EAP-MSCHAP v2 + LDAP: Identity does not match User-Name, setting from EAP Identity.
Andras Dosztal
adosztal at gmail.com
Wed Jun 2 12:26:10 CEST 2010
Hi,
I've configured FreeRADIUS (version 1.1.7, supplied with SLES10) to
authenticate from Novell eDirectory with LDAP. The problem is that I can't
connect to the network when I check the "Automatically use my Windows
logon name and password" option in a WinXP client's PEAP properties. This is the
output of radiusd -A -X:
rad_recv: Access-Request packet from host 10.128.128.3:1812, id=15, length=194
User-Name = "E00\\user1"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-26-CA-8D-A7-85"
Calling-Station-Id = "00-0B-CD-04-75-8C"
Attr-102 = 0x
NAS-Port-Type = Ethernet
NAS-Port = 50005
NAS-Port-Id = "FastEthernet0/5"
NAS-IP-Address = 10.128.128.1
EAP-Message = 0x0201000e014530305c7573657231
Proxy-State = 0x280000000000000646010000400900000000000000000000a74212c6bb2daec4f3110aa90d1af235
Message-Authenticator = 0x928d46624aad188e71d3c6bbd88af6f1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 1 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry user1 at line 88
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
radius_xlat: '(uid=user1)'
radius_xlat: 'o=snac'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.128.128.5:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/ip_cert.b64
rlm_ldap: bind as cn=admin,o=snac/xxx to 10.128.128.5:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=snac, with filter (uid=user1)
rlm_ldap: checking if remote access for user1 is allowed by dialupAccess
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user user1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler
modcall[authenticate]: module "eap" returns invalid for request 0
modcall: leaving group authenticate (returns invalid) for request 0
auth: Failed to validate the user.
Login incorrect: [user1/<no User-Password attribute>] (from client lan port 50005 cli 00-0B-CD-04-75-8C)
Found Post-Auth-Type
Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 0
modcall[post-auth]: module "ldap" returns noop for request 0
modcall: leaving group REJECT (returns noop) for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 15 to 10.128.128.3 port 1812
Proxy-State = 0x280000000000000646010000400900000000000000000000a74212c6bb2daec4f3110aa90d1af235
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 15 with timestamp 4c06337d
Nothing to do. Sleeping until we see a request.
The with_ntdomain_hack directive is set to "yes" in the preprocess and
mschap modules of radiusd.conf. When I set it to "no", uncheck the
"Automatically use my Windows..." option and enter the user's credentials in a
pop-up box, it works fine.
Could you guys help me with this problem? Thanks in advance.
Regards,
Andras
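
Added example, not part of the original post or of FreeRADIUS: a short Python decoder for the EAP-Message value in the debug output above, showing that the EAP identity is "E00\user1" while the log works with User-Name "user1" from the rlm_realm line onward, which is the comparison rlm_eap reports as a mismatch. The helper strip_nt_domain is a hypothetical stand-in that models that rewrite; it is an assumption, not FreeRADIUS code.

```python
import struct

EAP_RESPONSE = 2        # EAP code for Response (RFC 3748)
EAP_TYPE_IDENTITY = 1   # EAP type for Identity (RFC 3748)

def parse_eap_identity(hex_value):
    """Decode an EAP-Message value as printed by radiusd -X and
    return the identity carried in an EAP-Response/Identity."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 5:
        raise ValueError("too short for an EAP packet with a type field")
    code, _pkt_id, length, eap_type = struct.unpack("!BBHB", raw[:5])
    if length != len(raw):
        raise ValueError("EAP length %d != attribute length %d" % (length, len(raw)))
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    return raw[5:length].decode("utf-8", errors="replace")

def strip_nt_domain(user_name):
    """Hypothetical model (assumption) of the User-Name rewrite seen in
    the log: drop a leading 'DOMAIN\\' prefix if one is present."""
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name

def compare(eap_hex, user_name, strip_domain):
    """Compare the EAP identity with the User-Name the server ends up using."""
    identity = parse_eap_identity(eap_hex)
    effective = strip_nt_domain(user_name) if strip_domain else user_name
    return {"identity": identity, "user_name": effective,
            "match": identity == effective}

# Values copied from the Access-Request in the debug output above.
# The log prints the backslash escaped; the real value has a single one.
EAP_MESSAGE = "0x0201000e014530305c7573657231"
USER_NAME = "E00\\user1"

if __name__ == "__main__":
    for strip in (False, True):
        result = compare(EAP_MESSAGE, USER_NAME, strip)
        print("domain stripped=%s -> %r" % (strip, result))
```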