-Password := "test123" 2010/6/2 Andras Dosztal<adosztal@gmail.com>:
Sorry for the dumb question, but where can I configure that?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
participants (3)
-
Andras Dosztal -
John Dennis -
Maciej Drobniuch