wow! it's working great!!! Tests with two instances for now are working - thanks a lot! I must do more tests but it seems this is the way!
regards! Lukasz

2009/1/29 <[email protected]>:
>> I'm not splitting user name from realm (well i don't know), below is
>> an example with NT-Domain expand: (not working host/host.domain.local
>> eap/peap but works ppp authorization from all domains User-name is
>> DOMAIN\\user and domain is correctly expanded it works also with
>> OTHERDOMAIN\\otheruser - another trusted ads domain)
>>
>> <code>
>> server inner-tunnel {
>> +- entering group authorize
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> ++[unix] returns notfound
>>     rlm_realm: No '@' in User-Name = "host/somehost.domain.local", looking up realm NULL
>>     rlm_realm: No such realm "NULL"
>> ++[suffix] returns noop
>> ++[control] returns noop
>>   rlm_eap: EAP packet type response id 9 length 89
>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> ++[eap] returns updated
>> ++[files] returns noop
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> ++[pap] returns noop
>>   rad_check_password:  Found Auth-Type EAP
>> auth: type "EAP"
>> +- entering group authenticate
>>   rlm_eap: Request found, released from the list
>>   rlm_eap: EAP/mschapv2
>>   rlm_eap: processing type mschapv2
>> +- entering group MS-CHAP
>>   rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>>   rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>>   rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with NT-Password
>>         expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
>>         expand: --domain=%{mschap:NT-Domain:-DOMAIN} -> --domain=domain   <--- here
>>   mschap2: fa
>>         expand: --challenge=%{mschap:Challenge:-00} -> --challenge=19601d7be2fxxxxx
>>         expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3a04766fxxxxxxxbfaedba4977c0xxxxxxx
>> Exec-Program output: Logon failure (0xc000006d)
>> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
>> Exec-Program: returned: 1
>>   rlm_mschap: External script failed.
>>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>> ++[mschap] returns reject
>> </code>
>>
>> and here is an example without NT-Domain expand for ntlm_auth (it is
>> working well for only "domain.local" and "DOMAIN\\user" but not for
>> trusted OTHERDOMAIN\\otheruser ):
>>
>> <code>
>> server inner-tunnel {
>> +- entering group authorize
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> ++[unix] returns notfound
>>     rlm_realm: No '@' in User-Name = "host/somehost.domain.local", looking up realm NULL
>>     rlm_realm: No such realm "NULL"
>> ++[suffix] returns noop
>> ++[control] returns noop
>>   rlm_eap: EAP packet type response id 7 length 89
>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> ++[eap] returns updated
>> ++[files] returns noop
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> ++[pap] returns noop
>>   rad_check_password:  Found Auth-Type EAP
>> auth: type "EAP"
>> +- entering group authenticate
>>   rlm_eap: Request found, released from the list
>>   rlm_eap: EAP/mschapv2
>>   rlm_eap: processing type mschapv2
>> +- entering group MS-CHAP
>>   rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>>   rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>>   rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with NT-Password
>>         expand: --username=%{mschap:User-Name:-None} -> --username=somehost$
>>   mschap2: 96
>>         expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2dff1a169cxxxxx
>>         expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=7fa7664801defd917c241937bd4xxxxxxx
>> Exec-Program output: NT_KEY: 7C54FDDBA668A77xxxxxxxx
>> Exec-Program-Wait: plaintext: NT_KEY: 7C54FDDBA668A77Fxxxxxx
>> Exec-Program: returned: 0
>> rlm_mschap: adding MS-CHAPv2 MPPE keys
>> ++[mschap] returns ok
>> </code>
>
> OK. So you need two mschap instances one for NT format (DOMAIN\\user
> type - with NT-Domain in ntlm_auth) and one for IPASS
> (host/somehost.domain.local type - without) format. Use unlang to detect
> the delimiter and switch the correct instance replacing mschap in
> authorize and inside Auth-Type MSCHAP.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
  .''`.  O.R.Z.E.H.: Obedient Robotic Zealous Exploration Humanoid
 : :' :  '98 linux registered | [FoxGame | ---] team translator | Amiga 2000 user
 `. `'`  [nagios plugin | udev aic9xx] relaser | 220v active user
   `-    http://www.goldenline.pl/lukasz-sitko3 | http://www.linkedin.com/in/lukaszsitko
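As an added illustration of the two-instance setup Ivan describes (this is example configuration written for this page, not a fragment posted in the thread), the following FreeRADIUS 2.x unlang selects an mschap instance by the shape of User-Name. The instance names mschap_nt and mschap_ipass, the ntlm_auth path, the DOMAIN fallback and the regex `^host/` for the IPASS-style machine names are assumptions; the ntlm_auth options themselves are the ones visible in the debug output above. The first debug trace shows the failure this avoids: with a single instance that always passes `--domain=%{mschap:NT-Domain:-DOMAIN}`, a `host/somehost.domain.local` name expands to `--domain=domain` and ntlm_auth reports `Logon failure (0xc000006d)`.

```unlang
# modules/mschap  (example; two instances of rlm_mschap, names assumed)
mschap mschap_nt {
        # DOMAIN\user and OTHERDOMAIN\otheruser: pass the domain the client
        # sent so a trusted-domain user is checked against the right DC.
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-DOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

mschap mschap_ipass {
        # host/somehost.domain.local: no --domain, so the machine account
        # (somehost$) is resolved in winbind's own domain.
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# sites-available/inner-tunnel  (example; only the mschap-related parts shown)
server inner-tunnel {
        authorize {
                chap
                # Detect the delimiter: "host/..." is the IPASS format,
                # anything else is treated as NT format (DOMAIN\user).
                if (User-Name =~ /^host\//) {
                        mschap_ipass
                }
                else {
                        mschap_nt
                }
                unix
                suffix
                control
                eap
                files
                expiration
                logintime
                pap
        }

        authenticate {
                # Whichever instance ran in authorize set Auth-Type MS-CHAP;
                # repeat the same test so the matching instance verifies the response.
                Auth-Type MS-CHAP {
                        if (User-Name =~ /^host\//) {
                                mschap_ipass
                        }
                        else {
                                mschap_nt
                        }
                }
                eap
        }
}
```

Both instances must appear in both sections: the authorize pass only marks the request as MS-CHAP, and it is the instance inside `Auth-Type MS-CHAP` that actually runs ntlm_auth. Keeping the two ntlm_auth lines separate also makes `radiusd -X` output unambiguous about which instance rejected a request, which is what the `++[mschap] returns reject` lines above leave open with a single instance.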

