freeradius, windows 2003 ADS - authentication fails
Jacob Jarick
mem.namefix at gmail.com
Thu Apr 12 14:23:38 CEST 2007
OK,
1st off here is the document I have been following:
http://www.swami.se/swami/space/Categories/EduRoam/Workshop+about+eduroam+implementation/freeRadius_AD_tutorial.pdf
I have managed to get all tests and commands working except for
radtest (which i found out via google) and having an xpro client login
via wireless (as per the guide).
Sorry about only posting the debug info from the wireless session and
only the results from radtest, as I said earlier I will retest
tomorrow and repost correctly.
I definitely need to find out what is mangling the user name, the
document also mentions something about it (which I did follow).
"
Make sure that the following lines are uncommented and that the
value is the same as indicated here.
authtype = MS-CHAP
with_ntdomain_hack = yes
Ntdomain_hack is necessary to correct an error due to the
challenge/response and the format in which the user information is
sent.
"
I just re read the erd.conf I included, all seems fine (but dont take
my word on that) the only bit Im curious about is :
"
# This module is the *Microsoft* implementation of MS-CHAPv2
# in EAP. There is another (incompatible) implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
# currently support.
#
mschapv2 {
}
}
"
Its inside the peap { backets. Should mschapv2 brackets have any
configuration options ?
Ive been doing some more looking @ the config files (I can only read
the attached ones atm).
Thanks again for the help :)
On 4/12/07, Jacob Jarick <mem.namefix at gmail.com> wrote:
> Thanks for your prompt reply Alan,
> My 1st post so forgive the omission, I will clear the logs then post
> radtest and the log info tomorrow once at work.
>
> On 4/12/07, Alan DeKok <aland at deployingradius.com> wrote:
> > Jacob Jarick wrote:
> > > Hi I have recently setup freeradius on fedora 6 and I need it to
> > > authenticate against windows ADS. Currently the requests come through
> > > the AP but are rejected by freeradius.
> >
> > The reason is in the logs.
> >
> > > [root at fedora raddb]# radtest Administrator tfxsol 127.0.0.1:1812 10 testing123
> > > Sending Access-Request of id 40 to 127.0.0.1 port 1812
> > > User-Name = "Administrator"
> > > User-Password = "tfxsol"
> > > NAS-IP-Address = 255.255.255.255
> > > NAS-Port = 10
> > > rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=40, length=20
> >
> > Unfortunately, you've showed radtest giving a reject, but have NOT
> > shown the corresponding debugging output from radtest. Instead, the
> > debugging output is from a login via the AP:
> > ...
> > > rad_recv: Access-Request packet from host 10.1.1.110:1645, id=117, length=164
> > > User-Name = "TFXSCHOOL\\Administrator"
> >
> > Which is not the "radtest" packet you quoted above.
> >
> > > rlm_eap: Identity does not match User-Name, setting from EAP Identity.
> > > rlm_eap: Failed in handler
> >
> > Read "eap.conf". Also, see which module is mangling the User-Name
> > attribute.
> >
> > Alan DeKok.
> > --
> > http://deployingradius.com - The web site of the book
> > http://deployingradius.com/blog/ - The blog
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
>
More information about the Freeradius-Users
mailing list