again: 802.1x auto login with win login/pass

Hegedus Gabor hegedus.gabor at ewn.hu
Tue Nov 18 12:16:38 CET 2008


>> Hi all, I have a problem, I can't authenticate my user with win login user/pass.
>>
>> I use:
>> - 802.1x
>> - newest freeradius, and ubuntu 8.4
>> - eap-tls
>> - win xp sp2 client, use automatic win logon and pass
>>
>> When "Automatically use my Windows login name and password" is unchecked
>> on the windows, I type user/pass and my radius accepts the request,
>> and everything is okay.
>>
>> But when I try it with automatic win login/pass, the radius rejects the
>> request.
>> I set with-ntdomain-hack=yes in preprocess and it cuts the domain part.
>> It seems okay but it is still rejected.
>>
>> I have good user settings.
>>
>> What is the problem? Password encryption?
>
> No.
>
>> The debug log:
>>
>> rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=228,
>> length=160
>
> ..
>
>>     User-Name = "DOMAIN\\Joe"
>
> ..
>
>> [suffix] No '@' in User-Name = "Joe", looking up realm NULL
>
> ..
>
>> [eap] Identity does not match User-Name, setting from EAP Identity.
>
> ..
>
> You are rewriting the User-Name. Don't do that.
>
> Ivan Kalik
> Kalik Informatika ISP
When I use with-ntdomain-hack=no, the result is:

rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=137, length=200
	NAS-IP-Address = 192.168.1.1
	NAS-Port = 50003
	Cisco-NAS-Port = "FastEthernet0/3"
	NAS-Port-Type = Ethernet
	User-Name = "DOMAIN\\Joe"
	Called-Station-Id = "00-09-B7-94-CA-83"
	Calling-Station-Id = "00-13-D4-E7-B3-FB"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0xd2b62910daab305146382a3fd0fd1f65
	EAP-Message =
0x021d00261900170301001b4857496f15b6b51dff76c2cd1e72b58feb956122b8ae08030ba37d
	Message-Authenticator = 0x2361c53f5b43fce8fdfa4799b5112dde
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\Joe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 29 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [DOMAIN\\Joe/<via Auth-Type = EAP>] (from client switch port
50003 cli 00-13-D4-E7-B3-FB)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> DOMAIN\Joe
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 29 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 29
Sending Access-Reject of id 137 to 192.168.1.1 port 1812
	EAP-Message = 0x041d0004
	Message-Authenticator = 0x00000000000000000000000000000000

Rejected too.
GH
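As an added triage helper (not from this thread or the FreeRADIUS project): a small Python parser for the 2.x debug output quoted above. It pulls the request attributes, each module's return code and the two messages that explain a reject like this one (the User-Name rewrite Ivan points at, and the PEAP "TLV failure" line, which means the inner authentication was already rejected in an earlier request of the same session). The sample lines are constructed from the two debug runs in the thread; the regexes and symptom strings are mine.

```python
import re

# Constructed excerpt modelled on the 2.x debug output in the thread; the packet dump prints the backslash of DOMAIN\Joe escaped as "\\".
SAMPLE_LOG = [
    "rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=137, length=200",
    "\t" + r'User-Name = "DOMAIN\\Joe"',
    "+- entering group authorize {...}",
    '[suffix] No \'@\' in User-Name = "DOMAIN\\Joe", looking up realm NULL',
    "++[suffix] returns noop",
    "[eap] Identity does not match User-Name, setting from EAP Identity.",
    "++[eap] returns ok",
    "[peap]  Had sent TLV failure.  User was rejected earlier in this session.",
    "++[eap] returns invalid",
    "Sending Access-Reject of id 137 to 192.168.1.1 port 1812",
]

ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")                # indented "Attr = value" dump lines
MODULE_RE = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)$")  # "++[eap] returns invalid"

SYMPTOMS = {  # debug messages that explain a PEAP reject, keyed by the substring identifying them
    "Identity does not match User-Name": "User-Name rewritten from the EAP Identity (ntdomain hack / realm rewrite)",
    "Had sent TLV failure": "inner auth already rejected earlier in this PEAP session; read that earlier request",
}

def parse_debug(lines):
    """Summarise one request: request attributes, module return codes, symptoms and outcome."""
    report = {"attrs": {}, "modules": [], "symptoms": [], "result": None}
    in_request = True  # attribute lines before the first "entering group" are the request dump
    for line in lines:
        if line.startswith("+- entering group"):
            in_request = False
        m = ATTR_RE.match(line)
        if m and in_request:
            report["attrs"][m.group(1)] = m.group(2).strip('"').replace("\\\\", "\\")
            continue
        m = MODULE_RE.match(line)
        if m:
            report["modules"].append((m.group(1), m.group(2)))
            continue
        report["symptoms"].extend(v for k, v in SYMPTOMS.items() if k in line)
        if line.startswith("Sending Access-Reject"):
            report["result"] = "reject"
        elif line.startswith("Sending Access-Accept"):
            report["result"] = "accept"
    return report

def split_ntdomain(user_name):
    """Split 'DOMAIN\\Joe' into (domain, user) as the ntdomain hack does; domain is '' if absent."""
    domain, sep, user = user_name.rpartition("\\")
    return (domain, user) if sep else ("", user_name)
```

Feed it the whole debug output of one `radiusd -X` run, split by request; a report showing the TLV-failure symptom but no reject in that request means the real failure is in an earlier request of the same session.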