VLAN Mapping with MS-CHAP

robiwan at arcor.de robiwan at arcor.de
Tue May 9 08:44:48 CEST 2006


> robiwan at arcor.de wrote:
> > 
> > robiwan: Okay, here is the complete output from my radiusd, when user roka
> > does a request:
> > sorry, it's huge
> > 
> > rad_recv: Access-Request packet from host 10.187.0.15:1645, id=231, length=137
> >         NAS-IP-Address = 10.187.0.15
> >         NAS-Port = 50103
> >         NAS-Port-Type = Ethernet
> >         User-Name = "WINLAB\\roka"
> >         Called-Station-Id = "00-14-69-5B-8B-03"
> >         Calling-Station-Id = "00-0B-5D-84-AE-CA"
> >         Service-Type = Framed-User
> >         Framed-MTU = 1500
> >         EAP-Message = 0x020000100157494e4c41425c726f6b61
> >         Message-Authenticator = 0x58539e67c56f220589cf69d3485c493d
> >   Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 0
> >   modcall[authorize]: module "preprocess" returns ok for request 0
> >   modcall[authorize]: module "chap" returns noop for request 0
> >   modcall[authorize]: module "mschap" returns noop for request 0
> >     rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
> >     rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop for request 0
> >   rlm_eap: EAP packet type response id 0 length 16
> >   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> >   modcall[authorize]: module "eap" returns updated for request 0
> >     users: Matched entry DEFAULT at line 185
> >   modcall[authorize]: module "files" returns ok for request 0
> > modcall: leaving group authorize (returns updated) for request 0
> 
> It should be obvious what's happening here. The "files" module is only 
> matching a DEFAULT entry. This is because your username is DOMAIN\user. 
> DOMAIN\user != user
> 
> Either do this to break the user into realm+user:
> 
> authorize {
>    preprocess
>    ntdomain
>    mschap
>    eap
>    files
> }
> 
> ...and this in proxy.conf:
> 
> realm WINLAB {
>    type = radius
>    authhost = LOCAL
>    accthost = LOCAL
>    strip
> }
> 
> OR edit your "users" to read:
> 
> WINLAB\\roka The-Stuff-Here := whatever
> 
> > peap {
> > default_eap_type = mschapv2
> > copy_request_to_tunnel = yes
> > use_tunneled_reply = yes
> > proxy_tunneled_request_as_eap = no
> >                 }
> > 
I edited my users as mentioned above.
That's it!!!

Thanks a lot.

Robert
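
Added example, not part of the original thread and not FreeRADIUS code: a small Python model of the mismatch diagnosed above. It decodes the EAP-Message from the debug output, then shows that the unsplit identity only reaches DEFAULT while the stripped name hits the user's own entry. The USERS table, its VLAN value, and the first-match lookup are simplifying assumptions.

```python
import struct

# EAP-Message value copied from the Access-Request in the debug output above.
EAP_MESSAGE_HEX = "020000100157494e4c41425c726f6b61"

# Constructed stand-in for a "users" file: ordered (name, reply) pairs.
# The VLAN number is a made-up sample value.
USERS = [
    ("roka", {"Tunnel-Private-Group-Id": "10"}),
    ("DEFAULT", {}),
]


def eap_identity(hex_value):
    """Return the identity string carried in an EAP-Response/Identity packet."""
    raw = bytes.fromhex(hex_value)
    code, ident, length, eap_type = struct.unpack("!BBHB", raw[:5])
    if code != 2 or eap_type != 1:
        raise ValueError("not an EAP-Response/Identity packet")
    if length != len(raw):
        raise ValueError("EAP length field does not match packet size")
    return raw[5:length].decode("ascii")


def split_ntdomain(user_name):
    """Split DOMAIN\\user into (realm, user); no backslash means no realm."""
    realm, sep, user = user_name.partition("\\")
    return (realm, user) if sep else (None, user_name)


def users_lookup(name, users=USERS):
    """Simplified model: first exact-name match wins; DEFAULT matches any name."""
    for entry_name, reply in users:
        if entry_name in (name, "DEFAULT"):
            return entry_name, reply
    return None, {}


if __name__ == "__main__":
    identity = eap_identity(EAP_MESSAGE_HEX)
    # Unsplit name: falls through to DEFAULT, so no per-user attributes.
    print(identity, "->", users_lookup(identity))
    realm, stripped = split_ntdomain(identity)
    # After realm stripping: matches the per-user entry.
    print(realm, stripped, "->", users_lookup(stripped))
```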


