Renaming during Machine Authentication

Mark Jones Mjones at hpsd48.ab.ca
Sat May 14 00:03:18 CEST 2011


Hi all, I have FreeRADIUS 2.1.10 set up on a SLES server. When the workstation boots it sends an MSCHAPv2 request in the form host/machinename. What is the best way to convert this to machinename$? Sorry if this has been asked before; I'm stumped and cannot find the answer.
 
Here is part of the log:
 
Ready to process requests.
rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=79, length=203
        NAS-IP-Address = 10.152.0.100
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        User-Name = "host/TECH-11501"
        Calling-Station-Id = "00265EE9B2CA"
        Called-Station-Id = "000B86611894"
        MS-CHAP-Challenge = 0x0568442cb1608fce03cb2662dcf52694
        MS-CHAP2-Response = 0x07007e63e9fa7fb503e4cfff2a2c00568698000000000000000057f0c5ece05913c5eeaf48096b25dcbd01f39d20a71404e1
        Service-Type = Login-User
        Aruba-Essid-Name = "HPSD_RAD2"
        Aruba-Location-Id = "Tech 01"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "host/TECH-11501", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for host/TECH-11501
[ldap]  expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TECH-11501$)
[ldap]  expand: o=hpsd_48 -> o=hpsd_48
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in o=hpsd_48, with filter (uid=TECH-11501$)
[ldap] Added the eDirectory password xxxxx in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user host/TECH-11501 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: host/TECH-11501
[mschap] Told to do MS-CHAPv2 for host/TECH-11501 with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> host/TECH-11501
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
Sending Access-Reject of id 79 to 10.152.0.100 port 32819
Waking up in 4.9 seconds.
Cleaning up request 13 ID 79 with timestamp +926
Ready to process requests.
 
Here is the log from the same machine after logging in:
 
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=82, length=194
        NAS-IP-Address = 10.152.0.100
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        User-Name = "mjones"
        Calling-Station-Id = "00265EE9B2CA"
        Called-Station-Id = "000B86611894"
        MS-CHAP-Challenge = 0xe744e26bd3741ff3a339f931e5d541cc
        MS-CHAP2-Response = 0x070001ee52a851770be78f667189c6bdec3b000000000000000050e99570745eb5a68f290dfe79879837d3997b7aa9b7b3cc
        Service-Type = Login-User
        Aruba-Essid-Name = "HPSD_RAD2"
        Aruba-Location-Id = "Tech 01"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "mjones", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for mjones
[ldap]  expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=mjones)
[ldap]  expand: o=hpsd_48 -> o=hpsd_48
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in o=hpsd_48, with filter (uid=mjones)
[ldap] Added the eDirectory password xxxx in check items as Cleartext-Password
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user mjones authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: mjones
[mschap] Told to do MS-CHAPv2 for mjones with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 82 to 10.152.0.100 port 32819
        MS-CHAP2-Success = 0x07533d41344438423931334434454244384437463634353436353933374137343737324136433138463139
        MS-MPPE-Recv-Key = 0x263a0e89b5a8a78aa7e728c79ea3844f
        MS-MPPE-Send-Key = 0xfef0768ff8ca7d3a76d43ce8feb4189b
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
Finished request 16.
Going to the next request
Waking up in 3.7 seconds.
Cleaning up request 15 ID 81 with timestamp +1049
Waking up in 1.2 seconds.
Cleaning up request 16 ID 82 with timestamp +1051
Ready to process requests.
Thanks all
 
Mark
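
Added example, not part of the original post and not FreeRADIUS code: a small Python script that reads debug output like the two traces above and reports, for each Access-Request, the name received, the name used in the LDAP filter, and the name used for the MS-CHAP challenge hash. The function and variable names are illustrative; the sample lines are copied (trimmed) from the traces in the post.

```python
import re

# Lines copied from the two debug traces in the post above (trimmed).
SAMPLE = """\
rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=79, length=203
        User-Name = "host/TECH-11501"
[ldap]  expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TECH-11501$)
[mschap] Creating challenge hash with username: host/TECH-11501
[mschap] FAILED: MS-CHAP2-Response is incorrect
Sending Access-Reject of id 79 to 10.152.0.100 port 32819
rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=82, length=194
        User-Name = "mjones"
[ldap]  expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=mjones)
[mschap] Creating challenge hash with username: mjones
Sending Access-Accept of id 82 to 10.152.0.100 port 32819
"""

# One pattern per identity (or outcome) that a module logs for a request.
PATTERNS = {
    "user_name": re.compile(r'^\s*User-Name = "(.*)"'),
    "ldap_uid": re.compile(r"^\[ldap\]\s+expand: .* -> \(uid=(.*)\)$"),
    "hash_name": re.compile(r"^\[mschap\] Creating challenge hash with username: (.*)$"),
    "result": re.compile(r"^Sending (Access-\w+) of id \d+"),
}
START = re.compile(r"^rad_recv: Access-Request packet .* id=(\d+),")


def trace_identities(text):
    """Return one dict per Access-Request with the name each module used."""
    requests = []
    for line in text.splitlines():
        m = START.match(line)
        if m:
            requests.append({"id": int(m.group(1))})
            continue
        if not requests:
            continue  # ignore anything logged before the first request
        for key, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                requests[-1].setdefault(key, m.group(1))  # keep first match
    for req in requests:
        # Flag requests where the directory lookup and the MS-CHAP
        # challenge hash were done under different names.
        req["mismatch"] = req.get("ldap_uid") != req.get("hash_name")
    return requests


if __name__ == "__main__":
    for req in trace_identities(SAMPLE):
        print(req)
```

For the machine request (id 79) the LDAP filter uses `TECH-11501$` while the challenge hash is built with `host/TECH-11501`; for the user request (id 82) both are `mjones`.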

   
