>>Hi all, I have a problem: I can't authenticate my user with the Windows login user/pass.
>>
>>I use:
>>- 802.1x
>>- newest freeradius, and ubuntu 8.4
>>- eap-tls
>>- win xp sp2 client, use automatic win logon and pass
>>
>>When "Automatically use my Windows login name and password" is unchecked
>>on Windows, I type user/pass and my RADIUS server accepts the request,
>>and everything is okay.
>>
>>But when I try it with the automatic Windows login/pass, RADIUS rejects the
>> request.
>>I set with-ntdomain-hack=yes in preprocess and it cuts off the domain part.
>>It seems okay but it is still rejected.
>>
>>I have good user settings.
>>
>>What is the problem? Password encryption?
>>
>
> No.
>
>>the debug log:
>>
>>rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=228,
>>length=160
> ..
>> User-Name = "DOMAIN\\Joe"
> ..
>>[suffix] No '@' in User-Name = "Joe", looking up realm NULL
> ..
>>[eap] Identity does not match User-Name, setting from EAP Identity.
> ..
>
> You are rewriting the User-Name. Don't do that.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
When I use with-ntdomain-hack=no, the result is:
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=137,
length=200
NAS-IP-Address = 192.168.1.1
NAS-Port = 50003
Cisco-NAS-Port = "FastEthernet0/3"
NAS-Port-Type = Ethernet
User-Name = "DOMAIN\\Joe"
Called-Station-Id = "00-09-B7-94-CA-83"
Calling-Station-Id = "00-13-D4-E7-B3-FB"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xd2b62910daab305146382a3fd0fd1f65
EAP-Message =
0x021d00261900170301001b4857496f15b6b51dff76c2cd1e72b58feb956122b8ae08030ba37d
Message-Authenticator = 0x2361c53f5b43fce8fdfa4799b5112dde
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\Joe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 29 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [DOMAIN\\Joe/<via Auth-Type = EAP>] (from client switch port
50003 cli 00-13-D4-E7-B3-FB)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> DOMAIN\Joe
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 29 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 29
Sending Access-Reject of id 137 to 192.168.1.1 port 1812
EAP-Message = 0x041d0004
Message-Authenticator = 0x00000000000000000000000000000000
rejected too.
GH
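
The two debug excerpts in this thread fail for different reasons, and the following added example (not part of the original posts, and not FreeRADIUS code) shows a small triage script that tells them apart: it flags a module working on a User-Name that differs from the one received, the EAP identity mismatch message, and the PEAP "rejected earlier in this session" message. The function name `triage`, the finding codes and the abridged sample logs are assumptions constructed for illustration.

```python
import re

# Constructed samples, abridged from the two debug excerpts quoted in this thread.
LOG_HACK_ON = r'''rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=228, length=160
User-Name = "DOMAIN\\Joe"
[suffix] No '@' in User-Name = "Joe", looking up realm NULL
[eap] Identity does not match User-Name, setting from EAP Identity.
'''
LOG_HACK_OFF = r'''rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=137, length=200
User-Name = "DOMAIN\\Joe"
[suffix] No '@' in User-Name = "DOMAIN\Joe", looking up realm NULL
[peap] Had sent TLV failure. User was rejected earlier in this session.
'''

ATTR = re.compile(r'^\s*User-Name = "(.*)"\s*$')          # attribute as received
SEEN = re.compile(r'^\[(\w+)\].*User-Name = "([^"]*)"')   # value a module worked on

def triage(log):
    """Return (code, detail) findings for one debug excerpt (hypothetical helper)."""
    findings, received = [], None
    for line in log.splitlines():
        if line.startswith("rad_recv:"):
            received = None                      # a new request starts here
            continue
        m = ATTR.match(line)
        if m:
            # In the excerpts above the attribute dump escapes the backslash,
            # while module messages print it unescaped.
            received = m.group(1).replace("\\\\", "\\")
            continue
        m = SEEN.match(line)
        if m and received is not None and m.group(2) != received:
            findings.append(("user-name-rewritten",
                             f"{m.group(1)} saw {m.group(2)!r}, NAS sent {received!r}"))
        elif "Identity does not match User-Name" in line:
            findings.append(("eap-identity-mismatch", line.strip()))
        elif "Had sent TLV failure" in line:
            findings.append(("rejected-earlier-in-session",
                             "the reject was decided in an earlier request; read back"))
    return findings

if __name__ == "__main__":
    for name, log in (("hack=yes", LOG_HACK_ON), ("hack=no", LOG_HACK_OFF)):
        for code, detail in triage(log):
            print(f"{name}: {code}: {detail}")
```

For the second excerpt the only finding points at an earlier request in the same EAP session, so the debug output before the posted packet is where the reason for the reject would appear.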