Excellent! Kostas, you are the best. So, I'm back to square one. I'm sure I
accidentally removed that while I was trying to fix an issue I'm currently
having. Perhaps someone can give advice on it?
I'm running freeradius 1.0.1 to authenticate wireless and VPN users, using
the NT-Password and LM-Password attributes stored in LDAP. If Windows sends only
the username and password, everything works fine. The problem is that wireless
clients can't connect when Windows sends the credentials in the DOMAIN\USER
form. I originally tried the with_ntdomain_hack = Yes setting but always
received the following error:
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
After doing some research, I found a suggestion to add the following to the hints file:
DEFAULT Prefix == "DOMAIN\\"
        Hint = "EAP",
        Service-Type = Framed-User,
        Framed-Protocol = EAP
After doing this I now receive this error:
rlm_ldap: performing search in ou=Users,dc=domain,dc=com, with filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaNTPassword as NT-Password, value AB6FD631EB61B62587E3E1E1D4108D34 & op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value E8DD557F11182BD16A59F3FB1669ACA0 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user DOMAIN\testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Any thoughts on why this is happening? Is there another solution?
I would like to find out whether I can allow all users in LDAP to access our
access point, while at the same time only allowing members of the VPN group to
have VPN access. Is there any way to achieve what I want using a single RADIUS
server? If so, can someone point me to some docs? I've been unable to find
anything. Thanks for your time...
>
> From: Kostas Kalevras <[EMAIL PROTECTED]>
> Date: 2005/04/26 Tue AM 09:08:29 EDT
> To: [email protected]
> Subject: Re: Restricting access by LDAP group.
>
> On Mon, 25 Apr 2005 [EMAIL PROTECTED] wrote:
>
> > I had this working, I don't know why but for some reason it doesn't
> > anymore.
> > Any user in LDAP receives an Access-Accept. Here's my entire radiusd.conf
> > and
> > the output of a user that is not in the "VPN" group receiving an
> > Access-Accept
> > using radtest. Is there something wrong with my configuration?
> >
> > Thanks
>
> > authorize {
> > preprocess
> > chap
> > mschap
> > suffix
> > eap
> > ldap
> > }
>
> You don't have the files (users file) module in the authorize section.
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
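Putting Kostas' point (the files module has to be listed in authorize for the users file to be consulted at all) together with a fix for the DOMAIN\user form, here is a complete FreeRADIUS 1.x configuration as an added example. It is not the poster's configuration and not the config shipped with freeradius; the LDAP host ldap.domain.com, the NAS address 192.0.2.10, the huntgroup name vpn, the LDAP group name VPN and the posixGroup/memberUid group schema are all assumptions to be replaced with your own. Instead of a Prefix rule in hints it uses the realm module to strip the domain, so the realm stanza in radiusd.conf and the realm entry in proxy.conf belong together:

```text
# radiusd.conf (excerpt) -- added example; host names, addresses and group names are assumed
modules {
        # Split "DOMAIN\user" into Realm = "DOMAIN" and Stripped-User-Name = "user".
        realm ntdomain {
                format = prefix
                delimiter = "\\"
                ignore_default = yes    # unknown DOMAIN: do not fall back to a DEFAULT realm
                ignore_null = yes       # plain "user" without a backslash: leave the request alone
        }

        mschap {
                authtype = MS-CHAP
                # Windows computes the NT-Response over "user", not "DOMAIN\user";
                # do the same on our side.
                with_ntdomain_hack = yes
        }

        ldap {
                server = "ldap.domain.com"                          # assumed
                basedn = "ou=Users,dc=domain,dc=com"
                # Look the user up by the stripped name when the realm module produced one,
                # otherwise by the User-Name as sent.
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                # Group membership lookup used by the Ldap-Group check item in the users file.
                groupname_attribute = cn
                groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"  # assumed schema
                # sambaNTPassword/sambaLMPassword -> NT-Password/LM-Password is mapped in ldap.attrmap
        }
}

authorize {
        preprocess      # sets Huntgroup-Name from the huntgroups file
        chap
        mschap
        suffix
        ntdomain        # must run before ldap so the filter sees Stripped-User-Name
        eap
        ldap
        files           # the users file below; this was the missing module
}

# proxy.conf -- the realm must exist, or the realm module leaves the name untouched.
# LOCAL means: authenticate here, do not proxy.
realm DOMAIN {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}

# huntgroups -- tag requests coming from the VPN concentrator (address assumed)
vpn     NAS-IP-Address == 192.0.2.10

# users -- VPN requests from members of the LDAP group "VPN" match the first entry and
# processing stops there (Fall-Through = No is the default, spelled out for clarity).
# VPN requests from anyone else fall to the second entry and are rejected.
# Requests from the access point match neither entry, so any LDAP user is accepted.
DEFAULT Huntgroup-Name == "vpn", Ldap-Group == "VPN"
        Fall-Through = No

DEFAULT Huntgroup-Name == "vpn", Auth-Type := Reject
        Reply-Message = "VPN access is limited to members of the VPN group"
```

To check it, run radiusd -X and send two requests with radtest, one for a group member and one for a non-member, with the NAS address of the VPN concentrator and then with that of the access point. In the debug output the ldap search filter should show the stripped name for a DOMAIN\user login, and for the non-member via the VPN address the files module should set Auth-Type := Reject and the Reply-Message should appear in the Access-Reject. Note that the Ldap-Group check costs one extra LDAP search per request, which for PEAP is once per EAP round trip on the outer request.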