How to raise numbers of request/sec in Freeradius
Hi, I use Freeradius2 to authenticate user login. I use the Evolynx Radius Load Test tool to test the number of requests per second. I find only a max of 20-25 requests/sec in Freeradius. Can I raise the number via editing configuration files? Thanks.

Robin Lu

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius with NTLM authentication
Thank you Phil for your reply,

> What is prompting here? How is the firewall asking the user for a password? Is this web intercept?

Exactly right, the firewall is prompting the user to authenticate using its internal captive portal page. What I am trying to achieve here is single sign-on with radius accounting using the following scenario: our users authenticate to the Windows Domain, and when they try to access the internet they hit a firewall protected policy which requires authentication. Now, instead of authenticating via the firewall captive portal, I want to use NTLM to check if the user is already authenticated on the AD and if so pass the authorization to the radius for accounting. The firewall has the option to do NTLM authentication on the protected policy, but I am trying to fit the Radius in as well for accounting purposes.

Below is the debug output:

rad_recv: Access-Request packet from host 193.188.X.X port 5027, id=40, length=126
    NAS-Identifier = WAN-HA
    User-Name = rsa
    User-Password = **
    NAS-IP-Address = 193.188.X.X
    NAS-Port = 1
    Called-Station-Id = 193.188.X.X
    Calling-Station-Id = 192.168.1.74
    Acct-Session-Id = 0fa5011f
    Connect-Info = web-auth
    Fortinet-Vdom-Name = root
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/193.188.X.X/auth-detail-20101022
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/193.188.X.X/auth-detail-20101022
[auth_log] expand: %t -> Fri Oct 22 09:04:24 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 71
++[files] returns ok
[sql] expand: %{User-Name} -> rsa
[sql] sql_set_user escaped user -- 'rsa'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rsa' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'rsa' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User rsa not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=rsa
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [rsa/*...@] (from client vdk-f-fgwan port 1 cli 192.168.1.74)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 40 to 193.188.X.X port 5027
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 193.188.X.X port 5028, id=41, length=98
    Acct-Status-Type = Start
    Acct-Session-Id = 0fa5011f
    User-Name = rsa
    NAS-Identifier = VDK-F-FGWAN
    Framed-IP-Address = 30.48.67.87
    Fortinet-Client-IP-Address = 192.168.1.74
    Fortinet-Vdom-Name = root
    Calling-Station-Id = 192.168.1.74
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 193.188.X.X,NAS-IP-Address = 193.188.X.X,Acct-Session-Id = 0fa5011f,User-Name = rsa'
[acct_unique] Acct-Unique-Session-ID = f774c3b998804d6a.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/193.188.X.X/detail-20101022
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/193.188.X.X/detail-20101022
[detail] expand: %t -> Fri Oct 22 09:04:24 2010
++[detail] returns ok
++[unix] returns noop
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> rsa
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING
Re: freeradius proxy can't recognize Delegated-IPv6-Prefix attribute
ichiro tanaka i_tan...@hotmail.co.jp writes:

> Proxy-Server recognition was repaired, if proxy-server did not include dictionary.ascend.

I believe it is time to revisit the Ascend dictionary fixup. This was done once, and then reverted between 2.1.7 and 2.1.8:

commit e23e4754f755e6fe82a28e53ccc1b9ffcaf53fda
Author: Alan T. DeKok al...@freeradius.org
Date:   Wed Dec 2 11:54:23 2009 +0100

    Revert "Moved Ascends illegal attributes to their own file"

    This reverts commit 0241615ea5e98a13c92c266daab356e057d6a27d.

    While these dictionaries are unfortunate, making this change in a point release is likely a bad idea.

commit 0241615ea5e98a13c92c266daab356e057d6a27d
Author: Alan T. DeKok al...@freeradius.org
Date:   Tue Sep 29 10:10:59 2009 +0200

    Moved Ascends illegal attributes to their own file

Yes, I can see the point that this will break existing setups. But I will argue that such setups have *always* been broken. At least when we are discussing the FreeRADIUS 2.x era. You cannot support them without breaking RFC conformance, which should have a higher priority even in the stable tree.

Or just rename the next 2.1.x release 2.2.0 if that makes you feel better :-)

Bjørn
Re: cisco log entry
MONTFORD, AUSTIN wrote:
> What does this error mean on a cisco switch?

Ask Cisco.

Alan DeKok.
Re: freeradius with NTLM authentication
On 10/22/2010 07:12 AM, Ramzi Abdallah wrote:
> exactly right the firewall is prompting the user to authenticate using its internal captive portal page.
...
> requires authentication. now instead of authenticating via the firewall captive portal I want to use NTLM to check if the user is already authenticated on the AD and if so pass the authorization to the radius for accounting. the firewall has the option to do NTLM authentication on the protected policy but I am trying to fit the Radius as well for accounting purposes

Well, it's the HTTP server (in this case, the firewall captive portal) that asks/makes the client do NTLM. If you want single sign-on you'll need to enable it there. There's nothing you can do at the radius server to enable this.

Maybe the firewall will still do radius accounting even with NTLM enabled?
Re: freeradius proxy can't recognize Delegated-IPv6-Prefix attribute
Bjørn Mork wrote:
> I believe it is time to revisit the Ascend dictionary fixup.

I think so, yes.

> Yes, I can see the point that this will break existing setups. But I will argue that such setups have *always* been broken. At least when we are discussing the FreeRADIUS 2.x era. You cannot support them without breaking RFC conformance, which should have a higher priority even in the stable tree.

Pretty much, yes.

> Or just rename the next 2.1.x release 2.2.0 if that makes you feel better :-)

No... 2.2.0 is a different branch in git, and has major new features, like TCP transport, and many more which are waiting for certain things to happen.

For 2.1.11, the safer alternative is to move the illegal attributes to their own dictionaries, and then include those *before* the RFC dictionaries. People will still be able to create/send attributes using the illegal names. But when attributes are received, the new names will be used by default.

That *is* a change in behavior. But it's time for 10-year-old equipment to be deprecated.

Alan DeKok.
authorize an user using a multivalue ldap attribute
Hello,

I have a string attribute named Relaciones in my ldap. This attribute can have more than one value. Actually I return those values in the reply:

Sending Access-Accept of id 229 to X.X.X.X port 32796
    Relaciones += -11
    Relaciones += 03
    Relaciones += -01

I want to authorize the access only if there is one attribute Relaciones with a positive value. So I would like to use unlang in the authorize section to check all the attributes Relaciones with a regex, but I don't know how I can check all the attributes, and how I can stop processing the attributes if I find one without a minus sign.

if (%{reply:Relaciones} =~ /^([0-9]{2})/) {
}

Thanks very much, and sorry for my english.

--
Ana Gallardo Gómez
Activate LDAP group membership checking
Hi,

I'm trying to activate the LDAP group membership checking in FreeRadius. In my radiusd.conf I've modified the group checking section:

groupname_attribute = cn
groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
groupmembership_attribute = ou

By looking in my openldap logs, freeradius is not even trying to search for the group. Do I have to activate something else to enable group checking?

Thank you
Re: How to raise numbers of request/sec in Freeradius
Robin wrote:
> I use the tools of Evolynx Radius Load Test to test number of requests per second. I find only max 20-25 requests/sec in Freeradius. Can I raise the number via editing configuration files?

When authentication is from the users file, the server can do 10K requests/s. The issue isn't FreeRADIUS. It's something else.

So... what are you doing with the authentication requests?

Alan DeKok.
Re: authorize an user using a multivalue ldap attribute
Hello again,

I have a string attribute named Relaciones in my ldap. This attribute can have more than one value. Actually I return those values in the reply:

Sending Access-Accept of id 229 to X.X.X.X port 32796
    Relaciones += -11
    Relaciones += 03
    Relaciones += -01

I want to authorize the access only if there is one attribute Relaciones with a positive value. So I would like to use unlang in the authorize section to check all the attributes Relaciones with a regex, but I don't know how I can check all the attributes, and how I can stop processing the attributes if I find one without a minus sign.

if (%{reply:Relaciones} =~ /^([0-9]{2})/) {
}

Maybe I can check the value with a check item:

# cat /etc/freeradius/ldap.attrmap
checkItem    NT-Password        ntPassword
checkItem    Relaciones         Relaciones ~= /^([0-9]{2})/
replyItem    Nombre-Completo    sn
replyItem    Relaciones         Relaciones +=

Anyway, I tested both ideas, but they don't work:

[ldap] looking for check items in directory...
[ldap] ntPassword -> NT-Password == 0x3...
[ldap1] looking for reply items in directory...
[ldap1] Relaciones -> Relaciones += -11
[ldap1] Relaciones -> Relaciones += 03
[ldap1] Relaciones -> Relaciones += -01
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap1] user XXX authorized to use remote access
[ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok
? if (fail)
? Evaluating (fail) -> FALSE
? if (fail) -> FALSE
- entering else else {...}
+? if (%{reply:Relaciones} =~ /^([0-9]{2})/)
    expand: %{reply:Relaciones} -> -11
? Evaluating (%{reply:Relaciones} =~ /^([0-9]{2})/) -> FALSE
+? if (%{reply:Relaciones} =~ /^([0-9]{2})/) -> FALSE
- else else returns ok

Any ideas? Thank you very much.

Ana Gallardo Gómez
Re: authorize an user using a multivalue ldap attribute
Ana Gallardo wrote:
> I want to authorize the access only if there is one attribute Relaciones with a positive value. So I would like to use unlang in the authorize section to check all the attributes Relaciones with a regex, but I don't know how I can check all the attributes, and how I can stop processing the attributes if I find one without a minus sign.
>
> if (%{reply:Relaciones} =~ /^([0-9]{2})/) {

You can't really do that with unlang. I suggest using the perl module.

Alan DeKok.
Re: Activate LDAP group membership checking
mic nightic wrote:
> By looking in my openldap logs, freeradius is not even trying to search for the group. Do I have to activate something else to enable group checking?

doc/rlm_ldap

Look for group support

Alan DeKok.
Re: Activate LDAP group membership checking
Yes sir! Thank you. Found the solution in the doc.

On Fri, Oct 22, 2010 at 12:57 PM, Alan DeKok al...@deployingradius.com wrote:
> mic nightic wrote:
>> By looking in my openldap logs, freeradius is not even trying to search for the group. Do I have to activate something else to enable group checking?
>
> doc/rlm_ldap
>
> Look for group support
>
> Alan DeKok.
Re: authorize an user using a multivalue ldap attribute
Hello Alan, and thank you for your response.

> You can't really do that with unlang. I suggest using the perl module.

I followed your suggestion and wrote this:

# cat /etc/freeradius/perl/checkRelaciones.pm
use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;

use constant RLM_MODULE_REJECT => 0;  # /* immediately reject the request */
use constant RLM_MODULE_OK     => 2;  # /* the module is OK, continue */

sub authorize {
    my $valores = $RAD_REPLY{'Relaciones'};
    # rlm_perl passes a multi-valued attribute as an array reference and a
    # single-valued one as a plain scalar; normalise both to a list
    my @lista = ref($valores) eq 'ARRAY' ? @{$valores}
              : defined($valores)        ? ($valores)
              :                            ();
    foreach my $valor (@lista) {
        # accept as soon as one value starts with two digits (no minus sign)
        if ($valor =~ /^([0-9]{2})/) {
            return RLM_MODULE_OK;
        }
    }
    # no positive value found: reject
    return RLM_MODULE_REJECT;
}

and I use this in the authorize section:

authorize {
    ...
    files
    ...
    perl
    expiration
    ...
}

but, when I try to run freeradius in debug mode:

...
 perl {
    module = /etc/freeradius/perl/checkRelaciones.pm
    func_authorize = authorize
    func_authenticate = authenticate
    func_accounting = accounting
    func_preacct = preacct
    func_checksimul = checksimul
    func_detach = detach
    func_xlat = xlat
    func_pre_proxy = pre_proxy
    func_post_proxy = post_proxy
    func_post_auth = post_auth
    func_recv_coa = recv_coa
    func_send_coa = send_coa
 }
Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
 at /usr/lib/perl/5.10/Data/Dumper.pm line 36

So, I think that I need to upgrade or something like this.

Thank you again.

Ana Gallardo Gómez
Re: authorize an user using a multivalue ldap attribute
On 22/10/10 13:16, Ana Gallardo wrote:
> Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
>  at /usr/lib/perl/5.10/Data/Dumper.pm line 36

You need to install the Data::Dumper module from your package manager, or from CPAN, or from somewhere else :)

--
Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless VPN Team
Information Services
University of Bristol
Re: authorize an user using a multivalue ldap attribute
On 10/22/10 6:25 AM, Jonathan Gazeley wrote:
> On 22/10/10 13:16, Ana Gallardo wrote:
>> Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
>>  at /usr/lib/perl/5.10/Data/Dumper.pm line 36
>
> You need to install the Data::Dumper module from your package manager, or from CPAN, or from somewhere else :)

Conversely, you could comment out/remove the use Data::Dumper line since you're not using it. It's mainly for debugging and easily printing the entire contents of an object/array/hash/etc.

--
Kevin Ehlers
Network Engineer
University of Oregon
Re: LDAP authentication failed
ok I found my problem. I had forgotten to add my domain in the proxy.conf; after I did this the ldap search works fine. But now I have one more problem with authentication. I want to use peap with mschap to support both windows and linux systems. But authentication fails. I don't know what I have to configure or where the problem is. I would be very happy about some hints. I'm sorry about the very long debug output.

rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=86, length=149
    NAS-IP-Address = 192.168.0.2
    NAS-Port = 50006
    NAS-Port-Type = Ethernet
    User-Name = FIRMA1\\usera
    Called-Station-Id = 00-15-F9-D8-7C-C6
    Calling-Station-Id = 00-1A-4B-63-69-0B
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0x1558e554175bfc9edc831547521be2ad
    EAP-Message = 0x020300061900
    Message-Authenticator = 0xfb650903c7207e001d0385d8a036
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] expand: %t -> Fri Oct 22 18:32:40 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm FIRMA1 for User-Name = FIRMA1\usera
[ntdomain] Found realm FIRMA1
[ntdomain] Adding Stripped-User-Name = usera
[ntdomain] Adding Realm = FIRMA1
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 86 to 192.168.0.2 port 1812
    EAP-Message = 0x0104003619000f0b409c6f7dd2e83b8a1ad34c1b43c61b5cfa499e7822f081073040ea4c9280acd2686fd194f216030100040e00
    Message-Authenticator = 0x
    State = 0x1558e554165cfc9edc831547521be2ad
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=87, length=465
    NAS-IP-Address = 192.168.0.2
    NAS-Port = 50006
    NAS-Port-Type = Ethernet
    User-Name = FIRMA1\\usera
    Called-Station-Id = 00-15-F9-D8-7C-C6
    Calling-Station-Id = 00-1A-4B-63-69-0B
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0x1558e554165cfc9edc831547521be2ad
    EAP-Message = 0x0204014019800136160301010611020100626313e9c274f169e9ed94821e91d59e61578ab381c0e35788422b88b6e12b77d9551a970514289baaaf9c2ec3edb8ae126c1c5b5f29d7883997fee2eee9f55a635005cb534cf7c708f0a0ec98dbda376e88b67de4616926d9aa586737b2536998fad9c4648c8ce1e3b704415c4031063fc103bf0ddd1159d8b8ef2c5c41332aca99428569333c19f8d539b1a01f232cdf9023030176aef9c9bcea7588447853febc8b340da21d9b5af78d2d8b5b3acc0779e9f8d970f93471273749a0653a7e6611ee11bfcabb019b34e3f54f5e1b693d89fe471eab29d8027641dfed05bfeeeca249fd3561371c
    EAP-Message = 0xa736d666ebba66d8c0a368d306e0af12f71b43504cad85a614030100010116030100204c903a9993c942b403d46902c7564ea7f66787ca59a02e46fc08946a84aa509d
    Message-Authenticator = 0x67bf63ab1ed1abebb8161ae463114461
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log] expand: %t -> Fri Oct 22 18:32:40 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm FIRMA1 for User-Name = FIRMA1\usera
[ntdomain] Found realm FIRMA1
[ntdomain] Adding Stripped-User-Name = usera
[ntdomain] Adding Realm = FIRMA1
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 4 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap]     TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept
RE: LDAP authentication failed
2 things:

1) Near the bottom of the debug output there is a line that says you are passing the username as domain\user, and it asks if you have enabled the "with NT domain hack" option. Check your mschap module config to see if this is enabled; it is commented out by default. You can check the complete debug output that includes the server initializing and you can see it there IF it is enabled.

2) I gave up on PEAP/MSCHAPv2 on linux, EAP/TTLS works great for me with no other config tweaks after I got the windows clients working! If there is not a super important requirement to use the same authorization on both platforms you could do the same, just an idea.

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of snowman5840
Sent: Friday, October 22, 2010 11:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP authentication failed

> ok I found my problem. I had forgotten to add my domain in the proxy.conf; after I did this the ldap search works fine. But now I have one more problem with authentication. I want to use peap with mschap to support both windows and linux systems. But authentication fails. I don't know what I have to configure or where the problem is. I would be very happy about some hints. I'm sorry about the very long debug output.
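The option Jake refers to, shown here as an added illustration and not text from the thread: in the FreeRADIUS 2.x mschap module (modules/mschap) it is `with_ntdomain_hack`. It ships commented out, which leaves it off, so a client that sends `DOMAIN\user` but computes its MS-CHAPv2 response over the bare user name fails verification until the setting is turned on.

```conf
# Added example (not from the thread). Default modules/mschap in
# FreeRADIUS 2.x leaves the option commented out, i.e. off: the
# response is checked against the full "FIRMA1\usera" string and
# never matches what the Windows supplicant actually hashed.
mschap {
        # with_ntdomain_hack = no
}

# Corrected: rlm_mschap strips everything up to and including the
# backslash before verifying the response (and when expanding
# %{mschap:User-Name}), so DOMAIN\user logins verify correctly.
mschap {
        with_ntdomain_hack = yes
}
```

The `[ntdomain]` realm lines in the debug output above only populate Stripped-User-Name for realm routing; they do not change what rlm_mschap verifies, which is why that module needs its own setting.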
RE: LDAP authentication failed
wow. hey now it's working with both OS ;-) . thx for your hint, nt_hack was missing.