Renaming during Machine Authentication
Phil Mayers
p.mayers at imperial.ac.uk
Sat May 21 11:08:05 CEST 2011
On 05/20/2011 10:33 PM, Mark Jones wrote:
> Here is the latest debug...I'm not sure what to try next.
Latest debug... ok, what has changed?
> rad_recv: Access-Request packet from host 10.152.0.100 port 32819,
> id=186, length=216
> NAS-IP-Address = 10.152.0.100
> NAS-Port = 0
> NAS-Port-Type = Wireless-802.11
> User-Name = "host/TEST-11501.hpsd48.ab.ca"
> Calling-Station-Id = "00265EE9B2CA"
> Called-Station-Id = "000B86611894"
> MS-CHAP-Challenge = 0xa389f8f8a19c2761c3f31128115bac7f
> MS-CHAP2-Response =
> 0x0800afc6531b8f43785e186a0578c795c13b00000000000000005f4828b8f016c112e3e453505d0c203f7172ad8a40f17c02
> Service-Type = Login-User
> Aruba-Essid-Name = "HPSD_RAD2"
> Aruba-Location-Id = "Tech 01"
This is still a plain MSCHAP request, indicating that the Aruba
equipment is still terminating the PEAP itself, and translating the
EAP-MSCHAP to plain MSCHAP. As per my previous emails, I recommend you
change this.
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> ++[mschap] returns ok
> ++[digest] returns noop
> [suffix] No '@' in User-Name =
> "host/TEST-11501.hpsd48.ab.ca", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> [ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca
So this is a full host/name.domain.com now - what did you change?
> [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$)
> [ldap] expand: o=hpsd_48 -> o=hpsd_48
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] (re)connect to 172.17.152.4:636, authentication 0
> [ldap] setting TLS mode to 1
> [ldap] bind as cn=admin,o=hpsd_48/xxxxxx to 172.17.152.4:636
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$)
> [ldap] Added the eDirectory password xxxxxx in check items as
> Cleartext-Password
Ok, you're using Novell eDir here? Are you using DSFW?
I know almost nothing about Novell, but a recent poster to the list was
using eDir and DSFW, and he suggested that you need to:
1. use LDAP/eDir for users
2. use Samba/ntlm_auth for machines
See here:
https://lists.freeradius.org/pipermail/freeradius-users/2011-May/msg00069.html
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> [ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set. Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca
> [mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with
> NT-Password
> [mschap] FAILED: MS-CHAP2-Response is incorrect
Again, only three possible choices:
1. The client is sending the wrong data (i.e. password - unlikely)
2. The server is using the wrong data (i.e. password from LDAP is
incorrect)
3. Something is fiddling with the data in-flight (e.g. Aruba messing
with the EAP)
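As an added illustration of why the "Creating challenge hash with username" line matters (this is example code written for this archive page, not anything from the thread or from FreeRADIUS): RFC 2759 derives the 8-byte challenge hash from the peer challenge, the authenticator challenge and the user name, so the server can only reproduce the client's NT-Response if it hashes the identity string the supplicant actually used. The values below are the MS-CHAP-Challenge and MS-CHAP2-Response copied from the quoted debug; the two candidate names are the User-Name the server hashed and the `uid` the LDAP lookup resolved, also from the debug. The final DES step of the response check needs MD4 and DES, which the Python standard library does not ship, so it is described in a comment rather than computed.

```python
import hashlib

# Values copied from the quoted rad_recv debug above (leading 0x dropped).
AUTHENTICATOR_CHALLENGE_HEX = "a389f8f8a19c2761c3f31128115bac7f"
MSCHAP2_RESPONSE_HEX = (
    "0800afc6531b8f43785e186a0578c795c13b"
    "0000000000000000"
    "5f4828b8f016c112e3e453505d0c203f7172ad8a40f17c02"
)

# Two identity strings seen in the debug: what rlm_mschap hashed, and what
# the LDAP filter looked up after the %{mschap:User-Name} expansion.
USER_NAME = "host/TEST-11501.hpsd48.ab.ca"
LDAP_UID = "TEST-11501$"


def parse_mschap2_response(hex_value):
    """Split a 50-octet MS-CHAP2-Response (RFC 2548 section 2.3.3) into fields."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 octets, got %d" % len(raw))
    return {
        "ident": raw[0],
        "flags": raw[1],
        "peer_challenge": raw[2:18],   # 16 octets chosen by the client
        "reserved": raw[18:26],        # 8 octets, must be zero
        "nt_response": raw[26:50],     # 24 octets = three DES blocks
    }


def challenge_hash(peer_challenge, authenticator_challenge, username):
    """RFC 2759 section 8.2 ChallengeHash():
    first 8 octets of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    RFC 2759 states the UserName excludes any prepended domain name, so the
    string passed here must be exactly what the supplicant hashed."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


def candidate_challenge_hashes(response_hex=MSCHAP2_RESPONSE_HEX,
                               auth_hex=AUTHENTICATOR_CHALLENGE_HEX,
                               names=(USER_NAME, LDAP_UID)):
    """Return {name: 8-octet challenge hash} for each candidate identity.
    A server that hashes a different name than the client cannot match the
    NT-Response even when the stored password is right, which is why the
    debug's 'Creating challenge hash with username' line is worth checking."""
    fields = parse_mschap2_response(response_hex)
    auth_challenge = bytes.fromhex(auth_hex)
    return {n: challenge_hash(fields["peer_challenge"], auth_challenge, n)
            for n in names}


# Completing the check (not done here, needs MD4 and DES): NT-Response must
# equal DES(key1, ch) || DES(key2, ch) || DES(key3, ch) where ch is the
# 8-octet challenge hash and key1..key3 are the 7-octet chunks of
# MD4(UTF-16LE(password)) padded to 21 octets (RFC 2759 section 8.5).

if __name__ == "__main__":
    parsed = parse_mschap2_response(MSCHAP2_RESPONSE_HEX)
    print("ident=%d flags=%d" % (parsed["ident"], parsed["flags"]))
    print("peer challenge:", parsed["peer_challenge"].hex())
    print("nt response:   ", parsed["nt_response"].hex())
    for name, ch in candidate_challenge_hashes().items():
        print("%-32s -> challenge hash %s" % (name, ch.hex()))
```

Running it prints a different 8-octet challenge hash for each candidate name; if the server's "challenge hash with username" line shows one form while the supplicant hashed the other, the MS-CHAP2-Response will be reported as incorrect regardless of the password fetched from eDirectory, which is a fourth thing to rule out alongside the three causes listed above.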