again: 802.1x auto login with win login/pass
Hegedus Gabor
hegedus.gabor at ewn.hu
Tue Nov 18 12:16:38 CET 2008
>
>> >>Hi all, I have a problem: I can't authenticate my user with the Windows login user/pass.
>> >>
>> >>I use:
>> >>- 802.1x
>> >>- newest freeradius, and ubuntu 8.4
>> >>- eap-tls
>> >>- win xp sp2 client, use automatic win logon and pass
>> >>
>> >>When "Automatically use my Windows login name and password" is unchecked
>> >>on Windows, I type the user/pass and my RADIUS accepts the request,
>> >>and everything is okay.
>> >>
>> >>But when I try it with the automatic Windows login/pass, the RADIUS rejects the
>> >>request.
>> >>I set with-ntdomain-hack=yes in preprocess and it cuts off the domain part.
>> >>It seems okay but it still rejects.
>> >>
>> >>I have good user settings.
>> >>
>> >>What is the problem? Password encryption?
>> >>
>>
> >
> > No.
> >
>
>> >>the debug log:
>> >>
>> >>rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=228,
>> >>length=160
>>
> > ..
>
>> >> User-Name = "DOMAIN\\Joe"
>>
> > ..
>
>> >>[suffix] No '@' in User-Name = "Joe", looking up realm NULL
>>
> > ..
>
>> >>[eap] Identity does not match User-Name, setting from EAP Identity.
>>
> > ..
> >
> > You are rewriting the User-Name. Don't do that.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
>
When I use with-ntdomain-hack=no, the result is:
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=137, length=200
NAS-IP-Address = 192.168.1.1
NAS-Port = 50003
Cisco-NAS-Port = "FastEthernet0/3"
NAS-Port-Type = Ethernet
User-Name = "DOMAIN\\Joe"
Called-Station-Id = "00-09-B7-94-CA-83"
Calling-Station-Id = "00-13-D4-E7-B3-FB"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xd2b62910daab305146382a3fd0fd1f65
EAP-Message = 0x021d00261900170301001b4857496f15b6b51dff76c2cd1e72b58feb956122b8ae08030ba37d
Message-Authenticator = 0x2361c53f5b43fce8fdfa4799b5112dde
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\Joe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 29 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [DOMAIN\\Joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> DOMAIN\Joe
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 29 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 29
Sending Access-Reject of id 137 to 192.168.1.1 port 1812
EAP-Message = 0x041d0004
Message-Authenticator = 0x00000000000000000000000000000000
Rejected too.
GH
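The two debug transcripts in this thread show the two things worth checking first when a PEAP session is rejected: whether something rewrote the outer User-Name before the eap module saw it (the "[eap] Identity does not match User-Name" line in the first log, after with-ntdomain-hack stripped "DOMAIN\" from "DOMAIN\Joe"), and whether the reject in the round you are staring at is only the echo of a failure from an earlier round of the same session ("Had sent TLV failure. User was rejected earlier in this session" in the second log). The script below is an added triage helper written for this page; it is not part of FreeRADIUS or of anything posted in the thread. It assumes the FreeRADIUS 2.x `radiusd -X` line formats visible above, and the transcript it parses is constructed: a condensed version of the two logs in the thread, with the closing Access-Challenge of the first round added as an assumption since the original quote was cut there.

```python
"""Triage helper for FreeRADIUS 2.x debug output (radiusd -X) of 802.1X/PEAP
sessions.  Added example for this thread, not FreeRADIUS code.  It groups the
transcript into one record per Access-Request and reports (a) whether the
outer User-Name was rewritten before the eap module saw it and (b) whether a
PEAP reject is only the echo of a failure earlier in the same session."""
import re

RE_RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
RE_ATTR = re.compile(r"^\s*([\w-]+) = (.*)$")
RE_SUFFIX = re.compile(r'^\[suffix\] No \'@\' in User-Name = "(.*)", looking up realm (\S+)')
RE_SEND = re.compile(r"^Sending Access-(Accept|Reject|Challenge) of id (\d+)")
MISMATCH = "[eap] Identity does not match User-Name"
EARLIER = "User was rejected earlier in this session"

# Constructed sample: condensed from the two logs in the thread.  The
# Access-Challenge closing the first round is assumed (the quote stopped short).
SAMPLE_DEBUG = r"""rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=228, length=160
    NAS-IP-Address = 192.168.1.1
    User-Name = "DOMAIN\\Joe"
    Calling-Station-Id = "00-13-D4-E7-B3-FB"
    State = 0xd2b62910daab305146382a3fd0fd1f65
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "Joe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] Identity does not match User-Name, setting from EAP Identity.
++[eap] returns updated
Sending Access-Challenge of id 228 to 192.168.1.1 port 1812
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=137, length=200
    NAS-IP-Address = 192.168.1.1
    User-Name = "DOMAIN\\Joe"
    Calling-Station-Id = "00-13-D4-E7-B3-FB"
    State = 0xd2b62910daab305146382a3fd0fd1f65
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "DOMAIN\Joe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
++[eap] returns invalid
Failed to authenticate the user.
Sending Access-Reject of id 137 to 192.168.1.1 port 1812
"""


def unquote(value):
    """Undo the debug printer's quoting: "DOMAIN\\\\Joe" -> DOMAIN\\Joe."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value.replace("\\\\", "\\")


def split_ntdomain(name):
    """What with-ntdomain-hack does to the name: DOMAIN\\Joe -> ("DOMAIN", "Joe")."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return domain, user
    return None, name


def parse_debug(text):
    """One record per rad_recv block: packet attributes, what suffix saw, and flags."""
    records, cur = [], None
    for line in text.splitlines():
        m = RE_RECV.match(line)
        if m:
            cur = {"client": m.group(1), "id": int(m.group(2)), "attrs": {},
                   "seen_by_suffix": None, "realm": None,
                   "identity_mismatch": False, "earlier_reject": False, "result": None}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = RE_ATTR.match(line)
        if m:
            cur["attrs"][m.group(1)] = unquote(m.group(2))
            continue
        m = RE_SUFFIX.match(line)
        if m:  # suffix prints the value as it is *after* preprocess ran
            cur["seen_by_suffix"], cur["realm"] = m.group(1), m.group(2)
            continue
        if MISMATCH in line:
            cur["identity_mismatch"] = True
        elif EARLIER in line:
            cur["earlier_reject"] = True
        m = RE_SEND.match(line)
        if m and int(m.group(2)) == cur["id"]:
            cur["result"] = m.group(1)
    return records


def triage(rec):
    """Findings for one Access-Request round, in the order a reviewer would check them."""
    findings = []
    packet_name = rec["attrs"].get("User-Name")
    seen = rec["seen_by_suffix"]
    if packet_name and seen and seen != packet_name:
        findings.append("User-Name rewritten before EAP: packet had %r, suffix saw %r"
                        % (packet_name, seen))
    if rec["identity_mismatch"]:
        findings.append("EAP identity no longer matches User-Name; eap reset it from the "
                        "EAP Identity (a rewrite such as with-ntdomain-hack is the usual cause)")
    if rec["earlier_reject"]:
        findings.append("PEAP echoed an earlier failure; look at the earlier round with "
                        "State = %s for the real reason" % rec["attrs"].get("State", "?"))
    if rec["result"] == "Reject" and not findings:
        findings.append("rejected in this round; check the inner (tunneled) authentication")
    return findings


if __name__ == "__main__":
    for rec in parse_debug(SAMPLE_DEBUG):
        print("id=%d result=%s" % (rec["id"], rec["result"]))
        for f in triage(rec):
            print("  -", f)
```

Feed it a full `radiusd -X` capture and it walks every round; correlating rounds by the State attribute is what lets you find the round that actually failed when PEAP only reports "rejected earlier in this session".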