rlm_eap: identity does not match User-Name, setting from EAP identity
NNTP Newsagent
newsacct8080 at yahoo.com
Sat Mar 18 00:39:24 CET 2006
I sent this earlier but it doesn't look like it made it, so here it goes again.
This is the output from radiusd -X
rad_recv: Access-Request packet from host 192.168.3.44:1645, id=139, length=139
User-Name = "UPG\\test"
Framed-MTU = 1400
Called-Station-Id = "0013.8032.40d1"
Calling-Station-Id = "0090.4b1d.86cc"
Service-Type = Login-User
Message-Authenticator = 0x719f121abfb3b27a8746acabe0e1b6c6
EAP-Message = 0x0202000f123d4544566a726176616c
NAS-Port-Type = Wireless-802.11
NAS-Port = 1527
NAS-IP-Address = 192.168.3.44
NAS-Identifier = "Cisco_AP"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 32
modcall[authorize]: module "preprocess" returns ok for request 32
rlm_eap: EAP packet type response id 2 length 15
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 32
rlm_realm: No '/' in User-Name = "test", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "test"
rlm_realm: Proxying request from user test to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 32
users: Matched entry DEFAULT at line 1
modcall[authorize]: module "files" returns ok for request 32
modcall[authorize]: module "etc_smbpasswd" returns notfound for request 32
modcall: group authorize returns updated for request 32
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 32
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler
modcall[authenticate]: module "eap" returns invalid for request 32
modcall: group authenticate returns invalid for request 32
auth: Failed to validate the user.
Delaying request 32 for 1 seconds
Finished request 32
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 139 to 192.168.3.44:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 32 ID 139 with timestamp 441affff
Nothing to do. Sleeping until we see a request.
Alan DeKok <aland at ox.org> wrote: Agent Smith wrote:
> When a user connectes, they are presented with a login
> box (username, password and domain name) if they put a
> domain name in the domain field, radius can't
> authenticate them and gives that error message. when
> the domain field is left empty, it works fine.
You should be able to use a module before 'eap" to fix the Username.
> I read some posting that talked about how you have to
> turn off ntdomain_hack off and I tried that, it didn't
> gave me that error but then the ntlm_auth failed
> saying 'NO SUCH USER' so my guess is that the
> user-name has to be exactly same as what gets sent
> into EAP message.
If you're using ntlm_auth, you're not using EAP-TLS. You're using
EAP-PEAP, there's a difference.
And the ntlm_auth program is run *only* inside of the TLS tunnel,
where there's no certificate, so matching username to certificate
isn't a problem.
> has anyone else ran into this? any ideas on how to fix
> it?
Run the server in debugging mode and post the results to the list.
Odds are there's a simple way to do what you want.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------------------------------
Yahoo! Mail
Use Photomail to share photos without annoying attachments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20060317/9aa1d18c/attachment.html>
More information about the Freeradius-Users
mailing list