I still haven't managed to get this to work...
After studying the logs closely, it seems as though the tunneled message
is requesting MS-CHAP authentication with NT-Password (?). Is this
typical or expected?
radiusd.conf:
authorize {
preprocess
chap
mschap
suffix
eap
files
ldap
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap
}
eap
}
Log file:
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
modcall[authorize]: module "mschap" returns ok for request 4
rlm_realm: No '@' in User-Name = "sotnickd", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 4
modcall[authorize]: module "files" returns notfound for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for sotnickd
radius_xlat: '(uid=sotnickd)'
radius_xlat: 'o=ddv.com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=ddv.com, with filter (uid=sotnickd)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user sotnickd authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 4
modcall: group authorize returns ok for request 4
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 4
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for sotnickd with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 4
modcall: group Auth-Type returns reject for request 4
auth: Failed to validate the user.
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.250.12:1122, id=168, length=285
Sending Access-Reject of id 168 to 192.168.250.12:1122
EAP-Message = 0x04b10004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Cleaning up request 0 ID 164 with timestamp 412f9426
Cleaning up request 1 ID 165 with timestamp 412f9426
Cleaning up request 2 ID 166 with timestamp 412f9426
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 167 with timestamp 412f9427
Cleaning up request 4 ID 168 with timestamp 412f9427
Nothing to do. Sleeping until we see a request.
Any help is greatly appreciated. It seems like I'm so close, but
something's just not right.
Thanks!
-David
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
