Samba 3.5.11
The server is joined to the domain and I can run the ntlm_auth command
and log in with either name format.
I commented out the ntlm_auth line in mschap, but that didn't change
anything. We need to enter the EAP tunnel before it will try to
authenticate with mschap, don't we? 
rlm_perl runs packetfence.pm. Is that module having an issue with the
backslash?
Were the servers you were connecting to Win 2008?
________________________________

From: Francois Gaudreault [mailto:[email protected]] 
Sent: Thursday, August 18, 2011 12:35 PM
To: [email protected]
Subject: Re: [Packetfence-users] EAP failure


Tom,

The weird thing is that I installed that same package on maybe 3
deployments, and it worked at the first try for all of them.  Is it
possible that the samba configuration is, for a weird reason, not right?
Which version of samba did you install?

Can you comment out the ntlm_auth line in the mschap module? At least it
should fail saying RADIUS cannot find the proper username.  Are the
machines joined to the domain? Can you also provide the samba
configuration and your krb5.conf?

Also, what are the user rights for /var/lib/samba/winbindd_privileged/


On 11-08-18 1:15 PM, Tom Fischer wrote:

        I gave up on the box I built and downloaded the VM image. I
configured and tested the Active Directory connection for Samba. I set up
PF with the configurator for option2 ARP. I added a test AP and
configured it to authorize through PF. If I try to connect with an XP
workstation, I get the identity mismatch from EAP. I get this error
whether I use the Windows credentials domain\user

        rad_recv: Access-Request packet from host a.b.c.d port 1645, id=112, length=132
                User-Name = "domain\\user"
                Framed-MTU = 1400
                Called-Station-Id = "0022.90b3.9501"
                Calling-Station-Id = "0090.4b78.9270"
                Service-Type = Login-User
                Message-Authenticator = 0xcdf952bf1241e5ec93f0736e54d149d6
                EAP-Message = 0x0202000b014f475c746f6d
                NAS-Port-Type = Wireless-802.11
                NAS-Port = 83777
                NAS-Port-Id = "83777"
                NAS-IP-Address = a.b.c.d
                NAS-Identifier = "ap"
        +- entering group authorize {...}
        ++[preprocess] returns ok
        [eap] EAP packet type response id 2 length 11
        [eap] No EAP Start, assuming it's an on-going EAP conversation
        ++[eap] returns updated
        ++[files] returns noop
        ++[expiration] returns noop
        ++[logintime] returns noop
        rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
        rlm_perl: Added pair Service-Type = Login-User
        rlm_perl: Added pair Calling-Station-Id = 0090.4b78.9270
        rlm_perl: Added pair Called-Station-Id = 0022.90b3.9501
        rlm_perl: Added pair Message-Authenticator = 0xcdf952bf1241e5ecccf0736e54d149d6
        rlm_perl: Added pair User-Name = domain\\user
        rlm_perl: Added pair NAS-Identifier = ap
        rlm_perl: Added pair EAP-Message = 0x0202000b014fdddc746f6d
        rlm_perl: Added pair EAP-Type = Identity
        rlm_perl: Added pair NAS-IP-Address = a.b.c.d
        rlm_perl: Added pair NAS-Port = 83777
        rlm_perl: Added pair NAS-Port-Id = 83777
        rlm_perl: Added pair Framed-MTU = 1400
        rlm_perl: Added pair Auth-Type = EAP
        ++[perl] returns noop
        Found Auth-Type = EAP
        +- entering group authenticate {...}
        [eap] Identity does not match User-Name, setting from EAP Identity.
        [eap] Failed in handler
        ++[eap] returns invalid
        Failed to authenticate the user.

        If I go to manual login on the workstation and enter
user@domain, the EAP identity is okay. The only differences that I can
see are the EAP response length, and there is a GOT CLONE message for
the user@domain.

        +- entering group authorize {...} 
        ++[preprocess] returns ok 
        [eap] EAP packet type response id 2 length 17 
        [eap] No EAP Start, assuming it's an on-going EAP conversation 
        ++[eap] returns updated 
        ++[files] returns noop 
        ++[expiration] returns noop 
        ++[logintime] returns noop 
        GOT CLONE -1342070192 0xf476580 
        rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 

        I have no realms defined, and the conf files are as vanilla
as they can be. I have tried nostrip in the proxy.conf and tried yes/no
for with_ntdomain_hack in the mschap module. Can someone please help me
get past this?

        _______________________________________________
        Packetfence-users mailing list
        [email protected]
        https://lists.sourceforge.net/lists/listinfo/packetfence-users



-- 
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

Attachment: krb5.conf.save
Description: krb5.conf.save

Attachment: smb.conf.save
Description: smb.conf.save
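The "[eap] Identity does not match User-Name" line in the debug output above comes from comparing the identity carried inside the EAP-Message attribute with the User-Name attribute of the same request. As an added example (not code from this thread, from PacketFence or from FreeRADIUS), the Python below decodes the hex EAP-Message as an RFC 3748 Identity response, undoes the doubled backslash that radiusd -X uses when it prints string attributes, and performs that comparison; the `build_identity_response` helper and the `tom@og.local` identity used to reproduce the length-17 packet are constructed for illustration.

```python
import binascii
from dataclasses import dataclass

EAP_CODE_RESPONSE = 2   # RFC 3748 Code field: 1=Request, 2=Response
EAP_TYPE_IDENTITY = 1   # RFC 3748 Type field: 1=Identity


@dataclass
class EapIdentity:
    code: int
    ident: int
    length: int
    identity: str


def parse_eap_message(hex_attr: str) -> EapIdentity:
    """Decode a FreeRADIUS EAP-Message value (0x... hex) as an EAP Identity
    packet: Code(1) Identifier(1) Length(2, big-endian) Type(1) Type-Data."""
    raw = binascii.unhexlify(hex_attr[2:] if hex_attr.startswith("0x") else hex_attr)
    if len(raw) < 5:
        raise ValueError("EAP packet too short to carry a Type field")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} != {len(raw)} bytes received")
    if raw[4] != EAP_TYPE_IDENTITY:
        raise ValueError(f"not an EAP Identity packet (Type {raw[4]})")
    # Type-Data is the identity; a NUL may separate it from optional extra data
    identity = raw[5:].split(b"\x00", 1)[0].decode("utf-8", "replace")
    return EapIdentity(code, ident, length, identity)


def unescape_debug_string(logged: str) -> str:
    """radiusd -X prints string attributes with each backslash doubled, so an
    attribute shown as domain\\\\user is really domain\\user on the wire."""
    return logged.replace("\\\\", "\\")


def identity_matches_user_name(eap_hex: str, logged_user_name: str) -> bool:
    """The comparison behind '[eap] Identity does not match User-Name'."""
    return parse_eap_message(eap_hex).identity == unescape_debug_string(logged_user_name)


def build_identity_response(ident: int, identity: str) -> str:
    """Constructed helper: encode an EAP Identity response as FreeRADIUS prints it."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    length = 4 + len(body)
    return "0x" + (bytes([EAP_CODE_RESPONSE, ident]) + length.to_bytes(2, "big") + body).hex()
```

Decoding the thread's `0x0202000b014f475c746f6d` yields id 2, length 11 and the identity `OG\tom`, so the domain\user form is reaching the server with a single backslash; the mismatch has to be against whatever User-Name holds, which the redacted log does not show.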
