On Thu, 29 Jul 2004, Willey Kurt D wrote:

> >>On Wed, 28 Jul 2004, Willey Kurt D wrote:
> >> I have FreeRADIUS (1.0.0-pre2) doing user authentication with W2K AD
> >> (peap, mschap, ldap, ntlm_auth); thanks to the archived posts for the
> >> help!!
> >>
> >> I want to use user authentication for non-domain machines (students,
> >> home laptops, etc - done) and machine authentication for those in active
> >> directory (our computers).
> >>
> >> I modified the ldap attribs to check servicePrincipalName
> >> (host\computername) but of course the machine doesn't send a password
> >> for mschap...
>
> >What does the machine send anyway? If you can answer that you can probably
> >find out a way to authorize these calls.
>
> >Kostas Kalevras Network Operations Center
> >[EMAIL PROTECTED] National Technical University of Athens, Greece
> >Work Phone: +30 210 7721861
>
> Here is the log of the failed try... The server is trying to use mschap;
> do I need to force it to another authentication? I am guessing yes...
> what do I use without breaking the user-based auth I have set up and
> working?

You can either try and find out what password the machine uses and put them
in the machine entries in ldap (or just add them in the users file) or if
you have a way to distinguish the machine sessions from user sessions (and
I am talking about something more secure than just checking the username
provided) you can just set Auth-Type to Accept for those sessions (in the
users file).

>
> THANKS!!
>
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ambrose,dc=sau,dc=edu, with filter (&(servicePrincipalName=host/sauvxy5n.ambrose.sau.edu)(objectcategory=cn=computer,cn=schema,cn=configuration,dc=ambrose,dc=sau,dc=edu))
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user host/sauvxy5n.ambrose.sau.edu authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 6
> modcall: group authorize returns updated for request 6
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 6
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 6
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for host/sauvxy5n.ambrose.sau.edu with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> modcall[authenticate]: module "mschap" returns reject for request 6
> modcall: group Auth-Type returns reject for request 6
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns reject for request 6
> modcall: group authenticate returns reject for request 6
> auth: Failed to validate the user.
> PEAP: Tunneled authentication was rejected.
> rlm_eap_peap: FAILURE
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
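An added example, not part of the original messages and not FreeRADIUS code: a Python triage function for a radiusd debug excerpt like the one quoted above, separating "rlm_mschap had no NT/LM hash for this identity" from an ordinary wrong-password reject. The function name `triage` and the result keys are assumptions made for illustration; the sample lines are taken from the quoted log with mail wrapping removed.

```python
import re

# Lines taken from the debug excerpt quoted in the thread (mail wrapping removed).
SAMPLE_LOG = """\
rlm_ldap: user host/sauvxy5n.ambrose.sau.edu authorized to use remote access
modcall[authorize]: module "ldap" returns ok for request 6
rad_check_password: Found Auth-Type EAP
rlm_eap: EAP/mschapv2
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for host/sauvxy5n.ambrose.sau.edu with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
modcall[authenticate]: module "mschap" returns reject for request 6
modcall[authenticate]: module "eap" returns reject for request 6
PEAP: Tunneled authentication was rejected.
"""

IDENTITY = re.compile(r"rlm_mschap: Told to do MS-CHAPv2 for (\S+) with")
EAP_TYPE = re.compile(r"rlm_eap: EAP/(\S+)")
REJECT = re.compile(r'modcall\[authenticate\]: module "(\w+)" returns reject for request (\d+)')
NO_HASH = "rlm_mschap: FAILED: No NT/LM-Password"

def triage(log_text):
    """Summarise why the request in a radiusd debug excerpt was rejected."""
    result = {"identity": None, "machine": False, "eap_type": None,
              "no_password_hash": False, "rejected_by": [], "request": None}
    for line in log_text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail-quoted log lines
        if m := IDENTITY.search(line):
            result["identity"] = m.group(1)
            # The host/ prefix is only a triage hint: the client chooses this
            # name, so it is not a basis for an authorization decision.
            result["machine"] = m.group(1).lower().startswith("host/")
        elif m := EAP_TYPE.search(line):
            result["eap_type"] = m.group(1)
        elif NO_HASH in line:
            result["no_password_hash"] = True
        elif m := REJECT.search(line):
            result["rejected_by"].append(m.group(1))
            result["request"] = int(m.group(2))
    if result["no_password_hash"]:
        result["cause"] = "no NT/LM hash available to rlm_mschap for this identity"
    elif result["rejected_by"]:
        result["cause"] = "credentials did not verify"
    else:
        result["cause"] = "no rejection seen"
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```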

