Alan,

Your pointer to the MS-CHAP issue with usernames got me thinking. I looked closely at the logs and one machine was sending usernames in lowercase, and the other was sending them partially upper-cased (which, after some research, I found they were in our Active Directory with some characters capitalized for some reason =/ ). After changing the user in AD to have an all-lowercase name just as they are in our OpenLDAP, the problem laptop is able to log in.

This doesn't explain why one laptop would lowercase the username before authenticating, but I don't think that is anything I'll ever understand.

Thanks for the help.

-Matt
MNU Network Administrator

--- Original Message Below ---
From: "Matt Sapp" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: PEAP Woes
Date: Wed, 29 Oct 2003 16:03:21 -0500

Alan,

Upon setting "with_ntdomain_hack = no", of course now my wireless users cannot be found in ldap, so the systems that did work before do not now:

radius_xlat: '(uid=MNU.EDU\\Matt)'
radius_xlat: 'dc=mnu,dc=edu'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=mnu,dc=edu, with filter (uid=MNU.EDU\\Matt)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 25

It looks to me like the domain is not used in the calculation of ms-chap, otherwise it would not work at all when using with_ntdomain_hack, or am I missing something?

I'll do a packet dump and come back with the results.

-Matt
MNU Network Administrator

--- Original Message Below ---
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: PEAP Woes
Date: Wed, 29 Oct 2003 16:44:33 -0500

"Matt Sapp" <[EMAIL PROTECTED]> wrote:
> On the Centrino laptop, logging into the domain, wireless also comes up.
>
> However, the laptop with the Atheros card in it, when logging into
> the domain rather than locally to the laptop, I get this when running
> with -X:

If one works and the other doesn't, then the ONLY difference is in the RADIUS requests. Compare the RADIUS requests from the two laptop authentications, and see what's different. The differences are breaking authentication.

> I am using "with_ntdomain_hack = yes" in my configuration.

See a post earlier today on the list. MS-CHAP depends on usernames. "with_ntdomain_hack = yes" means that the user name is changed, so MS-CHAP authentication will NOT work.

Try setting "with_ntdomain_hack = no"

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
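
The username dependence discussed in this thread, as an added example that is not part of the original messages: in MS-CHAPv2 (RFC 2759), the variant normally carried inside PEAP, the username bytes are hashed into the 8-byte challenge that the NT password hash then encrypts, so any difference in case or domain prefix between the name the client used and the name the server uses changes the expected response. The challenge values, the name forms and the helpers `strip_nt_domain` and `diagnose` are constructed for illustration.

```python
import hashlib

# Constructed 16-byte challenges (not taken from the thread's traffic).
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))


def challenge_hash(peer: bytes, auth: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(peer || auth || username)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("peer and authenticator challenges must be 16 bytes")
    return hashlib.sha1(peer + auth + username.encode("ascii")).digest()[:8]


def strip_nt_domain(name: str) -> str:
    """Hypothetical helper: drop a leading 'DOMAIN\\' prefix, if any."""
    return name.rsplit("\\", 1)[-1]


def diagnose(client_name: str, server_name: str) -> str:
    """Explain why client and server would (dis)agree on the 8-byte challenge."""
    same = (challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, client_name)
            == challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, server_name))
    if same:
        return "match"
    bare_client = strip_nt_domain(client_name)
    bare_server = strip_nt_domain(server_name)
    if bare_client == bare_server:
        return "domain prefix differs"
    if bare_client.lower() == bare_server.lower():
        return "case differs"
    return "different user"


if __name__ == "__main__":
    # Constructed name forms, checked against a lowercase directory entry.
    for sent in ("matt", "Matt", "MNU.EDU\\Matt"):
        digest = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, sent).hex()
        print(f"{sent!r:18} challenge={digest} vs 'matt': {diagnose(sent, 'matt')}")
```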
