Removing domain prefix from login
Alejandro Gandara
agandara at optaresolutions.com
Thu Nov 10 09:15:38 CET 2011
Hi Alan,
Thanks for your answers, and excuse me for my English full of mistakes.
2011/11/10 Alan DeKok <aland at deployingradius.com>
> Alejandro Gandara wrote:
> > I'm authenticating users in RADIUS against LDAP. If I log in from a
> > computer with 802.1x configured, with the user name and password taken
> > automatically from the domain, I get a wrong authentication because the
> > login has the following string:
> >
> > DOMAIN\\Users
> >
> > How can I avoid RADIUS reading the prefix?
>
> You should be able to authenticate using just the user name, using
> ntlm_auth. See the examples in raddb/modules/ntlm_auth
>
I'm reading about it. Thanks for this information.
>
> > I've tried to introduce the prefix option in /etc/sites-enable/default,
> > but it's giving me errors because of the wrong way to introduce that
> > line.
>
> Yes. Don't define a realm. It won't work.
>
> Post the debug output. That helps, too.
>
This is my debug output:
rad_recv: Access-Request packet from host 172.20.40.28 port 1025, id=112,
length=218
Framed-MTU = 1480
NAS-IP-Address = 172.20.40.28
NAS-Identifier = "SW-INT-1-3"
User-Name = "PRIVATE\\usertest"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 32
NAS-Port-Type = Ethernet
NAS-Port-Id = "32"
Called-Station-Id = "f0-62-81-05-33-40"
Calling-Station-Id = "f0-4d-a2-bc-77-cd"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
EAP-Message = 0x020a0012014f50544152455c62726f75636f
Message-Authenticator = 0x055981a2c542df52f4c292042c89a019
[ldap] performing user authorization for usertest
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> usertest
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=usertest)
[ldap] expand: dc=private,dc=loc -> dc=private,dc=loc
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 172.20.52.206:389, authentication 0
[ldap] bind as cn=raddbuser,dc=private,dc=loc/password to
172.20.52.206:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=pruebas,dc=loc, with filter (uid=usertest)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password ==
0x3245334230434533423046383434414238374145393237384141453730393331
[ldap] looking for reply items in directory...
[ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "01"
[ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
[ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] radiusFramedIPAddress -> Framed-IP-Address = 192.45.51.9
[ldap] user brouco authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] EAP packet type response id 10 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
*[eap] Identity does not match User-Name, setting from EAP Identity.*
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [usertest/<via Auth-Type = EAP>] (from client privradius
port 32 cli f0-4d-a2-bc-77-cd)
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform
requested action.
# Executing group from file /etc/freeradius/sites-enabled/default
Thanks for all, Alan.
Regards,
Alejandro Gándara
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
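As an added example (not part of the thread, and not FreeRADIUS code): a small decoder for the EAP-Message attribute in the debug output above. It parses the EAP header and Identity payload, strips an NT-style DOMAIN\ prefix from both the EAP Identity and User-Name, and compares them, which is a quick way to check why the eap module logs "Identity does not match User-Name". The sample values are copied from the debug output; the decoded identity differs from the printed User-Name, consistent with that warning.

```python
import binascii

# Sample values copied from the debug output in the thread. FreeRADIUS prints
# the backslash in User-Name escaped, so the string below contains "\\".
SAMPLE_EAP_MESSAGE = "0x020a0012014f50544152455c62726f75636f"
SAMPLE_USER_NAME = "PRIVATE\\\\usertest"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def decode_eap_message(hexvalue):
    """Parse one EAP-Message attribute: RFC 3748 header plus an Identity payload.

    Returns a dict with code, id, length, and for Request/Response packets the
    EAP type; for type 1 (Identity) the identity string is included as well.
    """
    raw = binascii.unhexlify(hexvalue[2:] if hexvalue.startswith("0x") else hexvalue)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # A Length field that disagrees with the attribute is a malformed packet.
        raise ValueError(f"EAP length field {length} != attribute length {len(raw)}")
    result = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        result["type"] = raw[4]
        if raw[4] == EAP_TYPE_IDENTITY:
            # The identity is the rest of the packet, not NUL-terminated (RFC 3748 5.1).
            result["identity"] = raw[5:].decode("utf-8", errors="replace")
    return result


def strip_domain_prefix(name):
    """Return (domain, user) for 'DOMAIN\\user', or (None, name) without a prefix."""
    unescaped = name.replace("\\\\", "\\")  # undo the escaping in the debug output
    domain, sep, user = unescaped.partition("\\")
    return (domain, user) if sep else (None, unescaped)


def identity_matches_user_name(eap_hex, user_name):
    """Compare the EAP Identity with User-Name after stripping DOMAIN\\ from both.

    Returns None when the EAP packet carries no Identity payload.
    """
    eap = decode_eap_message(eap_hex)
    if "identity" not in eap:
        return None
    _, eap_user = strip_domain_prefix(eap["identity"])
    _, radius_user = strip_domain_prefix(user_name)
    return eap_user == radius_user
```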