Well, the ntdomain module is not executed. You need it to strip the 
domain part so you can proxy.

Edit your sites-enabled, and add "ntdomain" after "suffix". Restart 
RADIUS after.

On 2013-02-26 4:07 PM, forums wrote:
> So I did some more reading about realms and it is doing what I figured.
>
> username@domain hits the realm DEFAULT which I have pointed at the
> external radius server.
>
> The logs show: No '@' in User-Name = "domain\name", looking up realm NULL
>
> ----------------------------
>
>
> rad_recv: Access-Request packet from host 10.10.10.91 port 32769,
> id=160, length=303
>       User-Name = "USER1@DOMAIN"
>       Calling-Station-Id = "00-23-4e-1c-82-92"
>       Called-Station-Id = "b4-a4-e3-58-be-d0:test-secure"
>       NAS-Port = 13
>       Cisco-AVPair = "audit-session-id=189fde5b000a6220512be867"
>       NAS-IP-Address = 10.10.10.91
>       NAS-Identifier = "wificont-2"
>       Airespace-Wlan-Id = 412
>       Service-Type = Framed-User
>       Framed-MTU = 1300
>       NAS-Port-Type = Wireless-802.11
>       Tunnel-Type:0 = VLAN
>       Tunnel-Medium-Type:0 = IEEE-802
>       Tunnel-Private-Group-Id:0 = "401"
>       EAP-Message =
> 0x0265002b19001703010020458e2aacd97e57b25db42575559ce5ae193d802ef801f00195e4edbfade73bff
>       State = 0x4541503d302e3439632e38666139342e363b5356433d302e31346466333b
>       Message-Authenticator = 0x12da2d7a3e54f95a9d095d9ac433fe03
> server packetfence {
> # Executing section authorize from file
> /usr/local/pf/raddb//sites-enabled/packetfence
> +- entering group authorize {...}
> [suffix] Looking up realm "DOMAIN" for User-Name = "USER1@DOMAIN"
> [suffix] Found realm "DEFAULT"
> [suffix] Adding Realm = "DEFAULT"
> [suffix] Proxying request from user USER1 to realm DEFAULT
> [suffix] Preparing to proxy authentication request to realm "DEFAULT"
> ++[suffix] returns updated
> ++[preprocess] returns ok
> [eap] Request is supposed to be proxied to Realm DEFAULT.  Not doing
> EAP.
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
>
>
> ----------------------------------------------------------------------
>
>
> rad_recv: Access-Request packet from host 10.10.10.91 port 32769,
> id=162, length=246
>       User-Name = "DOMAIN\\USER1"
>       Calling-Station-Id = "00-23-4e-1c-82-92"
>       Called-Station-Id = "b4-a4-e3-58-be-d0:test-secure"
>       NAS-Port = 13
>       Cisco-AVPair = "audit-session-id=189fde5b000a6220512be867"
>       NAS-IP-Address = 10.10.10.91
>       NAS-Identifier = "wificont-2"
>       Airespace-Wlan-Id = 412
>       Service-Type = Framed-User
>       Framed-MTU = 1300
>       NAS-Port-Type = Wireless-802.11
>       Tunnel-Type:0 = VLAN
>       Tunnel-Medium-Type:0 = IEEE-802
>       Tunnel-Private-Group-Id:0 = "401"
>       EAP-Message = 0x020200120163616d7075735c7261686e7331
>       Message-Authenticator = 0xbf92db40f2f929f2416716d2e2a1e741
> server packetfence {
> # Executing section authorize from file
> /usr/local/pf/raddb//sites-enabled/packetfence
> +- entering group authorize {...}
> [suffix] No '@' in User-Name = "DOMAIN\USER1", looking up realm NULL
> [suffix] Found realm "NULL"
> [suffix] Adding Stripped-User-Name = "DOMAIN\USER1"
> [suffix] Adding Realm = "NULL"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] returns ok
> ++[preprocess] returns ok
> [eap] EAP packet type response id 2 length 18
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
>
> --------------------------------------------------------
>
> My proxy.conf looks as follows:
>
> realm NULL {
>         authhost = LOCAL
>         accthost = LOCAL
> }
>
> realm DEFAULT {
>         ignore_null = yes
>         type = radius
>         authhost = x.x.x.x:1812
>         accthost = x.x.x.x:1813
>         secret = the password
> }
>
>
> So it looks like I have to modify the sites-available packetfence file to
> grab the domain\username and force it to be proxied over to DEFAULT?
>
> Thanks
>
>
>
> ------------------------------------------------------------------
>
>
> On 2013-02-25 13:27, forums wrote:
>> I have recently put PacketFence into production using the VLAN
>> enforcement method. Despite having to push it into production quickly,
>> its performance has been great. The documentation has been great and
>> has solved all my issues except one.
>>
>> I am using radius to register nodes and can do it with either
>> username or domain\username without issues on wired or wireless.
>>
>> I have a secure wireless network so I modified proxy.conf and added
>> my external radius servers in a new realm.  I can now point the
>> wireless controller secure wlan at Packetfence and have
>> wpa2-enterprise working if I use username@domain format.  However
>> domain\username fails. In reading the FreeRADIUS and PacketFence groups
>> I see that ntdomain is enabled, so realm/username, username%realm and
>> realm\username should also work, but they do not.
>>
>> I have checked sites-available and sites-enabled for ntdomain issues
>> and they seem to match the documentation.
>>
>> If somebody might be able to point me in the right direction or the
>> right freeradius incantation I would appreciate it.
>>
>> Thanks
>> Sean
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_feb
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>


-- 
Francois Gaudreault
Architecte de Solution Cloud | Cloud Solutions Architect
[email protected]
514-629-6775
- - -
CloudOps
420 rue Guy
Montréal QC  H3J 1S6
www.cloudops.com
@CloudOps_
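To make the ordering point in the reply concrete, here is an added example (written for this thread, not PacketFence or FreeRADIUS code) that models what the two rlm_realm instances do to a User-Name. It assumes the stock definitions from raddb/modules/realm, "suffix" (format = suffix, delimiter "@") and "ntdomain" (format = prefix, delimiter "\"), and the realm table from the proxy.conf quoted above, with the remote host kept as the placeholder x.x.x.x. The lookup rule modelled is the one visible in the debug output: exact realm name, otherwise DEFAULT, and a name with no delimiter looks up realm NULL; ignore_null and the strip/nostrip options are deliberately not modelled.

```python
"""Model of rlm_realm splitting for "suffix" and "ntdomain" (added example,
not FreeRADIUS or PacketFence code). Shows why DOMAIN\\USER1 stays LOCAL when
only "suffix" runs in authorize, and is proxied to DEFAULT once "ntdomain"
runs after it."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Realm:
    name: str
    authhost: str  # "LOCAL" or "host:port"


# Realm table from the quoted proxy.conf; x.x.x.x is the poster's placeholder.
REALMS = {
    "NULL": Realm("NULL", "LOCAL"),
    "DEFAULT": Realm("DEFAULT", "x.x.x.x:1812"),
}

# Module instances as in the stock raddb/modules/realm: (instance, format, delimiter)
SUFFIX = ("suffix", "suffix", "@")
NTDOMAIN = ("ntdomain", "prefix", "\\")


def split_realm(username, fmt, delim):
    """Return (stripped_user, realm_name); realm_name is None if no delimiter."""
    if delim not in username:
        return username, None
    if fmt == "suffix":  # user@realm
        user, _, realm = username.rpartition(delim)
    else:  # realm\\user
        realm, _, user = username.partition(delim)
    return user, realm


def find_realm(realm_name):
    """Exact name, else DEFAULT. No delimiter means realm NULL (assumption:
    ignore_null is not modelled, so a missing NULL realm simply returns None)."""
    if realm_name is None:
        return REALMS.get("NULL")
    return REALMS.get(realm_name) or REALMS.get("DEFAULT")


def authorize(username, modules):
    """Run realm instances in order, like an authorize section.

    Returns (state, trace): state holds the final Stripped-User-Name, Realm
    and Proxy-To-Realm (None when the request is handled locally); trace
    resembles the debug lines in the thread.
    """
    state = {"Stripped-User-Name": username, "Realm": None, "Proxy-To-Realm": None}
    trace = []
    for inst, fmt, delim in modules:
        if state["Proxy-To-Realm"]:
            trace.append(f"++[{inst}] returns noop (already proxying)")
            continue
        current = state["Stripped-User-Name"]  # later instances see the stripped name
        user, realm_name = split_realm(current, fmt, delim)
        if realm_name is None:
            trace.append(f"[{inst}] No '{delim}' in User-Name = {current!r}, looking up realm NULL")
        else:
            trace.append(f"[{inst}] Looking up realm {realm_name!r} for User-Name = {current!r}")
        realm = find_realm(realm_name)
        if realm is None:
            trace.append(f"++[{inst}] returns noop (no such realm)")
            continue
        trace.append(f"[{inst}] Found realm {realm.name!r}")
        state["Stripped-User-Name"] = user
        state["Realm"] = realm.name
        if realm.authhost == "LOCAL":
            trace.append(f"[{inst}] Authentication realm is LOCAL.")
        else:
            state["Proxy-To-Realm"] = realm.name
            trace.append(f"[{inst}] Proxying request from user {user} to realm {realm.name}")
    return state, trace


if __name__ == "__main__":
    for name in ("USER1@DOMAIN", "DOMAIN\\USER1", "USER1"):
        for chain in ([SUFFIX], [SUFFIX, NTDOMAIN]):
            state, trace = authorize(name, chain)
            print(name, [m[0] for m in chain], state)
            print("\n".join("  " + t for t in trace))
```

Run as-is, the model reproduces the two debug excerpts above: with "suffix" alone, USER1@DOMAIN is proxied to DEFAULT while DOMAIN\USER1 matches realm NULL and is authenticated locally; adding "ntdomain" after "suffix" sends DOMAIN\USER1 to DEFAULT with Stripped-User-Name USER1, and a bare USER1 still stays local, which is what you want for PacketFence registration.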

