again: 802.1x auto login with win login/pass

Hegedus Gabor hegedus.gabor at ewn.hu
Tue Nov 18 12:22:37 CET 2008


>> Hi all, I have a problem, can't authenticate my user with win login
>> user/pass.
>>
>> I use:
>> - 802.1x
>> - newest freeradius, and ubuntu 8.4
>> - eap-tls
>> - win xp sp2 client, use automatic win logon and pass
>>
>> When "Automatically use my Windows login name and password" is unchecked
>> on Windows, I type user/pass and my radius accepts the request,
>> and everything is okay.
>>
>> But when I try it with automatic win login/pass, the radius rejects
>> the request.
>> I set with-ntdomain-hack=yes in preprocess and it cuts the domain
>> part.
>> It seems okay but it still rejects.
>>
>> I have good user settings.
>>
>> What is the problem? Password encryption?
>>
>> log:
>> when Windows sends the login and pass automatically:
>> Auth: Login incorrect: [Joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB)
>> Auth: Login incorrect: [Joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB)
>> Auth: Login incorrect: [joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB)
>> when I type the l/p:
>> Auth: Login OK: [Joe/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel)
>> Auth: Login OK: [Joe/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB)
>>
>>
>> <snip>
> Two quick simple questions, is your windows password the same as the
> radius server password?


Does radius server password mean the password after the username in the users file?
Or anything else?

users file contains: Joe Cleartext-Password:= "pass"

> The biggest thing with this that I have seen is
> Windows, the password may not be the same as what you may type in. If it
> works in manual mode, I wouldn't think it is anything else but user/pass
> not working right. The EAP messages you see (Joe/<via Auth-Type = EAP>)
> shows that the encrypted tunnel is correct, and since manual mode works,
> password encryption is working as well. I would double check the
> passwords first,
>

I checked the uname and pass in the users file; this u/p and the win logon/pass
are the same.
This u/p is not the same as the client certificate u/p.
My passwords:
for server cert: private_key_password = "pass"
for client cert: test/test
for winlogin: Joe/joepass
in users file: Joe/joepass

I created the certs like certs/README said, and then set the tls module.
I installed the server cert and the client cert on the Windows client, and the
client cert asked for the pass and I typed it in, and that was correct.
This was all that I did with the certs.
Yes, it works well in manual mode, when I type it...
I think something is wrong with the password encryption, or Windows sends it to
the radius in the wrong format...
I don't know.

> make sure that the cert profiles seem to match for
> windows auto mode,

Sorry, I don't understand, what do I have to check?

> and then if that fails, run radius in debug (radiusd
> -xxx)  and see what is breaking in that debug then run that forward to
> the list.
> ~Seann