VLAN Mapping with MS-CHAP
Phil Mayers
p.mayers at imperial.ac.uk
Mon May 8 18:57:39 CEST 2006
robiwan at arcor.de wrote:
>
> robiwan: Okay, here is the complete output from my radiusd when user roka does a request:
> sorry, it's huge
>
> rad_recv: Access-Request packet from host 10.187.0.15:1645, id=231, length=137
> NAS-IP-Address = 10.187.0.15
> NAS-Port = 50103
> NAS-Port-Type = Ethernet
> User-Name = "WINLAB\\roka"
> Called-Station-Id = "00-14-69-5B-8B-03"
> Calling-Station-Id = "00-0B-5D-84-AE-CA"
> Service-Type = Framed-User
> Framed-MTU = 1500
> EAP-Message = 0x020000100157494e4c41425c726f6b61
> Message-Authenticator = 0x58539e67c56f220589cf69d3485c493d
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: EAP packet type response id 0 length 16
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
> users: Matched entry DEFAULT at line 185
> modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns updated) for request 0
It should be obvious what's happening here. The "files" module is only
matching a DEFAULT entry. This is because your username is DOMAIN\user.
DOMAIN\user != user
Either do this to break the user into realm+user:

    authorize {
        preprocess
        ntdomain
        mschap
        eap
        files
    }

...and this in proxy.conf:

    realm WINLAB {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        strip
    }

OR edit your "users" to read:

    WINLAB\\roka The-Stuff-Here := whatever

>
> peap {
> default_eap_type = mschapv2
> copy_request_to_tunnel = yes
> use_tunneled_reply = yes
> proxy_tunneled_request_as_eap = no
> }
>
You may not in fact need these if this was the problem, though I always
enable them since if you later on start matching on other attributes
(e.g. SSID, etc.) they need to be copied to/from the inner tunnel.
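As an added illustration, not part of the original reply or of FreeRADIUS itself, the following Python mimics what the ntdomain/suffix realm step does to a User-Name and why a "users" entry keyed on the bare name only matches once the realm is stripped. The realm table, the users-file keys and the request names are constructed for the example; the function names are hypothetical and do not correspond to FreeRADIUS module APIs.

```python
"""Added example: realm splitting and users-file matching, in the style of
FreeRADIUS's ntdomain / suffix handling.  Not FreeRADIUS code."""

from typing import Dict, Optional, Tuple


def split_ntdomain(user_name: str) -> Tuple[Optional[str], str]:
    """DOMAIN\\user -> (DOMAIN, user); no backslash -> (None, user_name).

    This is the ntdomain style: the realm is the prefix before the
    first backslash.
    """
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return realm, user
    return None, user_name


def split_suffix(user_name: str) -> Tuple[Optional[str], str]:
    """user@realm -> (realm, user); no '@' -> (None, user_name).

    This is the suffix style, which is why the log shows
    "No '@' in User-Name" for a DOMAIN\\user name.
    """
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return realm, user
    return None, user_name


def match_users_entry(user_name: str, users_keys) -> str:
    """Return the first users-file key that matches.

    A key matches only when it equals the User-Name exactly, or when it is
    DEFAULT.  Keys are compared in file order, as the files module does.
    """
    for key in users_keys:
        if key == "DEFAULT" or key == user_name:
            return key
    return "<no match>"


def authorize(user_name: str,
              local_realms: Dict[str, bool],
              users_keys) -> Dict[str, Optional[str]]:
    """Run the ntdomain step (if a realm is configured) and then the files
    lookup, returning what happened at each stage.

    local_realms maps realm name -> strip flag, standing in for the
    proxy.conf 'realm WINLAB { ... strip }' block.
    """
    realm, user = split_ntdomain(user_name)
    if realm is None:
        realm, user = split_suffix(user_name)

    # Only a configured realm with 'strip' rewrites the User-Name.
    if realm is not None and local_realms.get(realm, False):
        effective_name = user
    else:
        effective_name = user_name

    return {
        "realm": realm,
        "effective_user_name": effective_name,
        "matched_entry": match_users_entry(effective_name, users_keys),
    }


if __name__ == "__main__":
    # Constructed users file: a real entry for roka, then the DEFAULT.
    # In the users file the key is written WINLAB\\roka because the
    # backslash must be escaped there.
    users_keys = ["roka", "DEFAULT"]

    print(authorize("WINLAB\\roka", {}, users_keys))
    print(authorize("WINLAB\\roka", {"WINLAB": True}, users_keys))
    print(authorize("WINLAB\\roka", {}, ["WINLAB\\roka", "DEFAULT"]))
```

The first call reproduces the log above (no realm configured, so the files module falls through to DEFAULT); the second shows the effect of the ntdomain-plus-strip fix; the third shows the alternative of keying the users entry on the full DOMAIN\user name.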