rlm_passwd fails Stripped-User-Name check when in inner-tunnel mode (PEAP)
A.L.M.Buxey at lboro.ac.uk
Thu Nov 12 10:14:07 CET 2015
hi,
here's your issue:
[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: john at eduroam.example.edu
[mschap] Client is using MS-CHAPv2 for john at eduroam.example.edu, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Login incorrect: [john at eduroam.example.edu/<via Auth-Type = EAP>] (from client network8 port 0 via TLS tunnel)
Using Post-Auth-Type Reject
as you can see, it's not using Stripped-User-Name.... it's using the User-Name
that's why 'john' works and this "john at eduroam.example.edu" doesn't
I'm guessing you have
'john' in your users file.... though you probably want to have that auth somewhere else
anyway - in LDAP or AD....
alan
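
An added example, not part of the original post and not FreeRADIUS code: a small Python triage of the debug lines quoted above, reporting which name the mschap module worked with, whether it still carries a realm, and whether a password was found. The sample lines are constructed from the quoted output; the function name triage and its result keys are hypothetical.

```python
import re

# Constructed sample: the rejected inner-tunnel lines quoted in the post,
# with wrapped lines rejoined. The list archive renders "@" as " at ".
SAMPLE = """\
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: john at eduroam.example.edu
[mschap] Client is using MS-CHAPv2 for john at eduroam.example.edu, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
++[mschap] = reject
"""

HASH_USER = re.compile(r"\[mschap\] Creating challenge hash with username: (.+)$")
NO_PASSWORD = re.compile(r"\[mschap\] FAILED: No NT/LM-Password")
# Accept both the real "user@realm" form and the archive's "user at realm".
REALM_SPLIT = re.compile(r"^(?P<user>[^@\s]+)(?:@| at )(?P<realm>\S+)$")


def triage(debug_text):
    """Summarise an mschap reject in debug output (hypothetical helper)."""
    result = {"hash_username": None, "bare_user": None, "realm": None,
              "password_missing": False, "diagnosis": "no mschap failure seen"}
    for line in debug_text.splitlines():
        line = line.strip()
        found = HASH_USER.search(line)
        if found:
            name = found.group(1).strip()
            parts = REALM_SPLIT.match(name)
            result["hash_username"] = name
            result["bare_user"] = parts["user"] if parts else name
            result["realm"] = parts["realm"] if parts else None
        elif NO_PASSWORD.search(line):
            result["password_missing"] = True
    if result["password_missing"] and result["realm"]:
        # The inference drawn in the post: the full User-Name is in use, so a
        # password entry keyed on the bare name is never matched.
        result["diagnosis"] = ("realm-qualified name in use; check that the "
                               "password lookup keys on Stripped-User-Name")
    elif result["password_missing"]:
        result["diagnosis"] = "no password found for the bare user name"
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```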