Freeradius PROXY: EAP-PEAP - TLS with NT-Password and Cleartext-Password
Andrei Antonelli
andreirp at gmail.com
Thu Jun 28 21:13:26 CEST 2018
Hi Alan,
Thanks a lot, it worked with the suffix testuser@hcrpp.com and without the
suffix (testuser) for the domain hcrpp.com, but when I authenticate with the
external domain cr.net I get this error message:
(17) eap: Expiring EAP session with state 0x94f1143794f70ec2
(17) eap: Finished EAP session with state 0x94f1143794f70ec2
(17) eap: Previous EAP request found for state 0x94f1143794f70ec2, released from the list
(17) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(17) eap: Calling submodule eap_mschapv2 to process data
(17) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(17) eap_mschapv2: Auth-Type MS-CHAP {
(17) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(17) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(17) mschap: Creating challenge hash with username: testuser@cr.net
(17) mschap: Client is using MS-CHAPv2
(17) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(17) mschap: ERROR: MS-CHAP2-Response is incorrect
Can I send Cleartext-Password only for the specific domain cr.net?
Thanks a lot, Alan!
On Thu, Jun 28, 2018 at 3:29 PM Alan DeKok <aland at deployingradius.com>
wrote:
>
> > On Jun 28, 2018, at 2:02 PM, Andrei Antonelli <andreirp at gmail.com>
> wrote:
> >
> > Hi, could someone help me with the example of my configuration below?
>
> Please only post one message instead of two.
>
> > When I'm logging in with username and password *without suffix*, *it
> > works*, but when I'm logging in with a *suffix* like testuser@hcrpp.com or
> > testuser@cr.net I get this error message:
> >
> > suffix: Checking for suffix after "@"
> > (22) suffix: Looking up realm "hcrpp.com" for User-Name = "testuser@hcrpp.com"
> > (22) suffix: Found realm "hcrpp.com"
> > (22) suffix: Adding Realm = "hcrpp.com"
>
> That's fine.
>
> > (22) suffix: Proxying request from user testuser@hcrpp.com to realm hcrpp.com
> > (22) suffix: Preparing to proxy authentication request to realm "hcrpp.com"
> > (22) [suffix] = updated
> > (22) update control {
> > (22) &Proxy-To-Realm := "LOCAL"
> > (22) } # update control = noop
>
> Why are you doing this? It's unnecessary. You can just set the
> "hcrpp.com" realm to be a local realm. In proxy.conf, do:
>
> realm hcrpp.com {
> }
>
> That's it. See the comments in proxy.conf for more documentation.
>
> > (22) eap: Peer sent EAP Response (code 2) ID 6 length 81
> > (22) eap: No EAP Start, assuming it's an on-going EAP conversation
> > (22) [eap] = updated
> > (22) sql: EXPAND %{User-Name}
> > (22) sql: --> testuser@hcrpp.com
> > (22) sql: SQL-User-Name set to 'testuser@hcrpp.com'
>
> See the comments in raddb/mods-config/main/mysql/queries.conf
>
> You should edit the "sql_user_name" to be:
>
> sql_user_name = %{%{Stripped-User-Name}:-%{User-Name}}
>
> Which will then use "testuser" instead of "testuser@hcrpp.com"
>
> > *My config below*
>
> We don't need the configuration. See
> http://wiki.freeradius.org/list-help
>
> > realm hcrpp.com {
> > auth_pool = HCRPPOOL
> > strip
> > }
>
> Which causes packets containing "username@hcrpp.com" to be proxied. If
> you don't want them to be proxied, read the comments in proxy.conf. This
> is explained in detail.
>
> Alan DeKok.
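To make the two fixes in Alan's reply concrete, here is a constructed Python model (added for this page; it is not FreeRADIUS code) of what the "suffix" realm lookup does with a proxy.conf realm block and what the recommended sql_user_name xlat %{%{Stripped-User-Name}:-%{User-Name}} evaluates to. The Realm class, the function names and the simplified attribute handling (split on the last "@", a realm without auth_pool is LOCAL, "nostrip" keeps the suffix) are my own assumptions about the module's behaviour.

```python
"""Simplified model of the FreeRADIUS 'suffix' (rlm_realm) authorize step and
the sql_user_name xlat from the thread.  Constructed example, not FreeRADIUS code."""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Realm:
    """One 'realm name { ... }' block from proxy.conf (simplified model)."""
    auth_pool: Optional[str] = None   # None models a realm with no pool: LOCAL
    nostrip: bool = False             # proxy.conf 'nostrip' keeps the suffix


def suffix_authorize(user_name: str, realms: Dict[str, Realm]) -> dict:
    """Approximation of what the 'suffix' instance does in authorize:
    split User-Name on the last '@', look the realm up (case-insensitively),
    and set Realm, Stripped-User-Name and Proxy-To-Realm accordingly."""
    attrs = {"User-Name": user_name}
    m = re.match(r"^(.*)@([^@]+)$", user_name)
    if not m:
        return attrs                        # no suffix: nothing to do
    user, realm_name = m.groups()
    realm = realms.get(realm_name.lower())
    if realm is None:
        return attrs                        # unknown realm: request left as-is
    attrs["Realm"] = realm_name.lower()
    if not realm.nostrip:
        attrs["Stripped-User-Name"] = user  # the part SQL should look up
    if realm.auth_pool is not None:         # only non-LOCAL realms are proxied
        attrs["Proxy-To-Realm"] = realm_name.lower()
    return attrs


def sql_user_name(attrs: dict) -> str:
    """The xlat Alan recommends: %{%{Stripped-User-Name}:-%{User-Name}}.
    Falls back to the full User-Name when nothing was stripped."""
    return attrs.get("Stripped-User-Name") or attrs["User-Name"]


if __name__ == "__main__":
    # Alan's suggestion: 'realm hcrpp.com { }' makes the realm local, so the
    # request is not proxied and SQL is queried for 'testuser'.
    local = {"hcrpp.com": Realm()}
    print(suffix_authorize("testuser@hcrpp.com", local))
    print(sql_user_name(suffix_authorize("testuser@hcrpp.com", local)))
    # The original config (auth_pool = HCRPPOOL) marks the request for proxying.
    proxied = {"hcrpp.com": Realm(auth_pool="HCRPPOOL")}
    print(suffix_authorize("testuser@hcrpp.com", proxied))
```

An undefined realm such as cr.net leaves User-Name untouched, so the SQL lookup then runs with the full "testuser@cr.net", which is one reason the second debug output still shows the unstripped name.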