So I did some more reading about realms and it is doing what I figured.
username@domain hits the realm DEFAULT, which I have pointed at the
external radius server.
The logs show: No '@' in User-Name = "domain\name", looking up realm
NULL
----------------------------
rad_recv: Access-Request packet from host 10.10.10.91 port 32769, id=160, length=303
User-Name = "USER1@DOMAIN"
Calling-Station-Id = "00-23-4e-1c-82-92"
Called-Station-Id = "b4-a4-e3-58-be-d0:test-secure"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=189fde5b000a6220512be867"
NAS-IP-Address = 10.10.10.91
NAS-Identifier = "wificont-2"
Airespace-Wlan-Id = 412
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "401"
EAP-Message = 0x0265002b19001703010020458e2aacd97e57b25db42575559ce5ae193d802ef801f00195e4edbfade73bff
State = 0x4541503d302e3439632e38666139342e363b5356433d302e31346466333b
Message-Authenticator = 0x12da2d7a3e54f95a9d095d9ac433fe03
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "DOMAIN" for User-Name = "USER1@DOMAIN"
[suffix] Found realm "DEFAULT"
[suffix] Adding Realm = "DEFAULT"
[suffix] Proxying request from user USER1 to realm DEFAULT
[suffix] Preparing to proxy authentication request to realm "DEFAULT"
++[suffix] returns updated
++[preprocess] returns ok
[eap] Request is supposed to be proxied to Realm DEFAULT. Not doing EAP.
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
----------------------------------------------------------------------
rad_recv: Access-Request packet from host 10.10.10.91 port 32769, id=162, length=246
User-Name = "DOMAIN\\USER1"
Calling-Station-Id = "00-23-4e-1c-82-92"
Called-Station-Id = "b4-a4-e3-58-be-d0:test-secure"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=189fde5b000a6220512be867"
NAS-IP-Address = 10.10.10.91
NAS-Identifier = "wificont-2"
Airespace-Wlan-Id = 412
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "401"
EAP-Message = 0x020200120163616d7075735c7261686e7331
Message-Authenticator = 0xbf92db40f2f929f2416716d2e2a1e741
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "DOMAIN\USER1", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "DOMAIN\USER1"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[preprocess] returns ok
[eap] EAP packet type response id 2 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
--------------------------------------------------------
My proxy.conf looks as follows:
realm NULL {
    authhost = LOCAL
    accthost = LOCAL
}
realm DEFAULT {
    ignore_null = yes
    type = radius
    authhost = x.x.x.x:1812
    accthost = x.x.x.x:1813
    secret = the password
}
So it looks like I have to modify the sites-available packetfence to grab
the domain\username and force-proxy it over to DEFAULT?
Thanks
------------------------------------------------------------------
On 2013-02-25 13:27, forums wrote:
> I have recently put packetfence into production using the vlan
> enforcement method. Despite having to push it into production quickly,
> its performance has been great. The documentation has been great
> and has solved all my issues except one.
>
> I am using radius to register nodes and can do it with either
> username or domain\username without issues on wired or wireless.
>
> I have a secure wireless network so I modified proxy.conf and added
> my external radius servers in a new realm. I can now point the
> wireless controller secure wlan at Packetfence and have
> wpa2-enterprise working if I use username@domain format. However
> domain\username fails. In reading freeradius and packetfence groups I
> see that ntdomain is enabled so realm/username, username%realm,
> realm\username should also work but do not.
>
> I have checked the sites-available and site-enabled for ntdomain
> issues and it seems to match the documentation.
>
> If somebody might be able to point me in the right direction or the
> right freeradius incantation I would appreciate it.
>
> Thanks
> Sean
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
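Editor's added example, placed after the message rather than in it: this is not the poster's configuration and not a file PacketFence ships. It shows the stock FreeRADIUS 2.x pieces that make DOMAIN\USER1 resolve to realm DEFAULT the same way USER1@DOMAIN does in the debug output above. In the stock 2.x files, ignore_null and ignore_default are options of the rlm_realm instances in raddb/modules/realm (the suffix and ntdomain instances), not of the realm blocks in proxy.conf, so that is where the example sets them. The file paths and the x.x.x.x upstream are taken from the thread; treating the packetfence authorize section as containing only the modules the debug output names is an assumption, and the ordering relies on rlm_realm leaving a request alone once an earlier instance has already chosen a proxy realm for it.

```conf
# Added example (editor's note): not the poster's files and not shipped by
# PacketFence. Paths follow the poster's /usr/local/pf/raddb layout.

# ---- /usr/local/pf/raddb/modules/realm ----
# Stock FreeRADIUS 2.x rlm_realm instances. The one change from stock is
# ignore_null = yes on ntdomain.

# 'DOMAIN\username': the part before the backslash is the realm.
# ignore_null = yes makes this instance return noop when there is no
# backslash, so "user" and "user@domain" are left for the suffix instance
# instead of being pinned to realm NULL (LOCAL) here.
# ignore_default = no lets an unknown domain fall through to realm DEFAULT,
# which is what "Found realm DEFAULT" in the USER1@DOMAIN trace relies on.
realm ntdomain {
    format = prefix
    delimiter = "\\"
    ignore_default = no
    ignore_null = yes
}

# 'username@DOMAIN': unchanged from stock. A name with no '@' still
# resolves to realm NULL, which keeps plain usernames on the LOCAL path
# that PacketFence uses for registration.
realm suffix {
    format = suffix
    delimiter = "@"
}

# ---- /usr/local/pf/raddb/sites-available/packetfence, authorize section ----
# Before (what the trace above reflects): only suffix is consulted, so
# "DOMAIN\USER1" contains no '@', matches realm NULL, is marked LOCAL and
# the EAP conversation is handled by the local eap module.
#
#   authorize {
#       suffix
#       preprocess
#       eap
#       files
#       expiration
#       logintime
#   }
#
# After: ntdomain runs first. It claims DOMAIN\USER1 for realm DEFAULT
# (Stripped-User-Name = "USER1", Proxy-To-Realm = "DEFAULT") and returns
# noop for every other name, which suffix then handles exactly as before.
# Only the modules named in the trace are shown (assumption); keep the
# rest of the section as PacketFence ships it.
authorize {
    ntdomain
    suffix
    preprocess
    eap
    files
    expiration
    logintime
}

# ---- /usr/local/pf/raddb/proxy.conf ----
# The poster's realms, minus ignore_null, which is an rlm_realm option
# rather than a proxy.conf realm option.
realm NULL {
    authhost = LOCAL
    accthost = LOCAL
}
realm DEFAULT {
    type = radius
    authhost = x.x.x.x:1812
    accthost = x.x.x.x:1813
    secret = the password
    # Both rlm_realm instances strip the realm, so the upstream server
    # receives User-Name = "USER1" (the trace shows "Proxying request from
    # user USER1"). Add nostrip here if it needs the DOMAIN\USER1 or
    # USER1@DOMAIN form instead.
    # nostrip
}
```

A quick way to check the result without a client is to watch radiusd -X for "[ntdomain] Found realm "DEFAULT"" on a DOMAIN\USER1 request and "[ntdomain] returns noop" followed by the usual [suffix] lines on a plain or user@domain request.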